From fbef3e574ed67c69cffd12f71c0f9b3d6bab9137 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Sat, 11 Sep 2021 13:35:56 +0100 Subject: [PATCH 1/4] python38Packages.flask-restx: add patch for CVE-2021-32838 --- pkgs/development/python-modules/flask-restx/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/development/python-modules/flask-restx/default.nix b/pkgs/development/python-modules/flask-restx/default.nix index e1de7bf0d3b..b33a5704c34 100644 --- a/pkgs/development/python-modules/flask-restx/default.nix +++ b/pkgs/development/python-modules/flask-restx/default.nix @@ -1,6 +1,7 @@ { lib , buildPythonPackage , fetchFromGitHub +, fetchpatch , aniso8601 , jsonschema , flask @@ -30,6 +31,14 @@ buildPythonPackage rec { sha256 = "0aj13nd3z71gb8c2kqiaz3f9k7jr0srlvrsx8hpz4nkpki8jiz2s"; }; + patches = [ + (fetchpatch { + name = "CVE-2021-32838.patch"; + url = "https://github.com/python-restx/flask-restx/commit/bab31e085f355dd73858fd3715f7ed71849656da.patch"; + sha256 = "1n786f0zq3gyrp9s28qw3j8bkqhys38vbaafaizplaf4f76bh7m8"; + }) + ]; + propagatedBuildInputs = [ aniso8601 jsonschema flask werkzeug pytz six ] ++ lib.optionals isPy27 [ enum34 ]; From 5a17bb5d2b4700c9410ccfdf533b3f45ccdf23ce Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Wed, 8 Sep 2021 22:45:50 +0200 Subject: [PATCH 2/4] nixos/privacyidea: use `sudo(8)` that's configured via the module (cherry picked from commit 69e75754d57b4c9785058d663daa3817745930aa) --- nixos/modules/services/security/privacyidea.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nixos/modules/services/security/privacyidea.nix b/nixos/modules/services/security/privacyidea.nix index 2696dca4c76..02c182b4a1a 100644 --- a/nixos/modules/services/security/privacyidea.nix +++ b/nixos/modules/services/security/privacyidea.nix 
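Review bot: The new `patches` entry in the second flask-restx hunk has no comment saying when it can be dropped, so whoever does the next version bump has only the file name to go on. I would add, above the `(fetchpatch {` line, something like `# Fix for CVE-2021-32838; drop once the packaged version contains upstream commit bab31e085f355dd73858fd3715f7ed71849656da.` Pinning the URL to a full commit id and a `sha256` is the right shape for a security backport. The `buildPythonPackage rec { … }` body continues outside the hunk, so whether the package's test suite runs against the patched source cannot be seen from here.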
@@ -228,7 +228,7 @@ in path = with pkgs; [ openssl ]; environment.PRIVACYIDEA_CONFIGFILE = "${cfg.stateDir}/privacyidea.cfg"; preStart = let - pi-manage = "${pkgs.sudo}/bin/sudo -u privacyidea -HE ${penv}/bin/pi-manage"; + pi-manage = "${config.security.sudo.package}/bin/sudo -u privacyidea -HE ${penv}/bin/pi-manage"; pgsu = config.services.postgresql.superUser; psql = config.services.postgresql.package; in '' @@ -239,8 +239,8 @@ in -i "${piCfgFile}" chown ${cfg.user}:${cfg.group} ${cfg.stateDir}/privacyidea.cfg if ! test -e "${cfg.stateDir}/db-created"; then - ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createuser --no-superuser --no-createdb --no-createrole ${cfg.user} - ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createdb --owner ${cfg.user} privacyidea + ${config.security.sudo.package}/bin/sudo -u ${pgsu} ${psql}/bin/createuser --no-superuser --no-createdb --no-createrole ${cfg.user} + ${config.security.sudo.package}/bin/sudo -u ${pgsu} ${psql}/bin/createdb --owner ${cfg.user} privacyidea ${pi-manage} create_enckey ${pi-manage} create_audit_keys ${pi-manage} createdb From 0d85dce13f7165b883ff3290a94b77b18ab48911 Mon Sep 17 00:00:00 2001 From: TredwellGit Date: Sat, 11 Sep 2021 12:38:13 +0000 Subject: [PATCH 3/4] steam: fix steamwebhelper Fixes https://github.com/NixOS/nixpkgs/issues/137279 and https://github.com/ValveSoftware/steam-runtime/issues/462. (cherry picked from commit 64c6851fd3acb13440bbffccf1fe386702725291) --- pkgs/games/steam/fhsenv.nix | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/pkgs/games/steam/fhsenv.nix b/pkgs/games/steam/fhsenv.nix index f09330ccdde..ff3c574f068 100644 --- a/pkgs/games/steam/fhsenv.nix +++ b/pkgs/games/steam/fhsenv.nix @@ -100,6 +100,11 @@ in buildFHSUserEnv rec { libva pipewire.lib + # steamwebhelper + harfbuzz + libthai + pango + # Not formally in runtime but needed by some games at-spi2-atk at-spi2-core # CrossCode 
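Review bot: The changed `pi-manage` line in the first privacyidea hunk still hard-codes `-u privacyidea`, while the `chown` and `createuser`/`createdb` lines of the same `preStart` use `${cfg.user}`. With a non-default `user`, the config file and database would belong to one account and `pi-manage` would run as another. I would write it as `pi-manage = "${config.security.sudo.package}/bin/sudo -u ${cfg.user} -HE ${penv}/bin/pi-manage";`. `-E` also passes the unit's whole environment to the unprivileged process; if only `PRIVACYIDEA_CONFIGFILE` is needed, `--preserve-env=PRIVACYIDEA_CONFIGFILE` would narrow that, though the hunks do not show what else `pi-manage` reads. The `preStart` script starts and ends outside both hunks.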
@@ -114,7 +119,7 @@ in buildFHSUserEnv rec { xorg.libpciaccess udev # shadow of the tomb raider - ## screeps dependencies + # screeps dependencies gtk3 dbus zlib @@ -123,7 +128,6 @@ in buildFHSUserEnv rec { cairo freetype gdk-pixbuf - pango fontconfig # friends options won't display "Launch Game" without it @@ -188,7 +192,6 @@ in buildFHSUserEnv rec { nss fontconfig cairo - pango expat dbus cups From 042bd4f47b5467988ad12865b74521ccb03e19de Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Sun, 12 Sep 2021 23:14:22 +0200 Subject: [PATCH 4/4] nixos/kernel: add 5.14 to kernel test-suite Same as 2444c11431a37e04de025b63f6a12bdd05d2f4c1 on master. --- nixos/tests/kernel-generic.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/tests/kernel-generic.nix b/nixos/tests/kernel-generic.nix index 62d80db2915..2bd0c50e61c 100644 --- a/nixos/tests/kernel-generic.nix +++ b/nixos/tests/kernel-generic.nix @@ -32,6 +32,7 @@ with pkgs; { linux_5_4 = makeKernelTest "5.4" linuxPackages_5_4; linux_5_10 = makeKernelTest "5.10" linuxPackages_5_10; linux_5_13 = makeKernelTest "5.13" linuxPackages_5_13; + linux_5_14 = makeKernelTest "5.14" linuxPackages_5_14; linux_testing = makeKernelTest "testing" linuxPackages_testing; }