
base repository: NixOS/nixpkgs
base: 523fb3c77e3b
head repository: NixOS/nixpkgs
compare: 800e422653f9
  • 14 commits
  • 12 files changed
  • 9 contributors

Commits on Sep 17, 2017

  1. hardened-config: additional refcount checking

    (cherry picked from commit edd0d2f)
    joachifm committed Sep 17, 2017
    84f5bb3 View commit details
  2. hardened-config: enable the randstruct plugin

    (cherry picked from commit 9a763f8)
    joachifm committed Sep 17, 2017
    e15669f View commit details
  3. hardened-config: build with fortify source

    (cherry picked from commit dd170cd)
    joachifm committed Sep 17, 2017
    34f867d View commit details
  4. linuxPackages: hardened-config: disable BUG_ON_DATA_CORRUPTION for …

    …older kernels
    
    They don't support it.
    
    (cherry picked from commit 616a7fe)
    oxij authored and joachifm committed Sep 17, 2017
    ec00da8 View commit details
  5. linuxPackages: hardened-config: check kernelArch, not system

    (cherry picked from commit c345761)
    oxij authored and joachifm committed Sep 17, 2017
    e8af562 View commit details
  6. linuxPackages: hardened-config: enable DEBUG_PI_LIST

    (cherry picked from commit 62fa45e)
    oxij authored and joachifm committed Sep 17, 2017
    5ae9a94 View commit details
  7. nixos/tests: expand hardened tests

    (cherry picked from commit 586d04c)
    joachifm committed Sep 17, 2017
    884ac05 View commit details
  8. namecoin service: fix typo

    (cherry picked from commit fea9e08)
    infinisil authored and joachifm committed Sep 17, 2017
    2fd44d9 View commit details
  9. nixos/tinc: Fix tinc cli wrapper for tinc 1.0.

    tinc prior to 1.1 doesn't have the `tinc` executable,
    and `tincd` isn't of any use while the daemon already runs.
    
    (cherry picked from commit 8cea87c)
    florianjacob authored and joachifm committed Sep 17, 2017
    c69ee73 View commit details
  10. rabbitmq_server: 3.6.6 -> 3.6.10

    (cherry picked from commit 2c58562)
    
    Addresses some known vulns in 3.6.6: https://pivotal.io/security/cve-2017-4965
    phunehehe authored and joachifm committed Sep 17, 2017
    76b36ad View commit details
  11. ktorrent: Add missing meta.license

    (cherry picked from commit f814c3d)
    polendri authored and joachifm committed Sep 17, 2017
    9882b7f View commit details
  12. monero: 0.10.3.1 -> 0.11.0.0

    (cherry picked from commit 21e135c)
    mattcode55 authored and joachifm committed Sep 17, 2017
    777e002 View commit details
  13. k2pdfopt: 2.32 -> 2.42

    (cherry picked from commit 8c28954)
    danielfullmer authored and joachifm committed Sep 17, 2017
    4f7e499 View commit details
  14. hostapd/wpa_supplicant: update urls

    (cherry picked from commit daf07c9)
    mguentner authored and joachifm committed Sep 17, 2017
    800e422 View commit details
2 changes: 1 addition & 1 deletion nixos/modules/services/networking/namecoind.nix
@@ -173,7 +173,7 @@ in

serviceConfig = {
User = "namecoin";
Griup = "namecoin";
Group = "namecoin";
ExecStart = "${pkgs.altcoins.namecoind}/bin/namecoind -conf=${configFile} -datadir=${dataDir} -printtoconsole";
ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
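--- a/nixos/modules/services/networking/tinc.nix
+++ b/nixos/modules/services/networking/tinc.nix
@@ -199,8 +199,10 @@ in
 buildInputs = [ pkgs.makeWrapper ];
 buildCommand = ''
 mkdir -p $out/bin
-${concatStringsSep "\n" (mapAttrsToList (network: data: ''
-makeWrapper ${data.package}/bin/tinc "$out/bin/tinc.${network}" --add-flags "--pidfile=/run/tinc.${network}.pid"
+${concatStringsSep "\n" (mapAttrsToList (network: data:
+optionalString (versionAtLeast data.package.version "1.1pre") ''
+makeWrapper ${data.package}/bin/tinc "$out/bin/tinc.${network}" \
+--add-flags "--pidfile=/run/tinc.${network}.pid"
 '') cfg.networks)}
 '';
 };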
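Review bot: The new `optionalString (versionAtLeast data.package.version "1.1pre")` guard silently produces no tinc.NETWORK wrapper for pre-1.1 networks, and nothing in the hunk says why; a one-line comment would spare the next reader a trip to the commit log, e.g. `# tinc < 1.1 ships only tincd; the tinc control CLI does not exist, so no wrapper is generated`. The enclosing derivation starts before the hunk, so whether the wrapper's absence is surfaced anywhere user-visible (an option description, for instance) cannot be seen here; if it is not, the package option's description is the natural place to mention it.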
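--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -32,5 +32,15 @@ import ./make-test.nix ({ pkgs, ...} : {
 subtest "userns", sub {
 $machine->fail("unshare --user");
 };
+# Test dmesg restriction
+subtest "dmesg", sub {
+$machine->fail("su -l alice -c dmesg");
+};
+# Test access to kcore
+subtest "kcore", sub {
+$machine->fail("cat /proc/kcore");
+};
 '';
 })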
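Review bot: Both new subtests assert only that a command exits non-zero, so they can pass for reasons unrelated to the hardening they are meant to verify — the dmesg subtest also "passes" if user alice does not exist or su -l is refused for some other reason, and the kcore subtest passes whenever /proc/kcore is merely missing from a non-hardened kernel too. Pinning the intent makes a regression diagnosable: if the profile enforces the dmesg restriction through the kernel.dmesg_restrict sysctl, add `$machine->succeed("test \$(sysctl -n kernel.dmesg_restrict) = 1");` beside the su check, and express the kcore expectation as `$machine->fail("test -e /proc/kcore");` so the test states that the file must not exist at all. The testScript these belong to starts before the hunk, so whether alice is declared in the machine config is not visible here.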
183 changes: 85 additions & 98 deletions pkgs/applications/misc/k2pdfopt/default.nix
@@ -1,113 +1,100 @@
# Build procedure lifted from https://aur.archlinux.org/packages/k2/k2pdfopt/PKGBUILD
{ stdenv, fetchzip, fetchurl, writeScript, libX11, libXext, autoconf, automake, libtool
, leptonica, libpng, libtiff, zlib, openjpeg, freetype, jbig2dec, djvulibre
, openssl }:

let
mupdf_src = fetchurl {
url = http://www.mupdf.com/downloads/archive/mupdf-1.6-source.tar.gz;
sha256 = "0qx51rj6alzcagcixm59rvdpm54w6syrwr4184v439jh14ryw4wq";
};

tess_src = fetchurl {
url = http://tesseract-ocr.googlecode.com/files/tesseract-ocr-3.02.02.tar.gz;
sha256 = "0g81m9y4iydp7kgr56mlkvjdwpp3mb01q385yhdnyvra7z5kkk96";
};

gocr_src = fetchurl {
url = http://www-e.uni-magdeburg.de/jschulen/ocr/gocr-0.49.tar.gz;
sha256 = "06hpzp7rkkwfr1fvmc8kcfz9v490i9yir7f7imh13gmka0fr6afc";
};

in stdenv.mkDerivation rec {
{ stdenv, fetchzip, fetchurl, fetchpatch, cmake, pkgconfig
, zlib, libpng
, enableGSL ? true, gsl
, enableGhostScript ? true, ghostscript
, enableMuPDF ? true, jbig2dec, openjpeg, freetype, harfbuzz, mupdf
, enableJPEG2K ? true, jasper
, enableDJVU ? true, djvulibre
, enableGOCR ? false, gocr # Disabled by default due to crashes
, enableTesseract ? true, leptonica, tesseract
}:

with stdenv.lib;

stdenv.mkDerivation rec {
name = "k2pdfopt-${version}";
version = "2.32";
version = "2.42";

src = fetchzip {
url = "http://www.willus.com/k2pdfopt/src/k2pdfopt_v${version}_src.zip";
sha256 = "1v3cj5bwpjvy7s66sfqcmkxs91f7nxaykjpdjm2wn87vn6q7n19m";
sha256 = "1zag4jmkr0qrcpqqb5davmvdrabhdyz87q4zz0xpfkl6xw2dn9bk";
};

buildInputs = [ libX11 libXext autoconf automake libtool leptonica libpng libtiff zlib
openjpeg freetype jbig2dec djvulibre openssl ];
NIX_LDFLAGS = "-lX11 -lXext";

hardeningDisable = [ "format" ];

k2_pa = ./k2pdfopt.patch;
tess_pa = ./tesseract.patch;

builder = writeScript "builder.sh" ''
. ${stdenv}/setup
set -e
plibs=`pwd`/patched_libraries
tar zxf ${mupdf_src}
cp $src/mupdf_mod/font.c $src/mupdf_mod/string.c mupdf-1.6-source/source/fitz/
cp $src/mupdf_mod/pdf-* mupdf-1.6-source/source/pdf
tar zxf ${tess_src}
cp $src/tesseract_mod/dawg.cpp tesseract-ocr/dict
cp $src/tesseract_mod/tessdatamanager.cpp tesseract-ocr/ccutil
cp $src/tesseract_mod/tessedit.cpp tesseract-ocr/ccmain
cp $src/tesseract_mod/tesscapi.cpp tesseract-ocr/api
cp $src/include_mod/tesseract.h $src/include_mod/leptonica.h tesseract-ocr/api
cp -a $src k2pdfopt_v2.21
chmod -R +w k2pdfopt_v2.21
patch -p0 -i $tess_pa
patch -p0 -i $k2_pa
cd tesseract-ocr
./autogen.sh
substituteInPlace "configure" \
--replace 'LIBLEPT_HEADERSDIR="/usr/local/include /usr/include"' \
'LIBLEPT_HEADERSDIR=${leptonica}/include'
./configure --prefix=$plibs --disable-shared
make install
cd ..
tar zxf ${gocr_src}
cd gocr-0.49
./configure
cp src/{gocr.h,pnm.h,unicode.h,list.h} $plibs/include
cp include/config.h $plibs/include
make libs
cp src/libPgm2asc.a $plibs/lib
cd ../mupdf-1.6-source
make prefix=$plibs install
install -Dm644 build/debug/libmujs.a $plibs/lib
cd ../k2pdfopt_v2.21/k2pdfoptlib
gcc -Ofast -Wall -c *.c -I ../include_mod/ -I $plibs/include \
-I . -I ../willuslib
ar rcs libk2pdfopt.a *.o
cd ../willuslib
gcc -Ofast -Wall -c *.c -I ../include_mod/ -I $plibs/include
ar rcs libwillus.a *.o
cd ..
gcc -Wall -Ofast -o k2pdfopt.o -c k2pdfopt.c -I k2pdfoptlib/ -I willuslib/ \
-I include_mod/ -I $plibs/include
g++ -Ofast k2pdfopt.o -o k2pdfopt -I willuslib/ -I k2pdfoptlib/ -I include_mod/ \
-I $plibs/include -L $plibs/lib/ \
-L willuslib/ -L k2pdfoptlib/ -lk2pdfopt -lwillus -ldjvulibre -lz -lmupdf \
-ljbig2dec -ljpeg -lopenjp2 -lpng -lfreetype -lpthread -lmujs \
-lPgm2asc -llept -ltesseract -lcrypto
mkdir -p $out/bin
cp k2pdfopt $out/bin
patches = [ ./k2pdfopt.patch ];

nativeBuildInputs = [ cmake pkgconfig ];

buildInputs =
let
mupdf_modded = mupdf.overrideAttrs (attrs: {
name = "mupdf-1.10a";
src = fetchurl {
url = "http://mupdf.com/downloads/archive/mupdf-1.10a-source.tar.gz";
sha256 = "0dm8wcs8i29aibzkqkrn8kcnk4q0kd1v66pg48h5c3qqp4v1zk5a";
};
# Excluded the pdf-*.c files, since they mostly just broke the #includes
prePatch = ''
cp ${src}/mupdf_mod/{font,stext-device,string}.c source/fitz/
cp ${src}/mupdf_mod/font-win32.c source/pdf/
'';
# Patches from previous 1.10a version in nixpkgs
patches = [
# Compatibility with new openjpeg
(fetchpatch {
name = "mupdf-1.9a-openjpeg-2.1.1.patch";
url = "https://git.archlinux.org/svntogit/community.git/plain/mupdf/trunk/0001-mupdf-openjpeg.patch?id=5a28ad0a8999a9234aa7848096041992cc988099";
sha256 = "1i24qr4xagyapx4bijjfksj4g3bxz8vs5c2mn61nkm29c63knp75";
})

(fetchurl {
name = "CVE-2017-5896.patch";
url = "http://git.ghostscript.com/?p=mupdf.git;a=patch;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27";
sha256 = "14k7x47ifx82sds1c06ibzbmcparfg80719jhgwjk6w1vkh4r693";
})
];
});
leptonica_modded = leptonica.overrideAttrs (attrs: {
prePatch = ''
cp ${src}/leptonica_mod/* src/
'';
});
tesseract_modded = tesseract.overrideAttrs (attrs: {
prePatch = ''
cp ${src}/tesseract_mod/{ambigs.cpp,ccutil.h,ccutil.cpp} ccutil/
cp ${src}/tesseract_mod/dawg.cpp api/
cp ${src}/tesseract_mod/{imagedata.cpp,tessdatamanager.cpp} ccstruct/
cp ${src}/tesseract_mod/openclwrapper.h opencl/
cp ${src}/tesseract_mod/{tessedit.cpp,thresholder.cpp} ccmain/
cp ${src}/tesseract_mod/tess_lang_mod_edge.h cube/
cp ${src}/tesseract_mod/tesscapi.cpp api/
cp ${src}/include_mod/{tesseract.h,leptonica.h} api/
'';
patches = [ ./tesseract.patch ];
});
in
[ zlib libpng ] ++
optional enableGSL gsl ++
optional enableGhostScript ghostscript ++
optionals enableMuPDF [ jbig2dec openjpeg freetype harfbuzz mupdf_modded ] ++
optionals enableJPEG2K [ jasper ] ++
optional enableDJVU djvulibre ++
optional enableGOCR gocr ++
optionals enableTesseract [ leptonica_modded tesseract_modded ];

dontUseCmakeBuildDir = true;

cmakeFlags = [ "-DCMAKE_C_FLAGS=-I${src}/include_mod" ];

installPhase = ''
install -D -m 755 k2pdfopt $out/bin/k2pdfopt
'';

meta = with stdenv.lib; {
description = "Optimizes PDF/DJVU files for mobile e-readers (e.g. the Kindle) and smartphones";
homepage = http://www.willus.com/k2pdfopt;
license = licenses.gpl3;
platforms = platforms.linux;
maintainers = [ maintainers.bosu ];
maintainers = with maintainers; [ bosu danielfullmer ];
};
}
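Review bot: `mupdf_modded` pins mupdf to a fetchurl'd 1.10a tarball plus two patches, so this package stops following the mupdf derivation that nixpkgs keeps updated, and the comment at `# Patches from previous 1.10a version in nixpkgs` says where the patches came from but not why the pin exists or that later mupdf fixes will not reach k2pdfopt. Suggest stating this next to `name = "mupdf-1.10a";`, e.g. `# Pinned to 1.10a (presumably what the mupdf_mod/ sources target); fixes that land in nixpkgs' mupdf after 1.10a are not picked up here and need backporting` — the reason for the pin is inferred, the hunk does not say. A point of style: the openjpeg patch is fetched with `fetchpatch` while the CVE-2017-5896 patch uses `fetchurl`; using `fetchpatch` for both keeps the entries uniform and normalises the patch, at the cost of recomputing that hash. The hunk spans the whole file, so nothing is cut off at the edges.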
