From abc2a76cb5814ae090fcec996ba06cfdc6e1106a Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Mon, 26 Jul 2021 22:18:23 +0200
Subject: [PATCH 1/4] aspell: fix buffer overflow in objstack
Fixes: CVE-2019-25051
(cherry picked from commit 000fe8c92ccbf44c91d48235bd5ecb9773b223ed)
---
 pkgs/development/libraries/aspell/default.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/libraries/aspell/default.nix b/pkgs/development/libraries/aspell/default.nix
index 01acced98f6..777bad1e5a5 100644
--- a/pkgs/development/libraries/aspell/default.nix
+++ b/pkgs/development/libraries/aspell/default.nix
@@ -23,7 +23,14 @@ stdenv.mkDerivation rec {
 sha256 = "1wi60ankalmh8ds7nplz434jd7j94gdvbahdwsr539rlad8pxdzr";
 };
- patches = lib.optional searchNixProfiles ./data-dirs-from-nix-profiles.patch;
+ patches = [
+ (fetchpatch {
+ # objstack: assert that the alloc size will fit within a chunk
+ name = "CVE-2019-25051.patch";
+ url = "https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a.patch";
+ sha256 = "03z259xrk41x3j190gaprf3mqysyfgh3a04rjmch3h625vj95x39";
+ })
+ ] ++ lib.optional searchNixProfiles ./data-dirs-from-nix-profiles.patch;
 postPatch = ''
 patch interfaces/cc/aspell.h < ${./clang.patch}
From c752f9e15d0c2277df9d25ec84aed778d9a34319 Mon Sep 17 00:00:00 2001
From: Marc Seeger
Date: Fri, 13 Aug 2021 13:51:48 -0700
Subject: [PATCH 2/4] [21.05] gtk3: replace bugzilla patch with local file.
---
 pkgs/development/libraries/gtk/3.x.nix | 7 +---
 ...etting-fallback-compute-DPI-properly.patch | 34 +++++++++++++++++++
 2 files changed, 35 insertions(+), 6 deletions(-)
 create mode 100644 pkgs/development/libraries/gtk/patches/3.0-Xft-setting-fallback-compute-DPI-properly.patch
diff --git a/pkgs/development/libraries/gtk/3.x.nix b/pkgs/development/libraries/gtk/3.x.nix
index f9b5d5f68b5..e922676d180 100644
--- a/pkgs/development/libraries/gtk/3.x.nix
+++ b/pkgs/development/libraries/gtk/3.x.nix
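Review bot: The `fetchpatch` entry added to `patches` in pkgs/development/libraries/aspell/default.nix relies, per its own comment, on an `assert` to stop the objstack overflow, and an `assert` compiles to nothing when the code is built with `NDEBUG` defined. The derivation's build flags are outside this hunk, so it is worth confirming that nothing in the build defines `NDEBUG`, and recording that dependency next to the patch, for example `# the fix is an assert(): it only protects builds without -DNDEBUG`. The commit-addressed URL and the sha256 pin are what a fetched security patch should carry. The enclosing `stdenv.mkDerivation rec { … }` starts and ends outside the hunk.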
@@ -77,12 +77,7 @@ stdenv.mkDerivation rec {
 patches = [
 ./patches/3.0-immodules.cache.patch
-
- (fetchpatch {
- name = "Xft-setting-fallback-compute-DPI-properly.patch";
- url = "https://bug757142.bugzilla-attachments.gnome.org/attachment.cgi?id=344123";
- sha256 = "0g6fhqcv8spfy3mfmxpyji93k8d4p4q4fz1v9a1c1cgcwkz41d7p";
- })
+ ./patches/3.0-Xft-setting-fallback-compute-DPI-properly.patch
 ] ++ lib.optionals stdenv.isDarwin [
 # X11 module requires which is not installed on Darwin
 # let’s drop that dependency in similar way to how other parts of the library do it
diff --git a/pkgs/development/libraries/gtk/patches/3.0-Xft-setting-fallback-compute-DPI-properly.patch b/pkgs/development/libraries/gtk/patches/3.0-Xft-setting-fallback-compute-DPI-properly.patch
new file mode 100644
index 00000000000..247dd3ea845
--- /dev/null
+++ b/pkgs/development/libraries/gtk/patches/3.0-Xft-setting-fallback-compute-DPI-properly.patch
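Review bot: The added line `./patches/3.0-Xft-setting-fallback-compute-DPI-properly.patch` in pkgs/development/libraries/gtk/3.x.nix leaves no record of where the vendored patch came from, while the removed `fetchpatch` named the bugzilla attachment and pinned its sha256. A one-line comment above the path, `# from https://bug757142.bugzilla-attachments.gnome.org/attachment.cgi?id=344123`, would let a later reviewer compare the in-tree copy with the upstream attachment. The gpgme change later in this series keeps such a comment above its local patch. The `patches` list continues outside the hunk.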
@@ -0,0 +1,34 @@
+From 269f2d80ea41cde17612600841fbdc32e99010f5 Mon Sep 17 00:00:00 2001
+From: Giuseppe Bilotta
+Date: Tue, 24 Jan 2017 12:30:08 +0100
+Subject: [PATCH] Xft setting fallback: compute DPI properly
+
+This is a partial revert of bdf0820c501437a2150d8ff0d5340246e713f73f. If
+the Xft DPI settings are not explicitly set, use the values provided by
+the X server rather than hard-coding the fallback value of 96.
+
+While an auto-configured Xorg already reports 96, this value can be
+overriden by the user, and we should respect the user choice in this
+case. There is no need to require them to set the same value in
+different places (the Xorg DPI settings and Xft.dpi).
+---
+ gdk/x11/gdkxftdefaults.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gdk/x11/gdkxftdefaults.c b/gdk/x11/gdkxftdefaults.c
+index fa1cfde2ec..c462b78c4b 100644
+--- a/gdk/x11/gdkxftdefaults.c
++++ b/gdk/x11/gdkxftdefaults.c
+@@ -174,7 +174,8 @@ init_xft_settings (GdkScreen *screen)
+ x11_screen->xft_rgba = FC_RGBA_UNKNOWN;
+
+ if (!get_double_default (xdisplay, "dpi", &dpi_double))
+- dpi_double = 96.0;
++ dpi_double = (DisplayHeight(xdisplay, x11_screen->screen_num)*25.4)/
++ DisplayHeightMM(xdisplay, x11_screen->screen_num);
+
+ x11_screen->xft_dpi = (int)(0.5 + PANGO_SCALE * dpi_double);
+ }
+--
+2.11.0.616.gd72966cf44.dirty
+
From c39b79e047934fd304a1e8370cece13541413d4b Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Wed, 4 Aug 2021 20:37:40 +0200
Subject: [PATCH 3/4] libsndfile: 1.0.30 -> 1.0.31
Fixes CVE-2021-3246. https://github.com/libsndfile/libsndfile/releases/tag/1.0.31
(cherry picked from commit 88c53421a729c9a3030c8e43f91844d5f1f2d146)
---
 pkgs/development/libraries/libsndfile/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkgs/development/libraries/libsndfile/default.nix b/pkgs/development/libraries/libsndfile/default.nix
index 61e6d9cd765..dbe108f586f 100644
--- a/pkgs/development/libraries/libsndfile/default.nix
+++ b/pkgs/development/libraries/libsndfile/default.nix
@@ -4,13 +4,13 @@ stdenv.mkDerivation rec {
 pname = "libsndfile";
- version = "1.0.30";
+ version = "1.0.31";
 src = fetchFromGitHub {
 owner = pname;
 repo = pname;
- rev = "v${version}";
- sha256 = "1rh79y4s4m2wcm2kahmzs2kijpdpayif2gyca6m71f3k7jbhgcwa";
+ rev = version;
+ sha256 = "1alba3iv8i7i2jb5fd6q5s7j9bcj48sf28nfjd3qigz2n2is5jl2";
 };
 nativeBuildInputs = [ autoreconfHook autogen pkg-config python3 ];
From 46c853dfc225f9ad9bc986dd42dc86515233c8b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Thu, 19 Aug 2021 09:48:17 +0200
Subject: [PATCH 4/4] Merge #134714: gpgme: move flaky patch URL to local file
(cherry picked from commit 4c88dc6a7035089ab3a311bfd09a790ea3ff5d35)
---
 pkgs/development/libraries/gpgme/default.nix | 10 ++--------
 .../libraries/gpgme/fix_gpg_list_keys.diff | 12 ++++++++++++
 2 files changed, 14 insertions(+), 8 deletions(-)
 create mode 100644 pkgs/development/libraries/gpgme/fix_gpg_list_keys.diff
diff --git a/pkgs/development/libraries/gpgme/default.nix b/pkgs/development/libraries/gpgme/default.nix
index 09ec32cea54..5b11f014d5f 100644
--- a/pkgs/development/libraries/gpgme/default.nix
+++ b/pkgs/development/libraries/gpgme/default.nix
@@ -21,14 +21,8 @@ stdenv.mkDerivation rec {
 };
 patches = [
- (fetchpatch { # gpg: Send --with-keygrip when listing keys
- name = "c4cf527ea227edb468a84bf9b8ce996807bd6992.patch";
- urls = [
- "https://files.gnupg.net/file/data/2ufcg7ny5jdnv7hmewb4/PHID-FILE-7iwvryn2btti6txr3bsz/file"
- "http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=patch;h=c4cf527ea227edb468a84bf9b8ce996807bd6992"
- ];
- sha256 = "0y0b0lb2nq5p9kx13b59b2jaz157mvflliw1qdvg1v1hynvgb8m4";
- })
+ # https://dev.gnupg.org/rMc4cf527ea227edb468a84bf9b8ce996807bd6992
+ ./fix_gpg_list_keys.diff
 # https://lists.gnupg.org/pipermail/gnupg-devel/2020-April/034591.html
 (fetchpatch {
 name = "0001-Fix-python-tests-on-non-Linux.patch";
diff --git a/pkgs/development/libraries/gpgme/fix_gpg_list_keys.diff b/pkgs/development/libraries/gpgme/fix_gpg_list_keys.diff
new file mode 100644
index 00000000000..bd8da4edd6e
--- /dev/null
+++ b/pkgs/development/libraries/gpgme/fix_gpg_list_keys.diff
@@ -0,0 +1,12 @@
+diff --git a/src/engine-gpg.c b/src/engine-gpg.c
+index b51ea173..4e74665e 100644
+--- a/src/engine-gpg.c
++++ b/src/engine-gpg.c
+@@ -3005,6 +3005,7 @@ gpg_keylist_build_options (engine_gpg_t gpg, int secret_only,
+ gpg_error_t err;
+
+ err = add_arg (gpg, "--with-colons");
++ err = add_arg (gpg, "--with-keygrip");
+
+ /* Since gpg 2.1.15 fingerprints are always printed, thus there is
+ * no more need to explicitly request them. */
\ No newline at end of file