Merge #168140: staging-next 2022-04-10

2022-04-12 18:00:24 +02:00 · 2022-04-12 18:00:24 +02:00 · e1118817a1
commit e1118817a1
parent 72f3b1a4d1 2bed314598
16 changed files with 132 additions and 17 deletions
--- a/pkgs/development/interpreters/perl/default.nix
+++ b/pkgs/development/interpreters/perl/default.nix
@ -1,6 +1,7 @@
 { config, lib, stdenv, fetchurl, fetchpatch, fetchFromGitHub, pkgs, buildPackages
 , callPackage
 , enableThreading ? true, coreutils, makeWrapper
+, zlib
 }:

 # Note: this package is used for bootstrapping fetchurl, and thus
@ -115,6 +116,16 @@ let
        cf_by="nixpkgs"
        cf_time="$(date -d "@$SOURCE_DATE_EPOCH")"
        EOF
+
+        # Compress::Raw::Zlib should use our zlib package instead of the one
+        # included with the distribution
+        cat > ./cpan/Compress-Raw-Zlib/config.in <<EOF
+        BUILD_ZLIB   = False
+        INCLUDE      = ${zlib.dev}/include
+        LIB          = ${zlib.out}/lib
+        OLD_ZLIB     = False
+        GZIP_OS_CODE = AUTO_DETECT
+        EOF
      '' + optionalString stdenv.isDarwin ''
        substituteInPlace hints/darwin.sh --replace "env MACOSX_DEPLOYMENT_TARGET=10.3" ""
      '' + optionalString (!enableThreading) ''
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@ -127,6 +127,13 @@ stdenv.mkDerivation ({
      ./nix-nss-open-files.patch

      ./0001-Revert-Remove-all-usage-of-BASH-or-BASH-in-installed.patch
+
+      /* Fix segfault in getpwuid when stat fails
+         https://sourceware.org/bugzilla/show_bug.cgi?id=28752 */
+      (fetchurl {
+        url = "https://patchwork.sourceware.org/project/glibc/patch/20220314175316.3239120-2-sam@gentoo.org/raw/";
+        sha256 = "sq0BoPqXHQ69Vq4zJobCspe4XRfnAiuac/wqzVQJESc=";
+      })
    ]
    ++ lib.optional stdenv.hostPlatform.isMusl ./fix-rpc-types-musl-conflicts.patch
    ++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch;
--- a/pkgs/development/libraries/libtiff/default.nix
+++ b/pkgs/development/libraries/libtiff/default.nix
@ -53,6 +53,36 @@ stdenv.mkDerivation rec {
      url = "https://gitlab.com/libtiff/libtiff/-/commit/561599c99f987dc32ae110370cfdd7df7975586b.patch";
      sha256 = "0ycirjjc1vigj03kwjb92n6jszsl9p17ccw5hry7lli9gxyyr0an";
    })
+    (fetchpatch {
+      name = "CVE-2022-0891.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/46dc8fcd4d38c3b6f35ab28e532aee80e6f609d6.patch";
+      sha256 = "1zn2pgsmbrjx3g2bpdggvwwbp6i348mikwlx4ws482h2379vmyj1";
+    })
+    (fetchpatch {
+      name = "CVE-2022-0865.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/5e18004500cda10d9074bdb6166b054e95b659ed.patch";
+      sha256 = "131b9ial6avl2agwk31wp2jkrx59955f4r0dikx1jdaywqb7zhd1";
+    })
+    (fetchpatch {
+      name = "CVE-2022-0924.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/408976c44ef0aad975e0d1b6c6dc80d60f9dc665.patch";
+      sha256 = "1aqaynp74ijxr3rizvbyz23ncs71pbbcw5src1zv46473sy55s8p";
+    })
+    (fetchpatch {
+      name = "CVE-2022-0907.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/f2b656e2e64adde07a6cffd5c8e96bd81a850fea.patch";
+      sha256 = "0nsplq671qx0f35qww9mx27raqp3nvslz8iv7f3hxdgldylmh2vs";
+    })
+    (fetchpatch {
+      name = "CVE-2022-0909.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/f8d0f9aa1ba04c9ae3bfe869a18141a8b8117ad7.patch";
+      sha256 = "1plhk6ildl16bp0k3wvzfd4a97hqfqfbbn7vjinsaasf4v0x3q5j";
+    })
+    (fetchpatch {
+      name = "CVE-2022-0908.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/a95b799f65064e4ba2e2dfc206808f86faf93e85.patch";
+      sha256 = "0i61kkjaixdn2p933lpma9s6i0772vhxjxxcwyqagw96lmszrcm7";
+    })
  ];

  postPatch = ''
--- a/pkgs/development/libraries/mesa/default.nix
+++ b/pkgs/development/libraries/mesa/default.nix
@ -154,6 +154,7 @@ self = stdenv.mkDerivation {
    meson pkg-config ninja
    intltool bison flex file
    python3Packages.python python3Packages.Mako
+    jdupes
  ] ++ lib.optionals (elem "wayland" eglPlatforms) [
    wayland-scanner
  ];
@ -230,7 +231,7 @@ self = stdenv.mkDerivation {
    done

    # NAR doesn't support hard links, so convert them to symlinks to save space.
-    ${jdupes}/bin/jdupes --hard-links --link-soft --recurse "$drivers"
+    jdupes --hard-links --link-soft --recurse "$drivers"

    # add RPATH so the drivers can find the moved libgallium and libdricore9
    # moved here to avoid problems with stripping patchelfed files
--- a/pkgs/development/libraries/sqlite/default.nix
+++ b/pkgs/development/libraries/sqlite/default.nix
@ -12,13 +12,13 @@ in

 stdenv.mkDerivation rec {
  pname = "sqlite${optionalString interactive "-interactive"}";
-  version = "3.38.1";
+  version = "3.38.2";

  # nixpkgs-update: no auto update
  # NB! Make sure to update ./tools.nix src (in the same directory).
  src = fetchurl {
    url = "https://sqlite.org/2022/sqlite-autoconf-${archiveVersion version}.tar.gz";
-    sha256 = "sha256-jjqM65eU2Wg5lZDS3fnVwESpfdg9OLlhM2SiReyKL8Q=";
+    sha256 = "sha256-55dKoUMLrWkKXp95pu5chJKtqCadxnWHWtD7dH18raQ=";
  };

  outputs = [ "bin" "dev" "out" ];
--- a/pkgs/development/libraries/sqlite/tools.nix
+++ b/pkgs/development/libraries/sqlite/tools.nix
@ -4,12 +4,12 @@ let
  archiveVersion = import ./archive-version.nix lib;
  mkTool = { pname, makeTarget, description, homepage }: stdenv.mkDerivation rec {
    inherit pname;
-    version = "3.38.1";
+    version = "3.38.2";

    # nixpkgs-update: no auto update
    src = assert version == sqlite.version; fetchurl {
      url = "https://sqlite.org/2022/sqlite-src-${archiveVersion version}.zip";
-      sha256 = "sha256-F3rv2oF/qfUoJeF0hYf3wnqbXmtTpIHNQ0YfJ0bZMdg=";
+      sha256 = "sha256-x8DwcKM4yS6wiAWQXAXyVPpG0cTdo1SKAkdPb7VnMpo=";
    };

    nativeBuildInputs = [ unzip ];
--- a/pkgs/development/libraries/zlib/default.nix
+++ b/pkgs/development/libraries/zlib/default.nix
@ -40,6 +40,10 @@ stdenv.mkDerivation (rec {
      --replace 'ARFLAGS="-o"' 'ARFLAGS="-r"'
  '';

+  patches = [
+    ./fix-configure-issue-cross.patch
+  ];
+
  outputs = [ "out" "dev" ]
    ++ lib.optional splitStaticOutput "static";
  setOutputFlags = false;
--- a/pkgs/development/libraries/zlib/fix-configure-issue-cross.patch
+++ b/pkgs/development/libraries/zlib/fix-configure-issue-cross.patch
@ -0,0 +1,24 @@
+From 05796d3d8d5546cf1b4dfe2cd72ab746afae505d Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Mon, 28 Mar 2022 18:34:10 -0700
+Subject: [PATCH] Fix configure issue that discarded provided CC definition.
+
+---
+ configure | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/configure b/configure
+index 52ff4a04e..3fa3e8618 100755
+--- a/configure
+++ b/configure
+@@ -174,7 +174,10 @@ if test -z "$CC"; then
+   else
+     cc=${CROSS_PREFIX}cc
+   fi
+else
+  cc=${CC}
+ fi
+
+ cflags=${CFLAGS-"-O3"}
+ # to force the asm version use: CFLAGS="-O3 -DASMV" ./configure
+ case "$cc" in
--- a/pkgs/development/python-modules/pycurl/default.nix
+++ b/pkgs/development/python-modules/pycurl/default.nix
@ -71,11 +71,6 @@ buildPythonPackage rec {
    "test_libcurl_ssl_gnutls"
    # AssertionError: assert 'crypto' in ['curl']
    "test_ssl_in_static_libs"
-    # pycurl.error: (27, '')
-    "test_getinfo_raw_certinfo"
-    "test_request_with_certinfo"
-    "test_request_with_verifypeer"
-    "test_request_without_certinfo"
  ];

  meta = with lib; {
--- a/pkgs/development/python-modules/twisted/default.nix
+++ b/pkgs/development/python-modules/twisted/default.nix
@ -31,7 +31,7 @@ buildPythonPackage rec {

  # Patch t.p._inotify to point to libc. Without this,
  # twisted.python.runtime.platform.supportsINotify() == False
-  patchPhase = lib.optionalString stdenv.isLinux ''
+  postPatch = lib.optionalString stdenv.isLinux ''
    substituteInPlace src/twisted/python/_inotify.py --replace \
      "ctypes.util.find_library(\"c\")" "'${stdenv.glibc.out}/lib/libc.so.6'"
  '';
@ -45,13 +45,13 @@ buildPythonPackage rec {
  '';

  checkPhase = ''
-    ${python.interpreter} -m unittest discover -s twisted/test
+    ${python.interpreter} -m unittest discover -s src/twisted/test
  '';
  # Tests require network
  doCheck = false;

  meta = with lib; {
-    homepage = "https://twistedmatrix.com/";
+    homepage = "https://github.com/twisted/twisted";
    description = "Twisted, an event-driven networking engine written in Python";
    longDescription = ''
      Twisted is an event-driven networking engine written in Python
--- a/pkgs/os-specific/linux/audit/default.nix
+++ b/pkgs/os-specific/linux/audit/default.nix
@ -69,6 +69,13 @@ stdenv.mkDerivation rec {
      sha256 = "0qjq41ridyamajz9v9nyplgq7f8nn3fxw375s9sa5a0igsrx9pm0";
      excludes = [ "ChangeLog" ];
    })
+    # Fix pending upstream inclusion for linux-headers-5.17 support:
+    #  https://github.com/linux-audit/audit-userspace/pull/253
+    (fetchpatch {
+      name = "ignore-flexible-array.patch";
+      url = "https://github.com/linux-audit/audit-userspace/commit/beed138222421a2eb4212d83cb889404bd7efc49.patch";
+      sha256 = "1hf02zaxv6x0wmn4ca9fj48y2shks7vfna43i1zz58xw9jq7sza0";
+    })
  ];

  postPatch = ''
--- a/pkgs/servers/dns/pdns/default.nix
+++ b/pkgs/servers/dns/pdns/default.nix
@ -20,6 +20,11 @@ stdenv.mkDerivation rec {
    libyamlcpp libsodium curl unixODBC openssl systemd lmdb tinycdb
  ];

+  # Configure phase requires 64-bit time_t even on 32-bit platforms.
+  NIX_CFLAGS_COMPILE = lib.optionals stdenv.hostPlatform.is32bit [
+    "-D_TIME_BITS=64" "-D_FILE_OFFSET_BITS=64"
+  ];
+
  configureFlags = [
    "--disable-silent-rules"
    "--enable-dns-over-tls"
--- a/pkgs/tools/compression/gzip/default.nix
+++ b/pkgs/tools/compression/gzip/default.nix
@ -11,11 +11,11 @@

 stdenv.mkDerivation rec {
  pname = "gzip";
-  version = "1.11";
+  version = "1.12";

  src = fetchurl {
    url = "mirror://gnu/gzip/${pname}-${version}.tar.xz";
-    sha256 = "01vrly90rvc98af6rcmrb3gwv1l6pylasvsdka23dffwizb9b6lv";
+    sha256 = "sha256-zl4D5Rn2N+H4FAEazjXE+HszwLur7sNbr1+9NHnpGVY=";
  };

  outputs = [ "out" "man" "info" ];
--- a/pkgs/tools/networking/curl/7.82.0-openssl-fix-CN-check.patch
+++ b/pkgs/tools/networking/curl/7.82.0-openssl-fix-CN-check.patch
@ -0,0 +1,30 @@
+From 911714d617c106ed5d553bf003e34ec94ab6a136 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 8 Mar 2022 13:38:13 +0100
+Subject: [PATCH] openssl: fix CN check error code
+
+Due to a missing 'else' this returns error too easily.
+
+Regressed in: d15692ebb
+
+Reported-by: Kristoffer Gleditsch
+Fixes #8559
+Closes #8560
+---
+ lib/vtls/openssl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 0b79fc50a9c5..4618beeb3867 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -1817,7 +1817,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
+               memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen);
+               peer_CN[peerlen] = '\0';
+             }
+-            result = CURLE_OUT_OF_MEMORY;
+            else
+              result = CURLE_OUT_OF_MEMORY;
+           }
+         }
+         else /* not a UTF8 name */
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@ -66,6 +66,7 @@ stdenv.mkDerivation rec {

  patches = [
    ./7.79.1-darwin-no-systemconfiguration.patch
+    ./7.82.0-openssl-fix-CN-check.patch
  ];

  outputs = [ "bin" "dev" "out" "man" "devdoc" ];
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@ -6,11 +6,11 @@ in

  openssh = common rec {
    pname = "openssh";
-    version = "8.9p1";
+    version = "9.0p1";

    src = fetchurl {
      url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
-      sha256 = "sha256:1ry5prcax0134v6srkgznpl9ch5snkgq7yvjqvd8c5mbnxa7cjgx";
+      sha256 = "12m2f9czvgmi7akp7xah6y7mrrpi280a3ksk47iwr7hy2q1475q3";
    };

    extraPatches = [ ./ssh-keysign-8.5.patch ];