Merge branch 'staging'

There are security fixes inside.
NixOS · Nov 7, 2016 · 593b46f · 593b46f
2 parents 3e6d04d + 83f28fd
commit 593b46f
Show file tree

Hide file tree

Showing 10 changed files with 135 additions and 60 deletions.
diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -24,7 +24,7 @@ nonFlagArgs=0
 [[ "@prog@" = *++ ]] && isCpp=1 || isCpp=0
 cppInclude=1
 
-params=("$@")
+expandResponseParams "$@"
 n=0
 while [ $n -lt ${#params[*]} ]; do
     p=${params[n]}

diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh
@@ -16,7 +16,7 @@ source @out@/nix-support/utils.sh
 
 
 # Optionally filter out paths not refering to the store.
-params=("$@")
+expandResponseParams "$@"
 if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \
         -a \( -z "$NIX_IGNORE_LD_THROUGH_GCC" -o -z "$NIX_LDFLAGS_SET" \) ]; then
     rest=()

diff --git a/pkgs/build-support/cc-wrapper/utils.sh b/pkgs/build-support/cc-wrapper/utils.sh
@@ -22,3 +22,27 @@ badPath() {
         "${p:0:4}" != "/tmp" -a \
         "${p:0:${#NIX_BUILD_TOP}}" != "$NIX_BUILD_TOP"
 }
+
+expandResponseParams() {
+    local inparams=("$@")
+    local n=0
+    local p
+    params=()
+    while [ $n -lt ${#inparams[*]} ]; do
+        p=${inparams[n]}
+        case $p in
+            @*)
+                if [ -e "${p:1}" ]; then
+                    args=$(<"${p:1}")
+                    eval 'for arg in '$args'; do params+=("$arg"); done'
+                else
+                    params+=("$p")
+                fi
+                ;;
+            *)
+                params+=("$p")
+                ;;
+        esac
+        n=$((n + 1))
+    done
+}
diff --git a/pkgs/development/libraries/libtiff/default.nix b/pkgs/development/libraries/libtiff/default.nix
@@ -2,6 +2,7 @@
 
 let
   version = "4.0.6";
+  debversion = "3";
 in
 stdenv.mkDerivation rec {
   name = "libtiff-${version}";
@@ -19,36 +20,47 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  patches = [
-    (fetchpatch {
-      url = "https://sources.debian.net/data/main/t/tiff/4.0.6-2/debian/patches/01-CVE-2015-8665_and_CVE-2015-8683.patch";
-      sha256 = "1c4zmvxj124873al8fvkiv8zq7wx5mv2vd4f1y9w8liv92cm7hkc";
+  patches = let p = "https://sources.debian.net/data/main/t/tiff/${version}-${debversion}/debian/patches"; in [
+    (fetchurl {
+      url = "${p}/01-CVE-2015-8665_and_CVE-2015-8683.patch";
+      sha256 = "0qiiqpbbsf01b59x01z38cg14pmg1ggcsqm9n1gsld6rr5wm3ryz";
     })
-    (fetchpatch {
-      url = "https://sources.debian.net/data/main/t/tiff/4.0.6-2/debian/patches/02-fix_potential_out-of-bound_writes_in_decode_functions.patch";
-      sha256 = "0rsc7zh7cdhgcmx2vbjfaqrb0g93a3924ngqkrzb14w5j2fqfbxv";
+    (fetchurl {
+      url = "${p}/02-fix_potential_out-of-bound_writes_in_decode_functions.patch";
+      sha256 = "1ph057w302i2s94rhdw6ksyvpsmg1nlanvc0251x01s23gkdbakv";
     })
-    (fetchpatch {
-      url = "https://sources.debian.net/data/main/t/tiff/4.0.6-2/debian/patches/03-fix_potential_out-of-bound_write_in_NeXTDecode.patch";
-      sha256 = "1s01xhp4sl04yhqhqwp50gh43ykcqk230mmbv62vhy2jh7v0ky3a";
+    (fetchurl {
+      url = "${p}/03-fix_potential_out-of-bound_write_in_NeXTDecode.patch";
+      sha256 = "1nhjg2gdvyzi4wa2g7nwmzm7nssz9dpdfkwms1rp8i1034qdlgc6";
     })
-    (fetchpatch {
-      url = "https://sources.debian.net/data/main/t/tiff/4.0.6-2/debian/patches/04-CVE-2016-5314_CVE-2016-5316_CVE-2016-5320_CVE-2016-5875.patch";
-      sha256 = "0by35qxpzv9ib3mnh980gd30jf3qmsfp2kl730rq4pq66wpzg9m8";
+    (fetchurl {
+      url = "${p}/04-CVE-2016-5314_CVE-2016-5316_CVE-2016-5320_CVE-2016-5875.patch";
+      sha256 = "0n47yk9wcvc9j72yvm5bhpaqq0yfz8jnq9zxbnzx5id9gdxmrkn3";
     })
-    (fetchpatch {
-      url = "https://sources.debian.net/data/main/t/tiff/4.0.6-2/debian/patches/05-CVE-2016-6223.patch";
-      sha256 = "0rh8ia0wsf5yskzwdjrlbiilc9m0lq0igs42k6922pl3sa1lxzv1";
+    (fetchurl {
+      url = "${p}/05-CVE-2016-6223.patch";
+      sha256 = "0r80hil9k6scdjppgyljhm0s2z6c8cm259f0ic0xvxidfaim6g2r";
     })
-    (fetchpatch {
-      url = "https://sources.debian.net/data/main/t/tiff/4.0.6-2/debian/patches/06-CVE-2016-5321.patch";
-      sha256 = "0n0igfxbd3kqvvj2k2xgysrp63l4v2gd110fwkk4apfpm0hvzwh0";
+    (fetchurl {
+      url = "${p}/06-CVE-2016-5321.patch";
+      sha256 = "1aacymlqv6cam8i4nbma9v05r3v3xjpagns7q0ii268h0mhzq6qg";
     })
-    (fetchpatch {
-      url = "https://sources.debian.net/data/main/t/tiff/4.0.6-2/debian/patches/07-CVE-2016-5323.patch";
-      sha256 = "1j6w8g6qizkx5h4aq95kxzx6bgkn4jhc8l22swwhvlkichsh4910";
+    (fetchurl {
+      url = "${p}/07-CVE-2016-5323.patch";
+      sha256 = "1xr5hy2fxa71j3fcc1l998pxyblv207ygzyhibwb1lia5zjgblch";
+    })
+    (fetchurl {
+      url = "${p}/08-CVE-2016-3623_CVE-2016-3624.patch";
+      sha256 = "1xnvwjvgyxi387h1sdiyp4360a3176jmipb7ghm8vwiz7cisdn9z";
+    })
+    (fetchurl {
+      url = "${p}/09-CVE-2016-5652.patch";
+      sha256 = "1yqfq32gzh21ab2jfqkq13gaz0nin0492l06adzsyhr5brvdhnx8";
+    })
+    (fetchurl {
+      url = "${p}/10-CVE-2016-3658.patch";
+      sha256 = "01kb8rfk30fgjf1hy0m088yhjfld1yyh4bk3gkg8jx3dl9bd076d";
     })
-
   ];
 
   doCheck = true;

diff --git a/pkgs/development/tools/build-managers/cmake/2.8.nix b/pkgs/development/tools/build-managers/cmake/2.8.nix
@@ -5,6 +5,8 @@
 with stdenv.lib;
 
 assert wantPS -> (ps != null);
+assert stdenv ? cc;
+assert stdenv.cc ? libc;
 
 let
   os = stdenv.lib.optionalString;
@@ -31,9 +33,8 @@ stdenv.mkDerivation rec {
       url = "http://www.cmake.org/Bug/file_download.php?file_id=4660&type=bug";
       sha256 = "136z63ff83hnwd247cq4m8m8164pklzyl5i2csf5h6wd8p01pdkj";
     })] ++
-    # Don't search in non-Nix locations such as /usr, but do search in
-    # Nixpkgs' Glibc.
-    optional (stdenv ? glibc) ./search-path.patch ++
+    # Don't search in non-Nix locations such as /usr, but do search in our libc.
+    [ ./search-path.patch ] ++
     optional (stdenv ? cross) (fetchurl {
       name = "fix-darwin-cross-compile.patch";
       url = "http://public.kitware.com/Bug/file_download.php?"
@@ -50,22 +51,25 @@ stdenv.mkDerivation rec {
   CMAKE_PREFIX_PATH = concatStringsSep ":"
     (concatMap (p: [ (p.dev or p) (p.out or p) ]) buildInputs);
 
-  configureFlags =
-    "--docdir=/share/doc/${name} --mandir=/share/man --system-libs --no-system-libarchive"
-    + stdenv.lib.optionalString useQt4 " --qt-gui";
+  configureFlags = [
+    "--docdir=/share/doc/${name}"
+    "--mandir=/share/man"
+    "--system-libs"
+    "--no-system-libarchive"
+   ] ++ stdenv.lib.optional useQt4 "--qt-gui";
 
   setupHook = ./setup-hook.sh;
 
   dontUseCmakeConfigure = true;
 
-  preConfigure = with stdenv; optionalString (stdenv ? glibc)
-    ''
+  preConfigure = with stdenv; ''
       source $setupHook
       fixCmakeFiles .
       substituteInPlace Modules/Platform/UnixPaths.cmake \
-        --subst-var-by glibc_bin ${getBin glibc} \
-        --subst-var-by glibc_dev ${getDev glibc} \
-        --subst-var-by glibc_lib ${getLib glibc}
+        --subst-var-by libc_bin ${getBin cc.libc} \
+        --subst-var-by libc_dev ${getDev cc.libc} \
+        --subst-var-by libc_lib ${getLib cc.libc}
+      configureFlags="--parallel=''${NIX_BUILD_CORES:-1} $configureFlags"
     '';
 
   meta = {

diff --git a/pkgs/development/tools/build-managers/cmake/default.nix b/pkgs/development/tools/build-managers/cmake/default.nix
@@ -7,11 +7,13 @@
 with stdenv.lib;
 
 assert wantPS -> (ps != null);
+assert stdenv ? cc;
+assert stdenv.cc ? libc;
 
 let
   os = stdenv.lib.optionalString;
   majorVersion = "3.6";
-  minorVersion = "0";
+  minorVersion = "2";
   version = "${majorVersion}.${minorVersion}";
 in
 
@@ -22,13 +24,11 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "${meta.homepage}files/v${majorVersion}/cmake-${version}.tar.gz";
-    sha256 = "0w3n2i02jpbgai4dxsigm1c1i1qb5v70wyxckzwrxvs0ri0fs1gx";
+    sha256 = "0imkz04ncz6cv5659qfd4scm99k3siq7zrrsa8pvp663d8mf76hq";
   };
 
-  patches =
-    # Don't search in non-Nix locations such as /usr, but do search in
-    # Nixpkgs' Glibc.
-    optional (stdenv ? glibc) ./search-path-3.2.patch
+  # Don't search in non-Nix locations such as /usr, but do search in our libc.
+  patches = [ ./search-path-3.2.patch ]
     ++ optional stdenv.isCygwin ./3.2.2-cygwin.patch;
 
   outputs = [ "out" ];
@@ -43,15 +43,15 @@ stdenv.mkDerivation rec {
 
   propagatedBuildInputs = optional wantPS ps;
 
-  preConfigure = with stdenv; optionalString (stdenv ? glibc)
-    ''
+  preConfigure = with stdenv; ''
       fixCmakeFiles .
       substituteInPlace Modules/Platform/UnixPaths.cmake \
-        --subst-var-by glibc_bin ${getBin glibc} \
-        --subst-var-by glibc_dev ${getDev glibc} \
-        --subst-var-by glibc_lib ${getLib glibc}
+        --subst-var-by libc_bin ${getBin cc.libc} \
+        --subst-var-by libc_dev ${getDev cc.libc} \
+        --subst-var-by libc_lib ${getLib cc.libc}
       substituteInPlace Modules/FindCxxTest.cmake \
         --replace "$""{PYTHON_EXECUTABLE}" ${stdenv.shell}
+      configureFlags="--parallel=''${NIX_BUILD_CORES:-1} $configureFlags"
     '';
   configureFlags =
     [ "--docdir=share/doc/${name}"

diff --git a/pkgs/development/tools/build-managers/cmake/search-path-3.2.patch b/pkgs/development/tools/build-managers/cmake/search-path-3.2.patch
@@ -25,7 +25,7 @@ diff -ru3 cmake-3.4.3/Modules/Platform/UnixPaths.cmake cmake-3.4.3-new/Modules/P
 -  /usr/pkg/include
 -  /opt/csw/include /opt/include
 -  /usr/openwin/include
-+  @glibc_dev@/include
++  @libc_dev@/include
    )
 -
  list(APPEND CMAKE_SYSTEM_LIBRARY_PATH
@@ -39,26 +39,26 @@ diff -ru3 cmake-3.4.3/Modules/Platform/UnixPaths.cmake cmake-3.4.3-new/Modules/P
 -  /usr/pkg/lib
 -  /opt/csw/lib /opt/lib
 -  /usr/openwin/lib
-+  @glibc_lib@/lib
++  @libc_lib@/lib
    )
 
  list(APPEND CMAKE_SYSTEM_PROGRAM_PATH
 -  /usr/pkg/bin
-+  @glibc_bin@/bin
++  @libc_bin@/bin
    )
 
  list(APPEND CMAKE_PLATFORM_IMPLICIT_LINK_DIRECTORIES
 -  /lib /lib32 /lib64 /usr/lib /usr/lib32 /usr/lib64
-+  @glibc_lib@/lib
++  @libc_lib@/lib
    )
 
  list(APPEND CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES
 -  /usr/include
-+  @glibc_dev@/include
++  @libc_dev@/include
    )
  list(APPEND CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES
 -  /usr/include
-+  @glibc_dev@/include
++  @libc_dev@/include
    )
 
  # Enable use of lib64 search path variants by default.
diff --git a/pkgs/development/tools/build-managers/cmake/search-path.patch b/pkgs/development/tools/build-managers/cmake/search-path.patch
@@ -53,7 +53,7 @@ diff -ru3 cmake-2.8.12.2/Modules/Platform/UnixPaths.cmake cmake-2.8.12.2-new/Mod
 -  /usr/pkg/include
 -  /opt/csw/include /opt/include
 -  /usr/openwin/include
-+  @glibc_dev@/include
++  @libc_dev@/include
    )
 
  list(APPEND CMAKE_SYSTEM_LIBRARY_PATH
@@ -67,26 +67,26 @@ diff -ru3 cmake-2.8.12.2/Modules/Platform/UnixPaths.cmake cmake-2.8.12.2-new/Mod
 -  /usr/pkg/lib
 -  /opt/csw/lib /opt/lib
 -  /usr/openwin/lib
-+  @glibc_lib@/lib
++  @libc_lib@/lib
    )
 
  list(APPEND CMAKE_SYSTEM_PROGRAM_PATH
 -  /usr/pkg/bin
-+  @glibc_bin@/bin
++  @libc_bin@/bin
    )
 
  list(APPEND CMAKE_PLATFORM_IMPLICIT_LINK_DIRECTORIES
 -  /lib /usr/lib /usr/lib32 /usr/lib64
-+  @glibc_lib@/lib
++  @libc_lib@/lib
    )
 
  list(APPEND CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES
 -  /usr/include
-+  @glibc_dev@/include
++  @libc_dev@/include
    )
  list(APPEND CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES
 -  /usr/include
-+  @glibc_dev@/include
++  @libc_dev@/include
    )
 
  # Enable use of lib64 search path variants by default.
diff --git a/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch b/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch
@@ -0,0 +1,35 @@
+commit 7340f67b9860ea0531c1450e5aa261c50f67165d
+Author: Paul Eggert <[email protected]>
+Date:   Sat Oct 29 21:04:40 2016 -0700
+
+    When extracting, skip ".." members
+
+    * NEWS: Document this.
+    * src/extract.c (extract_archive): Skip members whose names
+    contain "..".
+
+diff --git a/src/extract.c b/src/extract.c
+index f982433..7904148 100644
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+ {
+   char typeflag;
+   tar_extractor_t fun;
++  bool skip_dotdot_name;
+
+   fatal_exit_hook = extract_finish;
+
+   set_next_block_after (current_header);
+
++  skip_dotdot_name = (!absolute_names_option
++		      && contains_dot_dot (current_stat_info.orig_file_name));
++  if (skip_dotdot_name)
++    ERROR ((0, 0, _("%s: Member name contains '..'"),
++	    quotearg_colon (current_stat_info.orig_file_name)));
++
+   if (!current_stat_info.file_name[0]
++      || skip_dotdot_name
+       || (interactive_option
+ 	  && !confirm ("extract", current_stat_info.file_name)))
+     {
diff --git a/pkgs/tools/archivers/gnutar/default.nix b/pkgs/tools/archivers/gnutar/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0";
   };
 
-  patches = [ ]; # FIXME: remove on another stdenv rebuild
+  patches = [ ./CVE-2016-6321.patch ]; # FIXME: remove on another stdenv rebuild
 
   # avoid retaining reference to CF during stdenv bootstrap
   configureFlags = stdenv.lib.optionals stdenv.isDarwin [