Merge commit 'a2e06fc3423c4be53181b15c28dfbe0bcf67dd73'

4 files changed, 44 insertions, 233 deletions

diff --git a/nixpkgs/pkgs/development/libraries/glibc/CVE-2018-11236.patch b/nixpkgs/pkgs/development/libraries/glibc/CVE-2018-11236.patch
deleted file mode 100644
index db86e7146f28..000000000000
--- a/nixpkgs/pkgs/development/libraries/glibc/CVE-2018-11236.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-From 5460617d1567657621107d895ee2dd83bc1f88f2 Mon Sep 17 00:00:00 2001
-From: Paul Pluzhnikov <ppluzhnikov@google.com>
-Date: Tue, 8 May 2018 18:12:41 -0700
-Subject: [PATCH] Fix BZ 22786: integer addition overflow may cause stack
- buffer overflow when realpath() input length is close to SSIZE_MAX.
-
-2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
-
-	[BZ #22786]
-	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
-	computation.
-	* stdlib/Makefile (test-bz22786): New test.
-	* stdlib/test-bz22786.c: New test.
----
- ChangeLog             |  8 +++++
- stdlib/Makefile       |  2 +-
- stdlib/canonicalize.c |  2 +-
- stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 100 insertions(+), 2 deletions(-)
- create mode 100644 stdlib/test-bz22786.c
-
-diff --git a/stdlib/Makefile b/stdlib/Makefile
-index af1643c..1ddb1f9 100644
---- a/stdlib/Makefile
-+++ b/stdlib/Makefile
-@@ -84,7 +84,7 @@ tests		:= tst-strtol tst-strtod testmb testrand testsort testdiv   \
- 		   tst-cxa_atexit tst-on_exit test-atexit-race 		    \
- 		   test-at_quick_exit-race test-cxa_atexit-race             \
- 		   test-on_exit-race test-dlclose-exit-race 		    \
--		   tst-makecontext-align
-+		   tst-makecontext-align test-bz22786
- 
- tests-internal	:= tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
- 		   tst-tls-atexit tst-tls-atexit-nodelete
-diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
-index 4135f3f..390fb43 100644
---- a/stdlib/canonicalize.c
-+++ b/stdlib/canonicalize.c
-@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
- 		extra_buf = __alloca (path_max);
- 
- 	      len = strlen (end);
--	      if ((long int) (n + len) >= path_max)
-+	      if (path_max - n <= len)
- 		{
- 		  __set_errno (ENAMETOOLONG);
- 		  goto error;
-diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c
-new file mode 100644
-index 0000000..e7837f9
---- /dev/null
-+++ b/stdlib/test-bz22786.c
-@@ -0,0 +1,90 @@
-+/* Bug 22786: test for buffer overflow in realpath.
-+   Copyright (C) 2018 Free Software Foundation, Inc.
-+   This file is part of the GNU C Library.
-+
-+   The GNU C Library is free software; you can redistribute it and/or
-+   modify it under the terms of the GNU Lesser General Public
-+   License as published by the Free Software Foundation; either
-+   version 2.1 of the License, or (at your option) any later version.
-+
-+   The GNU C Library is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+   Lesser General Public License for more details.
-+
-+   You should have received a copy of the GNU Lesser General Public
-+   License along with the GNU C Library; if not, see
-+   <http://www.gnu.org/licenses/>.  */
-+
-+/* This file must be run from within a directory called "stdlib".  */
-+
-+#include <errno.h>
-+#include <limits.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <unistd.h>
-+#include <sys/stat.h>
-+#include <sys/types.h>
-+#include <support/test-driver.h>
-+#include <libc-diag.h>
-+
-+static int
-+do_test (void)
-+{
-+  const char dir[] = "bz22786";
-+  const char lnk[] = "bz22786/symlink";
-+
-+  rmdir (dir);
-+  if (mkdir (dir, 0755) != 0 && errno != EEXIST)
-+    {
-+      printf ("mkdir %s: %m\n", dir);
-+      return EXIT_FAILURE;
-+    }
-+  if (symlink (".", lnk) != 0 && errno != EEXIST)
-+    {
-+      printf ("symlink (%s, %s): %m\n", dir, lnk);
-+      return EXIT_FAILURE;
-+    }
-+
-+  const size_t path_len = (size_t) INT_MAX + 1;
-+
-+  DIAG_PUSH_NEEDS_COMMENT;
-+#if __GNUC_PREREQ (7, 0)
-+  /* GCC 7 warns about too-large allocations; here we need such
-+     allocation to succeed for the test to work.  */
-+  DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
-+#endif
-+  char *path = malloc (path_len);
-+  DIAG_POP_NEEDS_COMMENT;
-+
-+  if (path == NULL)
-+    {
-+      printf ("malloc (%zu): %m\n", path_len);
-+      return EXIT_UNSUPPORTED;
-+    }
-+
-+  /* Construct very long path = "bz22786/symlink/aaaa....."  */
-+  char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
-+  *(p++) = '/';
-+  memset (p, 'a', path_len - (path - p) - 2);
-+  p[path_len - (path - p) - 1] = '\0';
-+
-+  /* This call crashes before the fix for bz22786 on 32-bit platforms.  */
-+  p = realpath (path, NULL);
-+
-+  if (p != NULL || errno != ENAMETOOLONG)
-+    {
-+      printf ("realpath: %s (%m)", p);
-+      return EXIT_FAILURE;
-+    }
-+
-+  /* Cleanup.  */
-+  unlink (lnk);
-+  rmdir (dir);
-+
-+  return 0;
-+}
-+
-+#define TEST_FUNCTION do_test
-+#include <support/test-driver.c>
--- 
-2.9.3
-
diff --git a/nixpkgs/pkgs/development/libraries/glibc/CVE-2018-11237.patch b/nixpkgs/pkgs/development/libraries/glibc/CVE-2018-11237.patch
deleted file mode 100644
index ffc2cec1d577..000000000000
--- a/nixpkgs/pkgs/development/libraries/glibc/CVE-2018-11237.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From f51c8367685dc888a02f7304c729ed5277904aff Mon Sep 17 00:00:00 2001
-From: Andreas Schwab <schwab@suse.de>
-Date: Thu, 24 May 2018 14:39:18 +0200
-Subject: [PATCH] Don't write beyond destination in
- __mempcpy_avx512_no_vzeroupper (bug 23196)
-
-When compiled as mempcpy, the return value is the end of the destination
-buffer, thus it cannot be used to refer to the start of it.
-
-(cherry picked from commit 9aaaab7c6e4176e61c59b0a63c6ba906d875dc0e)
----
- ChangeLog                                               | 9 +++++++++
- NEWS                                                    | 7 +++++++
- string/test-mempcpy.c                                   | 1 +
- sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S | 5 +++--
- 4 files changed, 20 insertions(+), 2 deletions(-)
-
-diff --git a/string/test-mempcpy.c b/string/test-mempcpy.c
-index c08fba8..d98ecdd 100644
---- a/string/test-mempcpy.c
-+++ b/string/test-mempcpy.c
-@@ -18,6 +18,7 @@
-    <http://www.gnu.org/licenses/>.  */
- 
- #define MEMCPY_RESULT(dst, len) (dst) + (len)
-+#define MIN_PAGE_SIZE 131072
- #define TEST_MAIN
- #define TEST_NAME "mempcpy"
- #include "test-string.h"
-diff --git a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
-index 23c0f7a..effc3ac 100644
---- a/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
-+++ b/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S
-@@ -336,6 +336,7 @@ L(preloop_large):
- 	vmovups	(%rsi), %zmm4
- 	vmovups	0x40(%rsi), %zmm5
- 
-+	mov	%rdi, %r11
- /* Align destination for access with non-temporal stores in the loop.  */
- 	mov	%rdi, %r8
- 	and	$-0x80, %rdi
-@@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop):
- 	cmp	$256, %rdx
- 	ja	L(gobble_256bytes_nt_loop)
- 	sfence
--	vmovups	%zmm4, (%rax)
--	vmovups	%zmm5, 0x40(%rax)
-+	vmovups	%zmm4, (%r11)
-+	vmovups	%zmm5, 0x40(%r11)
- 	jmp	L(check)
- 
- L(preloop_large_bkw):
--- 
-2.9.3
-
diff --git a/nixpkgs/pkgs/development/libraries/glibc/common.nix b/nixpkgs/pkgs/development/libraries/glibc/common.nix
index 32be2205bcc1..50ee5097d1b8 100644
--- a/nixpkgs/pkgs/development/libraries/glibc/common.nix
+++ b/nixpkgs/pkgs/development/libraries/glibc/common.nix
@@ -19,10 +19,12 @@
 
 { stdenv, lib
 , buildPackages
-, fetchurl, fetchpatch
+, fetchurl
 , linuxHeaders ? null
 , gd ? null, libpng ? null
+, libidn2
 , bison
+, python3Minimal
 }:
 
 { name
@@ -34,9 +36,9 @@
 } @ args:
 
 let
-  version = "2.27";
+  version = "2.30";
   patchSuffix = "";
-  sha256 = "0wpwq7gsm7sd6ysidv0z575ckqdg13cr2njyfgrbgh4f65adwwji";
+  sha256 = "1bxqpg91d02qnaz837a5kamm0f43pr1il4r9pknygywsar713i72";
 in
 
 assert withLinuxHeaders -> linuxHeaders != null;
@@ -87,31 +89,30 @@ stdenv.mkDerivation ({
         less linux-*?/arch/x86/kernel/syscall_table_32.S
        */
       ./allow-kernel-2.6.32.patch
+
+      /* Provide a fallback for missing prlimit64 syscall on RHEL 6 -like
+         kernels.
+
+         This patch is maintained by @veprbl. If it gives you trouble, feel
+         free to ping me, I'd be happy to help.
+       */
+      (fetchurl {
+        url = "https://git.savannah.gnu.org/cgit/guix.git/plain/gnu/packages/patches/glibc-reinstate-prlimit64-fallback.patch?id=eab07e78b691ae7866267fc04d31c7c3ad6b0eeb";
+        sha256 = "091bk3kyrx1gc380gryrxjzgcmh1ajcj8s2rjhp2d2yzd5mpd5ps";
+      })
+
       /* Provide utf-8 locales by default, so we can use it in stdenv without depending on our large locale-archive. */
       (fetchurl {
         url = "https://salsa.debian.org/glibc-team/glibc/raw/49767c9f7de4828220b691b29de0baf60d8a54ec/debian/patches/localedata/locale-C.diff";
         sha256 = "0irj60hs2i91ilwg5w7sqrxb695c93xg0ik7yhhq9irprd7fidn4";
       })
-
-      # https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5460617d1567657621107d895ee2dd83bc1f88f2
-      ./CVE-2018-11236.patch
-      # https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f51c8367685dc888a02f7304c729ed5277904aff
-      ./CVE-2018-11237.patch
     ]
     ++ lib.optionals stdenv.isx86_64 [
       ./fix-x64-abi.patch
       ./2.27-CVE-2019-19126.patch
     ]
     ++ lib.optional stdenv.hostPlatform.isMusl ./fix-rpc-types-musl-conflicts.patch
-    ++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch
-
-    # Remove after upgrading to glibc 2.28+
-    ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform || stdenv.hostPlatform.isMusl) (fetchpatch {
-      url = "https://sourceware.org/git/?p=glibc.git;a=patch;h=780684eb04298977bc411ebca1eadeeba4877833";
-      name = "correct-pwent-parsing-issue-and-resulting-build.patch";
-      sha256 = "08fja894vzaj8phwfhsfik6jj2pbji7kypy3q8pgxvsd508zdv1q";
-      excludes = [ "ChangeLog" ];
-    });
+    ++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch;
 
   postPatch =
     ''
@@ -122,6 +123,19 @@ stdenv.mkDerivation ({
       # nscd needs libgcc, and we don't want it dynamically linked
       # because we don't want it to depend on bootstrap-tools libs.
       echo "LDFLAGS-nscd += -static-libgcc" >> nscd/Makefile
+    ''
+    # FIXME: find a solution for infinite recursion in cross builds.
+    # For now it's hopefully acceptable that IDN from libc doesn't reliably work.
+    + lib.optionalString (stdenv.hostPlatform == stdenv.buildPlatform) ''
+
+      # Ensure that libidn2 is found.
+      patch -p 1 <<EOF
+      --- a/inet/idna.c
+      +++ b/inet/idna.c
+      @@ -25,1 +25,1 @@
+      -#define LIBIDN2_SONAME "libidn2.so.0"
+      +#define LIBIDN2_SONAME "${lib.getLib libidn2}/lib/libidn2.so.0"
+      EOF
     '';
 
   configureFlags =
@@ -153,7 +167,7 @@ stdenv.mkDerivation ({
   outputs = [ "out" "bin" "dev" "static" ];
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
-  nativeBuildInputs = [ bison ];
+  nativeBuildInputs = [ bison python3Minimal ];
   buildInputs = [ linuxHeaders ] ++ lib.optionals withGd [ gd libpng ];
 
   # Needed to install share/zoneinfo/zone.tab.  Set to impure /bin/sh to
diff --git a/nixpkgs/pkgs/development/libraries/glibc/default.nix b/nixpkgs/pkgs/development/libraries/glibc/default.nix
index 1a17595a1a32..150681ebda18 100644
--- a/nixpkgs/pkgs/development/libraries/glibc/default.nix
+++ b/nixpkgs/pkgs/development/libraries/glibc/default.nix
@@ -49,20 +49,18 @@ callPackage ./common.nix { inherit stdenv; } {
       ++ stdenv.lib.optional stdenv.hostPlatform.isMusl "pie";
 
     NIX_CFLAGS_COMPILE = stdenv.lib.concatStringsSep " "
-      (if !stdenv.hostPlatform.isMusl
-        # TODO: This (returning a string or `null`, instead of a list) is to
-        #       not trigger a mass rebuild due to the introduction of the
-        #       musl-specific flags below.
-        #       At next change to non-musl glibc builds, remove this `then`
-        #       and the above condition, instead keeping only the `else` below.
-        then (stdenv.lib.optionals withGd gdCflags)
-        else
-          (builtins.concatLists [
-            (stdenv.lib.optionals withGd gdCflags)
-            # Fix -Werror build failure when building glibc with musl with GCC >= 8, see:
-            # https://github.com/NixOS/nixpkgs/pull/68244#issuecomment-544307798
-            (stdenv.lib.optional stdenv.hostPlatform.isMusl "-Wno-error=attribute-alias")
-          ]));
+      (builtins.concatLists [
+        (stdenv.lib.optionals withGd gdCflags)
+        # Fix -Werror build failure when building glibc with musl with GCC >= 8, see:
+        # https://github.com/NixOS/nixpkgs/pull/68244#issuecomment-544307798
+        (stdenv.lib.optional stdenv.hostPlatform.isMusl "-Wno-error=attribute-alias")
+        (stdenv.lib.optionals ((stdenv.hostPlatform != stdenv.buildPlatform) || stdenv.hostPlatform.isMusl) [
+          # Ignore "error: '__EI___errno_location' specifies less restrictive attributes than its target '__errno_location'"
+          # New warning as of GCC 9
+          # Same for musl: https://github.com/NixOS/nixpkgs/issues/78805
+          "-Wno-error=missing-attributes"
+        ])
+      ]);
 
     # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for
     # any program we run, because the gcc will have been placed at a new