From a7ce72418ba1083ee06d7c9ba56bac518fb8f036 Mon Sep 17 00:00:00 2001
From: Christian Kauhaus
Date: Fri, 3 Jul 2020 10:57:38 +0200
Subject: [PATCH 1/4] sqlite: 3.32.2 -> 3.32.3

Fixes: CVE-2019-19242 CVE-2019-19244 CVE-2019-19317 CVE-2019-19603 CVE-2019-19645 CVE-2019-19646 CVE-2019-19880 CVE-2019-19923 CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-19959 CVE-2019-20218 CVE-2020-9327 CVE-2020-11655 CVE-2020-11656 CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 CVE-2020-13871 CVE-2020-15358

Re #92072, #90989, #88403, #88401, #88400, #77944, #92063, #90990
---
 pkgs/development/libraries/sqlite/analyzer.nix | 4 ++--
 pkgs/development/libraries/sqlite/default.nix  | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkgs/development/libraries/sqlite/analyzer.nix b/pkgs/development/libraries/sqlite/analyzer.nix
index 1190ba8a367366..56eef21ac1489a 100644
--- a/pkgs/development/libraries/sqlite/analyzer.nix
+++ b/pkgs/development/libraries/sqlite/analyzer.nix
@@ -6,11 +6,11 @@ in stdenv.mkDerivation rec {
   pname = "sqlite-analyzer";
-  version = "3.32.2";
+  version = "3.32.3";
 
   src = assert version == sqlite.version; fetchurl {
     url = "https://sqlite.org/2020/sqlite-src-${archiveVersion version}.zip";
-    sha256 = "1jqhs896cvp9l399mjpbv1x2qbfvq875l1vrgnl3zc4ffdjxs9z0";
+    sha256 = "1fgmslzf013ry3a7g2vms7zyg24gs53gfj308r6ki4inbn3g04lk";
   };
 
   nativeBuildInputs = [ unzip ];
diff --git a/pkgs/development/libraries/sqlite/default.nix b/pkgs/development/libraries/sqlite/default.nix
index 1255985b6b263e..ba938ebedafa46 100644
--- a/pkgs/development/libraries/sqlite/default.nix
+++ b/pkgs/development/libraries/sqlite/default.nix
@@ -10,12 +10,12 @@ in stdenv.mkDerivation rec {
   pname = "sqlite";
-  version = "3.32.2";
+  version = "3.32.3";
 
   # NB! Make sure to update analyzer.nix src (in the same directory).
   src = fetchurl {
     url = "https://sqlite.org/2020/sqlite-autoconf-${archiveVersion version}.tar.gz";
-    sha256 = "1130bcd70s2vlsq0d638pb5qrw9kwqvjswnp2dfypghx9hjz3gid";
+    sha256 = "0rlbaq177gcgk5dswd3akbhv2nvvzljrbhgy18hklbhw7h90f5d3";
   };
 
   outputs = [ "bin" "dev" "out" ];

From 58f5c23823c43c320b110c29c15690919705a228 Mon Sep 17 00:00:00 2001
From: Martin Milata
Date: Tue, 19 May 2020 00:06:13 +0200
Subject: [PATCH 2/4] openconnect: patch CVE-2020-12105 & CVE-2020-12823

- https://nvd.nist.gov/vuln/detail/CVE-2020-12105
- https://nvd.nist.gov/vuln/detail/CVE-2020-12823
---
 pkgs/tools/networking/openconnect/default.nix | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/pkgs/tools/networking/openconnect/default.nix b/pkgs/tools/networking/openconnect/default.nix
index a926ef1e1ddcfb..83e6f2d1230dec 100644
--- a/pkgs/tools/networking/openconnect/default.nix
+++ b/pkgs/tools/networking/openconnect/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, openssl ? null, gnutls ? null, gmp, libxml2, stoken, zlib, fetchgit, darwin } :
+{ stdenv, fetchurl, fetchpatch, pkgconfig, openssl ? null, gnutls ? null, gmp, libxml2, stoken, zlib, fetchgit, darwin } :
 
 assert (openssl != null) == (gnutls == null);
 
@@ -19,6 +19,19 @@ in stdenv.mkDerivation rec {
     sha256 = "14i9q727c2zc9xhzp1a9hz3gzb5lwgsslbhircm84dnbs192jp1k";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2020-12105.patch";
+      url = "https://gitlab.com/openconnect/openconnect/-/merge_requests/96.patch";
+      sha256 = "19ra55jql2f2sim9kkgybrm4abz28iax92iwpijiipz5lk2jz0ai";
+    })
+    (fetchpatch {
+      name = "CVE-2020-12823.patch";
+      url = "https://gitlab.com/openconnect/openconnect/-/merge_requests/108.patch";
+      sha256 = "1ycw0b7wbj6byb151vlyywr0y3x0prsyxal5gdds5xcsdr5s9va3";
+    })
+  ];
+
   outputs = [ "out" "dev" ];
 
   configureFlags = [

From a7447ffc77d20ce1a1f02ed2fd3a737833b079b2 Mon Sep 17 00:00:00 2001
From: Justin Humm
Date: Mon, 13 Jan 2020 15:59:01 +0100
Subject: [PATCH 3/4] fontforge: 20190413 -> 20190801

- Init libuninameslist at 20190701 as it is a new dependency to fontforge
- Remove gnulib, as it is not used anymore
- Remove a non-applying patch
- Add myself as maintainer

(cherry picked from commit 4496f8f4b82d51fd3157836d64fa5266ea767e85)
---
 .../libraries/libuninameslist/default.nix     | 28 +++++++++++++++++
 pkgs/tools/misc/fontforge/default.nix         | 17 +++++-----
 ...fontforge-20140813-use-system-uthash.patch | 31 -------------------
 pkgs/top-level/all-packages.nix               |  2 ++
 4 files changed, 37 insertions(+), 41 deletions(-)
 create mode 100644 pkgs/development/libraries/libuninameslist/default.nix
 delete mode 100644 pkgs/tools/misc/fontforge/fontforge-20140813-use-system-uthash.patch

diff --git a/pkgs/development/libraries/libuninameslist/default.nix b/pkgs/development/libraries/libuninameslist/default.nix
new file mode 100644
index 00000000000000..5d4cc61fe7acf6
--- /dev/null
+++ b/pkgs/development/libraries/libuninameslist/default.nix
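Review bot: Both `fetchpatch` entries in the new `patches` list fetch GitLab merge-request `.patch` endpoints (`.../merge_requests/96.patch` and `.../merge_requests/108.patch`), whose content tracks the MR's current head and can change if the MR is rebased or amended; the pinned `sha256` makes such a change fail the build loudly rather than admit different code, but it also means the derivation breaks for a reason unrelated to this package. Pointing at the merged commits instead, e.g. `url = "https://gitlab.com/openconnect/openconnect/-/commit/<upstream-commit-sha>.patch";` with the hash recomputed, keeps the fix reproducible; the `name` attributes already carry the CVE ids, so no extra comment is needed. The enclosing `stdenv.mkDerivation rec {` set starts before this hunk.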
@@ -0,0 +1,28 @@
+{ stdenv
+, fetchFromGitHub
+, autoreconfHook
+}:
+
+stdenv.mkDerivation rec {
+  pname = "libuninameslist";
+  version = "20190701";
+
+  src = fetchFromGitHub {
+    owner = "fontforge";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256:034c8clnskvqbwyiq7si4dad1kbngi3jmnrj064i39msqixmpdzb";
+  };
+
+  nativeBuildInputs = [
+    autoreconfHook
+  ];
+
+  meta = with stdenv.lib; {
+    homepage = https://github.com/fontforge/libuninameslist/;
+    description = "A Library of Unicode names and annotation data";
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ erictapen ];
+    platforms = platforms.all;
+  };
+}
diff --git a/pkgs/tools/misc/fontforge/default.nix b/pkgs/tools/misc/fontforge/default.nix
index 6239e839598169..635d786da53aa5 100644
--- a/pkgs/tools/misc/fontforge/default.nix
+++ b/pkgs/tools/misc/fontforge/default.nix
@@ -1,7 +1,7 @@
 { stdenv, fetchurl, lib
-, autoconf, automake, gnum4, libtool, perl, gnulib, uthash, pkgconfig, gettext
+, autoconf, automake, gnum4, libtool, perl, uthash, pkgconfig, gettext
 , python, freetype, zlib, glib, libungif, libpng, libjpeg, libtiff, libxml2, cairo, pango
-, readline, woff2, zeromq
+, readline, woff2, zeromq, libuninameslist
 , withSpiro ? false, libspiro
 , withGTK ? false, gtk2
 , withPython ? true
@@ -11,15 +11,13 @@
 
 stdenv.mkDerivation rec {
   pname = "fontforge";
-  version = "20190413";
+  version = "20190801";
 
   src = fetchurl {
     url = "https://github.com/${pname}/${pname}/releases/download/${version}/${pname}-${version}.tar.gz";
-    sha256 = "05v640mnk4fy4jzmxb6c4n4qm800x7hy4sl5gcdgzmm3md2s0qk7";
+    sha256 = "0lh8yx01asbzxm6car5cfi64njh5p4lxc7iv8dldr5rwg357a86r";
   };
 
-  patches = [ ./fontforge-20140813-use-system-uthash.patch ];
-
   # use $SOURCE_DATE_EPOCH instead of non-deterministic timestamps
   postPatch = ''
     find . -type f -name '*.c' -exec sed -r -i 's#\btime\(&(.+)\)#if (getenv("SOURCE_DATE_EPOCH")) \1=atol(getenv("SOURCE_DATE_EPOCH")); else &#g' {} \;
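Review bot: `homepage = https://github.com/fontforge/libuninameslist/;` in the new file's `meta` block uses an unquoted URL literal, which Nix has deprecated in favour of plain strings and which nixpkgs linting flags; write `homepage = "https://github.com/fontforge/libuninameslist/";`. The rest of the new derivation follows nixpkgs conventions, and because `src` is pinned by `sha256` the tag-based `rev = version` is integrity-checked even though tags are mutable. The fontforge hunks on the same line only drop `gnulib` and the obsolete `patches` entry and need no change.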
@@ -34,7 +32,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ pkgconfig autoconf automake gnum4 libtool perl gettext ];
 
   buildInputs = [
-    readline uthash woff2 zeromq
+    readline uthash woff2 zeromq libuninameslist
     python freetype zlib glib libungif libpng libjpeg libtiff libxml2
   ]
   ++ lib.optionals withSpiro [libspiro]
@@ -53,9 +51,7 @@ stdenv.mkDerivation rec {
     export SOURCE_DATE_EPOCH=$(date -d ${version} +%s)
 
     export GIT="$(type -P true)"
-    cp -r "${gnulib}" ./gnulib
-    chmod +w -R ./gnulib
-    ./bootstrap --skip-git --gnulib-srcdir=./gnulib --force
+    ./bootstrap --skip-git --force
   '';
 
   doCheck = false; # tries to wget some fonts
@@ -74,5 +70,6 @@ stdenv.mkDerivation rec {
     homepage = http://fontforge.github.io;
     platforms = stdenv.lib.platforms.all;
     license = stdenv.lib.licenses.bsd3;
+    maintainers = [ stdenv.lib.maintainers.erictapen ];
   };
 }
diff --git a/pkgs/tools/misc/fontforge/fontforge-20140813-use-system-uthash.patch b/pkgs/tools/misc/fontforge/fontforge-20140813-use-system-uthash.patch
deleted file mode 100644
index fb53c619b2bccc..00000000000000
--- a/pkgs/tools/misc/fontforge/fontforge-20140813-use-system-uthash.patch
+++ /dev/null
@@ -1,31 +0,0 @@ ---- a/Makefile.am.old 2014-08-12 10:07:32.000000000 +0530 -+++ b/Makefile.am 2014-09-08 16:23:56.046996941 +0530 -@@ -43,7 +43,6 @@ - AM_CPPFLAGS = - AM_LDFLAGS = - --BUILT_SOURCES = uthash/src - EXTRA_DIST = - CLEANFILES = - MOSTLYCLEANFILES = -@@ -113,8 +112,7 @@ - Packaging/FontForge-doc.spec \ - Packaging/FontForge.spec \ - Packaging/FontForge.static.spec \ - README \ -- uthash/src \ - $(NULL) - - #-------------------------------------------------------------------------- -@@ -129,11 +127,6 @@ - - - #-------------------------------------------------------------------------- --uthash/src: -- if [ ! -e uthash/src ]; then \ -- if [ -e uthash ] ; then rm -r uthash ; fi ; \ -- git clone https://github.com/troydhanson/uthash ; \ -- fi ; - - # We import a selection of targets from Frank's standard packaging Makefile. - diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 1eca5d2f942a2c..194030e4040dc0 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -13156,6 +13156,8 @@ in libunibreak = callPackage ../development/libraries/libunibreak { }; + libuninameslist = callPackage ../development/libraries/libuninameslist { }; + libunique = callPackage ../development/libraries/libunique { }; libunique3 = callPackage ../development/libraries/libunique/3.x.nix { }; From 99b72d2248d1264bb1ac828df896c54cd3637b4d Mon Sep 17 00:00:00 2001 From: Alyssa Ross Date: Fri, 5 Jun 2020 21:40:35 +0000 Subject: [PATCH 4/4] fontforge: 20190801 -> 20200314 This fixes the failing build. Build system changed to cmake. (cherry picked from commit e9848d11ad038d4077948f14986496ccb14e11bc) Reason: fixes CVE-2019-15785, CVE-2020-5395, CVE-2020-5496 --- pkgs/tools/misc/fontforge/default.nix | 31 ++++++++++----------------- pkgs/top-level/all-packages.nix | 2 +- 2 files changed, 12 insertions(+), 21 deletions(-) 
diff --git a/pkgs/tools/misc/fontforge/default.nix b/pkgs/tools/misc/fontforge/default.nix
index 635d786da53aa5..e3906ebce02290 100644
--- a/pkgs/tools/misc/fontforge/default.nix
+++ b/pkgs/tools/misc/fontforge/default.nix
@@ -1,9 +1,9 @@
 { stdenv, fetchurl, lib
-, autoconf, automake, gnum4, libtool, perl, uthash, pkgconfig, gettext
+, cmake, perl, uthash, pkgconfig, gettext
 , python, freetype, zlib, glib, libungif, libpng, libjpeg, libtiff, libxml2, cairo, pango
 , readline, woff2, zeromq, libuninameslist
 , withSpiro ? false, libspiro
-, withGTK ? false, gtk2
+, withGTK ? false, gtk3
 , withPython ? true
 , withExtras ? true
 , Carbon ? null, Cocoa ? null
@@ -11,11 +11,11 @@
 
 stdenv.mkDerivation rec {
   pname = "fontforge";
-  version = "20190801";
+  version = "20200314";
 
   src = fetchurl {
-    url = "https://github.com/${pname}/${pname}/releases/download/${version}/${pname}-${version}.tar.gz";
-    sha256 = "0lh8yx01asbzxm6car5cfi64njh5p4lxc7iv8dldr5rwg357a86r";
+    url = "https://github.com/${pname}/${pname}/releases/download/${version}/${pname}-${version}.tar.xz";
+    sha256 = "0qf88wd6riycq56d24brybyc93ns74s0nyyavm43zp2kfcihn6fd";
   };
 
   # use $SOURCE_DATE_EPOCH instead of non-deterministic timestamps
@@ -30,41 +30,32 @@ stdenv.mkDerivation rec {
   # do not use x87's 80-bit arithmetic, rouding errors result in very different font binaries
   NIX_CFLAGS_COMPILE = lib.optionalString stdenv.isi686 "-msse2 -mfpmath=sse";
-  nativeBuildInputs = [ pkgconfig autoconf automake gnum4 libtool perl gettext ];
+  nativeBuildInputs = [ pkgconfig cmake ];
 
   buildInputs = [
     readline uthash woff2 zeromq libuninameslist
     python freetype zlib glib libungif libpng libjpeg libtiff libxml2
   ]
   ++ lib.optionals withSpiro [libspiro]
-  ++ lib.optionals withGTK [ gtk2 cairo pango ]
+  ++ lib.optionals withGTK [ gtk3 cairo pango ]
   ++ lib.optionals stdenv.isDarwin [ Carbon Cocoa ];
 
-  configureFlags = [ "--enable-woff2" ]
-    ++ lib.optionals (!withPython) [ "--disable-python-scripting" "--disable-python-extension" ]
-    ++ lib.optional withGTK "--enable-gtk2-use"
-    ++ lib.optional (!withGTK) "--without-x"
-    ++ lib.optional withExtras "--enable-fontforge-extras";
+  cmakeFlags = [ "-DCMAKE_BUILD_WITH_INSTALL_RPATH=ON" ]
+    ++ lib.optional (!withSpiro) "-DENABLE_LIBSPIRO=OFF"
+    ++ lib.optional (!withGTK) "-DENABLE_GUI=OFF"
+    ++ lib.optional withExtras "-DENABLE_FONTFORGE_EXTRAS=ON";
 
   # work-around: git isn't really used, but configuration fails without it
   preConfigure = ''
     # The way $version propagates to $version of .pe-scripts (https://github.com/dejavu-fonts/dejavu-fonts/blob/358190f/scripts/generate.pe#L19)
     export SOURCE_DATE_EPOCH=$(date -d ${version} +%s)
-
-    export GIT="$(type -P true)"
-    ./bootstrap --skip-git --force
   '';
 
-  doCheck = false; # tries to wget some fonts
-  doInstallCheck = doCheck;
-
   postInstall =
     # get rid of the runtime dependency on python
     lib.optionalString (!withPython) ''
       rm -r "$out/share/fontforge/python"
     '';
 
-  enableParallelBuilding = true;
-
   meta = {
     description = "A font editor";
     homepage = http://fontforge.github.io;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 194030e4040dc0..9c2d281f21a68b 100644
--- a/pkgs/top-level/all-packages.nix
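Review bot: The new `cmakeFlags` drop the `withPython` handling that the removed `configureFlags` had (`--disable-python-scripting`/`--disable-python-extension` under `!withPython`), so `withPython = false` now still builds the Python scripting and extension, with `python` unconditionally in `buildInputs`, while `postInstall` only deletes `$out/share/fontforge/python`; add `++ lib.optionals (!withPython) [ "-DENABLE_PYTHON_SCRIPTING=OFF" "-DENABLE_PYTHON_EXTENSION=OFF" ]` to `cmakeFlags` (fontforge's CMake exposes options under those names as far as I recall — confirm against the 20200314 `CMakeLists.txt`). The comment `# work-around: git isn't really used, but configuration fails without it` is kept although the `GIT=` export and `./bootstrap` call it explained are removed, so it is now stale; either drop it or replace it with a note on why `SOURCE_DATE_EPOCH` is exported. The `stdenv.mkDerivation rec {` set starts before this hunk and its `meta` block continues past it.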
+++ b/pkgs/top-level/all-packages.nix
@@ -3378,7 +3378,7 @@ in
   fontforge-gtk = fontforge.override {
     withSpiro = true;
     withGTK = true;
-    gtk2 = gtk2-x11;
+    gtk3 = gtk3-x11;
     inherit (darwin.apple_sdk.frameworks) Carbon Cocoa;
   };