staging-next-23.11 iteration 8 - 2024-04-27

pkgs/applications/graphics/ImageMagick/default.nix

@@ -49,13 +49,13 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "imagemagick";
-  version = "7.1.1-29";
+  version = "7.1.1-30";
 
   src = fetchFromGitHub {
     owner = "ImageMagick";
     repo = "ImageMagick";
     rev = finalAttrs.version;
-    hash = "sha256-W9WbHzmTa0dA9+mOxXu88qmN1mO9ORaH0Nj6r2s1Q+E=";
+    hash = "sha256-btXl1J/WjV+5BZibgUzylVmBrhR3KBK/ZSbP0B2fM5c=";
   };
 
   outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big

pkgs/development/libraries/giflib/default.nix

@@ -4,7 +4,6 @@
 , fetchpatch
 , fixDarwinDylibNames
 , pkgsStatic
-, imagemagick_light
 }:
 
 stdenv.mkDerivation rec {
@@ -29,17 +28,19 @@ stdenv.mkDerivation rec {
     ./mingw-install-exes.patch
   ];
 
-  nativeBuildInputs = [
-    imagemagick_light
-  ] ++ lib.optionals stdenv.isDarwin [
+  nativeBuildInputs = lib.optionals stdenv.isDarwin [
     fixDarwinDylibNames
   ];
 
   makeFlags = [
     "PREFIX=${builtins.placeholder "out"}"
   ];
 
-  postPatch = lib.optionalString stdenv.hostPlatform.isStatic ''
+  postPatch = ''
+    # we don't want to build HTML documentation
+    substituteInPlace doc/Makefile \
+      --replace-fail "all: allhtml manpages" "all: manpages"
+  '' + lib.optionalString stdenv.hostPlatform.isStatic ''
     # Upstream build system does not support NOT building shared libraries.
     sed -i '/all:/ s/$(LIBGIFSO)//' Makefile
     sed -i '/all:/ s/$(LIBUTILSO)//' Makefile

pkgs/development/libraries/glibc/common.nix

@@ -44,7 +44,7 @@
 
 let
   version = "2.38";
-  patchSuffix = "-44";
+  patchSuffix = "-66";
   sha256 = "sha256-+4KZiZiyspllRnvBtp0VLpwwfSzzAcnq+0VVt3DvP9I=";
 in
 
@@ -60,7 +60,7 @@ stdenv.mkDerivation ({
     [
       /* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping.
           $ git fetch --all -p && git checkout origin/release/2.38/master && git describe
-          glibc-2.38-44-gd37c2b20a4
+          glibc-2.38-66-ge1135387de
           $ git show --minimal --reverse glibc-2.38.. | gzip -9n --rsyncable - > 2.38-master.patch.gz
 
          To compare the archive contents zdiff can be used.

pkgs/development/libraries/libarchive/default.nix

@@ -49,6 +49,24 @@ stdenv.mkDerivation (finalAttrs: {
       url = "https://github.com/libarchive/libarchive/commit/6110e9c82d8ba830c3440f36b990483ceaaea52c.patch";
       hash = "sha256-/j6rJ0xWhtXU0YCu1LOokxxNppy5Of6Q0XyO4U6la7M=";
     })
+    (fetchpatch {
+      # https://github.com/advisories/GHSA-2jc9-36w4-pmqw
+      name = "CVE-2024-26256.patch";
+      url = "https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237.patch";
+      hash = "sha256-w/WuOGlx5pSw4LwMgvL6arrL1Huhg45bitoRRVEHcec=";
+    })
+    (fetchpatch {
+      # https://github.com/libarchive/libarchive/pull/2108 (needed to cleanly apply the ZIP OOB patch)
+      name = "update-appledouble-support-directories.patch";
+      url = "https://github.com/libarchive/libarchive/commit/91f27004a5c88589658e38d68e46d223da6b75ca.patch";
+      hash = "sha256-q8x5NPmMh2P4j4fMEdjAWG2srzJCyF37SEW42kRuAZM=";
+    })
+    (fetchpatch {
+      # https://github.com/libarchive/libarchive/pull/2145
+      name = "zip-out-of-bound-access.patch";
+      url = "https://github.com/libarchive/libarchive/commit/b6a979481b7d77c12fa17bbed94576b63bbcb0c0.patch";
+      hash = "sha256-9TRJzV1l13Fk2JKqoejDM/kl0BsaD8EuIa11+aGnShM=";
+    })
   ];
 
   outputs = [ "out" "lib" "dev" ];

pkgs/development/libraries/libseccomp/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "libseccomp";
-  version = "2.5.4";
+  version = "2.5.5";
 
   src = fetchurl {
     url = "https://github.com/seccomp/libseccomp/releases/download/v${version}/libseccomp-${version}.tar.gz";
-    sha256 = "sha256-2CkCQAQFzwBoV07z3B/l9ZJiB1Q7oa5vjnoVdjUdy9s=";
+    hash = "sha256-JIosik2bmFiqa69ScSw0r+/PnJ6Ut23OAsHJqiX7M3U=";
   };
 
   outputs = [ "out" "lib" "dev" "man" "pythonsrc" ];

pkgs/development/libraries/nghttp2/CVE-2024-28182.patch

@@ -0,0 +1,198 @@
+From b45ea923dc7996bc9de6a6e179c4a386a702e237 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Sat, 9 Mar 2024 16:26:42 +0900
+Subject: [PATCH 1/2] Limit CONTINUATION frames following an incoming HEADER
+ frame
+
+(cherry picked from commit 00201ecd8f982da3b67d4f6868af72a1b03b14e0)
+---
+ lib/includes/nghttp2/nghttp2.h |  7 ++++++-
+ lib/nghttp2_helper.c           |  2 ++
+ lib/nghttp2_session.c          |  7 +++++++
+ lib/nghttp2_session.h          | 10 ++++++++++
+ 4 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
+index fa22081c..b394bde9 100644
+--- a/lib/includes/nghttp2/nghttp2.h
++++ b/lib/includes/nghttp2/nghttp2.h
+@@ -440,7 +440,12 @@ typedef enum {
+    * exhaustion on server side to send these frames forever and does
+    * not read network.
+    */
+-  NGHTTP2_ERR_FLOODED = -904
++  NGHTTP2_ERR_FLOODED = -904,
++  /**
++   * When a local endpoint receives too many CONTINUATION frames
++   * following a HEADER frame.
++   */
++  NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
+ } nghttp2_error;
+
+ /**
+diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
+index 93dd4754..b3563d98 100644
+--- a/lib/nghttp2_helper.c
++++ b/lib/nghttp2_helper.c
+@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
+            "closed";
+   case NGHTTP2_ERR_TOO_MANY_SETTINGS:
+     return "SETTINGS frame contained more than the maximum allowed entries";
++  case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
++    return "Too many CONTINUATION frames following a HEADER frame";
+   default:
+     return "Unknown error code";
+   }
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index ec5024d0..8e4d2e7e 100644
+--- a/lib/nghttp2_session.c
++++ b/lib/nghttp2_session.c
+@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,
+   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
+   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
+   (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
++  (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
+
+   if (option) {
+     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
+@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           }
+         }
+         session_inbound_frame_reset(session);
++
++        session->num_continuations = 0;
+       }
+       break;
+     }
+@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+       }
+ #endif /* DEBUGBUILD */
+
++      if (++session->num_continuations > session->max_continuations) {
++        return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
++      }
++
+       readlen = inbound_frame_buf_read(iframe, in, last);
+       in += readlen;
+
+diff --git a/lib/nghttp2_session.h b/lib/nghttp2_session.h
+index b119329a..ef8f7b27 100644
+--- a/lib/nghttp2_session.h
++++ b/lib/nghttp2_session.h
+@@ -110,6 +110,10 @@ typedef struct {
+ #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
+ #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+
++/* The default max number of CONTINUATION frames following an incoming
++   HEADER frame. */
++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
++
+ /* Internal state when receiving incoming frame */
+ typedef enum {
+   /* Receiving frame header */
+@@ -290,6 +294,12 @@ struct nghttp2_session {
+   size_t max_send_header_block_length;
+   /* The maximum number of settings accepted per SETTINGS frame. */
+   size_t max_settings;
++  /* The maximum number of CONTINUATION frames following an incoming
++     HEADER frame. */
++  size_t max_continuations;
++  /* The number of CONTINUATION frames following an incoming HEADER
++     frame.  This variable is reset when END_HEADERS flag is seen. */
++  size_t num_continuations;
+   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
+   uint32_t next_stream_id;
+   /* The last stream ID this session initiated.  For client session,
+-- 
+2.44.0
+
+
+From a425367ad06675ef588432f7aa5f221b06d39c9a Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Sat, 9 Mar 2024 16:48:10 +0900
+Subject: [PATCH 2/2] Add nghttp2_option_set_max_continuations
+
+(cherry picked from commit d71a4668c6bead55805d18810d633fbb98315af9)
+---
+ lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
+ lib/nghttp2_option.c           |  5 +++++
+ lib/nghttp2_option.h           |  5 +++++
+ lib/nghttp2_session.c          |  4 ++++
+ 5 files changed, 26 insertions(+)
+
+diff --git a/lib/includes/nghttp2/nghttp2.h b/lib/includes/nghttp2/nghttp2.h
+index b394bde9..4d3339b5 100644
+--- a/lib/includes/nghttp2/nghttp2.h
++++ b/lib/includes/nghttp2/nghttp2.h
+@@ -2778,6 +2778,17 @@ NGHTTP2_EXTERN void
+ nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
+                                            uint64_t burst, uint64_t rate);
+
++/**
++ * @function
++ *
++ * This function sets the maximum number of CONTINUATION frames
++ * following an incoming HEADER frame.  If more than those frames are
++ * received, the remote endpoint is considered to be misbehaving and
++ * session will be closed.  The default value is 8.
++ */
++NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
++                                                         size_t val);
++
+ /**
+  * @function
+  *
+diff --git a/lib/nghttp2_option.c b/lib/nghttp2_option.c
+index 43d4e952..53144b9b 100644
+--- a/lib/nghttp2_option.c
++++ b/lib/nghttp2_option.c
+@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
+   option->stream_reset_burst = burst;
+   option->stream_reset_rate = rate;
+ }
++
++void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
++  option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
++  option->max_continuations = val;
++}
+diff --git a/lib/nghttp2_option.h b/lib/nghttp2_option.h
+index 2259e184..c89cb97f 100644
+--- a/lib/nghttp2_option.h
++++ b/lib/nghttp2_option.h
+@@ -71,6 +71,7 @@ typedef enum {
+   NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
+   NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
+   NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
++  NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
+ } nghttp2_option_flag;
+
+ /**
+@@ -98,6 +99,10 @@ struct nghttp2_option {
+    * NGHTTP2_OPT_MAX_SETTINGS
+    */
+   size_t max_settings;
++  /**
++   * NGHTTP2_OPT_MAX_CONTINUATIONS
++   */
++  size_t max_continuations;
+   /**
+    * Bitwise OR of nghttp2_option_flag to determine that which fields
+    * are specified.
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index 8e4d2e7e..ced7517b 100644
+--- a/lib/nghttp2_session.c
++++ b/lib/nghttp2_session.c
+@@ -585,6 +585,10 @@ static int session_new(nghttp2_session **session_ptr,
+                            option->stream_reset_burst,
+                            option->stream_reset_rate);
+     }
++
++    if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
++      (*session_ptr)->max_continuations = option->max_continuations;
++    }
+   }
+
+   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
+-- 
+2.44.0
+

pkgs/development/libraries/nghttp2/default.nix

@@ -39,6 +39,10 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-xjdnfLrESU6q+LDgOGFzFGhFgw76/+To3JL7O0KOWtI=";
   };
 
+  patches = [
+    ./CVE-2024-28182.patch
+  ];
+
   outputs = [ "out" "dev" "lib" "doc" "man" ];
 
   nativeBuildInputs = [ pkg-config ]

pkgs/development/python-modules/astropy/default.nix

@@ -79,6 +79,7 @@ buildPythonPackage rec {
     # May fail due to parallelism, see:
     # https://github.com/astropy/astropy/issues/15441
     "TestUnifiedOutputRegistry"
+    "test_datetime_to_timedelta"
   ];
 
   meta = {

pkgs/development/python-modules/pillow/default.nix

@@ -2,7 +2,9 @@
 , stdenv
 , buildPythonPackage
 , pythonOlder
+, fetchpatch
 , fetchPypi
+, fetchurl
 , isPyPy
 , defusedxml, olefile, freetype, libjpeg, zlib, libtiff, libwebp, libxcrypt, tcl, lcms2, tk, libX11
 , libxcb, openjpeg, libimagequant, pyroma, numpy, pytestCheckHook, setuptools
@@ -23,6 +25,34 @@ import ./generic.nix (rec {
     hash = "sha256-6H8LLHgVfhLXaGsn1jwHD9ZdmU6N2ubzKODc9KDNAH4=";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2024-28219.patch";
+      url = "https://github.com/python-pillow/Pillow/commit/2a93aba5cfcf6e241ab4f9392c13e3b74032c061.patch";
+      hash = "sha256-djbVjbWWAAr+QMErT+lFhj2HF7uGn8oI68tC+i1PHys=";
+    })
+  ];
+
+  # patching mechanism doesn't work with binary files, but the commits contain
+  # example images needed for the accompanying tests, so invent our own mechanism
+  # to put these in place
+  extraPostPatch = lib.concatMapStrings ({commit, hash, path}: let
+      src = fetchurl {
+        inherit hash;
+        url = "https://github.com/python-pillow/Pillow/raw/${commit}/${path}";
+      };
+      dest = path;
+    in ''
+      cp ${src} ${dest}
+    ''
+  ) [
+    { # needed by CVE-2024-28219.patch
+      commit = "2a93aba5cfcf6e241ab4f9392c13e3b74032c061";
+      hash = "sha256-rCgFueB7b6O6dAaqSOhNhwQQl9pmIgzCo4Xhe7KJPME=";
+      path = "Tests/icc/sGrey-v2-nano.icc";
+    }
+  ];
+
   passthru.tests = {
     inherit imageio matplotlib pilkit pydicom reportlab;
   };

pkgs/development/python-modules/pillow/generic.nix

@@ -3,6 +3,7 @@
 , disabled
 , src
 , patches ? []
+, extraPostPatch ? ""
 , meta
 , passthru ? {}
 , ...
@@ -17,7 +18,7 @@ buildPythonPackage rec {
   # https://github.com/python-pillow/Pillow/issues/1259
   postPatch = ''
     rm Tests/test_imagefont.py
-  '';
+  '' + extraPostPatch;
 
   disabledTests = [
     # Code quality mismathch 9 vs 10