diff --git a/pkgs/applications/editors/emacs/elisp-packages/elpa-packages.nix b/pkgs/applications/editors/emacs/elisp-packages/elpa-packages.nix
index 02a9a6e6562..0b8929d5127 100644
--- a/pkgs/applications/editors/emacs/elisp-packages/elpa-packages.nix
+++ b/pkgs/applications/editors/emacs/elisp-packages/elpa-packages.nix
@@ -21,7 +21,7 @@ formats commits for you.
 */
-{ lib, stdenv, texinfo, writeText }:
+{ lib, stdenv, buildPackages, texinfo, writeText }:
 self: let
@@ -41,7 +41,10 @@ self: let
 }: let
 imported = import generated {
- inherit (self) callPackage;
+ callPackage = pkgs: args: self.callPackage pkgs (args // {
+ # Use custom elpa url fetcher with fallback/uncompress
+ fetchurl = buildPackages.callPackage ./fetchelpa.nix { };
+ });
 };
 super = removeAttrs imported [ "dash" ];
diff --git a/pkgs/applications/editors/emacs/elisp-packages/fetchelpa.nix b/pkgs/applications/editors/emacs/elisp-packages/fetchelpa.nix
new file mode 100644
index 00000000000..f4524f3b7a9
--- /dev/null
+++ b/pkgs/applications/editors/emacs/elisp-packages/fetchelpa.nix
@@ -0,0 +1,21 @@
+# Elpa only serves the latest version of a given package uncompressed.
+# Once that release is no longer the latest & greatest it gets archived and compressed
+# meaning that both the URL and the hash changes.
+#
+# To work around this issue we fall back to the URL with the .lz suffix and if that's the
+# one we downloaded we uncompress the file to ensure the hash matches regardless of compression.
+
+{ fetchurl, lzip }:
+
+{ url, ... }@args: fetchurl ((removeAttrs args [ "url" ]) // {
+ urls = [
+ url
+ (url + ".lz")
+ ];
+ postFetch = ''
+ if [[ $url == *.lz ]]; then
+ ${lzip}/bin/lzip -c -d $out > uncompressed
+ mv uncompressed $out
+ fi
+ '';
+})
diff --git a/pkgs/development/libraries/folly/default.nix b/pkgs/development/libraries/folly/default.nix
index 212b656adda..a80a5cd9f8f 100644
--- a/pkgs/development/libraries/folly/default.nix
+++ b/pkgs/development/libraries/folly/default.nix
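Review bot: In fetchelpa.nix the `postFetch` hook decides whether to decompress by matching the URL string (`[[ $url == *.lz ]]`) rather than the bytes that were actually written to `$out`, so if the plain URL ever answers with lzip content (a redirect to the archived file, say) the file is left compressed and the build dies with a hash mismatch instead of being repaired. Sniffing the lzip magic is as cheap and does not depend on which of the two `urls` won: `if [ "$(head -c 4 "$out")" = "LZIP" ]; then`. The header comment relies on the fixed-output hash being checked after `postFetch` has replaced `$out`, which keeps integrity intact, but it is worth stating there that `lzip -d` consequently runs on not-yet-verified network data (an accepted risk for a bounded decompressor, yet a reviewer should see it). Quoting `"$out"` in both commands would also match the shell style used elsewhere in nixpkgs fetchers.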
@@ -19,13 +19,13 @@
 stdenv.mkDerivation (rec {
 pname = "folly";
- version = "2021.01.25.00";
+ version = "2021.08.02.00";
 src = fetchFromGitHub {
 owner = "facebook";
 repo = "folly";
 rev = "v${version}";
- sha256 = "sha256-n2cpXdjPZYNjvSHBZFFn3JFwqYCFWc8qSKwet80LtJE=";
+ sha256 = "sha256-Y2CqPlhbfC++udbbURnI9mvRZswC8kmikp1HY0qJz4k=";
 };
 nativeBuildInputs = [
diff --git a/pkgs/development/libraries/ndpi/3.4-CVE-2021-36082.patch b/pkgs/development/libraries/ndpi/3.4-CVE-2021-36082.patch
new file mode 100644
index 00000000000..192605917ab
--- /dev/null
+++ b/pkgs/development/libraries/ndpi/3.4-CVE-2021-36082.patch
@@ -0,0 +1,101 @@ +Based on upstream https://github.com/ntop/nDPI/commit/1ec621c85b9411cc611652fd57a892cfef478af3 +adapted by ris to apply to ndpi 3.4 + +diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c +index 1f3850cb..0d3b705f 100644 +--- a/src/lib/protocols/netbios.c ++++ b/src/lib/protocols/netbios.c +@@ -42,7 +42,7 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len + int ret = 0, len, idx = inlen; + char *b; + +- len = (*in++)/2; ++ len = (*in++)/2, inlen--; + b = out; + *out = 0; + + +diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c +index 5b572cae..304d5799 100644 +--- a/src/lib/protocols/tls.c ++++ b/src/lib/protocols/tls.c +@@ -994,21 +994,23 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, + i += 4 + extension_len, offset += 4 + extension_len; + } + +- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); ++ ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version); + +- for(i=0; i 0) ? "-" : "", ja3.cipher[i]); ++ for(i=0; (i ja3_str_len); i++) { ++ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]); + + if(rc <= 0) break; else ja3_str_len += rc; + } + +- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); ++ if(JA3_STR_LEN > ja3_str_len) { ++ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ","); + if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; ++ } + + /* ********** */ + +- for(i=0; i 0) ? "-" : "", ja3.tls_extension[i]); ++ for(i=0; (i ja3_str_len); i++) { ++ int rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? 
"-" : "", ja3.tls_extension[i]); + + if(rc <= 0) break; else ja3_str_len += rc; + } +@@ -1443,41 +1445,41 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, + int rc; + + compute_ja3c: +- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); ++ ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version); + + for(i=0; i 0) ? "-" : "", ja3.cipher[i]); + if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; + } + +- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); ++ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ","); + if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; + + /* ********** */ + + for(i=0; i 0) ? "-" : "", ja3.tls_extension[i]); + if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; + } + +- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); ++ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ","); + if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; + + /* ********** */ + + for(i=0; i 0) ? "-" : "", ja3.elliptic_curve[i]); + if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; + } + +- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); ++ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ","); + if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; + + for(i=0; i 0) ? "-" : "", ja3.elliptic_curve_point_format[i]); + if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break; + } diff --git a/pkgs/development/libraries/ndpi/default.nix b/pkgs/development/libraries/ndpi/default.nix index c3df23052e2..c2cd1fca699 100644 --- a/pkgs/development/libraries/ndpi/default.nix +++ b/pkgs/development/libraries/ndpi/default.nix 
@@ -14,6 +14,10 @@ stdenv.mkDerivation {
 sha256 = "0xjh9gv0mq0213bjfs5ahrh6m7l7g99jjg8104c0pw54hz0p5pq1";
 };
+ patches = [
+ ./3.4-CVE-2021-36082.patch
+ ];
+
 configureScript = "./autogen.sh";
 nativeBuildInputs = [which autoconf automake libtool];
diff --git a/pkgs/development/python-modules/yamale/default.nix b/pkgs/development/python-modules/yamale/default.nix
index 9b2c7b116c6..5d292644139 100644
--- a/pkgs/development/python-modules/yamale/default.nix
+++ b/pkgs/development/python-modules/yamale/default.nix
@@ -9,7 +9,7 @@
 buildPythonPackage rec {
 pname = "yamale";
- version = "3.0.4";
+ version = "3.0.8";
 disabled = !isPy3k;
@@ -17,7 +17,7 @@ buildPythonPackage rec {
 owner = "23andMe";
 repo = pname;
 rev = version;
- sha256 = "1xjvah4r3gpwk4zxql3c9jpllb34k175fm6iq1zvsd2vv2fwf8s2";
+ sha256 = "0bn0himn5fwndaxn205s55bdc4np7lhd940i0lkv0m7ybhbw7dap";
 };
 propagatedBuildInputs = [
@@ -28,6 +28,7 @@ buildPythonPackage rec {
 checkInputs = [ pytest ];
+ pythonImportsCheck = [ "yamale" ];
 meta = with lib; {
 description = "A schema and validator for YAML";
diff --git a/pkgs/os-specific/linux/openvswitch/default.nix b/pkgs/os-specific/linux/openvswitch/default.nix
index 5faccc14ce7..8222c155878 100644
--- a/pkgs/os-specific/linux/openvswitch/default.nix
+++ b/pkgs/os-specific/linux/openvswitch/default.nix
@@ -1,5 +1,5 @@
-{ lib, stdenv, fetchurl, makeWrapper, pkg-config, util-linux, which
-, procps, libcap_ng, openssl, python3 , perl
+{ lib, stdenv, fetchurl, fetchpatch, makeWrapper, pkg-config, util-linux, which
+, procps, libcap_ng, openssl, python3, perl, autoconf, automake, libtool
 , kernel ? null }:
 with lib;
@@ -16,9 +16,22 @@ in stdenv.mkDerivation rec {
 sha256 = "sha256-ZfQg+VTiUNiV+y2yKhMuHLVgvF4rkFHoNFETSBCOWXo=";
 };
+ patches = [
+ (fetchpatch {
+ name = "CVE-2021-36980.patch";
+ url = "https://github.com/openvswitch/ovs/commit/8ce8dc34b5f73b30ce0c1869af9947013c3c6575.patch";
+ sha256 = "1iyaqkiwijl2djjvnnvykh95qlzgvn9hmpszrwzmhwvik5m7b6g6";
+ # we don't run the tests, and the binary example missing from the patch
+ # file upsets the build process
+ excludes = [ "tests/*" ];
+ })
+ ];
+
+ preConfigure = "./boot.sh";
+
 kernel = optional (_kernel != null) _kernel.dev;
- nativeBuildInputs = [ pkg-config makeWrapper ];
+ nativeBuildInputs = [ pkg-config makeWrapper autoconf automake libtool ];
 buildInputs = [ util-linux openssl libcap_ng pythonEnv perl procps which ];
diff --git a/pkgs/servers/mail/postsrsd/default.nix b/pkgs/servers/mail/postsrsd/default.nix
index b61332be243..67dbea9c470 100644
--- a/pkgs/servers/mail/postsrsd/default.nix
+++ b/pkgs/servers/mail/postsrsd/default.nix
@@ -2,13 +2,13 @@
 stdenv.mkDerivation rec {
 pname = "postsrsd";
- version = "1.10";
+ version = "1.11";
 src = fetchFromGitHub {
 owner = "roehling";
 repo = "postsrsd";
 rev = version;
- sha256 = "sha256-AqOHHOnGqOnIw5hPPiJjUJFiwngTux7gwn8qig0t7hs=";
+ sha256 = "sha256-M1VtH+AToLh9J4zwIznInfFJzqmKElTvqAgI+qqL+Lw=";
 };
 cmakeFlags = [ "-DGENERATE_SRS_SECRET=OFF" "-DINIT_FLAVOR=systemd" ];
diff --git a/pkgs/servers/matrix-synapse/0001-setup-add-homeserver-as-console-script.patch b/pkgs/servers/matrix-synapse/0001-setup-add-homeserver-as-console-script.patch
new file mode 100644
index 00000000000..eb70d21ed5c
--- /dev/null
+++ b/pkgs/servers/matrix-synapse/0001-setup-add-homeserver-as-console-script.patch
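Review bot: The new `preConfigure = "./boot.sh";` regenerates the entire autotools build system on every build, yet nothing in the hunk records why that became necessary alongside the CVE-2021-36980 patch — the only comment explains the `excludes`, not the bootstrap. A one-line comment above it, e.g. `# the CVE patch leaves the shipped configure stale, so regenerate it` (if that is indeed the reason), would keep the next version bump from dropping the line together with the three `autoconf automake libtool` entries it depends on. `excludes = [ "tests/*" ]` also means the regression test upstream shipped with the fix is not carried; that is consistent with the comment that tests are not run, but saying so explicitly makes the dropped coverage look deliberate rather than forgotten. Note too that fetchpatch's `sha256` is, as far as I recall, taken over the patch after exclusion, so any later change to that list needs a re-hash.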
@@ -0,0 +1,33 @@
+From 36ffbb7ad2c535180cae473b470a43f9db4fbdcd Mon Sep 17 00:00:00 2001
+From: Maximilian Bosch
+Date: Mon, 16 Aug 2021 13:27:28 +0200
+Subject: [PATCH] setup: add homeserver as console script
+
+With this change, it will be added to `$out/bin` in `nixpkgs` directly.
+This became necessary since our old workaround, calling it as script,
+doesn't work anymore since the shebangs were removed[1].
+
+[1] https://github.com/matrix-org/synapse/pull/10415
+---
+ setup.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/setup.py b/setup.py
+index c47856351..27f1d842c 100755
+--- a/setup.py
++++ b/setup.py
+@@ -133,6 +133,11 @@ setup(
+ long_description=long_description,
+ long_description_content_type="text/x-rst",
+ python_requires="~=3.6",
++ entry_points={
++ 'console_scripts': [
++ 'homeserver = synapse.app.homeserver:main'
++ ]
++ },
+ classifiers=[
+ "Development Status :: 5 - Production/Stable",
+ "Topic :: Communications :: Chat",
+--
+2.31.1
+
diff --git a/pkgs/servers/matrix-synapse/default.nix b/pkgs/servers/matrix-synapse/default.nix
index 9380a22dae8..b32af092ca9 100644
--- a/pkgs/servers/matrix-synapse/default.nix
+++ b/pkgs/servers/matrix-synapse/default.nix
@@ -24,16 +24,15 @@ let
 in with py.pkgs; buildPythonApplication rec {
 pname = "matrix-synapse";
- version = "1.39.0";
+ version = "1.40.0";
 src = fetchPypi {
 inherit pname version;
- sha256 = "sha256-dErfNHDUo0yGLbrRQdwbNkMVfnMfbrO3f7bsRwgRQMM=";
+ sha256 = "sha256-5RCeKTAtuFERQSoz4WinGz36tMuKtijnupPR/X02hCU=";
 };
 patches = [
- # adds an entry point for the service
- ./homeserver-script.patch
+ ./0001-setup-add-homeserver-as-console-script.patch
 ];
 buildInputs = [ openssl ];
diff --git a/pkgs/servers/matrix-synapse/homeserver-script.patch b/pkgs/servers/matrix-synapse/homeserver-script.patch
deleted file mode 100644
index 554a2c5f66c..00000000000
--- a/pkgs/servers/matrix-synapse/homeserver-script.patch
+++ /dev/null
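Review bot: The added `entry_points` block uses single-quoted strings (`'console_scripts'`, `'homeserver = synapse.app.homeserver:main'`) while every neighbouring line in the hunk uses double quotes (`python_requires="~=3.6"`, the classifier strings), so the patch will fight the project's formatter the moment anyone tries to upstream it; `"console_scripts": ["homeserver = synapse.app.homeserver:main"]` keeps it consistent and fits on one line. The patch also assumes `synapse.app.homeserver` exposes a module-level `main` callable — that module is outside the hunk, so a short comment next to the patch reference in default.nix naming the synapse version this was checked against would save the next bumper a guess.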
@@ -1,23 +0,0 @@
-diff --git a/homeserver b/homeserver
-new file mode 120000
-index 000000000..2f1d41351
---- /dev/null
-+++ b/homeserver
-@@ -0,0 +1 @@
-+synapse/app/homeserver.py
-\ No newline at end of file
-diff --git a/setup.py b/setup.py
-index 5ce06c898..f1ccd95bc 100755
---- a/setup.py
-+++ b/setup.py
-@@ -115,6 +115,6 @@ setup(
- "Programming Language :: Python :: 3.6",
- "Programming Language :: Python :: 3.7",
- ],
-- scripts=["synctl"] + glob.glob("scripts/*"),
-+ scripts=["synctl", "homeserver"] + glob.glob("scripts/*"),
- cmdclass={"test": TestCommand},
- )
---
-2.22.0
-
diff --git a/pkgs/top-level/emacs-packages.nix b/pkgs/top-level/emacs-packages.nix
index d168d34e373..c682a9da014 100644
--- a/pkgs/top-level/emacs-packages.nix
+++ b/pkgs/top-level/emacs-packages.nix
@@ -26,7 +26,7 @@ let
 mkElpaPackages = { pkgs, lib }: import ../applications/editors/emacs/elisp-packages/elpa-packages.nix {
- inherit (pkgs) stdenv texinfo writeText;
+ inherit (pkgs) stdenv texinfo writeText buildPackages;
 inherit lib;
 };