diff --git a/pkgs/applications/gis/saga/default.nix b/pkgs/applications/gis/saga/default.nix index feb79f444b8..90e7af9944d 100644 --- a/pkgs/applications/gis/saga/default.nix +++ b/pkgs/applications/gis/saga/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, gdal, wxGTK30, proj, libiodbc, lzma, jasper, +{ stdenv, fetchurl, gdal, wxGTK30, proj, libiodbc, lzma, libharu, opencv, vigra, postgresql, Cocoa, unixODBC , poppler, hdf4, hdf5, netcdf, sqlite, qhull, giflib }: @@ -9,7 +9,7 @@ stdenv.mkDerivation { # See https://groups.google.com/forum/#!topic/nix-devel/h_vSzEJAPXs # for why the have additional buildInputs on darwin buildInputs = [ gdal wxGTK30 proj libharu opencv vigra postgresql libiodbc lzma - jasper qhull giflib ] + qhull giflib ] ++ stdenv.lib.optionals stdenv.isDarwin [ Cocoa unixODBC poppler hdf4.out hdf5 netcdf sqlite ]; diff --git a/pkgs/applications/graphics/digikam/default.nix b/pkgs/applications/graphics/digikam/default.nix index 1fc15af7244..1d9b06de29f 100644 --- a/pkgs/applications/graphics/digikam/default.nix +++ b/pkgs/applications/graphics/digikam/default.nix @@ -26,7 +26,7 @@ , exiv2 , ffmpeg , flex -, jasper +, jasper ? null, withJpeg2k ? false # disable JPEG2000 support, jasper has unfixed CVE , lcms2 , lensfun , libgphoto2 @@ -70,7 +70,6 @@ mkDerivation rec { exiv2 ffmpeg flex - jasper lcms2 lensfun libgphoto2 @@ -103,7 +102,8 @@ mkDerivation rec { marble oxygen threadweaver - ]; + ] + ++ lib.optionals withJpeg2k [ jasper ]; enableParallelBuilding = true; diff --git a/pkgs/applications/misc/k2pdfopt/default.nix b/pkgs/applications/misc/k2pdfopt/default.nix index a2eba8e08c2..aedfff40d70 100644 --- a/pkgs/applications/misc/k2pdfopt/default.nix +++ b/pkgs/applications/misc/k2pdfopt/default.nix 
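Review bot: In digikam's argument list `jasper ? null` is paired with `withJpeg2k ? false`, but nothing visible ties the two together. A caller that sets `withJpeg2k = true` while the `null` default is in effect ends up with `lib.optionals withJpeg2k [ jasper ]` contributing a null, which as far as I can tell is accepted and yields a build without the requested JPEG2000 support rather than an error. An `assert withJpeg2k -> jasper != null;` ahead of `mkDerivation` turns that into a clear evaluation failure. The same pattern appears in the libraw hunks (`stdenv.lib.optionals withJpeg2k [ jasper ]`) and in k2pdfopt's `enableJPEG2K ? false, jasper ? null`, where the matching line would be `assert enableJPEG2K -> jasper != null;`. The k2pdfopt use site and the digikam `mkDerivation` block both lie outside the hunks shown.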
@@ -3,7 +3,7 @@ , enableGSL ? true, gsl , enableGhostScript ? true, ghostscript , enableMuPDF ? true, mupdf -, enableJPEG2K ? true, jasper +, enableJPEG2K ? false, jasper ? null # disabled by default, jasper has unfixed CVE , enableDJVU ? true, djvulibre , enableGOCR ? false, gocr # Disabled by default due to crashes , enableTesseract ? true, leptonica, tesseract4 diff --git a/pkgs/applications/video/kodi/default.nix b/pkgs/applications/video/kodi/default.nix index 8edc99c5f02..0302dd24646 100644 --- a/pkgs/applications/video/kodi/default.nix +++ b/pkgs/applications/video/kodi/default.nix @@ -9,7 +9,7 @@ , libXinerama, libXrandr , libXtst, libXfixes, systemd , alsaLib, libGLU, libGL, glew, fontconfig, freetype, ftgl -, libjpeg, jasper, libpng, libtiff +, libjpeg, libpng, libtiff , libmpeg2, libsamplerate, libmad , libogg, libvorbis, flac, libxslt , lzo, libcdio, libmodplug, libass, libbluray @@ -157,7 +157,7 @@ in stdenv.mkDerivation { libX11 xorgproto libXt libXmu libXext libXinerama libXrandr libXtst libXfixes alsaLib libGL libGLU glew fontconfig freetype ftgl - libjpeg jasper libpng libtiff + libjpeg libpng libtiff libmpeg2 libsamplerate libmad libogg libvorbis flac libxslt systemd lzo libcdio libmodplug libass libbluray diff --git a/pkgs/development/libraries/gdk-pixbuf/default.nix b/pkgs/development/libraries/gdk-pixbuf/default.nix index f4c554395d4..9c2da3c5b69 100644 --- a/pkgs/development/libraries/gdk-pixbuf/default.nix +++ b/pkgs/development/libraries/gdk-pixbuf/default.nix @@ -1,6 +1,6 @@ { stdenv, fetchurl, nixosTests, fixDarwinDylibNames, meson, ninja, pkgconfig, gettext, python3, libxml2, libxslt, docbook_xsl , docbook_xml_dtd_43, gtk-doc, glib, libtiff, libjpeg, libpng, libX11, gnome3 -, jasper, gobject-introspection, doCheck ? false, makeWrapper }: +, gobject-introspection, doCheck ? false, makeWrapper }: let pname = "gdk-pixbuf"; 
@@ -31,11 +31,10 @@ in stdenv.mkDerivation rec { ] ++ stdenv.lib.optional stdenv.isDarwin fixDarwinDylibNames; - propagatedBuildInputs = [ glib libtiff libjpeg libpng jasper ]; + propagatedBuildInputs = [ glib libtiff libjpeg libpng ]; mesonFlags = [ "-Ddocs=true" - "-Djasper=true" "-Dx11=true" "-Dgir=${if gobject-introspection != null then "true" else "false"}" "-Dgio_sniffing=false" diff --git a/pkgs/development/libraries/grib-api/default.nix b/pkgs/development/libraries/grib-api/default.nix index 38243ce5a6d..0c9e4bf3156 100644 --- a/pkgs/development/libraries/grib-api/default.nix +++ b/pkgs/development/libraries/grib-api/default.nix @@ -1,5 +1,5 @@ -{ fetchurl, stdenv, - cmake, netcdf, gfortran, jasper, libpng, +{ fetchurl, fetchpatch, stdenv, + cmake, netcdf, gfortran, libpng, openjpeg, enablePython ? false, pythonPackages }: stdenv.mkDerivation rec{ @@ -11,6 +11,13 @@ stdenv.mkDerivation rec{ sha256 = "0qbj12ap7yy2rl1pq629chnss2jl73wxdj1lwzv0xp87r6z5qdfl"; }; + patches = [ + (fetchpatch { + url = "https://salsa.debian.org/science-team/grib-api/raw/debian/1.28.0-2/debian/patches/openjpeg2.patch"; + sha256 = "05faxh51vlidiazxq1ssd3k4cjivk1adyn30k94mxqa1xnb2r2pc"; + }) + ]; + preConfigure = '' # Fix "no member named 'inmem_' in 'jas_image_t'" substituteInPlace "src/grib_jasper_encoding.c" --replace "image.inmem_ = 1;" "" @@ -19,8 +26,8 @@ stdenv.mkDerivation rec{ buildInputs = [ cmake netcdf gfortran - jasper libpng + openjpeg ] ++ stdenv.lib.optionals enablePython [ pythonPackages.python ]; @@ -32,6 +39,7 @@ stdenv.mkDerivation rec{ cmakeFlags = [ "-DENABLE_PYTHON=${if enablePython then "ON" else "OFF"}" "-DENABLE_PNG=ON" "-DENABLE_FORTRAN=ON" + "-DOPENJPEG_INCLUDE_DIR=${openjpeg.dev}/include/${openjpeg.incDir}" ]; enableParallelBuilding = true; 
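Review bot: Dropping `"-Djasper=true"` from `mesonFlags` in gdk-pixbuf leaves the JPEG2000 loader to whatever the upstream meson option defaults to, and nothing in the expression records why it is gone. gdk-pixbuf decodes untrusted images for much of the desktop stack, so the choice is worth pinning with `"-Djasper=false"` and a comment such as `# JPEG2000 loader disabled: jasper has unfixed CVEs`. That keeps the loader from being re-enabled by accident on a later update. The `mkDerivation` block continues outside the hunk.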
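Review bot: The `preConfigure` context just below the new `patches` in grib-api still runs `substituteInPlace "src/grib_jasper_encoding.c"` under the comment about `jas_image_t`. That looks like a leftover now that `jasper` is replaced by `openjpeg` in `buildInputs`. If the Debian `openjpeg2.patch` leaves the jasper encoder unused, remove the substitution; otherwise keep it with a comment saying why it is still needed. A comment above the `fetchpatch`, such as `# build JPEG2000 support against openjpeg; jasper has unfixed CVEs`, would also tell whoever bumps the version that the patch is security-relevant. The `preConfigure` string ends outside the hunk.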
@@ -52,13 +60,15 @@ stdenv.mkDerivation rec{ homepage = https://software.ecmwf.int/wiki/display/GRIB/Home; license = licenses.asl20; platforms = with platforms; linux ++ darwin; - description = "ECMWF Library for the GRIB file format"; + description = "ECMWF Library for the GRIB file format -- DEPRECATED"; longDescription = '' The ECMWF GRIB API is an application program interface accessible from C, FORTRAN and Python programs developed for encoding and decoding WMO FM-92 GRIB edition 1 and edition 2 messages. + + Please note: GRIB-API support is being discontinued at the end of 2018. + After which there will be no further releases. Please upgrade to ecCodes ''; maintainers = with maintainers; [ knedlsepp ]; }; } - diff --git a/pkgs/development/libraries/jasper/default.nix b/pkgs/development/libraries/jasper/default.nix index 1bad3394b6a..093fd0c5f28 100644 --- a/pkgs/development/libraries/jasper/default.nix +++ b/pkgs/development/libraries/jasper/default.nix @@ -42,5 +42,10 @@ stdenv.mkDerivation rec { platforms = platforms.unix; license = licenses.jasper; maintainers = with maintainers; [ pSub ]; + knownVulnerabilities = [ + "Numerous CVE unsolved upstream" + "See: https://github.com/NixOS/nixpkgs/pull/57681#issuecomment-475857499" + "See: https://github.com/mdadams/jasper/issues/208" + ]; }; } diff --git a/pkgs/development/libraries/libicns/default.nix b/pkgs/development/libraries/libicns/default.nix index 298d6124505..27ec8b17c0d 100644 --- a/pkgs/development/libraries/libicns/default.nix +++ b/pkgs/development/libraries/libicns/default.nix 
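Review bot: The new `knownVulnerabilities` list for jasper names no specific CVE, and two of its three entries are `See:` links that will be reported as if each were a separate vulnerability. Someone deciding whether to add jasper to `permittedInsecurePackages` is better served by concrete identifiers, as the dcraw hunk in this same change provides. The two URLs could be folded into one explanatory entry or moved to a comment above the list. No identifiers are proposed here because none are visible in this diff; they would have to come from the linked upstream issue.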
@@ -1,14 +1,24 @@ -{ stdenv, fetchurl, libpng, jasper }: +{ stdenv, fetchurl, fetchpatch, autoreconfHook, libpng, openjpeg }: stdenv.mkDerivation rec { - name = "libicns-0.8.1"; + pname = "libicns"; + version = "0.8.1"; src = fetchurl { - url = "mirror://sourceforge/icns/${name}.tar.gz"; + url = "mirror://sourceforge/icns/${pname}-${version}.tar.gz"; sha256 = "1hjm8lwap7bjyyxsyi94fh5817xzqhk4kb5y0b7mb6675xw10prk"; }; - buildInputs = [ libpng jasper ]; + patches = [ + (fetchpatch { + url = "https://sources.debian.org/data/main/libi/libicns/0.8.1-3.1/debian/patches/support-libopenjp2.patch"; + sha256 = "0ss298lyzvydxvaxsadi6kbbjpwykd86jw3za76brcsg2dpssgas"; + }) + ]; + + nativeBuildInputs = [ autoreconfHook ]; + buildInputs = [ libpng openjpeg ]; + NIX_CFLAGS_COMPILE = [ "-I${openjpeg.dev}/include/${openjpeg.incDir}" ]; meta = with stdenv.lib; { description = "Library for manipulation of the Mac OS icns resource format"; diff --git a/pkgs/development/libraries/libraw/default.nix b/pkgs/development/libraries/libraw/default.nix index 62fa8c1a675..00288e359df 100644 --- a/pkgs/development/libraries/libraw/default.nix +++ b/pkgs/development/libraries/libraw/default.nix @@ -1,4 +1,7 @@ -{ stdenv, fetchurl, lcms2, jasper, pkgconfig }: +{ stdenv, fetchurl, lcms2, pkgconfig +, jasper ? null, withJpeg2k ? false +# disable JPEG2000 support by default as jasper has many CVE +}: stdenv.mkDerivation rec { pname = "libraw"; @@ -11,7 +14,7 @@ stdenv.mkDerivation rec { outputs = [ "out" "lib" "dev" "doc" ]; - buildInputs = [ jasper ]; + buildInputs = stdenv.lib.optionals withJpeg2k [ jasper ]; propagatedBuildInputs = [ lcms2 ]; diff --git a/pkgs/development/libraries/opencv/3.x.nix b/pkgs/development/libraries/opencv/3.x.nix index 874f9535759..97df84637ef 100644 --- a/pkgs/development/libraries/opencv/3.x.nix +++ b/pkgs/development/libraries/opencv/3.x.nix 
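Review bot: Nothing beside the new `patches` entry in libicns says that `support-libopenjp2.patch` is what moves JPEG2000 decoding of icns files off jasper, so a later version bump may drop it as an obsolete distro patch. Add a comment above the `fetchpatch`, for example `# switch JPEG2000 decoding from jasper (unfixed CVEs) to openjpeg`. `NIX_CFLAGS_COMPILE` deserves a short comment too, since it appears to exist only to make the openjpeg headers under `${openjpeg.incDir}` visible to the patched code.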
@@ -9,7 +9,7 @@ , enableTIFF ? true, libtiff , enableWebP ? true, libwebp , enableEXR ? !stdenv.isDarwin, openexr, ilmbase -, enableJPEG2K ? true, jasper +, enableJPEG2K ? false, jasper # disable jasper by default (many CVE) , enableEigen ? true, eigen , enableOpenblas ? true, openblas , enableContrib ? true diff --git a/pkgs/development/libraries/opencv/4.x.nix b/pkgs/development/libraries/opencv/4.x.nix index a5eb1029ad9..408368b89c4 100644 --- a/pkgs/development/libraries/opencv/4.x.nix +++ b/pkgs/development/libraries/opencv/4.x.nix @@ -9,7 +9,7 @@ , enableTIFF ? true, libtiff , enableWebP ? true, libwebp , enableEXR ? !stdenv.isDarwin, openexr, ilmbase -, enableJPEG2K ? true, jasper +, enableJPEG2K ? false, jasper # disable jasper by default (many CVE) , enableEigen ? true, eigen , enableOpenblas ? true, openblas , enableContrib ? true diff --git a/pkgs/development/libraries/opencv/default.nix b/pkgs/development/libraries/opencv/default.nix index b91a1489eb6..db8a5e5a41b 100644 --- a/pkgs/development/libraries/opencv/default.nix +++ b/pkgs/development/libraries/opencv/default.nix @@ -6,7 +6,7 @@ , enablePNG ? true, libpng , enableTIFF ? true, libtiff , enableEXR ? (!stdenv.isDarwin), openexr, ilmbase -, enableJPEG2K ? true, jasper +, enableJPEG2K ? false, jasper # disable jasper by default (many CVE) , enableFfmpeg ? false, ffmpeg , enableGStreamer ? false, gst_all_1 , enableEigen ? true, eigen diff --git a/pkgs/development/libraries/openscenegraph/default.nix b/pkgs/development/libraries/openscenegraph/default.nix index 9be5018dc29..b12ca67655b 100644 --- a/pkgs/development/libraries/openscenegraph/default.nix +++ b/pkgs/development/libraries/openscenegraph/default.nix 
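Review bot: Flipping `enableJPEG2K` to `false` in opencv/3.x.nix only guarantees that the nixpkgs `jasper` is no longer a build input. OpenCV also carries its own copy of libjasper under `3rdparty`, and whether that copy is compiled depends on cmake flags outside this hunk. Check that the expression passes `-DWITH_JASPER=OFF` (and does not enable `BUILD_JASPER`) when `enableJPEG2K` is false, otherwise the same decoder may still be linked in from the vendored source. The identical hunks in 4.x.nix and default.nix need the same check.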
@@ -2,7 +2,7 @@ libX11, libXinerama, libXrandr, libGLU, libGL, glib, ilmbase, libxml2, pcre, zlib, jpegSupport ? true, libjpeg, - jasperSupport ? true, jasper, + jasperSupport ? false, jasper, # disable jasper by default (many CVE) exrSupport ? false, openexr, gifSupport ? true, giflib, pngSupport ? true, libpng, diff --git a/pkgs/tools/graphics/dcraw/default.nix b/pkgs/tools/graphics/dcraw/default.nix index e4ceff36f92..11ff4b743dd 100644 --- a/pkgs/tools/graphics/dcraw/default.nix +++ b/pkgs/tools/graphics/dcraw/default.nix @@ -4,7 +4,7 @@ stdenv.mkDerivation rec { name = "dcraw-9.28.0"; src = fetchurl { - url = "https://www.cybercom.net/~dcoffin/dcraw/archive/${name}.tar.gz"; + url = "https://www.dechifro.org/dcraw/archive/${name}.tar.gz"; sha256 = "1fdl3xa1fbm71xzc3760rsjkvf0x5jdjrvdzyg2l9ka24vdc7418"; }; @@ -23,10 +23,17 @@ stdenv.mkDerivation rec { ''; meta = { - homepage = http://www.cybercom.net/~dcoffin/dcraw/; + homepage = https://www.dechifro.org/dcraw/; description = "Decoder for many camera raw picture formats"; license = stdenv.lib.licenses.free; platforms = stdenv.lib.platforms.unix; # Once had cygwin problems maintainers = [ ]; + knownVulnerabilities = [ + "CVE-2018-19655" + "CVE-2018-19565" + "CVE-2018-19566" + "CVE-2018-19567" + "CVE-2018-19568" + ]; }; }