From f7fbe207f79f8af8529db61939e831a8c9d95351 Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Sat, 12 Jul 2025 16:15:28 +0200 Subject: [PATCH 1/3] poppler: 25.05.0 -> 25.07.0 Fixes CVE-2025-52886. https://securitylab.github.com/advisories/GHSL-2025-054_poppler/ Changes: https://gitlab.freedesktop.org/poppler/poppler/-/blob/poppler-25.06.0/NEWS https://gitlab.freedesktop.org/poppler/poppler/-/blob/poppler-25.07.0/NEWS --- pkgs/development/libraries/poppler/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/development/libraries/poppler/default.nix b/pkgs/development/libraries/poppler/default.nix index e2dfaa031fe6..17ad87827a80 100644 --- a/pkgs/development/libraries/poppler/default.nix +++ b/pkgs/development/libraries/poppler/default.nix @@ -55,13 +55,13 @@ let domain = "gitlab.freedesktop.org"; owner = "poppler"; repo = "test"; - rev = "91ee031c882634c36f2f0f2f14eb6646dd542fb9"; - hash = "sha256-bImTdlhMAA79kwbKPrHN3a9vVrtsgBh3rFjH3B7tEbQ="; + rev = "c79c6839e859dbee6b73ac260788fa2de8618ba4"; + hash = "sha256-j66AsBUnFpO5athVgQmf4vcyXxYcJ/plJtHg+3vXG4Y="; }; in stdenv.mkDerivation (finalAttrs: { pname = "poppler-${suffix}"; - version = "25.05.0"; # beware: updates often break cups-filters build, check scribus too! + version = "25.07.0"; # beware: updates often break cups-filters build, check scribus too! outputs = [ "out" @@ -70,7 +70,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "https://poppler.freedesktop.org/poppler-${finalAttrs.version}.tar.xz"; - hash = "sha256-mxYnxbdoFqxeQFKgP1tgW6QLRc8GsCyt0EeWILSZqzg="; + hash = "sha256-xQSpBm29/r43etU87GQf2XHulsTh6Mp05snAPUbYF64="; }; nativeBuildInputs = From 71c84e007545533be67296465d02f1bb09c58595 Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Sat, 12 Jul 2025 16:51:54 +0200 Subject: [PATCH 2/3] inkscape: fix build with poppler 25.07.0 --- pkgs/applications/graphics/inkscape/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkgs/applications/graphics/inkscape/default.nix b/pkgs/applications/graphics/inkscape/default.nix index 2f71bf8d3506..e7e7ce9b44ae 100644 --- a/pkgs/applications/graphics/inkscape/default.nix +++ b/pkgs/applications/graphics/inkscape/default.nix @@ -97,6 +97,16 @@ stdenv.mkDerivation (finalAttrs: { # Fix path to ps2pdf binary inherit ghostscript; }) + (fetchpatch { + name = "fix-build-poppler-25.06.0.patch"; + url = "https://gitlab.com/inkscape/inkscape/-/commit/97bd8f29a61e691ceea98ca2444b974cf4256ae0.patch"; + hash = "sha256-bYRd/KUh/7qFb7x0EuUgQYA9P8abcTf5XS67gzaAiXA="; + }) + (fetchpatch { + name = "fix-build-poppler-25.07.0.patch"; + url = "https://gitlab.com/inkscape/inkscape/-/commit/ce52c5f96106ae5747171663a46831f21aa52d95.patch"; + hash = "sha256-3Yj+neSRSSQPeeZkHJ0P6v3Sis/lg9xiygktI6Z+zDY="; + }) ]; postPatch = '' From a7e801b185f6d893fb4fae83f4c304195152d7a9 Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Sat, 12 Jul 2025 17:32:34 +0200 Subject: [PATCH 3/3] scribus: fix build with poppler 25.07.0 --- pkgs/applications/office/scribus/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkgs/applications/office/scribus/default.nix b/pkgs/applications/office/scribus/default.nix index 6e5fbf8b34ad..82f01c55d53e 100644 --- a/pkgs/applications/office/scribus/default.nix +++ b/pkgs/applications/office/scribus/default.nix @@ -105,6 +105,16 @@ stdenv.mkDerivation (finalAttrs: { url = "https://aur.archlinux.org/cgit/aur.git/plain/fix_build_with_poppler_25.02.0.patch?h=scribus-unstable"; hash = "sha256-t9xJA6KGMGAdUFyjI8OlTNilewyMr1FFM7vjHOM15Xg="; }) + (fetchpatch { + name = "fix-build-poppler-25.06.0.patch"; + url = "https://github.com/scribusproject/scribus/commit/8dcf8d777bd85a0741c455961f2de382e3ed47ec.patch"; + hash = "sha256-JBHCgvEJnYrUdtLnFSXTfr1FFin4uUNUnddYwfRbn7k="; + }) + (fetchpatch { + name = "fix-build-poppler-25.07.0.patch"; + url = "https://github.com/scribusproject/scribus/commit/ff6c6abfa8683028e548a269dee6a859b6f63335.patch"; + hash = "sha256-N4jve5feehsX5H0RXdxR4ableKL+c/rTyqCwkEf37Dk="; + }) ]; meta = {