nixpkgs/pkgs/development/libraries/webkitgtk/default.nix
Philipp Bartsch 3bb38198e9 webkitgtk: 2.32.1 -> 2.32.3
Relevant security advisory:
https://webkitgtk.org/security/WSA-2021-0004.html

CVEs:
CVE-2021-1817,  CVE-2021-1820,  CVE-2021-1825,  CVE-2021-1826,
CVE-2021-21775, CVE-2021-21779, CVE-2021-21806, CVE-2021-30661,
CVE-2021-30663, CVE-2021-30665, CVE-2021-30666, CVE-2021-30682,
CVE-2021-30689, CVE-2021-30720, CVE-2021-30734, CVE-2021-30744,
CVE-2021-30749, CVE-2021-30758, CVE-2021-30761, CVE-2021-30762,
CVE-2021-30795, CVE-2021-30797, CVE-2021-30799
2021-07-23 20:57:02 +02:00


# WebKitGTK: the GTK port of the WebKit web content rendering engine.
#
# This file is a function from its build dependencies to a derivation built
# with CMake/Ninja. Two toggles are exposed to callers, both defaulting to
# true: enableGeoLocation (adds geoclue2) and enableGLES (Linux only, turns on
# -DENABLE_GLES2).
#
# Security-relevant points for whoever bumps this package:
#   * `version` and `src.sha256` must change together; the hash is what pins
#     the release tarball's content.
#   * Every fetched patch is pinned by sha256 as well.
#   * The Linux-only inputs bubblewrap / libseccomp / xdg-dbus-proxy and the
#     local fix-bubblewrap-paths.patch concern the sandbox; see the notes next
#     to them below.
{ lib, stdenv
, runCommandNoCC
, fetchurl
, fetchpatch
, perl
, python3
, ruby
, bison
, gperf
, cmake
, ninja
, pkg-config
, gettext
, gobject-introspection
, libnotify
, gnutls
, libgcrypt
, gtk3
, wayland
, libwebp
, enchant2
, xorg
, libxkbcommon
, epoxy
, at-spi2-core
, libxml2
, libsoup
, libsecret
, libxslt
, harfbuzz
, libpthreadstubs
, pcre
, nettle
, libtasn1
, p11-kit
, libidn
, libedit
, readline
, sdk
, libGL
, libGLU
, mesa
, libintl
, libmanette
, openjpeg
, enableGeoLocation ? true
, geoclue2
, sqlite
, enableGLES ? true
, gst-plugins-base
, gst-plugins-bad
, woff2
, bubblewrap
, libseccomp
, systemd
, xdg-dbus-proxy
, substituteAll
, glib
, addOpenGLRunpath
}:
# Implication: if geolocation is enabled, geoclue2 must actually be supplied.
assert enableGeoLocation -> geoclue2 != null;
stdenv.mkDerivation rec {
  pname = "webkitgtk";
  # Interpolated into the tarball URL below, so a version bump also needs a
  # matching sha256.
  version = "2.32.3";
  outputs = [ "out" "dev" ];
  # Split debug info is only requested on Linux.
  separateDebugInfo = stdenv.isLinux;
  # Upstream release tarball. The sha256 (SRI format) pins the content: a
  # download that does not match the hash fails instead of being built.
  src = fetchurl {
    url = "https://webkitgtk.org/releases/${pname}-${version}.tar.xz";
    sha256 = "sha256-wfSW9axlTv5M72L71PL77u8mWgfF50GeXSkAv+6lLLw=";
  };
  # Patch set is platform-specific: two local patches on Linux, a mix of
  # fetched and local patches on Darwin. List order is the application order.
  patches = lib.optionals stdenv.isLinux [
    # Local patch templated with the Nix store directory and the OpenGL driver
    # link path.
    # NOTE(review): the patch body is not visible here; going by its name it
    # alters the paths handled by the bubblewrap sandbox, so it should be
    # re-read whenever upstream changes its sandbox code.
    (substituteAll {
      src = ./fix-bubblewrap-paths.patch;
      inherit (builtins) storeDir;
      inherit (addOpenGLRunpath) driverLink;
    })
    ./libglvnd-headers.patch
  ] ++ lib.optionals stdenv.isDarwin [
    # Upstream commit fetched as a diff. Each fetchpatch below is pinned by
    # sha256, so content that changes behind the URL fails the fetch rather
    # than changing what gets built. `excludes` drops the ChangeLog hunk.
    (fetchpatch {
      url = "https://github.com/WebKit/WebKit/commit/94cdcd289b993ed4d39c17d4b8b90db7c81a9b10.diff";
      sha256 = "sha256-ywrTEjf3ATqI0Vvs60TeAZ+m58kCibum4DamRWrQfaA=";
      excludes = [ "Source/WebKit/ChangeLog" ];
    })
    # https://bugs.webkit.org/show_bug.cgi?id=225856
    # Bug-tracker attachment, referenced by numeric attachment id.
    (fetchpatch {
      url = "https://bug-225856-attachments.webkit.org/attachment.cgi?id=428797";
      sha256 = "sha256-ffo5p2EyyjXe3DxdrvAcDKqxwnoqHtYBtWod+1fOjMU=";
      excludes = [ "Source/WebCore/ChangeLog" ];
    })
    # https://bugs.webkit.org/show_bug.cgi?id=225850
    # The first attachment of this bug is vendored as a local file; the other
    # two are fetched.
    ./428774.patch # https://bug-225850-attachments.webkit.org/attachment.cgi?id=428774
    (fetchpatch {
      url = "https://bug-225850-attachments.webkit.org/attachment.cgi?id=428776";
      sha256 = "sha256-ryNRYMsk72SL0lNdh6eaAdDV3OT8KEqVq1H0j581jmQ=";
      excludes = [ "Source/WTF/ChangeLog" ];
    })
    (fetchpatch {
      url = "https://bug-225850-attachments.webkit.org/attachment.cgi?id=428778";
      sha256 = "sha256-78iP+T2vaIufO8TmIPO/tNDgmBgzlDzalklrOPrtUeo=";
      excludes = [ "Source/WebKit/ChangeLog" ];
    })
  ];
  # Only emitted when host and build platforms differ (cross-compilation).
  preConfigure = lib.optionalString (stdenv.hostPlatform != stdenv.buildPlatform) ''
    # Ignore gettext in cmake_prefix_path so that find_program doesn't
    # pick up the wrong gettext. TODO: Find a better solution for
    # this, maybe make cmake not look up executables in
    # CMAKE_PREFIX_PATH.
    cmakeFlags+=" -DCMAKE_IGNORE_PATH=${lib.getBin gettext}/bin"
  '';
  # Tools that run on the build machine.
  nativeBuildInputs = [
    bison
    cmake
    gettext
    gobject-introspection
    gperf
    ninja
    perl
    perl.pkgs.FileCopyRecursive # used by copy-user-interface-resources.pl
    pkg-config
    python3
    ruby
    glib # for gdbus-codegen
  ] ++ lib.optionals stdenv.isLinux [
    wayland # for wayland-scanner
  ];
  # Libraries the build is given. The list is assembled from common entries
  # plus Linux-only and Darwin-only groups.
  buildInputs = [
    at-spi2-core
    enchant2
    epoxy
    gnutls
    gst-plugins-bad
    gst-plugins-base
    harfbuzz
    libGL
    libGLU
    mesa # for libEGL headers
    libgcrypt
    libidn
    libintl
  ] ++ lib.optionals stdenv.isLinux [
    libmanette
  ] ++ [
    libnotify
    libpthreadstubs
    libsecret
    libtasn1
    libwebp
    libxkbcommon
    libxml2
    libxslt
    nettle
    openjpeg
    p11-kit
    pcre
    sqlite
    woff2
  ] ++ (with xorg; [
    libXdamage
    libXdmcp
    libXt
    libXtst
  ]) ++ lib.optionals stdenv.isDarwin [
    libedit
    readline
    # Pull a header that contains a definition of proc_pid_rusage().
    # (We pick just that one because using the other headers from `sdk` is not
    # compatible with our C++ standard library)
    (runCommandNoCC "${pname}_headers" {} ''
      install -Dm444 "${lib.getDev sdk}"/include/libproc.h "$out"/include/libproc.h
    '')
  ] ++ lib.optionals stdenv.isLinux [
    # bubblewrap, libseccomp and xdg-dbus-proxy are the pieces WebKitGTK's
    # web-process sandbox is built on; they are supplied on Linux only.
    # NOTE(review): nothing equivalent appears in the Darwin inputs or flags —
    # confirm what sandboxing, if any, the Darwin build ends up with.
    bubblewrap
    libseccomp
    systemd
    wayland
    xdg-dbus-proxy
  ] ++ lib.optional enableGeoLocation geoclue2;
  # Propagated to anything that depends on this package.
  propagatedBuildInputs = [
    gtk3
    libsoup
  ];
  cmakeFlags = [
    "-DENABLE_INTROSPECTION=ON"
    "-DPORT=GTK"
    "-DUSE_LIBHYPHEN=OFF"
    "-DUSE_WPE_RENDERER=OFF"
  ] ++ lib.optionals stdenv.isDarwin [
    "-DENABLE_GAMEPAD=OFF"
    "-DENABLE_GTKDOC=OFF"
    "-DENABLE_MINIBROWSER=OFF"
    "-DENABLE_QUARTZ_TARGET=ON"
    "-DENABLE_VIDEO=ON"
    "-DENABLE_WEBGL=OFF"
    "-DENABLE_WEB_AUDIO=OFF"
    "-DENABLE_X11_TARGET=OFF"
    "-DUSE_APPLE_ICU=OFF"
    "-DUSE_OPENGL_OR_ES=OFF"
    # NOTE(review): this builds against the system allocator instead of
    # WebKit's bundled one (bmalloc). Upstream, as far as I recall, describes
    # that as giving up bmalloc's heap hardening — confirm the trade-off is
    # intended for Darwin and not just a build workaround.
    "-DUSE_SYSTEM_MALLOC=ON"
  ] ++ lib.optionals (!stdenv.isLinux) [
    "-DUSE_SYSTEMD=OFF"
  ] ++ lib.optional (stdenv.isLinux && enableGLES) "-DENABLE_GLES2=ON";
  # patchShebangs runs on every platform; the two sed edits are Darwin-only.
  # The sed commands insert an #include at a fixed line number (22 and 43), so
  # they depend on the layout of the target files in this exact release and
  # need re-checking on every version bump.
  postPatch = ''
    patchShebangs .
  '' + lib.optionalString stdenv.isDarwin ''
    # It needs malloc_good_size.
    sed 22i'#include <malloc/malloc.h>' -i Source/WTF/wtf/FastMalloc.h
    # <CommonCrypto/CommonRandom.h> needs CCCryptorStatus.
    sed 43i'#include <CommonCrypto/CommonCryptor.h>' -i Source/WTF/wtf/RandomDevice.cpp
  '';
  # Restricts the build to builders that advertise the "big-parallel" feature.
  requiredSystemFeatures = [ "big-parallel" ];
  meta = with lib; {
    description = "Web content rendering engine, GTK port";
    homepage = "https://webkitgtk.org/";
    license = licenses.bsd2;
    platforms = platforms.linux ++ platforms.darwin;
    maintainers = teams.gnome.members;
  };
}