NixOS · Nov 19, 2017
diff --git a/‎nixos/modules/services/x11/display-managers/gdm.nix
-3 b/‎nixos/modules/services/x11/display-managers/gdm.nix
-3
diff --git a/‎nixos/release.nix
+1 b/‎nixos/release.nix
+1
diff --git a/‎nixos/tests/couchdb.nix
+56 b/‎nixos/tests/couchdb.nix
+56
diff --git a/‎pkgs/applications/editors/geany/default.nix
+2-2 b/‎pkgs/applications/editors/geany/default.nix
+2-2
diff --git a/‎pkgs/applications/networking/cluster/minikube/default.nix
+2-2 b/‎pkgs/applications/networking/cluster/minikube/default.nix
+2-2
diff --git a/‎pkgs/applications/networking/corebird/default.nix
+2-2 b/‎pkgs/applications/networking/corebird/default.nix
+2-2
diff --git a/‎pkgs/applications/networking/gmailieer/default.nix
+2-2 b/‎pkgs/applications/networking/gmailieer/default.nix
+2-2
diff --git a/‎pkgs/applications/networking/mailreaders/notmuch/default.nix
+2-2 b/‎pkgs/applications/networking/mailreaders/notmuch/default.nix
+2-2
diff --git a/‎pkgs/desktops/gnome-3/core/gdm/default.nix
+1 b/‎pkgs/desktops/gnome-3/core/gdm/default.nix
+1
diff --git a/‎pkgs/development/libraries/audiofile/default.nix
+51-2 b/‎pkgs/development/libraries/audiofile/default.nix
+51-2
diff --git a/‎pkgs/development/libraries/libsndfile/default.nix
+17-12 b/‎pkgs/development/libraries/libsndfile/default.nix
+17-12
diff --git a/‎pkgs/development/libraries/openjpeg/2.1.nix
+4-33 b/‎pkgs/development/libraries/openjpeg/2.1.nix
+4-33
@@ -122,11 +122,8 @@ in
       "rc-local.service"
       "systemd-machined.service"
       "systemd-user-sessions.service"
-      "getty@tty1.service"
     ];
 
-    systemd.services."getty@tty1".enable = false;
-    systemd.services.display-manager.conflicts = [ "getty@tty1.service" ];
     systemd.services.display-manager.serviceConfig = {
       # Restart = "always"; - already defined in xserver.nix
       KillMode = "mixed";
 
@@ -235,6 +235,7 @@ in rec {
   tests.containers-tmpfs = callTest tests/containers-tmpfs.nix {};
   tests.containers-hosts = callTest tests/containers-hosts.nix {};
   tests.containers-macvlans = callTest tests/containers-macvlans.nix {};
+  tests.couchdb = callTest tests/couchdb.nix {};
   tests.docker = hydraJob (import tests/docker.nix { system = "x86_64-linux"; });
   tests.docker-edge = hydraJob (import tests/docker-edge.nix { system = "x86_64-linux"; });
   tests.dovecot = callTest tests/dovecot.nix {};
 
@@ -0,0 +1,56 @@
+import ./make-test.nix ({ pkgs, lib, ...}:
+
+with lib;
+
+{
+  name = "couchdb";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ fpletz ];
+  };
+
+  nodes = {
+    couchdb1 =
+      { pkgs, config, ... }:
+
+      { environment.systemPackages = with pkgs; [ jq ];
+        services.couchdb.enable = true;
+      };
+
+    couchdb2 =
+      { pkgs, config, ... }:
+
+      { environment.systemPackages = with pkgs; [ jq ];
+        services.couchdb.enable = true;
+        services.couchdb.package = pkgs.couchdb2;
+      };
+  };
+
+  testScript = let
+    curlJqCheck = action: path: jqexpr: result:
+      pkgs.writeScript "curl-jq-check-${action}-${path}.sh" ''
+        RESULT=$(curl -X ${action} http://127.0.0.1:5984/${path} | jq -r '${jqexpr}')
+        echo $RESULT >&2
+        if [ "$RESULT" != "${result}" ]; then
+          exit 1
+        fi
+      '';
+  in ''
+    startAll;
+
+    $couchdb1->waitForUnit("couchdb.service");
+    $couchdb1->waitUntilSucceeds("${curlJqCheck "GET" "" ".couchdb" "Welcome"}");
+    $couchdb1->waitUntilSucceeds("${curlJqCheck "GET" "_all_dbs" ". | length" "2"}");
+    $couchdb1->succeed("${curlJqCheck "PUT" "foo" ".ok" "true"}");
+    $couchdb1->succeed("${curlJqCheck "GET" "_all_dbs" ". | length" "3"}");
+    $couchdb1->succeed("${curlJqCheck "DELETE" "foo" ".ok" "true"}");
+    $couchdb1->succeed("${curlJqCheck "GET" "_all_dbs" ". | length" "2"}");
+
+    $couchdb2->waitForUnit("couchdb.service");
+    $couchdb2->waitUntilSucceeds("${curlJqCheck "GET" "" ".couchdb" "Welcome"}");
+    $couchdb2->waitUntilSucceeds("${curlJqCheck "GET" "_all_dbs" ". | length" "0"}");
+    $couchdb2->succeed("${curlJqCheck "PUT" "foo" ".ok" "true"}");
+    $couchdb2->succeed("${curlJqCheck "GET" "_all_dbs" ". | length" "1"}");
+    $couchdb2->succeed("${curlJqCheck "DELETE" "foo" ".ok" "true"}");
+    $couchdb2->succeed("${curlJqCheck "GET" "_all_dbs" ". | length" "0"}");
+  '';
+})
@@ -3,15 +3,15 @@
 with stdenv.lib;
 
 let
-  version = "1.31";
+  version = "1.32";
 in
 
 stdenv.mkDerivation rec {
   name = "geany-${version}";
 
   src = fetchurl {
     url = "http://download.geany.org/${name}.tar.bz2";
-    sha256 = "30fdb906bb76c4251a8bcf83ee267db28c26ef6ab867668a782cec1164a3aba5";
+    sha256 = "8b7be10b95d0614eb07f845ba2280f7c026eacd5739d8fac4d5d26606f8c3c2d";
   };
 
   NIX_LDFLAGS = if stdenv.isDarwin then "-lintl" else null;
 
@@ -1,5 +1,5 @@
 { stdenv, buildGoPackage, fetchFromGitHub, fetchurl, go-bindata, kubernetes, libvirt, qemu, docker-machine-kvm,
-  gpgme, makeWrapper }:
+  gpgme, makeWrapper, hostPlatform, vmnet }:
 
 let
   binPath = [ kubernetes ]
@@ -36,7 +36,7 @@ in buildGoPackage rec {
 
   # kubernetes is here only to shut up a loud warning when generating the completions below. minikube checks very eagerly
   # that kubectl is on the $PATH, even if it doesn't use it at all to generate the completions
-  buildInputs = [ go-bindata makeWrapper kubernetes gpgme ];
+  buildInputs = [ go-bindata makeWrapper kubernetes gpgme ] ++ stdenv.lib.optional hostPlatform.isDarwin vmnet;
   subPackages = [ "cmd/minikube" ];
 
   preBuild = ''
 
@@ -3,14 +3,14 @@
 , glib_networking }:
 
 stdenv.mkDerivation rec {
-  version = "1.7.1";
+  version = "1.7.2";
   name = "corebird-${version}";
 
   src = fetchFromGitHub {
     owner = "baedert";
     repo = "corebird";
     rev = version;
-    sha256 = "1g6wkzrl6j0mmgafpv0jpqa906s1x7p5hmiqdgs9qwm7q2wlwrqd";
+    sha256 = "0mydxxga4h1663xchb3543rk3k8frlmlyy5wz20zh38fpdlkhyf1";
   };
 
   preConfigure = ''
 
@@ -2,13 +2,13 @@
 
 python3Packages.buildPythonApplication rec {
   name = "gmailieer";
-  version = "0.3";
+  version = "0.4";
 
   src = fetchFromGitHub {
     owner = "gauteh";
     repo = "gmailieer";
     rev = "v${version}";
-    sha256 = "1app783gf0p9p196nqsgbyl6s1bp304dfav86fqiq86h1scld787";
+    sha256 = "0vpc8nrh3cx91pcw45jjr2jllkqbx6w2khq7nyqv59gc4q5mz0p2";
   };
 
   propagatedBuildInputs = with python3Packages; [
 
@@ -12,7 +12,7 @@
 with stdenv.lib;
 
 stdenv.mkDerivation rec {
-  version = "0.25";
+  version = "0.25.2";
   name = "notmuch-${version}";
 
   passthru = {
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "http://notmuchmail.org/releases/${name}.tar.gz";
-    sha256 = "02z6d87ip1hkipz8d7w0sfklg8dd5fd5vlgp768640ixg0gqvlk5";
+    sha256 = "0ai6vbs9wzwfz7jcphgqsqpcbq137l34xhmcli4h5c8n82fvmdp4";
   };
 
   nativeBuildInputs = [ pkgconfig ];
 
@@ -14,6 +14,7 @@ stdenv.mkDerivation rec {
   configureFlags = [ "--sysconfdir=/etc"
                      "--localstatedir=/var"
                      "--with-plymouth=yes"
+                     "--with-initial-vt=7"
                      "--with-systemdsystemunitdir=$(out)/etc/systemd/system" ];
 
   nativeBuildInputs = [ autoreconfHook pkgconfig ];
 
@@ -1,4 +1,14 @@
-{ stdenv, fetchurl, alsaLib, AudioUnit, CoreServices }:
+{ stdenv, fetchurl, fetchpatch, alsaLib, AudioUnit, CoreServices }:
+
+let
+
+  fetchDebianPatch = { name, debname, sha256 }:
+    fetchpatch {
+      inherit sha256 name;
+      url = "https://anonscm.debian.org/cgit/pkg-multimedia/audiofile.git/plain/debian/patches/${debname}?h=debian/0.3.6-4";
+    };
+
+in
 
 stdenv.mkDerivation rec {
   name = "audiofile-0.3.6";
@@ -15,7 +25,46 @@ stdenv.mkDerivation rec {
     sha256 = "0rb927zknk9kmhprd8rdr4azql4gn2dp75a36iazx2xhkbqhvind";
   };
 
-  patches = [ ./CVE-2015-7747.patch ./gcc-6.patch ];
+  patches = [
+    ./gcc-6.patch
+    ./CVE-2015-7747.patch
+
+    (fetchDebianPatch {
+      name = "CVE-2017-6829.patch";
+      debname = "04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch";
+      sha256 = "04qxl51i64c53v69q2kx61qdq474f4vapk8rq97cipj7yrar392m";
+    })
+    (fetchDebianPatch {
+      name = "CVE-2017-6827+CVE-2017-6828+CVE-2017-6832+CVE-2017-6835+CVE-2017-6837.patch";
+      debname = "05_Always-check-the-number-of-coefficients.patch";
+      sha256 = "1ih03kfkabffi6ymp6832q470i28rsds78941vzqlshnqjb2nnxw";
+    })
+    (fetchDebianPatch {
+      name = "CVE-2017-6839.patch";
+      debname = "06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch";
+      sha256 = "0a8s2z8rljlj03p7l1is9s4fml8vyzvyvfrh1m6xj5a8vbi635d0";
+    })
+    (fetchDebianPatch {
+      name = "CVE-2017-6830+CVE-2017-6834+CVE-2017-6836+CVE-2017-6838.patch";
+      debname = "07_Check-for-multiplication-overflow-in-sfconvert.patch";
+      sha256 = "0rfba8rkasl5ycvc0kqlzinkl3rvyrrjvjhpc45h423wmjk2za2l";
+    })
+    (fetchDebianPatch {
+      name = "audiofile-fix-multiplyCheckOverflow-signature.patch";
+      debname = "08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch";
+      sha256 = "032p5jqp7q7jgc5axdnazz00zm7hd26z6m5j55ifs0sykr5lwldb";
+    })
+    (fetchDebianPatch {
+      name = "CVE-2017-6831.patch";
+      debname = "09_Actually-fail-when-error-occurs-in-parseFormat.patch";
+      sha256 = "0csikmj8cbiy6cigg0rmh67jrr0sgm56dfrnrxnac3m9635nxlac";
+    })
+    (fetchDebianPatch {
+      name = "CVE-2017-6833.patch";
+      debname = "10_Check-for-division-by-zero-in-BlockCodec-runPull.patch";
+      sha256 = "1rlislkjawq98bbcf1dgl741zd508wwsg85r37ca7pfdf6wgl6z7";
+    })
+  ];
 
   meta = with stdenv.lib; {
     description = "Library for reading and writing audio files in various formats";
 
@@ -11,25 +11,30 @@ stdenv.mkDerivation rec {
   };
 
   patches = [
-    # CVE-2017-12562
     (fetchurl {
-       url = "https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8.patch";
-       sha256 = "1jg3wq30wdn9nv52mcyv6jyi4d80h4r1h9p96czcria7l91yh4sy";
+      name = "CVE-2017-12562.patch";
+      url = "https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8.patch";
+      sha256 = "1jg3wq30wdn9nv52mcyv6jyi4d80h4r1h9p96czcria7l91yh4sy";
     })
-    # CVE-2017-6892
     (fetchurl {
-       url = "https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748.patch";
-       sha256 = "05xkmz2ihc1zcj73sbmj1ikrv9qlcym2bkp1v6ak7w53ky619mwq";
+      name = "CVE-2017-6892.patch";
+      url = "https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748.patch";
+      sha256 = "05xkmz2ihc1zcj73sbmj1ikrv9qlcym2bkp1v6ak7w53ky619mwq";
     })
-    # CVE-2017-8361, CVE-2017-8363, CVE-2017-8363
     (fetchurl {
-       url = "https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3.patch";
-       sha256 = "0ccndnvjzx5fw18zvy03vnb29rr81h5vsh1m16msqbxk8ibndln2";
+      name = "CVE-2017-8361+CVE-2017-8363+CVE-2017-8365.patch";
+      url = "https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3.patch";
+      sha256 = "0ccndnvjzx5fw18zvy03vnb29rr81h5vsh1m16msqbxk8ibndln2";
     })
-    # CVE-2017-8362
     (fetchurl {
-       url = "https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808.patch";
-       sha256 = "1xyv30ga71cpy4wx5f76sc4dma91la2lcc6s9f3pk9rndyi7gj9x";
+      name = "CVE-2017-8362.patch";
+      url = "https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808.patch";
+      sha256 = "1xyv30ga71cpy4wx5f76sc4dma91la2lcc6s9f3pk9rndyi7gj9x";
+    })
+    (fetchurl {
+      name = "CVE-2017-14634.patch";
+      url = "https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788.patch";
+      sha256 = "0kc7vp22qsxidhvmlc6nfamw7k92n0hcfpmwhb3gaksjamwhb2df";
     })
   ];
 
 
@@ -1,37 +1,8 @@
 { callPackage, fetchpatch, ... } @ args:
 
 callPackage ./generic.nix (args // rec {
-  version = "2.1.2";
-  branch = "2.1";
-  revision = "v2.1.2";
-  sha256 = "0kdcl9sqjz0vagli4ad6bxq1r8ma086m0prpkm5x3dxp37hpjp8h";
-
-  patches = [
-    # Fetched from https://github.com/szukw000/openjpeg/commit/cadff5fb6e73398de26a92e96d3d7cac893af255
-    # Referenced from https://bugzilla.redhat.com/show_bug.cgi?id=1405135
-    # Put in our source code to make sure we don't lose it, since that
-    # referenced commit is someone else's fork, and not actually up-stream.
-    ./CVE-2016-9580-and-CVE-2016-9581.patch
-
-    (fetchpatch {
-      url = "https://bugzilla.suse.com/attachment.cgi?id=707359&action=diff&context=patch&collapsed=&headers=1&format=raw";
-      name = "CVE-2016-9112.patch";
-      sha256 = "18hqx73wdzfybr5n5k6pzhbhdlmawiqbjci8n82zykxiyfgp18pd";
-    })
-    (fetchpatch {
-      url = "https://bugzilla.suse.com/attachment.cgi?id=707354&action=diff&context=patch&collapsed=&headers=1&format=raw";
-      name = "CVE-2016-9114.patch";
-      sha256 = "0qam3arw9kdbh4501xim2pyldl708dnpyjwvjmwc9gc7hcq4gfi3";
-    })
-    (fetchpatch {
-      url = "https://bugzilla.suse.com/attachment.cgi?id=707356&action=diff&context=patch&collapsed=&headers=1&format=raw";
-      name = "CVE-2016-9116.patch";
-      sha256 = "0yyb3pxqi5sr44a48bacngzp206j4z49lzkg6hbkz1nra9na61a3";
-    })
-    (fetchpatch {
-      url = "https://bugzilla.suse.com/attachment.cgi?id=707358&action=diff&context=patch&collapsed=&headers=1&format=raw";
-      name = "CVE-2016-9118.patch";
-      sha256 = "125n8bmh07y7697s0y82ypb39rxgj0bdn8rcywbvamscagwg2wy9";
-    })
-  ];
+  version = "2.3.0";
+  branch = "2.3";
+  revision = "v${version}";
+  sha256 = "08plxrnfl33sn2vh5nwbsngyv6b1sfpplvx881crm1v1ai10m2lz";
 })