Merge branch 'staging-25.11' into staging-next-25.11

Author: vcunat

pkgs/applications/graphics/ImageMagick/default.nix

@@ -173,7 +173,7 @@ stdenv.mkDerivation (finalAttrs: {
     configDestination=($out/share/ImageMagick-*)
     grep -v '/nix/store' $dev/lib/ImageMagick-*/config-Q16HDRI/configure.xml > $configDestination/configure.xml
     for file in "$dev"/bin/*-config; do
-      substituteInPlace "$file" --replace pkg-config \
+      substituteInPlace "$file" --replace-fail "$PKG_CONFIG" \
         "PKG_CONFIG_PATH='$dev/lib/pkgconfig' '$(command -v $PKG_CONFIG)'"
     done
   ''

pkgs/by-name/al/alsa-lib/package.nix

@@ -2,6 +2,7 @@
   lib,
   stdenv,
   fetchurl,
+  fetchpatch,
   alsa-topology-conf,
   alsa-ucm-conf,
   testers,
@@ -23,6 +24,11 @@ stdenv.mkDerivation (finalAttrs: {
     # "libs" field to declare locations for both native and 32bit plugins, in
     # order to support apps with 32bit sound running on x86_64 architecture.
     ./alsa-plugin-conf-multilib.patch
+    (fetchpatch {
+      name = "CVE-2026-25068.patch";
+      url = "https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40.patch";
+      hash = "sha256-4memtcg+FDOctX6wgiCdmnlG+IUS+5rL1f3LcsWS5lw=";
+    })
   ];
 
   enableParallelBuilding = true;

pkgs/by-name/cr/cryptsetup/package.nix

@@ -25,7 +25,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "cryptsetup";
-  version = "2.8.3";
+  version = "2.8.4";
 
   outputs = [
     "bin"
@@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: {
     url =
       "mirror://kernel/linux/utils/cryptsetup/v${lib.versions.majorMinor finalAttrs.version}/"
       + "cryptsetup-${finalAttrs.version}.tar.xz";
-    hash = "sha256-SoojuLnRoyUEUuQKzq1EIaA+RaOJVK0FlWNPQmaqgA8=";
+    hash = "sha256-RD5G+JZMmsx4D0Va+7jiOqDo7X7FBM/FngT0BvoeioM=";
   };
 
   patches = [

pkgs/by-name/ex/expat/package.nix

@@ -18,7 +18,7 @@
 # files.
 
 let
-  version = "2.7.3";
+  version = "2.7.4";
   tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}";
 in
 stdenv.mkDerivation (finalAttrs: {
@@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: {
     url =
       with finalAttrs;
       "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz";
-    hash = "sha256-cd+PQHBqe7CoClNnB56nXZHaT4xlxY7Fm837997Nq58=";
+    hash = "sha256-npyrtFfB4J3pHbJwbYNlZFeSY46zvh+U27IUkwEIasA=";
   };
 
   strictDeps = true;

pkgs/by-name/li/libvpx/package.nix

@@ -131,13 +131,13 @@ assert isCygwin -> unitTestsSupport && webmIOSupport && libyuvSupport;
 
 stdenv.mkDerivation rec {
   pname = "libvpx";
-  version = "1.15.2";
+  version = "1.16.0";
 
   src = fetchFromGitHub {
     owner = "webmproject";
     repo = "libvpx";
     rev = "v${version}";
-    hash = "sha256-1F5Zlue2DY1yJXwfDfGeh3KcFTQVo9voHcGkgItKgh0=";
+    hash = "sha256-z1Ov3BHnAGuayeY4D86oTRiDfuZ2Wpc4ZD7pXGaakVI=";
   };
 
   postPatch = ''

pkgs/by-name/lo/lowdown/package.nix

@@ -11,13 +11,14 @@
   enableDarwinSandbox ? true,
   # for passthru.tests
   nix,
+  lowdown-unsandboxed,
 }:
 
 stdenv.mkDerivation rec {
   pname = "lowdown${
     lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) "-unsandboxed"
   }";
-  version = "2.0.2";
+  version = "2.0.4";
 
   outputs = [
     "out"
@@ -28,7 +29,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://kristaps.bsd.lv/lowdown/snapshots/lowdown-${version}.tar.gz";
-    hash = "sha512-cfzhuF4EnGmLJf5EGSIbWqJItY3npbRSALm+GarZ7SMU7Hr1xw0gtBFMpOdi5PBar4TgtvbnG4oRPh+COINGlA==";
+    sha512 = "649a508b7727df6e7e1203abb3853e05f167b64832fd5e1271f142ccf782e600b1de73c72dc02673d7b175effdc54f2c0f60318208a968af9f9763d09cf4f9ef";
   };
 
   nativeBuildInputs = [
@@ -38,6 +39,12 @@ stdenv.mkDerivation rec {
   ]
   ++ lib.optionals stdenv.hostPlatform.isDarwin [ fixDarwinDylibNames ];
 
+  postPatch = ''
+    # fails test, some column width mismatch
+    rm regress/table-footnotes.md
+    rm regress/table-styles.md
+  '';
+
   # The Darwin sandbox calls fail inside Nix builds, presumably due to
   # being nested inside another sandbox.
   preConfigure = lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) ''
@@ -74,32 +81,8 @@ stdenv.mkDerivation rec {
     "install_static"
   ];
 
-  postInstall =
-    let
-      soVersion = "2";
-    in
-
-    # Check that soVersion is up to date even if we are not on darwin
-    lib.optionalString (enableShared && !stdenv.hostPlatform.isDarwin) ''
-      test -f $lib/lib/liblowdown.so.${soVersion} || \
-        die "postInstall: expected $lib/lib/liblowdown.so.${soVersion} is missing"
-    ''
-    # Fix lib extension so that fixDarwinDylibNames detects it, see
-    # <https://github.com/kristapsdz/lowdown/issues/87#issuecomment-1532243650>.
-    + lib.optionalString (enableShared && stdenv.hostPlatform.isDarwin) ''
-      darwinDylib="$lib/lib/liblowdown.${soVersion}.dylib"
-      mv "$lib/lib/liblowdown.so.${soVersion}" "$darwinDylib"
-
-      # Make sure we are re-creating a symbolic link here
-      test -L "$lib/lib/liblowdown.so" || \
-        die "postInstall: expected $lib/lib/liblowdown.so to be a symlink"
-      ln -s "$darwinDylib" "$lib/lib/liblowdown.dylib"
-      rm "$lib/lib/liblowdown.so"
-    '';
-
-  doInstallCheck = true;
-
-  installCheckPhase = lib.optionalString (!stdenv.hostPlatform.isDarwin || !enableDarwinSandbox) ''
+  doInstallCheck = !stdenv.hostPlatform.isDarwin || !enableDarwinSandbox;
+  installCheckPhase = ''
     runHook preInstallCheck
 
     echo '# TEST' > test.md
@@ -108,12 +91,12 @@ stdenv.mkDerivation rec {
     runHook postInstallCheck
   '';
 
-  doCheck = true;
+  doCheck = !stdenv.hostPlatform.isDarwin || !enableDarwinSandbox;
   checkTarget = "regress";
 
   passthru.tests = {
-    # most important consumer in nixpkgs
-    inherit nix;
+    # most important consumers in nixpkgs
+    inherit nix lowdown-unsandboxed;
   };
 
   meta = {

pkgs/by-name/mi/mimir/package.nix

@@ -7,13 +7,13 @@
 }:
 buildGoModule (finalAttrs: {
   pname = "mimir";
-  version = "3.0.1";
+  version = "3.0.3";
 
   src = fetchFromGitHub {
     rev = "mimir-${finalAttrs.version}";
     owner = "grafana";
     repo = "mimir";
-    hash = "sha256-tYGzU/sn6KLLetDmAyph5u8bCocmfF4ZysTkOCSVf+U=";
+    hash = "sha256-OUFmtHGGDU1+7EwfGVzrjPS2hqba0FfIuQl0V7up9Yk=";
   };
 
   vendorHash = null;

pkgs/by-name/mo/modemmanager/package.nix

@@ -32,14 +32,14 @@
 
 stdenv.mkDerivation rec {
   pname = "modemmanager";
-  version = "1.24.0";
+  version = "1.24.2";
 
   src = fetchFromGitLab {
     domain = "gitlab.freedesktop.org";
     owner = "mobile-broadband";
     repo = "ModemManager";
     rev = version;
-    hash = "sha256-3jI75aR2esmv5dkE4TrdCHIcCvtdOBKnBC5XLEKoVFs=";
+    hash = "sha256-rBLOqpx7Y2BB6/xvhIw+rDEXsLtePhHLBvfpSuJzQik=";
   };
 
   patches = [

pkgs/by-name/pu/publicsuffix-list/package.nix

@@ -7,13 +7,13 @@
 
 stdenvNoCC.mkDerivation {
   pname = "publicsuffix-list";
-  version = "0-unstable-2025-12-28";
+  version = "0-unstable-2026-01-25";
 
   src = fetchFromGitHub {
     owner = "publicsuffix";
     repo = "list";
-    rev = "1ef6d3bc102c85d12e92be54ec0dad8ee990dd5f";
-    hash = "sha256-rQdum6XLgfXwzpKTneakFmC80tOmlPFrZ8C7dfEnlSo=";
+    rev = "6c40921fc61160568b101aff506d548ba3300ba6";
+    hash = "sha256-BOSau54FwCHNLordlN0+I708acXSogjnfKINpfMeYcc=";
   };
 
   dontBuild = true;

pkgs/by-name/un/unzip/CVE-2021-4217.patch

@@ -0,0 +1,47 @@
+From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
+From: Nils Bars <nils.bars@t-online.de>
+Date: Mon, 17 Jan 2022 16:53:16 +0000
+Subject: [PATCH] Fix null pointer dereference and use of uninitialized data
+
+This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
+to read as many bytes as indicated by the extra field length attribute.
+Furthermore, this fixes a null pointer dereference if an archive contains an
+`EF_UNIPATH` extra field but does not have a filename set.
+---
+ fileio.c  | 5 ++++-
+ process.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -2310,8 +2310,11 @@ int do_string(__G__ length, option)   /*
+             seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes +
+                       (G.inptr-G.inbuf) + length);
+         } else {
+-            if (readbuf(__G__ (char *)G.extra_field, length) == 0)
++            unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length);
++            if (bytes_read == 0)
+                 return PK_EOF;
++            if (bytes_read != length)
++                return PK_ERR;
+             /* Looks like here is where extra fields are read */
+             if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
+             {
+--- a/process.c
++++ b/process.c
+@@ -2067,10 +2067,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+           G.unipath_checksum = makelong(offset + ef_buf);
+           offset += 4;
+ 
++          if (!G.filename_full) {
++            /* Check if we have a unicode extra section but no filename set */
++            return PK_ERR;
++          }
++
+           /*
+            * Compute 32-bit crc
+            */
+-
+           chksum = crc32(chksum, (uch *)(G.filename_full),
+                          strlen(G.filename_full));
+