From 23edc9cf14d3a7c427abfb69fe8b542ed5bf0365 Mon Sep 17 00:00:00 2001 From: Dima Date: Mon, 21 Oct 2019 20:40:12 +0200 Subject: [PATCH 1/2] pango: 1.43.0 -> 1.44.6, fixes CVE-2019-1010238 Bumping version to incorporate a security fix. Addresses: https://github.com/NixOS/nixpkgs/issues/70120 Upstream fix: https://gitlab.gnome.org/GNOME/pango/commit/490f8979a260c16b1df055eab386345da18a2d54 Additional change required to build docs: https://gitlab.gnome.org/GNOME/pango/commit/71461689b0e34d873018d46bff555475019fbf4a The dropped patch is already incorporated into the version. --- pkgs/development/libraries/pango/default.nix | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/pkgs/development/libraries/pango/default.nix b/pkgs/development/libraries/pango/default.nix index 0f84b382f4d..05260ee427b 100644 --- a/pkgs/development/libraries/pango/default.nix +++ b/pkgs/development/libraries/pango/default.nix @@ -9,13 +9,13 @@ with stdenv.lib; let pname = "pango"; - version = "1.43.0"; + version = "1.44.6"; in stdenv.mkDerivation rec { name = "${pname}-${version}"; src = fetchurl { url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${name}.tar.xz"; - sha256 = "1lnxldmv1a12dq5h0dlq5jyzl4w75k76dp8cn360x2ijlm9w5h6j"; + sha256 = "0v7qq3fv1c0dl80d4qxsvd6cmhh4ngih3w0zc40f4dw7hfx427iy"; }; # FIXME: docs fail on darwin @@ -36,16 +36,8 @@ in stdenv.mkDerivation rec { propagatedBuildInputs = [ cairo glib libintl ] ++ optional x11Support libXft; - patches = [ - (fetchpatch { - # Add gobject-2 to .pc file - url = "https://gitlab.gnome.org/GNOME/pango/commit/546f4c242d6f4fe312de3b7c918a848e5172e18d.patch"; - sha256 = "1cqhy4xbwx3ad7z5d1ks7smf038b9as8c6qy84rml44h0fgiq4m2"; - }) - ]; - mesonFlags = [ - "-Denable_docs=${if stdenv.isDarwin then "false" else "true"}" + "-Dgtk_doc=${if stdenv.isDarwin then "false" else "true"}" ]; enableParallelBuilding = true; From db174675f153a7d35ac4633d5bca9986ece36d6a Mon Sep 17 00:00:00 2001 
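Review bot: The `-Dgtk_doc` flag in the second hunk of this patch spells out `if stdenv.isDarwin then "false" else "true"` by hand. With `stdenv.lib` already in scope (the file uses `optional` unqualified), it reads more directly as `"-Dgtk_doc=${boolToString (!stdenv.isDarwin)}"`. That form also matches the `!stdenv.isDarwin` condition used for the `devdoc` output, visible as context in the following patch, so the two Darwin switches stay visibly in step. The derivation body starts and ends outside the hunk.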
From: Dima Date: Tue, 22 Oct 2019 00:49:21 +0200 Subject: [PATCH 2/2] pulling PangoFontsetSimple patch and propagating harfbuzz --- pkgs/development/libraries/pango/default.nix | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/pango/default.nix b/pkgs/development/libraries/pango/default.nix index 05260ee427b..073dc38bb09 100644 --- a/pkgs/development/libraries/pango/default.nix +++ b/pkgs/development/libraries/pango/default.nix @@ -18,6 +18,15 @@ in stdenv.mkDerivation rec { sha256 = "0v7qq3fv1c0dl80d4qxsvd6cmhh4ngih3w0zc40f4dw7hfx427iy"; }; + # 1.44.6-2 is not available from the usual mirrors yet, + # so applying from gitlab + patches = [ + (fetchpatch { + url = "https://gitlab.gnome.org/GNOME/pango/commit/8a408d4f25ddb0e3d6020cdde0cd8f8a19ee8db2.patch"; + sha256 = "0l0hxwbijqrfvka302ijgih9jafc2ffs3d6d4v7bwynpn54lmza7"; + }) + ]; + # FIXME: docs fail on darwin outputs = [ "bin" "dev" "out" ] ++ optional (!stdenv.isDarwin) "devdoc"; @@ -26,14 +35,14 @@ in stdenv.mkDerivation rec { pkgconfig gobject-introspection gtk-doc docbook_xsl docbook_xml_dtd_43 ]; buildInputs = [ - harfbuzz fribidi + fribidi ] ++ optionals stdenv.isDarwin (with darwin.apple_sdk.frameworks; [ ApplicationServices Carbon CoreGraphics CoreText ]); - propagatedBuildInputs = [ cairo glib libintl ] ++ + propagatedBuildInputs = [ cairo glib libintl harfbuzz ] ++ optional x11Support libXft; mesonFlags = [
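Review bot: The comment above the added `patches` list says where the patch comes from, but not what it fixes or when it can be removed, so a later version bump has no cue to drop or keep it. The commit subject calls it the PangoFontsetSimple patch; recording that in the file keeps the intent next to the pin, for example `# PangoFontsetSimple fix from upstream commit 8a408d4f; drop once a release containing it is on the mirrors`. The URL is commit-addressed and the `sha256` fixes the fetched content, which is the right shape for a patch carried outside the release tarball. The enclosing `mkDerivation` body starts and ends outside the hunk.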
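Review bot: The move of `harfbuzz` from `buildInputs` to `propagatedBuildInputs` in the second hunk of this patch is not explained in the file or in the commit message. Presumably pango 1.44's public headers or its `.pc` file now require harfbuzz, which would make propagation necessary for dependents. That should be confirmed and recorded, e.g. `# consumers of pango's headers/.pc file need harfbuzz since 1.44`. Without the reason in place, a later cleanup could move it back to `buildInputs` and break downstream builds. The derivation continues past the end of the hunk.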