From fc4cae6760b263314dcd50337dac16feae263535 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Sat, 18 Sep 2021 13:17:36 +0100
Subject: [PATCH 1/4] gd: 2.3.0 -> 2.3.3 remove now-included patch this partially resolves CVE-2021-40812
(cherry picked from commit d6f49708212822b6a3c0fe598f3a20abf8676990)
---
 pkgs/development/libraries/gd/default.nix | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)
diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix
index 36a93095603..6a27c32a5d2 100644
--- a/pkgs/development/libraries/gd/default.nix
+++ b/pkgs/development/libraries/gd/default.nix
@@ -14,27 +14,14 @@ stdenv.mkDerivation rec {
 pname = "gd";
- version = "2.3.0";
+ version = "2.3.3";
 src = fetchurl {
 url = "https://github.com/libgd/libgd/releases/download/${pname}-${version}/libgd-${version}.tar.xz";
- sha256 = "0n5czhxzinvjvmhkf5l9fwjdx5ip69k5k7pj6zwb6zs1k9dibngc";
+ sha256 = "0qas3q9xz3wgw06dm2fj0i189rain6n60z1vyq50d5h7wbn25s1z";
 };
 hardeningDisable = [ "format" ];
- patches = [
- # Fixes an issue where some other packages would fail to build
- # their documentation with an error like:
- # "Error: Problem doing text layout"
- #
- # Can be removed if Wayland can still be built successfully with
- # documentation.
- (fetchpatch {
- url = "https://github.com/libgd/libgd/commit/3dd0e308cbd2c24fde2fc9e9b707181252a2de95.patch";
- excludes = [ "tests/gdimagestringft/.gitignore" ];
- sha256 = "12iqlanl9czig9d7c3rvizrigw2iacimnmimfcny392dv9iazhl1";
- })
- ];
 # -pthread gets passed to clang, causing warnings
 configureFlags = lib.optional stdenv.isDarwin "--enable-werror=no";
From dfe2998cba241f28469396264870a1f4ac576c87 Mon Sep 17 00:00:00 2001
From: adisbladis
Date: Thu, 2 Sep 2021 13:57:53 -0500
Subject: [PATCH 2/4] qt5.qtbase: Enable parallel building
(cherry picked from commit 54a62ba0080cc5d40567dc0f492389e199c6e3a9)
---
 pkgs/development/libraries/qt-5/modules/qtbase.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/qt-5/modules/qtbase.nix b/pkgs/development/libraries/qt-5/modules/qtbase.nix
index 0d0bef342b0..2536e03bc75 100644
--- a/pkgs/development/libraries/qt-5/modules/qtbase.nix
+++ b/pkgs/development/libraries/qt-5/modules/qtbase.nix
@@ -94,6 +94,8 @@ stdenv.mkDerivation { propagatedNativeBuildInputs = [ lndir ]; + enableParallelBuilding = true; + outputs = [ "bin" "dev" "out" ]; inherit patches;
From e0bcfe1ae3a1466103b6b12e79f541ea2dd14a9d Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Wed, 22 Sep 2021 00:31:09 +0100
Subject: [PATCH 3/4] Revert "[Backport staging-21.05] gd: 2.3.0 -> 2.3.3"
---
 pkgs/development/libraries/gd/default.nix | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix
index 6a27c32a5d2..36a93095603 100644
--- a/pkgs/development/libraries/gd/default.nix
+++ b/pkgs/development/libraries/gd/default.nix
@@ -14,14 +14,27 @@ stdenv.mkDerivation rec {
 pname = "gd";
- version = "2.3.3";
+ version = "2.3.0";
 src = fetchurl {
 url = "https://github.com/libgd/libgd/releases/download/${pname}-${version}/libgd-${version}.tar.xz";
- sha256 = "0qas3q9xz3wgw06dm2fj0i189rain6n60z1vyq50d5h7wbn25s1z";
+ sha256 = "0n5czhxzinvjvmhkf5l9fwjdx5ip69k5k7pj6zwb6zs1k9dibngc";
 };
 hardeningDisable = [ "format" ];
+ patches = [
+ # Fixes an issue where some other packages would fail to build
+ # their documentation with an error like:
+ # "Error: Problem doing text layout"
+ #
+ # Can be removed if Wayland can still be built successfully with
+ # documentation.
+ (fetchpatch {
+ url = "https://github.com/libgd/libgd/commit/3dd0e308cbd2c24fde2fc9e9b707181252a2de95.patch";
+ excludes = [ "tests/gdimagestringft/.gitignore" ];
+ sha256 = "12iqlanl9czig9d7c3rvizrigw2iacimnmimfcny392dv9iazhl1";
+ })
+ ];
 # -pthread gets passed to clang, causing warnings
 configureFlags = lib.optional stdenv.isDarwin "--enable-werror=no";
From 67d593a330ebf918b44d0e108e7bd818a6e00553 Mon Sep 17 00:00:00 2001
From: TredwellGit
Date: Wed, 22 Sep 2021 14:28:33 +0000
Subject: [PATCH 4/4] ffmpeg: patch CVE-2021-38171 and CVE-2021-38291 https://nvd.nist.gov/vuln/detail/CVE-2021-38171 https://nvd.nist.gov/vuln/detail/CVE-2021-38291
(cherry picked from commit b1f41c918452b0b6a8d7afb14a04063ff56556df)
---
 pkgs/development/libraries/ffmpeg/4.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/pkgs/development/libraries/ffmpeg/4.nix b/pkgs/development/libraries/ffmpeg/4.nix
index f3758ca5392..14405f40f67 100644
--- a/pkgs/development/libraries/ffmpeg/4.nix
+++ b/pkgs/development/libraries/ffmpeg/4.nix
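Review bot: In pkgs/development/libraries/gd/default.nix, the restored `version = "2.3.0";` brings back the release that patch 1/4 of this series moved away from to partially resolve CVE-2021-40812, and the revert's message gives no reason for going back. Nothing in the restored lines records that the pin is deliberate or that the CVE is open again on this branch, so a later reader cannot tell a known regression from an oversight. I would add a comment directly above the version line, for example `# Held at 2.3.0: the 2.3.3 bump (CVE-2021-40812) was reverted because <REASON OR ISSUE LINK>; re-apply once that is resolved.` Since patches 1/4 and 3/4 appear to cancel each other exactly, it may also be cleaner to drop both from the series. The derivation body continues outside the hunk.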
@@ -23,6 +23,16 @@ callPackage ./generic.nix (rec {
 url = "https://github.com/FFmpeg/FFmpeg/commit/7150f9575671f898382c370acae35f9087a30ba1.patch";
 sha256 = "0gwkc7v1wsh4j0am2nnskhsca1b5aqzhcfd41sd9mh2swsdyf27i";
 })
+ (fetchpatch {
+ name = "CVE-2021-38171.patch";
+ url = "https://github.com/FFmpeg/FFmpeg/commit/9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6.patch";
+ sha256 = "0b8hsb45izw7w1vb2b94k9f6kvn2shxrap5ip1krdxg6hs7an0x8";
+ })
+ (fetchpatch {
+ name = "CVE-2021-38291.patch";
+ url = "https://github.com/FFmpeg/FFmpeg/commit/e01d306c647b5827102260b885faa223b646d2d1.patch";
+ sha256 = "0p2p8gcnb5j469xa3czfssm09w3jk08kz8rnl8wi2l9aj9l08my9";
+ })
 # Fix incorrect segment length in HLS child playlist with fmp4 segment format
 # FIXME remove in version 4.5
 # https://trac.ffmpeg.org/ticket/9193
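Review bot: The two added `fetchpatch` entries carry no comment, unlike the entry that follows them, so the advisory links live only in the commit message and nothing in the file says when the patches can be dropped. I would put `# https://nvd.nist.gov/vuln/detail/CVE-2021-38171` above the first entry and the matching CVE-2021-38291 link above the second, each with `# FIXME remove once the packaged FFmpeg release contains this commit`, in the style of the existing `FIXME remove in version 4.5`. Both entries are pinned by `sha256` and named after their CVE, which keeps the fetch reproducible and makes the fix easy to find in an audit. The fix only reaches derivations built from 4.nix; any other FFmpeg package in the tree that does not go through this file would presumably need the same two patches, which this diff does not show. The patches list opens before the hunk and continues after it.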