diff --git a/pkgs/applications/editors/vim/common.nix b/pkgs/applications/editors/vim/common.nix index 8b38e1c6e6e4a70..8a66a71bbe155c9 100644 --- a/pkgs/applications/editors/vim/common.nix +++ b/pkgs/applications/editors/vim/common.nix @@ -1,6 +1,6 @@ { lib, fetchFromGitHub }: rec { - version = "9.1.0377"; + version = "9.1.0707"; outputs = [ "out" "xxd" ]; @@ -8,7 +8,7 @@ rec { owner = "vim"; repo = "vim"; rev = "v${version}"; - hash = "sha256-cfN/QbnpWIQmLtpXWPc1JnaaX+J10ietObN/B9lE1F0="; + hash = "sha256-iHOLABPk5B7Sh7EBYnM7wdxnK2Wv7q4WS3FEp780SV4="; }; enableParallelBuilding = true; diff --git a/pkgs/applications/version-management/mercurial/default.nix b/pkgs/applications/version-management/mercurial/default.nix index b6bf52048f5e4f8..d9e80637367f072 100644 --- a/pkgs/applications/version-management/mercurial/default.nix +++ b/pkgs/applications/version-management/mercurial/default.nix @@ -1,4 +1,5 @@ { lib, stdenv, fetchurl, python3Packages, makeWrapper, gettext, installShellFiles +, fetchpatch , re2Support ? true # depends on rust-cpython which won't support python312 # https://github.com/dgrunwald/rust-cpython/commit/e815555629e557be084813045ca1ddebc2f76ef9 @@ -30,6 +31,14 @@ let hash = "sha256-911qSnWCOht9cTpJZ+yi9Zb0ZuWPxrwG1yZCky/X4wc="; }; + patches = lib.optionals (!python3Packages.isPy311) [ # avoid rebuild on 3.11 + (fetchpatch { + name = "circular-import.patch"; + url = "https://foss.heptapod.net/mercurial/mercurial-devel/-/commit/63ede7a43a3731fecc7e5b535144c6bd59911284.diff"; + hash = "sha256-qoqg1QCHhfzTXmp0sfJvsH2SCP+KRjuIy+TJZFHqAQw="; + }) + ]; + format = "other"; passthru = { inherit python; }; # pass it so that the same version can be used in hg2git diff --git a/pkgs/applications/video/handbrake/default.nix b/pkgs/applications/video/handbrake/default.nix index f3f6dacd4a540be..8b1dd0d4e8ed582 100644 --- a/pkgs/applications/video/handbrake/default.nix +++ b/pkgs/applications/video/handbrake/default.nix @@ -11,6 +11,7 @@ , lib , fetchFromGitHub , fetchpatch +, fetchpatch2 # For tests , testers , runCommand @@ -135,6 +136,12 @@ let "${src}/contrib/ffmpeg/A18-qsv-fix-decode-10bit-hdr.patch" "${src}/contrib/ffmpeg/A19-ffbuild-common-use-gzip-n-flag-for-cuda.patch" + + (fetchpatch2 { + name = "fix_vulkan_av1.patch"; + url = "https://git.ffmpeg.org/gitweb/ffmpeg.git/patch/e06ce6d2b45edac4a2df04f304e18d4727417d24"; + hash = "sha256-73mlX1rdJrguw7OXaSItfHtI7gflDrFj+7SepVvvUIg="; + }) ]; }); diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix index 7668c67b31e39f5..35a628d1f603567 100644 --- a/pkgs/data/misc/cacert/default.nix +++ b/pkgs/data/misc/cacert/default.nix @@ -20,7 +20,7 @@ let blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist); extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings); - srcVersion = "3.101"; + srcVersion = "3.104"; version = if nssOverride != null then nssOverride.version else srcVersion; meta = with lib; { homepage = "https://curl.haxx.se/docs/caextract.html"; @@ -37,7 +37,7 @@ let owner = "nss-dev"; repo = "nss"; rev = "NSS_${lib.replaceStrings ["."] ["_"] version}_RTM"; - hash = "sha256-lO+81zYBBFwqcjh4cd/fpiznHZ9rTJpfDW/yF8phYts="; + hash = "sha256-TEGEKocapU5OTqx69n8nrn/X3SZr49d1alHM73UnDJw="; }; dontBuild = true; diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix index 263bfa24d7d3c63..211da13c7926006 100644 --- a/pkgs/development/interpreters/python/default.nix +++ b/pkgs/development/interpreters/python/default.nix @@ -79,10 +79,10 @@ in { sourceVersion = { major = "3"; minor = "12"; - patch = "4"; + patch = "5"; suffix = ""; }; - hash = "sha256-9tQZpth0OrJnAIAbSQjSbZfouYbhT5XeMbMt4rDnlVQ="; + hash = "sha256-+oouEsXmILCfU+ZbzYdVDS5aHi4Ev4upkdzFUROHY5c="; inherit (darwin) configd; inherit passthruFun; }; diff --git a/pkgs/development/interpreters/ruby/default.nix b/pkgs/development/interpreters/ruby/default.nix index df46440ea54a448..25314cd999e89f2 100644 --- a/pkgs/development/interpreters/ruby/default.nix +++ b/pkgs/development/interpreters/ruby/default.nix @@ -307,8 +307,8 @@ in { }; ruby_3_3 = generic { - version = rubyVersion "3" "3" "4" ""; - hash = "sha256-/mow+X1U4Cl2jy3fSSNpnEFs28Om6W2z4tVxbH25ajQ="; + version = rubyVersion "3" "3" "5" ""; + hash = "sha256-N4GjUEIiwvJstLnrnBoS2/SUTTZs4kqf+M+Z7LznUZY="; cargoHash = "sha256-GeelTMRFIyvz1QS2L+Q3KAnyQy7jc0ejhx3TdEFVEbk="; }; diff --git a/pkgs/development/libraries/audio/libopenmpt/default.nix b/pkgs/development/libraries/audio/libopenmpt/default.nix index 8e32ae89502b8d9..a08b93a9b0e5524 100644 --- a/pkgs/development/libraries/audio/libopenmpt/default.nix +++ b/pkgs/development/libraries/audio/libopenmpt/default.nix @@ -16,13 +16,13 @@ stdenv.mkDerivation rec { pname = "libopenmpt"; - version = "0.7.8"; + version = "0.7.9"; outputs = [ "out" "dev" "bin" ]; src = fetchurl { url = "https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-${version}+release.autotools.tar.gz"; - hash = "sha256-h3eMgEaiJsbL+xFPTI4+J8Eht7PczOXLfeRYmSUCdMw="; + hash = "sha256-A4bpGNddeX551bFO3QhHFl2LNZ6YEe9XZSwKNWot/PQ="; }; enableParallelBuilding = true; diff --git a/pkgs/development/libraries/expat/default.nix b/pkgs/development/libraries/expat/default.nix index 9944277e946b676..be4083e04276561 100644 --- a/pkgs/development/libraries/expat/default.nix +++ b/pkgs/development/libraries/expat/default.nix @@ -16,7 +16,7 @@ # files. let - version = "2.6.2"; + version = "2.6.3"; tag = "R_${lib.replaceStrings ["."] ["_"] version}"; in stdenv.mkDerivation (finalAttrs: { @@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = with finalAttrs; "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz"; - hash = "sha256-7hS0xdiQixvsN62TdgfqsYPU2YBqCK3uRyw8MSHSc2Q="; + hash = "sha256-J02yVKaXm95arUBHY6cElWlA5GWEPyqb2e168i4sDvw="; }; strictDeps = true; diff --git a/pkgs/development/libraries/ffmpeg/default.nix b/pkgs/development/libraries/ffmpeg/default.nix index 5bd9171275bee2b..f7607862c3e5336 100644 --- a/pkgs/development/libraries/ffmpeg/default.nix +++ b/pkgs/development/libraries/ffmpeg/default.nix @@ -27,13 +27,13 @@ let }; v6 = { - version = "6.1.1"; - hash = "sha256-Q0c95hbCVUHQWPoh5uC8uzMylmB4BnWg+VhXEgSouzo="; + version = "6.1.2"; + hash = "sha256-h/N56iKkAR5kH+PRQceWZvHe3k+70KWMDEP5iVq/YFQ="; }; v7 = { - version = "7.0.1"; - hash = "sha256-HiCT6bvLx4zmJ6ffutoimdz5ENQ55CRF64WBT3HeXMA="; + version = "7.0.2"; + hash = "sha256-6bcTxMt0rH/Nso3X7zhrFNkkmWYtxsbUqVQKh25R1Fs="; }; in diff --git a/pkgs/development/libraries/ffmpeg/generic.nix b/pkgs/development/libraries/ffmpeg/generic.nix index 4b487dbf9320e6b..0238a71e0e93c66 100644 --- a/pkgs/development/libraries/ffmpeg/generic.nix +++ b/pkgs/development/libraries/ffmpeg/generic.nix @@ -475,11 +475,6 @@ stdenv.mkDerivation (finalAttrs: { url = "https://git.ffmpeg.org/gitweb/ffmpeg.git/patch/cb049d377f54f6b747667a93e4b719380c3e9475"; hash = "sha256-sxRXKKgUak5vsQTiV7ge8vp+N22CdTIvuczNgVRP72c="; }) - (fetchpatch2 { - name = "fix_vulkan_av1"; - url = "https://git.ffmpeg.org/gitweb/ffmpeg.git/patch/e06ce6d2b45edac4a2df04f304e18d4727417d24"; - hash = "sha256-73mlX1rdJrguw7OXaSItfHtI7gflDrFj+7SepVvvUIg="; - }) (fetchpatch2 { name = "CVE-2024-31582.patch"; url = "https://git.ffmpeg.org/gitweb/ffmpeg.git/patch/99debe5f823f45a482e1dc08de35879aa9c74bd2"; diff --git a/pkgs/development/libraries/grpc/default.nix b/pkgs/development/libraries/grpc/default.nix index bf9b58ec4a0922d..b8428cde6ad03d4 100644 --- a/pkgs/development/libraries/grpc/default.nix +++ b/pkgs/development/libraries/grpc/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { pname = "grpc"; - version = "1.62.1"; # N.B: if you change this, please update: + version = "1.62.3"; # N.B: if you change this, please update: # pythonPackages.grpcio-tools # pythonPackages.grpcio-status @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { owner = "grpc"; repo = "grpc"; rev = "v${version}"; - hash = "sha256-L0bn6Bg36UKIRxznH9o4T7WXUqMwFjr8ybeQfbUi8xM="; + hash = "sha256-ShcC90WSMFVjpuM1up+0JShqK3RGW2edxlp9wMt6dPg="; fetchSubmodules = true; }; diff --git a/pkgs/development/python-modules/django/4.nix b/pkgs/development/python-modules/django/4.nix index 808f119b7ddae15..990409fd36adf98 100644 --- a/pkgs/development/python-modules/django/4.nix +++ b/pkgs/development/python-modules/django/4.nix @@ -44,7 +44,7 @@ buildPythonPackage rec { pname = "django"; - version = "4.2.15"; + version = "4.2.16"; format = "pyproject"; disabled = pythonOlder "3.8"; @@ -53,7 +53,7 @@ buildPythonPackage rec { owner = "django"; repo = "django"; rev = "refs/tags/${version}"; - hash = "sha256-SWENMUsTgP3X3EvFiTgpKCZO0/KaZ1x1stSyp2kM/P4="; + hash = "sha256-VW/qfqOadivtU8Xg70FLqENtOV7GqJM4bR2Ik6Yag+o="; }; patches = diff --git a/pkgs/development/python-modules/executing/default.nix b/pkgs/development/python-modules/executing/default.nix index 7eb94f3b1348191..68617d003475ef9 100644 --- a/pkgs/development/python-modules/executing/default.nix +++ b/pkgs/development/python-modules/executing/default.nix @@ -2,6 +2,7 @@ lib, buildPythonPackage, fetchFromGitHub, + fetchpatch, pythonAtLeast, pythonOlder, @@ -30,6 +31,13 @@ buildPythonPackage rec { hash = "sha256-PBvfkv9GQ5Vj5I5SygtmHXtqqHMJ4XgNV1/I+lSU0/U="; }; + patches = lib.optionals (pythonAtLeast "3.12") [ + (fetchpatch { # https://github.com/alexmojaki/executing/pull/83 + url = "https://github.com/alexmojaki/executing/commit/230ef110f004a8cecf03e983561f26a5fecede8f.diff"; + hash = "sha256-McMUIbOWozoDDQSfrJqcxBjuAZ/rrHePfqp5+AVUKI4="; + }) + ]; + nativeBuildInputs = [ setuptools setuptools-scm diff --git a/pkgs/development/python-modules/grpcio-status/default.nix b/pkgs/development/python-modules/grpcio-status/default.nix index c587948f185f58f..de9631d6876f154 100644 --- a/pkgs/development/python-modules/grpcio-status/default.nix +++ b/pkgs/development/python-modules/grpcio-status/default.nix @@ -10,14 +10,14 @@ buildPythonPackage rec { pname = "grpcio-status"; - version = "1.62.2"; + version = "1.62.3"; format = "setuptools"; disabled = pythonOlder "3.6"; src = fetchPypi { inherit pname version; - hash = "sha256-YuG/ywICWhzXNzKi0zZy0+nQ300hwSxR4LvK8JurdCo="; + hash = "sha256-KJvdeyRZeUoSz5XcDLcnvUoXQsN72CP3YCNsk35TpIU="; }; postPatch = '' diff --git a/pkgs/development/python-modules/grpcio-tools/default.nix b/pkgs/development/python-modules/grpcio-tools/default.nix index d98f1bee9ee20a4..396f3cdef4817a2 100644 --- a/pkgs/development/python-modules/grpcio-tools/default.nix +++ b/pkgs/development/python-modules/grpcio-tools/default.nix @@ -9,12 +9,12 @@ buildPythonPackage rec { pname = "grpcio-tools"; - version = "1.62.2"; + version = "1.62.3"; format = "setuptools"; src = fetchPypi { inherit pname version; - hash = "sha256-X9XhWCtnjmuUHuX1gJNAvl4HJGkd9SmaroImZA+U4Y8="; + hash = "sha256-fHE2AVw9YsPu9JPvq6+eM4Dj5m0k7o6UwBy3E3f1eDM="; }; postPatch = '' diff --git a/pkgs/development/python-modules/urllib3/default.nix b/pkgs/development/python-modules/urllib3/default.nix index 77742a521d24205..1bffd501e763df9 100644 --- a/pkgs/development/python-modules/urllib3/default.nix +++ b/pkgs/development/python-modules/urllib3/default.nix @@ -24,12 +24,12 @@ let self = buildPythonPackage rec { pname = "urllib3"; - version = "2.2.1"; + version = "2.2.2"; pyproject = true; src = fetchPypi { inherit pname version; - hash = "sha256-0FcIdsYaueUg13bDisu7WwWndtP5/5ilyP1RYqREzxk="; + hash = "sha256-3VBUhVSaelUoM9peYGNjnQ0XfATyO8OGTkHl3F9hIWg="; }; nativeBuildInputs = [ hatchling ]; diff --git a/pkgs/development/python-modules/uvloop/default.nix b/pkgs/development/python-modules/uvloop/default.nix index 4f2ff7d11ceae32..533efe1f81caede 100644 --- a/pkgs/development/python-modules/uvloop/default.nix +++ b/pkgs/development/python-modules/uvloop/default.nix @@ -23,17 +23,17 @@ buildPythonPackage rec { pname = "uvloop"; - version = "0.19.0"; + version = "0.20.0"; pyproject = true; disabled = pythonOlder "3.8"; src = fetchPypi { inherit pname version; - hash = "sha256-Akb0/Rvyv3AuBrDUXukWd+5cMSQvOaq06m/gxRrt0P0="; + hash = "sha256-RgPKcUp1T8jZsZfjJdslsuoEU4Xoo60F00Y95yX99Gk="; }; - nativeBuildInputs = [ + build-system = [ cython_0 setuptools ]; diff --git a/pkgs/development/python-modules/webob/default.nix b/pkgs/development/python-modules/webob/default.nix index 921b75ef0778a2a..93ad2874aab988a 100644 --- a/pkgs/development/python-modules/webob/default.nix +++ b/pkgs/development/python-modules/webob/default.nix @@ -1,22 +1,28 @@ { lib, buildPythonPackage, - fetchPypi, + fetchFromGitHub, pytestCheckHook, pythonOlder, + + # for passthru.tests + pyramid, + routes, + tokenlib, }: buildPythonPackage rec { pname = "webob"; - version = "1.8.7"; + version = "1.8.8"; format = "setuptools"; disabled = pythonOlder "3.7"; - src = fetchPypi { - pname = "WebOb"; - inherit version; - hash = "sha256-tk71FBvlWc+t5EjwRPpFwiYDUe3Lao72t+AMfc7wwyM="; + src = fetchFromGitHub { + owner = "Pylons"; + repo = "webob"; + rev = "refs/tags/${version}"; + hash = "sha256-QN0UMLzO0g8Oalnn5GlOulXUxtXOx89jeeEvJV53rVs="; }; nativeCheckInputs = [ pytestCheckHook ]; @@ -29,6 +35,10 @@ buildPythonPackage rec { "tests/test_client_functional.py" ]; + passthru.tests = { + inherit pyramid routes tokenlib; + }; + meta = with lib; { description = "WSGI request and response object"; homepage = "https://webob.org/"; diff --git a/pkgs/misc/cups/2.4.8-CVE-2024-35235.patch b/pkgs/misc/cups/2.4.8-CVE-2024-35235.patch deleted file mode 100644 index 243be682ceb6634..000000000000000 --- a/pkgs/misc/cups/2.4.8-CVE-2024-35235.patch +++ /dev/null @@ -1,86 +0,0 @@ -Based on upstream ff1f8a623e090dee8a8aadf12a6a4b25efac143d, adjusted to -apply to 2.4.8 - -diff --git a/cups/http-addr.c b/cups/http-addr.c -index 6aeeb8074..73a6b2f37 100644 ---- a/cups/http-addr.c -+++ b/cups/http-addr.c -@@ -206,27 +206,30 @@ httpAddrListen(http_addr_t *addr, /* I - Address to bind to */ - * Remove any existing domain socket file... - */ - -- unlink(addr->un.sun_path); -- -- /* -- * Save the current umask and set it to 0 so that all users can access -- * the domain socket... -- */ -- -- mask = umask(0); -+ // Remove any existing domain socket file... -+ if ((status = unlink(addr->un.sun_path)) < 0) -+ { -+ DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno))); - -- /* -- * Bind the domain socket... -- */ -+ if (errno == ENOENT) -+ status = 0; -+ } - -- status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr)); -+ if (!status) -+ { -+ // Save the current umask and set it to 0 so that all users can access -+ // the domain socket... -+ mask = umask(0); - -- /* -- * Restore the umask and fix permissions... -- */ -+ // Bind the domain socket... -+ if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0) -+ { -+ DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno))); -+ } - -- umask(mask); -- chmod(addr->un.sun_path, 0140777); -+ // Restore the umask... -+ umask(mask); -+ } - } - else - #endif /* AF_LOCAL */ -diff --git a/scheduler/conf.c b/scheduler/conf.c -index defca78aa..ebf8ca8cc 100644 ---- a/scheduler/conf.c -+++ b/scheduler/conf.c -@@ -3083,6 +3083,26 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ - cupsd_listener_t *lis; /* New listeners array */ - - -+ /* -+ * If we are launched on-demand, do not use domain sockets from the config -+ * file. Also check that the domain socket path is not too long... -+ */ -+ -+#ifdef HAVE_ONDEMAND -+ if (*value == '/' && OnDemand) -+ { -+ if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET)) -+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum); -+ continue; -+ } -+#endif // HAVE_ONDEMAND -+ -+ if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1)) -+ { -+ cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum); -+ continue; -+ } -+ - /* - * Get the address list... - */ diff --git a/pkgs/misc/cups/default.nix b/pkgs/misc/cups/default.nix index 5d4b6f00acae12f..396914479d4a596 100644 --- a/pkgs/misc/cups/default.nix +++ b/pkgs/misc/cups/default.nix @@ -19,6 +19,7 @@ , libpaper ? null , coreutils , nixosTests +, fetchpatch }: stdenv.mkDerivation rec { @@ -33,7 +34,28 @@ stdenv.mkDerivation rec { outputs = [ "out" "lib" "dev" "man" ]; patches = [ - ./2.4.8-CVE-2024-35235.patch + (fetchpatch { + name = "CVE-2024-35235.patch"; + url = "https://github.com/OpenPrinting/cups/commit/b273a1f29bda87317c551614cf9ab6125f56e317.patch"; + hash = "sha256-nzWKEMOEBKZMjqVPl2mcATtXZSrh++yhv9VMvbA+49E="; + }) + # the following three patches fix a regression introduced by the patch above + (fetchpatch { + name = "CVE-2024-35235-fixup-domainsocket-1.patch"; + url = "https://github.com/OpenPrinting/cups/commit/6131f6a73c188f3db0ec94ae488991ce80cfd7ea.patch"; + hash = "sha256-uftOI0zkwPXsW8CY8BoOkx4BysjDUc66LuzyZDjUHCI="; + }) + (fetchpatch { + name = "CVE-2024-35235-fixup-domainsocket-2.patch"; + url = "https://github.com/OpenPrinting/cups/commit/4417cd366f7baf64f4ada3efbb3ec13cd773a0f4.patch"; + hash = "sha256-ighA4Vmf43iiwkNl71//Ml8ynh8nF/bcNOKELeJFPKo="; + }) + (fetchpatch { + name = "CVE-2024-35235-fixup-domainsocket-3.patch"; + url = "https://github.com/OpenPrinting/cups/commit/145b946a86062aafab76c656ee9c1112bfd4f804.patch"; + includes = [ "scheduler/conf.c" ]; + hash = "sha256-2jQFHUFav8XDfqA/PVKNvbUnZI34na8Wbuu4XRy3uqc="; + }) ]; postPatch = '' diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 116f88ad19b63c7..d9693a8a9624fac 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -510,6 +510,7 @@ let # Support configuring jack functions via fw mechanism at boot SND_HDA_PATCH_LOADER = yes; SND_HDA_CODEC_CA0132_DSP = whenOlder "5.7" yes; # Enable DSP firmware loading on Creative Soundblaster Z/Zx/ZxR/Recon + SND_HDA_CODEC_CS8409 = whenAtLeast "6.6" module; # Cirrus Logic HDA Bridge CS8409 SND_OSSEMUL = yes; SND_USB_CAIAQ_INPUT = yes; SND_USB_AUDIO_MIDI_V2 = whenAtLeast "6.5" yes; diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index d7521b1ad5da79f..e46c3c61ee68cf0 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh @@ -981,7 +981,13 @@ substituteAllInPlace() { # the environment used for building. dumpVars() { if [ "${noDumpEnvVars:-0}" != 1 ]; then - export 2>/dev/null >| "$NIX_BUILD_TOP/env-vars" || true + # On darwin, install(1) cannot be called with /dev/stdin or fd from process substitution + # so first we create the file and then write to it + # See https://github.com/NixOS/nixpkgs/issues/335016 + { + install -m 0600 /dev/null "$NIX_BUILD_TOP/env-vars" && + export 2>/dev/null >| "$NIX_BUILD_TOP/env-vars" + } || true fi } diff --git a/pkgs/tools/networking/tcpdump/default.nix b/pkgs/tools/networking/tcpdump/default.nix index 996466901201db3..b61f42eae308e9f 100644 --- a/pkgs/tools/networking/tcpdump/default.nix +++ b/pkgs/tools/networking/tcpdump/default.nix @@ -2,11 +2,11 @@ stdenv.mkDerivation rec { pname = "tcpdump"; - version = "4.99.4"; + version = "4.99.5"; src = fetchurl { url = "https://www.tcpdump.org/release/tcpdump-${version}.tar.gz"; - hash = "sha256-AjIjG7LynWvyQm5woIp+DGOg1ZqbRIY7f14jV6bkn+o="; + hash = "sha256-jHWFbgCt3urfcNrWfJ/z3TaFNrK4Vjq/aFTXx2TNOts="; }; postPatch = '' diff --git a/pkgs/tools/text/gnupatch/Abort_when_cleaning_up_fails.patch b/pkgs/tools/text/gnupatch/Abort_when_cleaning_up_fails.patch new file mode 100644 index 000000000000000..ab3baf80f8c178e --- /dev/null +++ b/pkgs/tools/text/gnupatch/Abort_when_cleaning_up_fails.patch @@ -0,0 +1,51 @@ +From b7b028a77bd855f6f56b17c8837fc1cca77b469d Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Fri, 28 Jun 2019 00:30:25 +0200 +Subject: Abort when cleaning up fails + +When a fatal error triggers during cleanup, another attempt will be made to +clean up, which will likely lead to the same fatal error. So instead, bail out +when that happens. +src/patch.c (cleanup): Bail out when called recursively. +(main): There is no need to call output_files() before cleanup() as cleanup() +already does that. +--- + src/patch.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/patch.c b/src/patch.c +index 4616a48..02fd982 100644 +--- a/src/patch.c ++++ b/src/patch.c +@@ -685,7 +685,6 @@ main (int argc, char **argv) + } + if (outstate.ofp && (ferror (outstate.ofp) || fclose (outstate.ofp) != 0)) + write_fatal (); +- output_files (NULL); + cleanup (); + delete_files (); + if (somefailed) +@@ -1991,7 +1990,6 @@ void + fatal_exit (int sig) + { + cleanup (); +- + if (sig) + exit_with_signal (sig); + +@@ -2011,6 +2009,12 @@ remove_if_needed (char const *name, bool *needs_removal) + static void + cleanup (void) + { ++ static bool already_cleaning_up; ++ ++ if (already_cleaning_up) ++ return; ++ already_cleaning_up = true; ++ + remove_if_needed (TMPINNAME, &TMPINNAME_needs_removal); + remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal); + remove_if_needed (TMPPATNAME, &TMPPATNAME_needs_removal); +-- +cgit v1.1 + diff --git a/pkgs/tools/text/gnupatch/default.nix b/pkgs/tools/text/gnupatch/default.nix index c19e087ea5478ef..19d8652396c9187 100644 --- a/pkgs/tools/text/gnupatch/default.nix +++ b/pkgs/tools/text/gnupatch/default.nix @@ -18,6 +18,9 @@ stdenv.mkDerivation rec { # https://git.savannah.gnu.org/cgit/patch.git/patch/?id=b5a91a01e5d0897facdd0f49d64b76b0f02b43e1 ./Allow_input_files_to_be_missing_for_ed-style_patches.patch + # https://git.savannah.gnu.org/cgit/patch.git/patch/?id=b7b028a77bd855f6f56b17c8837fc1cca77b469d + ./Abort_when_cleaning_up_fails.patch + # https://git.savannah.gnu.org/cgit/patch.git/patch/?id=123eaff0d5d1aebe128295959435b9ca5909c26d ./CVE-2018-1000156.patch