CVS commit: pkgsrc/shells/nushell

["pin" <pin%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   pin
Date:           Thu Apr 11 14:15:12 UTC 2024

Modified Files:
        pkgsrc/shells/nushell: Makefile cargo-depends.mk distinfo
Added Files:
        pkgsrc/shells/nushell/patches: patch-Cargo.toml

Log Message:
shells/nushell: update to 0.92.2

This is the 0.92.2 patch release of Nushell.

This hot-fix addresses a security concern with how arguments are passed to
external commands on Windows.

The underlying vulnerability was found in the interaction of the Rust standard
library we use and the Windows command invocation logic and documented as
CVE-2024-24576

To address this concern, we update the version of the Rust compiler and
standard library used to build Nushell to the latest stable version (1.77.2).

Note: Distributors of Nushell need to upgrade their Rust toolchain to provide
a patched Nushell build.

pkgsrc note: As CVE-2024-24576 only affects Windows, we are patching away the
requirement for MSRV 1.72.2 back to 1.75.0


To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.54 pkgsrc/shells/nushell/Makefile
cvs rdiff -u -r1.35 -r1.36 pkgsrc/shells/nushell/cargo-depends.mk
cvs rdiff -u -r1.42 -r1.43 pkgsrc/shells/nushell/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/shells/nushell/patches/patch-Cargo.toml

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/shells/nushell/Makefile
diff -u pkgsrc/shells/nushell/Makefile:1.53 pkgsrc/shells/nushell/Makefile:1.54
--- pkgsrc/shells/nushell/Makefile:1.53 Thu Apr 11 09:06:33 2024
+++ pkgsrc/shells/nushell/Makefile      Thu Apr 11 14:15:11 2024
@@ -1,10 +1,6 @@
-# $NetBSD: Makefile,v 1.53 2024/04/11 09:06:33 pin Exp $
+# $NetBSD: Makefile,v 1.54 2024/04/11 14:15:11 pin Exp $
 
-# Please don't update to 0.92.2
-# The latest version has Rust-1.77.2 as minimum required version.
-# This is due to CVE-2024-24576 that only affects Windows.
-# see, https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html
-DISTNAME=      nushell-0.92.1
+DISTNAME=      nushell-0.92.2
 CATEGORIES=    shells
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=nushell/}
 

Index: pkgsrc/shells/nushell/cargo-depends.mk
diff -u pkgsrc/shells/nushell/cargo-depends.mk:1.35 pkgsrc/shells/nushell/cargo-depends.mk:1.36
--- pkgsrc/shells/nushell/cargo-depends.mk:1.35 Fri Apr  5 07:31:25 2024
+++ pkgsrc/shells/nushell/cargo-depends.mk      Thu Apr 11 14:15:11 2024
@@ -1,4 +1,4 @@
-# $NetBSD: cargo-depends.mk,v 1.35 2024/04/05 07:31:25 pin Exp $
+# $NetBSD: cargo-depends.mk,v 1.36 2024/04/11 14:15:11 pin Exp $
 
 CARGO_CRATE_DEPENDS+=  addr2line-0.21.0
 CARGO_CRATE_DEPENDS+=  adler-1.0.2

Index: pkgsrc/shells/nushell/distinfo
diff -u pkgsrc/shells/nushell/distinfo:1.42 pkgsrc/shells/nushell/distinfo:1.43
--- pkgsrc/shells/nushell/distinfo:1.42 Fri Apr  5 07:31:25 2024
+++ pkgsrc/shells/nushell/distinfo      Thu Apr 11 14:15:11 2024
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.42 2024/04/05 07:31:25 pin Exp $
+$NetBSD: distinfo,v 1.43 2024/04/11 14:15:11 pin Exp $
 
 BLAKE2s (addr2line-0.21.0.crate) = aa7d8fa248d0454d92b962f5d741ba41c55564299d33e6814e70dfe0b71bbcc7
 SHA512 (addr2line-0.21.0.crate) = afde7660dda30dee240e79df1fb5b92d4572520bf17a134ef3765e2a077af9e13713952d52e27fae420109b40f6e24dbce1056687dbcbead858ffc21cc7dc69b
@@ -888,9 +888,9 @@ Size (num_threads-0.1.6.crate) = 7334 by
 BLAKE2s (number_prefix-0.4.0.crate) = e2e6caf7fd792ec56ec5665184ed1b66469de944c998ee8e0eee92eb0f7105b5
 SHA512 (number_prefix-0.4.0.crate) = a43b668d7314218b86ca7451daa9dfef71f6c9f6616bc34c12d94ae6030f182bcca9da83905cb46f3d49d0aa81385a787e92e4f3ae239658067adc249f8174df
 Size (number_prefix-0.4.0.crate) = 6922 bytes
-BLAKE2s (nushell-0.92.1.tar.gz) = 2a7c80dce2a8286ca60e70671bbf864f0539d1e8a744ff746e4c32ba8cc491d4
-SHA512 (nushell-0.92.1.tar.gz) = 05e3b5f2ab7d8a90352cfd2deb6ba45f80ea1d5fea9bccad32f1b32842d7151f8945a27d044ce428d400065629506051054abfb0256c9db47bd19ccb91e18fc4
-Size (nushell-0.92.1.tar.gz) = 2926995 bytes
+BLAKE2s (nushell-0.92.2.tar.gz) = f16b0f8c413d8f2138b7d26728b3642fccfffc8d4027fce93fa2fc919c3e20a6
+SHA512 (nushell-0.92.2.tar.gz) = cedbec49b8bbddcec2f4c419c09655ce7566db0509ca1f44b7052f8c0eb8484717333838613b4e88d4ae71af9d2ed6a9bcdf13f4b0075f33582818e1ed9c1326
+Size (nushell-0.92.2.tar.gz) = 2927111 bytes
 BLAKE2s (objc-0.2.7.crate) = e34a570a877d402bef4a22098157a24171ada921812037222da0b82a1424f391
 SHA512 (objc-0.2.7.crate) = 7178870c8e4e9154b4c7b4953b3164946b7ce72c956a02b9ba18889353c72be735824bd73e44a485e42ad5f97994820d9153ac684629342755a6a63711ab5988
 Size (objc-0.2.7.crate) = 22036 bytes
@@ -1899,4 +1899,4 @@ Size (zstd-safe-7.0.0.crate) = 20463 byt
 BLAKE2s (zstd-sys-2.0.9+zstd.1.5.5.crate) = ffa04e8df7b5d33c5be50d34ccf82d0f6a9568f2582f982abcd2419b21a3bf9e
 SHA512 (zstd-sys-2.0.9+zstd.1.5.5.crate) = 604c01eae4975745aca1dc1d351db98fec34f7036143e59dfeb4d36e6ee18ac9f3871a288557c8ebdc9e816967a008da43154dc9a0eb3cac85071ccb05bf58aa
 Size (zstd-sys-2.0.9+zstd.1.5.5.crate) = 728791 bytes
-SHA1 (patch-crates_nu-command_src_filesystem_ucp.rs) = 8b96dbc6e05c6445b8e3e87df87b90eac6d657d9
+SHA1 (patch-Cargo.toml) = 97e652df1725ed14591a97a4bebb2f46f2bc0426

Added files:

Index: pkgsrc/shells/nushell/patches/patch-Cargo.toml
diff -u /dev/null pkgsrc/shells/nushell/patches/patch-Cargo.toml:1.1
--- /dev/null   Thu Apr 11 14:15:12 2024
+++ pkgsrc/shells/nushell/patches/patch-Cargo.toml      Thu Apr 11 14:15:12 2024
@@ -0,0 +1,15 @@
+$NetBSD: patch-Cargo.toml,v 1.1 2024/04/11 14:15:12 pin Exp $
+
+Don't require latest to fix a bug that only affects Windows.
+
+--- Cargo.toml.orig    2024-04-11 09:59:36.434842357 +0000
++++ Cargo.toml
+@@ -10,7 +10,7 @@ homepage = "https://www.nushell.sh";
+ license = "MIT"
+ name = "nu"
+ repository = "https://github.com/nushell/nushell";
+-rust-version = "1.77.2"
++rust-version = "1.75.0"
+ version = "0.92.2"
+ 
+ # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html