From c9ac79b71454cd7c1b592d9f7814aadb394f18a3 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Thu, 7 Nov 2024 06:54:34 +0000 Subject: [PATCH 01/19] hwdata: 0.388 -> 0.389 Changes: https://github.com/vcrhonek/hwdata/compare/v0.388...v0.389 --- pkgs/by-name/hw/hwdata/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/hw/hwdata/package.nix b/pkgs/by-name/hw/hwdata/package.nix index 2eefae34d4fcd..9631f2f2900a7 100644 --- a/pkgs/by-name/hw/hwdata/package.nix +++ b/pkgs/by-name/hw/hwdata/package.nix @@ -6,13 +6,13 @@ stdenv.mkDerivation rec { pname = "hwdata"; - version = "0.388"; + version = "0.389"; src = fetchFromGitHub { owner = "vcrhonek"; repo = "hwdata"; rev = "v${version}"; - hash = "sha256-MTXRvqhzNI4afOWLWY6bvv84Q/MXVTsn0w9awRIDAEU="; + hash = "sha256-w8rN9T0GwElkLmNLzROQtd7CdY0DcuCRUWxFtA2ekJc="; }; configureFlags = [ "--datadir=${placeholder "out"}/share" ]; From 3e46711af10a5fcb17c7205069b8cb9976a2ff7a Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Thu, 5 Dec 2024 06:58:49 +0000 Subject: [PATCH 02/19] hwdata: 0.389 -> 0.390 Changes: https://github.com/vcrhonek/hwdata/compare/v0.389...v0.390 --- pkgs/by-name/hw/hwdata/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/hw/hwdata/package.nix b/pkgs/by-name/hw/hwdata/package.nix index 9631f2f2900a7..10b24a35a2e68 100644 --- a/pkgs/by-name/hw/hwdata/package.nix +++ b/pkgs/by-name/hw/hwdata/package.nix @@ -6,13 +6,13 @@ stdenv.mkDerivation rec { pname = "hwdata"; - version = "0.389"; + version = "0.390"; src = fetchFromGitHub { owner = "vcrhonek"; repo = "hwdata"; rev = "v${version}"; - hash = "sha256-w8rN9T0GwElkLmNLzROQtd7CdY0DcuCRUWxFtA2ekJc="; + hash = "sha256-DexmtBKe1rrmvHMVk8P20hBLfdP1x6CWx/F1s4lDnK4="; }; configureFlags = [ "--datadir=${placeholder "out"}/share" ]; From 956dd6cd9a115eac6bbc694421589738577072b8 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 5 Jan 2025 04:55:38 +0100 Subject: [PATCH 03/19] Reapply "[Backport release-24.11] atf: 0.21-unstable-2021-09-01 -> 0.22" This reverts commit 88cfc31aeff59d9580aba360677bd229e0ebe3e8. --- pkgs/by-name/at/atf/package.nix | 29 +- pkgs/by-name/at/atf/pr-85.patch | 1529 +++++++++++++++++++++++++++++++ 2 files changed, 1542 insertions(+), 16 deletions(-) create mode 100644 pkgs/by-name/at/atf/pr-85.patch diff --git a/pkgs/by-name/at/atf/package.nix b/pkgs/by-name/at/atf/package.nix index 5edb2d6366b8f..cbae83d9d988c 100644 --- a/pkgs/by-name/at/atf/package.nix +++ b/pkgs/by-name/at/atf/package.nix @@ -10,33 +10,28 @@ stdenv.mkDerivation (finalAttrs: { pname = "atf"; - version = "0.21-unstable-2021-09-01"; # Match the commit used in FreeBSD’s port. + version = "0.22"; src = fetchFromGitHub { owner = "freebsd"; repo = "atf"; - rev = "55c21b2c5fb189bbdfccb2b297bfa89236502542"; - hash = "sha256-u0YBPcoIBvqBVaytaO9feBaRnQygtzEPGJV0ItI1Vco="; + tag = "atf-${finalAttrs.version}"; + hash = "sha256-vZfBk/lH+04d3NbTUYjAaxwGFHtnagl/kY04hgkE4Iw="; }; patches = [ - # Fixes use after free that causes failures in Kyua’s test suite. - # https://github.com/freebsd/atf/pull/57 - # https://github.com/freebsd/kyua/issues/223 + # https://github.com/freebsd/atf/issues/88 + # https://github.com/freebsd/atf/pull/85 + # Maintainer say it fix some tests in issue 88. + ./pr-85.patch (fetchpatch { - name = "fix-use-after-free.patch"; - url = "https://github.com/freebsd/atf/commit/fb22f3837bcfdce5ce8b3c0e18af131bb6902a02.patch"; - hash = "sha256-p4L3sxSYfMSzwKrUDlEZpoJydbaK3Hcbvn90KlPHkic="; + url = "https://github.com/freebsd/atf/commit/b42c98612cb99fa3f52766a46203263dc1de7187.patch?full_index=1"; + hash = "sha256-goDPIdIF8vHXDengVIYbxw5W/JT5kfsG5japgtranas="; }) ]; postPatch = lib.optionalString finalAttrs.doInstallCheck '' - # https://github.com/freebsd/atf/issues/61 - substituteInPlace atf-c/check_test.c \ - --replace-fail 'ATF_TP_ADD_TC(tp, build_cpp)' "" - substituteInPlace atf-c++/check_test.cpp \ - --replace-fail 'ATF_ADD_TEST_CASE(tcs, build_cpp);' "" # Can’t find `c_helpers` in the work folder. substituteInPlace test-programs/Kyuafile \ --replace-fail 'atf_test_program{name="srcdir_test"}' "" @@ -60,12 +55,14 @@ stdenv.mkDerivation (finalAttrs: { makeFlags = [ # ATF isn’t compatible with C++17, which is the default on current clang and GCC. - "CXXFLAGS=-std=c++11" + "CXXFLAGS=-std=c++14" ]; doInstallCheck = true; - nativeInstallCheckInputs = [ kyua ]; + nativeInstallCheckInputs = [ + kyua + ]; installCheckPhase = '' runHook preInstallCheck diff --git a/pkgs/by-name/at/atf/pr-85.patch b/pkgs/by-name/at/atf/pr-85.patch new file mode 100644 index 0000000000000..d438ce16b0480 --- /dev/null +++ b/pkgs/by-name/at/atf/pr-85.patch @@ -0,0 +1,1529 @@ +From 1f0ee71c000074ca48c2d9edc94f152747835e20 Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Thu, 5 Dec 2024 23:07:18 -0800 +Subject: [PATCH 1/9] Garbage collect stray reference to auto_array + +This entry should have been removed in the referenced commit. + +Fixes: 6639d083e7d5b4b478397cc416cd42a756d17b0c +--- + atf-c++/detail/Makefile.am.inc | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/atf-c++/detail/Makefile.am.inc b/atf-c++/detail/Makefile.am.inc +index b3181346..29b41c3f 100644 +--- a/atf-c++/detail/Makefile.am.inc ++++ b/atf-c++/detail/Makefile.am.inc +@@ -25,7 +25,6 @@ + + libatf_c___la_SOURCES += atf-c++/detail/application.cpp \ + atf-c++/detail/application.hpp \ +- atf-c++/detail/auto_array.hpp \ + atf-c++/detail/env.cpp \ + atf-c++/detail/env.hpp \ + atf-c++/detail/exceptions.cpp \ + +From bb58a4dfbc98e95c365be8033f9778571f35ef9d Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Thu, 5 Dec 2024 23:25:26 -0800 +Subject: [PATCH 2/9] Require C++-14 at bare minimum + +This change imports ac_cxx_compile_stdcxx.m4 from gnu,org and makes use +of the `AX_CXX_COMPILE_STDCXX` macro in configure.ac to ensure that the +compiler specified supports C++-14 (at bare minimum). This is being done +to quell some issues reported by scan-build about the code using C++ +range-based for-loops (a feature added in C++-11). +--- + configure.ac | 3 +- + m4/ac_cxx_compile_stdcxx.m4 | 1070 +++++++++++++++++++++++++++++++++++ + 2 files changed, 1072 insertions(+), 1 deletion(-) + create mode 100644 m4/ac_cxx_compile_stdcxx.m4 + +diff --git a/configure.ac b/configure.ac +index c37aca44..6d802144 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -58,8 +58,9 @@ AM_PROG_CC_C_O + dnl The C compiler check automatically aborts if the compiler does not work. + dnl Nothing to do here. + +-AC_LANG(C++) + AC_PROG_CXX ++AC_LANG_COMPILER(C++) ++AX_CXX_COMPILE_STDCXX(14, noext, mandatory) + AC_CACHE_CHECK([whether the C++ compiler works], + [atf_cv_prog_cxx_works], + [AC_LANG_PUSH([C++]) +diff --git a/m4/ac_cxx_compile_stdcxx.m4 b/m4/ac_cxx_compile_stdcxx.m4 +new file mode 100644 +index 00000000..fe6ae17e +--- /dev/null ++++ b/m4/ac_cxx_compile_stdcxx.m4 +@@ -0,0 +1,1070 @@ ++# =========================================================================== ++# https://www.gnu.org/software/autoconf-archive/ax_cxx_compile_stdcxx.html ++# =========================================================================== ++# ++# SYNOPSIS ++# ++# AX_CXX_COMPILE_STDCXX(VERSION, [ext|noext], [mandatory|optional]) ++# ++# DESCRIPTION ++# ++# Check for baseline language coverage in the compiler for the specified ++# version of the C++ standard. If necessary, add switches to CXX and ++# CXXCPP to enable support. VERSION may be '11', '14', '17', '20', or ++# '23' for the respective C++ standard version. ++# ++# The second argument, if specified, indicates whether you insist on an ++# extended mode (e.g. -std=gnu++11) or a strict conformance mode (e.g. ++# -std=c++11). If neither is specified, you get whatever works, with ++# preference for no added switch, and then for an extended mode. ++# ++# The third argument, if specified 'mandatory' or if left unspecified, ++# indicates that baseline support for the specified C++ standard is ++# required and that the macro should error out if no mode with that ++# support is found. If specified 'optional', then configuration proceeds ++# regardless, after defining HAVE_CXX${VERSION} if and only if a ++# supporting mode is found. ++# ++# LICENSE ++# ++# Copyright (c) 2008 Benjamin Kosnik ++# Copyright (c) 2012 Zack Weinberg ++# Copyright (c) 2013 Roy Stogner ++# Copyright (c) 2014, 2015 Google Inc.; contributed by Alexey Sokolov ++# Copyright (c) 2015 Paul Norman ++# Copyright (c) 2015 Moritz Klammler ++# Copyright (c) 2016, 2018 Krzesimir Nowak ++# Copyright (c) 2019 Enji Cooper ++# Copyright (c) 2020 Jason Merrill ++# Copyright (c) 2021, 2024 Jörn Heusipp ++# Copyright (c) 2015, 2022, 2023, 2024 Olly Betts ++# ++# Copying and distribution of this file, with or without modification, are ++# permitted in any medium without royalty provided the copyright notice ++# and this notice are preserved. This file is offered as-is, without any ++# warranty. ++ ++#serial 25 ++ ++dnl This macro is based on the code from the AX_CXX_COMPILE_STDCXX_11 macro ++dnl (serial version number 13). ++ ++AC_DEFUN([AX_CXX_COMPILE_STDCXX], [dnl ++ m4_if([$1], [11], [ax_cxx_compile_alternatives="11 0x"], ++ [$1], [14], [ax_cxx_compile_alternatives="14 1y"], ++ [$1], [17], [ax_cxx_compile_alternatives="17 1z"], ++ [$1], [20], [ax_cxx_compile_alternatives="20"], ++ [$1], [23], [ax_cxx_compile_alternatives="23"], ++ [m4_fatal([invalid first argument `$1' to AX_CXX_COMPILE_STDCXX])])dnl ++ m4_if([$2], [], [], ++ [$2], [ext], [], ++ [$2], [noext], [], ++ [m4_fatal([invalid second argument `$2' to AX_CXX_COMPILE_STDCXX])])dnl ++ m4_if([$3], [], [ax_cxx_compile_cxx$1_required=true], ++ [$3], [mandatory], [ax_cxx_compile_cxx$1_required=true], ++ [$3], [optional], [ax_cxx_compile_cxx$1_required=false], ++ [m4_fatal([invalid third argument `$3' to AX_CXX_COMPILE_STDCXX])]) ++ AC_LANG_PUSH([C++])dnl ++ ac_success=no ++ ++ m4_if([$2], [], [dnl ++ AC_CACHE_CHECK(whether $CXX supports C++$1 features by default, ++ ax_cv_cxx_compile_cxx$1, ++ [AC_COMPILE_IFELSE([AC_LANG_SOURCE([_AX_CXX_COMPILE_STDCXX_testbody_$1])], ++ [ax_cv_cxx_compile_cxx$1=yes], ++ [ax_cv_cxx_compile_cxx$1=no])]) ++ if test x$ax_cv_cxx_compile_cxx$1 = xyes; then ++ ac_success=yes ++ fi]) ++ ++ m4_if([$2], [noext], [], [dnl ++ if test x$ac_success = xno; then ++ for alternative in ${ax_cxx_compile_alternatives}; do ++ switch="-std=gnu++${alternative}" ++ cachevar=AS_TR_SH([ax_cv_cxx_compile_cxx$1_$switch]) ++ AC_CACHE_CHECK(whether $CXX supports C++$1 features with $switch, ++ $cachevar, ++ [ac_save_CXX="$CXX" ++ CXX="$CXX $switch" ++ AC_COMPILE_IFELSE([AC_LANG_SOURCE([_AX_CXX_COMPILE_STDCXX_testbody_$1])], ++ [eval $cachevar=yes], ++ [eval $cachevar=no]) ++ CXX="$ac_save_CXX"]) ++ if eval test x\$$cachevar = xyes; then ++ CXX="$CXX $switch" ++ if test -n "$CXXCPP" ; then ++ CXXCPP="$CXXCPP $switch" ++ fi ++ ac_success=yes ++ break ++ fi ++ done ++ fi]) ++ ++ m4_if([$2], [ext], [], [dnl ++ if test x$ac_success = xno; then ++ dnl HP's aCC needs +std=c++11 according to: ++ dnl http://h21007.www2.hp.com/portal/download/files/unprot/aCxx/PDF_Release_Notes/769149-001.pdf ++ dnl Cray's crayCC needs "-h std=c++11" ++ dnl MSVC needs -std:c++NN for C++17 and later (default is C++14) ++ for alternative in ${ax_cxx_compile_alternatives}; do ++ for switch in -std=c++${alternative} +std=c++${alternative} "-h std=c++${alternative}" MSVC; do ++ if test x"$switch" = xMSVC; then ++ dnl AS_TR_SH maps both `:` and `=` to `_` so -std:c++17 would collide ++ dnl with -std=c++17. We suffix the cache variable name with _MSVC to ++ dnl avoid this. ++ switch=-std:c++${alternative} ++ cachevar=AS_TR_SH([ax_cv_cxx_compile_cxx$1_${switch}_MSVC]) ++ else ++ cachevar=AS_TR_SH([ax_cv_cxx_compile_cxx$1_$switch]) ++ fi ++ AC_CACHE_CHECK(whether $CXX supports C++$1 features with $switch, ++ $cachevar, ++ [ac_save_CXX="$CXX" ++ CXX="$CXX $switch" ++ AC_COMPILE_IFELSE([AC_LANG_SOURCE([_AX_CXX_COMPILE_STDCXX_testbody_$1])], ++ [eval $cachevar=yes], ++ [eval $cachevar=no]) ++ CXX="$ac_save_CXX"]) ++ if eval test x\$$cachevar = xyes; then ++ CXX="$CXX $switch" ++ if test -n "$CXXCPP" ; then ++ CXXCPP="$CXXCPP $switch" ++ fi ++ ac_success=yes ++ break ++ fi ++ done ++ if test x$ac_success = xyes; then ++ break ++ fi ++ done ++ fi]) ++ AC_LANG_POP([C++]) ++ if test x$ax_cxx_compile_cxx$1_required = xtrue; then ++ if test x$ac_success = xno; then ++ AC_MSG_ERROR([*** A compiler with support for C++$1 language features is required.]) ++ fi ++ fi ++ if test x$ac_success = xno; then ++ HAVE_CXX$1=0 ++ AC_MSG_NOTICE([No compiler with C++$1 support was found]) ++ else ++ HAVE_CXX$1=1 ++ AC_DEFINE(HAVE_CXX$1,1, ++ [define if the compiler supports basic C++$1 syntax]) ++ fi ++ AC_SUBST(HAVE_CXX$1) ++]) ++ ++ ++dnl Test body for checking C++11 support ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_11], ++ [_AX_CXX_COMPILE_STDCXX_testbody_new_in_11] ++) ++ ++dnl Test body for checking C++14 support ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_14], ++ [_AX_CXX_COMPILE_STDCXX_testbody_new_in_11 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_14] ++) ++ ++dnl Test body for checking C++17 support ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_17], ++ [_AX_CXX_COMPILE_STDCXX_testbody_new_in_11 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_14 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_17] ++) ++ ++dnl Test body for checking C++20 support ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_20], ++ [_AX_CXX_COMPILE_STDCXX_testbody_new_in_11 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_14 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_17 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_20] ++) ++ ++dnl Test body for checking C++23 support ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_23], ++ [_AX_CXX_COMPILE_STDCXX_testbody_new_in_11 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_14 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_17 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_20 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_23] ++) ++ ++ ++dnl Tests for new features in C++11 ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_new_in_11], [[ ++ ++// If the compiler admits that it is not ready for C++11, why torture it? ++// Hopefully, this will speed up the test. ++ ++#ifndef __cplusplus ++ ++#error "This is not a C++ compiler" ++ ++// MSVC always sets __cplusplus to 199711L in older versions; newer versions ++// only set it correctly if /Zc:__cplusplus is specified as well as a ++// /std:c++NN switch: ++// ++// https://devblogs.microsoft.com/cppblog/msvc-now-correctly-reports-__cplusplus/ ++// ++// The value __cplusplus ought to have is available in _MSVC_LANG since ++// Visual Studio 2015 Update 3: ++// ++// https://learn.microsoft.com/en-us/cpp/preprocessor/predefined-macros ++// ++// This was also the first MSVC version to support C++14 so we can't use the ++// value of either __cplusplus or _MSVC_LANG to quickly rule out MSVC having ++// C++11 or C++14 support, but we can check _MSVC_LANG for C++17 and later. ++#elif __cplusplus < 201103L && !defined _MSC_VER ++ ++#error "This is not a C++11 compiler" ++ ++#else ++ ++namespace cxx11 ++{ ++ ++ namespace test_static_assert ++ { ++ ++ template ++ struct check ++ { ++ static_assert(sizeof(int) <= sizeof(T), "not big enough"); ++ }; ++ ++ } ++ ++ namespace test_final_override ++ { ++ ++ struct Base ++ { ++ virtual ~Base() {} ++ virtual void f() {} ++ }; ++ ++ struct Derived : public Base ++ { ++ virtual ~Derived() override {} ++ virtual void f() override {} ++ }; ++ ++ } ++ ++ namespace test_double_right_angle_brackets ++ { ++ ++ template < typename T > ++ struct check {}; ++ ++ typedef check single_type; ++ typedef check> double_type; ++ typedef check>> triple_type; ++ typedef check>>> quadruple_type; ++ ++ } ++ ++ namespace test_decltype ++ { ++ ++ int ++ f() ++ { ++ int a = 1; ++ decltype(a) b = 2; ++ return a + b; ++ } ++ ++ } ++ ++ namespace test_type_deduction ++ { ++ ++ template < typename T1, typename T2 > ++ struct is_same ++ { ++ static const bool value = false; ++ }; ++ ++ template < typename T > ++ struct is_same ++ { ++ static const bool value = true; ++ }; ++ ++ template < typename T1, typename T2 > ++ auto ++ add(T1 a1, T2 a2) -> decltype(a1 + a2) ++ { ++ return a1 + a2; ++ } ++ ++ int ++ test(const int c, volatile int v) ++ { ++ static_assert(is_same::value == true, ""); ++ static_assert(is_same::value == false, ""); ++ static_assert(is_same::value == false, ""); ++ auto ac = c; ++ auto av = v; ++ auto sumi = ac + av + 'x'; ++ auto sumf = ac + av + 1.0; ++ static_assert(is_same::value == true, ""); ++ static_assert(is_same::value == true, ""); ++ static_assert(is_same::value == true, ""); ++ static_assert(is_same::value == false, ""); ++ static_assert(is_same::value == true, ""); ++ return (sumf > 0.0) ? sumi : add(c, v); ++ } ++ ++ } ++ ++ namespace test_noexcept ++ { ++ ++ int f() { return 0; } ++ int g() noexcept { return 0; } ++ ++ static_assert(noexcept(f()) == false, ""); ++ static_assert(noexcept(g()) == true, ""); ++ ++ } ++ ++ namespace test_constexpr ++ { ++ ++ template < typename CharT > ++ unsigned long constexpr ++ strlen_c_r(const CharT *const s, const unsigned long acc) noexcept ++ { ++ return *s ? strlen_c_r(s + 1, acc + 1) : acc; ++ } ++ ++ template < typename CharT > ++ unsigned long constexpr ++ strlen_c(const CharT *const s) noexcept ++ { ++ return strlen_c_r(s, 0UL); ++ } ++ ++ static_assert(strlen_c("") == 0UL, ""); ++ static_assert(strlen_c("1") == 1UL, ""); ++ static_assert(strlen_c("example") == 7UL, ""); ++ static_assert(strlen_c("another\0example") == 7UL, ""); ++ ++ } ++ ++ namespace test_rvalue_references ++ { ++ ++ template < int N > ++ struct answer ++ { ++ static constexpr int value = N; ++ }; ++ ++ answer<1> f(int&) { return answer<1>(); } ++ answer<2> f(const int&) { return answer<2>(); } ++ answer<3> f(int&&) { return answer<3>(); } ++ ++ void ++ test() ++ { ++ int i = 0; ++ const int c = 0; ++ static_assert(decltype(f(i))::value == 1, ""); ++ static_assert(decltype(f(c))::value == 2, ""); ++ static_assert(decltype(f(0))::value == 3, ""); ++ } ++ ++ } ++ ++ namespace test_uniform_initialization ++ { ++ ++ struct test ++ { ++ static const int zero {}; ++ static const int one {1}; ++ }; ++ ++ static_assert(test::zero == 0, ""); ++ static_assert(test::one == 1, ""); ++ ++ } ++ ++ namespace test_lambdas ++ { ++ ++ void ++ test1() ++ { ++ auto lambda1 = [](){}; ++ auto lambda2 = lambda1; ++ lambda1(); ++ lambda2(); ++ } ++ ++ int ++ test2() ++ { ++ auto a = [](int i, int j){ return i + j; }(1, 2); ++ auto b = []() -> int { return '0'; }(); ++ auto c = [=](){ return a + b; }(); ++ auto d = [&](){ return c; }(); ++ auto e = [a, &b](int x) mutable { ++ const auto identity = [](int y){ return y; }; ++ for (auto i = 0; i < a; ++i) ++ a += b--; ++ return x + identity(a + b); ++ }(0); ++ return a + b + c + d + e; ++ } ++ ++ int ++ test3() ++ { ++ const auto nullary = [](){ return 0; }; ++ const auto unary = [](int x){ return x; }; ++ using nullary_t = decltype(nullary); ++ using unary_t = decltype(unary); ++ const auto higher1st = [](nullary_t f){ return f(); }; ++ const auto higher2nd = [unary](nullary_t f1){ ++ return [unary, f1](unary_t f2){ return f2(unary(f1())); }; ++ }; ++ return higher1st(nullary) + higher2nd(nullary)(unary); ++ } ++ ++ } ++ ++ namespace test_variadic_templates ++ { ++ ++ template ++ struct sum; ++ ++ template ++ struct sum ++ { ++ static constexpr auto value = N0 + sum::value; ++ }; ++ ++ template <> ++ struct sum<> ++ { ++ static constexpr auto value = 0; ++ }; ++ ++ static_assert(sum<>::value == 0, ""); ++ static_assert(sum<1>::value == 1, ""); ++ static_assert(sum<23>::value == 23, ""); ++ static_assert(sum<1, 2>::value == 3, ""); ++ static_assert(sum<5, 5, 11>::value == 21, ""); ++ static_assert(sum<2, 3, 5, 7, 11, 13>::value == 41, ""); ++ ++ } ++ ++ // http://stackoverflow.com/questions/13728184/template-aliases-and-sfinae ++ // Clang 3.1 fails with headers of libstd++ 4.8.3 when using std::function ++ // because of this. ++ namespace test_template_alias_sfinae ++ { ++ ++ struct foo {}; ++ ++ template ++ using member = typename T::member_type; ++ ++ template ++ void func(...) {} ++ ++ template ++ void func(member*) {} ++ ++ void test(); ++ ++ void test() { func(0); } ++ ++ } ++ ++} // namespace cxx11 ++ ++#endif // __cplusplus >= 201103L ++ ++]]) ++ ++ ++dnl Tests for new features in C++14 ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_new_in_14], [[ ++ ++// If the compiler admits that it is not ready for C++14, why torture it? ++// Hopefully, this will speed up the test. ++ ++#ifndef __cplusplus ++ ++#error "This is not a C++ compiler" ++ ++#elif __cplusplus < 201402L && !defined _MSC_VER ++ ++#error "This is not a C++14 compiler" ++ ++#else ++ ++namespace cxx14 ++{ ++ ++ namespace test_polymorphic_lambdas ++ { ++ ++ int ++ test() ++ { ++ const auto lambda = [](auto&&... args){ ++ const auto istiny = [](auto x){ ++ return (sizeof(x) == 1UL) ? 1 : 0; ++ }; ++ const int aretiny[] = { istiny(args)... }; ++ return aretiny[0]; ++ }; ++ return lambda(1, 1L, 1.0f, '1'); ++ } ++ ++ } ++ ++ namespace test_binary_literals ++ { ++ ++ constexpr auto ivii = 0b0000000000101010; ++ static_assert(ivii == 42, "wrong value"); ++ ++ } ++ ++ namespace test_generalized_constexpr ++ { ++ ++ template < typename CharT > ++ constexpr unsigned long ++ strlen_c(const CharT *const s) noexcept ++ { ++ auto length = 0UL; ++ for (auto p = s; *p; ++p) ++ ++length; ++ return length; ++ } ++ ++ static_assert(strlen_c("") == 0UL, ""); ++ static_assert(strlen_c("x") == 1UL, ""); ++ static_assert(strlen_c("test") == 4UL, ""); ++ static_assert(strlen_c("another\0test") == 7UL, ""); ++ ++ } ++ ++ namespace test_lambda_init_capture ++ { ++ ++ int ++ test() ++ { ++ auto x = 0; ++ const auto lambda1 = [a = x](int b){ return a + b; }; ++ const auto lambda2 = [a = lambda1(x)](){ return a; }; ++ return lambda2(); ++ } ++ ++ } ++ ++ namespace test_digit_separators ++ { ++ ++ constexpr auto ten_million = 100'000'000; ++ static_assert(ten_million == 100000000, ""); ++ ++ } ++ ++ namespace test_return_type_deduction ++ { ++ ++ auto f(int& x) { return x; } ++ decltype(auto) g(int& x) { return x; } ++ ++ template < typename T1, typename T2 > ++ struct is_same ++ { ++ static constexpr auto value = false; ++ }; ++ ++ template < typename T > ++ struct is_same ++ { ++ static constexpr auto value = true; ++ }; ++ ++ int ++ test() ++ { ++ auto x = 0; ++ static_assert(is_same::value, ""); ++ static_assert(is_same::value, ""); ++ return x; ++ } ++ ++ } ++ ++} // namespace cxx14 ++ ++#endif // __cplusplus >= 201402L ++ ++]]) ++ ++ ++dnl Tests for new features in C++17 ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_new_in_17], [[ ++ ++// If the compiler admits that it is not ready for C++17, why torture it? ++// Hopefully, this will speed up the test. ++ ++#ifndef __cplusplus ++ ++#error "This is not a C++ compiler" ++ ++#elif (defined _MSVC_LANG ? _MSVC_LANG : __cplusplus) < 201703L ++ ++#error "This is not a C++17 compiler" ++ ++#else ++ ++#include ++#include ++#include ++ ++namespace cxx17 ++{ ++ ++ namespace test_constexpr_lambdas ++ { ++ ++ constexpr int foo = [](){return 42;}(); ++ ++ } ++ ++ namespace test::nested_namespace::definitions ++ { ++ ++ } ++ ++ namespace test_fold_expression ++ { ++ ++ template ++ int multiply(Args... args) ++ { ++ return (args * ... * 1); ++ } ++ ++ template ++ bool all(Args... args) ++ { ++ return (args && ...); ++ } ++ ++ } ++ ++ namespace test_extended_static_assert ++ { ++ ++ static_assert (true); ++ ++ } ++ ++ namespace test_auto_brace_init_list ++ { ++ ++ auto foo = {5}; ++ auto bar {5}; ++ ++ static_assert(std::is_same, decltype(foo)>::value); ++ static_assert(std::is_same::value); ++ } ++ ++ namespace test_typename_in_template_template_parameter ++ { ++ ++ template typename X> struct D; ++ ++ } ++ ++ namespace test_fallthrough_nodiscard_maybe_unused_attributes ++ { ++ ++ int f1() ++ { ++ return 42; ++ } ++ ++ [[nodiscard]] int f2() ++ { ++ [[maybe_unused]] auto unused = f1(); ++ ++ switch (f1()) ++ { ++ case 17: ++ f1(); ++ [[fallthrough]]; ++ case 42: ++ f1(); ++ } ++ return f1(); ++ } ++ ++ } ++ ++ namespace test_extended_aggregate_initialization ++ { ++ ++ struct base1 ++ { ++ int b1, b2 = 42; ++ }; ++ ++ struct base2 ++ { ++ base2() { ++ b3 = 42; ++ } ++ int b3; ++ }; ++ ++ struct derived : base1, base2 ++ { ++ int d; ++ }; ++ ++ derived d1 {{1, 2}, {}, 4}; // full initialization ++ derived d2 {{}, {}, 4}; // value-initialized bases ++ ++ } ++ ++ namespace test_general_range_based_for_loop ++ { ++ ++ struct iter ++ { ++ int i; ++ ++ int& operator* () ++ { ++ return i; ++ } ++ ++ const int& operator* () const ++ { ++ return i; ++ } ++ ++ iter& operator++() ++ { ++ ++i; ++ return *this; ++ } ++ }; ++ ++ struct sentinel ++ { ++ int i; ++ }; ++ ++ bool operator== (const iter& i, const sentinel& s) ++ { ++ return i.i == s.i; ++ } ++ ++ bool operator!= (const iter& i, const sentinel& s) ++ { ++ return !(i == s); ++ } ++ ++ struct range ++ { ++ iter begin() const ++ { ++ return {0}; ++ } ++ ++ sentinel end() const ++ { ++ return {5}; ++ } ++ }; ++ ++ void f() ++ { ++ range r {}; ++ ++ for (auto i : r) ++ { ++ [[maybe_unused]] auto v = i; ++ } ++ } ++ ++ } ++ ++ namespace test_lambda_capture_asterisk_this_by_value ++ { ++ ++ struct t ++ { ++ int i; ++ int foo() ++ { ++ return [*this]() ++ { ++ return i; ++ }(); ++ } ++ }; ++ ++ } ++ ++ namespace test_enum_class_construction ++ { ++ ++ enum class byte : unsigned char ++ {}; ++ ++ byte foo {42}; ++ ++ } ++ ++ namespace test_constexpr_if ++ { ++ ++ template ++ int f () ++ { ++ if constexpr(cond) ++ { ++ return 13; ++ } ++ else ++ { ++ return 42; ++ } ++ } ++ ++ } ++ ++ namespace test_selection_statement_with_initializer ++ { ++ ++ int f() ++ { ++ return 13; ++ } ++ ++ int f2() ++ { ++ if (auto i = f(); i > 0) ++ { ++ return 3; ++ } ++ ++ switch (auto i = f(); i + 4) ++ { ++ case 17: ++ return 2; ++ ++ default: ++ return 1; ++ } ++ } ++ ++ } ++ ++ namespace test_template_argument_deduction_for_class_templates ++ { ++ ++ template ++ struct pair ++ { ++ pair (T1 p1, T2 p2) ++ : m1 {p1}, ++ m2 {p2} ++ {} ++ ++ T1 m1; ++ T2 m2; ++ }; ++ ++ void f() ++ { ++ [[maybe_unused]] auto p = pair{13, 42u}; ++ } ++ ++ } ++ ++ namespace test_non_type_auto_template_parameters ++ { ++ ++ template ++ struct B ++ {}; ++ ++ B<5> b1; ++ B<'a'> b2; ++ ++ } ++ ++ namespace test_structured_bindings ++ { ++ ++ int arr[2] = { 1, 2 }; ++ std::pair pr = { 1, 2 }; ++ ++ auto f1() -> int(&)[2] ++ { ++ return arr; ++ } ++ ++ auto f2() -> std::pair& ++ { ++ return pr; ++ } ++ ++ struct S ++ { ++ int x1 : 2; ++ volatile double y1; ++ }; ++ ++ S f3() ++ { ++ return {}; ++ } ++ ++ auto [ x1, y1 ] = f1(); ++ auto& [ xr1, yr1 ] = f1(); ++ auto [ x2, y2 ] = f2(); ++ auto& [ xr2, yr2 ] = f2(); ++ const auto [ x3, y3 ] = f3(); ++ ++ } ++ ++ namespace test_exception_spec_type_system ++ { ++ ++ struct Good {}; ++ struct Bad {}; ++ ++ void g1() noexcept; ++ void g2(); ++ ++ template ++ Bad ++ f(T*, T*); ++ ++ template ++ Good ++ f(T1*, T2*); ++ ++ static_assert (std::is_same_v); ++ ++ } ++ ++ namespace test_inline_variables ++ { ++ ++ template void f(T) ++ {} ++ ++ template inline T g(T) ++ { ++ return T{}; ++ } ++ ++ template<> inline void f<>(int) ++ {} ++ ++ template<> int g<>(int) ++ { ++ return 5; ++ } ++ ++ } ++ ++} // namespace cxx17 ++ ++#endif // (defined _MSVC_LANG ? _MSVC_LANG : __cplusplus) < 201703L ++ ++]]) ++ ++ ++dnl Tests for new features in C++20 ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_new_in_20], [[ ++ ++#ifndef __cplusplus ++ ++#error "This is not a C++ compiler" ++ ++#elif (defined _MSVC_LANG ? _MSVC_LANG : __cplusplus) < 202002L ++ ++#error "This is not a C++20 compiler" ++ ++#else ++ ++#include ++ ++namespace cxx20 ++{ ++ ++// As C++20 supports feature test macros in the standard, there is no ++// immediate need to actually test for feature availability on the ++// Autoconf side. ++ ++} // namespace cxx20 ++ ++#endif // (defined _MSVC_LANG ? _MSVC_LANG : __cplusplus) < 202002L ++ ++]]) ++ ++ ++dnl Tests for new features in C++23 ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_new_in_23], [[ ++ ++#ifndef __cplusplus ++ ++#error "This is not a C++ compiler" ++ ++#elif (defined _MSVC_LANG ? _MSVC_LANG : __cplusplus) < 202302L ++ ++#error "This is not a C++23 compiler" ++ ++#else ++ ++#include ++ ++namespace cxx23 ++{ ++ ++// As C++23 supports feature test macros in the standard, there is no ++// immediate need to actually test for feature availability on the ++// Autoconf side. ++ ++} // namespace cxx23 ++ ++#endif // (defined _MSVC_LANG ? _MSVC_LANG : __cplusplus) < 202302L ++ ++]]) + +From e00b7f9250e0b7dae44e6b9191be0aa31d8cb668 Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Sat, 7 Dec 2024 18:18:02 -0800 +Subject: [PATCH 3/9] Stop shipping atf-*-api(3) manpages + +These manpages have been deprecated for at least a release. Remove them +and all of the logic associated with them. + +Signed-off-by: Enji Cooper +--- + Makefile.am | 8 -------- + configure.ac | 3 --- + 2 files changed, 11 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 913910c2..d202fd1d 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -114,12 +114,4 @@ clean-all: + + .PHONY: $(PHONY_TARGETS) + +-# TODO(jmmv): Remove after atf 0.22. +-install-data-hook: +- cd $(DESTDIR)$(man3dir) && \ +- for binding in c c++ sh; do \ +- rm -f "atf-$${binding}-api.3"; \ +- $(LN_S) "atf-$${binding}.3" "atf-$${binding}-api.3"; \ +- done +- + # vim: syntax=make:noexpandtab:shiftwidth=8:softtabstop=8 +diff --git a/configure.ac b/configure.ac +index 6d802144..a2d68cee 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -74,9 +74,6 @@ fi + + KYUA_DEVELOPER_MODE([C,C++]) + +-dnl TODO(jmmv): Remove once the atf-*-api.3 symlinks are removed. +-AC_PROG_LN_S +- + ATF_MODULE_APPLICATION + ATF_MODULE_DEFS + ATF_MODULE_ENV + +From aa0fe99ef3de0f31dbaefb5268015258478d0ba4 Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Sat, 7 Dec 2024 18:20:47 -0800 +Subject: [PATCH 4/9] Expose WCOREDUMP(..) in a deterministic manner + +WCOREDUMP is considered an extension to the POSIX spec on multiple +platforms, and thus is not automatically exposed on all platforms. Add the +relevant preprocessor defines to config.h via autoconf, then leverage them +in atf-c(3). + +This helps ensure that the platforms which support WCOREDUMP properly +expose the macro. + +Signed-off-by: Enji Cooper +--- + atf-c/detail/process.c | 2 ++ + configure.ac | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/atf-c/detail/process.c b/atf-c/detail/process.c +index 567d28ec..84bb4882 100644 +--- a/atf-c/detail/process.c ++++ b/atf-c/detail/process.c +@@ -23,6 +23,8 @@ + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN + * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + ++#include "config.h" ++ + #include "atf-c/detail/process.h" + + #include +diff --git a/configure.ac b/configure.ac +index a2d68cee..3a88354b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -58,6 +58,8 @@ AM_PROG_CC_C_O + dnl The C compiler check automatically aborts if the compiler does not work. + dnl Nothing to do here. + ++AC_USE_SYSTEM_EXTENSIONS ++ + AC_PROG_CXX + AC_LANG_COMPILER(C++) + AX_CXX_COMPILE_STDCXX(14, noext, mandatory) + +From deee8f2628847e3fff6fd2af04f163fadee4c61c Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Tue, 10 Dec 2024 14:26:58 -0800 +Subject: [PATCH 5/9] Add compiler feature detection for + `__attribute__((nonnull))` + +This feature is being detected so several functions can be appropriately +marked as taking non-NULL/-nullptr parameters, and the compiler and static +analyzers can (in turn) make intelligent decisions when optimizing and +analyzing code, respectively. + +Signed-off-by: Enji Cooper +--- + atf-c/defs.h.in | 1 + + m4/module-defs.m4 | 21 +++++++++++++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/atf-c/defs.h.in b/atf-c/defs.h.in +index 6059e7fd..5346e56a 100644 +--- a/atf-c/defs.h.in ++++ b/atf-c/defs.h.in +@@ -27,6 +27,7 @@ + #define ATF_C_DEFS_H + + #define ATF_DEFS_ATTRIBUTE_FORMAT_PRINTF(a, b) @ATTRIBUTE_FORMAT_PRINTF@ ++#define ATF_DEFS_ATTRIBUTE_NONNULL @ATTRIBUTE_NONNULL@ + #define ATF_DEFS_ATTRIBUTE_NORETURN @ATTRIBUTE_NORETURN@ + #define ATF_DEFS_ATTRIBUTE_UNUSED @ATTRIBUTE_UNUSED@ + +diff --git a/m4/module-defs.m4 b/m4/module-defs.m4 +index b1c9cc84..feb3df27 100644 +--- a/m4/module-defs.m4 ++++ b/m4/module-defs.m4 +@@ -54,6 +54,26 @@ test_printf(const char *format, ...) + AC_SUBST([ATTRIBUTE_FORMAT_PRINTF], [${value}]) + ]) + ++AC_DEFUN([ATF_ATTRIBUTE_NONNULL], [ ++ AC_CACHE_CHECK( ++ [whether __attribute__((nonnull)) is supported], ++ [kyua_cv_attribute_nonnull], [ ++ AC_COMPILE_IFELSE( ++ [AC_LANG_PROGRAM([ ++void func(char *foo __attribute__((nonnull))); ++])], ++ [kyua_cv_attribute_nonnull=yes], ++ [kyua_cv_attribute_nonnull=no]) ++ ]) ++ if test x"${kyua_cv_attribute_nonnull}" = xyes; then ++ value="__attribute__((nonnull))" ++ else ++ value="" ++ fi ++ AC_SUBST([ATTRIBUTE_NONNULL], [${value}]) ++]) ++ ++ + AC_DEFUN([ATF_ATTRIBUTE_NORETURN], [ + dnl XXX This check is overly simple and should be fixed. For example, + dnl Sun's cc does support the noreturn attribute but CC (the C++ +@@ -103,6 +123,7 @@ function(int a __attribute__((__unused__))) + + AC_DEFUN([ATF_MODULE_DEFS], [ + ATF_ATTRIBUTE_FORMAT_PRINTF ++ ATF_ATTRIBUTE_NONNULL + ATF_ATTRIBUTE_NORETURN + ATF_ATTRIBUTE_UNUSED + ]) + +From 1ca4688b87e8bcb3bfc5c05ef61b385d59019383 Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Wed, 25 Dec 2024 11:31:12 -0800 +Subject: [PATCH 6/9] Restore AC_PROG_CPP + +This was accidentally deleted post-0.21 release. It's still needed by +tests and build infrastructure. + +Signed-off-by: Enji Cooper +--- + configure.ac | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/configure.ac b/configure.ac +index 3a88354b..e42ee5e1 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -62,6 +62,7 @@ AC_USE_SYSTEM_EXTENSIONS + + AC_PROG_CXX + AC_LANG_COMPILER(C++) ++AC_PROG_CPP + AX_CXX_COMPILE_STDCXX(14, noext, mandatory) + AC_CACHE_CHECK([whether the C++ compiler works], + [atf_cv_prog_cxx_works], + +From bff968f5a164a81819046c55881e6083a7607dcf Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Sat, 7 Dec 2024 18:12:02 -0800 +Subject: [PATCH 7/9] atf-c/detail/env.c: remove unnecessary complexity + +The libcalls used have been in the POSIX standard since 2008.1. Require +them to be present instead of conditionally hoping they're present. + +This fixes an issue where the autoconf code was messing up with a +combination of clang tools, which resulted in the autoconf code failing +to properly determine whether or not the functions were available. + +Signed-off-by: Enji Cooper +--- + atf-c/detail/env.c | 41 +++-------------------------------------- + configure.ac | 1 - + m4/module-env.m4 | 28 ---------------------------- + 3 files changed, 3 insertions(+), 67 deletions(-) + delete mode 100644 m4/module-env.m4 + +diff --git a/atf-c/detail/env.c b/atf-c/detail/env.c +index 8ee3d697..36de217c 100644 +--- a/atf-c/detail/env.c ++++ b/atf-c/detail/env.c +@@ -25,10 +25,6 @@ + + #include "atf-c/detail/env.h" + +-#if defined(HAVE_CONFIG_H) +-#include "config.h" +-#endif +- + #include + #include + +@@ -65,25 +61,11 @@ atf_env_set(const char *name, const char *val) + { + atf_error_t err; + +-#if defined(HAVE_SETENV) + if (setenv(name, val, 1) == -1) +- err = atf_libc_error(errno, "Cannot set environment variable " +- "'%s' to '%s'", name, val); ++ err = atf_libc_error(errno, ++ "Cannot set environment variable '%s' to '%s'", name, val); + else + err = atf_no_error(); +-#elif defined(HAVE_PUTENV) +- char *buf; +- +- err = atf_text_format(&buf, "%s=%s", name, val); +- if (!atf_is_error(err)) { +- if (putenv(buf) == -1) +- err = atf_libc_error(errno, "Cannot set environment variable " +- "'%s' to '%s'", name, val); +- free(buf); +- } +-#else +-# error "Don't know how to set an environment variable." +-#endif + + return err; + } +@@ -91,24 +73,7 @@ atf_env_set(const char *name, const char *val) + atf_error_t + atf_env_unset(const char *name) + { +- atf_error_t err; + +-#if defined(HAVE_UNSETENV) + unsetenv(name); +- err = atf_no_error(); +-#elif defined(HAVE_PUTENV) +- char *buf; +- +- err = atf_text_format(&buf, "%s=", name); +- if (!atf_is_error(err)) { +- if (putenv(buf) == -1) +- err = atf_libc_error(errno, "Cannot unset environment variable" +- " '%s'", name); +- free(buf); +- } +-#else +-# error "Don't know how to unset an environment variable." +-#endif +- +- return err; ++ return (atf_no_error()); + } +diff --git a/configure.ac b/configure.ac +index e42ee5e1..00ee124c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -79,7 +79,6 @@ KYUA_DEVELOPER_MODE([C,C++]) + + ATF_MODULE_APPLICATION + ATF_MODULE_DEFS +-ATF_MODULE_ENV + ATF_MODULE_FS + + ATF_RUNTIME_TOOL([ATF_BUILD_CC], +diff --git a/m4/module-env.m4 b/m4/module-env.m4 +deleted file mode 100644 +index 963aab38..00000000 +--- a/m4/module-env.m4 ++++ /dev/null +@@ -1,28 +0,0 @@ +-dnl Copyright (c) 2007 The NetBSD Foundation, Inc. +-dnl All rights reserved. +-dnl +-dnl Redistribution and use in source and binary forms, with or without +-dnl modification, are permitted provided that the following conditions +-dnl are met: +-dnl 1. Redistributions of source code must retain the above copyright +-dnl notice, this list of conditions and the following disclaimer. +-dnl 2. Redistributions in binary form must reproduce the above copyright +-dnl notice, this list of conditions and the following disclaimer in the +-dnl documentation and/or other materials provided with the distribution. +-dnl +-dnl THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND +-dnl CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +-dnl INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +-dnl MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +-dnl IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY +-dnl DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +-dnl DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE +-dnl GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +-dnl INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER +-dnl IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +-dnl OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +-dnl IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +- +-AC_DEFUN([ATF_MODULE_ENV], [ +- AC_CHECK_FUNCS([putenv setenv unsetenv]) +-]) + +From 402b9362d01448074c4d2d91a8c770e591577167 Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Wed, 25 Dec 2024 17:19:28 -0800 +Subject: [PATCH 8/9] Remove ATF_BUILD_CXX require.progs check + +This particular check unfortunately doesn't work when ATF_BUILD_CXX +contains multiple CXXFLAGS, or contains a path with spaces in it. Remove +this check to unbreak the dependent tests +post-793d4640031dc06ce8a239ffa9ab61322104c4ca. + +Signed-off-by: Enji Cooper +--- + atf-c++/detail/test_helpers.hpp | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/atf-c++/detail/test_helpers.hpp b/atf-c++/detail/test_helpers.hpp +index c1171801..1c4c316f 100644 +--- a/atf-c++/detail/test_helpers.hpp ++++ b/atf-c++/detail/test_helpers.hpp +@@ -45,8 +45,6 @@ + { \ + set_md_var("descr", "Tests that the " hdrname " file can be " \ + "included on its own, without any prerequisites"); \ +- const std::string cxx = atf::env::get("ATF_BUILD_CXX", ATF_BUILD_CXX); \ +- set_md_var("require.progs", cxx); \ + } \ + ATF_TEST_CASE_BODY(name) \ + { \ +@@ -58,8 +56,6 @@ + ATF_TEST_CASE_HEAD(name) \ + { \ + set_md_var("descr", descr); \ +- const std::string cxx = atf::env::get("ATF_BUILD_CXX", ATF_BUILD_CXX); \ +- set_md_var("require.progs", cxx); \ + } \ + ATF_TEST_CASE_BODY(name) \ + { \ + +From f054eebc616577d973fa6f3b4ec440bb29671c20 Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Wed, 25 Dec 2024 20:17:15 -0800 +Subject: [PATCH 9/9] Remove redundant C++ toolchain check + +The C++ toolchain is sanity checked when C++14 conformance is checked; +there's no reason why we need to check whether or not the C++ toolchain +works again. + +Signed-off-by: Enji Cooper +--- + configure.ac | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 00ee124c..e36f9817 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -64,16 +64,6 @@ AC_PROG_CXX + AC_LANG_COMPILER(C++) + AC_PROG_CPP + AX_CXX_COMPILE_STDCXX(14, noext, mandatory) +-AC_CACHE_CHECK([whether the C++ compiler works], +- [atf_cv_prog_cxx_works], +- [AC_LANG_PUSH([C++]) +- AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], +- [atf_cv_prog_cxx_works=yes], +- [atf_cv_prog_cxx_works=no]) +- AC_LANG_POP]) +-if test "${atf_cv_prog_cxx_works}" = no; then +- AC_MSG_ERROR([C++ compiler cannot create executables]) +-fi + + KYUA_DEVELOPER_MODE([C,C++]) + From ec6d3309e07829703188f67277332f3d1364d2d2 Mon Sep 17 00:00:00 2001 From: rewine Date: Fri, 3 Jan 2025 14:50:39 +0800 Subject: [PATCH 04/19] qt6.qtwayland: backport fix for qtwayland compositor (cherry picked from commit 98cca0e02c9f1804d8ad86ddd6005c6b90055127) --- .../libraries/qt-6/modules/qtwayland.nix | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/pkgs/development/libraries/qt-6/modules/qtwayland.nix b/pkgs/development/libraries/qt-6/modules/qtwayland.nix index ac8c570c900ca..02e8a12bc9d36 100644 --- a/pkgs/development/libraries/qt-6/modules/qtwayland.nix +++ b/pkgs/development/libraries/qt-6/modules/qtwayland.nix @@ -37,13 +37,20 @@ qtModule { url = "https://invent.kde.org/qt/qt/qtwayland/-/commit/24002ac6cbd01dbde4944b63c1f7c87ed2bd72b5.patch"; hash = "sha256-Lz4Gv6FLhFGv7dVpqqcss6/w5jsGA8SKaNeWMHT0A/A="; }) - ]; - # Replace vendored wayland.xml with our matching version - # FIXME: remove when upstream updates past 1.23 - postPatch = '' - cp ${wayland-scanner}/share/wayland/wayland.xml src/3rdparty/protocol/wayland/wayland.xml - ''; + # run waylandscanner with private-code to avoid conflict with symbols from libwayland + # better solution for https://github.com/NixOS/nixpkgs/pull/337913 + (fetchpatch2 { + url = "https://invent.kde.org/qt/qt/qtwayland/-/commit/67f121cc4c3865aa3a93cf563caa1d9da3c92695.patch"; + hash = "sha256-uh5lecHlHCWyO1/EU5kQ00VS7eti3PEvPA2HBCL9K0k="; + }) + + # fix crash when attach differ shellsurface to the same shellsurfaceitem + (fetchpatch2 { + url = "https://invent.kde.org/qt/qt/qtwayland/-/commit/070414dd4155e13583e5e8b16bed1a5b68d32910.patch"; + hash = "sha256-JLTdSEbqM6OSijk0cgC419AdLE+PF5KbFh3ypgYUKz8="; + }) + ]; meta = { platforms = lib.platforms.unix; From 5fdc683082e81727a7ecec0d5d7683bde46c3add Mon Sep 17 00:00:00 2001 From: TomaSajt <62384384+TomaSajt@users.noreply.github.com> Date: Tue, 7 Jan 2025 14:01:12 +0100 Subject: [PATCH 05/19] rustPlatform.fetchCargoVendor: support lockfile v4 escaping (cherry picked from commit 1db27e9394165ef0b15b35cbfadedb35a3f1cda8) --- .../rust/fetch-cargo-vendor-util.py | 37 +++++++++++++++---- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/pkgs/build-support/rust/fetch-cargo-vendor-util.py b/pkgs/build-support/rust/fetch-cargo-vendor-util.py index 697387f292ba7..bb70a559fe966 100644 --- a/pkgs/build-support/rust/fetch-cargo-vendor-util.py +++ b/pkgs/build-support/rust/fetch-cargo-vendor-util.py @@ -9,6 +9,7 @@ import tomllib from pathlib import Path from typing import Any, TypedDict, cast +from urllib.parse import unquote import requests from requests.adapters import HTTPAdapter, Retry @@ -21,6 +22,15 @@ def load_toml(path: Path) -> dict[str, Any]: return tomllib.load(f) +def get_lockfile_version(cargo_lock_toml: dict[str, Any]) -> int: + # lockfile v1 and v2 don't have the `version` key, so assume v2 + version = cargo_lock_toml.get("version", 2) + + # TODO: add logic for differentiating between v1 and v2 + + return version + + def download_file_with_checksum(url: str, destination_path: Path) -> str: retries = Retry( total=5, @@ -93,20 +103,29 @@ class GitSourceInfo(TypedDict): git_sha_rev: str -def parse_git_source(source: str) -> GitSourceInfo: +def parse_git_source(source: str, lockfile_version: int) -> GitSourceInfo: match = GIT_SOURCE_REGEX.match(source) if match is None: raise Exception(f"Unable to process git source: {source}.") - return cast(GitSourceInfo, match.groupdict(default=None)) + + source_info = cast(GitSourceInfo, match.groupdict(default=None)) + + # the source URL is URL-encoded in lockfile_version >=4 + # since we just used regex to parse it we have to manually decode the escaped branch/tag name + if lockfile_version >= 4 and source_info["value"] is not None: + source_info["value"] = unquote(source_info["value"]) + + return source_info def create_vendor_staging(lockfile_path: Path, out_dir: Path) -> None: - cargo_toml = load_toml(lockfile_path) + cargo_lock_toml = load_toml(lockfile_path) + lockfile_version = get_lockfile_version(cargo_lock_toml) git_packages: list[dict[str, Any]] = [] registry_packages: list[dict[str, Any]] = [] - for pkg in cargo_toml["package"]: + for pkg in cargo_lock_toml["package"]: # ignore local dependenices if "source" not in pkg.keys(): eprint(f"Skipping local dependency: {pkg["name"]}") @@ -122,7 +141,7 @@ def create_vendor_staging(lockfile_path: Path, out_dir: Path) -> None: git_sha_rev_to_url: dict[str, str] = {} for pkg in git_packages: - source_info = parse_git_source(pkg["source"]) + source_info = parse_git_source(pkg["source"], lockfile_version) git_sha_rev_to_url[source_info["git_sha_rev"]] = source_info["url"] out_dir.mkdir(exist_ok=True) @@ -207,7 +226,8 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: out_dir.mkdir(exist_ok=True) shutil.copy(lockfile_path, out_dir / "Cargo.lock") - cargo_toml = load_toml(lockfile_path) + cargo_lock_toml = load_toml(lockfile_path) + lockfile_version = get_lockfile_version(cargo_lock_toml) config_lines = [ '[source.vendored-sources]', @@ -217,7 +237,7 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: ] seen_source_keys = set() - for pkg in cargo_toml["package"]: + for pkg in cargo_lock_toml["package"]: # ignore local dependenices if "source" not in pkg.keys(): @@ -230,7 +250,8 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: if source.startswith("git+"): - source_info = parse_git_source(pkg["source"]) + source_info = parse_git_source(pkg["source"], lockfile_version) + git_sha_rev = source_info["git_sha_rev"] git_tree = vendor_staging_dir / "git" / git_sha_rev From 79442c07658dbeb603f6fa33522c89d0a5d007e1 Mon Sep 17 00:00:00 2001 From: TomaSajt <62384384+TomaSajt@users.noreply.github.com> Date: Tue, 7 Jan 2025 21:03:55 +0100 Subject: [PATCH 06/19] rustPlatform.importCargoLock: support lockfile v4 escaping (cherry picked from commit 0bfdb03af347712c4e110174f64f92313e3d84e0) --- pkgs/build-support/rust/import-cargo-lock.nix | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/pkgs/build-support/rust/import-cargo-lock.nix b/pkgs/build-support/rust/import-cargo-lock.nix index e88931d0f383d..b39b56f4ccb5e 100644 --- a/pkgs/build-support/rust/import-cargo-lock.nix +++ b/pkgs/build-support/rust/import-cargo-lock.nix @@ -49,6 +49,10 @@ let parsedLockFile = builtins.fromTOML lockFileContents; + # lockfile v1 and v2 don't have the `version` key, so assume v2 + # we can implement more fine-grained detection later, if needed + lockFileVersion = parsedLockFile.version or 2; + packages = parsedLockFile.package; # There is no source attribute for the source package itself. But @@ -202,11 +206,20 @@ let # Cargo is happy with empty metadata. printf '{"files":{},"package":null}' > "$out/.cargo-checksum.json" + ${lib.optionalString (gitParts ? type) '' + gitPartsValue=${lib.escapeShellArg gitParts.value} + # starting with lockfile version v4 the git source url contains encoded query parameters + # our regex parser does not know how to unescape them to get the actual value, so we do it here + ${lib.optionalString (lockFileVersion >= 4) '' + gitPartsValue=$(${lib.getExe python3Packages.python} -c "import sys, urllib.parse; print(urllib.parse.unquote(sys.argv[1]))" "$gitPartsValue") + ''} + ''} + # Set up configuration for the vendor directory. cat > $out/.cargo-config < Date: Sat, 4 Jan 2025 13:42:55 +0100 Subject: [PATCH 07/19] buildGoModule: fix GO_NO_VENDOR_CHECKS for v1.23+ There was an additional check added for vendor/modules.txt when loading packages, see https://github.com/golang/go/commit/38ee0c7630e999f97d96899ecf4e8d0230236cd6#diff-61fb6e44eac25bd4d6a8a64b3f38ee8a41faaefd1ef481170a011ecfc0f7c76bR344 The new version of the patch tries to also disable these checks. Signed-off-by: Paul Meyer (cherry picked from commit 75dfe81caf85265943e23070f98c1ddc8c69aa18) --- pkgs/development/compilers/go/1.23.nix | 2 +- .../go/go_no_vendor_checks-1.23.patch | 26 +++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 pkgs/development/compilers/go/go_no_vendor_checks-1.23.patch diff --git a/pkgs/development/compilers/go/1.23.nix b/pkgs/development/compilers/go/1.23.nix index 4d056b1504493..08c17cca8c037 100644 --- a/pkgs/development/compilers/go/1.23.nix +++ b/pkgs/development/compilers/go/1.23.nix @@ -94,7 +94,7 @@ stdenv.mkDerivation (finalAttrs: { inherit tzdata; }) ./remove-tools-1.11.patch - ./go_no_vendor_checks-1.22.patch + ./go_no_vendor_checks-1.23.patch ]; GOOS = if stdenv.targetPlatform.isWasi then "wasip1" else stdenv.targetPlatform.parsed.kernel.name; diff --git a/pkgs/development/compilers/go/go_no_vendor_checks-1.23.patch b/pkgs/development/compilers/go/go_no_vendor_checks-1.23.patch new file mode 100644 index 0000000000000..eaffb1bef6481 --- /dev/null +++ b/pkgs/development/compilers/go/go_no_vendor_checks-1.23.patch @@ -0,0 +1,26 @@ +diff --git a/src/cmd/go/internal/modload/import.go b/src/cmd/go/internal/modload/import.go +index a3105b6b6d..0e10154a70 100644 +--- a/src/cmd/go/internal/modload/import.go ++++ b/src/cmd/go/internal/modload/import.go +@@ -345,7 +345,7 @@ func importFromModules(ctx context.Context, path string, rs *Requirements, mg *M + // vendor/modules.txt does not exist or the user manually added directories to the vendor directory. + // Go 1.23 and later require vendored packages to be present in modules.txt to be imported. + _, ok := vendorPkgModule[path] +- if ok || (gover.Compare(MainModules.GoVersion(), gover.ExplicitModulesTxtImportVersion) < 0) { ++ if ok || (gover.Compare(MainModules.GoVersion(), gover.ExplicitModulesTxtImportVersion) < 0) || os.Getenv("GO_NO_VENDOR_CHECKS") == "1" { + mods = append(mods, vendorPkgModule[path]) + dirs = append(dirs, dir) + roots = append(roots, vendorDir) +diff --git a/src/cmd/go/internal/modload/vendor.go b/src/cmd/go/internal/modload/vendor.go +index b2cb44100e..05bf3829d5 100644 +--- a/src/cmd/go/internal/modload/vendor.go ++++ b/src/cmd/go/internal/modload/vendor.go +@@ -159,7 +159,7 @@ func checkVendorConsistency(indexes []*modFileIndex, modFiles []*modfile.File, m + panic(fmt.Errorf("not in workspace mode but number of indexes is %v, not 1", len(indexes))) + } + index := indexes[0] +- if gover.Compare(index.goVersion, "1.14") < 0 { ++ if gover.Compare(index.goVersion, "1.14") < 0 || (os.Getenv("GO_NO_VENDOR_CHECKS") == "1" && len(vendorMeta) == 0) { + // Go versions before 1.14 did not include enough information in + // vendor/modules.txt to check for consistency. + // If we know that we're on an earlier version, relax the consistency check. From 5efb65741634a1129fc7d319d271ab255df6de0e Mon Sep 17 00:00:00 2001 From: Jan Tojnar Date: Tue, 31 Dec 2024 19:22:12 +0000 Subject: [PATCH 08/19] =?UTF-8?q?sysprof:=2047.0=20=E2=86=92=2047.2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://gitlab.gnome.org/GNOME/sysprof/-/compare/47.0...47.2 (cherry picked from commit 51853c01f116064a02cd20f7018ca60daa66c748) --- pkgs/development/tools/profiling/sysprof/capture.nix | 2 +- pkgs/development/tools/profiling/sysprof/default.nix | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/pkgs/development/tools/profiling/sysprof/capture.nix b/pkgs/development/tools/profiling/sysprof/capture.nix index 00a7bdc6a01e5..6dd050841b0bc 100644 --- a/pkgs/development/tools/profiling/sysprof/capture.nix +++ b/pkgs/development/tools/profiling/sysprof/capture.nix @@ -6,7 +6,7 @@ sysprof, }: -stdenv.mkDerivation rec { +stdenv.mkDerivation { pname = "libsysprof-capture"; inherit (sysprof) src version; diff --git a/pkgs/development/tools/profiling/sysprof/default.nix b/pkgs/development/tools/profiling/sysprof/default.nix index 01de2e761ea9f..837a0c8f05728 100644 --- a/pkgs/development/tools/profiling/sysprof/default.nix +++ b/pkgs/development/tools/profiling/sysprof/default.nix @@ -23,9 +23,9 @@ gnome, }: -stdenv.mkDerivation rec { +stdenv.mkDerivation (finalAttrs: { pname = "sysprof"; - version = "47.0"; + version = "47.2"; outputs = [ "out" @@ -34,8 +34,8 @@ stdenv.mkDerivation rec { ]; src = fetchurl { - url = "mirror://gnome/sources/${pname}/${lib.versions.major version}/${pname}-${version}.tar.xz"; - hash = "sha256-dCTGKUNGYGVCiMBCSJmMNX0c6H7hVZ/UTfGYCZLvXfU="; + url = "mirror://gnome/sources/sysprof/${lib.versions.major finalAttrs.version}/sysprof-${finalAttrs.version}.tar.xz"; + hash = "sha256-5LXt6f2XjsPw1aDUTQQpptIBw2K/bLRScxkDGuRixU8="; }; nativeBuildInputs = [ @@ -70,7 +70,7 @@ stdenv.mkDerivation rec { passthru = { updateScript = gnome.updateScript { - packageName = pname; + packageName = "sysprof"; }; }; @@ -88,4 +88,4 @@ stdenv.mkDerivation rec { maintainers = teams.gnome.members; platforms = platforms.unix; }; -} +}) From 63e6f2f8d280bc568e9a39c17cc5696cc72ef74f Mon Sep 17 00:00:00 2001 From: Jan Tojnar Date: Tue, 31 Dec 2024 19:20:55 +0000 Subject: [PATCH 09/19] =?UTF-8?q?gtk4:=204.16.3=20=E2=86=92=204.16.7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://gitlab.gnome.org/GNOME/gtk/-/compare/4.16.3...4.16.7 (cherry picked from commit 8efc701451f14fa4c758b2b0e1ddf55780f87b7f) --- pkgs/development/libraries/gtk/4.x.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gtk/4.x.nix b/pkgs/development/libraries/gtk/4.x.nix index 8a79a06560fc1..80c8ca5ae24b2 100644 --- a/pkgs/development/libraries/gtk/4.x.nix +++ b/pkgs/development/libraries/gtk/4.x.nix @@ -70,7 +70,7 @@ in stdenv.mkDerivation (finalAttrs: { pname = "gtk4"; - version = "4.16.3"; + version = "4.16.7"; outputs = [ "out" "dev" ] ++ lib.optionals x11Support [ "devdoc" ]; outputBin = "dev"; @@ -82,7 +82,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = with finalAttrs; "mirror://gnome/sources/gtk/${lib.versions.majorMinor version}/gtk-${version}.tar.xz"; - hash = "sha256-LsU+B9GMnwA7OeSmqDgFTZJZ4Ei2xMBdgMDQWqch2UQ="; + hash = "sha256-UwPHYk4VpIiAWRud3UM4mvuj3k+5KiGXGVGbsWQs49w="; }; depsBuildBuild = [ From 37153b32d0f988fd1d0a497130dbd6780b5aeb64 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 14 Jan 2025 18:52:24 +0100 Subject: [PATCH 10/19] python313Packages.django_4: 4.2.17 -> 4.2.18 https://docs.djangoproject.com/en/4.2/releases/4.2.18/ https://www.djangoproject.com/weblog/2025/jan/14/security-releases/ Fixes: CVE-2024-56374 (cherry picked from commit d8c10f07988449084d174abd2f31e314938a49b9) --- pkgs/development/python-modules/django/4.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/django/4.nix b/pkgs/development/python-modules/django/4.nix index dbb579300ab69..b437a8b75232f 100644 --- a/pkgs/development/python-modules/django/4.nix +++ b/pkgs/development/python-modules/django/4.nix @@ -44,7 +44,7 @@ buildPythonPackage rec { pname = "django"; - version = "4.2.17"; + version = "4.2.18"; format = "pyproject"; disabled = pythonOlder "3.8"; @@ -53,7 +53,7 @@ buildPythonPackage rec { owner = "django"; repo = "django"; rev = "refs/tags/${version}"; - hash = "sha256-G3PAG/fe4yG55699XS8rcWigF92J0Fke1qnUxRqOUnc="; + hash = "sha256-aOTfZDJsEfWHXxkvTgyc2E9ye3LpzHG1bJTo40Dke4I="; }; patches = From 7415730cfc8e54882dc26c0af4484291e29a2b80 Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Tue, 14 Jan 2025 21:23:39 +0100 Subject: [PATCH 11/19] rsync: 3.3.0 -> 3.4.1 Follow-up to edccf51c1cb9202ee43999fc02ce83e68dbecc36. Changes: https://github.com/RsyncProject/rsync/blob/v3.4.1/NEWS.md The PGP key change is expected and has been confirmed by the maintainers. In a effort to provide traceability the new key has been signed by Wayne Davison, another rsync maintainer, see https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x6c859fb14b96a8c5 (cherry picked from commit 79a3e7628f72045946fb3cb40509fdaa4be8655d) --- .../0001-Some-checksum-buffer-fixes.patch | 151 -------------- ...other-cast-when-multiplying-integers.patch | 39 ---- ...event-information-leak-off-the-stack.patch | 27 --- ...uzzy-options-when-fuzzy-not-selected.patch | 37 ---- .../0002-added-secure_relative_open.patch | 103 ---------- ...-secure_relative_open-for-basis-file.patch | 103 ---------- ...nts-in-relpath-for-secure_relative_o.patch | 37 ---- .../0001-Refuse-a-duplicate-dirlist.patch | 45 ----- .../0002-range-check-dir_ndx-before-use.patch | 27 --- .../0001-make-safe-links-stricter.patch | 136 ------------- ...xed-symlink-race-condition-in-sender.patch | 187 ------------------ .../configure.ac-fix-failing-IPv6-check.patch | 12 -- .../networking/sync/rsync/default.nix | 23 +-- .../rsync/raise-protocol-version-to-32.patch | 26 --- 14 files changed, 3 insertions(+), 950 deletions(-) delete mode 100644 pkgs/applications/networking/sync/rsync/CVE-2024-12084/0001-Some-checksum-buffer-fixes.patch delete mode 100644 pkgs/applications/networking/sync/rsync/CVE-2024-12084/0002-Another-cast-when-multiplying-integers.patch delete mode 100644 pkgs/applications/networking/sync/rsync/CVE-2024-12085/0001-prevent-information-leak-off-the-stack.patch delete mode 100644 pkgs/applications/networking/sync/rsync/CVE-2024-12086/0001-refuse-fuzzy-options-when-fuzzy-not-selected.patch delete mode 100644 pkgs/applications/networking/sync/rsync/CVE-2024-12086/0002-added-secure_relative_open.patch delete mode 100644 pkgs/applications/networking/sync/rsync/CVE-2024-12086/0003-receiver-use-secure_relative_open-for-basis-file.patch delete mode 100644 pkgs/applications/networking/sync/rsync/CVE-2024-12086/0004-disallow-.-elements-in-relpath-for-secure_relative_o.patch delete mode 100644 pkgs/applications/networking/sync/rsync/CVE-2024-12087/0001-Refuse-a-duplicate-dirlist.patch delete mode 100644 pkgs/applications/networking/sync/rsync/CVE-2024-12087/0002-range-check-dir_ndx-before-use.patch delete mode 100644 pkgs/applications/networking/sync/rsync/CVE-2024-12088/0001-make-safe-links-stricter.patch delete mode 100644 pkgs/applications/networking/sync/rsync/CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch delete mode 100644 pkgs/applications/networking/sync/rsync/configure.ac-fix-failing-IPv6-check.patch delete mode 100644 pkgs/applications/networking/sync/rsync/raise-protocol-version-to-32.patch diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12084/0001-Some-checksum-buffer-fixes.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12084/0001-Some-checksum-buffer-fixes.patch deleted file mode 100644 index e5ba8ddc6f79a..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12084/0001-Some-checksum-buffer-fixes.patch +++ /dev/null @@ -1,151 +0,0 @@ -From 0902b52f6687b1f7952422080d50b93108742e53 Mon Sep 17 00:00:00 2001 -From: Wayne Davison -Date: Tue, 29 Oct 2024 22:55:29 -0700 -Subject: [PATCH 1/2] Some checksum buffer fixes. - -- Put sum2_array into sum_struct to hold an array of sum2 checksums - that are each xfer_sum_len bytes. -- Remove sum2 buf from sum_buf. -- Add macro sum2_at() to access each sum2 array element. -- Throw an error if a sums header has an s2length larger than - xfer_sum_len. ---- - io.c | 3 ++- - match.c | 8 ++++---- - rsync.c | 5 ++++- - rsync.h | 4 +++- - sender.c | 4 +++- - 5 files changed, 16 insertions(+), 8 deletions(-) - -diff --git a/io.c b/io.c -index a99ac0ec..bb60eeca 100644 ---- a/io.c -+++ b/io.c -@@ -55,6 +55,7 @@ extern int read_batch; - extern int compat_flags; - extern int protect_args; - extern int checksum_seed; -+extern int xfer_sum_len; - extern int daemon_connection; - extern int protocol_version; - extern int remove_source_files; -@@ -1977,7 +1978,7 @@ void read_sum_head(int f, struct sum_struct *sum) - exit_cleanup(RERR_PROTOCOL); - } - sum->s2length = protocol_version < 27 ? csum_length : (int)read_int(f); -- if (sum->s2length < 0 || sum->s2length > MAX_DIGEST_LEN) { -+ if (sum->s2length < 0 || sum->s2length > xfer_sum_len) { - rprintf(FERROR, "Invalid checksum length %d [%s]\n", - sum->s2length, who_am_i()); - exit_cleanup(RERR_PROTOCOL); -diff --git a/match.c b/match.c -index cdb30a15..36e78ed2 100644 ---- a/match.c -+++ b/match.c -@@ -232,7 +232,7 @@ static void hash_search(int f,struct sum_struct *s, - done_csum2 = 1; - } - -- if (memcmp(sum2,s->sums[i].sum2,s->s2length) != 0) { -+ if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0) { - false_alarms++; - continue; - } -@@ -252,7 +252,7 @@ static void hash_search(int f,struct sum_struct *s, - if (i != aligned_i) { - if (sum != s->sums[aligned_i].sum1 - || l != s->sums[aligned_i].len -- || memcmp(sum2, s->sums[aligned_i].sum2, s->s2length) != 0) -+ || memcmp(sum2, sum2_at(s, aligned_i), s->s2length) != 0) - goto check_want_i; - i = aligned_i; - } -@@ -271,7 +271,7 @@ static void hash_search(int f,struct sum_struct *s, - if (sum != s->sums[i].sum1) - goto check_want_i; - get_checksum2((char *)map, l, sum2); -- if (memcmp(sum2, s->sums[i].sum2, s->s2length) != 0) -+ if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0) - goto check_want_i; - /* OK, we have a re-alignment match. Bump the offset - * forward to the new match point. */ -@@ -290,7 +290,7 @@ static void hash_search(int f,struct sum_struct *s, - && (!updating_basis_file || s->sums[want_i].offset >= offset - || s->sums[want_i].flags & SUMFLG_SAME_OFFSET) - && sum == s->sums[want_i].sum1 -- && memcmp(sum2, s->sums[want_i].sum2, s->s2length) == 0) { -+ && memcmp(sum2, sum2_at(s, want_i), s->s2length) == 0) { - /* we've found an adjacent match - the RLL coder - * will be happy */ - i = want_i; -diff --git a/rsync.c b/rsync.c -index cd288f57..b130aba5 100644 ---- a/rsync.c -+++ b/rsync.c -@@ -437,7 +437,10 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag_ptr, uchar *type_ptr, cha - */ - void free_sums(struct sum_struct *s) - { -- if (s->sums) free(s->sums); -+ if (s->sums) { -+ free(s->sums); -+ free(s->sum2_array); -+ } - free(s); - } - -diff --git a/rsync.h b/rsync.h -index d3709fe0..8ddbe702 100644 ---- a/rsync.h -+++ b/rsync.h -@@ -958,12 +958,12 @@ struct sum_buf { - uint32 sum1; /**< simple checksum */ - int32 chain; /**< next hash-table collision */ - short flags; /**< flag bits */ -- char sum2[SUM_LENGTH]; /**< checksum */ - }; - - struct sum_struct { - OFF_T flength; /**< total file length */ - struct sum_buf *sums; /**< points to info for each chunk */ -+ char *sum2_array; /**< checksums of length xfer_sum_len */ - int32 count; /**< how many chunks */ - int32 blength; /**< block_length */ - int32 remainder; /**< flength % block_length */ -@@ -982,6 +982,8 @@ struct map_struct { - int status; /* first errno from read errors */ - }; - -+#define sum2_at(s, i) ((s)->sum2_array + ((OFF_T)(i) * xfer_sum_len)) -+ - #define NAME_IS_FILE (0) /* filter name as a file */ - #define NAME_IS_DIR (1<<0) /* filter name as a dir */ - #define NAME_IS_XATTR (1<<2) /* filter name as an xattr */ -diff --git a/sender.c b/sender.c -index 3d4f052e..ab205341 100644 ---- a/sender.c -+++ b/sender.c -@@ -31,6 +31,7 @@ extern int log_before_transfer; - extern int stdout_format_has_i; - extern int logfile_format_has_i; - extern int want_xattr_optim; -+extern int xfer_sum_len; - extern int csum_length; - extern int append_mode; - extern int copy_links; -@@ -94,10 +95,11 @@ static struct sum_struct *receive_sums(int f) - return(s); - - s->sums = new_array(struct sum_buf, s->count); -+ s->sum2_array = new_array(char, s->count * xfer_sum_len); - - for (i = 0; i < s->count; i++) { - s->sums[i].sum1 = read_int(f); -- read_buf(f, s->sums[i].sum2, s->s2length); -+ read_buf(f, sum2_at(s, i), s->s2length); - - s->sums[i].offset = offset; - s->sums[i].flags = 0; --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12084/0002-Another-cast-when-multiplying-integers.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12084/0002-Another-cast-when-multiplying-integers.patch deleted file mode 100644 index 5a21d71b292e2..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12084/0002-Another-cast-when-multiplying-integers.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 42e2b56c4ede3ab164f9a5c6dae02aa84606a6c1 Mon Sep 17 00:00:00 2001 -From: Wayne Davison -Date: Tue, 5 Nov 2024 11:01:03 -0800 -Subject: [PATCH 2/2] Another cast when multiplying integers. - ---- - rsync.h | 2 +- - sender.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/rsync.h b/rsync.h -index 8ddbe702..0f9e277f 100644 ---- a/rsync.h -+++ b/rsync.h -@@ -982,7 +982,7 @@ struct map_struct { - int status; /* first errno from read errors */ - }; - --#define sum2_at(s, i) ((s)->sum2_array + ((OFF_T)(i) * xfer_sum_len)) -+#define sum2_at(s, i) ((s)->sum2_array + ((size_t)(i) * xfer_sum_len)) - - #define NAME_IS_FILE (0) /* filter name as a file */ - #define NAME_IS_DIR (1<<0) /* filter name as a dir */ -diff --git a/sender.c b/sender.c -index ab205341..2bbff2fa 100644 ---- a/sender.c -+++ b/sender.c -@@ -95,7 +95,7 @@ static struct sum_struct *receive_sums(int f) - return(s); - - s->sums = new_array(struct sum_buf, s->count); -- s->sum2_array = new_array(char, s->count * xfer_sum_len); -+ s->sum2_array = new_array(char, (size_t)s->count * xfer_sum_len); - - for (i = 0; i < s->count; i++) { - s->sums[i].sum1 = read_int(f); --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12085/0001-prevent-information-leak-off-the-stack.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12085/0001-prevent-information-leak-off-the-stack.patch deleted file mode 100644 index 7356fb6cb022a..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12085/0001-prevent-information-leak-off-the-stack.patch +++ /dev/null @@ -1,27 +0,0 @@ -From cf620065502f065d4ea44f5df4f81295a738aa21 Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Thu, 14 Nov 2024 09:57:08 +1100 -Subject: [PATCH] prevent information leak off the stack - -prevent leak of uninitialised stack data in hash_search ---- - match.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/match.c b/match.c -index 36e78ed2..dfd6af2c 100644 ---- a/match.c -+++ b/match.c -@@ -147,6 +147,9 @@ static void hash_search(int f,struct sum_struct *s, - int more; - schar *map; - -+ // prevent possible memory leaks -+ memset(sum2, 0, sizeof sum2); -+ - /* want_i is used to encourage adjacent matches, allowing the RLL - * coding of the output to work more efficiently. */ - want_i = 0; --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0001-refuse-fuzzy-options-when-fuzzy-not-selected.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0001-refuse-fuzzy-options-when-fuzzy-not-selected.patch deleted file mode 100644 index f409b1aa7ec72..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0001-refuse-fuzzy-options-when-fuzzy-not-selected.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 3feb8669d875d03c9ceb82e208ef40ddda8eb908 Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Sat, 23 Nov 2024 11:08:03 +1100 -Subject: [PATCH 1/4] refuse fuzzy options when fuzzy not selected - -this prevents a malicious server providing a file to compare to when -the user has not given the fuzzy option ---- - receiver.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/receiver.c b/receiver.c -index 6b4b369e..2d7f6033 100644 ---- a/receiver.c -+++ b/receiver.c -@@ -66,6 +66,7 @@ extern char sender_file_sum[MAX_DIGEST_LEN]; - extern struct file_list *cur_flist, *first_flist, *dir_flist; - extern filter_rule_list daemon_filter_list; - extern OFF_T preallocated_len; -+extern int fuzzy_basis; - - extern struct name_num_item *xfer_sum_nni; - extern int xfer_sum_len; -@@ -716,6 +717,10 @@ int recv_files(int f_in, int f_out, char *local_name) - fnamecmp = get_backup_name(fname); - break; - case FNAMECMP_FUZZY: -+ if (fuzzy_basis == 0) { -+ rprintf(FERROR_XFER, "rsync: refusing malicious fuzzy operation for %s\n", xname); -+ exit_cleanup(RERR_PROTOCOL); -+ } - if (file->dirname) { - pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname); - fnamecmp = fnamecmpbuf; --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0002-added-secure_relative_open.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0002-added-secure_relative_open.patch deleted file mode 100644 index 719c6f1a7cff6..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0002-added-secure_relative_open.patch +++ /dev/null @@ -1,103 +0,0 @@ -From 33385aefe4773e7a3982d41995681eb079c92d12 Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Sat, 23 Nov 2024 12:26:10 +1100 -Subject: [PATCH 2/4] added secure_relative_open() - -this is an open that enforces no symlink following for all path -components in a relative path ---- - syscall.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 74 insertions(+) - -diff --git a/syscall.c b/syscall.c -index d92074aa..a4b7f542 100644 ---- a/syscall.c -+++ b/syscall.c -@@ -33,6 +33,8 @@ - #include - #endif - -+#include "ifuncs.h" -+ - extern int dry_run; - extern int am_root; - extern int am_sender; -@@ -712,3 +714,75 @@ int do_open_nofollow(const char *pathname, int flags) - - return fd; - } -+ -+/* -+ open a file relative to a base directory. The basedir can be NULL, -+ in which case the current working directory is used. The relpath -+ must be a relative path, and the relpath must not contain any -+ elements in the path which follow symlinks (ie. like O_NOFOLLOW, but -+ applies to all path components, not just the last component) -+*/ -+int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode) -+{ -+ if (!relpath || relpath[0] == '/') { -+ // must be a relative path -+ errno = EINVAL; -+ return -1; -+ } -+ -+#if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY) -+ // really old system, all we can do is live with the risks -+ if (!basedir) { -+ return open(relpath, flags, mode); -+ } -+ char fullpath[MAXPATHLEN]; -+ pathjoin(fullpath, sizeof fullpath, basedir, relpath); -+ return open(fullpath, flags, mode); -+#else -+ int dirfd = AT_FDCWD; -+ if (basedir != NULL) { -+ dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY); -+ if (dirfd == -1) { -+ return -1; -+ } -+ } -+ int retfd = -1; -+ -+ char *path_copy = my_strdup(relpath, __FILE__, __LINE__); -+ if (!path_copy) { -+ return -1; -+ } -+ -+ for (const char *part = strtok(path_copy, "/"); -+ part != NULL; -+ part = strtok(NULL, "/")) -+ { -+ int next_fd = openat(dirfd, part, O_RDONLY | O_DIRECTORY | O_NOFOLLOW); -+ if (next_fd == -1 && errno == ENOTDIR) { -+ if (strtok(NULL, "/") != NULL) { -+ // this is not the last component of the path -+ errno = ELOOP; -+ goto cleanup; -+ } -+ // this could be the last component of the path, try as a file -+ retfd = openat(dirfd, part, flags | O_NOFOLLOW, mode); -+ goto cleanup; -+ } -+ if (next_fd == -1) { -+ goto cleanup; -+ } -+ if (dirfd != AT_FDCWD) close(dirfd); -+ dirfd = next_fd; -+ } -+ -+ // the path must be a directory -+ errno = EINVAL; -+ -+cleanup: -+ free(path_copy); -+ if (dirfd != AT_FDCWD) { -+ close(dirfd); -+ } -+ return retfd; -+#endif // O_NOFOLLOW, O_DIRECTORY -+} --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0003-receiver-use-secure_relative_open-for-basis-file.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0003-receiver-use-secure_relative_open-for-basis-file.patch deleted file mode 100644 index 4be6391648dfd..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0003-receiver-use-secure_relative_open-for-basis-file.patch +++ /dev/null @@ -1,103 +0,0 @@ -From e59ef9939d3f0ccc8f9bab51442989a81be0c914 Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Sat, 23 Nov 2024 12:28:13 +1100 -Subject: [PATCH 3/4] receiver: use secure_relative_open() for basis file - -this prevents attacks where the basis file is manipulated by a -malicious sender to gain information about files outside the -destination tree ---- - receiver.c | 42 ++++++++++++++++++++++++++---------------- - 1 file changed, 26 insertions(+), 16 deletions(-) - -diff --git a/receiver.c b/receiver.c -index 2d7f6033..8031b8f4 100644 ---- a/receiver.c -+++ b/receiver.c -@@ -552,6 +552,8 @@ int recv_files(int f_in, int f_out, char *local_name) - progress_init(); - - while (1) { -+ const char *basedir = NULL; -+ - cleanup_disable(); - - /* This call also sets cur_flist. */ -@@ -722,27 +724,29 @@ int recv_files(int f_in, int f_out, char *local_name) - exit_cleanup(RERR_PROTOCOL); - } - if (file->dirname) { -- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname); -- fnamecmp = fnamecmpbuf; -- } else -- fnamecmp = xname; -+ basedir = file->dirname; -+ } -+ fnamecmp = xname; - break; - default: - if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) { - fnamecmp_type -= FNAMECMP_FUZZY + 1; - if (file->dirname) { -- stringjoin(fnamecmpbuf, sizeof fnamecmpbuf, -- basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL); -- } else -- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname); -+ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname); -+ basedir = fnamecmpbuf; -+ } else { -+ basedir = basis_dir[fnamecmp_type]; -+ } -+ fnamecmp = xname; - } else if (fnamecmp_type >= basis_dir_cnt) { - rprintf(FERROR, - "invalid basis_dir index: %d.\n", - fnamecmp_type); - exit_cleanup(RERR_PROTOCOL); -- } else -- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname); -- fnamecmp = fnamecmpbuf; -+ } else { -+ basedir = basis_dir[fnamecmp_type]; -+ fnamecmp = fname; -+ } - break; - } - if (!fnamecmp || (daemon_filter_list.head -@@ -765,7 +769,7 @@ int recv_files(int f_in, int f_out, char *local_name) - } - - /* open the file */ -- fd1 = do_open(fnamecmp, O_RDONLY, 0); -+ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0); - - if (fd1 == -1 && protocol_version < 29) { - if (fnamecmp != fname) { -@@ -776,14 +780,20 @@ int recv_files(int f_in, int f_out, char *local_name) - - if (fd1 == -1 && basis_dir[0]) { - /* pre-29 allowed only one alternate basis */ -- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, -- basis_dir[0], fname); -- fnamecmp = fnamecmpbuf; -+ basedir = basis_dir[0]; -+ fnamecmp = fname; - fnamecmp_type = FNAMECMP_BASIS_DIR_LOW; -- fd1 = do_open(fnamecmp, O_RDONLY, 0); -+ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0); - } - } - -+ if (basedir) { -+ // for the following code we need the full -+ // path name as a single string -+ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp); -+ fnamecmp = fnamecmpbuf; -+ } -+ - one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR; - updating_basis_or_equiv = one_inplace - || (inplace && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP)); --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0004-disallow-.-elements-in-relpath-for-secure_relative_o.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0004-disallow-.-elements-in-relpath-for-secure_relative_o.patch deleted file mode 100644 index 74a16e79a16a4..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0004-disallow-.-elements-in-relpath-for-secure_relative_o.patch +++ /dev/null @@ -1,37 +0,0 @@ -From c78e53edb802d04f7e4e070fe8314f2544749e7a Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Tue, 26 Nov 2024 09:16:31 +1100 -Subject: [PATCH 4/4] disallow ../ elements in relpath for secure_relative_open - ---- - syscall.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/syscall.c b/syscall.c -index a4b7f542..47c5ea57 100644 ---- a/syscall.c -+++ b/syscall.c -@@ -721,6 +721,8 @@ int do_open_nofollow(const char *pathname, int flags) - must be a relative path, and the relpath must not contain any - elements in the path which follow symlinks (ie. like O_NOFOLLOW, but - applies to all path components, not just the last component) -+ -+ The relpath must also not contain any ../ elements in the path - */ - int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode) - { -@@ -729,6 +731,11 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo - errno = EINVAL; - return -1; - } -+ if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) { -+ // no ../ elements allowed in the relpath -+ errno = EINVAL; -+ return -1; -+ } - - #if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY) - // really old system, all we can do is live with the risks --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12087/0001-Refuse-a-duplicate-dirlist.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12087/0001-Refuse-a-duplicate-dirlist.patch deleted file mode 100644 index 99ebc15bd4585..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12087/0001-Refuse-a-duplicate-dirlist.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 0ebc19ee486a8e928a68d8f98d07d40f176770aa Mon Sep 17 00:00:00 2001 -From: Wayne Davison -Date: Thu, 14 Nov 2024 15:46:50 -0800 -Subject: [PATCH 1/2] Refuse a duplicate dirlist. - ---- - flist.c | 9 +++++++++ - rsync.h | 1 + - 2 files changed, 10 insertions(+) - -diff --git a/flist.c b/flist.c -index 464d556e..847b1054 100644 ---- a/flist.c -+++ b/flist.c -@@ -2584,6 +2584,15 @@ struct file_list *recv_file_list(int f, int dir_ndx) - init_hard_links(); - #endif - -+ if (inc_recurse && dir_ndx >= 0) { -+ struct file_struct *file = dir_flist->files[dir_ndx]; -+ if (file->flags & FLAG_GOT_DIR_FLIST) { -+ rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx); -+ exit_cleanup(RERR_PROTOCOL); -+ } -+ file->flags |= FLAG_GOT_DIR_FLIST; -+ } -+ - flist = flist_new(0, "recv_file_list"); - flist_expand(flist, FLIST_START_LARGE); - -diff --git a/rsync.h b/rsync.h -index 0f9e277f..b9a7101a 100644 ---- a/rsync.h -+++ b/rsync.h -@@ -84,6 +84,7 @@ - #define FLAG_DUPLICATE (1<<4) /* sender */ - #define FLAG_MISSING_DIR (1<<4) /* generator */ - #define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */ -+#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */ - #define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */ - #define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */ - #define FLAG_HLINK_LAST (1<<7) /* receiver/generator */ --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12087/0002-range-check-dir_ndx-before-use.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12087/0002-range-check-dir_ndx-before-use.patch deleted file mode 100644 index b067809ebb3af..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12087/0002-range-check-dir_ndx-before-use.patch +++ /dev/null @@ -1,27 +0,0 @@ -From b3e16be18d582dac1513c0a932d146b36e867b1b Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Tue, 26 Nov 2024 16:12:45 +1100 -Subject: [PATCH 2/2] range check dir_ndx before use - ---- - flist.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/flist.c b/flist.c -index 847b1054..087f9da6 100644 ---- a/flist.c -+++ b/flist.c -@@ -2585,6 +2585,10 @@ struct file_list *recv_file_list(int f, int dir_ndx) - #endif - - if (inc_recurse && dir_ndx >= 0) { -+ if (dir_ndx >= dir_flist->used) { -+ rprintf(FERROR_XFER, "rsync: refusing invalid dir_ndx %u >= %u\n", dir_ndx, dir_flist->used); -+ exit_cleanup(RERR_PROTOCOL); -+ } - struct file_struct *file = dir_flist->files[dir_ndx]; - if (file->flags & FLAG_GOT_DIR_FLIST) { - rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx); --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12088/0001-make-safe-links-stricter.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12088/0001-make-safe-links-stricter.patch deleted file mode 100644 index 2ba588127013a..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12088/0001-make-safe-links-stricter.patch +++ /dev/null @@ -1,136 +0,0 @@ -From 535f8f816539ba681ef0f12015d2cb587ae61b6d Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Sat, 23 Nov 2024 15:15:53 +1100 -Subject: [PATCH] make --safe-links stricter - -when --safe-links is used also reject links where a '../' component is -included in the destination as other than the leading part of the -filename ---- - testsuite/safe-links.test | 55 ++++++++++++++++++++++++++++++++++++ - testsuite/unsafe-byname.test | 2 +- - util1.c | 26 ++++++++++++++++- - 3 files changed, 81 insertions(+), 2 deletions(-) - create mode 100644 testsuite/safe-links.test - -diff --git a/testsuite/safe-links.test b/testsuite/safe-links.test -new file mode 100644 -index 00000000..6e95a4b9 ---- /dev/null -+++ b/testsuite/safe-links.test -@@ -0,0 +1,55 @@ -+#!/bin/sh -+ -+. "$suitedir/rsync.fns" -+ -+test_symlink() { -+ is_a_link "$1" || test_fail "File $1 is not a symlink" -+} -+ -+test_regular() { -+ if [ ! -f "$1" ]; then -+ test_fail "File $1 is not regular file or not exists" -+ fi -+} -+ -+test_notexist() { -+ if [ -e "$1" ]; then -+ test_fail "File $1 exists" -+ fi -+ if [ -h "$1" ]; then -+ test_fail "File $1 exists as a symlink" -+ fi -+} -+ -+cd "$tmpdir" -+ -+mkdir from -+ -+mkdir "from/safe" -+mkdir "from/unsafe" -+ -+mkdir "from/safe/files" -+mkdir "from/safe/links" -+ -+touch "from/safe/files/file1" -+touch "from/safe/files/file2" -+touch "from/unsafe/unsafefile" -+ -+ln -s ../files/file1 "from/safe/links/" -+ln -s ../files/file2 "from/safe/links/" -+ln -s ../../unsafe/unsafefile "from/safe/links/" -+ln -s a/a/a/../../../unsafe2 "from/safe/links/" -+ -+#echo "LISTING FROM" -+#ls -lR from -+ -+echo "rsync with relative path and just -a" -+$RSYNC -avv --safe-links from/safe/ to -+ -+#echo "LISTING TO" -+#ls -lR to -+ -+test_symlink to/links/file1 -+test_symlink to/links/file2 -+test_notexist to/links/unsafefile -+test_notexist to/links/unsafe2 -diff --git a/testsuite/unsafe-byname.test b/testsuite/unsafe-byname.test -index 75e72014..d2e318ef 100644 ---- a/testsuite/unsafe-byname.test -+++ b/testsuite/unsafe-byname.test -@@ -40,7 +40,7 @@ test_unsafe ..//../dest from/dir unsafe - test_unsafe .. from/file safe - test_unsafe ../.. from/file unsafe - test_unsafe ..//.. from//file unsafe --test_unsafe dir/.. from safe -+test_unsafe dir/.. from unsafe - test_unsafe dir/../.. from unsafe - test_unsafe dir/..//.. from unsafe - -diff --git a/util1.c b/util1.c -index da50ff1e..f260d398 100644 ---- a/util1.c -+++ b/util1.c -@@ -1318,7 +1318,14 @@ int handle_partial_dir(const char *fname, int create) - * - * "src" is the top source directory currently applicable at the level - * of the referenced symlink. This is usually the symlink's full path -- * (including its name), as referenced from the root of the transfer. */ -+ * (including its name), as referenced from the root of the transfer. -+ * -+ * NOTE: this also rejects dest names with a .. component in other -+ * than the first component of the name ie. it rejects names such as -+ * a/b/../x/y. This needs to be done as the leading subpaths 'a' or -+ * 'b' could later be replaced with symlinks such as a link to '.' -+ * resulting in the link being transferred now becoming unsafe -+ */ - int unsafe_symlink(const char *dest, const char *src) - { - const char *name, *slash; -@@ -1328,6 +1335,23 @@ int unsafe_symlink(const char *dest, const char *src) - if (!dest || !*dest || *dest == '/') - return 1; - -+ // reject destinations with /../ in the name other than at the start of the name -+ const char *dest2 = dest; -+ while (strncmp(dest2, "../", 3) == 0) { -+ dest2 += 3; -+ while (*dest2 == '/') { -+ // allow for ..//..///../foo -+ dest2++; -+ } -+ } -+ if (strstr(dest2, "/../")) -+ return 1; -+ -+ // reject if the destination ends in /.. -+ const size_t dlen = strlen(dest); -+ if (dlen > 3 && strcmp(&dest[dlen-3], "/..") == 0) -+ return 1; -+ - /* find out what our safety margin is */ - for (name = src; (slash = strchr(name, '/')) != 0; name = slash+1) { - /* ".." segment starts the count over. "." segment is ignored. */ --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch deleted file mode 100644 index c5401b5df319a..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch +++ /dev/null @@ -1,187 +0,0 @@ -From f45f48055e548851bc7230f454dfeba139be6c04 Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Wed, 18 Dec 2024 08:59:42 +1100 -Subject: [PATCH] fixed symlink race condition in sender - -when we open a file that we don't expect to be a symlink use -O_NOFOLLOW to prevent a race condition where an attacker could change -a file between being a normal file and a symlink ---- - checksum.c | 2 +- - flist.c | 2 +- - generator.c | 4 ++-- - receiver.c | 2 +- - sender.c | 2 +- - syscall.c | 20 ++++++++++++++++++++ - t_unsafe.c | 3 +++ - tls.c | 3 +++ - trimslash.c | 2 ++ - util1.c | 2 +- - 10 files changed, 35 insertions(+), 7 deletions(-) - -diff --git a/checksum.c b/checksum.c -index cb21882c..66e80896 100644 ---- a/checksum.c -+++ b/checksum.c -@@ -406,7 +406,7 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum) - int32 remainder; - int fd; - -- fd = do_open(fname, O_RDONLY, 0); -+ fd = do_open_checklinks(fname); - if (fd == -1) { - memset(sum, 0, file_sum_len); - return; -diff --git a/flist.c b/flist.c -index 087f9da6..17832533 100644 ---- a/flist.c -+++ b/flist.c -@@ -1390,7 +1390,7 @@ struct file_struct *make_file(const char *fname, struct file_list *flist, - - if (copy_devices && am_sender && IS_DEVICE(st.st_mode)) { - if (st.st_size == 0) { -- int fd = do_open(fname, O_RDONLY, 0); -+ int fd = do_open_checklinks(fname); - if (fd >= 0) { - st.st_size = get_device_size(fd, fname); - close(fd); -diff --git a/generator.c b/generator.c -index 110db28f..3f13bb95 100644 ---- a/generator.c -+++ b/generator.c -@@ -1798,7 +1798,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx, - - if (write_devices && IS_DEVICE(sx.st.st_mode) && sx.st.st_size == 0) { - /* This early open into fd skips the regular open below. */ -- if ((fd = do_open(fnamecmp, O_RDONLY, 0)) >= 0) -+ if ((fd = do_open_nofollow(fnamecmp, O_RDONLY)) >= 0) - real_sx.st.st_size = sx.st.st_size = get_device_size(fd, fnamecmp); - } - -@@ -1867,7 +1867,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx, - } - - /* open the file */ -- if (fd < 0 && (fd = do_open(fnamecmp, O_RDONLY, 0)) < 0) { -+ if (fd < 0 && (fd = do_open_checklinks(fnamecmp)) < 0) { - rsyserr(FERROR, errno, "failed to open %s, continuing", - full_fname(fnamecmp)); - pretend_missing: -diff --git a/receiver.c b/receiver.c -index 8031b8f4..edfbb210 100644 ---- a/receiver.c -+++ b/receiver.c -@@ -775,7 +775,7 @@ int recv_files(int f_in, int f_out, char *local_name) - if (fnamecmp != fname) { - fnamecmp = fname; - fnamecmp_type = FNAMECMP_FNAME; -- fd1 = do_open(fnamecmp, O_RDONLY, 0); -+ fd1 = do_open_nofollow(fnamecmp, O_RDONLY); - } - - if (fd1 == -1 && basis_dir[0]) { -diff --git a/sender.c b/sender.c -index 2bbff2fa..a4d46c39 100644 ---- a/sender.c -+++ b/sender.c -@@ -350,7 +350,7 @@ void send_files(int f_in, int f_out) - exit_cleanup(RERR_PROTOCOL); - } - -- fd = do_open(fname, O_RDONLY, 0); -+ fd = do_open_checklinks(fname); - if (fd == -1) { - if (errno == ENOENT) { - enum logcode c = am_daemon && protocol_version < 28 ? FERROR : FWARNING; -diff --git a/syscall.c b/syscall.c -index 081357bb..8cea2900 100644 ---- a/syscall.c -+++ b/syscall.c -@@ -45,6 +45,8 @@ extern int preallocate_files; - extern int preserve_perms; - extern int preserve_executability; - extern int open_noatime; -+extern int copy_links; -+extern int copy_unsafe_links; - - #ifndef S_BLKSIZE - # if defined hpux || defined __hpux__ || defined __hpux -@@ -788,3 +790,21 @@ cleanup: - return retfd; - #endif // O_NOFOLLOW, O_DIRECTORY - } -+ -+/* -+ varient of do_open/do_open_nofollow which does do_open() if the -+ copy_links or copy_unsafe_links options are set and does -+ do_open_nofollow() otherwise -+ -+ This is used to prevent a race condition where an attacker could be -+ switching a file between being a symlink and being a normal file -+ -+ The open is always done with O_RDONLY flags -+ */ -+int do_open_checklinks(const char *pathname) -+{ -+ if (copy_links || copy_unsafe_links) { -+ return do_open(pathname, O_RDONLY, 0); -+ } -+ return do_open_nofollow(pathname, O_RDONLY); -+} -diff --git a/t_unsafe.c b/t_unsafe.c -index 010cac50..e10619a2 100644 ---- a/t_unsafe.c -+++ b/t_unsafe.c -@@ -28,6 +28,9 @@ int am_root = 0; - int am_sender = 1; - int read_only = 0; - int list_only = 0; -+int copy_links = 0; -+int copy_unsafe_links = 0; -+ - short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG]; - - int -diff --git a/tls.c b/tls.c -index e6b0708a..858f8f10 100644 ---- a/tls.c -+++ b/tls.c -@@ -49,6 +49,9 @@ int list_only = 0; - int link_times = 0; - int link_owner = 0; - int nsec_times = 0; -+int safe_symlinks = 0; -+int copy_links = 0; -+int copy_unsafe_links = 0; - - #ifdef SUPPORT_XATTRS - -diff --git a/trimslash.c b/trimslash.c -index 1ec928ca..f2774cd7 100644 ---- a/trimslash.c -+++ b/trimslash.c -@@ -26,6 +26,8 @@ int am_root = 0; - int am_sender = 1; - int read_only = 1; - int list_only = 0; -+int copy_links = 0; -+int copy_unsafe_links = 0; - - int - main(int argc, char **argv) -diff --git a/util1.c b/util1.c -index f260d398..d84bc414 100644 ---- a/util1.c -+++ b/util1.c -@@ -365,7 +365,7 @@ int copy_file(const char *source, const char *dest, int tmpfilefd, mode_t mode) - int len; /* Number of bytes read into `buf'. */ - OFF_T prealloc_len = 0, offset = 0; - -- if ((ifd = do_open(source, O_RDONLY, 0)) < 0) { -+ if ((ifd = do_open_nofollow(source, O_RDONLY)) < 0) { - int save_errno = errno; - rsyserr(FERROR_XFER, errno, "open %s", full_fname(source)); - errno = save_errno; --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/configure.ac-fix-failing-IPv6-check.patch b/pkgs/applications/networking/sync/rsync/configure.ac-fix-failing-IPv6-check.patch deleted file mode 100644 index 3305653d025ff..0000000000000 --- a/pkgs/applications/networking/sync/rsync/configure.ac-fix-failing-IPv6-check.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -rup rsync-3.2.7/configure.sh rsync-3.2.7-fixed/configure.sh ---- rsync-3.2.7/configure.sh 2022-10-20 17:57:22 -+++ rsync-3.2.7-fixed/configure.sh 2024-01-01 19:51:58 -@@ -7706,7 +7706,7 @@ else $as_nop - #include - #include - #include --main() -+int main() - { - if (socket(AF_INET6, SOCK_STREAM, 0) < 0) - exit(1); diff --git a/pkgs/applications/networking/sync/rsync/default.nix b/pkgs/applications/networking/sync/rsync/default.nix index 8ccd645c09def..0d6710c0a02db 100644 --- a/pkgs/applications/networking/sync/rsync/default.nix +++ b/pkgs/applications/networking/sync/rsync/default.nix @@ -22,12 +22,12 @@ stdenv.mkDerivation rec { pname = "rsync"; - version = "3.3.0"; + version = "3.4.1"; src = fetchurl { - # signed with key 0048 C8B0 26D4 C96F 0E58 9C2F 6C85 9FB1 4B96 A8C5 + # signed with key 9FEF 112D CE19 A0DC 7E88 2CB8 1BB2 4997 A853 5F6F url = "mirror://samba/rsync/src/rsync-${version}.tar.gz"; - hash = "sha256-c5nppnCMMtZ4pypjIZ6W8jvgviM25Q/RNISY0HBB35A="; + hash = "sha256-KSS8s6Hti1UfwQH3QLnw/gogKxFQJ2R89phQ1l/YjFI="; }; nativeBuildInputs = [ @@ -35,23 +35,6 @@ stdenv.mkDerivation rec { perl ]; - patches = [ - # https://github.com/WayneD/rsync/pull/558 - ./configure.ac-fix-failing-IPv6-check.patch - ./CVE-2024-12084/0001-Some-checksum-buffer-fixes.patch - ./CVE-2024-12084/0002-Another-cast-when-multiplying-integers.patch - ./CVE-2024-12085/0001-prevent-information-leak-off-the-stack.patch - ./CVE-2024-12086/0001-refuse-fuzzy-options-when-fuzzy-not-selected.patch - ./CVE-2024-12086/0002-added-secure_relative_open.patch - ./CVE-2024-12086/0003-receiver-use-secure_relative_open-for-basis-file.patch - ./CVE-2024-12086/0004-disallow-.-elements-in-relpath-for-secure_relative_o.patch - ./CVE-2024-12087/0001-Refuse-a-duplicate-dirlist.patch - ./CVE-2024-12087/0002-range-check-dir_ndx-before-use.patch - ./CVE-2024-12088/0001-make-safe-links-stricter.patch - ./CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch - ./raise-protocol-version-to-32.patch - ]; - buildInputs = [ libiconv diff --git a/pkgs/applications/networking/sync/rsync/raise-protocol-version-to-32.patch b/pkgs/applications/networking/sync/rsync/raise-protocol-version-to-32.patch deleted file mode 100644 index 94054fdc8c359..0000000000000 --- a/pkgs/applications/networking/sync/rsync/raise-protocol-version-to-32.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 163e05b1680c4a3b448fa68d03c3fca9589f3bc4 Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Tue, 10 Dec 2024 13:34:01 +1100 -Subject: [PATCH 1/3] raise protocol version to 32 - -make it easier to spot unpatched servers ---- - rsync.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/rsync.h b/rsync.h -index b9a7101a..9be1297b 100644 ---- a/rsync.h -+++ b/rsync.h -@@ -111,7 +111,7 @@ - - /* Update this if you make incompatible changes and ALSO update the - * SUBPROTOCOL_VERSION if it is not a final (official) release. */ --#define PROTOCOL_VERSION 31 -+#define PROTOCOL_VERSION 32 - - /* This is used when working on a new protocol version or for any unofficial - * protocol tweaks. It should be a non-zero value for each pre-release repo --- -2.34.1 - From 99241537efce8da8ccaeb1a0815ea9fddd4a63dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20=C5=BDlender?= Date: Tue, 14 Jan 2025 10:55:36 +0100 Subject: [PATCH 12/19] curl: apply eventfd free patch (#373692) (cherry picked from commit 9d9ddb55ca18e7756e604ae2b425be3defe89a9e) Picked with some nit changes. --- .../cu/curlMinimal/fix-eventfd-free.patch | 33 +++++++++++++++++++ pkgs/by-name/cu/curlMinimal/package.nix | 6 ++++ 2 files changed, 39 insertions(+) create mode 100644 pkgs/by-name/cu/curlMinimal/fix-eventfd-free.patch diff --git a/pkgs/by-name/cu/curlMinimal/fix-eventfd-free.patch b/pkgs/by-name/cu/curlMinimal/fix-eventfd-free.patch new file mode 100644 index 0000000000000..5b0979fd4cbdc --- /dev/null +++ b/pkgs/by-name/cu/curlMinimal/fix-eventfd-free.patch @@ -0,0 +1,33 @@ +From ff5091aa9f73802e894b1cbdf24ab84e103200e2 Mon Sep 17 00:00:00 2001 +From: Andy Pan +Date: Thu, 12 Dec 2024 12:48:56 +0000 +Subject: [PATCH] async-thread: avoid closing eventfd twice + +When employing eventfd for socketpair, there is only one file +descriptor. Closing that fd twice might result in fd corruption. +Thus, we should avoid closing the eventfd twice, following the +pattern in lib/multi.c. + +Fixes #15725 +Closes #15727 +Reported-by: Christian Heusel +--- + lib/asyn-thread.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c +index a58e4b790494..32d496b107cb 100644 +--- a/lib/asyn-thread.c ++++ b/lib/asyn-thread.c +@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd) + * close one end of the socket pair (may be done in resolver thread); + * the other end (for reading) is always closed in the parent thread. + */ ++#ifndef USE_EVENTFD + if(tsd->sock_pair[1] != CURL_SOCKET_BAD) { + wakeup_close(tsd->sock_pair[1]); + } ++#endif + #endif + memset(tsd, 0, sizeof(*tsd)); + } diff --git a/pkgs/by-name/cu/curlMinimal/package.nix b/pkgs/by-name/cu/curlMinimal/package.nix index 2716d08839a41..445fe9f8e2942 100644 --- a/pkgs/by-name/cu/curlMinimal/package.nix +++ b/pkgs/by-name/cu/curlMinimal/package.nix @@ -59,6 +59,12 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-x8p9tIsJCXQ+rvNCUNoCwZvGHU8dzt1mA/EJQJU2q1Y="; }; + # FIXME: avoid rebuilding lots of darwin packages for now; eventfd looks linux-only + patches = lib.optionals stdenv.isLinux [ + # https://github.com/curl/curl/issues/15725 + ./fix-eventfd-free.patch + ]; + # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion # necessary for FreeBSD code path in configure postPatch = '' From 7ad65336c3ffd9e320c5f6fccbf740ba29e87a0a Mon Sep 17 00:00:00 2001 From: Paul Meyer Date: Fri, 17 Jan 2025 10:30:35 +0100 Subject: [PATCH 13/19] go_1_23: 1.23.4 -> 1.23.5 Signed-off-by: Paul Meyer --- pkgs/development/compilers/go/1.23.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/compilers/go/1.23.nix b/pkgs/development/compilers/go/1.23.nix index 08c17cca8c037..4abc239546249 100644 --- a/pkgs/development/compilers/go/1.23.nix +++ b/pkgs/development/compilers/go/1.23.nix @@ -50,11 +50,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "go"; - version = "1.23.3"; + version = "1.23.5"; src = fetchurl { url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz"; - hash = "sha256-jWp3MySHVXxq+iQhExtQ+D20rjxXnDvHLmcO4faWhZk="; + hash = "sha256-pvP0u9PmvdYm95tmjyEvu1ZJ2vdQhPt5tnigrk2XQjs="; }; strictDeps = true; From 84ce9af4d2081b946e729228fdf39629a9fc87f3 Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Tue, 14 Jan 2025 19:17:04 +0100 Subject: [PATCH 14/19] git: 2.47.1 -> 2.47.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes CVE-2024-50349 and CVE-2024-52006 https://raw.githubusercontent.com/git/git/v2.47.2/Documentation/RelNotes/2.47.2.txt ``` - CVE-2024-50349: Printing unsanitized URLs when asking for credentials makes the user susceptible to crafted URLs (e.g. in recursive clones). These URLs can mislead the user into typing in passwords for trusted sites that would then be sent to untrusted sites instead. A potential scenario of how this can be exploited is a recursive clone where one of the submodules prompts for a password, pretending to ask for a different host than the password will be sent to. - CVE-2024-52006: Git may pass on Carriage Returns via the credential protocol to credential helpers which use line-reading functions that interpret Carriage Returns as line endings, even though this is not what was intended (but Git’s documentation did not clarify that "newline" meant "Line Feed character"). This affected the popular .NET-based Git Credential Manager, which has been updated accordingly in coordination with the Git project. ``` (cherry picked from commit 7e92703f04b1096df66822ea227d8ffeeca3013d) --- pkgs/applications/version-management/git/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/version-management/git/default.nix b/pkgs/applications/version-management/git/default.nix index 4ec161a897589..082b1c9f37aa1 100644 --- a/pkgs/applications/version-management/git/default.nix +++ b/pkgs/applications/version-management/git/default.nix @@ -30,7 +30,7 @@ assert sendEmailSupport -> perlSupport; assert svnSupport -> perlSupport; let - version = "2.47.1"; + version = "2.47.2"; svn = subversionClient.override { perlBindings = perlSupport; }; gitwebPerlLibs = with perlPackages; [ CGI HTMLParser CGIFast FCGI FCGIProcManager HTMLTagCloud ]; in @@ -43,7 +43,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz"; - hash = "sha256-89j5uyOuOSN06RzZ05WXDavFucXucvOYhGE82Epu0xA="; + hash = "sha256-sZJovmtvFVa0ep3YNCcuFn06dXQM3NKDzzgS7f/jkw8="; }; outputs = [ "out" ] ++ lib.optional withManual "doc"; From 7b0d7bd27d90ac02ac6cfd7bf8436e2f393e42a8 Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Sat, 18 Jan 2025 12:39:44 +0100 Subject: [PATCH 15/19] redis: 7.2.6 -> 7.2.7 Fixes CVE-2024-46981 and CVE-2024-51741. https://github.com/redis/redis/releases/tag/7.2.7 (cherry picked from commit 63c77937bbb9ee419094d14cdf7683578ee02d1b) --- pkgs/by-name/re/redis/package.nix | 28 +++++++++------------------- 1 file changed, 9 insertions(+), 19 deletions(-) diff --git a/pkgs/by-name/re/redis/package.nix b/pkgs/by-name/re/redis/package.nix index 5e008b7d4d900..8e6b697aaa39f 100644 --- a/pkgs/by-name/re/redis/package.nix +++ b/pkgs/by-name/re/redis/package.nix @@ -2,7 +2,6 @@ lib, stdenv, fetchurl, - fetchpatch, lua, jemalloc, pkg-config, @@ -25,29 +24,20 @@ stdenv.mkDerivation (finalAttrs: { pname = "redis"; - version = "7.2.6"; + version = "7.2.7"; src = fetchurl { url = "https://download.redis.io/releases/redis-${finalAttrs.version}.tar.gz"; - hash = "sha256-+xDWei/itFVvbLhABk3W5uMXXOjKA18HJpkOwtqfPQ4="; + hash = "sha256-csCB47jPrnFEJz0m12c28IMZAAr0bAFRXK1dKXZc6tU="; }; - patches = - [ - # fixes: make test [exception]: Executing test client: permission denied - # https://github.com/redis/redis/issues/12792 - (fetchpatch { - url = "https://github.com/redis/redis/pull/12887.diff"; - hash = "sha256-VZEMShW7Ckn5hLJHffQvE94Uly41WZW1bwvxny+Y3W8="; - }) - ] - ++ lib.optionals useSystemJemalloc [ - # use system jemalloc - (fetchurl { - url = "https://gitlab.archlinux.org/archlinux/packaging/packages/redis/-/raw/102cc861713c796756abd541bf341a4512eb06e6/redis-5.0-use-system-jemalloc.patch"; - hash = "sha256-VPRfoSnctkkkzLrXEWQX3Lh5HmZaCXoJafyOG007KzM="; - }) - ]; + patches = lib.optionals useSystemJemalloc [ + # use system jemalloc + (fetchurl { + url = "https://gitlab.archlinux.org/archlinux/packaging/packages/redis/-/raw/102cc861713c796756abd541bf341a4512eb06e6/redis-5.0-use-system-jemalloc.patch"; + hash = "sha256-VPRfoSnctkkkzLrXEWQX3Lh5HmZaCXoJafyOG007KzM="; + }) + ]; nativeBuildInputs = [ pkg-config ]; From 747171b9fbb00bfc3fa2c4ec2a4c5820c55c01f4 Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Tue, 14 Jan 2025 12:32:40 +0100 Subject: [PATCH 16/19] openjpeg: apply patches for CVE-2024-56826 Preferred to apply patches instead of bumping to 2.5.3 until the upgrade can be dealt with, see https://github.com/NixOS/nixpkgs/pull/370072 for the last attempt. (cherry picked from commit b851789ab0f7ae545da7292b04c8cd2aad12bff4) Backport of PR https://github.com/NixOS/nixpkgs/pull/373709 --- pkgs/by-name/op/openjpeg/package.nix | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/pkgs/by-name/op/openjpeg/package.nix b/pkgs/by-name/op/openjpeg/package.nix index 0bfa1067a7f77..2518ed29e8cfb 100644 --- a/pkgs/by-name/op/openjpeg/package.nix +++ b/pkgs/by-name/op/openjpeg/package.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchFromGitHub, cmake, pkg-config +{ lib, stdenv, fetchFromGitHub, fetchpatch, cmake, pkg-config , libpng, libtiff, zlib, lcms2, jpylyzer , jpipLibSupport ? false # JPIP library & executables , jpipServerSupport ? false, curl, fcgi # JPIP Server @@ -32,6 +32,21 @@ stdenv.mkDerivation rec { hash = "sha256-mQ9B3MJY2/bg0yY/7jUJrAXM6ozAHT5fmwES5Q1SGxw="; }; + patches = [ + (fetchpatch { + # https://github.com/uclouvain/openjpeg/issues/1564 + name = "CVE-2024-56826_ISSUE1564.patch"; + url = "https://github.com/uclouvain/openjpeg/commit/e492644fbded4c820ca55b5e50e598d346e850e8.patch"; + hash = "sha256-v+odu4/MXRA+RKOlPO+m/Xk66BMH6mOcEN4ScHn3VAo="; + }) + (fetchpatch { + # https://github.com/uclouvain/openjpeg/issues/1563 + name = "CVE-2024-56826_ISSUE1563.patch"; + url = "https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2.patch"; + hash = "sha256-1ScnEZAPuvclyRME5kbeo7dBMG31Njs5CaYC4sGyx08="; + }) + ]; + outputs = [ "out" "dev" ]; cmakeFlags = [ From 4e5627e01c11e7d8917f86d27d56755d96f288cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sat, 25 Jan 2025 09:41:17 +0100 Subject: [PATCH 17/19] python3Packages.uvloop: avoid test_dns (on darwin) Example issues: https://hydra.nixos.org/build/286095873/nixlog/2/tail (cherry picked from commit e3ad49cbc42c2afcaa30de300e58d142effd03cc) Only applied on darwin, as linux is probably safe (+avoid rebuilds). --- pkgs/development/python-modules/uvloop/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/python-modules/uvloop/default.nix b/pkgs/development/python-modules/uvloop/default.nix index 8ef7730047d5a..98118537bddfc 100644 --- a/pkgs/development/python-modules/uvloop/default.nix +++ b/pkgs/development/python-modules/uvloop/default.nix @@ -69,6 +69,8 @@ buildPythonPackage rec { "--deselect=tests/test_fs_event.py::Test_UV_FS_EVENT_RENAME::test_fs_event_rename" # Broken: https://github.com/NixOS/nixpkgs/issues/160904 "--deselect=tests/test_context.py::Test_UV_Context::test_create_ssl_server_manual_connection_lost" + # Pointless and flaky (depending on the sandbox perhaps) + "--deselect=tests/test_dns.py" ]; disabledTestPaths = [ From 18cd1b9484ae394b3ce08bcbeab50895011f517c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 5 Jan 2025 01:37:36 -0800 Subject: [PATCH 18/19] python312Packages.wandb: skip failing tests (cherry picked from commit 0cba26e6364b519f2e3a6adde9d73b08ff965e1e) --- pkgs/development/python-modules/wandb/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/development/python-modules/wandb/default.nix b/pkgs/development/python-modules/wandb/default.nix index d7ed6a75f16b7..5573e42d401af 100644 --- a/pkgs/development/python-modules/wandb/default.nix +++ b/pkgs/development/python-modules/wandb/default.nix @@ -299,6 +299,11 @@ buildPythonPackage rec { # Error in the moviepy package: # TypeError: must be real number, not NoneType "test_video_numpy_mp4" + + # AssertionError: assert not _IS_INTERNAL_PROCESS + "test_disabled_can_pickle" + "test_disabled_context_manager" + "test_mode_disabled" ] ++ lib.optionals (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isx86_64) [ # AssertionError: assert not copy2_mock.called From 9a9e7a1adb21fde707c81b6fa4d0a20806b87b7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sun, 26 Jan 2025 08:13:40 +0100 Subject: [PATCH 19/19] python3Packages.waitress: disable tests on x86_64-darwin Let's just unblock the dependents. I'm tired of these errors. https://hydra.nixos.org/build/286270226#tabs-buildsteps --- pkgs/development/python-modules/waitress/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/python-modules/waitress/default.nix b/pkgs/development/python-modules/waitress/default.nix index 79e9b73780bb2..e27b8e6a4c385 100644 --- a/pkgs/development/python-modules/waitress/default.nix +++ b/pkgs/development/python-modules/waitress/default.nix @@ -1,4 +1,5 @@ { + stdenv, lib, buildPythonPackage, fetchPypi, @@ -26,6 +27,7 @@ buildPythonPackage rec { pytest-cov-stub ]; + doCheck = !(stdenv.isDarwin && stdenv.isx86_64); disabledTests = [ # access to socket "test_service_port"