Merge branch 'staging'

- I can see some regressions, especially due to fetchzip rename c3255fe. - Darwin is only half-rebuilt on Hydra ATM. - But there quite a few security fixes within.
NixOS · Nov 1, 2017 · 06d7e54 · 06d7e54
2 parents 26e4f6f + c4be15a
commit 06d7e54
Show file tree

Hide file tree

Showing 38 changed files with 346 additions and 204 deletions.
diff --git a/pkgs/build-support/closure-info.nix b/pkgs/build-support/closure-info.nix
@@ -8,7 +8,10 @@
 
 { rootPaths }:
 
-if builtins.langVersion >= 5 then
+#if builtins.langVersion >= 5 then
+# FIXME: it doesn't work on Hydra, failing to find mkdir;
+#   perhaps .attrs.sh clobbers PATH with new nix?
+if false then
 
   # Nix >= 1.12: Include NAR hash / size info.
 

diff --git a/pkgs/build-support/fetchgit/gitrepotoname.nix b/pkgs/build-support/fetchgit/gitrepotoname.nix
diff --git a/pkgs/build-support/fetchzip/default.nix b/pkgs/build-support/fetchzip/default.nix
@@ -11,10 +11,11 @@
   stripRoot ? true
 , url
 , extraPostFetch ? ""
+, name ? "source"
 , ... } @ args:
 
 lib.overrideDerivation (fetchurl ({
-  name = args.name or (baseNameOf url);
+  inherit name;
 
   recursiveHash = true;
 

diff --git a/pkgs/desktops/gnome-3/default.nix b/pkgs/desktops/gnome-3/default.nix
@@ -45,7 +45,7 @@ let
     hitori gnome-taquin
   ];
 
-  inherit (pkgs) glib gtk2 webkitgtk216x gtk3 gtkmm3 libcanberra_gtk2
+  inherit (pkgs) glib gtk2 webkitgtk gtk3 gtkmm3 libcanberra_gtk2
     clutter clutter-gst clutter_gtk cogl gtkvnc;
   inherit (pkgs.gnome2) ORBit2;
   libsoup = pkgs.libsoup.override { gnomeSupport = true; };
@@ -56,7 +56,6 @@ let
   gtkmm = gtkmm3;
   vala = pkgs.vala_0_32;
   gegl_0_3 = pkgs.gegl_0_3.override { inherit gtk; };
-  webkitgtk = webkitgtk216x;
 
 # Simplify the nixos module and gnome packages
   defaultIconTheme = adwaita-icon-theme;

diff --git a/pkgs/development/compilers/rust/rustc.nix b/pkgs/development/compilers/rust/rustc.nix
@@ -85,6 +85,9 @@ stdenv.mkDerivation {
     # https://reviews.llvm.org/rL281650
     rm -vr src/test/run-pass/issue-36474.rs || true
 
+    # On Hydra: `TcpListener::bind(&addr)`: Address already in use (os error 98)'
+    sed '/^ *fn fast_rebind()/i#[ignore]' -i src/libstd/net/tcp.rs
+
     # Disable some failing gdb tests. Try re-enabling these when gdb
     # is updated past version 7.12.
     rm src/test/debuginfo/basic-types-globals.rs

diff --git a/pkgs/development/interpreters/perl/default.nix b/pkgs/development/interpreters/perl/default.nix
@@ -116,9 +116,7 @@ let
       platforms = platforms.all;
     };
   };
-
 in rec {
-
   perl = perl524;
 
   perl522 = common {
@@ -127,8 +125,7 @@ in rec {
   };
 
   perl524 = common {
-    version = "5.24.2";
-    sha256 = "1x4yj814a79lcarwb3ab6bbcb36hvb5n4ph4zg3yb0nabsjfi6v0";
+    version = "5.24.3";
+    sha256 = "1m2px85kq2fyp2d4rx3bw9kg3car67qfqwrs5vlv96dx0x8rl06b";
   };
-
 }
diff --git a/pkgs/development/interpreters/python/cpython/3.6/default.nix b/pkgs/development/interpreters/python/cpython/3.6/default.nix
@@ -27,7 +27,7 @@ with stdenv.lib;
 
 let
   majorVersion = "3.6";
-  minorVersion = "2";
+  minorVersion = "3";
   minorVersionSuffix = "";
   pythonVersion = majorVersion;
   version = "${majorVersion}.${minorVersion}${minorVersionSuffix}";
@@ -48,7 +48,7 @@ in stdenv.mkDerivation {
 
   src = fetchurl {
     url = "https://www.python.org/ftp/python/${majorVersion}.${minorVersion}/Python-${version}.tar.xz";
-    sha256 = "1ab4vlpdax1ihpiyiwchlgsk36apl4kgdw271wvl9l8ywhxpfacj";
+    sha256 = "1nl1raaagr4car787a2hmjv2dw6gqny53xfd6wisbgx4r5kxk9yd";
   };
 
   NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s";

diff --git a/pkgs/development/libraries/cyrus-sasl/default.nix b/pkgs/development/libraries/cyrus-sasl/default.nix
@@ -1,4 +1,5 @@
-{ lib, stdenv, fetchurl, openssl, openldap, kerberos, db, gettext, pam, fixDarwinDylibNames, autoreconfHook, enableLdap ? false }:
+{ lib, stdenv, fetchurl, openssl, openldap, kerberos, db, gettext,
+  pam, fixDarwinDylibNames, autoreconfHook, fetchpatch, enableLdap ? false }:
 
 with stdenv.lib;
 stdenv.mkDerivation rec {
@@ -21,6 +22,10 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./missing-size_t.patch # https://bugzilla.redhat.com/show_bug.cgi?id=906519
+    (fetchpatch { # CVE-2013-4122
+      url = "http://sourceforge.net/projects/miscellaneouspa/files/glibc217/cyrus-sasl-2.1.26-glibc217-crypt.diff";
+      sha256 = "05l7dh1w9d5fvzg0pjwzqh0fy4ah8y5cv6v67s4ssbq8xwd4pkf2";
+    })
   ] ++ lib.optional stdenv.isFreeBSD (
       fetchurl {
         url = "http://www.linuxfromscratch.org/patches/blfs/svn/cyrus-sasl-2.1.26-fixes-3.patch";

diff --git a/pkgs/development/libraries/db/CVE-2017-10140-4.8-cwd-db_config.patch b/pkgs/development/libraries/db/CVE-2017-10140-4.8-cwd-db_config.patch
@@ -0,0 +1,11 @@
+--- a/env/env_open.c.old	2017-06-26 10:32:11.011419981 +0200
++++ b/env/env_open.c	2017-06-26 10:32:46.893721233 +0200
+@@ -473,7 +473,7 @@
+ 	env->db_mode = mode == 0 ? DB_MODE_660 : mode;
+
+ 	/* Read the DB_CONFIG file. */
+-	if ((ret = __env_read_db_config(env)) != 0)
++	if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0)
+ 		return (ret);
+
+ 	/*
diff --git a/pkgs/development/libraries/db/CVE-2017-10140-cwd-db_config.patch b/pkgs/development/libraries/db/CVE-2017-10140-cwd-db_config.patch
@@ -0,0 +1,11 @@
+--- db-5.3.28/src/env/env_open.c.old	2017-06-26 10:32:11.011419981 +0200
++++ db-5.3.28/src/env/env_open.c	2017-06-26 10:32:46.893721233 +0200
+@@ -473,7 +473,7 @@
+ 	env->db_mode = mode == 0 ? DB_MODE_660 : mode;
+
+ 	/* Read the DB_CONFIG file. */
+-	if ((ret = __env_read_db_config(env)) != 0)
++	if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0)
+ 		return (ret);
+
+ 	/*
diff --git a/pkgs/development/libraries/db/db-4.8.nix b/pkgs/development/libraries/db/db-4.8.nix
@@ -3,7 +3,7 @@
 import ./generic.nix (args // rec {
   version = "4.8.30";
   sha256 = "0ampbl2f0hb1nix195kz1syrqqxpmvnvnfvphambj7xjrl3iljg0";
-  extraPatches = [ ./clang-4.8.patch ];
+  extraPatches = [ ./clang-4.8.patch ./CVE-2017-10140-4.8-cwd-db_config.patch ];
 
   drvArgs.hardeningDisable = [ "format" ];
   drvArgs.doCheck = false;

diff --git a/pkgs/development/libraries/db/db-5.3.nix b/pkgs/development/libraries/db/db-5.3.nix
@@ -3,5 +3,5 @@
 import ./generic.nix (args // rec {
   version = "5.3.28";
   sha256 = "0a1n5hbl7027fbz5lm0vp0zzfp1hmxnz14wx3zl9563h83br5ag0";
-  extraPatches = [ ./clang-5.3.patch ];
+  extraPatches = [ ./clang-5.3.patch ./CVE-2017-10140-cwd-db_config.patch ];
 })
diff --git a/pkgs/development/libraries/db/db-6.0.nix b/pkgs/development/libraries/db/db-6.0.nix
@@ -4,5 +4,5 @@ import ./generic.nix (args // rec {
   version = "6.0.20";
   sha256 = "00r2aaglq625y8r9xd5vw2y070plp88f1mb2gbq3kqsl7128lsl0";
   license = stdenv.lib.licenses.agpl3;
-  extraPatches = [ ./clang-6.0.patch ];
+  extraPatches = [ ./clang-6.0.patch ./CVE-2017-10140-cwd-db_config.patch ];
 })
diff --git a/pkgs/development/libraries/db/db-6.2.nix b/pkgs/development/libraries/db/db-6.2.nix
@@ -4,5 +4,5 @@ import ./generic.nix (args // rec {
   version = "6.2.23";
   sha256 = "1isxx4jfmnh913jzhp8hhfngbk6dsg46f4kjpvvc56maj64jqqa7";
   license = stdenv.lib.licenses.agpl3;
-  extraPatches = [ ./clang-6.0.patch ];
+  extraPatches = [ ./clang-6.0.patch ./CVE-2017-10140-cwd-db_config.patch ];
 })
diff --git a/pkgs/development/libraries/lame/default.nix b/pkgs/development/libraries/lame/default.nix
@@ -59,7 +59,7 @@ stdenv.mkDerivation rec {
     description = "A high quality MPEG Audio Layer III (MP3) encoder";
     homepage    = http://lame.sourceforge.net;
     license     = licenses.lgpl2;
-    maintainers = with maintainers; [ codyopel ];
+    maintainers = with maintainers; [ codyopel fpletz ];
     platforms   = platforms.all;
   };
 }
diff --git a/pkgs/development/libraries/lame/gcc-4.9.patch b/pkgs/development/libraries/lame/gcc-4.9.patch
diff --git a/pkgs/development/libraries/libarchive/CVE-2017-14166.patch b/pkgs/development/libraries/libarchive/CVE-2017-14166.patch
@@ -0,0 +1,36 @@
+From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001
+From: Joerg Sonnenberger <joerg@bec.de>
+Date: Tue, 5 Sep 2017 18:12:19 +0200
+Subject: [PATCH] Do something sensible for empty strings to make fuzzers
+ happy.
+
+---
+ libarchive/archive_read_support_format_xar.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
+index 7a22beb9d..93eeacc5e 100644
+--- a/libarchive/archive_read_support_format_xar.c
++++ b/libarchive/archive_read_support_format_xar.c
+@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
+ 	uint64_t l;
+ 	int digit;
+
++	if (char_cnt == 0)
++		return (0);
++
+ 	l = 0;
+ 	digit = *p - '0';
+ 	while (digit >= 0 && digit < 10  && char_cnt-- > 0) {
+@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
+ {
+ 	int64_t l;
+ 	int digit;
+-        
++
++	if (char_cnt == 0)
++		return (0);
++
+ 	l = 0;
+ 	while (char_cnt-- > 0) {
+ 		if (*p >= '0' && *p <= '7')
diff --git a/pkgs/development/libraries/libarchive/CVE-2017-14502.patch b/pkgs/development/libraries/libarchive/CVE-2017-14502.patch
@@ -0,0 +1,28 @@
+From 5562545b5562f6d12a4ef991fae158bf4ccf92b6 Mon Sep 17 00:00:00 2001
+From: Joerg Sonnenberger <joerg@bec.de>
+Date: Sat, 9 Sep 2017 17:47:32 +0200
+Subject: [PATCH] Avoid a read off-by-one error for UTF16 names in RAR
+ archives.
+
+Reported-By: OSS-Fuzz issue 573
+---
+ libarchive/archive_read_support_format_rar.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index cbb14c32d..751de6979 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -1496,7 +1496,11 @@ read_header(struct archive_read *a, struct archive_entry *entry,
+         return (ARCHIVE_FATAL);
+       }
+       filename[filename_size++] = '\0';
+-      filename[filename_size++] = '\0';
++      /*
++       * Do not increment filename_size here as the computations below
++       * add the space for the terminating NUL explicitly.
++       */
++      filename[filename_size] = '\0';
+
+       /* Decoded unicode form is UTF-16BE, so we have to update a string
+        * conversion object for it. */
diff --git a/pkgs/development/libraries/libarchive/default.nix b/pkgs/development/libraries/libarchive/default.nix
@@ -17,6 +17,11 @@ stdenv.mkDerivation rec {
     sha256 = "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd";
   };
 
+  patches = [
+    ./CVE-2017-14166.patch
+    ./CVE-2017-14502.patch
+  ];
+
   outputs = [ "out" "lib" "dev" ];
 
   nativeBuildInputs = [ pkgconfig ];

diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
@@ -66,7 +66,7 @@ let
 in
 
 let
-  version = "17.2.2";
+  version = "17.2.4";
   branch  = head (splitString "." version);
   driverLink = "/run/opengl-driver" + optionalString stdenv.isi686 "-32";
 in
@@ -81,7 +81,7 @@ stdenv.mkDerivation {
       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
       "https://launchpad.net/mesa/trunk/${version}/+download/mesa-${version}.tar.xz"
     ];
-    sha256 = "10jplvxg7rlbp7569w08z0igwlsjjfb7q3n07zgfr8d5sr224lng";
+    sha256 = "0l75q9l4g15y66rqk2swqvj18qj60hpimv0f97jk44bfrpz0i92v";
   };
 
   prePatch = "patchShebangs .";

diff --git a/pkgs/development/libraries/pcre/CVE-2017-7186.patch b/pkgs/development/libraries/pcre/CVE-2017-7186.patch