authorVladimír Čunát <v@cunat.cz>2023-10-13 21:46:16 +0200
committerVladimír Čunát <v@cunat.cz>2023-10-13 21:46:16 +0200
commit898cb2064b6e98b8c5499f37e81adbdf2925f7c5 (patch)
tree0cd4b1705268954d9ffd23d63c23cb64c9d448f8
parentfreetube: 0.19.0 -> 0.19.1 (diff)
parentpython311Packages.sanic: disable failing tests (diff)
downloadnixpkgs-898cb2064b6e98b8c5499f37e81adbdf2925f7c5.tar.gz
Merge #260159: staging-next-23.05 iteration 9 - 2023-10-10
...into release-23.05
-rw-r--r--pkgs/development/interpreters/python/default.nix8
-rw-r--r--pkgs/development/libraries/glibc/2.37-master.patch.gzbin9447 -> 61629 bytes
-rw-r--r--pkgs/development/libraries/glibc/common.nix6
-rw-r--r--pkgs/development/libraries/gstreamer/bad/default.nix4
-rw-r--r--pkgs/development/libraries/gstreamer/base/default.nix4
-rw-r--r--pkgs/development/libraries/gstreamer/core/default.nix4
-rw-r--r--pkgs/development/libraries/gstreamer/devtools/default.nix4
-rw-r--r--pkgs/development/libraries/gstreamer/ges/default.nix4
-rw-r--r--pkgs/development/libraries/gstreamer/good/default.nix16
-rw-r--r--pkgs/development/libraries/gstreamer/libav/default.nix4
-rw-r--r--pkgs/development/libraries/gstreamer/rtsp-server/default.nix4
-rw-r--r--pkgs/development/libraries/gstreamer/ugly/default.nix4
-rw-r--r--pkgs/development/libraries/gstreamer/vaapi/default.nix4
-rw-r--r--pkgs/development/libraries/kerberos/krb5.nix4
-rw-r--r--pkgs/development/libraries/libarchive/default.nix15
-rw-r--r--pkgs/development/libraries/libvpx/default.nix18
-rw-r--r--pkgs/development/libraries/libwebp/CVE-2023-4863.patch361
-rw-r--r--pkgs/development/libraries/libwebp/default.nix10
-rw-r--r--pkgs/development/libraries/lmdb/default.nix5
-rw-r--r--pkgs/development/libraries/openssl/default.nix4
-rw-r--r--pkgs/development/libraries/webkitgtk/default.nix11
-rw-r--r--pkgs/development/libraries/webkitgtk/fdo-backend-path.patch2
-rw-r--r--pkgs/development/python-modules/django/3.nix4
-rw-r--r--pkgs/development/python-modules/gst-python/default.nix4
-rw-r--r--pkgs/development/python-modules/sanic/default.nix4
-rw-r--r--pkgs/misc/cups/default.nix4
-rw-r--r--pkgs/misc/ghostscript/default.nix4
-rw-r--r--pkgs/misc/ghostscript/test-corpus-render.nix6
-rw-r--r--pkgs/servers/x11/xorg/default.nix12
-rw-r--r--pkgs/servers/x11/xorg/tarballs.list4
-rw-r--r--pkgs/tools/networking/curl/CVE-2023-38039.patch211
-rw-r--r--pkgs/tools/networking/curl/CVE-2023-38545.patch134
-rw-r--r--pkgs/tools/networking/curl/default.nix10
33 files changed, 437 insertions, 456 deletions
diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix
index 65849a948cad..137639d0c9d6 100644
--- a/pkgs/development/interpreters/python/default.nix
+++ b/pkgs/development/interpreters/python/default.nix
@@ -121,20 +121,20 @@
sourceVersion = {
major = "3";
minor = "10";
- patch = "12";
+ patch = "13";
suffix = "";
};
- hash = "sha256-r7dL8ZEw56R9EDEsj154TyTgUnmB6raOIFRs+4ZYMLg=";
+ hash = "sha256-XIiEhmhkDT4VKzW0U27xwjsspL0slX7x7LsFP1cd0/Y=";
};
python311 = {
sourceVersion = {
major = "3";
minor = "11";
- patch = "4";
+ patch = "5";
suffix = "";
};
- hash = "sha256-Lw5AnfKrV6qfxMvd+5dq9E5OVb9vYZ7ua8XCKXJkp/Y=";
+ hash = "sha256-hc0S6c8dbVpF8X96/hzr5+5ijTKCKBxJLoat9jbe+j8=";
};
};
diff --git a/pkgs/development/libraries/glibc/2.37-master.patch.gz b/pkgs/development/libraries/glibc/2.37-master.patch.gz
index 04b4e264751e..889feab56532 100644
--- a/pkgs/development/libraries/glibc/2.37-master.patch.gz
+++ b/pkgs/development/libraries/glibc/2.37-master.patch.gz
Binary files differ
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index 00b78f57db61..4b00fecc6161 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -44,7 +44,7 @@
let
version = "2.37";
- patchSuffix = "-8";
+ patchSuffix = "-45";
sha256 = "sha256-Ilfv8RGhgV109GhW2q9AsBnB5VMVbGnUi6DL/Bu5GkM=";
in
@@ -59,8 +59,8 @@ stdenv.mkDerivation ({
patches =
[
/* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping.
- $ git fetch --all -p && git checkout origin/release/2.36/master && git describe
- glibc-2.37-8-g590d0e089b
+ $ git fetch --all -p && git checkout origin/release/2.37/master && git describe
+ glibc-2.37-45-gb4e23c75ae
$ git show --minimal --reverse glibc-2.37.. | gzip -9n --rsyncable - > 2.37-master.patch.gz
To compare the archive contents zdiff can be used.
diff --git a/pkgs/development/libraries/gstreamer/bad/default.nix b/pkgs/development/libraries/gstreamer/bad/default.nix
index b969bdff25f7..466cc162fb3d 100644
--- a/pkgs/development/libraries/gstreamer/bad/default.nix
+++ b/pkgs/development/libraries/gstreamer/bad/default.nix
@@ -107,13 +107,13 @@
stdenv.mkDerivation rec {
pname = "gst-plugins-bad";
- version = "1.22.5";
+ version = "1.22.6";
outputs = [ "out" "dev" ];
src = fetchurl {
url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
- hash = "sha256-5k51za/X/y/H/DToVbBrHj7SJ8wG+jeNF7vNdngMM4w=";
+ hash = "sha256-tAKc0pCKCJxV8dkCpWXQB0lclbFELYOEhdxH+xLfcTc=";
};
patches = [
diff --git a/pkgs/development/libraries/gstreamer/base/default.nix b/pkgs/development/libraries/gstreamer/base/default.nix
index 9c3884fc0d9e..782c6997cd91 100644
--- a/pkgs/development/libraries/gstreamer/base/default.nix
+++ b/pkgs/development/libraries/gstreamer/base/default.nix
@@ -45,7 +45,7 @@
stdenv.mkDerivation (finalAttrs: {
pname = "gst-plugins-base";
- version = "1.22.5";
+ version = "1.22.6";
outputs = [ "out" "dev" ];
@@ -53,7 +53,7 @@ stdenv.mkDerivation (finalAttrs: {
inherit (finalAttrs) pname version;
in fetchurl {
url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
- hash = "sha256-7dQzi0XCapryjA01qrlkoCTDiEum9SDYQo3wQhLIyTo=";
+ hash = "sha256-UPK00XwC7v5DC776jFzRNLG+eKU8D2DpURNtls9J/Us=";
};
strictDeps = true;
diff --git a/pkgs/development/libraries/gstreamer/core/default.nix b/pkgs/development/libraries/gstreamer/core/default.nix
index 1a52a8ed42b5..ecf36c5d9189 100644
--- a/pkgs/development/libraries/gstreamer/core/default.nix
+++ b/pkgs/development/libraries/gstreamer/core/default.nix
@@ -24,7 +24,7 @@
stdenv.mkDerivation (finalAttrs: {
pname = "gstreamer";
- version = "1.22.5";
+ version = "1.22.6";
outputs = [
"bin"
@@ -36,7 +36,7 @@ stdenv.mkDerivation (finalAttrs: {
inherit (finalAttrs) pname version;
in fetchurl {
url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
- hash = "sha256-RAjXkw84GAnoWReswZcS8XMmG6hb3yDFVnsqIbEZO2E=";
+ hash = "sha256-9QDmz93/VZCPk3cR/CaghA3iih6exJYhwLbxrb2PgY4=";
};
depsBuildBuild = [
diff --git a/pkgs/development/libraries/gstreamer/devtools/default.nix b/pkgs/development/libraries/gstreamer/devtools/default.nix
index 6fcf867f05ea..f0c4a30ba0aa 100644
--- a/pkgs/development/libraries/gstreamer/devtools/default.nix
+++ b/pkgs/development/libraries/gstreamer/devtools/default.nix
@@ -17,11 +17,11 @@
stdenv.mkDerivation rec {
pname = "gst-devtools";
- version = "1.22.5";
+ version = "1.22.6";
src = fetchurl {
url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
- hash = "sha256-Kt0VGapu6wHVRMuUKTaI7jvCB59rymB1v1wj0AoJIb4=";
+ hash = "sha256-iShWDvrxYTfDAoXnGHCOXQurB3frTvgSfgJ04SDT2Gs=";
};
outputs = [
diff --git a/pkgs/development/libraries/gstreamer/ges/default.nix b/pkgs/development/libraries/gstreamer/ges/default.nix
index a5926a776e30..790ca93b5276 100644
--- a/pkgs/development/libraries/gstreamer/ges/default.nix
+++ b/pkgs/development/libraries/gstreamer/ges/default.nix
@@ -18,7 +18,7 @@
stdenv.mkDerivation rec {
pname = "gst-editing-services";
- version = "1.22.5";
+ version = "1.22.6";
outputs = [
"out"
@@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
src = fetchurl {
url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
- hash = "sha256-vM3TvWHYaCmxbODiBtthsz95SsF5JCP558xl110aMbU=";
+ hash = "sha256-dI1CNnLFl/h24TCAT7mEhI9bS4nv14pQbLF/dkZ5UwE=";
};
nativeBuildInputs = [
diff --git a/pkgs/development/libraries/gstreamer/good/default.nix b/pkgs/development/libraries/gstreamer/good/default.nix
index dd956277be4d..317707c45c0c 100644
--- a/pkgs/development/libraries/gstreamer/good/default.nix
+++ b/pkgs/development/libraries/gstreamer/good/default.nix
@@ -53,26 +53,15 @@ assert raspiCameraSupport -> (stdenv.isLinux && stdenv.isAarch64);
stdenv.mkDerivation rec {
pname = "gst-plugins-good";
- version = "1.22.5";
+ version = "1.22.6";
outputs = [ "out" "dev" ];
src = fetchurl {
url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
- hash = "sha256-tnsxMTpUxpKbgpadQdPP3y9Y21c/tfSR5rul2ErqB3g=";
+ hash = "sha256-s7B/4/HOf+k6qb5yF4ZgRFSPNcSneSKA7sfhCKMvmBc=";
};
- # TODO: Patch is conditional to spare rebuilds during the current staging-next cycle and should be removed during the next bump
- patches = lib.optionals qt5Support [
- # Needed until https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5083 is merged and released
- (fetchpatch {
- name = "gst-plugins-good-fix-qt5-without-viv-fb.patch";
- url = "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/03d8ef0b7c6e70eb936de0514831c1aafc763dcf.diff";
- hash = "sha256-17XU/W/TMPg5669O1EBXByAN/VwFu/0idTg5ze3M/D4=";
- stripLen = 2;
- })
- ];
-
strictDeps = true;
depsBuildBuild = [ pkg-config ];
@@ -91,6 +80,7 @@ stdenv.mkDerivation rec {
hotdoc
] ++ lib.optionals qt5Support (with qt5; [
qtbase
+ qttools
]) ++ lib.optionals qt6Support (with qt6; [
qtbase
qttools
diff --git a/pkgs/development/libraries/gstreamer/libav/default.nix b/pkgs/development/libraries/gstreamer/libav/default.nix
index 2309e8717e2b..7dbd9b61cbc3 100644
--- a/pkgs/development/libraries/gstreamer/libav/default.nix
+++ b/pkgs/development/libraries/gstreamer/libav/default.nix
@@ -18,11 +18,11 @@
stdenv.mkDerivation rec {
pname = "gst-libav";
- version = "1.22.5";
+ version = "1.22.6";
src = fetchurl {
url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
- hash = "sha256-hYPwwfT8sB7tEfoePCESZUOovXOe1Pwdsx91alqwHZo=";
+ hash = "sha256-d4nmQIOIol8jy/lIz8XGIw1zW7zYt/N/SgHJ40ih46c=";
};
outputs = [ "out" "dev" ];
diff --git a/pkgs/development/libraries/gstreamer/rtsp-server/default.nix b/pkgs/development/libraries/gstreamer/rtsp-server/default.nix
index 4344a0f124cf..a90480d84157 100644
--- a/pkgs/development/libraries/gstreamer/rtsp-server/default.nix
+++ b/pkgs/development/libraries/gstreamer/rtsp-server/default.nix
@@ -15,11 +15,11 @@
stdenv.mkDerivation rec {
pname = "gst-rtsp-server";
- version = "1.22.5";
+ version = "1.22.6";
src = fetchurl {
url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
- hash = "sha256-80PrVJZOvU2MBxvl7srVhvKP6wFW4DbgaxSNDn/rscA=";
+ hash = "sha256-CuM6i1BEO2LxFYGpGB6Qa0HNOHey15nb6nKRLD7aS7M=";
};
outputs = [
diff --git a/pkgs/development/libraries/gstreamer/ugly/default.nix b/pkgs/development/libraries/gstreamer/ugly/default.nix
index 2392d7f341d7..cf5f93707cca 100644
--- a/pkgs/development/libraries/gstreamer/ugly/default.nix
+++ b/pkgs/development/libraries/gstreamer/ugly/default.nix
@@ -26,13 +26,13 @@
stdenv.mkDerivation rec {
pname = "gst-plugins-ugly";
- version = "1.22.5";
+ version = "1.22.6";
outputs = [ "out" "dev" ];
src = fetchurl {
url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
- hash = "sha256-JoBHOyGBWPGEZ8rD4cUCkbf/TgcQ3TUKWeqsvCnAmlQ=";
+ hash = "sha256-PjFFTJjLL39tLTVezrkzqJL6Dx3Am8NsmryTDY4pykg=";
};
nativeBuildInputs = [
diff --git a/pkgs/development/libraries/gstreamer/vaapi/default.nix b/pkgs/development/libraries/gstreamer/vaapi/default.nix
index 2b32be937fd5..7b7da009de7f 100644
--- a/pkgs/development/libraries/gstreamer/vaapi/default.nix
+++ b/pkgs/development/libraries/gstreamer/vaapi/default.nix
@@ -24,11 +24,11 @@
stdenv.mkDerivation rec {
pname = "gstreamer-vaapi";
- version = "1.22.5";
+ version = "1.22.6";
src = fetchurl {
url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
- hash = "sha256-qaVQJnyVhN8OjHBDTTBHbo/QAYtzPBwe4z3q9CK9sks=";
+ hash = "sha256-2bovwmvvmMeOmCxZn1hdRru2X+Ei2onC16tB9GilLHs=";
};
outputs = [
diff --git a/pkgs/development/libraries/kerberos/krb5.nix b/pkgs/development/libraries/kerberos/krb5.nix
index aefbaa6d41df..08d0ffae8f9d 100644
--- a/pkgs/development/libraries/kerberos/krb5.nix
+++ b/pkgs/development/libraries/kerberos/krb5.nix
@@ -27,11 +27,11 @@ let
in
stdenv.mkDerivation rec {
pname = "${type}krb5";
- version = "1.20.1";
+ version = "1.20.2";
src = fetchurl {
url = "https://kerberos.org/dist/krb5/${lib.versions.majorMinor version}/krb5-${version}.tar.gz";
- sha256 = "sha256-cErtSbGetacXizSyhzYg7CmdsIdS1qhXT5XUGHmriFE=";
+ sha256 = "sha256-fY1ofUKu01DCUly2mk/DqnkWlNpnYdzMHELC7neWtd0=";
};
outputs = [ "out" "dev" ];
diff --git a/pkgs/development/libraries/libarchive/default.nix b/pkgs/development/libraries/libarchive/default.nix
index c8f050c300ce..2868ca921953 100644
--- a/pkgs/development/libraries/libarchive/default.nix
+++ b/pkgs/development/libraries/libarchive/default.nix
@@ -43,6 +43,19 @@ assert xarSupport -> libxml2 != null;
outputs = [ "out" "lib" "dev" ];
+ patches = [
+ (fetchpatch {
+ name = "security-fixes-pax-writer.patch";
+ url = "https://github.com/libarchive/libarchive/commit/1b4e0d0f9d445ba3e4d0c7db7ce0b30300572fe8.patch";
+ hash = "sha256-Ei0FMBu0SKZhJdOzHni/gyi8VTmF2cC0K4gEJDSPXpU=";
+ })
+ (fetchpatch {
+ name = "security-fixes-cpio-list_item_verbose.patch";
+ url = "https://github.com/libarchive/libarchive/commit/ee312cfd05c1d1d38f3a5dd10872b97cbc11902c.patch";
+ hash = "sha256-n1cZBgRmcNCx+PzGub5KE/TMY1oPXihMTVjkdF9Ws3k=";
+ })
+ ];
+
postPatch = let
skipTestPaths = [
# test won't work in nix sandbox
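Review bot: The two added `fetchpatch` entries are identified only by the names `security-fixes-pax-writer.patch` and `security-fixes-cpio-list_item_verbose.patch`, with no comment saying which advisory or upstream issue each one addresses or when it can be dropped. A one-line comment above each entry, for example `# upstream fix for <advisory or issue id>; drop when updating past 3.6.2`, would let someone auditing this derivation map the patches to known issues without opening the upstream commits. The `3.6.2` here is taken from the version assert in the later hunk of this file. The enclosing derivation starts and ends outside the hunk.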
@@ -122,7 +135,7 @@ assert xarSupport -> libxml2 != null;
})).overrideAttrs(previousAttrs:
assert previousAttrs.version == "3.6.2";
lib.optionalAttrs stdenv.hostPlatform.isStatic {
- patches = [
+ patches = previousAttrs.patches ++ [
# fixes static linking; upstream in releases after 3.6.2
# https://github.com/libarchive/libarchive/pull/1825 merged upstream
(fetchpatch {
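Review bot: `previousAttrs.patches` on the changed line is an unguarded attribute access, so it evaluates only while the base derivation defines `patches`, which the first hunk of this file happens to add in the same commit. If those security patches are later removed from the base expression, static builds would fail at evaluation with a missing-attribute error, although the version assert just above would probably force a revisit at that point anyway. `patches = (previousAttrs.patches or []) ++ [` keeps the override correct in both cases. The override body continues outside the hunk.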
diff --git a/pkgs/development/libraries/libvpx/default.nix b/pkgs/development/libraries/libvpx/default.nix
index 3df8cce6f4b4..eb5b320b317b 100644
--- a/pkgs/development/libraries/libvpx/default.nix
+++ b/pkgs/development/libraries/libvpx/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, fetchpatch, perl, yasm
+{ lib, stdenv, fetchFromGitHub, perl, yasm
, vp8DecoderSupport ? true # VP8 decoder
, vp8EncoderSupport ? true # VP8 encoder
, vp9DecoderSupport ? true # VP9 decoder
@@ -75,27 +75,15 @@ assert isCygwin -> unitTestsSupport && webmIOSupport && libyuvSupport;
stdenv.mkDerivation rec {
pname = "libvpx";
- version = "1.13.0";
+ version = "1.13.1";
src = fetchFromGitHub {
owner = "webmproject";
repo = pname;
rev = "v${version}";
- sha256 = "sha256-IH+ZWbBUlU5fbciYe+dNGnTFFCte2BXxAlLcvmzdAeY=";
+ hash = "sha256-KTbzZ5/qCH+bCvatYZhFiWcT+L2duD40E2w/BUaRorQ=";
};
- patches = [
- (fetchpatch {
- # https://www.openwall.com/lists/oss-security/2023/09/28/5
- name = "CVE-2023-5217.patch";
- url = "https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590.patch";
- hash = "sha256-1hHUd/dNGm8dmdYYN60j1aOgC2pdIIq7vqJZ7mTXfps=";
- includes = [
- "vp8/encoder/onyx_if.c"
- ];
- })
- ];
-
postPatch = ''
patchShebangs --build \
build/make/*.sh \
diff --git a/pkgs/development/libraries/libwebp/CVE-2023-4863.patch b/pkgs/development/libraries/libwebp/CVE-2023-4863.patch
deleted file mode 100644
index c01b8a486675..000000000000
--- a/pkgs/development/libraries/libwebp/CVE-2023-4863.patch
+++ /dev/null
@@ -1,361 +0,0 @@
-From 4de93ac70c3292fc944e4587101a52a29f8b0c9c Mon Sep 17 00:00:00 2001
-From: Vincent Rabaud <vrabaud@google.com>
-Date: Thu, 7 Sep 2023 21:16:03 +0200
-Subject: [PATCH] Fix OOB write in BuildHuffmanTable.
-
-First, BuildHuffmanTable is called to check if the data is valid.
-If it is and the table is not big enough, more memory is allocated.
-
-This will make sure that valid (but unoptimized because of unbalanced
-codes) streams are still decodable.
-
-Bug: chromium:1479274
-Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
-(cherry picked from commit 902bc9190331343b2017211debcec8d2ab87e17a)
----
- src/dec/vp8l_dec.c | 46 ++++++++++---------
- src/dec/vp8li_dec.h | 2 +-
- src/utils/huffman_utils.c | 97 +++++++++++++++++++++++++++++++--------
- src/utils/huffman_utils.h | 27 +++++++++--
- 4 files changed, 129 insertions(+), 43 deletions(-)
-
-diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
-index c0ea0181..7995313f 100644
---- a/src/dec/vp8l_dec.c
-+++ b/src/dec/vp8l_dec.c
-@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
- int symbol;
- int max_symbol;
- int prev_code_len = DEFAULT_CODE_LENGTH;
-- HuffmanCode table[1 << LENGTHS_TABLE_BITS];
-+ HuffmanTables tables;
-
-- if (!VP8LBuildHuffmanTable(table, LENGTHS_TABLE_BITS,
-- code_length_code_lengths,
-- NUM_CODE_LENGTH_CODES)) {
-+ if (!VP8LHuffmanTablesAllocate(1 << LENGTHS_TABLE_BITS, &tables) ||
-+ !VP8LBuildHuffmanTable(&tables, LENGTHS_TABLE_BITS,
-+ code_length_code_lengths, NUM_CODE_LENGTH_CODES)) {
- goto End;
- }
-
-@@ -277,7 +277,7 @@ static int ReadHuffmanCodeLengths(
- int code_len;
- if (max_symbol-- == 0) break;
- VP8LFillBitWindow(br);
-- p = &table[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK];
-+ p = &tables.curr_segment->start[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK];
- VP8LSetBitPos(br, br->bit_pos_ + p->bits);
- code_len = p->value;
- if (code_len < kCodeLengthLiterals) {
-@@ -300,6 +300,7 @@ static int ReadHuffmanCodeLengths(
- ok = 1;
-
- End:
-+ VP8LHuffmanTablesDeallocate(&tables);
- if (!ok) dec->status_ = VP8_STATUS_BITSTREAM_ERROR;
- return ok;
- }
-@@ -307,7 +308,8 @@ static int ReadHuffmanCodeLengths(
- // 'code_lengths' is pre-allocated temporary buffer, used for creating Huffman
- // tree.
- static int ReadHuffmanCode(int alphabet_size, VP8LDecoder* const dec,
-- int* const code_lengths, HuffmanCode* const table) {
-+ int* const code_lengths,
-+ HuffmanTables* const table) {
- int ok = 0;
- int size = 0;
- VP8LBitReader* const br = &dec->br_;
-@@ -362,8 +364,7 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
- VP8LMetadata* const hdr = &dec->hdr_;
- uint32_t* huffman_image = NULL;
- HTreeGroup* htree_groups = NULL;
-- HuffmanCode* huffman_tables = NULL;
-- HuffmanCode* huffman_table = NULL;
-+ HuffmanTables* huffman_tables = &hdr->huffman_tables_;
- int num_htree_groups = 1;
- int num_htree_groups_max = 1;
- int max_alphabet_size = 0;
-@@ -372,6 +373,10 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
- int* mapping = NULL;
- int ok = 0;
-
-+ // Check the table has been 0 initialized (through InitMetadata).
-+ assert(huffman_tables->root.start == NULL);
-+ assert(huffman_tables->curr_segment == NULL);
-+
- if (allow_recursion && VP8LReadBits(br, 1)) {
- // use meta Huffman codes.
- const int huffman_precision = VP8LReadBits(br, 3) + 2;
-@@ -434,16 +439,15 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
-
- code_lengths = (int*)WebPSafeCalloc((uint64_t)max_alphabet_size,
- sizeof(*code_lengths));
-- huffman_tables = (HuffmanCode*)WebPSafeMalloc(num_htree_groups * table_size,
-- sizeof(*huffman_tables));
- htree_groups = VP8LHtreeGroupsNew(num_htree_groups);
-
-- if (htree_groups == NULL || code_lengths == NULL || huffman_tables == NULL) {
-+ if (htree_groups == NULL || code_lengths == NULL ||
-+ !VP8LHuffmanTablesAllocate(num_htree_groups * table_size,
-+ huffman_tables)) {
- dec->status_ = VP8_STATUS_OUT_OF_MEMORY;
- goto Error;
- }
-
-- huffman_table = huffman_tables;
- for (i = 0; i < num_htree_groups_max; ++i) {
- // If the index "i" is unused in the Huffman image, just make sure the
- // coefficients are valid but do not store them.
-@@ -468,19 +472,20 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
- int max_bits = 0;
- for (j = 0; j < HUFFMAN_CODES_PER_META_CODE; ++j) {
- int alphabet_size = kAlphabetSize[j];
-- htrees[j] = huffman_table;
- if (j == 0 && color_cache_bits > 0) {
- alphabet_size += (1 << color_cache_bits);
- }
-- size = ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_table);
-+ size =
-+ ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_tables);
-+ htrees[j] = huffman_tables->curr_segment->curr_table;
- if (size == 0) {
- goto Error;
- }
- if (is_trivial_literal && kLiteralMap[j] == 1) {
-- is_trivial_literal = (huffman_table->bits == 0);
-+ is_trivial_literal = (htrees[j]->bits == 0);
- }
-- total_size += huffman_table->bits;
-- huffman_table += size;
-+ total_size += htrees[j]->bits;
-+ huffman_tables->curr_segment->curr_table += size;
- if (j <= ALPHA) {
- int local_max_bits = code_lengths[0];
- int k;
-@@ -515,14 +520,13 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
- hdr->huffman_image_ = huffman_image;
- hdr->num_htree_groups_ = num_htree_groups;
- hdr->htree_groups_ = htree_groups;
-- hdr->huffman_tables_ = huffman_tables;
-
- Error:
- WebPSafeFree(code_lengths);
- WebPSafeFree(mapping);
- if (!ok) {
- WebPSafeFree(huffman_image);
-- WebPSafeFree(huffman_tables);
-+ VP8LHuffmanTablesDeallocate(huffman_tables);
- VP8LHtreeGroupsFree(htree_groups);
- }
- return ok;
-@@ -1358,7 +1362,7 @@ static void ClearMetadata(VP8LMetadata* const hdr) {
- assert(hdr != NULL);
-
- WebPSafeFree(hdr->huffman_image_);
-- WebPSafeFree(hdr->huffman_tables_);
-+ VP8LHuffmanTablesDeallocate(&hdr->huffman_tables_);
- VP8LHtreeGroupsFree(hdr->htree_groups_);
- VP8LColorCacheClear(&hdr->color_cache_);
- VP8LColorCacheClear(&hdr->saved_color_cache_);
-@@ -1673,7 +1677,7 @@ int VP8LDecodeImage(VP8LDecoder* const dec) {
-
- if (dec == NULL) return 0;
-
-- assert(dec->hdr_.huffman_tables_ != NULL);
-+ assert(dec->hdr_.huffman_tables_.root.start != NULL);
- assert(dec->hdr_.htree_groups_ != NULL);
- assert(dec->hdr_.num_htree_groups_ > 0);
-
-diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h
-index 72b2e861..32540a4b 100644
---- a/src/dec/vp8li_dec.h
-+++ b/src/dec/vp8li_dec.h
-@@ -51,7 +51,7 @@ typedef struct {
- uint32_t* huffman_image_;
- int num_htree_groups_;
- HTreeGroup* htree_groups_;
-- HuffmanCode* huffman_tables_;
-+ HuffmanTables huffman_tables_;
- } VP8LMetadata;
-
- typedef struct VP8LDecoder VP8LDecoder;
-diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
-index 90c2fbf7..cf73abd4 100644
---- a/src/utils/huffman_utils.c
-+++ b/src/utils/huffman_utils.c
-@@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
- if (num_open < 0) {
- return 0;
- }
-- if (root_table == NULL) continue;
- for (; count[len] > 0; --count[len]) {
- HuffmanCode code;
- if ((key & mask) != low) {
-- table += table_size;
-+ if (root_table != NULL) table += table_size;
- table_bits = NextTableBitSize(count, len, root_bits);
- table_size = 1 << table_bits;
- total_size += table_size;
- low = key & mask;
-- root_table[low].bits = (uint8_t)(table_bits + root_bits);
-- root_table[low].value = (uint16_t)((table - root_table) - low);
-+ if (root_table != NULL) {
-+ root_table[low].bits = (uint8_t)(table_bits + root_bits);
-+ root_table[low].value = (uint16_t)((table - root_table) - low);
-+ }
-+ }
-+ if (root_table != NULL) {
-+ code.bits = (uint8_t)(len - root_bits);
-+ code.value = (uint16_t)sorted[symbol++];
-+ ReplicateValue(&table[key >> root_bits], step, table_size, code);
- }
-- code.bits = (uint8_t)(len - root_bits);
-- code.value = (uint16_t)sorted[symbol++];
-- ReplicateValue(&table[key >> root_bits], step, table_size, code);
- key = GetNextKey(key, len);
- }
- }
-@@ -211,25 +214,83 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
- ((1 << MAX_CACHE_BITS) + NUM_LITERAL_CODES + NUM_LENGTH_CODES)
- // Cut-off value for switching between heap and stack allocation.
- #define SORTED_SIZE_CUTOFF 512
--int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
-+int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits,
- const int code_lengths[], int code_lengths_size) {
-- int total_size;
-+ const int total_size =
-+ BuildHuffmanTable(NULL, root_bits, code_lengths, code_lengths_size, NULL);
- assert(code_lengths_size <= MAX_CODE_LENGTHS_SIZE);
-- if (root_table == NULL) {
-- total_size = BuildHuffmanTable(NULL, root_bits,
-- code_lengths, code_lengths_size, NULL);
-- } else if (code_lengths_size <= SORTED_SIZE_CUTOFF) {
-+ if (total_size == 0 || root_table == NULL) return total_size;
-+
-+ if (root_table->curr_segment->curr_table + total_size >=
-+ root_table->curr_segment->start + root_table->curr_segment->size) {
-+ // If 'root_table' does not have enough memory, allocate a new segment.
-+ // The available part of root_table->curr_segment is left unused because we
-+ // need a contiguous buffer.
-+ const int segment_size = root_table->curr_segment->size;
-+ struct HuffmanTablesSegment* next =
-+ (HuffmanTablesSegment*)WebPSafeMalloc(1, sizeof(*next));
-+ if (next == NULL) return 0;
-+ // Fill the new segment.
-+ // We need at least 'total_size' but if that value is small, it is better to
-+ // allocate a big chunk to prevent more allocations later. 'segment_size' is
-+ // therefore chosen (any other arbitrary value could be chosen).
-+ next->size = total_size > segment_size ? total_size : segment_size;
-+ next->start =
-+ (HuffmanCode*)WebPSafeMalloc(next->size, sizeof(*next->start));
-+ if (next->start == NULL) {
-+ WebPSafeFree(next);
-+ return 0;
-+ }
-+ next->curr_table = next->start;
-+ next->next = NULL;
-+ // Point to the new segment.
-+ root_table->curr_segment->next = next;
-+ root_table->curr_segment = next;
-+ }
-+ if (code_lengths_size <= SORTED_SIZE_CUTOFF) {
- // use local stack-allocated array.
- uint16_t sorted[SORTED_SIZE_CUTOFF];
-- total_size = BuildHuffmanTable(root_table, root_bits,
-- code_lengths, code_lengths_size, sorted);
-- } else { // rare case. Use heap allocation.
-+ BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits,
-+ code_lengths, code_lengths_size, sorted);
-+ } else { // rare case. Use heap allocation.
- uint16_t* const sorted =
- (uint16_t*)WebPSafeMalloc(code_lengths_size, sizeof(*sorted));
- if (sorted == NULL) return 0;
-- total_size = BuildHuffmanTable(root_table, root_bits,
-- code_lengths, code_lengths_size, sorted);
-+ BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits,
-+ code_lengths, code_lengths_size, sorted);
- WebPSafeFree(sorted);
- }
- return total_size;
- }
-+
-+int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables) {
-+ // Have 'segment' point to the first segment for now, 'root'.
-+ HuffmanTablesSegment* const root = &huffman_tables->root;
-+ huffman_tables->curr_segment = root;
-+ // Allocate root.
-+ root->start = (HuffmanCode*)WebPSafeMalloc(size, sizeof(*root->start));
-+ if (root->start == NULL) return 0;
-+ root->curr_table = root->start;
-+ root->next = NULL;
-+ root->size = size;
-+ return 1;
-+}
-+
-+void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables) {
-+ HuffmanTablesSegment *current, *next;
-+ if (huffman_tables == NULL) return;
-+ // Free the root node.
-+ current = &huffman_tables->root;
-+ next = current->next;
-+ WebPSafeFree(current->start);
-+ current->start = NULL;
-+ current->next = NULL;
-+ current = next;
-+ // Free the following nodes.
-+ while (current != NULL) {
-+ next = current->next;
-+ WebPSafeFree(current->start);
-+ WebPSafeFree(current);
-+ current = next;
-+ }
-+}
-diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h
-index 13b7ad1a..98415c53 100644
---- a/src/utils/huffman_utils.h
-+++ b/src/utils/huffman_utils.h
-@@ -43,6 +43,29 @@ typedef struct {
- // or non-literal symbol otherwise
- } HuffmanCode32;
-
-+// Contiguous memory segment of HuffmanCodes.
-+typedef struct HuffmanTablesSegment {
-+ HuffmanCode* start;
-+ // Pointer to where we are writing into the segment. Starts at 'start' and
-+ // cannot go beyond 'start' + 'size'.
-+ HuffmanCode* curr_table;
-+ // Pointer to the next segment in the chain.
-+ struct HuffmanTablesSegment* next;
-+ int size;
-+} HuffmanTablesSegment;
-+
-+// Chained memory segments of HuffmanCodes.
-+typedef struct HuffmanTables {
-+ HuffmanTablesSegment root;
-+ // Currently processed segment. At first, this is 'root'.
-+ HuffmanTablesSegment* curr_segment;
-+} HuffmanTables;
-+
-+// Allocates a HuffmanTables with 'size' contiguous HuffmanCodes. Returns 0 on
-+// memory allocation error, 1 otherwise.
-+int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables);
-+void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables);
-+
- #define HUFFMAN_PACKED_BITS 6
- #define HUFFMAN_PACKED_TABLE_SIZE (1u << HUFFMAN_PACKED_BITS)
-
-@@ -78,9 +101,7 @@ void VP8LHtreeGroupsFree(HTreeGroup* const htree_groups);
- // the huffman table.
- // Returns built table size or 0 in case of error (invalid tree or
- // memory error).
--// If root_table is NULL, it returns 0 if a lookup cannot be built, something
--// > 0 otherwise (but not the table size).
--int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
-+int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits,
- const int code_lengths[], int code_lengths_size);
-
- #ifdef __cplusplus
---
-2.41.0
-
diff --git a/pkgs/development/libraries/libwebp/default.nix b/pkgs/development/libraries/libwebp/default.nix
index c70b7d40b3e4..868266466271 100644
--- a/pkgs/development/libraries/libwebp/default.nix
+++ b/pkgs/development/libraries/libwebp/default.nix
@@ -28,13 +28,13 @@
stdenv.mkDerivation rec {
pname = "libwebp";
- version = "1.3.1";
+ version = "1.3.2";
src = fetchFromGitHub {
owner = "webmproject";
repo = pname;
rev = "v${version}";
- hash = "sha256-Q94avvKjPdwdGt5ADo30cf2V4T7MCTubDHJxTtbG4xQ=";
+ hash = "sha256-UYO2Fmm8nzQR8VBC26wEwWd3qZTD+6MHKcmKBoNcpEE=";
};
patches = [
@@ -45,12 +45,6 @@ stdenv.mkDerivation rec {
revert = true;
hash = "sha256-yy/T0IZolk5JLbVRevtLWErOSVQIZqNRg/a6J6JHDHg=";
})
-
- # Commit 902bc919 from upstream, mangled slightly to apply onto 1.3.1.
- # There is currently (2023-09-12) no confirmation that this is the fix for
- # CVE-2023-4863, but it is linked to the right crbug, and matches the
- # description of that (critical sev, exploited in the wild) CVE.
- ./CVE-2023-4863.patch
];
configureFlags = [
diff --git a/pkgs/development/libraries/lmdb/default.nix b/pkgs/development/libraries/lmdb/default.nix
index dbc15f11c3aa..378e456b1fb2 100644
--- a/pkgs/development/libraries/lmdb/default.nix
+++ b/pkgs/development/libraries/lmdb/default.nix
@@ -17,6 +17,11 @@ stdenv.mkDerivation rec {
patches = [ ./hardcoded-compiler.patch ./bin-ext.patch ];
patchFlags = [ "-p3" ];
+ # Don't attempt the .so if static, as it would fail.
+ postPatch = lib.optionalString stdenv.hostPlatform.isStatic ''
+ sed 's/^ILIBS\>.*/ILIBS = liblmdb.a/' -i Makefile
+ '';
+
outputs = [ "bin" "out" "dev" ];
buildInputs = lib.optional stdenv.hostPlatform.isWindows windows.pthreads;
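Review bot: The `sed` in the added `postPatch` exits successfully even when no line matches `^ILIBS\>`, so a change to the upstream Makefile would silently bring back the shared-library build attempt that the comment says fails on static platforms. Following it with a check such as `grep -q '^ILIBS = liblmdb\.a' Makefile` would turn that into an immediate failure that names its own cause. The `\>` word-boundary is a GNU sed extension, which is presumably fine with the stdenv's sed but worth keeping in mind.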
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index fb581f36a133..cc9d769baeb4 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -242,8 +242,8 @@ in {
};
openssl_3 = common {
- version = "3.0.10";
- sha256 = "sha256-F2HU9bE6ECi5tvPUuOF/6wztyTcPav5h1xk9LNzoMyM=";
+ version = "3.0.11";
+ sha256 = "sha256-s0JdO7SiIY0Gl+tB9/wM3t4BbtGcpJ0Wi3jo2UeIf1U=";
patches = [
./3.0/nix-ssl-cert-file.patch
diff --git a/pkgs/development/libraries/webkitgtk/default.nix b/pkgs/development/libraries/webkitgtk/default.nix
index 57168b2cc17a..1db2f4ce6d8c 100644
--- a/pkgs/development/libraries/webkitgtk/default.nix
+++ b/pkgs/development/libraries/webkitgtk/default.nix
@@ -27,6 +27,7 @@
, libxkbcommon
, libavif
, libepoxy
+, libjxl
, at-spi2-core
, libxml2
, libsoup
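Review bot: The derivation's argument list changes in this hunk and the next two (`libjxl` is added here, `pcre` and `enableGLES ? true` are removed below), and this lands on a release branch. The start and end of the argument set are outside these hunks, but if it is closed, an existing `webkitgtk.override { enableGLES = false; }` in a user configuration or overlay would stop evaluating after this update. Keeping the parameter as `, enableGLES ? null` for the rest of the release and wrapping the result in `lib.warnIf (enableGLES != null) "webkitgtk: enableGLES no longer has any effect"` would avoid breaking such overrides. A short comment beside `libjxl` saying which upstream feature needs it would also help whoever next trims the inputs.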
@@ -34,7 +35,6 @@
, libxslt
, harfbuzz
, libpthreadstubs
-, pcre
, nettle
, libtasn1
, p11-kit
@@ -51,7 +51,6 @@
, openjpeg
, geoclue2
, sqlite
-, enableGLES ? true
, gst-plugins-base
, gst-plugins-bad
, woff2
@@ -71,7 +70,7 @@
stdenv.mkDerivation (finalAttrs: {
pname = "webkitgtk";
- version = "2.40.5";
+ version = "2.42.1";
name = "${finalAttrs.pname}-${finalAttrs.version}+abi=${if lib.versionAtLeast gtk3.version "4.0" then "6.0" else "4.${if lib.versions.major libsoup.version == "2" then "0" else "1"}"}";
outputs = [ "out" "dev" "devdoc" ];
@@ -82,7 +81,7 @@ stdenv.mkDerivation (finalAttrs: {
src = fetchurl {
url = "https://webkitgtk.org/releases/webkitgtk-${finalAttrs.version}.tar.xz";
- hash = "sha256-feBRomNmhiHZGmGl6xw3cdGnzskABD1K/vBsMmwWA38=";
+ hash = "sha256-b0H6yZidPuUcCMSN4dQ5ze3ey8dX40thgJh9mbFtJJk=";
};
patches = lib.optionals stdenv.isLinux [
@@ -132,6 +131,7 @@ stdenv.mkDerivation (finalAttrs: {
enchant2
libavif
libepoxy
+ libjxl
gnutls
gst-plugins-bad
gst-plugins-base
@@ -153,7 +153,6 @@ stdenv.mkDerivation (finalAttrs: {
nettle
openjpeg
p11-kit
- pcre
sqlite
woff2
] ++ (with xorg; [
@@ -219,8 +218,6 @@ stdenv.mkDerivation (finalAttrs: {
"-DUSE_GTK4=ON"
] ++ lib.optionals (!systemdSupport) [
"-DENABLE_JOURNALD_LOG=OFF"
- ] ++ lib.optionals (stdenv.isLinux && enableGLES) [
- "-DENABLE_GLES2=ON"
];
postPatch = ''
diff --git a/pkgs/development/libraries/webkitgtk/fdo-backend-path.patch b/pkgs/development/libraries/webkitgtk/fdo-backend-path.patch
index f46c0fe8a15c..48e7d9cca745 100644
--- a/pkgs/development/libraries/webkitgtk/fdo-backend-path.patch
+++ b/pkgs/development/libraries/webkitgtk/fdo-backend-path.patch
@@ -3,7 +3,7 @@
@@ -84,7 +84,7 @@ void WebProcessPool::platformInitializeWebProcess(const WebProcessProxy& process
#if PLATFORM(WAYLAND)
- if (WebCore::PlatformDisplay::sharedDisplay().type() == WebCore::PlatformDisplay::Type::Wayland) {
+ if (WebCore::PlatformDisplay::sharedDisplay().type() == WebCore::PlatformDisplay::Type::Wayland && parameters.dmaBufRendererBufferMode.isEmpty()) {
- wpe_loader_init("libWPEBackend-fdo-1.0.so.1");
+ wpe_loader_init("@wpebackend_fdo@/lib/libWPEBackend-fdo-1.0.so.1");
if (AcceleratedBackingStoreWayland::checkRequirements()) {
diff --git a/pkgs/development/python-modules/django/3.nix b/pkgs/development/python-modules/django/3.nix
index 9c8e13842422..7796c31ebd0e 100644
--- a/pkgs/development/python-modules/django/3.nix
+++ b/pkgs/development/python-modules/django/3.nix
@@ -15,14 +15,14 @@
buildPythonPackage rec {
pname = "django";
- version = "3.2.20";
+ version = "3.2.22";
disabled = pythonOlder "3.7";
src = fetchPypi {
pname = "Django";
inherit version;
- hash = "sha256-3sKhFnh7jhSWIBS/eOEgu6RUE1EI4a+em5Gt57KWTEA=";
+ hash = "sha256-g7bWawbkhIB9d4Jj/cf5GG1NwYYvz6ZQeDBEasawYLo=";
};
patches = [
diff --git a/pkgs/development/python-modules/gst-python/default.nix b/pkgs/development/python-modules/gst-python/default.nix
index efa4fba8513a..2f9ced5aec75 100644
--- a/pkgs/development/python-modules/gst-python/default.nix
+++ b/pkgs/development/python-modules/gst-python/default.nix
@@ -14,7 +14,7 @@
buildPythonPackage rec {
pname = "gst-python";
- version = "1.22.5";
+ version = "1.22.6";
format = "other";
@@ -22,7 +22,7 @@ buildPythonPackage rec {
src = fetchurl {
url = "${meta.homepage}/src/gst-python/${pname}-${version}.tar.xz";
- hash = "sha256-vwUjJBXPYBgUKuUd07iXu3NDJoe1zheGv0btximM5bA=";
+ hash = "sha256-Ud4tbROxLOCV6sl8C5TuWcKuujcSu3Rit4xNV93hdsU=";
};
# Python 2.x is not supported.
diff --git a/pkgs/development/python-modules/sanic/default.nix b/pkgs/development/python-modules/sanic/default.nix
index 52b04f4cccef..7bc191dd0eea 100644
--- a/pkgs/development/python-modules/sanic/default.nix
+++ b/pkgs/development/python-modules/sanic/default.nix
@@ -107,6 +107,10 @@ buildPythonPackage rec {
"test_default_reload_shutdown_order"
# App not found.
"test_input_is_dir"
+ # HTTP 500 with Websocket subprotocols
+ "test_websocket_route_with_subprotocols"
+ # Socket closes early
+ "test_no_exceptions_when_cancel_pending_request"
];
disabledTestPaths = [
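Review bot: The two new `disabledTests` entries record only the symptom (`# HTTP 500 with Websocket subprotocols`, `# Socket closes early`), so nothing tells a later maintainer why they fail or when they can be re-enabled. An HTTP 500 on a websocket route may be a real incompatibility with a dependency version rather than a sandbox artefact (this is inferred, as the hunk does not say). I would extend each comment with the suspected cause and a reference, for example `# HTTP 500 with Websocket subprotocols, see <upstream issue URL>`. The `disabledTests` list starts outside this hunk.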
diff --git a/pkgs/misc/cups/default.nix b/pkgs/misc/cups/default.nix
index 99d56af97c3d..ba414d7aec5b 100644
--- a/pkgs/misc/cups/default.nix
+++ b/pkgs/misc/cups/default.nix
@@ -23,11 +23,11 @@
stdenv.mkDerivation rec {
pname = "cups";
- version = "2.4.6";
+ version = "2.4.7";
src = fetchurl {
url = "https://github.com/OpenPrinting/cups/releases/download/v${version}/cups-${version}-source.tar.gz";
- sha256 = "sha256-WOlwzxlV4cyH0IR8MlJtnCzO4zXl8OOIKygxOLoOcmI=";
+ sha256 = "sha256-3VQijdkDUmQozn43lhr67SMK0xB4gUHadc66oINiz2w=";
};
outputs = [ "out" "lib" "dev" "man" ];
diff --git a/pkgs/misc/ghostscript/default.nix b/pkgs/misc/ghostscript/default.nix
index 95e212c32365..09a640b8bdbb 100644
--- a/pkgs/misc/ghostscript/default.nix
+++ b/pkgs/misc/ghostscript/default.nix
@@ -61,11 +61,11 @@ let
in
stdenv.mkDerivation rec {
pname = "ghostscript${lib.optionalString x11Support "-with-X"}";
- version = "10.01.2";
+ version = "10.02.0";
src = fetchurl {
url = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${lib.replaceStrings ["."] [""] version}/ghostscript-${version}.tar.xz";
- hash = "sha512-7iDw4S9VOj0EV45xoNRd7+vHERfOTcLBQEOYW/5zSK1/iy/pj8m09bk17LMuUNw0C+Z9bvWBkFQuxtD52h3jgA==";
+ hash = "sha512-xJNEFRBj6RWt1VoKhCwqZF2DYqXLymY70HY49L02maCMreN6nv6QWtWkHgFDU+XhsSaLeSXkMSitMNWwMTlrcQ==";
};
patches = [
diff --git a/pkgs/misc/ghostscript/test-corpus-render.nix b/pkgs/misc/ghostscript/test-corpus-render.nix
index 26cad916e209..089661293c25 100644
--- a/pkgs/misc/ghostscript/test-corpus-render.nix
+++ b/pkgs/misc/ghostscript/test-corpus-render.nix
@@ -5,12 +5,12 @@
stdenv.mkDerivation {
pname = "ghostscript-test-corpus-render";
- version = "unstable-2022-12-01";
+ version = "unstable-2023-05-19";
src = fetchgit {
url = "git://git.ghostscript.com/tests.git";
- rev = "e81c3a1d7c679aab8230e9152165d8cffb687242";
- hash = "sha256-h+UHpCHASYOhf4xG6gkVJK9TEG85kE3jNx5cD1I3LQg=";
+ rev = "f7d5087d3d6c236707842dcd428818c6cb8fb041";
+ hash = "sha256-xHOEo1ZJG1GCcEKqaXLDpfRRQxpbSy0bzicKju9hG40=";
};
dontConfigure = true;
diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix
index bf7cb3aceb49..5378cda4f374 100644
--- a/pkgs/servers/x11/xorg/default.nix
+++ b/pkgs/servers/x11/xorg/default.nix
@@ -892,11 +892,11 @@ self: with self; {
# THIS IS A GENERATED FILE. DO NOT EDIT!
libX11 = callPackage ({ stdenv, pkg-config, fetchurl, xorgproto, libpthreadstubs, libxcb, xtrans }: stdenv.mkDerivation {
pname = "libX11";
- version = "1.8.6";
+ version = "1.8.7";
builder = ./builder.sh;
src = fetchurl {
- url = "mirror://xorg/individual/lib/libX11-1.8.6.tar.xz";
- sha256 = "1jawl8zp1h7hdmxx1sc6kmxkki187d9yixr2l03ai6wqqry5nlsr";
+ url = "mirror://xorg/individual/lib/libX11-1.8.7.tar.xz";
+ sha256 = "1vlrgrdibp4lr84wgmsdy1ihzaai8bvvqc68npi1m19wir36gwh5";
};
hardeningDisable = [ "bindnow" "relro" ];
strictDeps = true;
@@ -1180,11 +1180,11 @@ self: with self; {
# THIS IS A GENERATED FILE. DO NOT EDIT!
libXpm = callPackage ({ stdenv, pkg-config, fetchurl, libX11, libXext, xorgproto, libXt, gettext }: stdenv.mkDerivation {
pname = "libXpm";
- version = "3.5.15";
+ version = "3.5.17";
builder = ./builder.sh;
src = fetchurl {
- url = "mirror://xorg/individual/lib/libXpm-3.5.15.tar.xz";
- sha256 = "1hfivygzrzpq81vg9z2l46pd5nrzm326k6z3cfw6syiibin91fv0";
+ url = "mirror://xorg/individual/lib/libXpm-3.5.17.tar.xz";
+ sha256 = "0hvf49qy55gwldpwpw7ihcmn5i2iinpjh2rbha63hzcy060izcv4";
};
hardeningDisable = [ "bindnow" "relro" ];
strictDeps = true;
diff --git a/pkgs/servers/x11/xorg/tarballs.list b/pkgs/servers/x11/xorg/tarballs.list
index 941504a62b14..604450c6945a 100644
--- a/pkgs/servers/x11/xorg/tarballs.list
+++ b/pkgs/servers/x11/xorg/tarballs.list
@@ -174,7 +174,7 @@ mirror://xorg/individual/lib/libICE-1.0.10.tar.bz2
mirror://xorg/individual/lib/libpciaccess-0.16.tar.bz2
mirror://xorg/individual/lib/libSM-1.2.3.tar.bz2
mirror://xorg/individual/lib/libWindowsWM-1.0.1.tar.bz2
-mirror://xorg/individual/lib/libX11-1.8.6.tar.xz
+mirror://xorg/individual/lib/libX11-1.8.7.tar.xz
mirror://xorg/individual/lib/libXau-1.0.9.tar.bz2
mirror://xorg/individual/lib/libXaw-1.0.14.tar.bz2
mirror://xorg/individual/lib/libxcb-1.14.tar.xz
@@ -193,7 +193,7 @@ mirror://xorg/individual/lib/libXinerama-1.1.4.tar.bz2
mirror://xorg/individual/lib/libxkbfile-1.1.0.tar.bz2
mirror://xorg/individual/lib/libXmu-1.1.3.tar.bz2
mirror://xorg/individual/lib/libXp-1.0.3.tar.bz2
-mirror://xorg/individual/lib/libXpm-3.5.15.tar.xz
+mirror://xorg/individual/lib/libXpm-3.5.17.tar.xz
mirror://xorg/individual/lib/libXpresent-1.0.0.tar.bz2
mirror://xorg/individual/lib/libXrandr-1.5.2.tar.bz2
mirror://xorg/individual/lib/libXrender-0.9.10.tar.bz2
diff --git a/pkgs/tools/networking/curl/CVE-2023-38039.patch b/pkgs/tools/networking/curl/CVE-2023-38039.patch
new file mode 100644
index 000000000000..b080237111fe
--- /dev/null
+++ b/pkgs/tools/networking/curl/CVE-2023-38039.patch
@@ -0,0 +1,211 @@
+From 3ee79c1674fd6f99e8efca52cd7510e08b766770 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Aug 2023 23:34:48 +0200
+Subject: [PATCH] http: return error when receiving too large header set
+
+To avoid abuse. The limit is set to 300 KB for the accumulated size of
+all received HTTP headers for a single response. Incomplete research
+suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to
+1MB.
+
+Closes #11582
+---
+ lib/c-hyper.c | 12 +++++++-----
+ lib/cf-h1-proxy.c | 4 +++-
+ lib/http.c | 34 ++++++++++++++++++++++++++++++----
+ lib/http.h | 9 +++++++++
+ lib/pingpong.c | 4 +++-
+ lib/urldata.h | 17 ++++++++---------
+ 6 files changed, 60 insertions(+), 20 deletions(-)
+
+diff --git a/lib/c-hyper.c b/lib/c-hyper.c
+index c29983c0b24a6..0b9d9ab478e67 100644
+--- a/lib/c-hyper.c
++++ b/lib/c-hyper.c
+@@ -182,8 +182,11 @@ static int hyper_each_header(void *userdata,
+ }
+ }
+
+- data->info.header_size += (curl_off_t)len;
+- data->req.headerbytecount += (curl_off_t)len;
++ result = Curl_bump_headersize(data, len, FALSE);
++ if(result) {
++ data->state.hresult = result;
++ return HYPER_ITER_BREAK;
++ }
+ return HYPER_ITER_CONTINUE;
+ }
+
+@@ -313,9 +316,8 @@ static CURLcode status_line(struct Curl_easy *data,
+ if(result)
+ return result;
+ }
+- data->info.header_size += (curl_off_t)len;
+- data->req.headerbytecount += (curl_off_t)len;
+- return CURLE_OK;
++ result = Curl_bump_headersize(data, len, FALSE);
++ return result;
+ }
+
+ /*
+diff --git a/lib/cf-h1-proxy.c b/lib/cf-h1-proxy.c
+index c9b157c9bccc7..b1d8cb618b7d1 100644
+--- a/lib/cf-h1-proxy.c
++++ b/lib/cf-h1-proxy.c
+@@ -587,7 +587,9 @@ static CURLcode recv_CONNECT_resp(struct Curl_cfilter *cf,
+ return result;
+ }
+
+- data->info.header_size += (long)perline;
++ result = Curl_bump_headersize(data, perline, TRUE);
++ if(result)
++ return result;
+
+ /* Newlines are CRLF, so the CR is ignored as the line isn't
+ really terminated until the LF comes. Treat a following CR
+diff --git a/lib/http.c b/lib/http.c
+index f7c71afd7d847..bc78ff97435c4 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -3920,6 +3920,29 @@ static CURLcode verify_header(struct Curl_easy *data)
+ return CURLE_OK;
+ }
+
++CURLcode Curl_bump_headersize(struct Curl_easy *data,
++ size_t delta,
++ bool connect_only)
++{
++ size_t bad = 0;
++ if(delta < MAX_HTTP_RESP_HEADER_SIZE) {
++ if(!connect_only)
++ data->req.headerbytecount += (unsigned int)delta;
++ data->info.header_size += (unsigned int)delta;
++ if(data->info.header_size > MAX_HTTP_RESP_HEADER_SIZE)
++ bad = data->info.header_size;
++ }
++ else
++ bad = data->info.header_size + delta;
++ if(bad) {
++ failf(data, "Too large response headers: %zu > %zu",
++ bad, MAX_HTTP_RESP_HEADER_SIZE);
++ return CURLE_RECV_ERROR;
++ }
++ return CURLE_OK;
++}
++
++
+ /*
+ * Read any HTTP header lines from the server and pass them to the client app.
+ */
+@@ -4173,8 +4196,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ if(result)
+ return result;
+
+- data->info.header_size += (long)headerlen;
+- data->req.headerbytecount += (long)headerlen;
++ result = Curl_bump_headersize(data, headerlen, FALSE);
++ if(result)
++ return result;
+
+ /*
+ * When all the headers have been parsed, see if we should give
+@@ -4496,8 +4520,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ if(result)
+ return result;
+
+- data->info.header_size += Curl_dyn_len(&data->state.headerb);
+- data->req.headerbytecount += Curl_dyn_len(&data->state.headerb);
++ result = Curl_bump_headersize(data, Curl_dyn_len(&data->state.headerb),
++ FALSE);
++ if(result)
++ return result;
+
+ Curl_dyn_reset(&data->state.headerb);
+ }
+diff --git a/lib/http.h b/lib/http.h
+index df3b4e38b8a88..4aeabc345938c 100644
+--- a/lib/http.h
++++ b/lib/http.h
+@@ -64,6 +64,10 @@ extern const struct Curl_handler Curl_handler_wss;
+
+ struct dynhds;
+
++CURLcode Curl_bump_headersize(struct Curl_easy *data,
++ size_t delta,
++ bool connect_only);
++
+ /* Header specific functions */
+ bool Curl_compareheader(const char *headerline, /* line to check */
+ const char *header, /* header keyword _with_ colon */
+@@ -183,6 +187,11 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data);
+ #define EXPECT_100_THRESHOLD (1024*1024)
+ #endif
+
++/* MAX_HTTP_RESP_HEADER_SIZE is the maximum size of all response headers
++ combined that libcurl allows for a single HTTP response, any HTTP
++ version. This count includes CONNECT response headers. */
++#define MAX_HTTP_RESP_HEADER_SIZE (300*1024)
++
+ #endif /* CURL_DISABLE_HTTP */
+
+ /****************************************************************************
+diff --git a/lib/pingpong.c b/lib/pingpong.c
+index f3f7cb93cb9b7..523bbec189fe6 100644
+--- a/lib/pingpong.c
++++ b/lib/pingpong.c
+@@ -341,7 +341,9 @@ CURLcode Curl_pp_readresp(struct Curl_easy *data,
+ ssize_t clipamount = 0;
+ bool restart = FALSE;
+
+- data->req.headerbytecount += (long)gotbytes;
++ result = Curl_bump_headersize(data, gotbytes, FALSE);
++ if(result)
++ return result;
+
+ pp->nread_resp += gotbytes;
+ for(i = 0; i < gotbytes; ptr++, i++) {
+diff --git a/lib/urldata.h b/lib/urldata.h
+index e5446b6840f63..d21aa415dc94b 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -629,17 +629,16 @@ struct SingleRequest {
+ curl_off_t bytecount; /* total number of bytes read */
+ curl_off_t writebytecount; /* number of bytes written */
+
+- curl_off_t headerbytecount; /* only count received headers */
+- curl_off_t deductheadercount; /* this amount of bytes doesn't count when we
+- check if anything has been transferred at
+- the end of a connection. We use this
+- counter to make only a 100 reply (without a
+- following second response code) result in a
+- CURLE_GOT_NOTHING error code */
+-
+ curl_off_t pendingheader; /* this many bytes left to send is actually
+ header and not body */
+ struct curltime start; /* transfer started at this time */
++ unsigned int headerbytecount; /* only count received headers */
++ unsigned int deductheadercount; /* this amount of bytes doesn't count when
++ we check if anything has been transferred
++ at the end of a connection. We use this
++ counter to make only a 100 reply (without
++ a following second response code) result
++ in a CURLE_GOT_NOTHING error code */
+ enum {
+ HEADER_NORMAL, /* no bad header at all */
+ HEADER_PARTHEADER, /* part of the chunk is a bad header, the rest
+@@ -1089,7 +1088,6 @@ struct PureInfo {
+ int httpversion; /* the http version number X.Y = X*10+Y */
+ time_t filetime; /* If requested, this is might get set. Set to -1 if the
+ time was unretrievable. */
+- curl_off_t header_size; /* size of read header(s) in bytes */
+ curl_off_t request_size; /* the amount of bytes sent in the request(s) */
+ unsigned long proxyauthavail; /* what proxy auth types were announced */
+ unsigned long httpauthavail; /* what host auth types were announced */
+@@ -1097,6 +1095,7 @@ struct PureInfo {
+ char *contenttype; /* the content type of the object */
+ char *wouldredirect; /* URL this would've been redirected to if asked to */
+ curl_off_t retry_after; /* info from Retry-After: header */
++ unsigned int header_size; /* size of read header(s) in bytes */
+
+ /* PureInfo members 'conn_primary_ip', 'conn_primary_port', 'conn_local_ip'
+ and, 'conn_local_port' are copied over from the connectdata struct in
diff --git a/pkgs/tools/networking/curl/CVE-2023-38545.patch b/pkgs/tools/networking/curl/CVE-2023-38545.patch
new file mode 100644
index 000000000000..c15c273ea41e
--- /dev/null
+++ b/pkgs/tools/networking/curl/CVE-2023-38545.patch
@@ -0,0 +1,134 @@
+From 92fd36dd54de9ac845549944692eb33c5aee7343 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Mon, 9 Oct 2023 17:15:44 -0400
+Subject: [PATCH] socks: return error if hostname too long for remote resolve
+
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+
+This patch applies to curl versions 7.87.0 - 8.1.2. Other versions
+that are affected take a different patch. Refer to the CVE advisory
+for more information.
+
+Bug: https://curl.se/docs/CVE-2023-38545.html
+---
+ lib/socks.c | 8 +++----
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test728 | 64 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 69 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test728
+
+diff --git a/lib/socks.c b/lib/socks.c
+index d491e08..e7da5b4 100644
+--- a/lib/socks.c
++++ b/lib/socks.c
+@@ -539,9 +539,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
+
+ /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
+ if(!socks5_resolve_local && hostname_len > 255) {
+- infof(data, "SOCKS5: server resolving disabled for hostnames of "
+- "length > 255 [actual len=%zu]", hostname_len);
+- socks5_resolve_local = TRUE;
++ failf(data, "SOCKS5: the destination hostname is too long to be "
++ "resolved remotely by the proxy.");
++ return CURLPX_LONG_HOSTNAME;
+ }
+
+ if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+@@ -882,7 +882,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
+ }
+ else {
+ socksreq[len++] = 3;
+- socksreq[len++] = (char) hostname_len; /* one byte address length */
++ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+ memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
+ len += hostname_len;
+ }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 3e0221a..64b11de 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -99,7 +99,7 @@ test679 test680 test681 test682 test683 test684 test685 \
+ \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+-test718 test719 test720 test721 \
++test718 test719 test720 test721 test728 \
+ \
+ test800 test801 test802 test803 test804 test805 test806 test807 test808 \
+ test809 test810 test811 test812 test813 test814 test815 test816 test817 \
+diff --git a/tests/data/test728 b/tests/data/test728
+new file mode 100644
+index 0000000..05bcf28
+--- /dev/null
++++ b/tests/data/test728
+@@ -0,0 +1,64 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++SOCKS5
++SOCKS5h
++followlocation
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++# The hostname in this redirect is 256 characters and too long (> 255) for
++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
++<data>
++HTTP/1.1 301 Moved Permanently
++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
++Content-Length: 0
++Connection: close
++
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++socks5
++</server>
++ <name>
++SOCKS5h with HTTP redirect to hostname too long
++ </name>
++ <command>
++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++<errorcode>
++97
++</errorcode>
++# the error message is verified because error code CURLE_PROXY (97) may be
++# returned for any number of reasons and we need to make sure it is
++# specifically for the reason below so that we know the check is working.
++<stderr mode="text">
++curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
++</stderr>
++</verify>
++</testcase>
+--
+2.7.4
+
diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index d1d80037b5e1..6f0740b1ae17 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -52,7 +52,7 @@ stdenv.mkDerivation (finalAttrs: {
src = fetchurl {
urls = [
"https://curl.haxx.se/download/curl-${finalAttrs.version}.tar.bz2"
- "https://github.com/curl/curl/releases/download/curl-${finalAttrs.version}/curl-${finalAttrs.version}.tar.bz2"
+ "https://github.com/curl/curl/releases/download/curl-${builtins.replaceStrings [ "." ] [ "_" ] finalAttrs.version}/curl-${finalAttrs.version}.tar.bz2"
];
hash = "sha256-UdKvcieZE7XUyrH+Hzi5RM9wkEyIvuJGtb1XWETnA1o=";
};
@@ -60,8 +60,14 @@ stdenv.mkDerivation (finalAttrs: {
patches = [
./7.79.1-darwin-no-systemconfiguration.patch
- # Affected versions: 7.84.0 to and including 8.1.2
+ # https://curl.se/docs/CVE-2023-32001.html
./CVE-2023-32001.patch
+
+ # https://curl.se/docs/CVE-2023-38039.html
+ ./CVE-2023-38039.patch
+
+ # https://curl.se/docs/CVE-2023-38545.html
+ ./CVE-2023-38545.patch
];
outputs = [ "bin" "dev" "out" "man" "devdoc" ];
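Review bot: The patch comments now carry only the advisory URL, and the removed `# Affected versions: 7.84.0 to and including 8.1.2` was the only in-file hint for when an entry can be dropped. That matters most for `./CVE-2023-38545.patch`, whose header says it applies to curl 7.87.0 - 8.1.2 and that other affected versions take a different patch. After a version bump, a stale entry would either fail to apply or leave the wrong fix in place. I would keep the range next to the link, e.g. `# https://curl.se/docs/CVE-2023-38545.html (backport for 7.87.0 - 8.1.2, drop on version bump)`, and add the equivalent note to the other two entries.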