Merge branch 'master' into staging

... to get the openssl mass rebuild: 942dbf89c.

4 files changed, 24 insertions, 9 deletions

diff --git a/pkgs/applications/graphics/ImageMagick/default.nix b/pkgs/applications/graphics/ImageMagick/default.nix
index d481bb934d4c..c7d1adfdd182 100644
--- a/pkgs/applications/graphics/ImageMagick/default.nix
+++ b/pkgs/applications/graphics/ImageMagick/default.nix
@@ -11,8 +11,8 @@ let
     else throw "ImageMagick is not supported on this platform.";
 
   cfg = {
-    version = "6.9.5-10";
-    sha256 = "0cxjzqzca80vf6sfx4z9zq4wq2w0vy9ajp9kf88jb4na8mwsn198";
+    version = "6.9.6-2";
+    sha256 = "139h9lycxw3lszn052m34xm0rqyanin4nb529vxjcrkkzqilh91r";
     patches = [];
   }
     # Freeze version on mingw so we don't need to port the patch too often.
diff --git a/pkgs/applications/graphics/PythonMagick/default.nix b/pkgs/applications/graphics/PythonMagick/default.nix
index 5ab7d4d8a694..a8d0d490f8bb 100644
--- a/pkgs/applications/graphics/PythonMagick/default.nix
+++ b/pkgs/applications/graphics/PythonMagick/default.nix
@@ -2,7 +2,7 @@
 
 let
 
-  version = "0.9.12";
+  version = "0.9.14";
 
 in
 
@@ -10,8 +10,8 @@ stdenv.mkDerivation rec {
   name = "pythonmagick-${version}";
 
   src = fetchurl {
-    url = "http://www.imagemagick.org/download/python/releases/PythonMagick-${version}.tar.xz";
-    sha256 = "1l1kr3d7l40fkxgs6mrlxj65alv2jizm9hhgg9i9g90a8qj8642b";
+    url = "mirror://imagemagick/python/releases/PythonMagick-${version}.tar.xz";
+    sha256 = "1flkdfi3c19wy2qcfzax1cqvmmri10rvmhc2y85gmagqvv01zz22";
   };
 
   buildInputs = [python boost pkgconfig imagemagick];
diff --git a/pkgs/applications/graphics/gimp/plugins/default.nix b/pkgs/applications/graphics/gimp/plugins/default.nix
index 1d32ea724faf..9fd669551dec 100644
--- a/pkgs/applications/graphics/gimp/plugins/default.nix
+++ b/pkgs/applications/graphics/gimp/plugins/default.nix
@@ -57,6 +57,7 @@ rec {
       sed -e 's,^\(GIMP_PLUGIN_DIR=\).*,\1'"$out/${gimp.name}-plugins", \
        -e 's,^\(GIMP_DATA_DIR=\).*,\1'"$out/share/${gimp.name}", -i configure
     '';
+    hardeningDisable = [ "format" ];
     meta = with stdenv.lib; {
       description = "The GIMP Animation Package";
       homepage = http://www.gimp.org;
diff --git a/pkgs/applications/graphics/graphicsmagick/default.nix b/pkgs/applications/graphics/graphicsmagick/default.nix
index 70d8feaa2753..2e573e09b31a 100644
--- a/pkgs/applications/graphics/graphicsmagick/default.nix
+++ b/pkgs/applications/graphics/graphicsmagick/default.nix
@@ -1,6 +1,6 @@
-{stdenv, fetchurl, bzip2, freetype, graphviz, ghostscript
-, libjpeg, libpng, libtiff, libxml2, zlib, libtool, xz
-, libX11, libwebp, quantumdepth ? 8}:
+{ stdenv, fetchurl, fetchpatch, bzip2, freetype, graphviz, ghostscript
+, libjpeg, libpng, libtiff, libxml2, zlib, libtool, xz, libX11
+, libwebp, quantumdepth ? 8 }:
 
 let version = "1.3.25"; in
 
@@ -12,7 +12,21 @@ stdenv.mkDerivation {
     sha256 = "17xcc7pfcmiwpfr1g8ys5a7bdnvqzka53vg3kkzhwwz0s99gljyn";
   };
 
-  patches = [ ./disable-popen.patch ];
+  patches = [
+    ./disable-popen.patch
+    (fetchpatch {
+      url = "https://sources.debian.net/data/main/g/graphicsmagick/1.3.25-4/debian/patches/CVE-2016-7996_CVE-2016-7997.patch";
+      sha256 = "0xsby2z8n7cnnln7szjznq7iaabq323wymvdjra59yb41aix74r2";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.net/data/main/g/graphicsmagick/1.3.25-4/debian/patches/CVE-2016-7800_part1.patch";
+      sha256 = "02s0x9bkbnm5wrd0d2x9ld4d9z5xqpfk310lyylyr5zlnhqxmwgn";
+    })
+    (fetchpatch {
+      url = "https://sources.debian.net/data/main/g/graphicsmagick/1.3.25-4/debian/patches/CVE-2016-7800_part2.patch";
+      sha256 = "1h4xv3i1aq5avsd584rwa5sa7ca8f7w9ggmh7j2llqq5kymwsv5f";
+    })
+  ];
 
   configureFlags = [
     "--enable-shared"