From 3741ecd57ccaed64713376604a8a44835b883305 Mon Sep 17 00:00:00 2001
From: James Edington
Date: Wed, 29 Nov 2017 01:15:37 -0600
Subject: [PATCH 1/8] palemoon: 27.6.0 -> 27.6.2
Small security and bugfix update
---
pkgs/applications/networking/browsers/palemoon/default.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/applications/networking/browsers/palemoon/default.nix b/pkgs/applications/networking/browsers/palemoon/default.nix
index e24c21b535bf..736011a13eba 100644
--- a/pkgs/applications/networking/browsers/palemoon/default.nix
+++ b/pkgs/applications/networking/browsers/palemoon/default.nix
@@ -10,14 +10,14 @@ stdenv.mkDerivation rec {
 name = "palemoon-${version}";
- version = "27.6.0";
+ version = "27.6.2";
 src = fetchFromGitHub {
 name = "palemoon-src";
 owner = "MoonchildProductions";
 repo = "Pale-Moon";
 rev = version + "_Release";
- sha256 = "1v5rbam93fcc7c1l69clr9chi2l0zv0dhjq12v535n8vv9lhahhl";
+ sha256 = "0ickxrwl36iyqj3v9qq6hnfl2y652f2ppwi949pfh4f6shm9x0ri";
 };
 desktopItem = makeDesktopItem {
From 131f48d0b1a029c266114acedd4b747ae4793041 Mon Sep 17 00:00:00 2001
From: Kranium Gikos Mendoza
Date: Tue, 14 Nov 2017 05:32:13 +1100
Subject: [PATCH 2/8] yq: init at 2.3.3
---
pkgs/development/tools/yq/default.nix | 26 ++++++++++++++++++++++++++
pkgs/top-level/all-packages.nix | 4 ++++
2 files changed, 30 insertions(+)
create mode 100644 pkgs/development/tools/yq/default.nix
diff --git a/pkgs/development/tools/yq/default.nix b/pkgs/development/tools/yq/default.nix
new file mode 100644
index 000000000000..6ddea86f1a7c
--- /dev/null
+++ b/pkgs/development/tools/yq/default.nix
@@ -0,0 +1,26 @@
+{ stdenv, lib, buildPythonApplication, fetchPypi, pyyaml, jq }:
+
+buildPythonApplication rec {
+
+ name = "${pname}-${version}";
+ pname = "yq";
+ version = "2.3.3";
+
+ propagatedBuildInputs = [ pyyaml jq ];
+
+ # ValueError: underlying buffer has been detached
+ doCheck = false;
+
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "14ywdi464z68qclsqzb8r50rzmypknaz74zmpppkahjigfcfppm3";
+ };
+
+ meta = with lib; {
+ description = "Command-line YAML processor - jq wrapper for YAML documents.";
+ homepage = https://pypi.python.org/pypi/yq;
+ license = [ licenses.asl20 ];
+ maintainers = [ maintainers.womfoo ];
+ };
+
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 57a3b10ed06c..25118406515c 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -7779,6 +7779,10 @@ with pkgs;
 yodl = callPackage ../development/tools/misc/yodl { };
+ yq = callPackage ../development/tools/yq {
+ inherit (python3Packages) buildPythonApplication fetchPypi pyyaml;
+ };
+
 winpdb = callPackage ../development/tools/winpdb { };
 grabserial = callPackage ../development/tools/grabserial { };
From 268d3656dbe04fe2eb0423440032dd74937ad427 Mon Sep 17 00:00:00 2001
From: Antoine Eiche
Date: Wed, 29 Nov 2017 08:31:28 +0100
Subject: [PATCH 3/8] qemu: fix CVE-2017-15118
See https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05045.html
---
pkgs/applications/virtualization/qemu/default.nix | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index 66e5928ca15f..2488bb1ae10e 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
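Review bot: `propagatedBuildInputs = [ pyyaml jq ]` makes jq visible at build time, but buildPythonApplication does not put a non-Python dependency on the installed program's runtime PATH, so if yq spawns a `jq` binary (the description calls it a "jq wrapper", which suggests so, but the Python source is not visible here) the installed command only works where the user already has jq in PATH. Wrapping the executable fixes that without leaking build inputs into the closure, e.g. `makeWrapperArgs = [ "--prefix PATH : ${lib.makeBinPath [ jq ]}" ];`. `doCheck = false` records the failing error but not whether it is an upstream-known failure or specific to the sandbox; a one-line note such as `# tests disabled: upstream test suite fails with "underlying buffer has been detached" under the sandbox — re-enable on next bump` keeps the disabled tests from being forgotten.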
@@ -62,7 +62,12 @@ stdenv.mkDerivation rec {
 patches = [ ./no-etc-install.patch ]
 ++ optional nixosTestRunner ./force-uid0-on-9p.patch
- ++ optional pulseSupport ./fix-hda-recording.patch;
+ ++ optional pulseSupport ./fix-hda-recording.patch
+ ++ [ (fetchpatch {
+ name = "qemu-CVE-2017-15118.patch";
+ url = "http://git.qemu.org/?p=qemu.git;a=patch;h=51ae4f8455c9e32c54770c4ebc25bf86a8128183";
+ sha256 = "0f9i096dz3h1i8g92y99vak23rjs1shf7prlcxqizsz0fah7wx7h"; })
+ ];
 hardeningDisable = [ "stackprotector" ];
From ffd7ebdd49966bd4c0fa81de21473d0cf6106146 Mon Sep 17 00:00:00 2001
From: Robert Helgesson
Date: Wed, 29 Nov 2017 12:49:58 +0100
Subject: [PATCH 4/8] perl-Log-Contextual: 0.007001 -> 0.008000
---
pkgs/top-level/perl-packages.nix | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix
index 3d70bb0cc252..d72364363cdc 100644
--- a/pkgs/top-level/perl-packages.nix
+++ b/pkgs/top-level/perl-packages.nix
@@ -8046,10 +8046,10 @@ let self = _self // overrides; _self = with self; {
 };
 LogContextual = buildPerlPackage rec {
- name = "Log-Contextual-0.007001";
+ name = "Log-Contextual-0.008000";
 src = fetchurl {
 url = "mirror://cpan/authors/id/F/FR/FREW/${name}.tar.gz";
- sha256 = "163c46f9cf4ed921356d300925a1c3ec4d7e0d20d1c678ade9ccc24efd990cd6";
+ sha256 = "acd804508740e35c208e0cff575f3dbca2e01b8e64ec00eec3f88c7c4e3d656c";
 };
 buildInputs = [ TestFatal ];
 propagatedBuildInputs = [ DataDumperConcise ExporterDeclare Moo ];
@@ -8057,7 +8057,6 @@ let self = _self // overrides; _self = with self; {
 homepage = https://github.com/frioux/Log-Contextual;
 description = "Simple logging interface with a contextual log";
 license = with stdenv.lib.licenses; [ artistic1 gpl1Plus ];
- platforms = stdenv.lib.platforms.unix;
 };
 };
From 5f59913c74f3b165594cedcaf7dc475407c2ca7d Mon Sep 17 00:00:00 2001
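Review bot: The CVE fix is fetched over plain `http://` from git.qemu.org; the pinned sha256 means a tampered or substituted download can only fail the build, not inject code, but an `https://` URL (if the host serves one — not verifiable from here) also removes the ability to observe or disrupt the fetch, and it is the form every other fetchpatch in this series uses. The explicit `name = "qemu-CVE-2017-15118.patch"` is worth keeping: without it the derivation name is the gitweb query string, which makes the fix hard to spot in `nix-store` output or in a security audit of the closure. Consider a one-line comment above the `fetchpatch` pointing at the qemu-devel reference from the commit message, so the reason for the patch survives the next version bump.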
From: Philipp Hausmann
Date: Mon, 30 Oct 2017 16:27:40 +0100
Subject: [PATCH 5/8] FusionInventory: 3.18 -> 3.21
---
.../services/monitoring/fusion-inventory.nix | 3 ---
.../monitoring/fusion-inventory/default.nix | 24 +++++++++++++------
.../remove_software_test.patch | 23 ++++++++++++++----
3 files changed, 35 insertions(+), 15 deletions(-)
diff --git a/nixos/modules/services/monitoring/fusion-inventory.nix b/nixos/modules/services/monitoring/fusion-inventory.nix
index 1c00f3c299e9..c3b869e00880 100644
--- a/nixos/modules/services/monitoring/fusion-inventory.nix
+++ b/nixos/modules/services/monitoring/fusion-inventory.nix
@@ -55,9 +55,6 @@ in {
 description = "Fusion Inventory Agent";
 wantedBy = [ "multi-user.target" ];
- environment = {
- OPTIONS = "--no-category=software";
- };
 serviceConfig = {
 ExecStart = "${pkgs.fusionInventory}/bin/fusioninventory-agent --conf-file=${configFile} --daemon --no-fork";
 };
diff --git a/pkgs/servers/monitoring/fusion-inventory/default.nix b/pkgs/servers/monitoring/fusion-inventory/default.nix
index 2e694ede497f..b4f5e325675a 100644
--- a/pkgs/servers/monitoring/fusion-inventory/default.nix
+++ b/pkgs/servers/monitoring/fusion-inventory/default.nix
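Review bot: The removed `environment.OPTIONS = "--no-category=software"` was never referenced by the `ExecStart` line, which passes a fixed flag set and does not expand `$OPTIONS`, so unless the agent reads that variable on its own (not visible here) the setting was inert and its removal is a no-op rather than the behaviour change the diff suggests. If the intent is that the agent now reports installed software on NixOS, that is a change in what leaves the host, so state it in the commit message or next to `serviceConfig`, e.g. `# software inventory is enabled; the package carries the Nix-store reader`. Either way, confirm against the agent's option handling that no `--no-category` default is still wanted.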
@@ -1,22 +1,28 @@
-{ stdenv, fetchurl, buildPerlPackage, perlPackages
+{ stdenv, lib, fetchurl, buildPerlPackage, perlPackages, gnused, nix, dmidecode, pciutils, usbutils, iproute, nettools
+, fetchFromGitHub, makeWrapper
 }:
 buildPerlPackage rec {
- version = "2.3.18";
 name = "FusionInventory-Agent-${version}";
+ version = "2.3.21";
 src = fetchurl {
- url = "mirror://cpan/authors/id/G/GR/GROUSSE/${name}.tar.gz";
- sha256 = "543d96fa61b8f2a2bc599fe9f694f19d1f2094dc5506bc514d00b8a445bc5401";
+ url = "mirror://cpan/authors/id/G/GB/GBOUGARD/${name}.tar.gz";
+ sha256 = "0c2ijild03bfw125h2gyaip2mg1jxk72dcanrlx9n6pjh2ay90zh";
 };
 patches = [ ./remove_software_test.patch ];
 postPatch = ''
 patchShebangs bin
+
+ substituteInPlace "lib/FusionInventory/Agent/Tools/Linux.pm" \
+ --replace /sbin/ip ${iproute}/sbin/ip
+ substituteInPlace "lib/FusionInventory/Agent/Task/Inventory/Linux/Networks.pm" \
+ --replace /sbin/ip ${iproute}/sbin/ip
 '';
 buildTools = [];
- buildInputs = with perlPackages; [
+ buildInputs = [ makeWrapper ] ++ (with perlPackages; [
 CGI
 DataStructureUtil
 FileCopyRecursive
@@ -28,6 +34,7 @@ buildPerlPackage rec {
 IPCRun
 JSON
 LWPProtocolhttps
+ ModuleInstall
 NetSNMP
 TestCompile
 TestDeep
@@ -35,7 +42,7 @@ buildPerlPackage rec {
 TestMockModule
 TestMockObject
 TestNoWarnings
- ];
+ ]);
 propagatedBuildInputs = with perlPackages; [
 FileWhich
 LWP
@@ -52,7 +59,10 @@ buildPerlPackage rec {
 cp -r lib $out
 for cur in $out/bin/*; do
- sed -e "s|./lib|$out/lib|" -i "$cur"
+ if [ -x "$cur" ]; then
+ sed -e "s|./lib|$out/lib|" -i "$cur"
+ wrapProgram "$cur" --prefix PATH : ${lib.makeBinPath [nix dmidecode pciutils usbutils nettools]}
+ fi
 done
 '';
diff --git a/pkgs/servers/monitoring/fusion-inventory/remove_software_test.patch b/pkgs/servers/monitoring/fusion-inventory/remove_software_test.patch
index 5449f4d3740f..b360f418aa0b 100644
--- a/pkgs/servers/monitoring/fusion-inventory/remove_software_test.patch
+++ b/pkgs/servers/monitoring/fusion-inventory/remove_software_test.patch
@@ -28,7 +28,7 @@ index 8ee7ff02c..bd5551ab3 100755
 skip 'live SNMP test disabled', 6 unless $ENV{TEST_LIVE_SNMP};
 diff --git a/t/apps/agent.t b/t/apps/agent.t
-index f417b4106..12207f192 100755
+index c0f6fc52f..c83837d70 100755
 --- a/t/apps/agent.t
 +++ b/t/apps/agent.t
 @@ -12,7 +12,7 @@ use XML::TreePP;
@@ -40,15 +40,28 @@ index f417b4106..12207f192 100755
 my ($content, $out, $err, $rc);
-@@ -73,11 +73,6 @@ subtest "first inventory execution and content" => sub {
+@@ -71,11 +71,6 @@ subtest "first inventory execution and content" => sub {
+ check_content_ok($out);
 };
- ok(
+-ok(
 - exists $content->{REQUEST}->{CONTENT}->{SOFTWARES},
 - 'inventory has software'
 -);
 -
--ok(
+ ok(
 exists $content->{REQUEST}->{CONTENT}->{ENVS},
 'inventory has environment variables'
- );
+diff --git a/t/tasks/inventory/linux/softwares.t b/t/tasks/inventory/linux/softwares.t
+index 72a0e578c..13944f34f 100755
+--- a/t/tasks/inventory/linux/softwares.t
++++ b/t/tasks/inventory/linux/softwares.t
+@@ -89,7 +89,7 @@ my $rpm_packages = [
+ PUBLISHER => 'Mageia.Org',
+ NAME => 'xfsprogs',
+ COMMENTS => 'Utilities for managing the XFS filesystem',
+- INSTALLDATE => '25/03/2012',
++ INSTALLDATE => '24/03/2012',
+ FILESIZE => '3628382',
+ FROM => 'rpm',
+ ARCH => 'x86_64',
From 59a737a9220dbd5de9e281744ff83c44ed762377 Mon Sep 17 00:00:00 2001
From: Philipp Hausmann
Date: Tue, 28 Nov 2017 08:26:38 +0100
Subject: [PATCH 6/8] FusionInventory: Patch in NixOS support
Adds support for the /etc/os-release file and to read installed software from the Nix store.
---
.../monitoring/fusion-inventory/default.nix | 26 +++++++++++++++----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/pkgs/servers/monitoring/fusion-inventory/default.nix b/pkgs/servers/monitoring/fusion-inventory/default.nix
index b4f5e325675a..34b4e87bf65c 100644
--- a/pkgs/servers/monitoring/fusion-inventory/default.nix
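Review bot: The new inner hunk for t/tasks/inventory/linux/softwares.t rewrites an expected `INSTALLDATE` from `'25/03/2012'` to `'24/03/2012'`; a one-day shift in an expected install date looks like a timezone-dependent fixture (an epoch timestamp rendered in whatever zone the build sandbox uses), so editing the expectation makes the test pass only in that zone and will drift again on the next environment change. Pinning `TZ` for the check phase, or skipping that single assertion with a comment naming the cause, is more robust than patching the fixture; the test file itself is not visible here, so confirm the cause before relying on this. The agent.t part of the patch is a routine re-base and needs no change.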
+++ b/pkgs/servers/monitoring/fusion-inventory/default.nix
@@ -5,14 +5,30 @@ buildPerlPackage rec {
 name = "FusionInventory-Agent-${version}";
 version = "2.3.21";
- src = fetchurl {
- url = "mirror://cpan/authors/id/G/GB/GBOUGARD/${name}.tar.gz";
- sha256 = "0c2ijild03bfw125h2gyaip2mg1jxk72dcanrlx9n6pjh2ay90zh";
+
+ src = fetchFromGitHub {
+ owner = "fusioninventory";
+ repo = "fusioninventory-agent";
+ rev = version;
+ sha256 = "034clffcn0agx85macjgml4lyhvvck7idn94pqd2c77pk6crvw2y";
 };
- patches = [ ./remove_software_test.patch ];
+ patches = [
+ ./remove_software_test.patch
+ # support for os-release file
+ (fetchurl {
+ url = https://github.com/fusioninventory/fusioninventory-agent/pull/396.diff;
+ sha256 = "0bxrjmff80ab01n23xggci32ajsah6zvcmz5x4hj6ayy6dzwi6jb";
+ })
+ # support for Nix software inventory
+ (fetchurl {
+ url = https://github.com/fusioninventory/fusioninventory-agent/pull/397.diff;
+ sha256 = "0pyf7mp0zsb3zcqb6yysr1zfp54p9ciwjn1pzayw6s9flmcgrmbw";
+ })
+ ];
 postPatch = ''
+
 patchShebangs bin
 substituteInPlace "lib/FusionInventory/Agent/Tools/Linux.pm" \
@@ -61,7 +77,7 @@ buildPerlPackage rec {
 for cur in $out/bin/*; do
 if [ -x "$cur" ]; then
 sed -e "s|./lib|$out/lib|" -i "$cur"
- wrapProgram "$cur" --prefix PATH : ${lib.makeBinPath [nix dmidecode pciutils usbutils nettools]}
+ wrapProgram "$cur" --prefix PATH : ${lib.makeBinPath [nix dmidecode pciutils usbutils nettools iproute]}
 fi
 done
 '';
From fc26ff04b236030a47bc3f57ba95017fdab53f8f Mon Sep 17 00:00:00 2001
From: Tuomas Tynkkynen
Date: Wed, 29 Nov 2017 17:01:17 +0200
Subject: [PATCH 7/8] llvm: Include aarch64 patch in repo
The URL is already a dead link.
---
pkgs/development/compilers/llvm/4/llvm.nix | 7 +--
pkgs/development/compilers/llvm/5/llvm.nix | 7 +--
pkgs/development/compilers/llvm/aarch64.patch | 51 +++++++++++++++++++
3 files changed, 53 insertions(+), 12 deletions(-)
create mode 100644 pkgs/development/compilers/llvm/aarch64.patch
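Review bot: Both new patches are fetched with `fetchurl` from pull-request `.diff` URLs (`/pull/396.diff`, `/pull/397.diff`); such a URL serves whatever the PR branch currently contains, so any push, rebase or merge on the PR changes the bytes and the pinned sha256 starts failing, and `fetchurl` skips the normalisation that `fetchpatch` applies, which makes that breakage more likely still. Prefer `fetchpatch` on a commit-pinned URL, e.g. `url = "https://github.com/fusioninventory/fusioninventory-agent/commit/<PR_HEAD_COMMIT>.diff";` with the placeholder replaced by each PR's head commit, keeping the `# support for …` comments. `rev = version` on the GitHub source is acceptable because the hash pins the content; a moved tag can only break the build, not change what is built.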
diff --git a/pkgs/development/compilers/llvm/4/llvm.nix b/pkgs/development/compilers/llvm/4/llvm.nix
index 1fe79d9300ab..33147b07599c 100644
--- a/pkgs/development/compilers/llvm/4/llvm.nix
+++ b/pkgs/development/compilers/llvm/4/llvm.nix
@@ -24,11 +24,6 @@ let
 src = fetch "llvm" "0l9bf7kdwhlj0kq1hawpyxhna1062z3h7qcz2y8nfl9dz2qksy6s";
- aarch64Patch = fetchpatch {
- url = https://reviews.llvm.org/file/data/2oqw5rhhklsapbjrhlpd/PHID-FILE-lvo4fcs6hjvkxb5wneg2/D40423.diff;
- sha256 = "0b0h7n7lxw33pn2j061hm9050zn263gmiig937g5cmcvjimxlybb";
- };
-
 # Used when creating a version-suffixed symlink of libLLVM.dylib
 shortVersion = with stdenv.lib;
 concatStringsSep "." (take 2 (splitString "." release_version));
@@ -87,7 +82,7 @@ in stdenv.mkDerivation rec {
 --replace 'struct sigaltstack' 'stack_t'
 )
 '' + stdenv.lib.optionalString stdenv.isAarch64 ''
- patch -p0 < ${aarch64Patch}
+ patch -p0 < ${../aarch64.patch}
 '';
 # hacky fix: created binaries need to be run before installation
diff --git a/pkgs/development/compilers/llvm/5/llvm.nix b/pkgs/development/compilers/llvm/5/llvm.nix
index 20b0f4b20c63..8358b6b18c35 100644
--- a/pkgs/development/compilers/llvm/5/llvm.nix
+++ b/pkgs/development/compilers/llvm/5/llvm.nix
@@ -24,11 +24,6 @@ let
 src = fetch "llvm" "1nin64vz21hyng6jr19knxipvggaqlkl2l9jpd5czbc4c2pcnpg3";
- aarch64Patch = fetchpatch {
- url = https://reviews.llvm.org/file/data/2oqw5rhhklsapbjrhlpd/PHID-FILE-lvo4fcs6hjvkxb5wneg2/D40423.diff;
- sha256 = "0b0h7n7lxw33pn2j061hm9050zn263gmiig937g5cmcvjimxlybb";
- };
-
 # Used when creating a version-suffixed symlink of libLLVM.dylib
 shortVersion = with stdenv.lib;
 concatStringsSep "." (take 2 (splitString "." release_version));
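Review bot: With the `aarch64Patch = fetchpatch { url = https://reviews.llvm.org/.../D40423.diff; ... }` binding deleted, nothing left in the tree records where `../aarch64.patch` came from, and the commit message says the original URL is already dead. The patch changes how JIT memory is made executable (the mprotect and icache-flush path in Memory.inc), which is exactly the kind of vendored code an auditor or the next LLVM bump needs to trace back, so add a provenance line next to `patch -p0 < ${../aarch64.patch}`, e.g. `# vendored copy of upstream review D40423 (ARM icache flush on !PROT_READ pages); the review URL is gone`, or put the same sentence at the top of aarch64.patch, where `patch` ignores text before the first `---`. The identical hunk in 5/llvm.nix needs the same note.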
@@ -81,7 +76,7 @@ in stdenv.mkDerivation rec {
 # Revert compiler-rt commit that makes codesign mandatory
 patch -p1 -i ${./compiler-rt-codesign.patch} -d projects/compiler-rt
 '' + stdenv.lib.optionalString stdenv.isAarch64 ''
- patch -p0 < ${aarch64Patch}
+ patch -p0 < ${../aarch64.patch}
 '';
 # hacky fix: created binaries need to be run before installation
diff --git a/pkgs/development/compilers/llvm/aarch64.patch b/pkgs/development/compilers/llvm/aarch64.patch
new file mode 100644
index 000000000000..205074e48e4e
--- /dev/null
+++ b/pkgs/development/compilers/llvm/aarch64.patch
@@ -0,0 +1,51 @@
+--- lib/Support/Unix/Memory.inc
++++ lib/Support/Unix/Memory.inc
+@@ -126,8 +126,12 @@
+ Result.Address = Addr;
+ Result.Size = NumPages*PageSize;
+
+- if (PFlags & MF_EXEC)
+- Memory::InvalidateInstructionCache(Result.Address, Result.Size);
++ // Rely on protectMappedMemory to invalidate instruction cache.
++ if (PFlags & MF_EXEC) {
++ EC = Memory::protectMappedMemory (Result, PFlags);
++ if (EC != std::error_code())
++ return MemoryBlock();
++ }
+
+ return Result;
+ }
+@@ -156,15 +160,31 @@
+ return std::error_code(EINVAL, std::generic_category());
+
+ int Protect = getPosixProtectionFlags(Flags);
+-
+ uintptr_t Start = alignAddr((uint8_t *)M.Address - PageSize + 1, PageSize);
+ uintptr_t End = alignAddr((uint8_t *)M.Address + M.Size, PageSize);
++
++ bool InvalidateCache = (Flags & MF_EXEC);
++
++#if defined(__arm__) || defined(__aarch64__)
++ // Certain ARM implementations treat icache clear instruction as a memory read,
++ // and CPU segfaults on trying to clear cache on !PROT_READ page. Therefore we need
++ // to temporarily add PROT_READ for the sake of flushing the instruction caches.
++ if (InvalidateCache && !(Protect & PROT_READ)) {
++ int Result = ::mprotect((void *)Start, End - Start, Protect | PROT_READ);
++ if (Result != 0)
++ return std::error_code(errno, std::generic_category());
++
++ Memory::InvalidateInstructionCache(M.Address, M.Size);
++ InvalidateCache = false;
++ }
++#endif
++
+ int Result = ::mprotect((void *)Start, End - Start, Protect);
+
+ if (Result != 0)
+ return std::error_code(errno, std::generic_category());
+
+- if (Flags & MF_EXEC)
++ if (InvalidateCache)
+ Memory::InvalidateInstructionCache(M.Address, M.Size);
+
+ return std::error_code();
From 6f8601288b1292726188d2600cfeaa6c5be658ce Mon Sep 17 00:00:00 2001
From: Mateusz Kowalczyk
Date: Wed, 29 Nov 2017 16:10:43 +0000
Subject: [PATCH 8/8] bazel: 0.7.0 -> 0.8.0
---
pkgs/development/tools/build-managers/bazel/default.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/tools/build-managers/bazel/default.nix b/pkgs/development/tools/build-managers/bazel/default.nix
index a1452d330be0..41861a6142e5 100644
--- a/pkgs/development/tools/build-managers/bazel/default.nix
+++ b/pkgs/development/tools/build-managers/bazel/default.nix
@@ -6,7 +6,7 @@ stdenv.mkDerivation rec {
- version = "0.7.0";
+ version = "0.8.0";
 meta = with stdenv.lib; {
 homepage = "https://github.com/bazelbuild/bazel/";
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
 src = fetchurl {
 url = "https://github.com/bazelbuild/bazel/releases/download/${version}/bazel-${version}-dist.zip";
- sha256 = "05n4zz2a29y4vr2svc7ya9fx7qxb9151a6gkycxk9qj3v32sk150";
+ sha256 = "0y50fhwh135fim39ra4szwzzgyb4ibls3i0hpv3d7asns0hh715a";
 };
 sourceRoot = ".";