guix: 1.4.0 -> 1.4.0-unstable-2025-06.24

Fixes CVE-2025-46415, CVE-2025-52991, CVE-2025-52992, CVE-2025-52993 and
CVE-2025-46416.

authored by Jörg Thalheim and committed by Thomas Gerbet 25354a7d 9f7c0e8a

+48 -38
+24
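--- /dev/null
+++ b/pkgs/by-name/gu/guix/missing-cstdint-include.patch
@@ -0,0 +1,24 @@
+From bdf4159dd5c1cf925512c0eb8490846c084e3c8c Mon Sep 17 00:00:00 2001
+From: Reepca Russelstein
+Date: Tue, 24 Jun 2025 22:35:04 -0500
+Subject: [PATCH] nix: libutil: add <cstdint> include to seccomp.hh.
+
+* nix/libutil/seccomp.hh (<cstdint>): add include of header.
+
+Change-Id: I0a0b2892d81dbab662eda1ba80f4736178d70c65
+---
+ nix/libutil/seccomp.hh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/nix/libutil/seccomp.hh b/nix/libutil/seccomp.hh
+index 634dfad5f8..a4b449fc66 100644
+--- a/nix/libutil/seccomp.hh
++++ b/nix/libutil/seccomp.hh
+@@ -4,6 +4,7 @@
+ #include <linux/audit.h> /* For AUDIT_ARCH_* */
+ #include <linux/seccomp.h>
+ #include <linux/filter.h>
++#include <cstdint>
+ 
+ 
+ /* This file provides two preprocessor macros (among other things):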
+24 -38
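--- a/pkgs/by-name/gu/guix/package.nix
+++ b/pkgs/by-name/gu/guix/package.nix
@@ -1,9 +1,9 @@
 {
   lib,
   stdenv,
-  fetchurl,
-  fetchpatch,
-  fetchDebianPatch,
+  fetchgit,
+  graphviz,
+  gettext,
   autoreconfHook,
   disarchive,
   git,
@@ -27,6 +27,7 @@
   pkg-config,
   po4a,
   scheme-bytestructures,
+  slirp4netns,
   texinfo,
   bzip2,
   libgcrypt,
@@ -37,45 +38,21 @@
   storeDir ? "/gnu/store",
   confDir ? "/etc",
 }:
-
+let
+  rev = "30a5d140aa5a789a362749d057754783fea83dde";
+in
 stdenv.mkDerivation rec {
   pname = "guix";
-  version = "1.4.0";
+  version = "1.4.0-unstable-2025-06-24";
 
-  src = fetchurl {
-    url = "mirror://gnu/guix/guix-${version}.tar.gz";
-    hash = "sha256-Q8dpy/Yy7wVEmsH6SMG6FSwzSUxqvH5HE3u6eyFJ+KQ=";
+  src = fetchgit {
+    url = "https://codeberg.org/guix/guix.git";
+    inherit rev;
+    hash = "sha256-QsOYApnwA2hb1keSv6p3EpMT09xCs9uyoSeIdXzftF0=";
   };
 
   patches = [
-    (fetchpatch {
-      name = "CVE-2024-27297_1.patch";
-      url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143";
-      hash = "sha256-xKo1h2uckC2pYHt+memekagfL6dWcF8gOnTOOW/wJUU=";
-    })
-    (fetchpatch {
-      name = "CVE-2024-27297_2.patch";
-      url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42";
-      hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao=";
-    })
-    # see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability
-    (fetchDebianPatch {
-      inherit pname version;
-      debianRevision = "8";
-      patch = "security/0101-daemon-Sanitize-failed-build-outputs-prior-to-exposi.patch";
-      hash = "sha256-cbra/+K8+xHUJrCKRgzJCuhMBpzCSjgjosKAkJx7QIo=";
-    })
-    (fetchDebianPatch {
-      inherit pname version;
-      debianRevision = "8";
-      patch = "security/0102-daemon-Sanitize-successful-build-outputs-prior-to-ex.patch";
-      hash = "sha256-mOnlYtpIuYL+kDvSNuXuoDLJP03AA9aI2ALhap+0NOM=";
-    })
-    (fetchpatch {
-      name = "fix-guile-ssh-detection.patch";
-      url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=b8a45bd0473ab2ba9b96b7ef429a557ece9bf06c";
-      hash = "sha256-oYkgM694qPK8kqgxatkr4fj/GL73ozTNQADNyDeU6WY=";
-    })
+    ./missing-cstdint-include.patch
   ];
 
   postPatch = ''
@@ -90,6 +67,8 @@
     autoreconfHook
     disarchive
     git
+    graphviz
+    gettext
     glibcLocales
     guile
     guile-avahi
@@ -110,6 +89,7 @@
     pkg-config
     po4a
     scheme-bytestructures
+    slirp4netns
     texinfo
   ];
 
@@ -136,6 +116,7 @@
     guile-zlib
     guile-zstd
     scheme-bytestructures
+    slirp4netns
   ];
 
   configureFlags = [
@@ -145,6 +126,11 @@
     "--with-bash-completion-dir=$(out)/etc/bash_completion.d"
   ];
 
+  preAutoreconf = ''
+    echo ${version} > .tarball-version
+    ./bootstrap
+  '';
+
   enableParallelBuilding = true;
 
   postInstall = ''
@@ -174,8 +160,8 @@
       Guix.
       Guix is based on the Nix package manager.
     '';
-    homepage = "http://www.gnu.org/software/guix";
-    changelog = "https://git.savannah.gnu.org/cgit/guix.git/plain/NEWS?h=v${version}";
+    homepage = "https://guix.gnu.org/";
+    changelog = "https://codeberg.org/guix/guix/raw/commit/${rev}/NEWS";
     license = lib.licenses.gpl3Plus;
     mainProgram = "guix";
     maintainers = with lib.maintainers; [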
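Review bot: Nothing next to `rev = "30a5d140aa5a789a362749d057754783fea83dde"` records that this pin is the security floor the commit message relies on, so the five CVE fixes named there, and the dropped CVE-2024-27297 and build-user-takeover patches that the move to this snapshot implies are now upstream, are invisible to whoever bumps or reverts `rev` next. Suggest a comment above that line: `# Do not move rev before this commit: it carries the upstream fixes for CVE-2025-46415, CVE-2025-46416 and CVE-2025-52991..52993 and supersedes the CVE-2024-27297 / build-user-takeover patches that 1.4.0 needed.` The new `preAutoreconf` runs `./bootstrap` and autoreconfHook then runs autoreconf again; if bootstrap is only a wrapper around autoreconf that is duplicated work, so a one-line comment on why both steps are needed (the `.tarball-version` write presumably feeds the version script) would help the next maintainer.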