diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12084/0001-Some-checksum-buffer-fixes.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12084/0001-Some-checksum-buffer-fixes.patch deleted file mode 100644 index e5ba8ddc6f79a..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12084/0001-Some-checksum-buffer-fixes.patch +++ /dev/null @@ -1,151 +0,0 @@ -From 0902b52f6687b1f7952422080d50b93108742e53 Mon Sep 17 00:00:00 2001 -From: Wayne Davison -Date: Tue, 29 Oct 2024 22:55:29 -0700 -Subject: [PATCH 1/2] Some checksum buffer fixes. - -- Put sum2_array into sum_struct to hold an array of sum2 checksums - that are each xfer_sum_len bytes. -- Remove sum2 buf from sum_buf. -- Add macro sum2_at() to access each sum2 array element. -- Throw an error if a sums header has an s2length larger than - xfer_sum_len. ---- - io.c | 3 ++- - match.c | 8 ++++---- - rsync.c | 5 ++++- - rsync.h | 4 +++- - sender.c | 4 +++- - 5 files changed, 16 insertions(+), 8 deletions(-) - -diff --git a/io.c b/io.c -index a99ac0ec..bb60eeca 100644 ---- a/io.c -+++ b/io.c -@@ -55,6 +55,7 @@ extern int read_batch; - extern int compat_flags; - extern int protect_args; - extern int checksum_seed; -+extern int xfer_sum_len; - extern int daemon_connection; - extern int protocol_version; - extern int remove_source_files; -@@ -1977,7 +1978,7 @@ void read_sum_head(int f, struct sum_struct *sum) - exit_cleanup(RERR_PROTOCOL); - } - sum->s2length = protocol_version < 27 ? csum_length : (int)read_int(f); -- if (sum->s2length < 0 || sum->s2length > MAX_DIGEST_LEN) { -+ if (sum->s2length < 0 || sum->s2length > xfer_sum_len) { - rprintf(FERROR, "Invalid checksum length %d [%s]\n", - sum->s2length, who_am_i()); - exit_cleanup(RERR_PROTOCOL); -diff --git a/match.c b/match.c -index cdb30a15..36e78ed2 100644 ---- a/match.c -+++ b/match.c -@@ -232,7 +232,7 @@ static void hash_search(int f,struct sum_struct *s, - done_csum2 = 1; - } - -- if (memcmp(sum2,s->sums[i].sum2,s->s2length) != 0) { -+ if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0) { - false_alarms++; - continue; - } -@@ -252,7 +252,7 @@ static void hash_search(int f,struct sum_struct *s, - if (i != aligned_i) { - if (sum != s->sums[aligned_i].sum1 - || l != s->sums[aligned_i].len -- || memcmp(sum2, s->sums[aligned_i].sum2, s->s2length) != 0) -+ || memcmp(sum2, sum2_at(s, aligned_i), s->s2length) != 0) - goto check_want_i; - i = aligned_i; - } -@@ -271,7 +271,7 @@ static void hash_search(int f,struct sum_struct *s, - if (sum != s->sums[i].sum1) - goto check_want_i; - get_checksum2((char *)map, l, sum2); -- if (memcmp(sum2, s->sums[i].sum2, s->s2length) != 0) -+ if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0) - goto check_want_i; - /* OK, we have a re-alignment match. Bump the offset - * forward to the new match point. */ -@@ -290,7 +290,7 @@ static void hash_search(int f,struct sum_struct *s, - && (!updating_basis_file || s->sums[want_i].offset >= offset - || s->sums[want_i].flags & SUMFLG_SAME_OFFSET) - && sum == s->sums[want_i].sum1 -- && memcmp(sum2, s->sums[want_i].sum2, s->s2length) == 0) { -+ && memcmp(sum2, sum2_at(s, want_i), s->s2length) == 0) { - /* we've found an adjacent match - the RLL coder - * will be happy */ - i = want_i; -diff --git a/rsync.c b/rsync.c -index cd288f57..b130aba5 100644 ---- a/rsync.c -+++ b/rsync.c -@@ -437,7 +437,10 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag_ptr, uchar *type_ptr, cha - */ - void free_sums(struct sum_struct *s) - { -- if (s->sums) free(s->sums); -+ if (s->sums) { -+ free(s->sums); -+ free(s->sum2_array); -+ } - free(s); - } - -diff --git a/rsync.h b/rsync.h -index d3709fe0..8ddbe702 100644 ---- a/rsync.h -+++ b/rsync.h -@@ -958,12 +958,12 @@ struct sum_buf { - uint32 sum1; /**< simple checksum */ - int32 chain; /**< next hash-table collision */ - short flags; /**< flag bits */ -- char sum2[SUM_LENGTH]; /**< checksum */ - }; - - struct sum_struct { - OFF_T flength; /**< total file length */ - struct sum_buf *sums; /**< points to info for each chunk */ -+ char *sum2_array; /**< checksums of length xfer_sum_len */ - int32 count; /**< how many chunks */ - int32 blength; /**< block_length */ - int32 remainder; /**< flength % block_length */ -@@ -982,6 +982,8 @@ struct map_struct { - int status; /* first errno from read errors */ - }; - -+#define sum2_at(s, i) ((s)->sum2_array + ((OFF_T)(i) * xfer_sum_len)) -+ - #define NAME_IS_FILE (0) /* filter name as a file */ - #define NAME_IS_DIR (1<<0) /* filter name as a dir */ - #define NAME_IS_XATTR (1<<2) /* filter name as an xattr */ -diff --git a/sender.c b/sender.c -index 3d4f052e..ab205341 100644 ---- a/sender.c -+++ b/sender.c -@@ -31,6 +31,7 @@ extern int log_before_transfer; - extern int stdout_format_has_i; - extern int logfile_format_has_i; - extern int want_xattr_optim; -+extern int xfer_sum_len; - extern int csum_length; - extern int append_mode; - extern int copy_links; -@@ -94,10 +95,11 @@ static struct sum_struct *receive_sums(int f) - return(s); - - s->sums = new_array(struct sum_buf, s->count); -+ s->sum2_array = new_array(char, s->count * xfer_sum_len); - - for (i = 0; i < s->count; i++) { - s->sums[i].sum1 = read_int(f); -- read_buf(f, s->sums[i].sum2, s->s2length); -+ read_buf(f, sum2_at(s, i), s->s2length); - - s->sums[i].offset = offset; - s->sums[i].flags = 0; --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12084/0002-Another-cast-when-multiplying-integers.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12084/0002-Another-cast-when-multiplying-integers.patch deleted file mode 100644 index 5a21d71b292e2..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12084/0002-Another-cast-when-multiplying-integers.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 42e2b56c4ede3ab164f9a5c6dae02aa84606a6c1 Mon Sep 17 00:00:00 2001 -From: Wayne Davison -Date: Tue, 5 Nov 2024 11:01:03 -0800 -Subject: [PATCH 2/2] Another cast when multiplying integers. - ---- - rsync.h | 2 +- - sender.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/rsync.h b/rsync.h -index 8ddbe702..0f9e277f 100644 ---- a/rsync.h -+++ b/rsync.h -@@ -982,7 +982,7 @@ struct map_struct { - int status; /* first errno from read errors */ - }; - --#define sum2_at(s, i) ((s)->sum2_array + ((OFF_T)(i) * xfer_sum_len)) -+#define sum2_at(s, i) ((s)->sum2_array + ((size_t)(i) * xfer_sum_len)) - - #define NAME_IS_FILE (0) /* filter name as a file */ - #define NAME_IS_DIR (1<<0) /* filter name as a dir */ -diff --git a/sender.c b/sender.c -index ab205341..2bbff2fa 100644 ---- a/sender.c -+++ b/sender.c -@@ -95,7 +95,7 @@ static struct sum_struct *receive_sums(int f) - return(s); - - s->sums = new_array(struct sum_buf, s->count); -- s->sum2_array = new_array(char, s->count * xfer_sum_len); -+ s->sum2_array = new_array(char, (size_t)s->count * xfer_sum_len); - - for (i = 0; i < s->count; i++) { - s->sums[i].sum1 = read_int(f); --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12085/0001-prevent-information-leak-off-the-stack.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12085/0001-prevent-information-leak-off-the-stack.patch deleted file mode 100644 index 7356fb6cb022a..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12085/0001-prevent-information-leak-off-the-stack.patch +++ /dev/null @@ -1,27 +0,0 @@ -From cf620065502f065d4ea44f5df4f81295a738aa21 Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Thu, 14 Nov 2024 09:57:08 +1100 -Subject: [PATCH] prevent information leak off the stack - -prevent leak of uninitialised stack data in hash_search ---- - match.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/match.c b/match.c -index 36e78ed2..dfd6af2c 100644 ---- a/match.c -+++ b/match.c -@@ -147,6 +147,9 @@ static void hash_search(int f,struct sum_struct *s, - int more; - schar *map; - -+ // prevent possible memory leaks -+ memset(sum2, 0, sizeof sum2); -+ - /* want_i is used to encourage adjacent matches, allowing the RLL - * coding of the output to work more efficiently. */ - want_i = 0; --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0001-refuse-fuzzy-options-when-fuzzy-not-selected.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0001-refuse-fuzzy-options-when-fuzzy-not-selected.patch deleted file mode 100644 index f409b1aa7ec72..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0001-refuse-fuzzy-options-when-fuzzy-not-selected.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 3feb8669d875d03c9ceb82e208ef40ddda8eb908 Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Sat, 23 Nov 2024 11:08:03 +1100 -Subject: [PATCH 1/4] refuse fuzzy options when fuzzy not selected - -this prevents a malicious server providing a file to compare to when -the user has not given the fuzzy option ---- - receiver.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/receiver.c b/receiver.c -index 6b4b369e..2d7f6033 100644 ---- a/receiver.c -+++ b/receiver.c -@@ -66,6 +66,7 @@ extern char sender_file_sum[MAX_DIGEST_LEN]; - extern struct file_list *cur_flist, *first_flist, *dir_flist; - extern filter_rule_list daemon_filter_list; - extern OFF_T preallocated_len; -+extern int fuzzy_basis; - - extern struct name_num_item *xfer_sum_nni; - extern int xfer_sum_len; -@@ -716,6 +717,10 @@ int recv_files(int f_in, int f_out, char *local_name) - fnamecmp = get_backup_name(fname); - break; - case FNAMECMP_FUZZY: -+ if (fuzzy_basis == 0) { -+ rprintf(FERROR_XFER, "rsync: refusing malicious fuzzy operation for %s\n", xname); -+ exit_cleanup(RERR_PROTOCOL); -+ } - if (file->dirname) { - pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname); - fnamecmp = fnamecmpbuf; --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0002-added-secure_relative_open.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0002-added-secure_relative_open.patch deleted file mode 100644 index 719c6f1a7cff6..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0002-added-secure_relative_open.patch +++ /dev/null @@ -1,103 +0,0 @@ -From 33385aefe4773e7a3982d41995681eb079c92d12 Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Sat, 23 Nov 2024 12:26:10 +1100 -Subject: [PATCH 2/4] added secure_relative_open() - -this is an open that enforces no symlink following for all path -components in a relative path ---- - syscall.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 74 insertions(+) - -diff --git a/syscall.c b/syscall.c -index d92074aa..a4b7f542 100644 ---- a/syscall.c -+++ b/syscall.c -@@ -33,6 +33,8 @@ - #include - #endif - -+#include "ifuncs.h" -+ - extern int dry_run; - extern int am_root; - extern int am_sender; -@@ -712,3 +714,75 @@ int do_open_nofollow(const char *pathname, int flags) - - return fd; - } -+ -+/* -+ open a file relative to a base directory. The basedir can be NULL, -+ in which case the current working directory is used. The relpath -+ must be a relative path, and the relpath must not contain any -+ elements in the path which follow symlinks (ie. like O_NOFOLLOW, but -+ applies to all path components, not just the last component) -+*/ -+int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode) -+{ -+ if (!relpath || relpath[0] == '/') { -+ // must be a relative path -+ errno = EINVAL; -+ return -1; -+ } -+ -+#if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY) -+ // really old system, all we can do is live with the risks -+ if (!basedir) { -+ return open(relpath, flags, mode); -+ } -+ char fullpath[MAXPATHLEN]; -+ pathjoin(fullpath, sizeof fullpath, basedir, relpath); -+ return open(fullpath, flags, mode); -+#else -+ int dirfd = AT_FDCWD; -+ if (basedir != NULL) { -+ dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY); -+ if (dirfd == -1) { -+ return -1; -+ } -+ } -+ int retfd = -1; -+ -+ char *path_copy = my_strdup(relpath, __FILE__, __LINE__); -+ if (!path_copy) { -+ return -1; -+ } -+ -+ for (const char *part = strtok(path_copy, "/"); -+ part != NULL; -+ part = strtok(NULL, "/")) -+ { -+ int next_fd = openat(dirfd, part, O_RDONLY | O_DIRECTORY | O_NOFOLLOW); -+ if (next_fd == -1 && errno == ENOTDIR) { -+ if (strtok(NULL, "/") != NULL) { -+ // this is not the last component of the path -+ errno = ELOOP; -+ goto cleanup; -+ } -+ // this could be the last component of the path, try as a file -+ retfd = openat(dirfd, part, flags | O_NOFOLLOW, mode); -+ goto cleanup; -+ } -+ if (next_fd == -1) { -+ goto cleanup; -+ } -+ if (dirfd != AT_FDCWD) close(dirfd); -+ dirfd = next_fd; -+ } -+ -+ // the path must be a directory -+ errno = EINVAL; -+ -+cleanup: -+ free(path_copy); -+ if (dirfd != AT_FDCWD) { -+ close(dirfd); -+ } -+ return retfd; -+#endif // O_NOFOLLOW, O_DIRECTORY -+} --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0003-receiver-use-secure_relative_open-for-basis-file.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0003-receiver-use-secure_relative_open-for-basis-file.patch deleted file mode 100644 index 4be6391648dfd..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0003-receiver-use-secure_relative_open-for-basis-file.patch +++ /dev/null @@ -1,103 +0,0 @@ -From e59ef9939d3f0ccc8f9bab51442989a81be0c914 Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Sat, 23 Nov 2024 12:28:13 +1100 -Subject: [PATCH 3/4] receiver: use secure_relative_open() for basis file - -this prevents attacks where the basis file is manipulated by a -malicious sender to gain information about files outside the -destination tree ---- - receiver.c | 42 ++++++++++++++++++++++++++---------------- - 1 file changed, 26 insertions(+), 16 deletions(-) - -diff --git a/receiver.c b/receiver.c -index 2d7f6033..8031b8f4 100644 ---- a/receiver.c -+++ b/receiver.c -@@ -552,6 +552,8 @@ int recv_files(int f_in, int f_out, char *local_name) - progress_init(); - - while (1) { -+ const char *basedir = NULL; -+ - cleanup_disable(); - - /* This call also sets cur_flist. */ -@@ -722,27 +724,29 @@ int recv_files(int f_in, int f_out, char *local_name) - exit_cleanup(RERR_PROTOCOL); - } - if (file->dirname) { -- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname); -- fnamecmp = fnamecmpbuf; -- } else -- fnamecmp = xname; -+ basedir = file->dirname; -+ } -+ fnamecmp = xname; - break; - default: - if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) { - fnamecmp_type -= FNAMECMP_FUZZY + 1; - if (file->dirname) { -- stringjoin(fnamecmpbuf, sizeof fnamecmpbuf, -- basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL); -- } else -- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname); -+ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname); -+ basedir = fnamecmpbuf; -+ } else { -+ basedir = basis_dir[fnamecmp_type]; -+ } -+ fnamecmp = xname; - } else if (fnamecmp_type >= basis_dir_cnt) { - rprintf(FERROR, - "invalid basis_dir index: %d.\n", - fnamecmp_type); - exit_cleanup(RERR_PROTOCOL); -- } else -- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname); -- fnamecmp = fnamecmpbuf; -+ } else { -+ basedir = basis_dir[fnamecmp_type]; -+ fnamecmp = fname; -+ } - break; - } - if (!fnamecmp || (daemon_filter_list.head -@@ -765,7 +769,7 @@ int recv_files(int f_in, int f_out, char *local_name) - } - - /* open the file */ -- fd1 = do_open(fnamecmp, O_RDONLY, 0); -+ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0); - - if (fd1 == -1 && protocol_version < 29) { - if (fnamecmp != fname) { -@@ -776,14 +780,20 @@ int recv_files(int f_in, int f_out, char *local_name) - - if (fd1 == -1 && basis_dir[0]) { - /* pre-29 allowed only one alternate basis */ -- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, -- basis_dir[0], fname); -- fnamecmp = fnamecmpbuf; -+ basedir = basis_dir[0]; -+ fnamecmp = fname; - fnamecmp_type = FNAMECMP_BASIS_DIR_LOW; -- fd1 = do_open(fnamecmp, O_RDONLY, 0); -+ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0); - } - } - -+ if (basedir) { -+ // for the following code we need the full -+ // path name as a single string -+ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp); -+ fnamecmp = fnamecmpbuf; -+ } -+ - one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR; - updating_basis_or_equiv = one_inplace - || (inplace && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP)); --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0004-disallow-.-elements-in-relpath-for-secure_relative_o.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0004-disallow-.-elements-in-relpath-for-secure_relative_o.patch deleted file mode 100644 index 74a16e79a16a4..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12086/0004-disallow-.-elements-in-relpath-for-secure_relative_o.patch +++ /dev/null @@ -1,37 +0,0 @@ -From c78e53edb802d04f7e4e070fe8314f2544749e7a Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Tue, 26 Nov 2024 09:16:31 +1100 -Subject: [PATCH 4/4] disallow ../ elements in relpath for secure_relative_open - ---- - syscall.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/syscall.c b/syscall.c -index a4b7f542..47c5ea57 100644 ---- a/syscall.c -+++ b/syscall.c -@@ -721,6 +721,8 @@ int do_open_nofollow(const char *pathname, int flags) - must be a relative path, and the relpath must not contain any - elements in the path which follow symlinks (ie. like O_NOFOLLOW, but - applies to all path components, not just the last component) -+ -+ The relpath must also not contain any ../ elements in the path - */ - int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode) - { -@@ -729,6 +731,11 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo - errno = EINVAL; - return -1; - } -+ if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) { -+ // no ../ elements allowed in the relpath -+ errno = EINVAL; -+ return -1; -+ } - - #if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY) - // really old system, all we can do is live with the risks --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12087/0001-Refuse-a-duplicate-dirlist.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12087/0001-Refuse-a-duplicate-dirlist.patch deleted file mode 100644 index 99ebc15bd4585..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12087/0001-Refuse-a-duplicate-dirlist.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 0ebc19ee486a8e928a68d8f98d07d40f176770aa Mon Sep 17 00:00:00 2001 -From: Wayne Davison -Date: Thu, 14 Nov 2024 15:46:50 -0800 -Subject: [PATCH 1/2] Refuse a duplicate dirlist. - ---- - flist.c | 9 +++++++++ - rsync.h | 1 + - 2 files changed, 10 insertions(+) - -diff --git a/flist.c b/flist.c -index 464d556e..847b1054 100644 ---- a/flist.c -+++ b/flist.c -@@ -2584,6 +2584,15 @@ struct file_list *recv_file_list(int f, int dir_ndx) - init_hard_links(); - #endif - -+ if (inc_recurse && dir_ndx >= 0) { -+ struct file_struct *file = dir_flist->files[dir_ndx]; -+ if (file->flags & FLAG_GOT_DIR_FLIST) { -+ rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx); -+ exit_cleanup(RERR_PROTOCOL); -+ } -+ file->flags |= FLAG_GOT_DIR_FLIST; -+ } -+ - flist = flist_new(0, "recv_file_list"); - flist_expand(flist, FLIST_START_LARGE); - -diff --git a/rsync.h b/rsync.h -index 0f9e277f..b9a7101a 100644 ---- a/rsync.h -+++ b/rsync.h -@@ -84,6 +84,7 @@ - #define FLAG_DUPLICATE (1<<4) /* sender */ - #define FLAG_MISSING_DIR (1<<4) /* generator */ - #define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */ -+#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */ - #define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */ - #define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */ - #define FLAG_HLINK_LAST (1<<7) /* receiver/generator */ --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12087/0002-range-check-dir_ndx-before-use.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12087/0002-range-check-dir_ndx-before-use.patch deleted file mode 100644 index b067809ebb3af..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12087/0002-range-check-dir_ndx-before-use.patch +++ /dev/null @@ -1,27 +0,0 @@ -From b3e16be18d582dac1513c0a932d146b36e867b1b Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Tue, 26 Nov 2024 16:12:45 +1100 -Subject: [PATCH 2/2] range check dir_ndx before use - ---- - flist.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/flist.c b/flist.c -index 847b1054..087f9da6 100644 ---- a/flist.c -+++ b/flist.c -@@ -2585,6 +2585,10 @@ struct file_list *recv_file_list(int f, int dir_ndx) - #endif - - if (inc_recurse && dir_ndx >= 0) { -+ if (dir_ndx >= dir_flist->used) { -+ rprintf(FERROR_XFER, "rsync: refusing invalid dir_ndx %u >= %u\n", dir_ndx, dir_flist->used); -+ exit_cleanup(RERR_PROTOCOL); -+ } - struct file_struct *file = dir_flist->files[dir_ndx]; - if (file->flags & FLAG_GOT_DIR_FLIST) { - rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx); --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12088/0001-make-safe-links-stricter.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12088/0001-make-safe-links-stricter.patch deleted file mode 100644 index 2ba588127013a..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12088/0001-make-safe-links-stricter.patch +++ /dev/null @@ -1,136 +0,0 @@ -From 535f8f816539ba681ef0f12015d2cb587ae61b6d Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Sat, 23 Nov 2024 15:15:53 +1100 -Subject: [PATCH] make --safe-links stricter - -when --safe-links is used also reject links where a '../' component is -included in the destination as other than the leading part of the -filename ---- - testsuite/safe-links.test | 55 ++++++++++++++++++++++++++++++++++++ - testsuite/unsafe-byname.test | 2 +- - util1.c | 26 ++++++++++++++++- - 3 files changed, 81 insertions(+), 2 deletions(-) - create mode 100644 testsuite/safe-links.test - -diff --git a/testsuite/safe-links.test b/testsuite/safe-links.test -new file mode 100644 -index 00000000..6e95a4b9 ---- /dev/null -+++ b/testsuite/safe-links.test -@@ -0,0 +1,55 @@ -+#!/bin/sh -+ -+. "$suitedir/rsync.fns" -+ -+test_symlink() { -+ is_a_link "$1" || test_fail "File $1 is not a symlink" -+} -+ -+test_regular() { -+ if [ ! -f "$1" ]; then -+ test_fail "File $1 is not regular file or not exists" -+ fi -+} -+ -+test_notexist() { -+ if [ -e "$1" ]; then -+ test_fail "File $1 exists" -+ fi -+ if [ -h "$1" ]; then -+ test_fail "File $1 exists as a symlink" -+ fi -+} -+ -+cd "$tmpdir" -+ -+mkdir from -+ -+mkdir "from/safe" -+mkdir "from/unsafe" -+ -+mkdir "from/safe/files" -+mkdir "from/safe/links" -+ -+touch "from/safe/files/file1" -+touch "from/safe/files/file2" -+touch "from/unsafe/unsafefile" -+ -+ln -s ../files/file1 "from/safe/links/" -+ln -s ../files/file2 "from/safe/links/" -+ln -s ../../unsafe/unsafefile "from/safe/links/" -+ln -s a/a/a/../../../unsafe2 "from/safe/links/" -+ -+#echo "LISTING FROM" -+#ls -lR from -+ -+echo "rsync with relative path and just -a" -+$RSYNC -avv --safe-links from/safe/ to -+ -+#echo "LISTING TO" -+#ls -lR to -+ -+test_symlink to/links/file1 -+test_symlink to/links/file2 -+test_notexist to/links/unsafefile -+test_notexist to/links/unsafe2 -diff --git a/testsuite/unsafe-byname.test b/testsuite/unsafe-byname.test -index 75e72014..d2e318ef 100644 ---- a/testsuite/unsafe-byname.test -+++ b/testsuite/unsafe-byname.test -@@ -40,7 +40,7 @@ test_unsafe ..//../dest from/dir unsafe - test_unsafe .. from/file safe - test_unsafe ../.. from/file unsafe - test_unsafe ..//.. from//file unsafe --test_unsafe dir/.. from safe -+test_unsafe dir/.. from unsafe - test_unsafe dir/../.. from unsafe - test_unsafe dir/..//.. from unsafe - -diff --git a/util1.c b/util1.c -index da50ff1e..f260d398 100644 ---- a/util1.c -+++ b/util1.c -@@ -1318,7 +1318,14 @@ int handle_partial_dir(const char *fname, int create) - * - * "src" is the top source directory currently applicable at the level - * of the referenced symlink. This is usually the symlink's full path -- * (including its name), as referenced from the root of the transfer. */ -+ * (including its name), as referenced from the root of the transfer. -+ * -+ * NOTE: this also rejects dest names with a .. component in other -+ * than the first component of the name ie. it rejects names such as -+ * a/b/../x/y. This needs to be done as the leading subpaths 'a' or -+ * 'b' could later be replaced with symlinks such as a link to '.' -+ * resulting in the link being transferred now becoming unsafe -+ */ - int unsafe_symlink(const char *dest, const char *src) - { - const char *name, *slash; -@@ -1328,6 +1335,23 @@ int unsafe_symlink(const char *dest, const char *src) - if (!dest || !*dest || *dest == '/') - return 1; - -+ // reject destinations with /../ in the name other than at the start of the name -+ const char *dest2 = dest; -+ while (strncmp(dest2, "../", 3) == 0) { -+ dest2 += 3; -+ while (*dest2 == '/') { -+ // allow for ..//..///../foo -+ dest2++; -+ } -+ } -+ if (strstr(dest2, "/../")) -+ return 1; -+ -+ // reject if the destination ends in /.. -+ const size_t dlen = strlen(dest); -+ if (dlen > 3 && strcmp(&dest[dlen-3], "/..") == 0) -+ return 1; -+ - /* find out what our safety margin is */ - for (name = src; (slash = strchr(name, '/')) != 0; name = slash+1) { - /* ".." segment starts the count over. "." segment is ignored. */ --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch b/pkgs/applications/networking/sync/rsync/CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch deleted file mode 100644 index c5401b5df319a..0000000000000 --- a/pkgs/applications/networking/sync/rsync/CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch +++ /dev/null @@ -1,187 +0,0 @@ -From f45f48055e548851bc7230f454dfeba139be6c04 Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Wed, 18 Dec 2024 08:59:42 +1100 -Subject: [PATCH] fixed symlink race condition in sender - -when we open a file that we don't expect to be a symlink use -O_NOFOLLOW to prevent a race condition where an attacker could change -a file between being a normal file and a symlink ---- - checksum.c | 2 +- - flist.c | 2 +- - generator.c | 4 ++-- - receiver.c | 2 +- - sender.c | 2 +- - syscall.c | 20 ++++++++++++++++++++ - t_unsafe.c | 3 +++ - tls.c | 3 +++ - trimslash.c | 2 ++ - util1.c | 2 +- - 10 files changed, 35 insertions(+), 7 deletions(-) - -diff --git a/checksum.c b/checksum.c -index cb21882c..66e80896 100644 ---- a/checksum.c -+++ b/checksum.c -@@ -406,7 +406,7 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum) - int32 remainder; - int fd; - -- fd = do_open(fname, O_RDONLY, 0); -+ fd = do_open_checklinks(fname); - if (fd == -1) { - memset(sum, 0, file_sum_len); - return; -diff --git a/flist.c b/flist.c -index 087f9da6..17832533 100644 ---- a/flist.c -+++ b/flist.c -@@ -1390,7 +1390,7 @@ struct file_struct *make_file(const char *fname, struct file_list *flist, - - if (copy_devices && am_sender && IS_DEVICE(st.st_mode)) { - if (st.st_size == 0) { -- int fd = do_open(fname, O_RDONLY, 0); -+ int fd = do_open_checklinks(fname); - if (fd >= 0) { - st.st_size = get_device_size(fd, fname); - close(fd); -diff --git a/generator.c b/generator.c -index 110db28f..3f13bb95 100644 ---- a/generator.c -+++ b/generator.c -@@ -1798,7 +1798,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx, - - if (write_devices && IS_DEVICE(sx.st.st_mode) && sx.st.st_size == 0) { - /* This early open into fd skips the regular open below. */ -- if ((fd = do_open(fnamecmp, O_RDONLY, 0)) >= 0) -+ if ((fd = do_open_nofollow(fnamecmp, O_RDONLY)) >= 0) - real_sx.st.st_size = sx.st.st_size = get_device_size(fd, fnamecmp); - } - -@@ -1867,7 +1867,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx, - } - - /* open the file */ -- if (fd < 0 && (fd = do_open(fnamecmp, O_RDONLY, 0)) < 0) { -+ if (fd < 0 && (fd = do_open_checklinks(fnamecmp)) < 0) { - rsyserr(FERROR, errno, "failed to open %s, continuing", - full_fname(fnamecmp)); - pretend_missing: -diff --git a/receiver.c b/receiver.c -index 8031b8f4..edfbb210 100644 ---- a/receiver.c -+++ b/receiver.c -@@ -775,7 +775,7 @@ int recv_files(int f_in, int f_out, char *local_name) - if (fnamecmp != fname) { - fnamecmp = fname; - fnamecmp_type = FNAMECMP_FNAME; -- fd1 = do_open(fnamecmp, O_RDONLY, 0); -+ fd1 = do_open_nofollow(fnamecmp, O_RDONLY); - } - - if (fd1 == -1 && basis_dir[0]) { -diff --git a/sender.c b/sender.c -index 2bbff2fa..a4d46c39 100644 ---- a/sender.c -+++ b/sender.c -@@ -350,7 +350,7 @@ void send_files(int f_in, int f_out) - exit_cleanup(RERR_PROTOCOL); - } - -- fd = do_open(fname, O_RDONLY, 0); -+ fd = do_open_checklinks(fname); - if (fd == -1) { - if (errno == ENOENT) { - enum logcode c = am_daemon && protocol_version < 28 ? FERROR : FWARNING; -diff --git a/syscall.c b/syscall.c -index 081357bb..8cea2900 100644 ---- a/syscall.c -+++ b/syscall.c -@@ -45,6 +45,8 @@ extern int preallocate_files; - extern int preserve_perms; - extern int preserve_executability; - extern int open_noatime; -+extern int copy_links; -+extern int copy_unsafe_links; - - #ifndef S_BLKSIZE - # if defined hpux || defined __hpux__ || defined __hpux -@@ -788,3 +790,21 @@ cleanup: - return retfd; - #endif // O_NOFOLLOW, O_DIRECTORY - } -+ -+/* -+ varient of do_open/do_open_nofollow which does do_open() if the -+ copy_links or copy_unsafe_links options are set and does -+ do_open_nofollow() otherwise -+ -+ This is used to prevent a race condition where an attacker could be -+ switching a file between being a symlink and being a normal file -+ -+ The open is always done with O_RDONLY flags -+ */ -+int do_open_checklinks(const char *pathname) -+{ -+ if (copy_links || copy_unsafe_links) { -+ return do_open(pathname, O_RDONLY, 0); -+ } -+ return do_open_nofollow(pathname, O_RDONLY); -+} -diff --git a/t_unsafe.c b/t_unsafe.c -index 010cac50..e10619a2 100644 ---- a/t_unsafe.c -+++ b/t_unsafe.c -@@ -28,6 +28,9 @@ int am_root = 0; - int am_sender = 1; - int read_only = 0; - int list_only = 0; -+int copy_links = 0; -+int copy_unsafe_links = 0; -+ - short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG]; - - int -diff --git a/tls.c b/tls.c -index e6b0708a..858f8f10 100644 ---- a/tls.c -+++ b/tls.c -@@ -49,6 +49,9 @@ int list_only = 0; - int link_times = 0; - int link_owner = 0; - int nsec_times = 0; -+int safe_symlinks = 0; -+int copy_links = 0; -+int copy_unsafe_links = 0; - - #ifdef SUPPORT_XATTRS - -diff --git a/trimslash.c b/trimslash.c -index 1ec928ca..f2774cd7 100644 ---- a/trimslash.c -+++ b/trimslash.c -@@ -26,6 +26,8 @@ int am_root = 0; - int am_sender = 1; - int read_only = 1; - int list_only = 0; -+int copy_links = 0; -+int copy_unsafe_links = 0; - - int - main(int argc, char **argv) -diff --git a/util1.c b/util1.c -index f260d398..d84bc414 100644 ---- a/util1.c -+++ b/util1.c -@@ -365,7 +365,7 @@ int copy_file(const char *source, const char *dest, int tmpfilefd, mode_t mode) - int len; /* Number of bytes read into `buf'. */ - OFF_T prealloc_len = 0, offset = 0; - -- if ((ifd = do_open(source, O_RDONLY, 0)) < 0) { -+ if ((ifd = do_open_nofollow(source, O_RDONLY)) < 0) { - int save_errno = errno; - rsyserr(FERROR_XFER, errno, "open %s", full_fname(source)); - errno = save_errno; --- -2.34.1 - diff --git a/pkgs/applications/networking/sync/rsync/configure.ac-fix-failing-IPv6-check.patch b/pkgs/applications/networking/sync/rsync/configure.ac-fix-failing-IPv6-check.patch deleted file mode 100644 index 3305653d025ff..0000000000000 --- a/pkgs/applications/networking/sync/rsync/configure.ac-fix-failing-IPv6-check.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -rup rsync-3.2.7/configure.sh rsync-3.2.7-fixed/configure.sh ---- rsync-3.2.7/configure.sh 2022-10-20 17:57:22 -+++ rsync-3.2.7-fixed/configure.sh 2024-01-01 19:51:58 -@@ -7706,7 +7706,7 @@ else $as_nop - #include - #include - #include --main() -+int main() - { - if (socket(AF_INET6, SOCK_STREAM, 0) < 0) - exit(1); diff --git a/pkgs/applications/networking/sync/rsync/default.nix b/pkgs/applications/networking/sync/rsync/default.nix index 8ccd645c09def..0d6710c0a02db 100644 --- a/pkgs/applications/networking/sync/rsync/default.nix +++ b/pkgs/applications/networking/sync/rsync/default.nix @@ -22,12 +22,12 @@ stdenv.mkDerivation rec { pname = "rsync"; - version = "3.3.0"; + version = "3.4.1"; src = fetchurl { - # signed with key 0048 C8B0 26D4 C96F 0E58 9C2F 6C85 9FB1 4B96 A8C5 + # signed with key 9FEF 112D CE19 A0DC 7E88 2CB8 1BB2 4997 A853 5F6F url = "mirror://samba/rsync/src/rsync-${version}.tar.gz"; - hash = "sha256-c5nppnCMMtZ4pypjIZ6W8jvgviM25Q/RNISY0HBB35A="; + hash = "sha256-KSS8s6Hti1UfwQH3QLnw/gogKxFQJ2R89phQ1l/YjFI="; }; nativeBuildInputs = [ @@ -35,23 +35,6 @@ stdenv.mkDerivation rec { perl ]; - patches = [ - # https://github.com/WayneD/rsync/pull/558 - ./configure.ac-fix-failing-IPv6-check.patch - ./CVE-2024-12084/0001-Some-checksum-buffer-fixes.patch - ./CVE-2024-12084/0002-Another-cast-when-multiplying-integers.patch - ./CVE-2024-12085/0001-prevent-information-leak-off-the-stack.patch - ./CVE-2024-12086/0001-refuse-fuzzy-options-when-fuzzy-not-selected.patch - ./CVE-2024-12086/0002-added-secure_relative_open.patch - ./CVE-2024-12086/0003-receiver-use-secure_relative_open-for-basis-file.patch - ./CVE-2024-12086/0004-disallow-.-elements-in-relpath-for-secure_relative_o.patch - ./CVE-2024-12087/0001-Refuse-a-duplicate-dirlist.patch - ./CVE-2024-12087/0002-range-check-dir_ndx-before-use.patch - ./CVE-2024-12088/0001-make-safe-links-stricter.patch - ./CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch - ./raise-protocol-version-to-32.patch - ]; - buildInputs = [ libiconv diff --git a/pkgs/applications/networking/sync/rsync/raise-protocol-version-to-32.patch b/pkgs/applications/networking/sync/rsync/raise-protocol-version-to-32.patch deleted file mode 100644 index 94054fdc8c359..0000000000000 --- a/pkgs/applications/networking/sync/rsync/raise-protocol-version-to-32.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 163e05b1680c4a3b448fa68d03c3fca9589f3bc4 Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Tue, 10 Dec 2024 13:34:01 +1100 -Subject: [PATCH 1/3] raise protocol version to 32 - -make it easier to spot unpatched servers ---- - rsync.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/rsync.h b/rsync.h -index b9a7101a..9be1297b 100644 ---- a/rsync.h -+++ b/rsync.h -@@ -111,7 +111,7 @@ - - /* Update this if you make incompatible changes and ALSO update the - * SUBPROTOCOL_VERSION if it is not a final (official) release. */ --#define PROTOCOL_VERSION 31 -+#define PROTOCOL_VERSION 32 - - /* This is used when working on a new protocol version or for any unofficial - * protocol tweaks. It should be a non-zero value for each pre-release repo --- -2.34.1 - diff --git a/pkgs/applications/version-management/git/default.nix b/pkgs/applications/version-management/git/default.nix index 4ec161a897589..082b1c9f37aa1 100644 --- a/pkgs/applications/version-management/git/default.nix +++ b/pkgs/applications/version-management/git/default.nix @@ -30,7 +30,7 @@ assert sendEmailSupport -> perlSupport; assert svnSupport -> perlSupport; let - version = "2.47.1"; + version = "2.47.2"; svn = subversionClient.override { perlBindings = perlSupport; }; gitwebPerlLibs = with perlPackages; [ CGI HTMLParser CGIFast FCGI FCGIProcManager HTMLTagCloud ]; in @@ -43,7 +43,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz"; - hash = "sha256-89j5uyOuOSN06RzZ05WXDavFucXucvOYhGE82Epu0xA="; + hash = "sha256-sZJovmtvFVa0ep3YNCcuFn06dXQM3NKDzzgS7f/jkw8="; }; outputs = [ "out" ] ++ lib.optional withManual "doc"; diff --git a/pkgs/build-support/rust/fetch-cargo-vendor-util.py b/pkgs/build-support/rust/fetch-cargo-vendor-util.py index 697387f292ba7..bb70a559fe966 100644 --- a/pkgs/build-support/rust/fetch-cargo-vendor-util.py +++ b/pkgs/build-support/rust/fetch-cargo-vendor-util.py @@ -9,6 +9,7 @@ import tomllib from pathlib import Path from typing import Any, TypedDict, cast +from urllib.parse import unquote import requests from requests.adapters import HTTPAdapter, Retry @@ -21,6 +22,15 @@ def load_toml(path: Path) -> dict[str, Any]: return tomllib.load(f) +def get_lockfile_version(cargo_lock_toml: dict[str, Any]) -> int: + # lockfile v1 and v2 don't have the `version` key, so assume v2 + version = cargo_lock_toml.get("version", 2) + + # TODO: add logic for differentiating between v1 and v2 + + return version + + def download_file_with_checksum(url: str, destination_path: Path) -> str: retries = Retry( total=5, @@ -93,20 +103,29 @@ class GitSourceInfo(TypedDict): git_sha_rev: str -def parse_git_source(source: str) -> GitSourceInfo: +def parse_git_source(source: str, lockfile_version: int) -> GitSourceInfo: match = GIT_SOURCE_REGEX.match(source) if match is None: raise Exception(f"Unable to process git source: {source}.") - return cast(GitSourceInfo, match.groupdict(default=None)) + + source_info = cast(GitSourceInfo, match.groupdict(default=None)) + + # the source URL is URL-encoded in lockfile_version >=4 + # since we just used regex to parse it we have to manually decode the escaped branch/tag name + if lockfile_version >= 4 and source_info["value"] is not None: + source_info["value"] = unquote(source_info["value"]) + + return source_info def create_vendor_staging(lockfile_path: Path, out_dir: Path) -> None: - cargo_toml = load_toml(lockfile_path) + cargo_lock_toml = load_toml(lockfile_path) + lockfile_version = get_lockfile_version(cargo_lock_toml) git_packages: list[dict[str, Any]] = [] registry_packages: list[dict[str, Any]] = [] - for pkg in cargo_toml["package"]: + for pkg in cargo_lock_toml["package"]: # ignore local dependenices if "source" not in pkg.keys(): eprint(f"Skipping local dependency: {pkg["name"]}") @@ -122,7 +141,7 @@ def create_vendor_staging(lockfile_path: Path, out_dir: Path) -> None: git_sha_rev_to_url: dict[str, str] = {} for pkg in git_packages: - source_info = parse_git_source(pkg["source"]) + source_info = parse_git_source(pkg["source"], lockfile_version) git_sha_rev_to_url[source_info["git_sha_rev"]] = source_info["url"] out_dir.mkdir(exist_ok=True) @@ -207,7 +226,8 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: out_dir.mkdir(exist_ok=True) shutil.copy(lockfile_path, out_dir / "Cargo.lock") - cargo_toml = load_toml(lockfile_path) + cargo_lock_toml = load_toml(lockfile_path) + lockfile_version = get_lockfile_version(cargo_lock_toml) config_lines = [ '[source.vendored-sources]', @@ -217,7 +237,7 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: ] seen_source_keys = set() - for pkg in cargo_toml["package"]: + for pkg in cargo_lock_toml["package"]: # ignore local dependenices if "source" not in pkg.keys(): @@ -230,7 +250,8 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: if source.startswith("git+"): - source_info = parse_git_source(pkg["source"]) + source_info = parse_git_source(pkg["source"], lockfile_version) + git_sha_rev = source_info["git_sha_rev"] git_tree = vendor_staging_dir / "git" / git_sha_rev diff --git a/pkgs/build-support/rust/import-cargo-lock.nix b/pkgs/build-support/rust/import-cargo-lock.nix index e88931d0f383d..b39b56f4ccb5e 100644 --- a/pkgs/build-support/rust/import-cargo-lock.nix +++ b/pkgs/build-support/rust/import-cargo-lock.nix @@ -49,6 +49,10 @@ let parsedLockFile = builtins.fromTOML lockFileContents; + # lockfile v1 and v2 don't have the `version` key, so assume v2 + # we can implement more fine-grained detection later, if needed + lockFileVersion = parsedLockFile.version or 2; + packages = parsedLockFile.package; # There is no source attribute for the source package itself. But @@ -202,11 +206,20 @@ let # Cargo is happy with empty metadata. printf '{"files":{},"package":null}' > "$out/.cargo-checksum.json" + ${lib.optionalString (gitParts ? type) '' + gitPartsValue=${lib.escapeShellArg gitParts.value} + # starting with lockfile version v4 the git source url contains encoded query parameters + # our regex parser does not know how to unescape them to get the actual value, so we do it here + ${lib.optionalString (lockFileVersion >= 4) '' + gitPartsValue=$(${lib.getExe python3Packages.python} -c "import sys, urllib.parse; print(urllib.parse.unquote(sys.argv[1]))" "$gitPartsValue") + ''} + ''} + # Set up configuration for the vendor directory. cat > $out/.cargo-config < +Date: Thu, 5 Dec 2024 23:07:18 -0800 +Subject: [PATCH 1/9] Garbage collect stray reference to auto_array + +This entry should have been removed in the referenced commit. + +Fixes: 6639d083e7d5b4b478397cc416cd42a756d17b0c +--- + atf-c++/detail/Makefile.am.inc | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/atf-c++/detail/Makefile.am.inc b/atf-c++/detail/Makefile.am.inc +index b3181346..29b41c3f 100644 +--- a/atf-c++/detail/Makefile.am.inc ++++ b/atf-c++/detail/Makefile.am.inc +@@ -25,7 +25,6 @@ + + libatf_c___la_SOURCES += atf-c++/detail/application.cpp \ + atf-c++/detail/application.hpp \ +- atf-c++/detail/auto_array.hpp \ + atf-c++/detail/env.cpp \ + atf-c++/detail/env.hpp \ + atf-c++/detail/exceptions.cpp \ + +From bb58a4dfbc98e95c365be8033f9778571f35ef9d Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Thu, 5 Dec 2024 23:25:26 -0800 +Subject: [PATCH 2/9] Require C++-14 at bare minimum + +This change imports ac_cxx_compile_stdcxx.m4 from gnu,org and makes use +of the `AX_CXX_COMPILE_STDCXX` macro in configure.ac to ensure that the +compiler specified supports C++-14 (at bare minimum). This is being done +to quell some issues reported by scan-build about the code using C++ +range-based for-loops (a feature added in C++-11). +--- + configure.ac | 3 +- + m4/ac_cxx_compile_stdcxx.m4 | 1070 +++++++++++++++++++++++++++++++++++ + 2 files changed, 1072 insertions(+), 1 deletion(-) + create mode 100644 m4/ac_cxx_compile_stdcxx.m4 + +diff --git a/configure.ac b/configure.ac +index c37aca44..6d802144 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -58,8 +58,9 @@ AM_PROG_CC_C_O + dnl The C compiler check automatically aborts if the compiler does not work. + dnl Nothing to do here. + +-AC_LANG(C++) + AC_PROG_CXX ++AC_LANG_COMPILER(C++) ++AX_CXX_COMPILE_STDCXX(14, noext, mandatory) + AC_CACHE_CHECK([whether the C++ compiler works], + [atf_cv_prog_cxx_works], + [AC_LANG_PUSH([C++]) +diff --git a/m4/ac_cxx_compile_stdcxx.m4 b/m4/ac_cxx_compile_stdcxx.m4 +new file mode 100644 +index 00000000..fe6ae17e +--- /dev/null ++++ b/m4/ac_cxx_compile_stdcxx.m4 +@@ -0,0 +1,1070 @@ ++# =========================================================================== ++# https://www.gnu.org/software/autoconf-archive/ax_cxx_compile_stdcxx.html ++# =========================================================================== ++# ++# SYNOPSIS ++# ++# AX_CXX_COMPILE_STDCXX(VERSION, [ext|noext], [mandatory|optional]) ++# ++# DESCRIPTION ++# ++# Check for baseline language coverage in the compiler for the specified ++# version of the C++ standard. If necessary, add switches to CXX and ++# CXXCPP to enable support. VERSION may be '11', '14', '17', '20', or ++# '23' for the respective C++ standard version. ++# ++# The second argument, if specified, indicates whether you insist on an ++# extended mode (e.g. -std=gnu++11) or a strict conformance mode (e.g. ++# -std=c++11). If neither is specified, you get whatever works, with ++# preference for no added switch, and then for an extended mode. ++# ++# The third argument, if specified 'mandatory' or if left unspecified, ++# indicates that baseline support for the specified C++ standard is ++# required and that the macro should error out if no mode with that ++# support is found. If specified 'optional', then configuration proceeds ++# regardless, after defining HAVE_CXX${VERSION} if and only if a ++# supporting mode is found. ++# ++# LICENSE ++# ++# Copyright (c) 2008 Benjamin Kosnik ++# Copyright (c) 2012 Zack Weinberg ++# Copyright (c) 2013 Roy Stogner ++# Copyright (c) 2014, 2015 Google Inc.; contributed by Alexey Sokolov ++# Copyright (c) 2015 Paul Norman ++# Copyright (c) 2015 Moritz Klammler ++# Copyright (c) 2016, 2018 Krzesimir Nowak ++# Copyright (c) 2019 Enji Cooper ++# Copyright (c) 2020 Jason Merrill ++# Copyright (c) 2021, 2024 Jörn Heusipp ++# Copyright (c) 2015, 2022, 2023, 2024 Olly Betts ++# ++# Copying and distribution of this file, with or without modification, are ++# permitted in any medium without royalty provided the copyright notice ++# and this notice are preserved. This file is offered as-is, without any ++# warranty. ++ ++#serial 25 ++ ++dnl This macro is based on the code from the AX_CXX_COMPILE_STDCXX_11 macro ++dnl (serial version number 13). ++ ++AC_DEFUN([AX_CXX_COMPILE_STDCXX], [dnl ++ m4_if([$1], [11], [ax_cxx_compile_alternatives="11 0x"], ++ [$1], [14], [ax_cxx_compile_alternatives="14 1y"], ++ [$1], [17], [ax_cxx_compile_alternatives="17 1z"], ++ [$1], [20], [ax_cxx_compile_alternatives="20"], ++ [$1], [23], [ax_cxx_compile_alternatives="23"], ++ [m4_fatal([invalid first argument `$1' to AX_CXX_COMPILE_STDCXX])])dnl ++ m4_if([$2], [], [], ++ [$2], [ext], [], ++ [$2], [noext], [], ++ [m4_fatal([invalid second argument `$2' to AX_CXX_COMPILE_STDCXX])])dnl ++ m4_if([$3], [], [ax_cxx_compile_cxx$1_required=true], ++ [$3], [mandatory], [ax_cxx_compile_cxx$1_required=true], ++ [$3], [optional], [ax_cxx_compile_cxx$1_required=false], ++ [m4_fatal([invalid third argument `$3' to AX_CXX_COMPILE_STDCXX])]) ++ AC_LANG_PUSH([C++])dnl ++ ac_success=no ++ ++ m4_if([$2], [], [dnl ++ AC_CACHE_CHECK(whether $CXX supports C++$1 features by default, ++ ax_cv_cxx_compile_cxx$1, ++ [AC_COMPILE_IFELSE([AC_LANG_SOURCE([_AX_CXX_COMPILE_STDCXX_testbody_$1])], ++ [ax_cv_cxx_compile_cxx$1=yes], ++ [ax_cv_cxx_compile_cxx$1=no])]) ++ if test x$ax_cv_cxx_compile_cxx$1 = xyes; then ++ ac_success=yes ++ fi]) ++ ++ m4_if([$2], [noext], [], [dnl ++ if test x$ac_success = xno; then ++ for alternative in ${ax_cxx_compile_alternatives}; do ++ switch="-std=gnu++${alternative}" ++ cachevar=AS_TR_SH([ax_cv_cxx_compile_cxx$1_$switch]) ++ AC_CACHE_CHECK(whether $CXX supports C++$1 features with $switch, ++ $cachevar, ++ [ac_save_CXX="$CXX" ++ CXX="$CXX $switch" ++ AC_COMPILE_IFELSE([AC_LANG_SOURCE([_AX_CXX_COMPILE_STDCXX_testbody_$1])], ++ [eval $cachevar=yes], ++ [eval $cachevar=no]) ++ CXX="$ac_save_CXX"]) ++ if eval test x\$$cachevar = xyes; then ++ CXX="$CXX $switch" ++ if test -n "$CXXCPP" ; then ++ CXXCPP="$CXXCPP $switch" ++ fi ++ ac_success=yes ++ break ++ fi ++ done ++ fi]) ++ ++ m4_if([$2], [ext], [], [dnl ++ if test x$ac_success = xno; then ++ dnl HP's aCC needs +std=c++11 according to: ++ dnl http://h21007.www2.hp.com/portal/download/files/unprot/aCxx/PDF_Release_Notes/769149-001.pdf ++ dnl Cray's crayCC needs "-h std=c++11" ++ dnl MSVC needs -std:c++NN for C++17 and later (default is C++14) ++ for alternative in ${ax_cxx_compile_alternatives}; do ++ for switch in -std=c++${alternative} +std=c++${alternative} "-h std=c++${alternative}" MSVC; do ++ if test x"$switch" = xMSVC; then ++ dnl AS_TR_SH maps both `:` and `=` to `_` so -std:c++17 would collide ++ dnl with -std=c++17. We suffix the cache variable name with _MSVC to ++ dnl avoid this. ++ switch=-std:c++${alternative} ++ cachevar=AS_TR_SH([ax_cv_cxx_compile_cxx$1_${switch}_MSVC]) ++ else ++ cachevar=AS_TR_SH([ax_cv_cxx_compile_cxx$1_$switch]) ++ fi ++ AC_CACHE_CHECK(whether $CXX supports C++$1 features with $switch, ++ $cachevar, ++ [ac_save_CXX="$CXX" ++ CXX="$CXX $switch" ++ AC_COMPILE_IFELSE([AC_LANG_SOURCE([_AX_CXX_COMPILE_STDCXX_testbody_$1])], ++ [eval $cachevar=yes], ++ [eval $cachevar=no]) ++ CXX="$ac_save_CXX"]) ++ if eval test x\$$cachevar = xyes; then ++ CXX="$CXX $switch" ++ if test -n "$CXXCPP" ; then ++ CXXCPP="$CXXCPP $switch" ++ fi ++ ac_success=yes ++ break ++ fi ++ done ++ if test x$ac_success = xyes; then ++ break ++ fi ++ done ++ fi]) ++ AC_LANG_POP([C++]) ++ if test x$ax_cxx_compile_cxx$1_required = xtrue; then ++ if test x$ac_success = xno; then ++ AC_MSG_ERROR([*** A compiler with support for C++$1 language features is required.]) ++ fi ++ fi ++ if test x$ac_success = xno; then ++ HAVE_CXX$1=0 ++ AC_MSG_NOTICE([No compiler with C++$1 support was found]) ++ else ++ HAVE_CXX$1=1 ++ AC_DEFINE(HAVE_CXX$1,1, ++ [define if the compiler supports basic C++$1 syntax]) ++ fi ++ AC_SUBST(HAVE_CXX$1) ++]) ++ ++ ++dnl Test body for checking C++11 support ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_11], ++ [_AX_CXX_COMPILE_STDCXX_testbody_new_in_11] ++) ++ ++dnl Test body for checking C++14 support ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_14], ++ [_AX_CXX_COMPILE_STDCXX_testbody_new_in_11 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_14] ++) ++ ++dnl Test body for checking C++17 support ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_17], ++ [_AX_CXX_COMPILE_STDCXX_testbody_new_in_11 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_14 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_17] ++) ++ ++dnl Test body for checking C++20 support ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_20], ++ [_AX_CXX_COMPILE_STDCXX_testbody_new_in_11 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_14 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_17 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_20] ++) ++ ++dnl Test body for checking C++23 support ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_23], ++ [_AX_CXX_COMPILE_STDCXX_testbody_new_in_11 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_14 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_17 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_20 ++ _AX_CXX_COMPILE_STDCXX_testbody_new_in_23] ++) ++ ++ ++dnl Tests for new features in C++11 ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_new_in_11], [[ ++ ++// If the compiler admits that it is not ready for C++11, why torture it? ++// Hopefully, this will speed up the test. ++ ++#ifndef __cplusplus ++ ++#error "This is not a C++ compiler" ++ ++// MSVC always sets __cplusplus to 199711L in older versions; newer versions ++// only set it correctly if /Zc:__cplusplus is specified as well as a ++// /std:c++NN switch: ++// ++// https://devblogs.microsoft.com/cppblog/msvc-now-correctly-reports-__cplusplus/ ++// ++// The value __cplusplus ought to have is available in _MSVC_LANG since ++// Visual Studio 2015 Update 3: ++// ++// https://learn.microsoft.com/en-us/cpp/preprocessor/predefined-macros ++// ++// This was also the first MSVC version to support C++14 so we can't use the ++// value of either __cplusplus or _MSVC_LANG to quickly rule out MSVC having ++// C++11 or C++14 support, but we can check _MSVC_LANG for C++17 and later. ++#elif __cplusplus < 201103L && !defined _MSC_VER ++ ++#error "This is not a C++11 compiler" ++ ++#else ++ ++namespace cxx11 ++{ ++ ++ namespace test_static_assert ++ { ++ ++ template ++ struct check ++ { ++ static_assert(sizeof(int) <= sizeof(T), "not big enough"); ++ }; ++ ++ } ++ ++ namespace test_final_override ++ { ++ ++ struct Base ++ { ++ virtual ~Base() {} ++ virtual void f() {} ++ }; ++ ++ struct Derived : public Base ++ { ++ virtual ~Derived() override {} ++ virtual void f() override {} ++ }; ++ ++ } ++ ++ namespace test_double_right_angle_brackets ++ { ++ ++ template < typename T > ++ struct check {}; ++ ++ typedef check single_type; ++ typedef check> double_type; ++ typedef check>> triple_type; ++ typedef check>>> quadruple_type; ++ ++ } ++ ++ namespace test_decltype ++ { ++ ++ int ++ f() ++ { ++ int a = 1; ++ decltype(a) b = 2; ++ return a + b; ++ } ++ ++ } ++ ++ namespace test_type_deduction ++ { ++ ++ template < typename T1, typename T2 > ++ struct is_same ++ { ++ static const bool value = false; ++ }; ++ ++ template < typename T > ++ struct is_same ++ { ++ static const bool value = true; ++ }; ++ ++ template < typename T1, typename T2 > ++ auto ++ add(T1 a1, T2 a2) -> decltype(a1 + a2) ++ { ++ return a1 + a2; ++ } ++ ++ int ++ test(const int c, volatile int v) ++ { ++ static_assert(is_same::value == true, ""); ++ static_assert(is_same::value == false, ""); ++ static_assert(is_same::value == false, ""); ++ auto ac = c; ++ auto av = v; ++ auto sumi = ac + av + 'x'; ++ auto sumf = ac + av + 1.0; ++ static_assert(is_same::value == true, ""); ++ static_assert(is_same::value == true, ""); ++ static_assert(is_same::value == true, ""); ++ static_assert(is_same::value == false, ""); ++ static_assert(is_same::value == true, ""); ++ return (sumf > 0.0) ? sumi : add(c, v); ++ } ++ ++ } ++ ++ namespace test_noexcept ++ { ++ ++ int f() { return 0; } ++ int g() noexcept { return 0; } ++ ++ static_assert(noexcept(f()) == false, ""); ++ static_assert(noexcept(g()) == true, ""); ++ ++ } ++ ++ namespace test_constexpr ++ { ++ ++ template < typename CharT > ++ unsigned long constexpr ++ strlen_c_r(const CharT *const s, const unsigned long acc) noexcept ++ { ++ return *s ? strlen_c_r(s + 1, acc + 1) : acc; ++ } ++ ++ template < typename CharT > ++ unsigned long constexpr ++ strlen_c(const CharT *const s) noexcept ++ { ++ return strlen_c_r(s, 0UL); ++ } ++ ++ static_assert(strlen_c("") == 0UL, ""); ++ static_assert(strlen_c("1") == 1UL, ""); ++ static_assert(strlen_c("example") == 7UL, ""); ++ static_assert(strlen_c("another\0example") == 7UL, ""); ++ ++ } ++ ++ namespace test_rvalue_references ++ { ++ ++ template < int N > ++ struct answer ++ { ++ static constexpr int value = N; ++ }; ++ ++ answer<1> f(int&) { return answer<1>(); } ++ answer<2> f(const int&) { return answer<2>(); } ++ answer<3> f(int&&) { return answer<3>(); } ++ ++ void ++ test() ++ { ++ int i = 0; ++ const int c = 0; ++ static_assert(decltype(f(i))::value == 1, ""); ++ static_assert(decltype(f(c))::value == 2, ""); ++ static_assert(decltype(f(0))::value == 3, ""); ++ } ++ ++ } ++ ++ namespace test_uniform_initialization ++ { ++ ++ struct test ++ { ++ static const int zero {}; ++ static const int one {1}; ++ }; ++ ++ static_assert(test::zero == 0, ""); ++ static_assert(test::one == 1, ""); ++ ++ } ++ ++ namespace test_lambdas ++ { ++ ++ void ++ test1() ++ { ++ auto lambda1 = [](){}; ++ auto lambda2 = lambda1; ++ lambda1(); ++ lambda2(); ++ } ++ ++ int ++ test2() ++ { ++ auto a = [](int i, int j){ return i + j; }(1, 2); ++ auto b = []() -> int { return '0'; }(); ++ auto c = [=](){ return a + b; }(); ++ auto d = [&](){ return c; }(); ++ auto e = [a, &b](int x) mutable { ++ const auto identity = [](int y){ return y; }; ++ for (auto i = 0; i < a; ++i) ++ a += b--; ++ return x + identity(a + b); ++ }(0); ++ return a + b + c + d + e; ++ } ++ ++ int ++ test3() ++ { ++ const auto nullary = [](){ return 0; }; ++ const auto unary = [](int x){ return x; }; ++ using nullary_t = decltype(nullary); ++ using unary_t = decltype(unary); ++ const auto higher1st = [](nullary_t f){ return f(); }; ++ const auto higher2nd = [unary](nullary_t f1){ ++ return [unary, f1](unary_t f2){ return f2(unary(f1())); }; ++ }; ++ return higher1st(nullary) + higher2nd(nullary)(unary); ++ } ++ ++ } ++ ++ namespace test_variadic_templates ++ { ++ ++ template ++ struct sum; ++ ++ template ++ struct sum ++ { ++ static constexpr auto value = N0 + sum::value; ++ }; ++ ++ template <> ++ struct sum<> ++ { ++ static constexpr auto value = 0; ++ }; ++ ++ static_assert(sum<>::value == 0, ""); ++ static_assert(sum<1>::value == 1, ""); ++ static_assert(sum<23>::value == 23, ""); ++ static_assert(sum<1, 2>::value == 3, ""); ++ static_assert(sum<5, 5, 11>::value == 21, ""); ++ static_assert(sum<2, 3, 5, 7, 11, 13>::value == 41, ""); ++ ++ } ++ ++ // http://stackoverflow.com/questions/13728184/template-aliases-and-sfinae ++ // Clang 3.1 fails with headers of libstd++ 4.8.3 when using std::function ++ // because of this. ++ namespace test_template_alias_sfinae ++ { ++ ++ struct foo {}; ++ ++ template ++ using member = typename T::member_type; ++ ++ template ++ void func(...) {} ++ ++ template ++ void func(member*) {} ++ ++ void test(); ++ ++ void test() { func(0); } ++ ++ } ++ ++} // namespace cxx11 ++ ++#endif // __cplusplus >= 201103L ++ ++]]) ++ ++ ++dnl Tests for new features in C++14 ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_new_in_14], [[ ++ ++// If the compiler admits that it is not ready for C++14, why torture it? ++// Hopefully, this will speed up the test. ++ ++#ifndef __cplusplus ++ ++#error "This is not a C++ compiler" ++ ++#elif __cplusplus < 201402L && !defined _MSC_VER ++ ++#error "This is not a C++14 compiler" ++ ++#else ++ ++namespace cxx14 ++{ ++ ++ namespace test_polymorphic_lambdas ++ { ++ ++ int ++ test() ++ { ++ const auto lambda = [](auto&&... args){ ++ const auto istiny = [](auto x){ ++ return (sizeof(x) == 1UL) ? 1 : 0; ++ }; ++ const int aretiny[] = { istiny(args)... }; ++ return aretiny[0]; ++ }; ++ return lambda(1, 1L, 1.0f, '1'); ++ } ++ ++ } ++ ++ namespace test_binary_literals ++ { ++ ++ constexpr auto ivii = 0b0000000000101010; ++ static_assert(ivii == 42, "wrong value"); ++ ++ } ++ ++ namespace test_generalized_constexpr ++ { ++ ++ template < typename CharT > ++ constexpr unsigned long ++ strlen_c(const CharT *const s) noexcept ++ { ++ auto length = 0UL; ++ for (auto p = s; *p; ++p) ++ ++length; ++ return length; ++ } ++ ++ static_assert(strlen_c("") == 0UL, ""); ++ static_assert(strlen_c("x") == 1UL, ""); ++ static_assert(strlen_c("test") == 4UL, ""); ++ static_assert(strlen_c("another\0test") == 7UL, ""); ++ ++ } ++ ++ namespace test_lambda_init_capture ++ { ++ ++ int ++ test() ++ { ++ auto x = 0; ++ const auto lambda1 = [a = x](int b){ return a + b; }; ++ const auto lambda2 = [a = lambda1(x)](){ return a; }; ++ return lambda2(); ++ } ++ ++ } ++ ++ namespace test_digit_separators ++ { ++ ++ constexpr auto ten_million = 100'000'000; ++ static_assert(ten_million == 100000000, ""); ++ ++ } ++ ++ namespace test_return_type_deduction ++ { ++ ++ auto f(int& x) { return x; } ++ decltype(auto) g(int& x) { return x; } ++ ++ template < typename T1, typename T2 > ++ struct is_same ++ { ++ static constexpr auto value = false; ++ }; ++ ++ template < typename T > ++ struct is_same ++ { ++ static constexpr auto value = true; ++ }; ++ ++ int ++ test() ++ { ++ auto x = 0; ++ static_assert(is_same::value, ""); ++ static_assert(is_same::value, ""); ++ return x; ++ } ++ ++ } ++ ++} // namespace cxx14 ++ ++#endif // __cplusplus >= 201402L ++ ++]]) ++ ++ ++dnl Tests for new features in C++17 ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_new_in_17], [[ ++ ++// If the compiler admits that it is not ready for C++17, why torture it? ++// Hopefully, this will speed up the test. ++ ++#ifndef __cplusplus ++ ++#error "This is not a C++ compiler" ++ ++#elif (defined _MSVC_LANG ? _MSVC_LANG : __cplusplus) < 201703L ++ ++#error "This is not a C++17 compiler" ++ ++#else ++ ++#include ++#include ++#include ++ ++namespace cxx17 ++{ ++ ++ namespace test_constexpr_lambdas ++ { ++ ++ constexpr int foo = [](){return 42;}(); ++ ++ } ++ ++ namespace test::nested_namespace::definitions ++ { ++ ++ } ++ ++ namespace test_fold_expression ++ { ++ ++ template ++ int multiply(Args... args) ++ { ++ return (args * ... * 1); ++ } ++ ++ template ++ bool all(Args... args) ++ { ++ return (args && ...); ++ } ++ ++ } ++ ++ namespace test_extended_static_assert ++ { ++ ++ static_assert (true); ++ ++ } ++ ++ namespace test_auto_brace_init_list ++ { ++ ++ auto foo = {5}; ++ auto bar {5}; ++ ++ static_assert(std::is_same, decltype(foo)>::value); ++ static_assert(std::is_same::value); ++ } ++ ++ namespace test_typename_in_template_template_parameter ++ { ++ ++ template typename X> struct D; ++ ++ } ++ ++ namespace test_fallthrough_nodiscard_maybe_unused_attributes ++ { ++ ++ int f1() ++ { ++ return 42; ++ } ++ ++ [[nodiscard]] int f2() ++ { ++ [[maybe_unused]] auto unused = f1(); ++ ++ switch (f1()) ++ { ++ case 17: ++ f1(); ++ [[fallthrough]]; ++ case 42: ++ f1(); ++ } ++ return f1(); ++ } ++ ++ } ++ ++ namespace test_extended_aggregate_initialization ++ { ++ ++ struct base1 ++ { ++ int b1, b2 = 42; ++ }; ++ ++ struct base2 ++ { ++ base2() { ++ b3 = 42; ++ } ++ int b3; ++ }; ++ ++ struct derived : base1, base2 ++ { ++ int d; ++ }; ++ ++ derived d1 {{1, 2}, {}, 4}; // full initialization ++ derived d2 {{}, {}, 4}; // value-initialized bases ++ ++ } ++ ++ namespace test_general_range_based_for_loop ++ { ++ ++ struct iter ++ { ++ int i; ++ ++ int& operator* () ++ { ++ return i; ++ } ++ ++ const int& operator* () const ++ { ++ return i; ++ } ++ ++ iter& operator++() ++ { ++ ++i; ++ return *this; ++ } ++ }; ++ ++ struct sentinel ++ { ++ int i; ++ }; ++ ++ bool operator== (const iter& i, const sentinel& s) ++ { ++ return i.i == s.i; ++ } ++ ++ bool operator!= (const iter& i, const sentinel& s) ++ { ++ return !(i == s); ++ } ++ ++ struct range ++ { ++ iter begin() const ++ { ++ return {0}; ++ } ++ ++ sentinel end() const ++ { ++ return {5}; ++ } ++ }; ++ ++ void f() ++ { ++ range r {}; ++ ++ for (auto i : r) ++ { ++ [[maybe_unused]] auto v = i; ++ } ++ } ++ ++ } ++ ++ namespace test_lambda_capture_asterisk_this_by_value ++ { ++ ++ struct t ++ { ++ int i; ++ int foo() ++ { ++ return [*this]() ++ { ++ return i; ++ }(); ++ } ++ }; ++ ++ } ++ ++ namespace test_enum_class_construction ++ { ++ ++ enum class byte : unsigned char ++ {}; ++ ++ byte foo {42}; ++ ++ } ++ ++ namespace test_constexpr_if ++ { ++ ++ template ++ int f () ++ { ++ if constexpr(cond) ++ { ++ return 13; ++ } ++ else ++ { ++ return 42; ++ } ++ } ++ ++ } ++ ++ namespace test_selection_statement_with_initializer ++ { ++ ++ int f() ++ { ++ return 13; ++ } ++ ++ int f2() ++ { ++ if (auto i = f(); i > 0) ++ { ++ return 3; ++ } ++ ++ switch (auto i = f(); i + 4) ++ { ++ case 17: ++ return 2; ++ ++ default: ++ return 1; ++ } ++ } ++ ++ } ++ ++ namespace test_template_argument_deduction_for_class_templates ++ { ++ ++ template ++ struct pair ++ { ++ pair (T1 p1, T2 p2) ++ : m1 {p1}, ++ m2 {p2} ++ {} ++ ++ T1 m1; ++ T2 m2; ++ }; ++ ++ void f() ++ { ++ [[maybe_unused]] auto p = pair{13, 42u}; ++ } ++ ++ } ++ ++ namespace test_non_type_auto_template_parameters ++ { ++ ++ template ++ struct B ++ {}; ++ ++ B<5> b1; ++ B<'a'> b2; ++ ++ } ++ ++ namespace test_structured_bindings ++ { ++ ++ int arr[2] = { 1, 2 }; ++ std::pair pr = { 1, 2 }; ++ ++ auto f1() -> int(&)[2] ++ { ++ return arr; ++ } ++ ++ auto f2() -> std::pair& ++ { ++ return pr; ++ } ++ ++ struct S ++ { ++ int x1 : 2; ++ volatile double y1; ++ }; ++ ++ S f3() ++ { ++ return {}; ++ } ++ ++ auto [ x1, y1 ] = f1(); ++ auto& [ xr1, yr1 ] = f1(); ++ auto [ x2, y2 ] = f2(); ++ auto& [ xr2, yr2 ] = f2(); ++ const auto [ x3, y3 ] = f3(); ++ ++ } ++ ++ namespace test_exception_spec_type_system ++ { ++ ++ struct Good {}; ++ struct Bad {}; ++ ++ void g1() noexcept; ++ void g2(); ++ ++ template ++ Bad ++ f(T*, T*); ++ ++ template ++ Good ++ f(T1*, T2*); ++ ++ static_assert (std::is_same_v); ++ ++ } ++ ++ namespace test_inline_variables ++ { ++ ++ template void f(T) ++ {} ++ ++ template inline T g(T) ++ { ++ return T{}; ++ } ++ ++ template<> inline void f<>(int) ++ {} ++ ++ template<> int g<>(int) ++ { ++ return 5; ++ } ++ ++ } ++ ++} // namespace cxx17 ++ ++#endif // (defined _MSVC_LANG ? _MSVC_LANG : __cplusplus) < 201703L ++ ++]]) ++ ++ ++dnl Tests for new features in C++20 ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_new_in_20], [[ ++ ++#ifndef __cplusplus ++ ++#error "This is not a C++ compiler" ++ ++#elif (defined _MSVC_LANG ? _MSVC_LANG : __cplusplus) < 202002L ++ ++#error "This is not a C++20 compiler" ++ ++#else ++ ++#include ++ ++namespace cxx20 ++{ ++ ++// As C++20 supports feature test macros in the standard, there is no ++// immediate need to actually test for feature availability on the ++// Autoconf side. ++ ++} // namespace cxx20 ++ ++#endif // (defined _MSVC_LANG ? _MSVC_LANG : __cplusplus) < 202002L ++ ++]]) ++ ++ ++dnl Tests for new features in C++23 ++ ++m4_define([_AX_CXX_COMPILE_STDCXX_testbody_new_in_23], [[ ++ ++#ifndef __cplusplus ++ ++#error "This is not a C++ compiler" ++ ++#elif (defined _MSVC_LANG ? _MSVC_LANG : __cplusplus) < 202302L ++ ++#error "This is not a C++23 compiler" ++ ++#else ++ ++#include ++ ++namespace cxx23 ++{ ++ ++// As C++23 supports feature test macros in the standard, there is no ++// immediate need to actually test for feature availability on the ++// Autoconf side. ++ ++} // namespace cxx23 ++ ++#endif // (defined _MSVC_LANG ? _MSVC_LANG : __cplusplus) < 202302L ++ ++]]) + +From e00b7f9250e0b7dae44e6b9191be0aa31d8cb668 Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Sat, 7 Dec 2024 18:18:02 -0800 +Subject: [PATCH 3/9] Stop shipping atf-*-api(3) manpages + +These manpages have been deprecated for at least a release. Remove them +and all of the logic associated with them. + +Signed-off-by: Enji Cooper +--- + Makefile.am | 8 -------- + configure.ac | 3 --- + 2 files changed, 11 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 913910c2..d202fd1d 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -114,12 +114,4 @@ clean-all: + + .PHONY: $(PHONY_TARGETS) + +-# TODO(jmmv): Remove after atf 0.22. +-install-data-hook: +- cd $(DESTDIR)$(man3dir) && \ +- for binding in c c++ sh; do \ +- rm -f "atf-$${binding}-api.3"; \ +- $(LN_S) "atf-$${binding}.3" "atf-$${binding}-api.3"; \ +- done +- + # vim: syntax=make:noexpandtab:shiftwidth=8:softtabstop=8 +diff --git a/configure.ac b/configure.ac +index 6d802144..a2d68cee 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -74,9 +74,6 @@ fi + + KYUA_DEVELOPER_MODE([C,C++]) + +-dnl TODO(jmmv): Remove once the atf-*-api.3 symlinks are removed. +-AC_PROG_LN_S +- + ATF_MODULE_APPLICATION + ATF_MODULE_DEFS + ATF_MODULE_ENV + +From aa0fe99ef3de0f31dbaefb5268015258478d0ba4 Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Sat, 7 Dec 2024 18:20:47 -0800 +Subject: [PATCH 4/9] Expose WCOREDUMP(..) in a deterministic manner + +WCOREDUMP is considered an extension to the POSIX spec on multiple +platforms, and thus is not automatically exposed on all platforms. Add the +relevant preprocessor defines to config.h via autoconf, then leverage them +in atf-c(3). + +This helps ensure that the platforms which support WCOREDUMP properly +expose the macro. + +Signed-off-by: Enji Cooper +--- + atf-c/detail/process.c | 2 ++ + configure.ac | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/atf-c/detail/process.c b/atf-c/detail/process.c +index 567d28ec..84bb4882 100644 +--- a/atf-c/detail/process.c ++++ b/atf-c/detail/process.c +@@ -23,6 +23,8 @@ + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN + * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + ++#include "config.h" ++ + #include "atf-c/detail/process.h" + + #include +diff --git a/configure.ac b/configure.ac +index a2d68cee..3a88354b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -58,6 +58,8 @@ AM_PROG_CC_C_O + dnl The C compiler check automatically aborts if the compiler does not work. + dnl Nothing to do here. + ++AC_USE_SYSTEM_EXTENSIONS ++ + AC_PROG_CXX + AC_LANG_COMPILER(C++) + AX_CXX_COMPILE_STDCXX(14, noext, mandatory) + +From deee8f2628847e3fff6fd2af04f163fadee4c61c Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Tue, 10 Dec 2024 14:26:58 -0800 +Subject: [PATCH 5/9] Add compiler feature detection for + `__attribute__((nonnull))` + +This feature is being detected so several functions can be appropriately +marked as taking non-NULL/-nullptr parameters, and the compiler and static +analyzers can (in turn) make intelligent decisions when optimizing and +analyzing code, respectively. + +Signed-off-by: Enji Cooper +--- + atf-c/defs.h.in | 1 + + m4/module-defs.m4 | 21 +++++++++++++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/atf-c/defs.h.in b/atf-c/defs.h.in +index 6059e7fd..5346e56a 100644 +--- a/atf-c/defs.h.in ++++ b/atf-c/defs.h.in +@@ -27,6 +27,7 @@ + #define ATF_C_DEFS_H + + #define ATF_DEFS_ATTRIBUTE_FORMAT_PRINTF(a, b) @ATTRIBUTE_FORMAT_PRINTF@ ++#define ATF_DEFS_ATTRIBUTE_NONNULL @ATTRIBUTE_NONNULL@ + #define ATF_DEFS_ATTRIBUTE_NORETURN @ATTRIBUTE_NORETURN@ + #define ATF_DEFS_ATTRIBUTE_UNUSED @ATTRIBUTE_UNUSED@ + +diff --git a/m4/module-defs.m4 b/m4/module-defs.m4 +index b1c9cc84..feb3df27 100644 +--- a/m4/module-defs.m4 ++++ b/m4/module-defs.m4 +@@ -54,6 +54,26 @@ test_printf(const char *format, ...) + AC_SUBST([ATTRIBUTE_FORMAT_PRINTF], [${value}]) + ]) + ++AC_DEFUN([ATF_ATTRIBUTE_NONNULL], [ ++ AC_CACHE_CHECK( ++ [whether __attribute__((nonnull)) is supported], ++ [kyua_cv_attribute_nonnull], [ ++ AC_COMPILE_IFELSE( ++ [AC_LANG_PROGRAM([ ++void func(char *foo __attribute__((nonnull))); ++])], ++ [kyua_cv_attribute_nonnull=yes], ++ [kyua_cv_attribute_nonnull=no]) ++ ]) ++ if test x"${kyua_cv_attribute_nonnull}" = xyes; then ++ value="__attribute__((nonnull))" ++ else ++ value="" ++ fi ++ AC_SUBST([ATTRIBUTE_NONNULL], [${value}]) ++]) ++ ++ + AC_DEFUN([ATF_ATTRIBUTE_NORETURN], [ + dnl XXX This check is overly simple and should be fixed. For example, + dnl Sun's cc does support the noreturn attribute but CC (the C++ +@@ -103,6 +123,7 @@ function(int a __attribute__((__unused__))) + + AC_DEFUN([ATF_MODULE_DEFS], [ + ATF_ATTRIBUTE_FORMAT_PRINTF ++ ATF_ATTRIBUTE_NONNULL + ATF_ATTRIBUTE_NORETURN + ATF_ATTRIBUTE_UNUSED + ]) + +From 1ca4688b87e8bcb3bfc5c05ef61b385d59019383 Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Wed, 25 Dec 2024 11:31:12 -0800 +Subject: [PATCH 6/9] Restore AC_PROG_CPP + +This was accidentally deleted post-0.21 release. It's still needed by +tests and build infrastructure. + +Signed-off-by: Enji Cooper +--- + configure.ac | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/configure.ac b/configure.ac +index 3a88354b..e42ee5e1 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -62,6 +62,7 @@ AC_USE_SYSTEM_EXTENSIONS + + AC_PROG_CXX + AC_LANG_COMPILER(C++) ++AC_PROG_CPP + AX_CXX_COMPILE_STDCXX(14, noext, mandatory) + AC_CACHE_CHECK([whether the C++ compiler works], + [atf_cv_prog_cxx_works], + +From bff968f5a164a81819046c55881e6083a7607dcf Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Sat, 7 Dec 2024 18:12:02 -0800 +Subject: [PATCH 7/9] atf-c/detail/env.c: remove unnecessary complexity + +The libcalls used have been in the POSIX standard since 2008.1. Require +them to be present instead of conditionally hoping they're present. + +This fixes an issue where the autoconf code was messing up with a +combination of clang tools, which resulted in the autoconf code failing +to properly determine whether or not the functions were available. + +Signed-off-by: Enji Cooper +--- + atf-c/detail/env.c | 41 +++-------------------------------------- + configure.ac | 1 - + m4/module-env.m4 | 28 ---------------------------- + 3 files changed, 3 insertions(+), 67 deletions(-) + delete mode 100644 m4/module-env.m4 + +diff --git a/atf-c/detail/env.c b/atf-c/detail/env.c +index 8ee3d697..36de217c 100644 +--- a/atf-c/detail/env.c ++++ b/atf-c/detail/env.c +@@ -25,10 +25,6 @@ + + #include "atf-c/detail/env.h" + +-#if defined(HAVE_CONFIG_H) +-#include "config.h" +-#endif +- + #include + #include + +@@ -65,25 +61,11 @@ atf_env_set(const char *name, const char *val) + { + atf_error_t err; + +-#if defined(HAVE_SETENV) + if (setenv(name, val, 1) == -1) +- err = atf_libc_error(errno, "Cannot set environment variable " +- "'%s' to '%s'", name, val); ++ err = atf_libc_error(errno, ++ "Cannot set environment variable '%s' to '%s'", name, val); + else + err = atf_no_error(); +-#elif defined(HAVE_PUTENV) +- char *buf; +- +- err = atf_text_format(&buf, "%s=%s", name, val); +- if (!atf_is_error(err)) { +- if (putenv(buf) == -1) +- err = atf_libc_error(errno, "Cannot set environment variable " +- "'%s' to '%s'", name, val); +- free(buf); +- } +-#else +-# error "Don't know how to set an environment variable." +-#endif + + return err; + } +@@ -91,24 +73,7 @@ atf_env_set(const char *name, const char *val) + atf_error_t + atf_env_unset(const char *name) + { +- atf_error_t err; + +-#if defined(HAVE_UNSETENV) + unsetenv(name); +- err = atf_no_error(); +-#elif defined(HAVE_PUTENV) +- char *buf; +- +- err = atf_text_format(&buf, "%s=", name); +- if (!atf_is_error(err)) { +- if (putenv(buf) == -1) +- err = atf_libc_error(errno, "Cannot unset environment variable" +- " '%s'", name); +- free(buf); +- } +-#else +-# error "Don't know how to unset an environment variable." +-#endif +- +- return err; ++ return (atf_no_error()); + } +diff --git a/configure.ac b/configure.ac +index e42ee5e1..00ee124c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -79,7 +79,6 @@ KYUA_DEVELOPER_MODE([C,C++]) + + ATF_MODULE_APPLICATION + ATF_MODULE_DEFS +-ATF_MODULE_ENV + ATF_MODULE_FS + + ATF_RUNTIME_TOOL([ATF_BUILD_CC], +diff --git a/m4/module-env.m4 b/m4/module-env.m4 +deleted file mode 100644 +index 963aab38..00000000 +--- a/m4/module-env.m4 ++++ /dev/null +@@ -1,28 +0,0 @@ +-dnl Copyright (c) 2007 The NetBSD Foundation, Inc. +-dnl All rights reserved. +-dnl +-dnl Redistribution and use in source and binary forms, with or without +-dnl modification, are permitted provided that the following conditions +-dnl are met: +-dnl 1. Redistributions of source code must retain the above copyright +-dnl notice, this list of conditions and the following disclaimer. +-dnl 2. Redistributions in binary form must reproduce the above copyright +-dnl notice, this list of conditions and the following disclaimer in the +-dnl documentation and/or other materials provided with the distribution. +-dnl +-dnl THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND +-dnl CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +-dnl INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +-dnl MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +-dnl IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY +-dnl DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +-dnl DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE +-dnl GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +-dnl INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER +-dnl IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +-dnl OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +-dnl IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +- +-AC_DEFUN([ATF_MODULE_ENV], [ +- AC_CHECK_FUNCS([putenv setenv unsetenv]) +-]) + +From 402b9362d01448074c4d2d91a8c770e591577167 Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Wed, 25 Dec 2024 17:19:28 -0800 +Subject: [PATCH 8/9] Remove ATF_BUILD_CXX require.progs check + +This particular check unfortunately doesn't work when ATF_BUILD_CXX +contains multiple CXXFLAGS, or contains a path with spaces in it. Remove +this check to unbreak the dependent tests +post-793d4640031dc06ce8a239ffa9ab61322104c4ca. + +Signed-off-by: Enji Cooper +--- + atf-c++/detail/test_helpers.hpp | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/atf-c++/detail/test_helpers.hpp b/atf-c++/detail/test_helpers.hpp +index c1171801..1c4c316f 100644 +--- a/atf-c++/detail/test_helpers.hpp ++++ b/atf-c++/detail/test_helpers.hpp +@@ -45,8 +45,6 @@ + { \ + set_md_var("descr", "Tests that the " hdrname " file can be " \ + "included on its own, without any prerequisites"); \ +- const std::string cxx = atf::env::get("ATF_BUILD_CXX", ATF_BUILD_CXX); \ +- set_md_var("require.progs", cxx); \ + } \ + ATF_TEST_CASE_BODY(name) \ + { \ +@@ -58,8 +56,6 @@ + ATF_TEST_CASE_HEAD(name) \ + { \ + set_md_var("descr", descr); \ +- const std::string cxx = atf::env::get("ATF_BUILD_CXX", ATF_BUILD_CXX); \ +- set_md_var("require.progs", cxx); \ + } \ + ATF_TEST_CASE_BODY(name) \ + { \ + +From f054eebc616577d973fa6f3b4ec440bb29671c20 Mon Sep 17 00:00:00 2001 +From: Enji Cooper +Date: Wed, 25 Dec 2024 20:17:15 -0800 +Subject: [PATCH 9/9] Remove redundant C++ toolchain check + +The C++ toolchain is sanity checked when C++14 conformance is checked; +there's no reason why we need to check whether or not the C++ toolchain +works again. + +Signed-off-by: Enji Cooper +--- + configure.ac | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 00ee124c..e36f9817 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -64,16 +64,6 @@ AC_PROG_CXX + AC_LANG_COMPILER(C++) + AC_PROG_CPP + AX_CXX_COMPILE_STDCXX(14, noext, mandatory) +-AC_CACHE_CHECK([whether the C++ compiler works], +- [atf_cv_prog_cxx_works], +- [AC_LANG_PUSH([C++]) +- AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], +- [atf_cv_prog_cxx_works=yes], +- [atf_cv_prog_cxx_works=no]) +- AC_LANG_POP]) +-if test "${atf_cv_prog_cxx_works}" = no; then +- AC_MSG_ERROR([C++ compiler cannot create executables]) +-fi + + KYUA_DEVELOPER_MODE([C,C++]) + diff --git a/pkgs/by-name/cu/curlMinimal/fix-eventfd-free.patch b/pkgs/by-name/cu/curlMinimal/fix-eventfd-free.patch new file mode 100644 index 0000000000000..5b0979fd4cbdc --- /dev/null +++ b/pkgs/by-name/cu/curlMinimal/fix-eventfd-free.patch @@ -0,0 +1,33 @@ +From ff5091aa9f73802e894b1cbdf24ab84e103200e2 Mon Sep 17 00:00:00 2001 +From: Andy Pan +Date: Thu, 12 Dec 2024 12:48:56 +0000 +Subject: [PATCH] async-thread: avoid closing eventfd twice + +When employing eventfd for socketpair, there is only one file +descriptor. Closing that fd twice might result in fd corruption. +Thus, we should avoid closing the eventfd twice, following the +pattern in lib/multi.c. + +Fixes #15725 +Closes #15727 +Reported-by: Christian Heusel +--- + lib/asyn-thread.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c +index a58e4b790494..32d496b107cb 100644 +--- a/lib/asyn-thread.c ++++ b/lib/asyn-thread.c +@@ -195,9 +195,11 @@ void destroy_thread_sync_data(struct thread_sync_data *tsd) + * close one end of the socket pair (may be done in resolver thread); + * the other end (for reading) is always closed in the parent thread. + */ ++#ifndef USE_EVENTFD + if(tsd->sock_pair[1] != CURL_SOCKET_BAD) { + wakeup_close(tsd->sock_pair[1]); + } ++#endif + #endif + memset(tsd, 0, sizeof(*tsd)); + } diff --git a/pkgs/by-name/cu/curlMinimal/package.nix b/pkgs/by-name/cu/curlMinimal/package.nix index 2716d08839a41..445fe9f8e2942 100644 --- a/pkgs/by-name/cu/curlMinimal/package.nix +++ b/pkgs/by-name/cu/curlMinimal/package.nix @@ -59,6 +59,12 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-x8p9tIsJCXQ+rvNCUNoCwZvGHU8dzt1mA/EJQJU2q1Y="; }; + # FIXME: avoid rebuilding lots of darwin packages for now; eventfd looks linux-only + patches = lib.optionals stdenv.isLinux [ + # https://github.com/curl/curl/issues/15725 + ./fix-eventfd-free.patch + ]; + # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion # necessary for FreeBSD code path in configure postPatch = '' diff --git a/pkgs/by-name/hw/hwdata/package.nix b/pkgs/by-name/hw/hwdata/package.nix index 2eefae34d4fcd..10b24a35a2e68 100644 --- a/pkgs/by-name/hw/hwdata/package.nix +++ b/pkgs/by-name/hw/hwdata/package.nix @@ -6,13 +6,13 @@ stdenv.mkDerivation rec { pname = "hwdata"; - version = "0.388"; + version = "0.390"; src = fetchFromGitHub { owner = "vcrhonek"; repo = "hwdata"; rev = "v${version}"; - hash = "sha256-MTXRvqhzNI4afOWLWY6bvv84Q/MXVTsn0w9awRIDAEU="; + hash = "sha256-DexmtBKe1rrmvHMVk8P20hBLfdP1x6CWx/F1s4lDnK4="; }; configureFlags = [ "--datadir=${placeholder "out"}/share" ]; diff --git a/pkgs/by-name/op/openjpeg/package.nix b/pkgs/by-name/op/openjpeg/package.nix index 0bfa1067a7f77..2518ed29e8cfb 100644 --- a/pkgs/by-name/op/openjpeg/package.nix +++ b/pkgs/by-name/op/openjpeg/package.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchFromGitHub, cmake, pkg-config +{ lib, stdenv, fetchFromGitHub, fetchpatch, cmake, pkg-config , libpng, libtiff, zlib, lcms2, jpylyzer , jpipLibSupport ? false # JPIP library & executables , jpipServerSupport ? false, curl, fcgi # JPIP Server @@ -32,6 +32,21 @@ stdenv.mkDerivation rec { hash = "sha256-mQ9B3MJY2/bg0yY/7jUJrAXM6ozAHT5fmwES5Q1SGxw="; }; + patches = [ + (fetchpatch { + # https://github.com/uclouvain/openjpeg/issues/1564 + name = "CVE-2024-56826_ISSUE1564.patch"; + url = "https://github.com/uclouvain/openjpeg/commit/e492644fbded4c820ca55b5e50e598d346e850e8.patch"; + hash = "sha256-v+odu4/MXRA+RKOlPO+m/Xk66BMH6mOcEN4ScHn3VAo="; + }) + (fetchpatch { + # https://github.com/uclouvain/openjpeg/issues/1563 + name = "CVE-2024-56826_ISSUE1563.patch"; + url = "https://github.com/uclouvain/openjpeg/commit/98592ee6d6904f1b48e8207238779b89a63befa2.patch"; + hash = "sha256-1ScnEZAPuvclyRME5kbeo7dBMG31Njs5CaYC4sGyx08="; + }) + ]; + outputs = [ "out" "dev" ]; cmakeFlags = [ diff --git a/pkgs/by-name/re/redis/package.nix b/pkgs/by-name/re/redis/package.nix index 5e008b7d4d900..8e6b697aaa39f 100644 --- a/pkgs/by-name/re/redis/package.nix +++ b/pkgs/by-name/re/redis/package.nix @@ -2,7 +2,6 @@ lib, stdenv, fetchurl, - fetchpatch, lua, jemalloc, pkg-config, @@ -25,29 +24,20 @@ stdenv.mkDerivation (finalAttrs: { pname = "redis"; - version = "7.2.6"; + version = "7.2.7"; src = fetchurl { url = "https://download.redis.io/releases/redis-${finalAttrs.version}.tar.gz"; - hash = "sha256-+xDWei/itFVvbLhABk3W5uMXXOjKA18HJpkOwtqfPQ4="; + hash = "sha256-csCB47jPrnFEJz0m12c28IMZAAr0bAFRXK1dKXZc6tU="; }; - patches = - [ - # fixes: make test [exception]: Executing test client: permission denied - # https://github.com/redis/redis/issues/12792 - (fetchpatch { - url = "https://github.com/redis/redis/pull/12887.diff"; - hash = "sha256-VZEMShW7Ckn5hLJHffQvE94Uly41WZW1bwvxny+Y3W8="; - }) - ] - ++ lib.optionals useSystemJemalloc [ - # use system jemalloc - (fetchurl { - url = "https://gitlab.archlinux.org/archlinux/packaging/packages/redis/-/raw/102cc861713c796756abd541bf341a4512eb06e6/redis-5.0-use-system-jemalloc.patch"; - hash = "sha256-VPRfoSnctkkkzLrXEWQX3Lh5HmZaCXoJafyOG007KzM="; - }) - ]; + patches = lib.optionals useSystemJemalloc [ + # use system jemalloc + (fetchurl { + url = "https://gitlab.archlinux.org/archlinux/packaging/packages/redis/-/raw/102cc861713c796756abd541bf341a4512eb06e6/redis-5.0-use-system-jemalloc.patch"; + hash = "sha256-VPRfoSnctkkkzLrXEWQX3Lh5HmZaCXoJafyOG007KzM="; + }) + ]; nativeBuildInputs = [ pkg-config ]; diff --git a/pkgs/development/compilers/go/1.23.nix b/pkgs/development/compilers/go/1.23.nix index 4d056b1504493..4abc239546249 100644 --- a/pkgs/development/compilers/go/1.23.nix +++ b/pkgs/development/compilers/go/1.23.nix @@ -50,11 +50,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "go"; - version = "1.23.3"; + version = "1.23.5"; src = fetchurl { url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz"; - hash = "sha256-jWp3MySHVXxq+iQhExtQ+D20rjxXnDvHLmcO4faWhZk="; + hash = "sha256-pvP0u9PmvdYm95tmjyEvu1ZJ2vdQhPt5tnigrk2XQjs="; }; strictDeps = true; @@ -94,7 +94,7 @@ stdenv.mkDerivation (finalAttrs: { inherit tzdata; }) ./remove-tools-1.11.patch - ./go_no_vendor_checks-1.22.patch + ./go_no_vendor_checks-1.23.patch ]; GOOS = if stdenv.targetPlatform.isWasi then "wasip1" else stdenv.targetPlatform.parsed.kernel.name; diff --git a/pkgs/development/compilers/go/go_no_vendor_checks-1.23.patch b/pkgs/development/compilers/go/go_no_vendor_checks-1.23.patch new file mode 100644 index 0000000000000..eaffb1bef6481 --- /dev/null +++ b/pkgs/development/compilers/go/go_no_vendor_checks-1.23.patch @@ -0,0 +1,26 @@ +diff --git a/src/cmd/go/internal/modload/import.go b/src/cmd/go/internal/modload/import.go +index a3105b6b6d..0e10154a70 100644 +--- a/src/cmd/go/internal/modload/import.go ++++ b/src/cmd/go/internal/modload/import.go +@@ -345,7 +345,7 @@ func importFromModules(ctx context.Context, path string, rs *Requirements, mg *M + // vendor/modules.txt does not exist or the user manually added directories to the vendor directory. + // Go 1.23 and later require vendored packages to be present in modules.txt to be imported. + _, ok := vendorPkgModule[path] +- if ok || (gover.Compare(MainModules.GoVersion(), gover.ExplicitModulesTxtImportVersion) < 0) { ++ if ok || (gover.Compare(MainModules.GoVersion(), gover.ExplicitModulesTxtImportVersion) < 0) || os.Getenv("GO_NO_VENDOR_CHECKS") == "1" { + mods = append(mods, vendorPkgModule[path]) + dirs = append(dirs, dir) + roots = append(roots, vendorDir) +diff --git a/src/cmd/go/internal/modload/vendor.go b/src/cmd/go/internal/modload/vendor.go +index b2cb44100e..05bf3829d5 100644 +--- a/src/cmd/go/internal/modload/vendor.go ++++ b/src/cmd/go/internal/modload/vendor.go +@@ -159,7 +159,7 @@ func checkVendorConsistency(indexes []*modFileIndex, modFiles []*modfile.File, m + panic(fmt.Errorf("not in workspace mode but number of indexes is %v, not 1", len(indexes))) + } + index := indexes[0] +- if gover.Compare(index.goVersion, "1.14") < 0 { ++ if gover.Compare(index.goVersion, "1.14") < 0 || (os.Getenv("GO_NO_VENDOR_CHECKS") == "1" && len(vendorMeta) == 0) { + // Go versions before 1.14 did not include enough information in + // vendor/modules.txt to check for consistency. + // If we know that we're on an earlier version, relax the consistency check. diff --git a/pkgs/development/libraries/gtk/4.x.nix b/pkgs/development/libraries/gtk/4.x.nix index 8a79a06560fc1..80c8ca5ae24b2 100644 --- a/pkgs/development/libraries/gtk/4.x.nix +++ b/pkgs/development/libraries/gtk/4.x.nix @@ -70,7 +70,7 @@ in stdenv.mkDerivation (finalAttrs: { pname = "gtk4"; - version = "4.16.3"; + version = "4.16.7"; outputs = [ "out" "dev" ] ++ lib.optionals x11Support [ "devdoc" ]; outputBin = "dev"; @@ -82,7 +82,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = with finalAttrs; "mirror://gnome/sources/gtk/${lib.versions.majorMinor version}/gtk-${version}.tar.xz"; - hash = "sha256-LsU+B9GMnwA7OeSmqDgFTZJZ4Ei2xMBdgMDQWqch2UQ="; + hash = "sha256-UwPHYk4VpIiAWRud3UM4mvuj3k+5KiGXGVGbsWQs49w="; }; depsBuildBuild = [ diff --git a/pkgs/development/libraries/qt-6/modules/qtwayland.nix b/pkgs/development/libraries/qt-6/modules/qtwayland.nix index ac8c570c900ca..02e8a12bc9d36 100644 --- a/pkgs/development/libraries/qt-6/modules/qtwayland.nix +++ b/pkgs/development/libraries/qt-6/modules/qtwayland.nix @@ -37,13 +37,20 @@ qtModule { url = "https://invent.kde.org/qt/qt/qtwayland/-/commit/24002ac6cbd01dbde4944b63c1f7c87ed2bd72b5.patch"; hash = "sha256-Lz4Gv6FLhFGv7dVpqqcss6/w5jsGA8SKaNeWMHT0A/A="; }) - ]; - # Replace vendored wayland.xml with our matching version - # FIXME: remove when upstream updates past 1.23 - postPatch = '' - cp ${wayland-scanner}/share/wayland/wayland.xml src/3rdparty/protocol/wayland/wayland.xml - ''; + # run waylandscanner with private-code to avoid conflict with symbols from libwayland + # better solution for https://github.com/NixOS/nixpkgs/pull/337913 + (fetchpatch2 { + url = "https://invent.kde.org/qt/qt/qtwayland/-/commit/67f121cc4c3865aa3a93cf563caa1d9da3c92695.patch"; + hash = "sha256-uh5lecHlHCWyO1/EU5kQ00VS7eti3PEvPA2HBCL9K0k="; + }) + + # fix crash when attach differ shellsurface to the same shellsurfaceitem + (fetchpatch2 { + url = "https://invent.kde.org/qt/qt/qtwayland/-/commit/070414dd4155e13583e5e8b16bed1a5b68d32910.patch"; + hash = "sha256-JLTdSEbqM6OSijk0cgC419AdLE+PF5KbFh3ypgYUKz8="; + }) + ]; meta = { platforms = lib.platforms.unix; diff --git a/pkgs/development/python-modules/django/4.nix b/pkgs/development/python-modules/django/4.nix index dbb579300ab69..b437a8b75232f 100644 --- a/pkgs/development/python-modules/django/4.nix +++ b/pkgs/development/python-modules/django/4.nix @@ -44,7 +44,7 @@ buildPythonPackage rec { pname = "django"; - version = "4.2.17"; + version = "4.2.18"; format = "pyproject"; disabled = pythonOlder "3.8"; @@ -53,7 +53,7 @@ buildPythonPackage rec { owner = "django"; repo = "django"; rev = "refs/tags/${version}"; - hash = "sha256-G3PAG/fe4yG55699XS8rcWigF92J0Fke1qnUxRqOUnc="; + hash = "sha256-aOTfZDJsEfWHXxkvTgyc2E9ye3LpzHG1bJTo40Dke4I="; }; patches = diff --git a/pkgs/development/tools/profiling/sysprof/capture.nix b/pkgs/development/tools/profiling/sysprof/capture.nix index 00a7bdc6a01e5..6dd050841b0bc 100644 --- a/pkgs/development/tools/profiling/sysprof/capture.nix +++ b/pkgs/development/tools/profiling/sysprof/capture.nix @@ -6,7 +6,7 @@ sysprof, }: -stdenv.mkDerivation rec { +stdenv.mkDerivation { pname = "libsysprof-capture"; inherit (sysprof) src version; diff --git a/pkgs/development/tools/profiling/sysprof/default.nix b/pkgs/development/tools/profiling/sysprof/default.nix index 01de2e761ea9f..837a0c8f05728 100644 --- a/pkgs/development/tools/profiling/sysprof/default.nix +++ b/pkgs/development/tools/profiling/sysprof/default.nix @@ -23,9 +23,9 @@ gnome, }: -stdenv.mkDerivation rec { +stdenv.mkDerivation (finalAttrs: { pname = "sysprof"; - version = "47.0"; + version = "47.2"; outputs = [ "out" @@ -34,8 +34,8 @@ stdenv.mkDerivation rec { ]; src = fetchurl { - url = "mirror://gnome/sources/${pname}/${lib.versions.major version}/${pname}-${version}.tar.xz"; - hash = "sha256-dCTGKUNGYGVCiMBCSJmMNX0c6H7hVZ/UTfGYCZLvXfU="; + url = "mirror://gnome/sources/sysprof/${lib.versions.major finalAttrs.version}/sysprof-${finalAttrs.version}.tar.xz"; + hash = "sha256-5LXt6f2XjsPw1aDUTQQpptIBw2K/bLRScxkDGuRixU8="; }; nativeBuildInputs = [ @@ -70,7 +70,7 @@ stdenv.mkDerivation rec { passthru = { updateScript = gnome.updateScript { - packageName = pname; + packageName = "sysprof"; }; }; @@ -88,4 +88,4 @@ stdenv.mkDerivation rec { maintainers = teams.gnome.members; platforms = platforms.unix; }; -} +})