From 07849e749abb46b48db7123de8b40cb40bc08724 Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Thu, 13 Oct 2016 07:58:54 -0500 Subject: [PATCH 01/10] cmake: When there is no stdenv.glibc, still fix search paths. Apply all of the fixups from preConfigure as well! For testing purposes I added the following assert: assert (stdenv ? glibc) -> (stdenv.glibc == stdenv.cc.libc); To ensure behavior in the case there is a 'stdenv.glibc' (linux-only?) wasn't changed, which passes in the configurations I could think of. Not including that since it seems like a bad requirement moving forward. --- .../tools/build-managers/cmake/2.8.nix | 25 +++++++++++-------- .../tools/build-managers/cmake/default.nix | 17 ++++++------- .../cmake/search-path-3.2.patch | 12 ++++----- .../build-managers/cmake/search-path.patch | 12 ++++----- 4 files changed, 34 insertions(+), 32 deletions(-) diff --git a/pkgs/development/tools/build-managers/cmake/2.8.nix b/pkgs/development/tools/build-managers/cmake/2.8.nix index d824c3e2c964..52c577aedb35 100644 --- a/pkgs/development/tools/build-managers/cmake/2.8.nix +++ b/pkgs/development/tools/build-managers/cmake/2.8.nix @@ -5,6 +5,8 @@ with stdenv.lib; assert wantPS -> (ps != null); +assert stdenv ? cc; +assert stdenv.cc ? libc; let os = stdenv.lib.optionalString; @@ -31,9 +33,8 @@ stdenv.mkDerivation rec { url = "http://www.cmake.org/Bug/file_download.php?file_id=4660&type=bug"; sha256 = "136z63ff83hnwd247cq4m8m8164pklzyl5i2csf5h6wd8p01pdkj"; })] ++ - # Don't search in non-Nix locations such as /usr, but do search in - # Nixpkgs' Glibc. - optional (stdenv ? glibc) ./search-path.patch ++ + # Don't search in non-Nix locations such as /usr, but do search in our libc. + [ ./search-path.patch ] ++ optional (stdenv ? cross) (fetchurl { name = "fix-darwin-cross-compile.patch"; url = "http://public.kitware.com/Bug/file_download.php?" 
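Review bot: `assert stdenv.cc ? libc;` only checks that the attribute exists, not that it is non-null, so a compiler wrapper with `libc = null` passes both asserts and the failure surfaces later, when `${getBin cc.libc}` in preConfigure is interpolated, with a far less direct "cannot coerce null" style error; `assert stdenv.cc.libc != null;` states the precondition the derivation actually needs. The same pair of asserts is added to default.nix in this commit, where the same tightening applies. The second hunk here (the `patches` list) ends outside what is shown.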
@@ -50,22 +51,24 @@ stdenv.mkDerivation rec { CMAKE_PREFIX_PATH = concatStringsSep ":" (concatMap (p: [ (p.dev or p) (p.out or p) ]) buildInputs); - configureFlags = - "--docdir=/share/doc/${name} --mandir=/share/man --system-libs --no-system-libarchive" - + stdenv.lib.optionalString useQt4 " --qt-gui"; + configureFlags = [ + "--docdir=/share/doc/${name}" + "--mandir=/share/man" + "--system-libs" + "--no-system-libarchive" + ] ++ stdenv.lib.optional useQt4 "--qt-gui"; setupHook = ./setup-hook.sh; dontUseCmakeConfigure = true; - preConfigure = with stdenv; optionalString (stdenv ? glibc) - '' + preConfigure = with stdenv; '' source $setupHook fixCmakeFiles . substituteInPlace Modules/Platform/UnixPaths.cmake \ - --subst-var-by glibc_bin ${getBin glibc} \ - --subst-var-by glibc_dev ${getDev glibc} \ - --subst-var-by glibc_lib ${getLib glibc} + --subst-var-by libc_bin ${getBin cc.libc} \ + --subst-var-by libc_dev ${getDev cc.libc} \ + --subst-var-by libc_lib ${getLib cc.libc} ''; meta = { diff --git a/pkgs/development/tools/build-managers/cmake/default.nix b/pkgs/development/tools/build-managers/cmake/default.nix index 52822178c023..012ece041b21 100644 --- a/pkgs/development/tools/build-managers/cmake/default.nix +++ b/pkgs/development/tools/build-managers/cmake/default.nix @@ -7,6 +7,8 @@ with stdenv.lib; assert wantPS -> (ps != null); +assert stdenv ? cc; +assert stdenv.cc ? libc; let os = stdenv.lib.optionalString; @@ -25,10 +27,8 @@ stdenv.mkDerivation rec { sha256 = "0w3n2i02jpbgai4dxsigm1c1i1qb5v70wyxckzwrxvs0ri0fs1gx"; }; - patches = - # Don't search in non-Nix locations such as /usr, but do search in - # Nixpkgs' Glibc. - optional (stdenv ? glibc) ./search-path-3.2.patch + # Don't search in non-Nix locations such as /usr, but do search in our libc. + patches = [ ./search-path-3.2.patch ] ++ optional stdenv.isCygwin ./3.2.2-cygwin.patch; outputs = [ "out" ]; 
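Review bot: The rewritten `configureFlags` list in 2.8.nix keeps `"--docdir=/share/doc/${name}"` and `"--mandir=/share/man"` with a leading slash, while default.nix's list (visible later in this series) uses `"--docdir=share/doc/${name}"`; since this hunk already rewrites exactly these lines, aligning the two files would avoid the question of whether the slash is intentional. The same hunk drops the `optionalString (stdenv ? glibc)` guard on preConfigure, which is the point of the commit, but a one-line comment such as `# unconditional: the search-path patch always needs the libc paths substituted` would record why it is now safe on non-glibc stdenvs.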
@@ -43,13 +43,12 @@ stdenv.mkDerivation rec { propagatedBuildInputs = optional wantPS ps; - preConfigure = with stdenv; optionalString (stdenv ? glibc) - '' + preConfigure = with stdenv; '' fixCmakeFiles . substituteInPlace Modules/Platform/UnixPaths.cmake \ - --subst-var-by glibc_bin ${getBin glibc} \ - --subst-var-by glibc_dev ${getDev glibc} \ - --subst-var-by glibc_lib ${getLib glibc} + --subst-var-by libc_bin ${getBin cc.libc} \ + --subst-var-by libc_dev ${getDev cc.libc} \ + --subst-var-by libc_lib ${getLib cc.libc} substituteInPlace Modules/FindCxxTest.cmake \ --replace "$""{PYTHON_EXECUTABLE}" ${stdenv.shell} ''; diff --git a/pkgs/development/tools/build-managers/cmake/search-path-3.2.patch b/pkgs/development/tools/build-managers/cmake/search-path-3.2.patch index b61982efb9a7..ba7438d2c0f9 100644 --- a/pkgs/development/tools/build-managers/cmake/search-path-3.2.patch +++ b/pkgs/development/tools/build-managers/cmake/search-path-3.2.patch @@ -25,7 +25,7 @@ diff -ru3 cmake-3.4.3/Modules/Platform/UnixPaths.cmake cmake-3.4.3-new/Modules/P - /usr/pkg/include - /opt/csw/include /opt/include - /usr/openwin/include -+ @glibc_dev@/include ++ @libc_dev@/include ) - list(APPEND CMAKE_SYSTEM_LIBRARY_PATH @@ -39,26 +39,26 @@ diff -ru3 cmake-3.4.3/Modules/Platform/UnixPaths.cmake cmake-3.4.3-new/Modules/P - /usr/pkg/lib - /opt/csw/lib /opt/lib - /usr/openwin/lib -+ @glibc_lib@/lib ++ @libc_lib@/lib ) list(APPEND CMAKE_SYSTEM_PROGRAM_PATH - /usr/pkg/bin -+ @glibc_bin@/bin ++ @libc_bin@/bin ) list(APPEND CMAKE_PLATFORM_IMPLICIT_LINK_DIRECTORIES - /lib /lib32 /lib64 /usr/lib /usr/lib32 /usr/lib64 -+ @glibc_lib@/lib ++ @libc_lib@/lib ) list(APPEND CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES - /usr/include -+ @glibc_dev@/include ++ @libc_dev@/include ) list(APPEND CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES - /usr/include -+ @glibc_dev@/include ++ @libc_dev@/include ) # Enable use of lib64 search path variants by default. 
diff --git a/pkgs/development/tools/build-managers/cmake/search-path.patch b/pkgs/development/tools/build-managers/cmake/search-path.patch index 6d6ca74ccadc..9fc949661686 100644 --- a/pkgs/development/tools/build-managers/cmake/search-path.patch +++ b/pkgs/development/tools/build-managers/cmake/search-path.patch @@ -53,7 +53,7 @@ diff -ru3 cmake-2.8.12.2/Modules/Platform/UnixPaths.cmake cmake-2.8.12.2-new/Mod - /usr/pkg/include - /opt/csw/include /opt/include - /usr/openwin/include -+ @glibc_dev@/include ++ @libc_dev@/include ) list(APPEND CMAKE_SYSTEM_LIBRARY_PATH @@ -67,26 +67,26 @@ diff -ru3 cmake-2.8.12.2/Modules/Platform/UnixPaths.cmake cmake-2.8.12.2-new/Mod - /usr/pkg/lib - /opt/csw/lib /opt/lib - /usr/openwin/lib -+ @glibc_lib@/lib ++ @libc_lib@/lib ) list(APPEND CMAKE_SYSTEM_PROGRAM_PATH - /usr/pkg/bin -+ @glibc_bin@/bin ++ @libc_bin@/bin ) list(APPEND CMAKE_PLATFORM_IMPLICIT_LINK_DIRECTORIES - /lib /usr/lib /usr/lib32 /usr/lib64 -+ @glibc_lib@/lib ++ @libc_lib@/lib ) list(APPEND CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES - /usr/include -+ @glibc_dev@/include ++ @libc_dev@/include ) list(APPEND CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES - /usr/include -+ @glibc_dev@/include ++ @libc_dev@/include ) # Enable use of lib64 search path variants by default. From 48d7c7751a4a320a8bc68a54f9c528aa9bea1482 Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Thu, 13 Oct 2016 08:07:58 -0500 Subject: [PATCH 02/10] cmake: bootstrap in parallel Builds on previous commit so this happens without needing stdenv.glibc. --- pkgs/development/tools/build-managers/cmake/2.8.nix | 1 + pkgs/development/tools/build-managers/cmake/default.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/pkgs/development/tools/build-managers/cmake/2.8.nix b/pkgs/development/tools/build-managers/cmake/2.8.nix index 52c577aedb35..a197c69edff5 100644 --- a/pkgs/development/tools/build-managers/cmake/2.8.nix +++ b/pkgs/development/tools/build-managers/cmake/2.8.nix 
@@ -69,6 +69,7 @@ stdenv.mkDerivation rec { --subst-var-by libc_bin ${getBin cc.libc} \ --subst-var-by libc_dev ${getDev cc.libc} \ --subst-var-by libc_lib ${getLib cc.libc} + configureFlags="--parallel=''${NIX_BUILD_CORES:-1} $configureFlags" ''; meta = { diff --git a/pkgs/development/tools/build-managers/cmake/default.nix b/pkgs/development/tools/build-managers/cmake/default.nix index 012ece041b21..9cc8d9875708 100644 --- a/pkgs/development/tools/build-managers/cmake/default.nix +++ b/pkgs/development/tools/build-managers/cmake/default.nix @@ -51,6 +51,7 @@ stdenv.mkDerivation rec { --subst-var-by libc_lib ${getLib cc.libc} substituteInPlace Modules/FindCxxTest.cmake \ --replace "$""{PYTHON_EXECUTABLE}" ${stdenv.shell} + configureFlags="--parallel=''${NIX_BUILD_CORES:-1} $configureFlags" ''; configureFlags = [ "--docdir=share/doc/${name}" From 31f0fdef32f014eee619ce27c0b5f44b255c311f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sat, 29 Oct 2016 22:07:48 +0200 Subject: [PATCH 03/10] cmake: minor update 3.6.0 -> 3.6.2 --- pkgs/development/tools/build-managers/cmake/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/tools/build-managers/cmake/default.nix b/pkgs/development/tools/build-managers/cmake/default.nix index 9cc8d9875708..1e4bacb07254 100644 --- a/pkgs/development/tools/build-managers/cmake/default.nix +++ b/pkgs/development/tools/build-managers/cmake/default.nix @@ -13,7 +13,7 @@ assert stdenv.cc ? libc; let os = stdenv.lib.optionalString; majorVersion = "3.6"; - minorVersion = "0"; + minorVersion = "2"; version = "${majorVersion}.${minorVersion}"; in 
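Review bot: `configureFlags="--parallel=''${NIX_BUILD_CORES:-1} $configureFlags"` in 2.8.nix's preConfigure (and the identical line added to default.nix in this commit) rebuilds the flag string in shell, which only works because mkDerivation flattens the Nix `configureFlags` list into a whitespace-joined environment variable; any flag containing a space would be re-split. The stdenv setup provides `configureFlagsArray` for this case, so `configureFlagsArray+=("--parallel=''${NIX_BUILD_CORES:-1}")` keeps each flag as one word. A short comment explaining why `--parallel` is injected from shell rather than listed in Nix (it needs the builder-side `NIX_BUILD_CORES`) would also help the next reader.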
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "${meta.homepage}files/v${majorVersion}/cmake-${version}.tar.gz"; - sha256 = "0w3n2i02jpbgai4dxsigm1c1i1qb5v70wyxckzwrxvs0ri0fs1gx"; + sha256 = "0imkz04ncz6cv5659qfd4scm99k3siq7zrrsa8pvp663d8mf76hq"; }; # Don't search in non-Nix locations such as /usr, but do search in our libc. From 1ad1edbb32ce01ba8b47d8e8dad357b0edd6a4dc Mon Sep 17 00:00:00 2001 From: David McFarland Date: Sun, 30 Oct 2016 10:41:41 -0300 Subject: [PATCH 04/10] cc-wrapper: expand response files Fixes #11762 --- pkgs/build-support/cc-wrapper/cc-wrapper.sh | 2 +- pkgs/build-support/cc-wrapper/ld-wrapper.sh | 2 +- pkgs/build-support/cc-wrapper/utils.sh | 24 +++++++++++++++++++++ 3 files changed, 26 insertions(+), 2 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh index 894ea95b5fa0..6287f83ed379 100644 --- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh @@ -23,7 +23,7 @@ getVersion=0 nonFlagArgs=0 [[ "@prog@" = *++ ]] && isCpp=1 || isCpp=0 -params=("$@") +expandResponseParams "$@" n=0 while [ $n -lt ${#params[*]} ]; do p=${params[n]} diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh index 28d73f046e68..391b5744d02a 100644 --- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh @@ -16,7 +16,7 @@ source @out@/nix-support/utils.sh # Optionally filter out paths not refering to the store. -params=("$@") +expandResponseParams "$@" if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \ -a \( -z "$NIX_IGNORE_LD_THROUGH_GCC" -o -z "$NIX_LDFLAGS_SET" \) ]; then rest=() diff --git a/pkgs/build-support/cc-wrapper/utils.sh b/pkgs/build-support/cc-wrapper/utils.sh index 3ab512d85c4e..481d642f9674 100644 --- a/pkgs/build-support/cc-wrapper/utils.sh +++ b/pkgs/build-support/cc-wrapper/utils.sh 
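Review bot: In the cc-wrapper.sh hunk the bare call `expandResponseParams "$@"` relies on utils.sh having been sourced earlier in the script, which this hunk does not show (the ld-wrapper.sh hunk header does show `source @out@/nix-support/utils.sh`); worth confirming, since an undefined function would either abort the wrapper or leave `params` empty. The function communicates through the global `params` array rather than a return value, so a call-site comment such as `# sets the global params array, expanding @file response files` would make the disappearance of `params=("$@")` less surprising. For ld-wrapper.sh it is worth stating in the description that the `NIX_ENFORCE_PURITY` filter that follows now also sees paths that were previously hidden inside response files.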
@@ -22,3 +22,27 @@ badPath() {
 "${p:0:4}" != "/tmp" -a \
 "${p:0:${#NIX_BUILD_TOP}}" != "$NIX_BUILD_TOP"
 }
+
+expandResponseParams() {
+ local inparams=("$@")
+ local n=0
+ local p
+ params=()
+ while [ $n -lt ${#inparams[*]} ]; do
+ p=${inparams[n]}
+ case $p in
+ @*)
+ if [ -e "${p:1}" ]; then
+ args=$(<"${p:1}")
+ eval 'for arg in '$args'; do params+=("$arg"); done'
+ else
+ params+=("$p")
+ fi
+ ;;
+ *)
+ params+=("$p")
+ ;;
+ esac
+ n=$((n + 1))
+ done
+}
From 9665fa4fd036faf7c2a67ef758428709a2bea7f8 Mon Sep 17 00:00:00 2001 From: rnhmjoj Date: Fri, 4 Nov 2016 00:05:52 +0100 Subject: [PATCH 05/10] mesa: 12.0.1 -> 13.0.0
--- pkgs/development/libraries/mesa/default.nix | 10 +++------ .../libraries/mesa/dlopen-absolute-paths.diff | 22 ------------------- 2 files changed, 3 insertions(+), 29 deletions(-) delete mode 100644 pkgs/development/libraries/mesa/dlopen-absolute-paths.diff
diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
index 5ff884fd3c1d..3475a5997eaf 100644
--- a/pkgs/development/libraries/mesa/default.nix
+++ b/pkgs/development/libraries/mesa/default.nix
@@ -26,7 +26,7 @@ if ! lists.elem stdenv.system platforms.mesaPlatforms then
 else
 let
- version = "12.0.3";
+ version = "13.0.0";
 branch = head (splitString "." version);
 driverLink = "/run/opengl-driver" + optionalString stdenv.isi686 "-32";
 in
@@ -40,7 +40,7 @@ stdenv.mkDerivation {
 "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
 "https://launchpad.net/mesa/trunk/${version}/+download/mesa-${version}.tar.xz"
 ];
- sha256 = "1dc86dd9b51272eee1fad3df65e18cda2e556ef1bc0b6e07cd750b9757f493b1";
+ sha256 = "09yp4wh89srxqqzsnrqgw4gmx68mgxic5nbrprl6l1l2zzmv9vcl";
 };
 prePatch = "patchShebangs .";
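Review bot: The line `eval 'for arg in '$args'; do params+=("$arg"); done'` hands the raw text of the response file to the shell, so a `@file` containing `$(…)`, backticks, `;` or glob characters is evaluated or expanded by the wrapper instead of being passed through as compiler arguments, and `args` is also left as an unscoped global. GCC's @file format is whitespace-separated words with quote and backslash handling, not shell syntax, so a tokenizer that never evaluates the content is sufficient; one option that stays within bash plus findutils is below (`xargs -r printf '%s\0'` honours quotes and backslashes and emits one NUL-terminated word each), though whether xargs is on PATH at this stage of the bootstrap would need confirming. Nested `@file` references inside a response file are still passed through literally, which differs from the compiler's recursive expansion; if that is intended, a comment saying so would help. `[ -e "${p:1}" ]` also accepts a directory, for which `$(<…)` fails, so `-f` is the intended test.
```shell
+ local inparams=("$@")
+ local n=0
+ local p arg
# … unchanged: params=(), while loop head, p=${inparams[n]}, case $p in …
+ @*)
+ if [ -f "${p:1}" ]; then
+ # Tokenize the response file (quotes and backslashes honoured)
+ # without evaluating its contents as shell code.
+ while IFS= read -r -d '' arg; do
+ params+=("$arg")
+ done < <(xargs -r printf '%s\0' < "${p:1}")
+ else
+ params+=("$p")
+ fi
+ ;;
# … unchanged: default case, esac, counter increment, loop end …
```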
@@ -51,11 +51,7 @@ stdenv.mkDerivation { patches = [ ./glx_ro_text_segm.patch # fix for grsecurity/PaX ./symlink-drivers.patch - ] ++ optional stdenv.isLinux - (substituteAll { - src = ./dlopen-absolute-paths.diff; - libudev = systemd.lib; - }); + ]; postPatch = '' substituteInPlace src/egl/main/egldriver.c \ diff --git a/pkgs/development/libraries/mesa/dlopen-absolute-paths.diff b/pkgs/development/libraries/mesa/dlopen-absolute-paths.diff deleted file mode 100644 index 9a5226572239..000000000000 --- a/pkgs/development/libraries/mesa/dlopen-absolute-paths.diff +++ /dev/null @@ -1,22 +0,0 @@ -diff --git a/loader.c b/loader.c -index 4fdf3c2..69ea22d 100644 ---- a/src/loader/loader.c -+++ b/src/loader/loader.c -@@ -112,7 +112,7 @@ static void *udev_handle = NULL; - static void * - udev_dlopen_handle(void) - { -- char name[80]; -+ char name[256]; - unsigned flags = RTLD_NOLOAD | RTLD_LOCAL | RTLD_LAZY; - int version; - -@@ -126,7 +126,7 @@ udev_dlopen_handle(void) - /* First try opening an already linked libudev, then try loading one */ - do { - for (version = 1; version >= 0; version--) { -- snprintf(name, sizeof(name), "libudev.so.%d", version); -+ snprintf(name, sizeof(name), "@libudev@/lib/libudev.so.%d", version); - udev_handle = dlopen(name, flags); - if (udev_handle) - return udev_handle; From ac59e2f184fe0beeec2920dc9d6d9830813d9212 Mon Sep 17 00:00:00 2001 From: Shea Levy Date: Fri, 4 Nov 2016 23:05:26 -0400 Subject: [PATCH 06/10] tar: patch for CVE-2016-6321 https://lwn.net/Vulnerabilities/705216/ --- .../archivers/gnutar/CVE-2016-6321.patch | 35 +++++++++++++++++++ pkgs/tools/archivers/gnutar/default.nix | 2 +- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 pkgs/tools/archivers/gnutar/CVE-2016-6321.patch diff --git a/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch b/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch new file mode 100644 index 000000000000..c53d92891fc4 --- /dev/null +++ b/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch 
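Review bot: The `substituteAll { src = ./dlopen-absolute-paths.diff; … }` entry is dropped from `patches` in the same hunk as the version bump, but the description gives no rationale; the deleted file shows that patch replaced the bare `libudev.so.%d` soname with a `@libudev@/lib/` store path so the loader did not depend on the runtime library search path. If 13.0.0 no longer dlopens libudev, saying so in the description is enough; if it still does, libudev will now be resolved through the dynamic loader's search path, which in a Nix environment means it may not be found at all or may pick up whatever `LD_LIBRARY_PATH` supplies. A one-line comment on the `patches` list recording why the patch was removed would save the question at the next bump.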
@@ -0,0 +1,35 @@ +commit 7340f67b9860ea0531c1450e5aa261c50f67165d +Author: Paul Eggert +Date: Sat Oct 29 21:04:40 2016 -0700 + + When extracting, skip ".." members + + * NEWS: Document this. + * src/extract.c (extract_archive): Skip members whose names + contain "..". + +diff --git a/src/extract.c b/src/extract.c +index f982433..7904148 100644 +--- a/src/extract.c ++++ b/src/extract.c +@@ -1629,12 +1629,20 @@ extract_archive (void) + { + char typeflag; + tar_extractor_t fun; ++ bool skip_dotdot_name; + + fatal_exit_hook = extract_finish; + + set_next_block_after (current_header); + ++ skip_dotdot_name = (!absolute_names_option ++ && contains_dot_dot (current_stat_info.orig_file_name)); ++ if (skip_dotdot_name) ++ ERROR ((0, 0, _("%s: Member name contains '..'"), ++ quotearg_colon (current_stat_info.orig_file_name))); ++ + if (!current_stat_info.file_name[0] ++ || skip_dotdot_name + || (interactive_option + && !confirm ("extract", current_stat_info.file_name))) + { diff --git a/pkgs/tools/archivers/gnutar/default.nix b/pkgs/tools/archivers/gnutar/default.nix index 16660fea3e72..80c84236b8db 100644 --- a/pkgs/tools/archivers/gnutar/default.nix +++ b/pkgs/tools/archivers/gnutar/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0"; }; - patches = [ ]; # FIXME: remove on another stdenv rebuild + patches = [ ./CVE-2016-6321.patch ]; # FIXME: remove on another stdenv rebuild # avoid retaining reference to CF during stdenv bootstrap configureFlags = stdenv.lib.optionals stdenv.isDarwin [ From 5ad7cf37283a1efb4e74d0798d6d7579042719e6 Mon Sep 17 00:00:00 2001 
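Review bot: The trailing `# FIXME: remove on another stdenv rebuild` comment now attaches to `./CVE-2016-6321.patch` and reads as an instruction to drop the security fix at the next rebuild, which is presumably not intended; it originally belonged to the empty placeholder list. Suggest `patches = [ ./CVE-2016-6321.patch ]; # FIXME: drop once tar is bumped to a release that includes this fix`. For the record, the patch itself (the new file in this commit) only rejects `..` members when `absolute_names_option` is unset, i.e. extraction with `-P` keeps upstream's behaviour, which matches the upstream change it carries.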
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sat, 5 Nov 2016 08:15:42 +0100 Subject: [PATCH 07/10] Revert #20139: mesa: 12.0.1 -> 13.0.0 x.y.0 aren't considered stable for general deployment; let's wait a bit for 13.0.1. This reverts commit 1c6b3bdc3532a6d2394cef6db1889fc9f0b94ff7, reversing changes made to d0ae7b973d8a4f064324a058a83385a68b177e72. --- pkgs/development/libraries/mesa/default.nix | 10 ++++++--- .../libraries/mesa/dlopen-absolute-paths.diff | 22 +++++++++++++++++++ 2 files changed, 29 insertions(+), 3 deletions(-) create mode 100644 pkgs/development/libraries/mesa/dlopen-absolute-paths.diff diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix index 3475a5997eaf..5ff884fd3c1d 100644 --- a/pkgs/development/libraries/mesa/default.nix +++ b/pkgs/development/libraries/mesa/default.nix @@ -26,7 +26,7 @@ if ! lists.elem stdenv.system platforms.mesaPlatforms then else let - version = "13.0.0"; + version = "12.0.3"; branch = head (splitString "." version); driverLink = "/run/opengl-driver" + optionalString stdenv.isi686 "-32"; in @@ -40,7 +40,7 @@ stdenv.mkDerivation { "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz" "https://launchpad.net/mesa/trunk/${version}/+download/mesa-${version}.tar.xz" ]; - sha256 = "09yp4wh89srxqqzsnrqgw4gmx68mgxic5nbrprl6l1l2zzmv9vcl"; + sha256 = "1dc86dd9b51272eee1fad3df65e18cda2e556ef1bc0b6e07cd750b9757f493b1"; }; prePatch = "patchShebangs ."; @@ -51,7 +51,11 @@ stdenv.mkDerivation { patches = [ ./glx_ro_text_segm.patch # fix for grsecurity/PaX ./symlink-drivers.patch - ]; + ] ++ optional stdenv.isLinux + (substituteAll { + src = ./dlopen-absolute-paths.diff; + libudev = systemd.lib; + }); postPatch = '' substituteInPlace src/egl/main/egldriver.c \ 
diff --git a/pkgs/development/libraries/mesa/dlopen-absolute-paths.diff b/pkgs/development/libraries/mesa/dlopen-absolute-paths.diff new file mode 100644 index 000000000000..9a5226572239 --- /dev/null +++ b/pkgs/development/libraries/mesa/dlopen-absolute-paths.diff @@ -0,0 +1,22 @@ +diff --git a/loader.c b/loader.c +index 4fdf3c2..69ea22d 100644 +--- a/src/loader/loader.c ++++ b/src/loader/loader.c +@@ -112,7 +112,7 @@ static void *udev_handle = NULL; + static void * + udev_dlopen_handle(void) + { +- char name[80]; ++ char name[256]; + unsigned flags = RTLD_NOLOAD | RTLD_LOCAL | RTLD_LAZY; + int version; + +@@ -126,7 +126,7 @@ udev_dlopen_handle(void) + /* First try opening an already linked libudev, then try loading one */ + do { + for (version = 1; version >= 0; version--) { +- snprintf(name, sizeof(name), "libudev.so.%d", version); ++ snprintf(name, sizeof(name), "@libudev@/lib/libudev.so.%d", version); + udev_handle = dlopen(name, flags); + if (udev_handle) + return udev_handle; From d9db3208890b805569a9a85fe15fff624010fa99 Mon Sep 17 00:00:00 2001 From: Jan Malakhovski Date: Sun, 6 Nov 2016 09:57:26 +0000 Subject: [PATCH 08/10] libtiff: patch for some more CVEs, fix patch urls --- .../development/libraries/libtiff/default.nix | 30 ++++++++++++++----- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/pkgs/development/libraries/libtiff/default.nix b/pkgs/development/libraries/libtiff/default.nix index b632b910f01f..45810283e052 100644 --- a/pkgs/development/libraries/libtiff/default.nix +++ b/pkgs/development/libraries/libtiff/default.nix @@ -2,6 +2,7 @@ let version = "4.0.6"; + debversion = "3"; in stdenv.mkDerivation rec { name = "libtiff-${version}"; 
@@ -19,35 +20,48 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - patches = [ + patches = let p = "https://sources.debian.net/data/main/t/tiff/${version}-${debversion}/debian/patches"; in [ (fetchpatch { - url = "https://sources.debian.net/data/main/t/tiff/4.0.6-2/debian/patches/01-CVE-2015-8665_and_CVE-2015-8683.patch"; + url = "${p}/01-CVE-2015-8665_and_CVE-2015-8683.patch"; sha256 = "1c4zmvxj124873al8fvkiv8zq7wx5mv2vd4f1y9w8liv92cm7hkc"; }) (fetchpatch { - url = "https://sources.debian.net/data/main/t/tiff/4.0.6-2/debian/patches/02-fix_potential_out-of-bound_writes_in_decode_functions.patch"; + url = "${p}/02-fix_potential_out-of-bound_writes_in_decode_functions.patch"; sha256 = "0rsc7zh7cdhgcmx2vbjfaqrb0g93a3924ngqkrzb14w5j2fqfbxv"; }) (fetchpatch { - url = "https://sources.debian.net/data/main/t/tiff/4.0.6-2/debian/patches/03-fix_potential_out-of-bound_write_in_NeXTDecode.patch"; + url = "${p}/03-fix_potential_out-of-bound_write_in_NeXTDecode.patch"; sha256 = "1s01xhp4sl04yhqhqwp50gh43ykcqk230mmbv62vhy2jh7v0ky3a"; }) (fetchpatch { - url = "https://sources.debian.net/data/main/t/tiff/4.0.6-2/debian/patches/04-CVE-2016-5314_CVE-2016-5316_CVE-2016-5320_CVE-2016-5875.patch"; + url = "${p}/04-CVE-2016-5314_CVE-2016-5316_CVE-2016-5320_CVE-2016-5875.patch"; sha256 = "0by35qxpzv9ib3mnh980gd30jf3qmsfp2kl730rq4pq66wpzg9m8"; }) (fetchpatch { - url = "https://sources.debian.net/data/main/t/tiff/4.0.6-2/debian/patches/05-CVE-2016-6223.patch"; + url = "${p}/05-CVE-2016-6223.patch"; sha256 = "0rh8ia0wsf5yskzwdjrlbiilc9m0lq0igs42k6922pl3sa1lxzv1"; }) (fetchpatch { - url = "https://sources.debian.net/data/main/t/tiff/4.0.6-2/debian/patches/06-CVE-2016-5321.patch"; + url = "${p}/06-CVE-2016-5321.patch"; sha256 = "0n0igfxbd3kqvvj2k2xgysrp63l4v2gd110fwkk4apfpm0hvzwh0"; }) (fetchpatch { - url = "https://sources.debian.net/data/main/t/tiff/4.0.6-2/debian/patches/07-CVE-2016-5323.patch"; + url = "${p}/07-CVE-2016-5323.patch"; sha256 = 
"1j6w8g6qizkx5h4aq95kxzx6bgkn4jhc8l22swwhvlkichsh4910"; }) + (fetchpatch { + url = "${p}/08-CVE-2016-3623_CVE-2016-3624.patch"; + sha256 = "1xnvwjvgyxi387h1sdiyp4360a3176jmipb7ghm8vwiz7cisdn9z"; + }) + (fetchpatch { + url = "${p}/09-CVE-2016-5652.patch"; + sha256 = "1yqfq32gzh21ab2jfqkq13gaz0nin0492l06adzsyhr5brvdhnx8"; + }) + (fetchpatch { + url = "${p}/10-CVE-2016-3658.patch"; + sha256 = "01kb8rfk30fgjf1hy0m088yhjfld1yyh4bk3gkg8jx3dl9bd076d"; + }) + ]; From ac5950a4a91aa2cafd9f1cdfb772275a3de7c641 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sun, 6 Nov 2016 11:37:47 +0100 Subject: [PATCH 09/10] libtiff: the new hashes are for fetchurl, really ... and there's not much reason to use fetchpatch in this case anyway. --- pkgs/development/libraries/libtiff/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/libtiff/default.nix b/pkgs/development/libraries/libtiff/default.nix index 45810283e052..1911a5a93b09 100644 --- a/pkgs/development/libraries/libtiff/default.nix +++ b/pkgs/development/libraries/libtiff/default.nix @@ -49,15 +49,15 @@ stdenv.mkDerivation rec { url = "${p}/07-CVE-2016-5323.patch"; sha256 = "1j6w8g6qizkx5h4aq95kxzx6bgkn4jhc8l22swwhvlkichsh4910"; }) - (fetchpatch { + (fetchurl { url = "${p}/08-CVE-2016-3623_CVE-2016-3624.patch"; sha256 = "1xnvwjvgyxi387h1sdiyp4360a3176jmipb7ghm8vwiz7cisdn9z"; }) - (fetchpatch { + (fetchurl { url = "${p}/09-CVE-2016-5652.patch"; sha256 = "1yqfq32gzh21ab2jfqkq13gaz0nin0492l06adzsyhr5brvdhnx8"; }) - (fetchpatch { + (fetchurl { url = "${p}/10-CVE-2016-3658.patch"; sha256 = "01kb8rfk30fgjf1hy0m088yhjfld1yyh4bk3gkg8jx3dl9bd076d"; }) From 83f28fdd73cd7af05bbbe90531e4623c3305afb0 Mon Sep 17 00:00:00 2001 
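Review bot: The `let p = "https://sources.debian.net/data/main/t/tiff/${version}-${debversion}/debian/patches"; in` base URL ties all ten patches to one Debian upload, whose path on sources.debian.net is not guaranteed to stay available once a newer revision is uploaded; the sha256 pins integrity, but not availability. A comment on that line naming where the same files can be recovered, e.g. `# Debian's patches for tiff ${version}-${debversion}; identical files ship in the Debian source package if this URL disappears`, would help whoever next hits a 404. Bumping `debversion` silently changes which patch files the hashes are checked against, so it is worth noting there that every hash must be re-verified when it changes.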
From: Jan Malakhovski Date: Sun, 6 Nov 2016 21:42:54 +0100 Subject: [PATCH 10/10] libtiff: `fetchpatch` -> `fetchurl` See #20206. vcunat doesn't consider this important, but it is perhaps nicer and now is a moment we can afford to rehash. --- .../development/libraries/libtiff/default.nix | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/pkgs/development/libraries/libtiff/default.nix b/pkgs/development/libraries/libtiff/default.nix index 1911a5a93b09..394e6c2c170f 100644 --- a/pkgs/development/libraries/libtiff/default.nix +++ b/pkgs/development/libraries/libtiff/default.nix 
@@ -21,33 +21,33 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; patches = let p = "https://sources.debian.net/data/main/t/tiff/${version}-${debversion}/debian/patches"; in [ - (fetchpatch { + (fetchurl { url = "${p}/01-CVE-2015-8665_and_CVE-2015-8683.patch"; - sha256 = "1c4zmvxj124873al8fvkiv8zq7wx5mv2vd4f1y9w8liv92cm7hkc"; + sha256 = "0qiiqpbbsf01b59x01z38cg14pmg1ggcsqm9n1gsld6rr5wm3ryz"; }) - (fetchpatch { + (fetchurl { url = "${p}/02-fix_potential_out-of-bound_writes_in_decode_functions.patch"; - sha256 = "0rsc7zh7cdhgcmx2vbjfaqrb0g93a3924ngqkrzb14w5j2fqfbxv"; + sha256 = "1ph057w302i2s94rhdw6ksyvpsmg1nlanvc0251x01s23gkdbakv"; }) - (fetchpatch { + (fetchurl { url = "${p}/03-fix_potential_out-of-bound_write_in_NeXTDecode.patch"; - sha256 = "1s01xhp4sl04yhqhqwp50gh43ykcqk230mmbv62vhy2jh7v0ky3a"; + sha256 = "1nhjg2gdvyzi4wa2g7nwmzm7nssz9dpdfkwms1rp8i1034qdlgc6"; }) - (fetchpatch { + (fetchurl { url = "${p}/04-CVE-2016-5314_CVE-2016-5316_CVE-2016-5320_CVE-2016-5875.patch"; - sha256 = "0by35qxpzv9ib3mnh980gd30jf3qmsfp2kl730rq4pq66wpzg9m8"; + sha256 = "0n47yk9wcvc9j72yvm5bhpaqq0yfz8jnq9zxbnzx5id9gdxmrkn3"; }) - (fetchpatch { + (fetchurl { url = "${p}/05-CVE-2016-6223.patch"; - sha256 = "0rh8ia0wsf5yskzwdjrlbiilc9m0lq0igs42k6922pl3sa1lxzv1"; + sha256 = "0r80hil9k6scdjppgyljhm0s2z6c8cm259f0ic0xvxidfaim6g2r"; }) - (fetchpatch { + (fetchurl { url = "${p}/06-CVE-2016-5321.patch"; - sha256 = "0n0igfxbd3kqvvj2k2xgysrp63l4v2gd110fwkk4apfpm0hvzwh0"; + sha256 = "1aacymlqv6cam8i4nbma9v05r3v3xjpagns7q0ii268h0mhzq6qg"; }) - (fetchpatch { + (fetchurl { url = "${p}/07-CVE-2016-5323.patch"; - sha256 = "1j6w8g6qizkx5h4aq95kxzx6bgkn4jhc8l22swwhvlkichsh4910"; + sha256 = "1xr5hy2fxa71j3fcc1l998pxyblv207ygzyhibwb1lia5zjgblch"; }) (fetchurl { url = "${p}/08-CVE-2016-3623_CVE-2016-3624.patch"; @@ -61,8 +61,6 @@ stdenv.mkDerivation rec { url = "${p}/10-CVE-2016-3658.patch"; sha256 = "01kb8rfk30fgjf1hy0m088yhjfld1yyh4bk3gkg8jx3dl9bd076d"; }) - - ]; doCheck = true;