freetype: major update, including some CVE security

- There's no fontconfig update yet, as I failed to debug it yet. - Infinality patches are now taken from a different (maintained) source.
2014-06-09 19:47:31 +02:00 · 2014-06-09 19:47:31 +02:00 · c50f0e47e1
commit c50f0e47e1
parent ff327554e9
4 changed files with 53 additions and 44 deletions
--- a/pkgs/applications/display-managers/slim/default.nix
+++ b/pkgs/applications/display-managers/slim/default.nix
@ -24,6 +24,8 @@ stdenv.mkDerivation rec {

  cmakeFlags = [ "-DUSE_PAM=1" ];

+  NIX_CFLAGS_COMPILE = "-I${freetype}/include/freetype";
+
  enableParallelBuilding = true;

  buildInputs =
--- a/pkgs/development/libraries/fontconfig/default.nix
+++ b/pkgs/development/libraries/fontconfig/default.nix
@ -8,18 +8,22 @@ stdenv.mkDerivation rec {
    sha256 = "0llraqw86jmw4vzv7inskp3xxm2gc64my08iwq5mzncgfdbfza4f";
  };

-  infinality_patch = with freetype.infinality; if useInfinality
-    then let subvers = "1";
+  infinality_patch =
+    let subvers = "1";
      in fetchurl {
        url = http://www.infinality.net/fedora/linux/zips/fontconfig-infinality-1-20130104_1.tar.bz2;
        sha256 = "1fm5xx0mx2243jrq5rxk4v0ajw2nawpj23399h710bx6hd1rviq7";
      }
-    else null;
+    ;

  propagatedBuildInputs = [ freetype ];
  buildInputs = [ pkgconfig expat ];

-  configureFlags = "--sysconfdir=/etc --with-cache-dir=/var/cache/fontconfig --disable-docs --with-default-fonts=";
+  configureFlags = [
+    "--with-cache-dir=/var/cache/fontconfig"
+    "--disable-docs"
+    "--with-default-fonts="
+  ];

  # We should find a better way to access the arch reliably.
  crossArch = stdenv.cross.arch or null;
@ -32,10 +36,12 @@ stdenv.mkDerivation rec {

  enableParallelBuilding = true;

-  # Don't try to write to /etc/fonts or /var/cache/fontconfig at install time.
-  installFlags = "sysconfdir=$(out)/etc RUN_FC_CACHE_TEST=false fc_cachedir=$(TMPDIR)/dummy";
+  doCheck = true;

-  postInstall = stdenv.lib.optionalString freetype.infinality.useInfinality ''
+  # Don't try to write to /var/cache/fontconfig at install time.
+  installFlags = "fc_cachedir=$(TMPDIR)/dummy";
+
+  postInstall = ''
    cd "$out/etc/fonts" && tar xvf ${infinality_patch}
  '';

--- a/pkgs/development/libraries/freetype/default.nix
+++ b/pkgs/development/libraries/freetype/default.nix
@ -1,57 +1,52 @@
-{ stdenv, fetchurl, gnumake
+{ stdenv, fetchurl, fetchpatch, pkgconfig, which, zlib, bzip2, libpng, gnumake
  # FreeType supports sub-pixel rendering.  This is patented by
  # Microsoft, so it is disabled by default.  This option allows it to
  # be enabled.  See http://www.freetype.org/patents.html.
-, useEncumberedCode ? false
-, useInfinality ? true
+, useEncumberedCode ? true
 }:

-assert !(useEncumberedCode && useInfinality); # probably wouldn't make sense
-
 let
+  version = "2.5.3";

-  version = "2.4.12";
-
+  fetch_bohoomil = name: sha256: fetchpatch {
+    url = https://raw.githubusercontent.com/bohoomil/fontconfig-ultimate/8a155db28f264520596cc3e76eb44824bdb30f8e/01_freetype2-iu/ + name;
+    inherit sha256;
+  };
 in
-
+with { inherit (stdenv.lib) optional optionalString; };
 stdenv.mkDerivation rec {
  name = "freetype-${version}";

  src = fetchurl {
    url = "mirror://sourceforge/freetype/${name}.tar.bz2";
-    sha256 = "10akr2c37iv9y7fkgwp2szgwjyl2g6qmk9z1m596iaw9cr41g2m7";
+    sha256 = "0pppcn73b5pwd7zdi9yfx16f5i93y18q7q4jmlkwmwrfsllqp160";
  };

-  infinality_patch =
-    if useInfinality then fetchurl {
-      url = http://www.infinality.net/fedora/linux/zips/freetype-infinality-2.4.12-20130514_01-x86_64.tar.bz2;
-      sha256 = "1lg2nzvxmwzwdfhxranw8iyflhr72cw9p11rkpgq1scxbp37668m";
-    } else null;
-
-  configureFlags = "--disable-static";
-
-  NIX_CFLAGS_COMPILE = with stdenv.lib;
-    " -fno-strict-aliasing" # from Gentoo, see https://bugzilla.redhat.com/show_bug.cgi?id=506840
-    + optionalString useEncumberedCode " -DFT_CONFIG_OPTION_SUBPIXEL_RENDERING=1"
-    + optionalString useInfinality " -DTT_CONFIG_OPTION_SUBPIXEL_HINTING=1";
-
  patches = [ ./enable-validation.patch ] # from Gentoo
-    ++ stdenv.lib.optional useInfinality [ infinality_patch ];
+    ++ [
+      (fetch_bohoomil "freetype-2.5.3-pkgconfig.patch" "1dpfdh8kmka3gzv14glz7l79i545zizah6wma937574v5z2iy3nn")
+      (fetch_bohoomil "fix_segfault_with_harfbuzz.diff" "1nx36inqrw717b86cla2miprdb3hii4vndw95k0jbbhfmax9k6fy")
+    ]
+    ++ optional useEncumberedCode
+      (fetch_bohoomil "infinality-2.5.3.patch" "0mxiybcb4wwbicrjiinh1b95rv543bh05sdqk1v0ipr3fxfrb47q")
+    ;

+  propagatedBuildInputs = [ zlib bzip2 libpng ]; # needed when linking against freetype
+  # dependence on harfbuzz is looser than the reverse dependence
+  buildInputs = [ pkgconfig which ]
+    # FreeType requires GNU Make, which is not part of stdenv on FreeBSD.
+    ++ optional (!stdenv.isLinux) gnumake;
+
+  # from Gentoo, see https://bugzilla.redhat.com/show_bug.cgi?id=506840
+  NIX_CFLAGS_COMPILE = "-fno-strict-aliasing";
  # The asm for armel is written with the 'asm' keyword.
-  CFLAGS = stdenv.lib.optionalString stdenv.isArm "-std=gnu99";
-
-  # FreeType requires GNU Make, which is not part of stdenv on FreeBSD.
-  buildInputs = stdenv.lib.optional (!stdenv.isLinux) gnumake;
+  CFLAGS = optionalString stdenv.isArm "-std=gnu99";

  enableParallelBuilding = true;

  doCheck = true;

-  postInstall =
-    ''
-      ln -s freetype2/freetype $out/include/freetype
-    '';
+  postInstall = ''ln -s freetype2 "$out"/include/freetype''; # compat hack

  crossAttrs = {
    # Somehow it calls the unwrapped gcc, "i686-pc-linux-gnu-gcc", instead
@ -60,13 +55,11 @@ stdenv.mkDerivation rec {
    configureFlags = "--disable-static CC_BUILD=gcc";
  };

-  passthru.infinality.useInfinality = useInfinality; # for fontconfig
-
-  meta = {
+  meta = with stdenv.lib; {
    description = "A font rendering engine";
    homepage = http://www.freetype.org/;
-    license = if useEncumberedCode then "unfree"
-      else "GPLv2+"; # or the FreeType License (BSD + advertising clause)
-    platforms = stdenv.lib.platforms.all;
+    license = licenses.gpl2Plus; # or the FreeType License (BSD + advertising clause)
+    #ToDo: encumbered = useEncumberedCode;
+    platforms = platforms.all;
  };
 }
--- a/pkgs/servers/x11/xorg/overrides.nix
+++ b/pkgs/servers/x11/xorg/overrides.nix
@ -73,6 +73,10 @@ in
      '';
  };

+  libXfont = attrs: attrs // {
+    propagatedBuildInputs = [ args.freetype ]; # propagate link reqs. like bzip2
+  };
+
  libXxf86vm = attrs: attrs // {
    preConfigure = setMalloc0ReturnsNullCrossCompiling;
  };
@ -111,6 +115,10 @@ in
  libXft = attrs: attrs // {
    propagatedBuildInputs = [ xorg.libXrender args.freetype args.fontconfig ];
    preConfigure = setMalloc0ReturnsNullCrossCompiling;
+    # the include files need ft2build.h, and Requires.private isn't enough for us
+    postInstall = ''
+      sed "/^Requires:/s/$/, freetype2/" -i "$out/lib/pkgconfig/xft.pc"
+    '';
  };

  libXext = attrs: attrs // {