From 76ef70af7d2bcdbac6c3ff5e182f3cbd7516f42f Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Wed, 7 Dec 2016 07:24:13 -0500
Subject: [PATCH 1/7] imagemagick: 6.9.6-2 -> 6.9.6-7 for CVE-2016-9556 and CVE-2016-9559
---
 pkgs/applications/graphics/ImageMagick/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/applications/graphics/ImageMagick/default.nix b/pkgs/applications/graphics/ImageMagick/default.nix
index c7d1adfdd18..1095ff97fc5 100644
--- a/pkgs/applications/graphics/ImageMagick/default.nix
+++ b/pkgs/applications/graphics/ImageMagick/default.nix
@@ -11,8 +11,8 @@ let else throw "ImageMagick is not supported on this platform."; cfg = {
- version = "6.9.6-2";
- sha256 = "139h9lycxw3lszn052m34xm0rqyanin4nb529vxjcrkkzqilh91r";
+ version = "6.9.6-7";
+ sha256 = "1ls3g4gpdh094n03szr9arpr0rfwd1krv2s9gnck8j0ab10ccgs5";
 patches = []; } # Freeze version on mingw so we don't need to port the patch too often.
From e42f6a11acb1cdd5b8bb033ac275ff15e1e48d11 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Wed, 7 Dec 2016 08:49:24 -0500
Subject: [PATCH 2/7] gstreamer: 1.10.1 -> 1.10.2 for multiple CVEs CVE-2016-9807, CVE-2016-9808, CVE-2016-9809, CVE-2016-9810, CVE-2016-9811, CVE-2016-9812, CVE-2016-9813, CVE-2016-9634, CVE-2016-9635, CVE-2016-9636 https://gstreamer.freedesktop.org/releases/1.10/#1.10.2
---
 pkgs/development/libraries/gstreamer/bad/default.nix | 4 ++--
 pkgs/development/libraries/gstreamer/base/default.nix | 5 ++---
 pkgs/development/libraries/gstreamer/core/default.nix | 4 ++--
 pkgs/development/libraries/gstreamer/ges/default.nix | 4 ++--
 pkgs/development/libraries/gstreamer/good/default.nix | 4 ++--
 pkgs/development/libraries/gstreamer/libav/default.nix | 4 ++--
 pkgs/development/libraries/gstreamer/python/default.nix | 4 ++--
 pkgs/development/libraries/gstreamer/ugly/default.nix | 4 ++--
 pkgs/development/libraries/gstreamer/vaapi/default.nix | 4 ++--
 pkgs/development/libraries/gstreamer/validate/default.nix | 5 ++---
 10 files changed, 20 insertions(+), 22 deletions(-)
diff --git a/pkgs/development/libraries/gstreamer/bad/default.nix b/pkgs/development/libraries/gstreamer/bad/default.nix
index 4e18e4d16b2..7479c153af2 100644
--- a/pkgs/development/libraries/gstreamer/bad/default.nix
+++ b/pkgs/development/libraries/gstreamer/bad/default.nix
@@ -14,7 +14,7 @@ let inherit (stdenv.lib) optional optionalString; in stdenv.mkDerivation rec {
- name = "gst-plugins-bad-1.10.1";
+ name = "gst-plugins-bad-1.10.2";
 meta = with stdenv.lib; { description = "Gstreamer Bad Plugins";
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "${meta.homepage}/src/gst-plugins-bad/${name}.tar.xz";
- sha256 = "07cjra4fclrk6lpdm5hrsgp79aqpklx3v3l9scain091zvchwghk";
+ sha256 = "0fisnnfpp3s8pbm6hjrfi4wjpq2da8c6w3ns9pjcg7590f9wm587";
 }; outputs = [ "out" "dev" ];
diff --git a/pkgs/development/libraries/gstreamer/base/default.nix b/pkgs/development/libraries/gstreamer/base/default.nix
index 319f7c75a75..c3e8f3c65a1 100644
--- a/pkgs/development/libraries/gstreamer/base/default.nix
+++ b/pkgs/development/libraries/gstreamer/base/default.nix
@@ -4,7 +4,7 @@ }: stdenv.mkDerivation rec {
- name = "gst-plugins-base-1.10.1";
+ name = "gst-plugins-base-1.10.2";
 meta = { description = "Base plugins and helper libraries";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "${meta.homepage}/src/gst-plugins-base/${name}.tar.xz";
- sha256 = "1jbnr6vbklzli493xdd8y5sflm32r90lifpacxw9vbvs9hlyxkv6";
+ sha256 = "086yjwmp4fykcqkj6zqhwrk2z49981kl8x545vz2wvblrc7x9h7v";
 }; outputs = [ "out" "dev" ];
@@ -44,4 +44,3 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; }
-
diff --git a/pkgs/development/libraries/gstreamer/core/default.nix b/pkgs/development/libraries/gstreamer/core/default.nix
index 55da05c4c97..8b27fa7ad3b 100644
--- a/pkgs/development/libraries/gstreamer/core/default.nix
+++ b/pkgs/development/libraries/gstreamer/core/default.nix
@@ -3,7 +3,7 @@ }: stdenv.mkDerivation rec {
- name = "gstreamer-1.10.1";
+ name = "gstreamer-1.10.2";
 meta = { description = "Open source multimedia framework";
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "${meta.homepage}/src/gstreamer/${name}.tar.xz";
- sha256 = "1npnpyrw8603ivi5g3ziglvh3hq2shypid2vjcmki6g6w2bgk3gn";
+ sha256 = "0rcd4ya4k99x6ngm9v78as7ql0rqibkwshc13lb4rjdszs0qw3hm";
 }; outputs = [ "out" "dev" ];
diff --git a/pkgs/development/libraries/gstreamer/ges/default.nix b/pkgs/development/libraries/gstreamer/ges/default.nix
index 06776de9340..a45c190b020 100644
--- a/pkgs/development/libraries/gstreamer/ges/default.nix
+++ b/pkgs/development/libraries/gstreamer/ges/default.nix
@@ -3,7 +3,7 @@ }: stdenv.mkDerivation rec {
- name = "gstreamer-editing-services-1.10.1";
+ name = "gstreamer-editing-services-1.10.2";
 meta = with stdenv.lib; { description = "Library for creation of audio/video non-linear editors";
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "${meta.homepage}/src/gstreamer-editing-services/${name}.tar.xz";
- sha256 = "048dxpbzmidbl1sb902nx8rkg8m0z69f3dn7vfhs1ai68x2hzip9";
+ sha256 = "0hx7bwj8li88qq09slvdxlnfq76hr35nyjvd4ixrz5gmkpmrl5fv";
 }; outputs = [ "out" "dev" ];
diff --git a/pkgs/development/libraries/gstreamer/good/default.nix b/pkgs/development/libraries/gstreamer/good/default.nix
index ba6f79c138a..fbf67fb34f5 100644
--- a/pkgs/development/libraries/gstreamer/good/default.nix
+++ b/pkgs/development/libraries/gstreamer/good/default.nix
@@ -10,7 +10,7 @@ let inherit (stdenv.lib) optionals optionalString; in stdenv.mkDerivation rec {
- name = "gst-plugins-good-1.10.1";
+ name = "gst-plugins-good-1.10.2";
 meta = with stdenv.lib; { description = "Gstreamer Good Plugins";
@@ -26,7 +26,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "${meta.homepage}/src/gst-plugins-good/${name}.tar.xz";
- sha256 = "1hkcap9l2603266gyi6jgvx7frbvfmb7xhfhjizbczy1wykjwr57";
+ sha256 = "04rksbhjj2yz32g523cfabwqn2s3byd94dpbxghxr0p9ridk53qr";
 }; outputs = [ "out" "dev" ];
diff --git a/pkgs/development/libraries/gstreamer/libav/default.nix b/pkgs/development/libraries/gstreamer/libav/default.nix
index 7ae10f50c4d..447b679898a 100644
--- a/pkgs/development/libraries/gstreamer/libav/default.nix
+++ b/pkgs/development/libraries/gstreamer/libav/default.nix
@@ -9,7 +9,7 @@ assert withSystemLibav -> libav != null; stdenv.mkDerivation rec {
- name = "gst-libav-1.10.1";
+ name = "gst-libav-1.10.2";
 meta = { homepage = "http://gstreamer.freedesktop.org";
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "${meta.homepage}/src/gst-libav/${name}.tar.xz";
- sha256 = "1ivjbh5g0l5ykfpc16kq5x2jz8d4ignyha14jpiz3pz6w26qpci7";
+ sha256 = "0g778j7w4vpbhwjzyrzpajvr26nxm6vqby84v8g1w1hz44v71pd3";
 }; outputs = [ "out" "dev" ];
diff --git a/pkgs/development/libraries/gstreamer/python/default.nix b/pkgs/development/libraries/gstreamer/python/default.nix
index 78127e3ce98..880b5d734d4 100644
--- a/pkgs/development/libraries/gstreamer/python/default.nix
+++ b/pkgs/development/libraries/gstreamer/python/default.nix
@@ -6,14 +6,14 @@ let inherit (pythonPackages) python pygobject3; in stdenv.mkDerivation rec {
- name = "gst-python-1.10.1";
+ name = "gst-python-1.10.2";
 src = fetchurl { urls = [ "${meta.homepage}/src/gst-python/${name}.tar.xz" "mirror://gentoo/distfiles/${name}.tar.xz" ];
- sha256 = "04xhh0z0c0s6aq7kvmfs4r6yl1pjnqz0krp05pbjy62ayx5b61ak";
+ sha256 = "1sljnqkxf2ix6yzghrapw5irl0rbp8aa8w2hggk7i6d9js10ls71";
 }; patches = [ ./different-path-with-pygobject.patch ];
diff --git a/pkgs/development/libraries/gstreamer/ugly/default.nix b/pkgs/development/libraries/gstreamer/ugly/default.nix
index df5b682a237..981a05b4f1f 100644
--- a/pkgs/development/libraries/gstreamer/ugly/default.nix
+++ b/pkgs/development/libraries/gstreamer/ugly/default.nix
@@ -5,7 +5,7 @@ }: stdenv.mkDerivation rec {
- name = "gst-plugins-ugly-1.10.1";
+ name = "gst-plugins-ugly-1.10.2";
 meta = with stdenv.lib; { description = "Gstreamer Ugly Plugins";
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "${meta.homepage}/src/gst-plugins-ugly/${name}.tar.xz";
- sha256 = "1hl385fys7hfx5ffipavvhciq6hwm731rs4d6r9fn7h9qagxbv55";
+ sha256 = "17gc2zd3v6spmm2d6912sqfcyyv5f2ghdhq31f5kx5mw5r6ds0zk";
 }; outputs = [ "out" "dev" ];
diff --git a/pkgs/development/libraries/gstreamer/vaapi/default.nix b/pkgs/development/libraries/gstreamer/vaapi/default.nix
index f18b9fc214d..f136df099bf 100644
--- a/pkgs/development/libraries/gstreamer/vaapi/default.nix
+++ b/pkgs/development/libraries/gstreamer/vaapi/default.nix
@@ -5,11 +5,11 @@ stdenv.mkDerivation rec { name = "gst-vaapi-${version}";
- version = "1.10.1";
+ version = "1.10.2";
 src = fetchurl { url = "${meta.homepage}/src/gstreamer-vaapi/gstreamer-vaapi-${version}.tar.xz";
- sha256 = "0d6sw5j7x3ah7zlcipy7w3fwag0fqxyfgc8q4phnazgk16kcmblr";
+ sha256 = "1abzaj9kczap1xmalgzid1k3gqcn1ghnn76cn2kclc1gbfwd4ccy";
 }; outputs = [ "out" "dev" ];
diff --git a/pkgs/development/libraries/gstreamer/validate/default.nix b/pkgs/development/libraries/gstreamer/validate/default.nix
index 2f5ba2372ce..a05bbd3e9a2 100644
--- a/pkgs/development/libraries/gstreamer/validate/default.nix
+++ b/pkgs/development/libraries/gstreamer/validate/default.nix
@@ -3,7 +3,7 @@ }: stdenv.mkDerivation rec {
- name = "gst-validate-1.10.1";
+ name = "gst-validate-1.10.2";
 meta = { description = "Integration testing infrastructure for the GStreamer framework";
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "${meta.homepage}/src/gst-validate/${name}.tar.xz";
- sha256 = "0x9z0kizi44swsrx8mdc6xlmn9dksdfifchp5h6liibp7qd6gbh7";
+ sha256 = "1mwyk3b19aq78mjhmrpc7qqs9flrykrn1j763g5wx546swc489xy";
 }; outputs = [ "out" "dev" ];
@@ -31,4 +31,3 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; }
-
From e0b850147d10564308d7f49850ecbf7168afa7e7 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Wed, 7 Dec 2016 19:29:06 -0500
Subject: [PATCH 3/7] openafs: 1.6.17 -> 1.6.20 for CVE-2016-9772 From release notes: OPENAFS-SA-2016-003: file and directory names leak due to reuse of directory objects without zeroing the contents (12461 12462 12463 12464 12465)
---
 pkgs/servers/openafs-client/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/servers/openafs-client/default.nix b/pkgs/servers/openafs-client/default.nix
index 52a7941d093..6383ce12bc1 100644
--- a/pkgs/servers/openafs-client/default.nix
+++ b/pkgs/servers/openafs-client/default.nix
@@ -3,11 +3,11 @@ stdenv.mkDerivation rec { name = "openafs-${version}-${kernel.version}";
- version = "1.6.17";
+ version = "1.6.20";
 src = fetchurl { url = "http://www.openafs.org/dl/openafs/${version}/openafs-${version}-src.tar.bz2";
- sha256 = "16532f4951piv1g2i539233868xfs1damrnxql61gjgxpwnklhcn";
+ sha256 = "0qar94k9x9dkws4clrnlw789q1ha9qjk06356s86hh78qwywc1ki";
 }; nativeBuildInputs = [ autoconf automake flex yacc perl which ];
From 0683c1a35ca9513d53a7df94cabdd91f9f1cd2a1 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Wed, 7 Dec 2016 19:38:50 -0500
Subject: [PATCH 4/7] p7zip: patch for CVE-2016-9296
---
 pkgs/tools/archivers/p7zip/default.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/pkgs/tools/archivers/p7zip/default.nix b/pkgs/tools/archivers/p7zip/default.nix
index 7c952a8f729..c11c437fa37 100644
--- a/pkgs/tools/archivers/p7zip/default.nix
+++ b/pkgs/tools/archivers/p7zip/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ stdenv, fetchurl, fetchpatch }:
 stdenv.mkDerivation rec { name = "p7zip-${version}";
@@ -9,6 +9,13 @@ stdenv.mkDerivation rec { sha256 = "5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f"; };
+ patches = [
+ (fetchpatch {
+ url = "https://sources.debian.net/data/main/p/p7zip/16.02+dfsg-2/debian/patches/12-CVE-2016-9296.patch";
+ sha256 = "0inblicg24gcbaq84n0mr6w4yc5ak65mh9wxml96wlhdf7ph2i3m";
+ })
+ ];
+
 preConfigure = '' makeFlagsArray=(DEST_HOME=$out) buildFlags=all3
From 4c5a1980198eb482e2e73c30beb8c0d13e07d246 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Wed, 7 Dec 2016 19:46:54 -0500
Subject: [PATCH 5/7] teeworlds: 0.6.3 -> 0.6.4 for CVE-2016-9400
---
 pkgs/games/teeworlds/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkgs/games/teeworlds/default.nix b/pkgs/games/teeworlds/default.nix
index ea337c208df..504353afebe 100644
--- a/pkgs/games/teeworlds/default.nix
+++ b/pkgs/games/teeworlds/default.nix
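Review bot: In pkgs/tools/archivers/p7zip/default.nix, the `fetchpatch` entry added to `patches` has no comment stating when it can be removed, so a later bump of `version` (set outside this hunk) gives no cue to check whether the packaged release already contains the fix. The URL is pinned to a single Debian revision and the `sha256` fixes the content, so integrity is covered; only the removal condition is missing. I would add `# CVE-2016-9296, taken from Debian's 16.02+dfsg-2 patch set; drop once the packaged release contains the fix` directly above the `(fetchpatch {` line.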
@@ -3,11 +3,11 @@ }: stdenv.mkDerivation rec {
- name = "teeworlds-0.6.3";
+ name = "teeworlds-0.6.4";
 src = fetchurl {
- url = "https://downloads.teeworlds.com/teeworlds-0.6.3-src.tar.gz";
- sha256 = "0yq7f3yan07sxrhz7mzwqv344nfmdc67p3dg173631w9fb1yf3j9";
+ url = "https://downloads.teeworlds.com/teeworlds-0.6.4-src.tar.gz";
+ sha256 = "1qlqzp4wqh1vnip081lbsjnx5jj5m5y4msrcm8glbd80pfgd2qf2";
 }; # we always want to use system libs instead of these
From 86da9839b17127c0ca474dc56a58717160bbcc6c Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Wed, 7 Dec 2016 20:16:05 -0500
Subject: [PATCH 6/7] xen: Patch for CVE-2016-9385, CVE-2016-9377, and CVE-2016-9378
---
 pkgs/applications/virtualization/xen/4.5.nix | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/pkgs/applications/virtualization/xen/4.5.nix b/pkgs/applications/virtualization/xen/4.5.nix
index 271ab7e7fe9..e7a46a24965 100644
--- a/pkgs/applications/virtualization/xen/4.5.nix
+++ b/pkgs/applications/virtualization/xen/4.5.nix
@@ -1,4 +1,4 @@
-{ callPackage, fetchurl, fetchgit, ... } @ args:
+{ callPackage, fetchurl, fetchpatch, fetchgit, ... } @ args:
 let # Xen 4.5.5
@@ -54,7 +54,23 @@ let xenPatches = [ ./0001-libxl-Spice-image-compression-setting-support-for-up.patch ./0002-libxl-Spice-streaming-video-setting-support-for-upst.patch
- ./0003-Add-qxl-vga-interface-support-for-upstream-qem.patch ];
+ ./0003-Add-qxl-vga-interface-support-for-upstream-qem.patch
+ (fetchpatch {
+ url = "https://bugzilla.redhat.com/attachment.cgi?id=1218547";
+ name = "CVE-2016-9385.patch";
+ sha256 = "0l5drg862708ngy49jl65vmv6iwxlm7h8b4vabnffc2496f2gbwk";
+ })
+ (fetchpatch {
+ url = "https://bugzilla.redhat.com/attachment.cgi?id=1218536";
+ name = "CVE-2016-9377-CVE-2016-9378-part1.patch";
+ sha256 = "1dy8xvnkdvc44ywzzlswmkljjva44c0ndw7538iicr3qyf0244n4";
+ })
+ (fetchpatch {
+ url = "https://bugzilla.redhat.com/attachment.cgi?id=1218537";
+ name = "CVE-2016-9377-CVE-2016-9378-part2.patch";
+ sha256 = "0iz36s2w6bh5h9i1a9gj1c748fq1dj90kcg2yzld1m26qx21qrr5";
+ })
+ ];
 }; in callPackage ./generic.nix (args // { xenConfig=xenConfig; })
From d71dbd733c0fde876219086bf978cd5b2abe7917 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Wed, 7 Dec 2016 20:26:47 -0500
Subject: [PATCH 7/7] chromium: 54.0.2840.100 -> 55.0.2883.75
---
 .../browsers/chromium/upstream-info.nix | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.nix b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
index 1c71e7419a1..fa24ed9146f 100644
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.nix
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
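Review bot: In pkgs/applications/virtualization/xen/4.5.nix, the three `fetchpatch` entries added to `xenPatches` point at opaque Bugzilla attachment ids, so nothing in the expression lets a later reader confirm which upstream fix each one carries or that it was prepared for the 4.5 branch. The pinned `sha256` values protect the content, but an attachment can be obsoleted or access-restricted, and then the patch has to be re-identified from its `name` alone. A comment above each entry would close that gap, e.g. `# CVE-2016-9385: Red Hat Bugzilla attachment 1218547; drop once the Xen source used here includes the fix`. Where the Xen project publishes the same patch with its security advisory, that URL would be the more durable source. The enclosing `let` binding starts outside the hunk.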
@@ -1,18 +1,18 @@ # This file is autogenerated from update.sh in the same directory. { beta = { - sha256 = "1dw5difl42jch8pppk9z7ivvw0ah7azjx81allfm85ys075h0ppm"; - sha256bin64 = "1vd3ia7s7k8dkcc9sg1wmbi6x54wf7jmiavixnqb5swglczxfmxz"; - version = "55.0.2883.44"; + sha256 = "0mafk3cxwc16qbd7jzqj8rw1ys6s2bv7f9byixjcgssvjf073ksv"; + sha256bin64 = "0sb2d7vyrckkbg823rnl7y3k6q3kvmxp13lpm0ncy821cx89m89a"; + version = "55.0.2883.75"; }; dev = { - sha256 = "1pfgb5dnygyxiwfq6ini5s159c178zz7235npaag7k8gcc10ybnz"; - sha256bin64 = "14s185361inkqh8ykl94xhgv01z68gxqh7j6gyb4jbr0rhcsd9pl"; - version = "56.0.2906.0"; + sha256 = "1g4jy8zpmgqh9br2jcvbrnnr8fc5i4s5hvv01bs433rlcgaqk066"; + sha256bin64 = "08vzar0zshf39390xhr8l7gvzai9pxcqzwqzrmizaaqi9m5pijdr"; + version = "56.0.2924.18"; }; stable = { - sha256 = "1pw91kqqvm9nkz9i6wmm83wnqzl34q8rxw1sjcpfr4qcg15gbrz2"; - sha256bin64 = "05w9yadn7kwn0aiqd2mrg67lpk413zp6xkgwxnwni7z13j3zrw49"; - version = "54.0.2840.100"; + sha256 = "0mafk3cxwc16qbd7jzqj8rw1ys6s2bv7f9byixjcgssvjf073ksv"; + sha256bin64 = "0qfqj8067vjqklg1zm203dh6c29sbhk6w7flvi8h3z28y1pws2qw"; + version = "55.0.2883.75"; }; }