From f98a5946b7607ac7541b0122e73c9b9fec69a981 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 18 Feb 2016 20:54:52 +0100 Subject: [PATCH 01/15] glibc: 2.21 -> 2.22 --- pkgs/development/libraries/glibc/common.nix | 8 +- .../libraries/glibc/cve-2014-8121.patch | 230 ------------------ .../libraries/glibc/cve-2015-1781.patch | 27 -- .../libraries/glibc/cve-2015-7547.patch | 91 +++---- .../libraries/glibc/security-4a28f4d5.patch | 53 ---- .../libraries/glibc/security-bdf1ff05.patch | 39 --- 6 files changed, 51 insertions(+), 397 deletions(-) delete mode 100644 pkgs/development/libraries/glibc/cve-2014-8121.patch delete mode 100644 pkgs/development/libraries/glibc/cve-2015-1781.patch delete mode 100644 pkgs/development/libraries/glibc/security-4a28f4d5.patch delete mode 100644 pkgs/development/libraries/glibc/security-bdf1ff05.patch diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 45f5c24e959b..496440b1039f 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -13,7 +13,7 @@ cross: let - version = "2.21"; + version = "2.22"; in @@ -57,10 +57,6 @@ stdenv.mkDerivation ({ patch extends the search path by "/run/current-system/sw/bin". */ ./fix_path_attribute_in_getconf.patch - ./security-4a28f4d5.patch - ./security-bdf1ff05.patch - ./cve-2014-8121.patch - ./cve-2015-1781.patch ./cve-2015-7547.patch ./glibc-locale-incompatibility.patch @@ -165,7 +161,7 @@ stdenv.mkDerivation ({ } else fetchurl { url = "mirror://gnu/glibc/glibc-${version}.tar.gz"; - sha256 = "0f4prv4c0fcpi85wv4028wqxn075197gwxhgf0vp571fiw2pi3wd"; + sha256 = "1rcby0cqgswgqaxyqz0yqc4zizb1kvpi5vlfqp7dh3sa132109m6"; }; # Remove absolute paths from `configure' & co.; build out-of-tree. diff --git a/pkgs/development/libraries/glibc/cve-2014-8121.patch b/pkgs/development/libraries/glibc/cve-2014-8121.patch deleted file mode 100644 index 95a86259dba8..000000000000 --- a/pkgs/development/libraries/glibc/cve-2014-8121.patch +++ /dev/null @@ -1,230 +0,0 @@ -From 03d2730b44cc2236318fd978afa2651753666c55 Mon Sep 17 00:00:00 2001 -From: Florian Weimer -Date: Wed, 29 Apr 2015 14:41:25 +0200 -Subject: [PATCH] CVE-2014-8121: Do not close NSS files database during - iteration [BZ #18007] -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -Robin Hack discovered Samba would enter an infinite loop processing -certain quota-related requests. We eventually tracked this down to a -glibc issue. - -Running a (simplified) test case under strace shows that /etc/passwd -is continuously opened and closed: - -… -open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 -lseek(3, 0, SEEK_CUR) = 0 -read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717 -lseek(3, 2717, SEEK_SET) = 2717 -close(3) = 0 -open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 -lseek(3, 0, SEEK_CUR) = 0 -lseek(3, 0, SEEK_SET) = 0 -read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717 -lseek(3, 2717, SEEK_SET) = 2717 -close(3) = 0 -open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 -lseek(3, 0, SEEK_CUR) = 0 -… - -The lookup function implementation in -nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that. It is -supposed skip closing the input file if it was already open. - - /* Reset file pointer to beginning or open file. */ \ - status = internal_setent (keep_stream); \ - \ - if (status == NSS_STATUS_SUCCESS) \ - { \ - /* Tell getent function that we have repositioned the file pointer. */ \ - last_use = getby; \ - \ - while ((status = internal_getent (result, buffer, buflen, errnop \ - H_ERRNO_ARG EXTRA_ARGS_VALUE)) \ - == NSS_STATUS_SUCCESS) \ - { break_if_match } \ - \ - if (! keep_stream) \ - internal_endent (); \ - } \ - -keep_stream is initialized from the stayopen flag in internal_setent. -internal_setent is called from the set*ent implementation as: - - status = internal_setent (stayopen); - -However, for non-host database, this flag is always 0, per the -STAYOPEN magic in nss/getXXent_r.c. - -Thus, the fix is this: - -- status = internal_setent (stayopen); -+ status = internal_setent (1); - -This is not a behavioral change even for the hosts database (where the -application can specify the stayopen flag) because with a call to -sethostent(0), the file handle is still not closed in the -implementation of gethostent. ---- - ChangeLog | 8 ++++ - NEWS | 12 +++-- - nss/Makefile | 2 +- - nss/nss_files/files-XXX.c | 2 +- - nss/tst-nss-getpwent.c | 118 ++++++++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 136 insertions(+), 6 deletions(-) - create mode 100644 nss/tst-nss-getpwent.c - -diff --git a/nss/Makefile b/nss/Makefile -index d75dad2..65ab7b5 100644 ---- a/nss/Makefile -+++ b/nss/Makefile -@@ -47,7 +47,7 @@ install-bin := getent makedb - makedb-modules = xmalloc hash-string - extra-objs += $(makedb-modules:=.o) - --tests = test-netdb tst-nss-test1 test-digits-dots -+tests = test-netdb tst-nss-test1 test-digits-dots tst-nss-getpwent - xtests = bug-erange - - # Specify rules for the nss_* modules. We have some services. -diff --git a/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c -index a7a45e5..a7ce5ea 100644 ---- a/nss/nss_files/files-XXX.c -+++ b/nss/nss_files/files-XXX.c -@@ -134,7 +134,7 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen) - - __libc_lock_lock (lock); - -- status = internal_setent (stayopen); -+ status = internal_setent (1); - - if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0) - { -diff --git a/nss/tst-nss-getpwent.c b/nss/tst-nss-getpwent.c -new file mode 100644 -index 0000000..f2e8abc ---- /dev/null -+++ b/nss/tst-nss-getpwent.c -@@ -0,0 +1,118 @@ -+/* Copyright (C) 2015 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include -+#include -+ -+int -+do_test (void) -+{ -+ /* Count the number of entries in the password database, and fetch -+ data from the first and last entries. */ -+ size_t count = 0; -+ struct passwd * pw; -+ char *first_name = NULL; -+ uid_t first_uid = 0; -+ char *last_name = NULL; -+ uid_t last_uid = 0; -+ setpwent (); -+ while ((pw = getpwent ()) != NULL) -+ { -+ if (first_name == NULL) -+ { -+ first_name = strdup (pw->pw_name); -+ if (first_name == NULL) -+ { -+ printf ("strdup: %m\n"); -+ return 1; -+ } -+ first_uid = pw->pw_uid; -+ } -+ -+ free (last_name); -+ last_name = strdup (pw->pw_name); -+ if (last_name == NULL) -+ { -+ printf ("strdup: %m\n"); -+ return 1; -+ } -+ last_uid = pw->pw_uid; -+ ++count; -+ } -+ endpwent (); -+ -+ if (count == 0) -+ { -+ printf ("No entries in the password database.\n"); -+ return 0; -+ } -+ -+ /* Try again, this time interleaving with name-based and UID-based -+ lookup operations. The counts do not match if the interleaved -+ lookups affected the enumeration. */ -+ size_t new_count = 0; -+ setpwent (); -+ while ((pw = getpwent ()) != NULL) -+ { -+ if (new_count == count) -+ { -+ printf ("Additional entry in the password database.\n"); -+ return 1; -+ } -+ ++new_count; -+ struct passwd *pw2 = getpwnam (first_name); -+ if (pw2 == NULL) -+ { -+ printf ("getpwnam (%s) failed: %m\n", first_name); -+ return 1; -+ } -+ pw2 = getpwnam (last_name); -+ if (pw2 == NULL) -+ { -+ printf ("getpwnam (%s) failed: %m\n", last_name); -+ return 1; -+ } -+ pw2 = getpwuid (first_uid); -+ if (pw2 == NULL) -+ { -+ printf ("getpwuid (%llu) failed: %m\n", -+ (unsigned long long) first_uid); -+ return 1; -+ } -+ pw2 = getpwuid (last_uid); -+ if (pw2 == NULL) -+ { -+ printf ("getpwuid (%llu) failed: %m\n", -+ (unsigned long long) last_uid); -+ return 1; -+ } -+ } -+ endpwent (); -+ if (new_count < count) -+ { -+ printf ("Missing entry in the password database.\n"); -+ return 1; -+ } -+ -+ return 0; -+} -+ -+#define TEST_FUNCTION do_test () -+#include "../test-skeleton.c" - diff --git a/pkgs/development/libraries/glibc/cve-2015-1781.patch b/pkgs/development/libraries/glibc/cve-2015-1781.patch deleted file mode 100644 index 6831d5ac7426..000000000000 --- a/pkgs/development/libraries/glibc/cve-2015-1781.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 2959eda9272a033863c271aff62095abd01bd4e3 Mon Sep 17 00:00:00 2001 -From: Arjun Shankar -Date: Tue, 21 Apr 2015 14:06:31 +0200 -Subject: [PATCH] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow - [BZ#18287] - ---- - ChangeLog | 6 ++++++ - NEWS | 9 ++++++++- - resolv/nss_dns/dns-host.c | 3 ++- - 3 files changed, 16 insertions(+), 2 deletions(-) - -diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c -index b16b0dd..d8c5579 100644 ---- a/resolv/nss_dns/dns-host.c -+++ b/resolv/nss_dns/dns-host.c -@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype, - int have_to_map = 0; - uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data); - buffer += pad; -- if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad)) -+ buflen = buflen > pad ? buflen - pad : 0; -+ if (__glibc_unlikely (buflen < sizeof (struct host_data))) - { - /* The buffer is too small. */ - too_small: - diff --git a/pkgs/development/libraries/glibc/cve-2015-7547.patch b/pkgs/development/libraries/glibc/cve-2015-7547.patch index 9bf0bcc388cb..55d58c166981 100644 --- a/pkgs/development/libraries/glibc/cve-2015-7547.patch +++ b/pkgs/development/libraries/glibc/cve-2015-7547.patch @@ -1,23 +1,31 @@ +commit b995d95a5943785be3ab862b2d3276f3b4a22481 +Author: Carlos O'Donell +Date: Tue Feb 16 21:26:37 2016 -0500 -CVE-2015-7547 - -2016-02-15 Carlos O'Donell - - [BZ #18665] - * resolv/nss_dns/dns-host.c (gaih_getanswer_slice): Always set - *herrno_p. - (gaih_getanswer): Document functional behviour. Return tryagain - if any result is tryagain. - * resolv/res_query.c (__libc_res_nsearch): Set buffer size to zero - when freed. - * resolv/res_send.c: Add copyright text. - (__libc_res_nsend): Document that MAXPACKET is expected. - (send_vc): Document. Remove buffer reuse. - (send_dg): Document. Remove buffer reuse. Set *thisanssizp to set the - size of the buffer. Add Dprint for truncated UDP buffer. + CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665). + + * A stack-based buffer overflow was found in libresolv when invoked from + libnss_dns, allowing specially crafted DNS responses to seize control + of execution flow in the DNS client. The buffer overflow occurs in + the functions send_dg (send datagram) and send_vc (send TCP) for the + NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC + family. The use of AF_UNSPEC triggers the low-level resolver code to + send out two parallel queries for A and AAAA. A mismanagement of the + buffers used for those queries could result in the response of a query + writing beyond the alloca allocated buffer created by + _nss_dns_gethostbyname4_r. Buffer management is simplified to remove + the overflow. Thanks to the Google Security Team and Red Hat for + reporting the security impact of this issue, and Robert Holiday of + Ciena for reporting the related bug 18665. (CVE-2015-7547) + + See also: + https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html + https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html + + (cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca) diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c -index a255d5e..47cfe27 100644 +index 357ac04..a0fe9a8 100644 --- a/resolv/nss_dns/dns-host.c +++ b/resolv/nss_dns/dns-host.c @@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname, @@ -69,8 +77,8 @@ index a255d5e..47cfe27 100644 + expected application behaviour. Some of the synthesized responses + aren't very well thought out and sometimes appear to imply that + IPv4 responses are always answer 1, and IPv6 responses are always -+ answer 2, but that's not true (see the implemetnation of send_dg -+ and send_vc to see response can arrive in any order, particlarly ++ answer 2, but that's not true (see the implementation of send_dg ++ and send_vc to see response can arrive in any order, particularly + for UDP). However, we expect it holds roughly enough of the time + that this code works, but certainly needs to be fixed to make this + a more robust implementation. @@ -107,12 +115,12 @@ index a255d5e..47cfe27 100644 + ---------------------------------------------- + + [1] If the first response is a success we return success. -+ This ignores the state of the second answer and in fact -+ incorrectly sets errno and h_errno to that of the second ++ This ignores the state of the second answer and in fact ++ incorrectly sets errno and h_errno to that of the second + answer. However because the response is a success we ignore + *errnop and *h_errnop (though that means you touched errno on -+ success). We are being conservative here and returning the -+ likely IPv4 response in the first answer as a success. ++ success). We are being conservative here and returning the ++ likely IPv4 response in the first answer as a success. + + [2] If the first response is a recoverable TRYAGAIN we return + that instead of looking at the second response. The @@ -158,7 +166,7 @@ index a255d5e..47cfe27 100644 if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND) status = status2; + /* Do not return a truncated second response (unless it was -+ unavoidable e.g. unrecoverable TRYAGAIN). */ ++ unavoidable e.g. unrecoverable TRYAGAIN). */ + if (status == NSS_STATUS_SUCCESS + && (status2 == NSS_STATUS_TRYAGAIN + && *errnop == ERANGE && *h_errnop != NO_RECOVERY)) @@ -195,7 +203,7 @@ index 4a9b3b3..95470a9 100644 } if (saved_herrno != -1) diff --git a/resolv/res_send.c b/resolv/res_send.c -index a968b95..21843f1 100644 +index 5e53cc2..6511bb1 100644 --- a/resolv/res_send.c +++ b/resolv/res_send.c @@ -1,3 +1,20 @@ @@ -219,7 +227,7 @@ index a968b95..21843f1 100644 /* * Copyright (c) 1985, 1989, 1993 * The Regents of the University of California. All rights reserved. -@@ -355,6 +372,8 @@ __libc_res_nsend(res_state statp, const u_char *buf, int buflen, +@@ -363,6 +380,8 @@ __libc_res_nsend(res_state statp, const u_char *buf, int buflen, #ifdef USE_HOOKS if (__glibc_unlikely (statp->qhook || statp->rhook)) { if (anssiz < MAXPACKET && ansp) { @@ -228,7 +236,7 @@ index a968b95..21843f1 100644 u_char *buf = malloc (MAXPACKET); if (buf == NULL) return (-1); -@@ -630,6 +649,77 @@ get_nsaddr (res_state statp, int n) +@@ -638,6 +657,77 @@ get_nsaddr (res_state statp, int n) return (struct sockaddr *) (void *) &statp->nsaddr_list[n]; } @@ -270,7 +278,7 @@ index a968b95..21843f1 100644 + are needed but ANSCP is NULL, then as much of the response as + possible is read into the buffer, but the results will be truncated. + When truncation happens because of a small answer buffer the DNS -+ packets header feild TC will bet set to 1, indicating a truncated ++ packets header field TC will bet set to 1, indicating a truncated + message and the rest of the socket data will be read and discarded. + + Answers to the query are stored secondly in *ANSP2 up to a max of @@ -306,7 +314,7 @@ index a968b95..21843f1 100644 static int send_vc(res_state statp, const u_char *buf, int buflen, const u_char *buf2, int buflen2, -@@ -639,11 +729,7 @@ send_vc(res_state statp, +@@ -647,11 +737,7 @@ send_vc(res_state statp, { const HEADER *hp = (HEADER *) buf; const HEADER *hp2 = (HEADER *) buf2; @@ -316,19 +324,19 @@ index a968b95..21843f1 100644 - // int anssiz = *anssizp; - HEADER *anhp = (HEADER *) ans; + HEADER *anhp = (HEADER *) *ansp; - struct sockaddr_in6 *nsap = EXT(statp).nsaddrs[ns]; + struct sockaddr *nsap = get_nsaddr (statp, ns); int truncating, connreset, n; /* On some architectures compiler might emit a warning indicating -@@ -731,6 +817,8 @@ send_vc(res_state statp, +@@ -743,6 +829,8 @@ send_vc(res_state statp, * Receive length & response */ int recvresp1 = 0; + /* Skip the second response if there is no second query. -+ To do that we mark the second response as received. */ ++ To do that we mark the second response as received. */ int recvresp2 = buf2 == NULL; uint16_t rlen16; read_len: -@@ -767,40 +855,14 @@ send_vc(res_state statp, +@@ -779,40 +867,14 @@ send_vc(res_state statp, u_char **thisansp; int *thisresplenp; if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) { @@ -372,7 +380,7 @@ index a968b95..21843f1 100644 thisanssizp = anssizp2; thisansp = ansp2; thisresplenp = resplen2; -@@ -804,10 +870,14 @@ send_vc(res_state statp, +@@ -820,10 +882,14 @@ send_vc(res_state statp, anhp = (HEADER *) *thisansp; *thisresplenp = rlen; @@ -391,7 +399,7 @@ index a968b95..21843f1 100644 u_char *newp = malloc (MAXPACKET); if (newp == NULL) { *terrno = ENOMEM; -@@ -819,6 +889,9 @@ send_vc(res_state statp, +@@ -835,6 +901,9 @@ send_vc(res_state statp, if (thisansp == ansp2) *ansp2_malloced = 1; anhp = (HEADER *) newp; @@ -401,7 +409,7 @@ index a968b95..21843f1 100644 len = rlen; } else { Dprint(statp->options & RES_DEBUG, -@@ -948,6 +1021,66 @@ reopen (res_state statp, int *terrno, int ns) +@@ -997,6 +1066,66 @@ reopen (res_state statp, int *terrno, int ns) return 1; } @@ -425,7 +433,7 @@ index a968b95..21843f1 100644 + are needed but ANSCP is NULL, then as much of the response as + possible is read into the buffer, but the results will be truncated. + When truncation happens because of a small answer buffer the DNS -+ packets header feild TC will bet set to 1, indicating a truncated ++ packets header field TC will bet set to 1, indicating a truncated + message, while the rest of the UDP packet is discarded. + + Answers to the query are stored secondly in *ANSP2 up to a max of @@ -468,7 +476,7 @@ index a968b95..21843f1 100644 static int send_dg(res_state statp, const u_char *buf, int buflen, const u_char *buf2, int buflen2, -@@ -957,8 +1090,6 @@ send_dg(res_state statp, +@@ -1006,8 +1135,6 @@ send_dg(res_state statp, { const HEADER *hp = (HEADER *) buf; const HEADER *hp2 = (HEADER *) buf2; @@ -477,16 +485,16 @@ index a968b95..21843f1 100644 struct timespec now, timeout, finish; struct pollfd pfd[1]; int ptimeout; -@@ -991,6 +1122,8 @@ send_dg(res_state statp, +@@ -1040,6 +1167,8 @@ send_dg(res_state statp, int need_recompute = 0; int nwritten = 0; int recvresp1 = 0; + /* Skip the second response if there is no second query. -+ To do that we mark the second response as received. */ ++ To do that we mark the second response as received. */ int recvresp2 = buf2 == NULL; pfd[0].fd = EXT(statp).nssocks[ns]; pfd[0].events = POLLOUT; -@@ -1154,55 +1287,56 @@ send_dg(res_state statp, +@@ -1203,55 +1332,56 @@ send_dg(res_state statp, int *thisresplenp; if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) { @@ -570,4 +578,3 @@ index a968b95..21843f1 100644 HEADER *anhp = (HEADER *) *thisansp; socklen_t fromlen = sizeof(struct sockaddr_in6); assert (sizeof(from) <= fromlen); - diff --git a/pkgs/development/libraries/glibc/security-4a28f4d5.patch b/pkgs/development/libraries/glibc/security-4a28f4d5.patch deleted file mode 100644 index 25f994d859c1..000000000000 --- a/pkgs/development/libraries/glibc/security-4a28f4d5.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 4a28f4d55a6cc33474c0792fe93b5942d81bf185 Mon Sep 17 00:00:00 2001 -From: Andreas Schwab -Date: Thu, 26 Feb 2015 14:55:24 +0100 -Subject: [PATCH] Fix read past end of pattern in fnmatch (bug 18032) - ---- - ChangeLog | 7 +++++++ - NEWS | 2 +- - posix/fnmatch_loop.c | 5 ++--- - posix/tst-fnmatch3.c | 8 +++++--- - 4 files changed, 15 insertions(+), 7 deletions(-) - -diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c -index c0cb2fc..72c5d8f 100644 ---- a/posix/fnmatch_loop.c -+++ b/posix/fnmatch_loop.c -@@ -945,14 +945,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used) - } - else if (c == L('[') && *p == L('.')) - { -- ++p; - while (1) - { - c = *++p; -- if (c == '\0') -+ if (c == L('\0')) - return FNM_NOMATCH; - -- if (*p == L('.') && p[1] == L(']')) -+ if (c == L('.') && p[1] == L(']')) - break; - } - p += 2; -diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c -index d27a557..75bc00a 100644 ---- a/posix/tst-fnmatch3.c -+++ b/posix/tst-fnmatch3.c -@@ -21,9 +21,11 @@ - int - do_test (void) - { -- const char *pattern = "[[:alpha:]'[:alpha:]\0]"; -- -- return fnmatch (pattern, "a", 0) != FNM_NOMATCH; -+ if (fnmatch ("[[:alpha:]'[:alpha:]\0]", "a", 0) != FNM_NOMATCH) -+ return 1; -+ if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH) -+ return 1; -+ return 0; - } - - #define TEST_FUNCTION do_test () - diff --git a/pkgs/development/libraries/glibc/security-bdf1ff05.patch b/pkgs/development/libraries/glibc/security-bdf1ff05.patch deleted file mode 100644 index b4175694f912..000000000000 --- a/pkgs/development/libraries/glibc/security-bdf1ff05.patch +++ /dev/null @@ -1,39 +0,0 @@ -From bdf1ff052a8e23d637f2c838fa5642d78fcedc33 Mon Sep 17 00:00:00 2001 -From: Paul Pluzhnikov -Date: Sun, 22 Feb 2015 12:01:47 -0800 -Subject: [PATCH] Fix BZ #17269 -- _IO_wstr_overflow integer overflow - ---- - ChangeLog | 6 ++++++ - NEWS | 6 +++--- - libio/wstrops.c | 8 +++++++- - 3 files changed, 16 insertions(+), 4 deletions(-) - -diff --git a/libio/wstrops.c b/libio/wstrops.c -index 43d847d..3993579 100644 ---- a/libio/wstrops.c -+++ b/libio/wstrops.c -@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c) - wchar_t *old_buf = fp->_wide_data->_IO_buf_base; - size_t old_wblen = _IO_wblen (fp); - _IO_size_t new_size = 2 * old_wblen + 100; -- if (new_size < old_wblen) -+ -+ if (__glibc_unlikely (new_size < old_wblen) -+ || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t))) - return EOF; -+ - new_buf - = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size - * sizeof (wchar_t)); -@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading) - return 1; - - _IO_size_t newsize = offset + 100; -+ if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t))) -+ return 1; -+ - wchar_t *oldbuf = wd->_IO_buf_base; - wchar_t *newbuf - = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize - From 1ab14aad7ad61fead6bc93145d1169eca91d7b91 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 18 Feb 2016 21:11:15 +0100 Subject: [PATCH 02/15] glibc: Drop hurd support This hasn't been maintained since 2012. Also, renamed glibc's kernelHeaders argument to linuxHeaders. --- pkgs/development/libraries/glibc/builder.sh | 15 +--- pkgs/development/libraries/glibc/common.nix | 86 ++++++------------- pkgs/development/libraries/glibc/default.nix | 28 +----- pkgs/development/libraries/glibc/info.nix | 4 +- pkgs/development/libraries/glibc/locales.nix | 4 +- .../linux/cpufrequtils/default.nix | 2 +- pkgs/os-specific/linux/dietlibc/default.nix | 2 +- pkgs/tools/networking/nbd/default.nix | 4 +- pkgs/top-level/all-packages.nix | 6 +- 9 files changed, 43 insertions(+), 108 deletions(-) diff --git a/pkgs/development/libraries/glibc/builder.sh b/pkgs/development/libraries/glibc/builder.sh index 2836063e3bf4..d0684d6194d0 100644 --- a/pkgs/development/libraries/glibc/builder.sh +++ b/pkgs/development/libraries/glibc/builder.sh @@ -22,22 +22,11 @@ postInstall() { test -f $out/etc/ld.so.cache && rm $out/etc/ld.so.cache - # FIXME: Use `test -n $linuxHeaders' when `kernelHeaders' has been - # renamed. - if test -z "$hurdHeaders"; then + if test -n "$linuxHeaders"; then # Include the Linux kernel headers in Glibc, except the `scsi' # subdirectory, which Glibc provides itself. (cd $out/include && \ - ln -sv $(ls -d $kernelHeaders/include/* | grep -v 'scsi$') .) - fi - - if test -f "$out/lib/libhurduser.so"; then - # libc.so, libhurduser.so, and libmachuser.so depend on each - # other, so add them to libc.so (a RUNPATH on libc.so.0.3 - # would be ignored by the cross-linker.) - echo "adding \`libhurduser.so' and \`libmachuser.so' to the \`libc.so' linker script..." - sed -i "$out/lib/libc.so" \ - -e"s|\(libc\.so\.[^ ]\+\>\)|\1 $out/lib/libhurduser.so $out/lib/libmachuser.so|g" + ln -sv $(ls -d $linuxHeaders/include/* | grep -v 'scsi$') .) fi # Fix for NIXOS-54 (ldd not working on x86_64). Make a symlink diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 496440b1039f..6a468657716e 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -3,10 +3,8 @@ cross: -{ name, fetchurl, fetchgit ? null, stdenv, installLocales ? false -, gccCross ? null, kernelHeaders ? null -, machHeaders ? null, hurdHeaders ? null, libpthreadHeaders ? null -, mig ? null +{ name, fetchurl, lib, stdenv, installLocales ? false +, gccCross ? null, linuxHeaders ? null , profilingLibraries ? false, meta , withGd ? false, gd ? null, libpng ? null , preConfigure ? "", ... }@args: @@ -18,12 +16,9 @@ let in assert cross != null -> gccCross != null; -assert mig != null -> machHeaders != null; -assert machHeaders != null -> hurdHeaders != null; -assert hurdHeaders != null -> libpthreadHeaders != null; stdenv.mkDerivation ({ - inherit kernelHeaders installLocales; + inherit linuxHeaders installLocales; # The host/target system. crossConfig = if cross != null then cross.config else null; @@ -32,9 +27,7 @@ stdenv.mkDerivation ({ enableParallelBuilding = true; - /* Don't try to apply these patches to the Hurd's snapshot, which is - older. */ - patches = stdenv.lib.optionals (hurdHeaders == null) + patches = [ /* Have rpcgen(1) look for cpp(1) in $PATH. */ ./rpcgen-path.patch @@ -96,36 +89,35 @@ stdenv.mkDerivation ({ "--sysconfdir=/etc" "--localedir=/var/run/current-system/sw/lib/locale" "libc_cv_ssp=no" - (if kernelHeaders != null - then "--with-headers=${kernelHeaders}/include" + (if linuxHeaders != null + then "--with-headers=${linuxHeaders}/include" else "--without-headers") (if profilingLibraries then "--enable-profile" else "--disable-profile") - ] ++ stdenv.lib.optionals (cross == null && kernelHeaders != null) [ + ] ++ lib.optionals (cross == null && linuxHeaders != null) [ "--enable-kernel=2.6.32" - ] ++ stdenv.lib.optionals (cross != null) [ + ] ++ lib.optionals (cross != null) [ (if cross.withTLS then "--with-tls" else "--without-tls") (if cross.float == "soft" then "--without-fp" else "--with-fp") - ] ++ stdenv.lib.optionals (cross != null + ] ++ lib.optionals (cross != null && cross.platform ? kernelMajor && cross.platform.kernelMajor == "2.6") [ "--enable-kernel=2.6.0" "--with-__thread" - ] ++ stdenv.lib.optionals (cross == null && stdenv.isArm) [ + ] ++ lib.optionals (cross == null && stdenv.isArm) [ "--host=arm-linux-gnueabi" "--build=arm-linux-gnueabi" # To avoid linking with -lgcc_s (dynamic link) # so the glibc does not depend on its compiler store path "libc_cv_as_needed=no" - ] ++ stdenv.lib.optional withGd "--with-gd"; + ] ++ lib.optional withGd "--with-gd"; installFlags = [ "sysconfdir=$(out)/etc" ]; - buildInputs = stdenv.lib.optionals (cross != null) [ gccCross ] - ++ stdenv.lib.optional (mig != null) mig - ++ stdenv.lib.optionals withGd [ gd libpng ]; + buildInputs = lib.optionals (cross != null) [ gccCross ] + ++ lib.optionals withGd [ gd libpng ]; # Needed to install share/zoneinfo/zone.tab. Set to impure /bin/sh to # prevent a retained dependency on the bootstrap tools in the stdenv-linux @@ -137,32 +129,22 @@ stdenv.mkDerivation ({ # I.e. when gcc is compiled with --with-arch=i686, then the # preprocessor symbol `__i686' will be defined to `1'. This causes # the symbol __i686.get_pc_thunk.dx to be mangled. - NIX_CFLAGS_COMPILE = stdenv.lib.optionalString (stdenv.system == "i686-linux") "-U__i686" + NIX_CFLAGS_COMPILE = lib.optionalString (stdenv.system == "i686-linux") "-U__i686" + " -Wno-error=strict-prototypes"; } # Remove the `gccCross' attribute so that the *native* glibc store path # doesn't depend on whether `gccCross' is null or not. -// (removeAttrs args [ "gccCross" "fetchurl" "fetchgit" "withGd" "gd" "libpng" ]) // +// (removeAttrs args [ "lib" "gccCross" "fetchurl" "withGd" "gd" "libpng" ]) // { name = name + "-${version}" + - stdenv.lib.optionalString (cross != null) "-${cross.config}"; + lib.optionalString (cross != null) "-${cross.config}"; - src = - if hurdHeaders != null - then fetchgit { - # Shamefully the "official" glibc won't build on GNU, so use the one - # maintained by the Hurd folks, `tschwinge/Roger_Whittaker' branch. - # See . - url = "git://git.sv.gnu.org/hurd/glibc.git"; - sha256 = "cecec9dd5a2bafc875c56b058b6d7628a22b250b53747513dec304f31ffdb82d"; - rev = "d3cdecf18e6550b0984a42b43ed48c5fb26501e1"; - } - else fetchurl { - url = "mirror://gnu/glibc/glibc-${version}.tar.gz"; - sha256 = "1rcby0cqgswgqaxyqz0yqc4zizb1kvpi5vlfqp7dh3sa132109m6"; - }; + src = fetchurl { + url = "mirror://gnu/glibc/glibc-${version}.tar.gz"; + sha256 = "1rcby0cqgswgqaxyqz0yqc4zizb1kvpi5vlfqp7dh3sa132109m6"; + }; # Remove absolute paths from `configure' & co.; build out-of-tree. preConfigure = '' @@ -178,17 +160,18 @@ stdenv.mkDerivation ({ configureScript="`pwd`/../$sourceRoot/configure" - ${stdenv.lib.optionalString (stdenv.cc.libc != null) + ${lib.optionalString (stdenv.cc.libc != null) ''makeFlags="$makeFlags BUILD_LDFLAGS=-Wl,-rpath,${stdenv.cc.libc}/lib"'' } ${preConfigure} ''; + preBuild = lib.optionalString withGd "unset NIX_DONT_SET_RPATH"; + meta = { homepage = http://www.gnu.org/software/libc/; - description = "The GNU C Library" - + stdenv.lib.optionalString (hurdHeaders != null) ", for GNU/Hurd"; + description = "The GNU C Library"; longDescription = '' Any Unix-like operating system needs a C library: the library which @@ -199,24 +182,9 @@ stdenv.mkDerivation ({ most systems with the Linux kernel. ''; - license = stdenv.lib.licenses.lgpl2Plus; + license = lib.licenses.lgpl2Plus; - maintainers = [ ]; - #platforms = stdenv.lib.platforms.linux; + maintainers = [ lib.maintainers.eelco ]; + #platforms = lib.platforms.linux; } // meta; -} - -// stdenv.lib.optionalAttrs withGd { - preBuild = "unset NIX_DONT_SET_RPATH"; -} - -// stdenv.lib.optionalAttrs (hurdHeaders != null) { - # Work around the fact that the configure snippet that looks for - # does not honor `--with-headers=$sysheaders' and that - # glibc expects Mach, Hurd, and pthread headers to be in the same place. - CPATH = "${hurdHeaders}/include:${machHeaders}/include:${libpthreadHeaders}/include"; - - # Install NSS stuff in the right place. - # XXX: This will be needed for all new glibcs and isn't Hurd-specific. - makeFlags = ''vardbdir="$out/var/db"''; }) diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix index 08eaf555e02d..5e25c2dc8bc8 100644 --- a/pkgs/development/libraries/glibc/default.nix +++ b/pkgs/development/libraries/glibc/default.nix @@ -1,6 +1,4 @@ -{ stdenv, fetchurl, fetchgit ? null, kernelHeaders -, machHeaders ? null, hurdHeaders ? null, libpthreadHeaders ? null -, mig ? null +{ lib, stdenv, fetchurl, linuxHeaders , installLocales ? true , profilingLibraries ? false , gccCross ? null @@ -16,11 +14,10 @@ let in build cross ({ name = "glibc" - + stdenv.lib.optionalString (hurdHeaders != null) "-hurd" - + stdenv.lib.optionalString debugSymbols "-debug" - + stdenv.lib.optionalString withGd "-gd"; + + lib.optionalString debugSymbols "-debug" + + lib.optionalString withGd "-gd"; - inherit fetchurl fetchgit stdenv kernelHeaders installLocales + inherit lib stdenv fetchurl linuxHeaders installLocales profilingLibraries gccCross withGd gd libpng; builder = ./builder.sh; @@ -58,23 +55,6 @@ in // - (if hurdHeaders != null - then rec { - inherit machHeaders hurdHeaders libpthreadHeaders mig fetchgit; - - propagatedBuildInputs = [ machHeaders hurdHeaders libpthreadHeaders ]; - - passthru = { - # When building GCC itself `propagatedBuildInputs' above is not - # honored, so we pass it here so that the GCC builder can do the right - # thing. - inherit propagatedBuildInputs; - }; - } - else { }) - - // - (if cross != null then { preConfigure = '' diff --git a/pkgs/development/libraries/glibc/info.nix b/pkgs/development/libraries/glibc/info.nix index e4cdb42dd689..1e60856430db 100644 --- a/pkgs/development/libraries/glibc/info.nix +++ b/pkgs/development/libraries/glibc/info.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, texinfo, perl }: +{ lib, stdenv, fetchurl, texinfo, perl }: let build = import ./common.nix; in @@ -6,7 +6,7 @@ let build = import ./common.nix; in build null { name = "glibc-info"; - inherit fetchurl stdenv; + inherit fetchurl stdenv lib; configureFlags = [ "--enable-add-ons" ]; diff --git a/pkgs/development/libraries/glibc/locales.nix b/pkgs/development/libraries/glibc/locales.nix index cbf7af22cac1..9607d7ecb223 100644 --- a/pkgs/development/libraries/glibc/locales.nix +++ b/pkgs/development/libraries/glibc/locales.nix @@ -6,14 +6,14 @@ http://sourceware.org/cgi-bin/cvsweb.cgi/libc/localedata/SUPPORTED?cvsroot=glibc */ -{ stdenv, fetchurl, writeText, allLocales ? true, locales ? ["en_US.UTF-8/UTF-8"] }: +{ lib, stdenv, fetchurl, writeText, allLocales ? true, locales ? ["en_US.UTF-8/UTF-8"] }: let build = import ./common.nix; in build null { name = "glibc-locales"; - inherit fetchurl stdenv; + inherit fetchurl stdenv lib; installLocales = true; builder = ./locales-builder.sh; diff --git a/pkgs/os-specific/linux/cpufrequtils/default.nix b/pkgs/os-specific/linux/cpufrequtils/default.nix index b7822035c20c..65be409a75e3 100644 --- a/pkgs/os-specific/linux/cpufrequtils/default.nix +++ b/pkgs/os-specific/linux/cpufrequtils/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { -i Makefile ''; - buildInputs = [ stdenv.cc.libc.kernelHeaders libtool gettext ]; + buildInputs = [ stdenv.cc.libc.linuxHeaders libtool gettext ]; meta = { description = "Tools to display or change the CPU governor settings"; diff --git a/pkgs/os-specific/linux/dietlibc/default.nix b/pkgs/os-specific/linux/dietlibc/default.nix index b795cb60da6e..d98bfb967356 100644 --- a/pkgs/os-specific/linux/dietlibc/default.nix +++ b/pkgs/os-specific/linux/dietlibc/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation { builder = ./builder.sh; inherit glibc; - kernelHeaders = glibc.kernelHeaders; + kernelHeaders = glibc.linuxHeaders; patches = [ diff --git a/pkgs/tools/networking/nbd/default.nix b/pkgs/tools/networking/nbd/default.nix index 6cb75152af06..967b3863f205 100644 --- a/pkgs/tools/networking/nbd/default.nix +++ b/pkgs/tools/networking/nbd/default.nix @@ -8,7 +8,9 @@ stdenv.mkDerivation rec { sha256 = "1pkkid657zgjymwxv3fm32cxnq9llfz29rl15vp6mn42vnzbj1di"; }; - buildInputs = [ pkgconfig glib ] ++ stdenv.lib.optional (stdenv ? glibc) stdenv.glibc.kernelHeaders; + buildInputs = + [ pkgconfig glib ] + ++ stdenv.lib.optional (stdenv ? glibc) stdenv.glibc.linuxHeaders; postInstall = '' mkdir -p "$out/share/doc/${name}" diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 38d8bf296423..4cce2e159130 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -6707,22 +6707,18 @@ let glfw3 = callPackage ../development/libraries/glfw/3.x.nix { }; glibc = callPackage ../development/libraries/glibc { - kernelHeaders = linuxHeaders; installLocales = config.glibc.locales or false; - machHeaders = null; - hurdHeaders = null; gccCross = null; }; glibc_memusage = callPackage ../development/libraries/glibc { - kernelHeaders = linuxHeaders; installLocales = false; withGd = true; }; glibcCross = forceNativeDrv (glibc.override { gccCross = gccCrossStageStatic; - kernelHeaders = linuxHeadersCross; + linuxHeaders = linuxHeadersCross; }); # We can choose: From 076de98c9461eeb91b266fd44a11a6e7ac1b62ad Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 18 Feb 2016 21:37:26 +0100 Subject: [PATCH 03/15] separateDebugInfo: Restore ELF check --- pkgs/build-support/setup-hooks/separate-debug-info.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/build-support/setup-hooks/separate-debug-info.sh b/pkgs/build-support/setup-hooks/separate-debug-info.sh index 55e3236847df..617bbba58456 100644 --- a/pkgs/build-support/setup-hooks/separate-debug-info.sh +++ b/pkgs/build-support/setup-hooks/separate-debug-info.sh @@ -18,6 +18,7 @@ _separateDebugInfo() { # Skip non-ELF files. exec 10< "$i" read -n 4 -u 10 magic + if ! [[ "$magic" =~ ELF ]]; then continue; fi exec 10<&- # Extract the Build ID. FIXME: there's probably a cleaner way. From 854c27c69c2f38b2e5a7ed5099c88aa0bcc520d1 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 18 Feb 2016 21:58:41 +0100 Subject: [PATCH 04/15] coreutils: 8.24 -> 8.25 --- pkgs/tools/misc/coreutils/default.nix | 41 +++++++++++++-------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index baa3900ad97a..78c272916485 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, perl, gmp ? null +{ lib, stdenv, fetchurl, perl, gmp ? null , aclSupport ? false, acl ? null , selinuxSupport? false, libselinux ? null, libsepol ? null , autoconf, automake114x, texinfo @@ -8,32 +8,33 @@ assert aclSupport -> acl != null; assert selinuxSupport -> libselinux != null && libsepol != null; - -with { inherit (stdenv.lib) optional optionals optionalString optionalAttrs; }; +with lib; let self = stdenv.mkDerivation rec { - name = "coreutils-8.24"; + name = "coreutils-8.25"; src = fetchurl { url = "mirror://gnu/coreutils/${name}.tar.xz"; - sha256 = "0w11jw3fb5sslf0f72kxy7llxgk1ia3a6bcw0c9kmvxrlj355mx2"; + sha256 = "11yfrnb94xzmvi4lhclkcmkqsbhww64wf234ya1aacjvg82prrii"; }; - patches = if stdenv.isCygwin then ./coreutils-8.23-4.cygwin.patch else - (if stdenv.isArm then (fetchurl { - url = "http://git.savannah.gnu.org/cgit/coreutils.git/patch/?id=3ba68f9e64fa2eb8af22d510437a0c6441feb5e0"; - sha256 = "1dnlszhc8lihhg801i9sz896mlrgfsjfcz62636prb27k5hmixqz"; - name = "coreutils-tail-inotify-race.patch"; - }) else null); + patches = + lib.optional stdenv.isCygwin ./coreutils-8.23-4.cygwin.patch + ++ lib.optional stdenv.isArm + (fetchurl { + url = "http://git.savannah.gnu.org/cgit/coreutils.git/patch/?id=3ba68f9e64fa2eb8af22d510437a0c6441feb5e0"; + sha256 = "1dnlszhc8lihhg801i9sz896mlrgfsjfcz62636prb27k5hmixqz"; + name = "coreutils-tail-inotify-race.patch"; + }); # The test tends to fail on btrfs and maybe other unusual filesystems. - postPatch = stdenv.lib.optionalString (!stdenv.isDarwin) '' + postPatch = optionalString (!stdenv.isDarwin) '' sed '2i echo Skipping dd sparse test && exit 0' -i ./tests/dd/sparse.sh sed '2i echo Skipping cp sparse test && exit 0' -i ./tests/cp/sparse.sh '' + # This is required by coreutils-tail-inotify-race.patch to avoid more deps - stdenv.lib.optionalString stdenv.isArm '' + optionalString stdenv.isArm '' touch -r src/stat.c src/tail.c ''; @@ -83,20 +84,18 @@ let enableParallelBuilding = false; NIX_LDFLAGS = optionalString selinuxSupport "-lsepol"; - FORCE_UNSAFE_CONFIGURE = stdenv.lib.optionalString (stdenv.system == "armv7l-linux" || stdenv.isSunOS) "1"; + FORCE_UNSAFE_CONFIGURE = optionalString (stdenv.system == "armv7l-linux" || stdenv.isSunOS) "1"; makeFlags = optionalString stdenv.isDarwin "CFLAGS=-D_FORTIFY_SOURCE=0"; # e.g. ls -> gls; grep -> ggrep - postFixup = # feel free to simplify on a mass rebuild - if withPrefix then + postFixup = optionalString withPrefix '' ( cd "$out/bin" find * -type f -executable -exec mv {} g{} \; ) - '' - else null; + ''; meta = { homepage = http://www.gnu.org/software/coreutils/; @@ -109,11 +108,11 @@ let operating system. ''; - license = stdenv.lib.licenses.gpl3Plus; + license = licenses.gpl3Plus; - platforms = stdenv.lib.platforms.all; + platforms = platforms.all; - maintainers = [ stdenv.lib.maintainers.eelco ]; + maintainers = [ maintainers.eelco ]; }; }; in From bf63de1613396a1a4d1f27fea73f125988d468a7 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 18 Feb 2016 22:30:42 +0100 Subject: [PATCH 05/15] separateDebugInfo: Handle weird filenames properly --- .../build-support/setup-hooks/separate-debug-info.sh | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/pkgs/build-support/setup-hooks/separate-debug-info.sh b/pkgs/build-support/setup-hooks/separate-debug-info.sh index 617bbba58456..cf3d7b07a499 100644 --- a/pkgs/build-support/setup-hooks/separate-debug-info.sh +++ b/pkgs/build-support/setup-hooks/separate-debug-info.sh @@ -11,15 +11,13 @@ _separateDebugInfo() { dst="$dst/lib/debug/.build-id" # Find executables and dynamic libraries. - local -a files=($(find "$prefix" -type f -a \( -perm /0100 -o -name "*.so" -o -name "*.so.*" \))) - local i magic - for i in "${files[@]}"; do + while IFS= read -r -d $'\0' i; do # Skip non-ELF files. - exec 10< "$i" - read -n 4 -u 10 magic + exec {fd}< "$i" + read -n 4 -u $fd magic + exec {fd}<&- if ! [[ "$magic" =~ ELF ]]; then continue; fi - exec 10<&- # Extract the Build ID. FIXME: there's probably a cleaner way. local id="$(readelf -n "$i" | sed 's/.*Build ID: \([0-9a-f]*\).*/\1/; t; d')" @@ -36,7 +34,7 @@ _separateDebugInfo() { # Also a create a symlink .debug. ln -sfn ".build-id/${id:0:2}/${id:2}.debug" "$dst/../$(basename "$i")" - done + done < <(find "$prefix" -type f -a \( -perm /0100 -o -name "*.so" -o -name "*.so.*" \) -print0) } # - We might prefer to compress the debug info during link-time already, From d71a4851e8a2ef52f6d806d65822290cdbae8804 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 18 Feb 2016 22:52:44 +0100 Subject: [PATCH 06/15] Don't try to apply patchelf to non-ELF binaries --- .../setup-hooks/separate-debug-info.sh | 8 ++------ .../tools/misc/patchelf/setup-hook.sh | 17 ++++++++++------- pkgs/stdenv/generic/setup.sh | 11 +++++++++++ 3 files changed, 23 insertions(+), 13 deletions(-) diff --git a/pkgs/build-support/setup-hooks/separate-debug-info.sh b/pkgs/build-support/setup-hooks/separate-debug-info.sh index cf3d7b07a499..37753d9ce406 100644 --- a/pkgs/build-support/setup-hooks/separate-debug-info.sh +++ b/pkgs/build-support/setup-hooks/separate-debug-info.sh @@ -13,11 +13,7 @@ _separateDebugInfo() { # Find executables and dynamic libraries. local i magic while IFS= read -r -d $'\0' i; do - # Skip non-ELF files. - exec {fd}< "$i" - read -n 4 -u $fd magic - exec {fd}<&- - if ! [[ "$magic" =~ ELF ]]; then continue; fi + if ! isELF "$i"; then continue; fi # Extract the Build ID. FIXME: there's probably a cleaner way. local id="$(readelf -n "$i" | sed 's/.*Build ID: \([0-9a-f]*\).*/\1/; t; d')" @@ -34,7 +30,7 @@ _separateDebugInfo() { # Also a create a symlink .debug. ln -sfn ".build-id/${id:0:2}/${id:2}.debug" "$dst/../$(basename "$i")" - done < <(find "$prefix" -type f -a \( -perm /0100 -o -name "*.so" -o -name "*.so.*" \) -print0) + done < <(find "$prefix" -type f -print0) } # - We might prefer to compress the debug info during link-time already, diff --git a/pkgs/development/tools/misc/patchelf/setup-hook.sh b/pkgs/development/tools/misc/patchelf/setup-hook.sh index a76fbfbd509c..03b6f362a779 100644 --- a/pkgs/development/tools/misc/patchelf/setup-hook.sh +++ b/pkgs/development/tools/misc/patchelf/setup-hook.sh @@ -5,12 +5,15 @@ fixupOutputHooks+=('if [ -z "$dontPatchELF" ]; then patchELF "$prefix"; fi') patchELF() { - header "patching ELF executables and libraries in $prefix" - if [ -e "$prefix" ]; then - find "$prefix" \( \ - \( -type f -a -name "*.so*" \) -o \ - \( -type f -a -perm -0100 \) \ - \) -print -exec patchelf --shrink-rpath '{}' \; - fi + header "shrinking RPATHs of ELF executables and libraries in $prefix" + + local i + while IFS= read -r -d $'\0' i; do + if [[ "$i" =~ .build-id ]]; then continue; fi + if ! isELF "$i"; then continue; fi + echo "shrinking $i" + patchelf --shrink-rpath "$i" || true + done < <(find "$prefix" -type f -print0) + stopNest } diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index 7d25472993c5..8081b69bffd3 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh @@ -180,6 +180,17 @@ installBin() { } +# Return success if the specified file is an ELF object. +isELF() { + local fn="$1" + local magic + exec {fd}< "$fn" + read -n 4 -u $fd magic + exec {fd}<&- + if [[ "$magic" =~ ELF ]]; then return 0; else return 1; fi +} + + ###################################################################### # Initialisation. From 8bfc5d7e724da7d9642b7b20f8634727280ec9a4 Mon Sep 17 00:00:00 2001 From: Tuomas Tynkkynen Date: Sat, 20 Feb 2016 19:10:23 +0200 Subject: [PATCH 07/15] coreutils: Remove ARM patch (coreutils-tail-inotify-race.patch) The patch no longer applies as it's applied in the 8.25 release. While at it don't use FORCE_UNSAFE_CONFIGURE on ARM as I don't see why it's needed and it works for me without it. Build-tested GNU hello on ARMv7 and verified that this affect its hash on i686. --- pkgs/tools/misc/coreutils/default.nix | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index 78c272916485..3bd5a9cbc589 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -19,24 +19,13 @@ let sha256 = "11yfrnb94xzmvi4lhclkcmkqsbhww64wf234ya1aacjvg82prrii"; }; - patches = - lib.optional stdenv.isCygwin ./coreutils-8.23-4.cygwin.patch - ++ lib.optional stdenv.isArm - (fetchurl { - url = "http://git.savannah.gnu.org/cgit/coreutils.git/patch/?id=3ba68f9e64fa2eb8af22d510437a0c6441feb5e0"; - sha256 = "1dnlszhc8lihhg801i9sz896mlrgfsjfcz62636prb27k5hmixqz"; - name = "coreutils-tail-inotify-race.patch"; - }); + patches = optional stdenv.isCygwin ./coreutils-8.23-4.cygwin.patch; # The test tends to fail on btrfs and maybe other unusual filesystems. postPatch = optionalString (!stdenv.isDarwin) '' sed '2i echo Skipping dd sparse test && exit 0' -i ./tests/dd/sparse.sh sed '2i echo Skipping cp sparse test && exit 0' -i ./tests/cp/sparse.sh - '' + - # This is required by coreutils-tail-inotify-race.patch to avoid more deps - optionalString stdenv.isArm '' - touch -r src/stat.c src/tail.c - ''; + ''; configureFlags = optionalString stdenv.isSunOS "ac_cv_func_inotify_init=no"; @@ -84,7 +73,7 @@ let enableParallelBuilding = false; NIX_LDFLAGS = optionalString selinuxSupport "-lsepol"; - FORCE_UNSAFE_CONFIGURE = optionalString (stdenv.system == "armv7l-linux" || stdenv.isSunOS) "1"; + FORCE_UNSAFE_CONFIGURE = optionalString stdenv.isSunOS "1"; makeFlags = optionalString stdenv.isDarwin "CFLAGS=-D_FORTIFY_SOURCE=0"; From 59617de6d7f8a05f12bbb652e1c68a6a7e6362b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sun, 21 Feb 2016 10:30:09 +0100 Subject: [PATCH 08/15] glibc: 2.22 -> 2.23 The two patches were included upstream. (Even the one from guix, except for a whitespace difference.) --- pkgs/development/libraries/glibc/common.nix | 10 +- .../libraries/glibc/cve-2015-7547.patch | 580 ------------------ .../glibc/glibc-locale-incompatibility.patch | 25 - 3 files changed, 3 insertions(+), 612 deletions(-) delete mode 100644 pkgs/development/libraries/glibc/cve-2015-7547.patch delete mode 100644 pkgs/development/libraries/glibc/glibc-locale-incompatibility.patch diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 6a468657716e..13d5adcd9b13 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -11,8 +11,8 @@ cross: let - version = "2.22"; - + version = "2.23"; + sha256 = "1lk9a8jv5kyx8hp0wmfzjyk047q95ybyjqbyw5idl7414jxqml1b"; in assert cross != null -> gccCross != null; @@ -49,10 +49,6 @@ stdenv.mkDerivation ({ "/bin:/usr/bin", which is inappropriate on NixOS machines. This patch extends the search path by "/run/current-system/sw/bin". */ ./fix_path_attribute_in_getconf.patch - - ./cve-2015-7547.patch - - ./glibc-locale-incompatibility.patch ]; postPatch = @@ -143,7 +139,7 @@ stdenv.mkDerivation ({ src = fetchurl { url = "mirror://gnu/glibc/glibc-${version}.tar.gz"; - sha256 = "1rcby0cqgswgqaxyqz0yqc4zizb1kvpi5vlfqp7dh3sa132109m6"; + inherit sha256; }; # Remove absolute paths from `configure' & co.; build out-of-tree. diff --git a/pkgs/development/libraries/glibc/cve-2015-7547.patch b/pkgs/development/libraries/glibc/cve-2015-7547.patch deleted file mode 100644 index 55d58c166981..000000000000 --- a/pkgs/development/libraries/glibc/cve-2015-7547.patch +++ /dev/null @@ -1,580 +0,0 @@ -commit b995d95a5943785be3ab862b2d3276f3b4a22481 -Author: Carlos O'Donell -Date: Tue Feb 16 21:26:37 2016 -0500 - - CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665). - - * A stack-based buffer overflow was found in libresolv when invoked from - libnss_dns, allowing specially crafted DNS responses to seize control - of execution flow in the DNS client. The buffer overflow occurs in - the functions send_dg (send datagram) and send_vc (send TCP) for the - NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC - family. The use of AF_UNSPEC triggers the low-level resolver code to - send out two parallel queries for A and AAAA. A mismanagement of the - buffers used for those queries could result in the response of a query - writing beyond the alloca allocated buffer created by - _nss_dns_gethostbyname4_r. Buffer management is simplified to remove - the overflow. Thanks to the Google Security Team and Red Hat for - reporting the security impact of this issue, and Robert Holiday of - Ciena for reporting the related bug 18665. (CVE-2015-7547) - - See also: - https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html - https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html - - (cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca) - -diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c -index 357ac04..a0fe9a8 100644 ---- a/resolv/nss_dns/dns-host.c -+++ b/resolv/nss_dns/dns-host.c -@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname, - int h_namelen = 0; - - if (ancount == 0) -- return NSS_STATUS_NOTFOUND; -+ { -+ *h_errnop = HOST_NOT_FOUND; -+ return NSS_STATUS_NOTFOUND; -+ } - - while (ancount-- > 0 && cp < end_of_message && had_error == 0) - { -@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname, - /* Special case here: if the resolver sent a result but it only - contains a CNAME while we are looking for a T_A or T_AAAA record, - we fail with NOTFOUND instead of TRYAGAIN. */ -- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND; -+ if (canon != NULL) -+ { -+ *h_errnop = HOST_NOT_FOUND; -+ return NSS_STATUS_NOTFOUND; -+ } -+ -+ *h_errnop = NETDB_INTERNAL; -+ return NSS_STATUS_TRYAGAIN; - } - - -@@ -1222,11 +1232,101 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2, - - enum nss_status status = NSS_STATUS_NOTFOUND; - -+ /* Combining the NSS status of two distinct queries requires some -+ compromise and attention to symmetry (A or AAAA queries can be -+ returned in any order). What follows is a breakdown of how this -+ code is expected to work and why. We discuss only SUCCESS, -+ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns -+ that apply (though RETURN and MERGE exist). We make a distinction -+ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable). -+ A recoverable TRYAGAIN is almost always due to buffer size issues -+ and returns ERANGE in errno and the caller is expected to retry -+ with a larger buffer. -+ -+ Lastly, you may be tempted to make significant changes to the -+ conditions in this code to bring about symmetry between responses. -+ Please don't change anything without due consideration for -+ expected application behaviour. Some of the synthesized responses -+ aren't very well thought out and sometimes appear to imply that -+ IPv4 responses are always answer 1, and IPv6 responses are always -+ answer 2, but that's not true (see the implementation of send_dg -+ and send_vc to see response can arrive in any order, particularly -+ for UDP). However, we expect it holds roughly enough of the time -+ that this code works, but certainly needs to be fixed to make this -+ a more robust implementation. -+ -+ ---------------------------------------------- -+ | Answer 1 Status / | Synthesized | Reason | -+ | Answer 2 Status | Status | | -+ |--------------------------------------------| -+ | SUCCESS/SUCCESS | SUCCESS | [1] | -+ | SUCCESS/TRYAGAIN | TRYAGAIN | [5] | -+ | SUCCESS/TRYAGAIN' | SUCCESS | [1] | -+ | SUCCESS/NOTFOUND | SUCCESS | [1] | -+ | SUCCESS/UNAVAIL | SUCCESS | [1] | -+ | TRYAGAIN/SUCCESS | TRYAGAIN | [2] | -+ | TRYAGAIN/TRYAGAIN | TRYAGAIN | [2] | -+ | TRYAGAIN/TRYAGAIN' | TRYAGAIN | [2] | -+ | TRYAGAIN/NOTFOUND | TRYAGAIN | [2] | -+ | TRYAGAIN/UNAVAIL | TRYAGAIN | [2] | -+ | TRYAGAIN'/SUCCESS | SUCCESS | [3] | -+ | TRYAGAIN'/TRYAGAIN | TRYAGAIN | [3] | -+ | TRYAGAIN'/TRYAGAIN' | TRYAGAIN' | [3] | -+ | TRYAGAIN'/NOTFOUND | TRYAGAIN' | [3] | -+ | TRYAGAIN'/UNAVAIL | UNAVAIL | [3] | -+ | NOTFOUND/SUCCESS | SUCCESS | [3] | -+ | NOTFOUND/TRYAGAIN | TRYAGAIN | [3] | -+ | NOTFOUND/TRYAGAIN' | TRYAGAIN' | [3] | -+ | NOTFOUND/NOTFOUND | NOTFOUND | [3] | -+ | NOTFOUND/UNAVAIL | UNAVAIL | [3] | -+ | UNAVAIL/SUCCESS | UNAVAIL | [4] | -+ | UNAVAIL/TRYAGAIN | UNAVAIL | [4] | -+ | UNAVAIL/TRYAGAIN' | UNAVAIL | [4] | -+ | UNAVAIL/NOTFOUND | UNAVAIL | [4] | -+ | UNAVAIL/UNAVAIL | UNAVAIL | [4] | -+ ---------------------------------------------- -+ -+ [1] If the first response is a success we return success. -+ This ignores the state of the second answer and in fact -+ incorrectly sets errno and h_errno to that of the second -+ answer. However because the response is a success we ignore -+ *errnop and *h_errnop (though that means you touched errno on -+ success). We are being conservative here and returning the -+ likely IPv4 response in the first answer as a success. -+ -+ [2] If the first response is a recoverable TRYAGAIN we return -+ that instead of looking at the second response. The -+ expectation here is that we have failed to get an IPv4 response -+ and should retry both queries. -+ -+ [3] If the first response was not a SUCCESS and the second -+ response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN, -+ or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the -+ result from the second response, otherwise the first responses -+ status is used. Again we have some odd side-effects when the -+ second response is NOTFOUND because we overwrite *errnop and -+ *h_errnop that means that a first answer of NOTFOUND might see -+ its *errnop and *h_errnop values altered. Whether it matters -+ in practice that a first response NOTFOUND has the wrong -+ *errnop and *h_errnop is undecided. -+ -+ [4] If the first response is UNAVAIL we return that instead of -+ looking at the second response. The expectation here is that -+ it will have failed similarly e.g. configuration failure. -+ -+ [5] Testing this code is complicated by the fact that truncated -+ second response buffers might be returned as SUCCESS if the -+ first answer is a SUCCESS. To fix this we add symmetry to -+ TRYAGAIN with the second response. If the second response -+ is a recoverable error we now return TRYAGIN even if the first -+ response was SUCCESS. */ -+ - if (anslen1 > 0) - status = gaih_getanswer_slice(answer1, anslen1, qname, - &pat, &buffer, &buflen, - errnop, h_errnop, ttlp, - &first); -+ - if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND - || (status == NSS_STATUS_TRYAGAIN - /* We want to look at the second answer in case of an -@@ -1242,8 +1342,15 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2, - &pat, &buffer, &buflen, - errnop, h_errnop, ttlp, - &first); -+ /* Use the second response status in some cases. */ - if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND) - status = status2; -+ /* Do not return a truncated second response (unless it was -+ unavoidable e.g. unrecoverable TRYAGAIN). */ -+ if (status == NSS_STATUS_SUCCESS -+ && (status2 == NSS_STATUS_TRYAGAIN -+ && *errnop == ERANGE && *h_errnop != NO_RECOVERY)) -+ status = NSS_STATUS_TRYAGAIN; - } - - return status; -diff --git a/resolv/res_query.c b/resolv/res_query.c -index 4a9b3b3..95470a9 100644 ---- a/resolv/res_query.c -+++ b/resolv/res_query.c -@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp, - { - free (*answerp2); - *answerp2 = NULL; -+ *nanswerp2 = 0; - *answerp2_malloced = 0; - } - } -@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp, - { - free (*answerp2); - *answerp2 = NULL; -+ *nanswerp2 = 0; - *answerp2_malloced = 0; - } - -@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp, - { - free (*answerp2); - *answerp2 = NULL; -+ *nanswerp2 = 0; - *answerp2_malloced = 0; - } - if (saved_herrno != -1) -diff --git a/resolv/res_send.c b/resolv/res_send.c -index 5e53cc2..6511bb1 100644 ---- a/resolv/res_send.c -+++ b/resolv/res_send.c -@@ -1,3 +1,20 @@ -+/* Copyright (C) 2016 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ - /* - * Copyright (c) 1985, 1989, 1993 - * The Regents of the University of California. All rights reserved. -@@ -363,6 +380,8 @@ __libc_res_nsend(res_state statp, const u_char *buf, int buflen, - #ifdef USE_HOOKS - if (__glibc_unlikely (statp->qhook || statp->rhook)) { - if (anssiz < MAXPACKET && ansp) { -+ /* Always allocate MAXPACKET, callers expect -+ this specific size. */ - u_char *buf = malloc (MAXPACKET); - if (buf == NULL) - return (-1); -@@ -638,6 +657,77 @@ get_nsaddr (res_state statp, int n) - return (struct sockaddr *) (void *) &statp->nsaddr_list[n]; - } - -+/* The send_vc function is responsible for sending a DNS query over TCP -+ to the nameserver numbered NS from the res_state STATP i.e. -+ EXT(statp).nssocks[ns]. The function supports sending both IPv4 and -+ IPv6 queries at the same serially on the same socket. -+ -+ Please note that for TCP there is no way to disable sending both -+ queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP -+ and sends the queries serially and waits for the result after each -+ sent query. This implemetnation should be corrected to honour these -+ options. -+ -+ Please also note that for TCP we send both queries over the same -+ socket one after another. This technically violates best practice -+ since the server is allowed to read the first query, respond, and -+ then close the socket (to service another client). If the server -+ does this, then the remaining second query in the socket data buffer -+ will cause the server to send the client an RST which will arrive -+ asynchronously and the client's OS will likely tear down the socket -+ receive buffer resulting in a potentially short read and lost -+ response data. This will force the client to retry the query again, -+ and this process may repeat until all servers and connection resets -+ are exhausted and then the query will fail. It's not known if this -+ happens with any frequency in real DNS server implementations. This -+ implementation should be corrected to use two sockets by default for -+ parallel queries. -+ -+ The query stored in BUF of BUFLEN length is sent first followed by -+ the query stored in BUF2 of BUFLEN2 length. Queries are sent -+ serially on the same socket. -+ -+ Answers to the query are stored firstly in *ANSP up to a max of -+ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP -+ is non-NULL (to indicate that modifying the answer buffer is allowed) -+ then malloc is used to allocate a new response buffer and ANSCP and -+ ANSP will both point to the new buffer. If more than *ANSSIZP bytes -+ are needed but ANSCP is NULL, then as much of the response as -+ possible is read into the buffer, but the results will be truncated. -+ When truncation happens because of a small answer buffer the DNS -+ packets header field TC will bet set to 1, indicating a truncated -+ message and the rest of the socket data will be read and discarded. -+ -+ Answers to the query are stored secondly in *ANSP2 up to a max of -+ *ANSSIZP2 bytes, with the actual response length stored in -+ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2 -+ is non-NULL (required for a second query) then malloc is used to -+ allocate a new response buffer, *ANSSIZP2 is set to the new buffer -+ size and *ANSP2_MALLOCED is set to 1. -+ -+ The ANSP2_MALLOCED argument will eventually be removed as the -+ change in buffer pointer can be used to detect the buffer has -+ changed and that the caller should use free on the new buffer. -+ -+ Note that the answers may arrive in any order from the server and -+ therefore the first and second answer buffers may not correspond to -+ the first and second queries. -+ -+ It is not supported to call this function with a non-NULL ANSP2 -+ but a NULL ANSCP. Put another way, you can call send_vc with a -+ single unmodifiable buffer or two modifiable buffers, but no other -+ combination is supported. -+ -+ It is the caller's responsibility to free the malloc allocated -+ buffers by detecting that the pointers have changed from their -+ original values i.e. *ANSCP or *ANSP2 has changed. -+ -+ If errors are encountered then *TERRNO is set to an appropriate -+ errno value and a zero result is returned for a recoverable error, -+ and a less-than zero result is returned for a non-recoverable error. -+ -+ If no errors are encountered then *TERRNO is left unmodified and -+ a the length of the first response in bytes is returned. */ - static int - send_vc(res_state statp, - const u_char *buf, int buflen, const u_char *buf2, int buflen2, -@@ -647,11 +737,7 @@ send_vc(res_state statp, - { - const HEADER *hp = (HEADER *) buf; - const HEADER *hp2 = (HEADER *) buf2; -- u_char *ans = *ansp; -- int orig_anssizp = *anssizp; -- // XXX REMOVE -- // int anssiz = *anssizp; -- HEADER *anhp = (HEADER *) ans; -+ HEADER *anhp = (HEADER *) *ansp; - struct sockaddr *nsap = get_nsaddr (statp, ns); - int truncating, connreset, n; - /* On some architectures compiler might emit a warning indicating -@@ -743,6 +829,8 @@ send_vc(res_state statp, - * Receive length & response - */ - int recvresp1 = 0; -+ /* Skip the second response if there is no second query. -+ To do that we mark the second response as received. */ - int recvresp2 = buf2 == NULL; - uint16_t rlen16; - read_len: -@@ -779,40 +867,14 @@ send_vc(res_state statp, - u_char **thisansp; - int *thisresplenp; - if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) { -+ /* We have not received any responses -+ yet or we only have one response to -+ receive. */ - thisanssizp = anssizp; - thisansp = anscp ?: ansp; - assert (anscp != NULL || ansp2 == NULL); - thisresplenp = &resplen; - } else { -- if (*anssizp != MAXPACKET) { -- /* No buffer allocated for the first -- reply. We can try to use the rest -- of the user-provided buffer. */ --#if __GNUC_PREREQ (4, 7) -- DIAG_PUSH_NEEDS_COMMENT; -- DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized"); --#endif --#if _STRING_ARCH_unaligned -- *anssizp2 = orig_anssizp - resplen; -- *ansp2 = *ansp + resplen; --#else -- int aligned_resplen -- = ((resplen + __alignof__ (HEADER) - 1) -- & ~(__alignof__ (HEADER) - 1)); -- *anssizp2 = orig_anssizp - aligned_resplen; -- *ansp2 = *ansp + aligned_resplen; --#endif --#if __GNUC_PREREQ (4, 7) -- DIAG_POP_NEEDS_COMMENT; --#endif -- } else { -- /* The first reply did not fit into the -- user-provided buffer. Maybe the second -- answer will. */ -- *anssizp2 = orig_anssizp; -- *ansp2 = *ansp; -- } -- - thisanssizp = anssizp2; - thisansp = ansp2; - thisresplenp = resplen2; -@@ -820,10 +882,14 @@ send_vc(res_state statp, - anhp = (HEADER *) *thisansp; - - *thisresplenp = rlen; -- if (rlen > *thisanssizp) { -- /* Yes, we test ANSCP here. If we have two buffers -- both will be allocatable. */ -- if (__glibc_likely (anscp != NULL)) { -+ /* Is the answer buffer too small? */ -+ if (*thisanssizp < rlen) { -+ /* If the current buffer is not the the static -+ user-supplied buffer then we can reallocate -+ it. */ -+ if (thisansp != NULL && thisansp != ansp) { -+ /* Always allocate MAXPACKET, callers expect -+ this specific size. */ - u_char *newp = malloc (MAXPACKET); - if (newp == NULL) { - *terrno = ENOMEM; -@@ -835,6 +901,9 @@ send_vc(res_state statp, - if (thisansp == ansp2) - *ansp2_malloced = 1; - anhp = (HEADER *) newp; -+ /* A uint16_t can't be larger than MAXPACKET -+ thus it's safe to allocate MAXPACKET but -+ read RLEN bytes instead. */ - len = rlen; - } else { - Dprint(statp->options & RES_DEBUG, -@@ -997,6 +1066,66 @@ reopen (res_state statp, int *terrno, int ns) - return 1; - } - -+/* The send_dg function is responsible for sending a DNS query over UDP -+ to the nameserver numbered NS from the res_state STATP i.e. -+ EXT(statp).nssocks[ns]. The function supports IPv4 and IPv6 queries -+ along with the ability to send the query in parallel for both stacks -+ (default) or serially (RES_SINGLKUP). It also supports serial lookup -+ with a close and reopen of the socket used to talk to the server -+ (RES_SNGLKUPREOP) to work around broken name servers. -+ -+ The query stored in BUF of BUFLEN length is sent first followed by -+ the query stored in BUF2 of BUFLEN2 length. Queries are sent -+ in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP). -+ -+ Answers to the query are stored firstly in *ANSP up to a max of -+ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP -+ is non-NULL (to indicate that modifying the answer buffer is allowed) -+ then malloc is used to allocate a new response buffer and ANSCP and -+ ANSP will both point to the new buffer. If more than *ANSSIZP bytes -+ are needed but ANSCP is NULL, then as much of the response as -+ possible is read into the buffer, but the results will be truncated. -+ When truncation happens because of a small answer buffer the DNS -+ packets header field TC will bet set to 1, indicating a truncated -+ message, while the rest of the UDP packet is discarded. -+ -+ Answers to the query are stored secondly in *ANSP2 up to a max of -+ *ANSSIZP2 bytes, with the actual response length stored in -+ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2 -+ is non-NULL (required for a second query) then malloc is used to -+ allocate a new response buffer, *ANSSIZP2 is set to the new buffer -+ size and *ANSP2_MALLOCED is set to 1. -+ -+ The ANSP2_MALLOCED argument will eventually be removed as the -+ change in buffer pointer can be used to detect the buffer has -+ changed and that the caller should use free on the new buffer. -+ -+ Note that the answers may arrive in any order from the server and -+ therefore the first and second answer buffers may not correspond to -+ the first and second queries. -+ -+ It is not supported to call this function with a non-NULL ANSP2 -+ but a NULL ANSCP. Put another way, you can call send_vc with a -+ single unmodifiable buffer or two modifiable buffers, but no other -+ combination is supported. -+ -+ It is the caller's responsibility to free the malloc allocated -+ buffers by detecting that the pointers have changed from their -+ original values i.e. *ANSCP or *ANSP2 has changed. -+ -+ If an answer is truncated because of UDP datagram DNS limits then -+ *V_CIRCUIT is set to 1 and the return value non-zero to indicate to -+ the caller to retry with TCP. The value *GOTSOMEWHERE is set to 1 -+ if any progress was made reading a response from the nameserver and -+ is used by the caller to distinguish between ECONNREFUSED and -+ ETIMEDOUT (the latter if *GOTSOMEWHERE is 1). -+ -+ If errors are encountered then *TERRNO is set to an appropriate -+ errno value and a zero result is returned for a recoverable error, -+ and a less-than zero result is returned for a non-recoverable error. -+ -+ If no errors are encountered then *TERRNO is left unmodified and -+ a the length of the first response in bytes is returned. */ - static int - send_dg(res_state statp, - const u_char *buf, int buflen, const u_char *buf2, int buflen2, -@@ -1006,8 +1135,6 @@ send_dg(res_state statp, - { - const HEADER *hp = (HEADER *) buf; - const HEADER *hp2 = (HEADER *) buf2; -- u_char *ans = *ansp; -- int orig_anssizp = *anssizp; - struct timespec now, timeout, finish; - struct pollfd pfd[1]; - int ptimeout; -@@ -1040,6 +1167,8 @@ send_dg(res_state statp, - int need_recompute = 0; - int nwritten = 0; - int recvresp1 = 0; -+ /* Skip the second response if there is no second query. -+ To do that we mark the second response as received. */ - int recvresp2 = buf2 == NULL; - pfd[0].fd = EXT(statp).nssocks[ns]; - pfd[0].events = POLLOUT; -@@ -1203,55 +1332,56 @@ send_dg(res_state statp, - int *thisresplenp; - - if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) { -+ /* We have not received any responses -+ yet or we only have one response to -+ receive. */ - thisanssizp = anssizp; - thisansp = anscp ?: ansp; - assert (anscp != NULL || ansp2 == NULL); - thisresplenp = &resplen; - } else { -- if (*anssizp != MAXPACKET) { -- /* No buffer allocated for the first -- reply. We can try to use the rest -- of the user-provided buffer. */ --#if _STRING_ARCH_unaligned -- *anssizp2 = orig_anssizp - resplen; -- *ansp2 = *ansp + resplen; --#else -- int aligned_resplen -- = ((resplen + __alignof__ (HEADER) - 1) -- & ~(__alignof__ (HEADER) - 1)); -- *anssizp2 = orig_anssizp - aligned_resplen; -- *ansp2 = *ansp + aligned_resplen; --#endif -- } else { -- /* The first reply did not fit into the -- user-provided buffer. Maybe the second -- answer will. */ -- *anssizp2 = orig_anssizp; -- *ansp2 = *ansp; -- } -- - thisanssizp = anssizp2; - thisansp = ansp2; - thisresplenp = resplen2; - } - - if (*thisanssizp < MAXPACKET -- /* Yes, we test ANSCP here. If we have two buffers -- both will be allocatable. */ -- && anscp -+ /* If the current buffer is not the the static -+ user-supplied buffer then we can reallocate -+ it. */ -+ && (thisansp != NULL && thisansp != ansp) - #ifdef FIONREAD -+ /* Is the size too small? */ - && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0 - || *thisanssizp < *thisresplenp) - #endif - ) { -+ /* Always allocate MAXPACKET, callers expect -+ this specific size. */ - u_char *newp = malloc (MAXPACKET); - if (newp != NULL) { -- *anssizp = MAXPACKET; -- *thisansp = ans = newp; -+ *thisanssizp = MAXPACKET; -+ *thisansp = newp; - if (thisansp == ansp2) - *ansp2_malloced = 1; - } - } -+ /* We could end up with truncation if anscp was NULL -+ (not allowed to change caller's buffer) and the -+ response buffer size is too small. This isn't a -+ reliable way to detect truncation because the ioctl -+ may be an inaccurate report of the UDP message size. -+ Therefore we use this only to issue debug output. -+ To do truncation accurately with UDP we need -+ MSG_TRUNC which is only available on Linux. We -+ can abstract out the Linux-specific feature in the -+ future to detect truncation. */ -+ if (__glibc_unlikely (*thisanssizp < *thisresplenp)) { -+ Dprint(statp->options & RES_DEBUG, -+ (stdout, ";; response may be truncated (UDP)\n") -+ ); -+ } -+ - HEADER *anhp = (HEADER *) *thisansp; - socklen_t fromlen = sizeof(struct sockaddr_in6); - assert (sizeof(from) <= fromlen); diff --git a/pkgs/development/libraries/glibc/glibc-locale-incompatibility.patch b/pkgs/development/libraries/glibc/glibc-locale-incompatibility.patch deleted file mode 100644 index 8ca2ce4cd88a..000000000000 --- a/pkgs/development/libraries/glibc/glibc-locale-incompatibility.patch +++ /dev/null @@ -1,25 +0,0 @@ -http://git.savannah.gnu.org/cgit/guix.git/plain/gnu/packages/patches/glibc-locale-incompatibility.patch - -This patch avoids an assertion failure when incompatible locale data -is encountered: - - https://sourceware.org/ml/libc-alpha/2015-09/msg00575.html - ---- glibc-2.22/locale/loadlocale.c 2015-09-22 17:16:02.321981548 +0200 -+++ glibc-2.22/locale/loadlocale.c 2015-09-22 17:17:34.814659064 +0200 -@@ -120,10 +120,11 @@ - _nl_value_type_LC_XYZ array. There are all pointers. */ - switch (category) - { --#define CATTEST(cat) \ -- case LC_##cat: \ -- assert (cnt < (sizeof (_nl_value_type_LC_##cat) \ -- / sizeof (_nl_value_type_LC_##cat[0]))); \ -+#define CATTEST(cat) \ -+ case LC_##cat: \ -+ if (cnt >= (sizeof (_nl_value_type_LC_##cat) \ -+ / sizeof (_nl_value_type_LC_##cat[0]))) \ -+ goto puntdata; \ - break - CATTEST (NUMERIC); - CATTEST (TIME); From 05d4959251f48ab37a6cc94e99d413efafe60d2a Mon Sep 17 00:00:00 2001 From: zimbatm Date: Sat, 20 Feb 2016 21:06:13 +0000 Subject: [PATCH 09/15] gettext: expand all gettext.sh paths --- pkgs/development/libraries/gettext/absolute-paths.diff | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gettext/absolute-paths.diff b/pkgs/development/libraries/gettext/absolute-paths.diff index 6d5cf1c1ba24..af37f61a9a41 100644 --- a/pkgs/development/libraries/gettext/absolute-paths.diff +++ b/pkgs/development/libraries/gettext/absolute-paths.diff @@ -7,7 +7,7 @@ index 1dfa3bb..d6ef8a8 100644 # result. eval_gettext () { - gettext "$1" | (export PATH `envsubst --variables "$1"`; envsubst "$1") -+ @out@/bin/gettext "$1" | (export PATH `envsubst --variables "$1"`; envsubst "$1") ++ @out@/bin/gettext "$1" | (export PATH `@out@/bin/envsubst --variables "$1"`; @out@/bin/envsubst "$1") } # eval_ngettext MSGID MSGID-PLURAL COUNT @@ -15,7 +15,7 @@ index 1dfa3bb..d6ef8a8 100644 # shell variables in the result. eval_ngettext () { - ngettext "$1" "$2" "$3" | (export PATH `envsubst --variables "$1 $2"`; envsubst "$1 $2") -+ @out@/bin/ngettext "$1" "$2" "$3" | (export PATH `envsubst --variables "$1 $2"`; envsubst "$1 $2") ++ @out@/bin/ngettext "$1" "$2" "$3" | (export PATH `@out@/bin/envsubst --variables "$1 $2"`; @out@/bin/envsubst "$1 $2") } # Note: This use of envsubst is much safer than using the shell built-in 'eval' From f05bc0444aac0fe5643254a07b15e7141b5e3146 Mon Sep 17 00:00:00 2001 From: zimbatm Date: Sun, 21 Feb 2016 13:22:44 +0000 Subject: [PATCH 10/15] gettext: 0.19.6 -> 0.19.7 expat is replaced by a bundled version of libxml2 --- .../development/libraries/gettext/default.nix | 35 ++++++++++--------- pkgs/development/libraries/gettext/expat.nix | 10 ------ pkgs/top-level/all-packages.nix | 11 ++---- 3 files changed, 20 insertions(+), 36 deletions(-) delete mode 100644 pkgs/development/libraries/gettext/expat.nix diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix index 1443626124e1..c96d241ee903 100644 --- a/pkgs/development/libraries/gettext/default.nix +++ b/pkgs/development/libraries/gettext/default.nix @@ -1,11 +1,12 @@ -{ stdenv, fetchurl, libiconv, xz }: +{ stdenv, lib, fetchurl, libiconv, xz }: -stdenv.mkDerivation (rec { - name = "gettext-0.19.6"; +stdenv.mkDerivation rec { + name = "gettext-${version}"; + version = "0.19.7"; src = fetchurl { url = "mirror://gnu/gettext/${name}.tar.gz"; - sha256 = "0pb9vp4ifymvdmc31ks3xxcnfqgzj8shll39czmk8c1splclqjzd"; + sha256 = "0gy2b2aydj8r0sapadnjw8cmb8j2rynj28d5qs1mfa800njd51jk"; }; patches = [ ./absolute-paths.diff ]; @@ -14,20 +15,20 @@ stdenv.mkDerivation (rec { LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else ""; configureFlags = [ "--disable-csharp" "--with-xz" ] - ++ (stdenv.lib.optionals stdenv.isCygwin - [ "--disable-java" + ++ lib.optionals stdenv.isCygwin [ + "--disable-java" "--disable-native-java" # Share the cache among the various `configure' runs. "--config-cache" "--with-included-gettext" "--with-included-glib" "--with-included-libcroco" - ]) + ] # avoid retaining reference to CF during stdenv bootstrap - ++ (stdenv.lib.optionals stdenv.isDarwin [ - "gt_cv_func_CFPreferencesCopyAppValue=no" - "gt_cv_func_CFLocaleCopyCurrent=no" - ]); + ++ lib.optionals stdenv.isDarwin [ + "gt_cv_func_CFPreferencesCopyAppValue=no" + "gt_cv_func_CFLocaleCopyCurrent=no" + ]; postPatch = '' substituteAllInPlace gettext-runtime/src/gettext.sh.in @@ -45,16 +46,16 @@ stdenv.mkDerivation (rec { echo gl_cv_func_wcwidth_works=yes > cachefile configureFlags="$configureFlags --cache-file=`pwd`/cachefile" fi - '' + stdenv.lib.optionalString stdenv.isCygwin '' + '' + lib.optionalString stdenv.isCygwin '' sed -i -e "s/\(am_libgettextlib_la_OBJECTS = \)error.lo/\\1/" gettext-tools/gnulib-lib/Makefile.in ''; - buildInputs = [ xz ] ++ stdenv.lib.optional (!stdenv.isLinux) libiconv; + buildInputs = [ xz ] ++ lib.optional (!stdenv.isLinux) libiconv; enableParallelBuilding = true; crossAttrs = { - buildInputs = stdenv.lib.optional (stdenv ? ccCross && stdenv.ccCross.libc ? libiconv) + buildInputs = lib.optional (stdenv ? ccCross && stdenv.ccCross.libc ? libiconv) stdenv.ccCross.libc.libiconv.crossDrv; # Gettext fails to guess the cross compiler configureFlags = "CXX=${stdenv.cross.config}-g++"; @@ -84,8 +85,8 @@ stdenv.mkDerivation (rec { homepage = http://www.gnu.org/software/gettext/; - maintainers = [ ]; - platforms = stdenv.lib.platforms.all; + maintainers = with lib.maintainers; [ zimbatm ]; + platforms = lib.platforms.all; }; } @@ -102,4 +103,4 @@ stdenv.mkDerivation (rec { sed -i gettext-tools/gnulib-lib/Makefile.in \ -e 's/am_libgettextlib_la_OBJECTS =/am_libgettextlib_la_OBJECTS = error.lo/g' ''; -}) +} diff --git a/pkgs/development/libraries/gettext/expat.nix b/pkgs/development/libraries/gettext/expat.nix deleted file mode 100644 index fc6116b39160..000000000000 --- a/pkgs/development/libraries/gettext/expat.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ runCommand, gettext, expat, makeWrapper }: - -runCommand "gettext-expat-${gettext.name}" { buildInputs = [ makeWrapper ]; } '' - mkdir $out - cp -rf ${gettext}/* $out/ - chmod a+w $out/bin - for p in $out/bin/*; do - wrapProgram $p --prefix LD_LIBRARY_PATH : ${expat}/lib - done -'' diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 605d39b6ac9f..2b1c5a781b50 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -6675,12 +6675,6 @@ let gettext = callPackage ../development/libraries/gettext { }; - gettextWithExpat = if stdenv.isDarwin - then gettext.overrideDerivation (drv: { - configureFlags = drv.configureFlags ++ [ "--with-libexpat-prefix=${expat}" ]; - }) - else callPackage ../development/libraries/gettext/expat.nix { }; - gd = callPackage ../development/libraries/gd { }; gdal = callPackage ../development/libraries/gdal { }; @@ -6913,9 +6907,7 @@ let cupsSupport = config.gtk2.cups or stdenv.isLinux; }; - gtk3 = callPackage ../development/libraries/gtk+/3.x.nix { - gettext = gettextWithExpat; - }; + gtk3 = callPackage ../development/libraries/gtk+/3.x.nix { }; gtk = pkgs.gtk2; @@ -16065,6 +16057,7 @@ aliases = with self; rec { firefox-wrapper = firefox; # 2016-01 firefox-esr-wrapper = firefox-esr; # 2016-01 fuse_exfat = exfat; # 2015-09-11 + gettextWithExpat = gettext; # 2016-02-19 grantlee5 = qt5.grantlee; # added 2015-12-19 gupnptools = gupnp-tools; # added 2015-12-19 htmlTidy = html-tidy; # added 2014-12-06 From 2f050b5d13784d6ab4b63405db495b7a8485f61a Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 24 Feb 2016 11:01:11 +0100 Subject: [PATCH 11/15] stdenvLinux: Use bash instead of sh from bootstrapTools "sh" is also bash, but invoking it as "sh" disables certain features like process substitution. Closes #13395. --- pkgs/stdenv/linux/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/stdenv/linux/default.nix b/pkgs/stdenv/linux/default.nix index ac7d8f5c706c..cd49d4a5a742 100644 --- a/pkgs/stdenv/linux/default.nix +++ b/pkgs/stdenv/linux/default.nix @@ -78,7 +78,7 @@ rec { dontPatchShebangs=1 ${commonPreHook} ''; - shell = "${bootstrapTools}/bin/sh"; + shell = "${bootstrapTools}/bin/bash"; initialPath = [bootstrapTools]; fetchurlBoot = import ../../build-support/fetchurl { stdenv = stage0.stdenv; From aff0451c1059db83acb77125f79b76075261dabd Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 24 Feb 2016 11:13:36 +0100 Subject: [PATCH 12/15] patchELF: Use correct directory Borrowed from https://github.com/NixOS/nixpkgs/pull/13395. --- pkgs/development/tools/misc/patchelf/setup-hook.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/development/tools/misc/patchelf/setup-hook.sh b/pkgs/development/tools/misc/patchelf/setup-hook.sh index 03b6f362a779..563ef57fce11 100644 --- a/pkgs/development/tools/misc/patchelf/setup-hook.sh +++ b/pkgs/development/tools/misc/patchelf/setup-hook.sh @@ -5,7 +5,8 @@ fixupOutputHooks+=('if [ -z "$dontPatchELF" ]; then patchELF "$prefix"; fi') patchELF() { - header "shrinking RPATHs of ELF executables and libraries in $prefix" + local dir="$1" + header "shrinking RPATHs of ELF executables and libraries in $dir" local i while IFS= read -r -d $'\0' i; do @@ -13,7 +14,7 @@ patchELF() { if ! isELF "$i"; then continue; fi echo "shrinking $i" patchelf --shrink-rpath "$i" || true - done < <(find "$prefix" -type f -print0) + done < <(find "$dir" -type f -print0) stopNest } From ef86e9506d5d6ed82ed8af5369b296aa2f3431a2 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 24 Feb 2016 14:01:20 +0100 Subject: [PATCH 13/15] Untested fix for #13401 --- pkgs/development/libraries/openssl/default.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index 6300068f09fe..98e168f310d0 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -21,7 +21,9 @@ let patches = [ ./use-etc-ssl-certs.patch ] ++ optional stdenv.isCygwin ./1.0.1-cygwin64.patch - ++ optional (stdenv.isDarwin || (stdenv ? cross && stdenv.cross.libc == "libSystem")) ./darwin-arch.patch; + ++ optional + (versionOlder version "1.0.2" && (stdenv.isDarwin || (stdenv ? cross && stdenv.cross.libc == "libSystem"))) + ./darwin-arch.patch; nativeBuildInputs = [ perl ]; buildInputs = stdenv.lib.optional withCryptodev cryptodevHeaders; @@ -102,9 +104,9 @@ in { sha256 = "0iik7a3b0mrfrxzngdf7ywfscg9inbw77y0jp2ccw0gdap9xhjvq"; }; - openssl_1_0_2 = common { + openssl_1_0_2 = lowPrio (common { version = "1.0.2f"; sha256 = "932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c"; - }; + }); } From eead3bc5365522720e0162b403895497c8817cd6 Mon Sep 17 00:00:00 2001 From: Kevin Cox Date: Fri, 12 Feb 2016 08:26:46 -0500 Subject: [PATCH 14/15] util-linux: create -Minimal and utillinux (full) Close #12952. Now the full version is used by default, supporting systemd and curses. --- pkgs/desktops/e19/efl.nix | 4 ++-- pkgs/os-specific/linux/systemd/default.nix | 12 ++++++------ pkgs/os-specific/linux/util-linux/default.nix | 9 ++++++++- pkgs/top-level/all-packages.nix | 15 +++++++-------- pkgs/top-level/release-small.nix | 2 +- 5 files changed, 24 insertions(+), 18 deletions(-) diff --git a/pkgs/desktops/e19/efl.nix b/pkgs/desktops/e19/efl.nix index aa662f1ed873..853bee31cc8e 100644 --- a/pkgs/desktops/e19/efl.nix +++ b/pkgs/desktops/e19/efl.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, pkgconfig, openssl, libjpeg, zlib, freetype, fontconfig, fribidi, SDL2, SDL, mesa, giflib, libpng, libtiff, glib, gst_all_1, libpulseaudio, libsndfile, xorg, libdrm, libxkbcommon, udev, utillinuxCurses, dbus, bullet, luajit, python27Packages, openjpeg, doxygen, expat, harfbuzz, jbig2dec, librsvg, dbus_libs, alsaLib, poppler, libraw, libspectre, xineLib, libwebp, curl, libinput }: +{ stdenv, fetchurl, pkgconfig, openssl, libjpeg, zlib, freetype, fontconfig, fribidi, SDL2, SDL, mesa, giflib, libpng, libtiff, glib, gst_all_1, libpulseaudio, libsndfile, xorg, libdrm, libxkbcommon, udev, utillinux, dbus, bullet, luajit, python27Packages, openjpeg, doxygen, expat, harfbuzz, jbig2dec, librsvg, dbus_libs, alsaLib, poppler, libraw, libspectre, xineLib, libwebp, curl, libinput }: stdenv.mkDerivation rec { @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig openssl zlib freetype fontconfig fribidi SDL2 SDL mesa giflib libpng libtiff glib gst_all_1.gstreamer gst_all_1.gst-plugins-base gst_all_1.gst-libav libpulseaudio libsndfile xorg.libXcursor xorg.printproto - xorg.libX11 udev utillinuxCurses ]; + xorg.libX11 udev utillinux ]; propagatedBuildInputs = [ libxkbcommon python27Packages.dbus dbus libjpeg xorg.libXcomposite xorg.libXdamage xorg.libXinerama xorg.libXp xorg.libXtst xorg.libXi xorg.libXext diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index ec5a85ef4ada..cb1521a4005e 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchFromGitHub, pkgconfig, intltool, gperf, libcap, dbus, kmod -, xz, pam, acl, cryptsetup, libuuid, m4, utillinux +, xz, pam, acl, cryptsetup, libuuid, m4, utillinuxMinimal , glib, kbd, libxslt, coreutils, libgcrypt, libgpgerror, libapparmor, audit, lz4 , kexectools, libmicrohttpd, linuxHeaders, libseccomp , autoreconfHook, gettext, docbook_xsl, docbook_xml_dtd_42, docbook_xml_dtd_45 @@ -75,13 +75,13 @@ stdenv.mkDerivation rec { test -e $i substituteInPlace $i \ --replace /usr/bin/getent ${stdenv.glibc}/bin/getent \ - --replace /bin/mount ${utillinux}/bin/mount \ - --replace /bin/umount ${utillinux}/bin/umount \ - --replace /sbin/swapon ${utillinux}/sbin/swapon \ - --replace /sbin/swapoff ${utillinux}/sbin/swapoff \ + --replace /bin/mount ${utillinuxMinimal}/bin/mount \ + --replace /bin/umount ${utillinuxMinimal}/bin/umount \ + --replace /sbin/swapon ${utillinuxMinimal}/sbin/swapon \ + --replace /sbin/swapoff ${utillinuxMinimal}/sbin/swapoff \ --replace /bin/echo ${coreutils}/bin/echo \ --replace /bin/cat ${coreutils}/bin/cat \ - --replace /sbin/sulogin ${utillinux}/sbin/sulogin \ + --replace /sbin/sulogin ${utillinuxMinimal}/sbin/sulogin \ --replace /usr/lib/systemd/systemd-fsck $out/lib/systemd/systemd-fsck done diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index bcd9aa58bccf..a84740b1a30b 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix @@ -1,4 +1,6 @@ -{ stdenv, fetchurl, zlib, ncurses ? null, perl ? null, pam }: +{ stdenv, fetchurl, zlib, ncurses ? null, perl ? null, pam, systemd ? null +, pkgconfig +}: stdenv.mkDerivation rec { name = "util-linux-2.27.1"; @@ -38,11 +40,16 @@ stdenv.mkDerivation rec { --disable-use-tty-group --enable-fs-paths-default=/var/setuid-wrappers:/var/run/current-system/sw/bin:/sbin ${if ncurses == null then "--without-ncurses" else ""} + ${if systemd == null then "" else '' + --with-systemd + --with-systemdsystemunitdir=$out/lib/systemd/system/ + ''} ''; buildInputs = [ zlib pam ] ++ stdenv.lib.optional (ncurses != null) ncurses + ++ stdenv.lib.optional (systemd != null) [ systemd pkgconfig ] ++ stdenv.lib.optional (perl != null) perl; postInstall = '' diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index f6125fbdfd86..9563feeb2924 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -10021,8 +10021,8 @@ let libuuid = if crossSystem != null && crossSystem.config == "i586-pc-gnu" - then (utillinux // { - crossDrv = lib.overrideDerivation utillinux.crossDrv (args: { + then (utillinuxMinimal // { + crossDrv = lib.overrideDerivation utillinuxMinimal.crossDrv (args: { # `libblkid' fails to build on GNU/Hurd. configureFlags = args.configureFlags + " --disable-libblkid --disable-mount --disable-libmount" @@ -10035,7 +10035,7 @@ let }); }) else if stdenv.isLinux - then utillinux + then utillinuxMinimal else null; light = callPackage ../os-specific/linux/light { }; @@ -10809,13 +10809,12 @@ let usermount = callPackage ../os-specific/linux/usermount { }; - utillinux = callPackage ../os-specific/linux/util-linux { + utillinux = callPackage ../os-specific/linux/util-linux { }; + + utillinuxMinimal = appendToName "minimal" (utillinux.override { ncurses = null; perl = null; - }; - - utillinuxCurses = appendToName "curses" (utillinux.override { - inherit ncurses perl; + systemd = null; }); v4l_utils = callPackage ../os-specific/linux/v4l-utils { diff --git a/pkgs/top-level/release-small.nix b/pkgs/top-level/release-small.nix index fc428a73743b..017865919739 100644 --- a/pkgs/top-level/release-small.nix +++ b/pkgs/top-level/release-small.nix @@ -169,7 +169,7 @@ with import ./release-lib.nix { inherit supportedSystems; }; upstart = linux; usbutils = linux; utillinux = linux; - utillinuxCurses = linux; + utillinuxMinimal = linux; w3m = all; webkit = linux; wget = all; From 39609a0c9414b398330e42f872e7358e30e133dd Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Thu, 25 Feb 2016 13:53:03 +0300 Subject: [PATCH 15/15] stdenv: set SSL_CERT_FILE only if it isn't already --- pkgs/stdenv/generic/setup.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index 8081b69bffd3..b49846fa050c 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh @@ -384,7 +384,9 @@ paxmark() { true; } # Prevent OpenSSL-based applications from using certificates in # /etc/ssl. -export SSL_CERT_FILE=/no-cert-file.crt +if [ -z "$SSL_CERT_FILE" ]; then + export SSL_CERT_FILE=/no-cert-file.crt +fi ######################################################################