Merge branch 'nixpkgs-update' into master

2 files changed, 22 insertions, 15 deletions

diff --git a/pkgs/tools/graphics/graphviz/base.nix b/pkgs/tools/graphics/graphviz/base.nix
index a65f5ce455c..f225f2196cc 100644
--- a/pkgs/tools/graphics/graphviz/base.nix
+++ b/pkgs/tools/graphics/graphviz/base.nix
@@ -1,13 +1,11 @@
 { rev, sha256, version }:
 
-{ stdenv, fetchFromGitLab, autoreconfHook, pkgconfig, cairo, expat, flex
+{ lib, stdenv, fetchFromGitLab, autoreconfHook, pkg-config, cairo, expat, flex
 , fontconfig, gd, gettext, gts, libdevil, libjpeg, libpng, libtool, pango
-, yacc, fetchpatch, xorg ? null, ApplicationServices ? null }:
-
-assert stdenv.isDarwin -> ApplicationServices != null;
+, bison, fetchpatch, xorg, ApplicationServices, python3 }:
 
 let
-  inherit (stdenv.lib) optional optionals optionalString;
+  inherit (lib) optional optionals optionalString;
   raw_patch =
     # https://gitlab.com/graphviz/graphviz/issues/1367 CVE-2018-10196
     fetchpatch {
@@ -17,13 +15,20 @@ let
       excludes = ["tests/*"]; # we don't run them and they don't apply
     };
   # the patch needs a small adaption for older versions
-  patchToUse = if stdenv.lib.versionAtLeast version "2.37" then raw_patch else
+  patchToUse = if lib.versionAtLeast version "2.37" then raw_patch else
   stdenv.mkDerivation {
     inherit (raw_patch) name;
     buildCommand = "sed s/dot_root/agroot/g ${raw_patch} > $out";
   };
   # 2.42 has the patch included
-  patches = optional (stdenv.lib.versionOlder version "2.42") patchToUse;
+  patches = optional (lib.versionOlder version "2.42") patchToUse
+  ++ optionals (lib.versionOlder version "2.46.0") [
+    (fetchpatch {
+      name = "CVE-2020-18032.patch";
+      url = "https://gitlab.com/graphviz/graphviz/-/commit/784411ca3655c80da0f6025ab20634b2a6ff696b.patch";
+      sha256 = "1nkw9ism8lkfvxsp5fh95i2l5s5cbjsidbb3g1kjfv10rxkyb41m";
+    })
+  ];
 in
 
 stdenv.mkDerivation {
@@ -36,23 +41,23 @@ stdenv.mkDerivation {
     inherit sha256 rev;
   };
 
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ autoreconfHook pkg-config python3 ];
 
   buildInputs = [
-    libpng libjpeg expat yacc libtool fontconfig gd gts libdevil flex pango
+    libpng libjpeg expat bison libtool fontconfig gd gts libdevil flex pango
     gettext
   ] ++ optionals (xorg != null) (with xorg; [ libXrender libXaw libXpm ])
     ++ optionals (stdenv.isDarwin) [ ApplicationServices ];
 
   hardeningDisable = [ "fortify" ];
 
-  CPPFLAGS = stdenv.lib.optionalString (xorg != null && stdenv.isDarwin)
+  CPPFLAGS = lib.optionalString (xorg != null && stdenv.isDarwin)
     "-I${cairo.dev}/include/cairo";
 
   configureFlags = [
     "--with-ltdl-lib=${libtool.lib}/lib"
     "--with-ltdl-include=${libtool}/include"
-  ] ++ stdenv.lib.optional (xorg == null) "--without-x";
+  ] ++ lib.optional (xorg == null) "--without-x";
 
   inherit patches;
 
@@ -79,7 +84,9 @@ stdenv.mkDerivation {
       --replace /usr/bin/vimdot $out/bin/vimdot \
   '';
 
-  meta = with stdenv.lib; {
+  enableParallelBuilding = true;
+
+  meta = with lib; {
     homepage = "https://graphviz.org";
     description = "Graph visualization tools";
     license = licenses.epl10;
diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix
index c79fe3aaf4d..0662205d17e 100644
--- a/pkgs/tools/graphics/graphviz/default.nix
+++ b/pkgs/tools/graphics/graphviz/default.nix
@@ -1,5 +1,5 @@
 import ./base.nix rec {
-  rev = "da4c2ec6f24ca1b6d1752c6b5bc4389e55682147"; # use rev as tags have disappeared before
-  version = "2.42.2";
-  sha256 = "0lacl11amyvj04j78m63qifljl4c0nkyy50z4bkg8mg9j4hjdy0x";
+  rev = "a11eb938514725493324d18db1686f9a99c8569f"; # use rev as tags have disappeared before
+  version = "2.47.2";
+  sha256 = "sha256-6JFjM/2xl7KVmGhSr6RWgO23UwLDyAif3ONsBG4t/Wc=";
  }