author | Vladimír Čunát <vcunat@gmail.com> | 2016-09-24 18:54:31 +0200 |
---|---|---|
committer | Vladimír Čunát <vcunat@gmail.com> | 2016-09-24 18:54:31 +0200 |
commit | fffc7638cda106c4864e0b986ff498b4f939a847 (patch) | |
tree | 12b83c1bc7d39a65df8dbff46390c8465347f202 /pkgs/development/libraries | |
parent | d2965a7d85f7ce3f5ce265ca8dc3b73feaae226f (diff) | |
parent | e2a9617185321c38482cab343e5d4a6a182b7ce9 (diff) | |
Merge branch 'master' into staging
Diffstat (limited to 'pkgs/development/libraries')
-rw-r--r-- | pkgs/development/libraries/appstream-glib/default.nix | 8 | ||||
-rw-r--r-- | pkgs/development/libraries/botan/unstable.nix | 4 | ||||
-rw-r--r-- | pkgs/development/libraries/ffmpeg/2.8.nix | 4 | ||||
-rw-r--r-- | pkgs/development/libraries/jansson/default.nix | 4 | ||||
-rw-r--r-- | pkgs/development/libraries/libxmlxx/default.nix | 10 | ||||
-rw-r--r-- | pkgs/development/libraries/mesa/symlink-drivers.patch | 59 | ||||
-rw-r--r-- | pkgs/development/libraries/openssl/1.0.1-CVE-2016-2177.diff | 256 | ||||
-rw-r--r-- | pkgs/development/libraries/openssl/1.0.2-CVE-2016-2177.diff | 279 | ||||
-rw-r--r-- | pkgs/development/libraries/openssl/default.nix | 20 | ||||
-rw-r--r-- | pkgs/development/libraries/rabbitmq-c/0.4.nix | 21 | ||||
-rw-r--r-- | pkgs/development/libraries/strigi/default.nix | 11 | ||||
-rw-r--r-- | pkgs/development/libraries/webkitgtk/2.10.nix | 86 | ||||
-rw-r--r-- | pkgs/development/libraries/webkitgtk/2.14.nix | 63 |
13 files changed, 142 insertions, 683 deletions
diff --git a/pkgs/development/libraries/appstream-glib/default.nix b/pkgs/development/libraries/appstream-glib/default.nix index 8450def08452..caaa826ae67d 100644 --- a/pkgs/development/libraries/appstream-glib/default.nix +++ b/pkgs/development/libraries/appstream-glib/default.nix @@ -1,20 +1,20 @@ { stdenv, fetchFromGitHub, pkgconfig, gettext, gtk3, intltool, glib , gtk_doc, autoconf, automake, libtool, libarchive, libyaml , gobjectIntrospection, sqlite, libsoup, gcab, attr, acl, docbook_xsl -, libuuid, json_glib +, libuuid, json_glib, autoconf-archive }: stdenv.mkDerivation rec { - name = "appstream-glib-0.5.12"; + name = "appstream-glib-0.6.3"; src = fetchFromGitHub { owner = "hughsie"; repo = "appstream-glib"; rev = stdenv.lib.replaceStrings ["." "-"] ["_" "_"] name; - sha256 = "00b0441f409vzgy0znn42k093w7hwv3495qvsakxnhvk1h1ws23s"; + sha256 = "12l0vzhi9vpyrnf7vrpq21rb26mb6yskp5zgngdjyjanwhzmc617"; }; - nativeBuildInputs = [ autoconf automake libtool pkgconfig intltool ]; + nativeBuildInputs = [ autoconf automake libtool pkgconfig intltool autoconf-archive ]; buildInputs = [ glib gtk_doc gettext sqlite libsoup gcab attr acl docbook_xsl libuuid json_glib libarchive libyaml gtk3 gobjectIntrospection ]; diff --git a/pkgs/development/libraries/botan/unstable.nix b/pkgs/development/libraries/botan/unstable.nix index 4e004da32175..170e7a757490 100644 --- a/pkgs/development/libraries/botan/unstable.nix +++ b/pkgs/development/libraries/botan/unstable.nix @@ -2,8 +2,8 @@ callPackage ./generic.nix (args // { baseVersion = "1.11"; - revision = "30"; - sha256 = "09d1cvg6dnfi225wipc1fw691bq7xxdcmgkq8smldc5kivf3mbwd"; + revision = "31"; + sha256 = "1vnx75g5zzzbgsrwnmnhqdal29gcn63g0ldyj0g9cky8ha8iqx8f"; openssl = null; postPatch = "sed '1i#include <cmath>' -i src/tests/test_bigint.cpp"; }) diff --git a/pkgs/development/libraries/ffmpeg/2.8.nix b/pkgs/development/libraries/ffmpeg/2.8.nix index 63e6ec2f6952..04336c9ee4d3 100644 --- a/pkgs/development/libraries/ffmpeg/2.8.nix 
+++ b/pkgs/development/libraries/ffmpeg/2.8.nix @@ -1,7 +1,7 @@ { callPackage, ... } @ args: callPackage ./generic.nix (args // rec { - version = "${branch}.7"; + version = "${branch}.8"; branch = "2.8"; - sha256 = "1rggcy8kflmlvdyf5yqv0zshycysyqz45fl06v8zsh2n6d5cwxw7"; + sha256 = "19h6xmlcb933hgpfd40mjwkral8v389v25sx660a3p7aiyalh25p"; }) diff --git a/pkgs/development/libraries/jansson/default.nix b/pkgs/development/libraries/jansson/default.nix index f0f9cc65cb2b..a24005487bee 100644 --- a/pkgs/development/libraries/jansson/default.nix +++ b/pkgs/development/libraries/jansson/default.nix @@ -1,11 +1,11 @@ {stdenv, fetchurl}: stdenv.mkDerivation rec { - name = "jansson-2.7"; + name = "jansson-2.8"; src = fetchurl { url = "http://www.digip.org/jansson/releases/${name}.tar.gz"; - sha256 = "1mvq9p85khsl818i4vbszyfab0fd45mdrwrxjkzw05mk1xcyc1br"; + sha256 = "0v7v82mv7x44rpcxmrpnmb8hqimx67qwsp2cz9mv3y0f37iykwnf"; }; meta = with stdenv.lib; { diff --git a/pkgs/development/libraries/libxmlxx/default.nix b/pkgs/development/libraries/libxmlxx/default.nix index 72afc1d55eb5..65e10c5a3995 100644 --- a/pkgs/development/libraries/libxmlxx/default.nix +++ b/pkgs/development/libraries/libxmlxx/default.nix @@ -1,11 +1,13 @@ { stdenv, fetchurl, pkgconfig, libxml2, glibmm, perl }: stdenv.mkDerivation rec { - name = "libxml++-2.38.1"; + name = "libxml++-${maj_ver}.${min_ver}"; + maj_ver = "2.40"; + min_ver = "1"; src = fetchurl { - url = "mirror://gnome/sources/libxml++/2.38/${name}.tar.xz"; - sha256 = "0px0ljcf9rsfa092dzmm097yn7wln6d5fgsvj9lnrnq3kcc2j9c8"; + url = "mirror://gnome/sources/libxml++/${maj_ver}/${name}.tar.xz"; + sha256 = "1sb3akryklvh2v6m6dihdnbpf1lkx441v972q9hlz1sq6bfspm2a"; }; nativeBuildInputs = [ pkgconfig perl ]; 
@@ -14,8 +16,6 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ libxml2 ]; - configureFlags = "--disable-documentation"; #doesn't build without this for some reason - meta = with stdenv.lib; { homepage = http://libxmlplusplus.sourceforge.net/; description = "C++ wrapper for the libxml2 XML parser library"; diff --git a/pkgs/development/libraries/mesa/symlink-drivers.patch b/pkgs/development/libraries/mesa/symlink-drivers.patch index b96e8e0b816e..68c0f1da26b6 100644 --- a/pkgs/development/libraries/mesa/symlink-drivers.patch +++ b/pkgs/development/libraries/mesa/symlink-drivers.patch @@ -1,7 +1,7 @@ -diff -ru -x '*~' mesa-11.1.4-orig/src/gallium/targets/dri/Makefile.am mesa-11.1.4/src/gallium/targets/dri/Makefile.am ---- mesa-11.1.4-orig/src/gallium/targets/dri/Makefile.am 2016-05-09 14:20:52.000000000 +0200 -+++ mesa-11.1.4/src/gallium/targets/dri/Makefile.am 2016-05-22 17:56:03.396185082 +0200 -@@ -126,14 +126,13 @@ +diff -ru -x '*~' mesa-12.0.3-orig/src/gallium/targets/dri/Makefile.am mesa-12.0.3/src/gallium/targets/dri/Makefile.am +--- mesa-12.0.3-orig/src/gallium/targets/dri/Makefile.am 2016-09-08 18:57:48.000000000 +0200 ++++ mesa-12.0.3/src/gallium/targets/dri/Makefile.am 2016-09-22 14:42:19.173575498 +0200 +@@ -134,14 +134,13 @@ done; endif 
@@ -19,9 +19,25 @@ diff -ru -x '*~' mesa-11.1.4-orig/src/gallium/targets/dri/Makefile.am mesa-11.1. uninstall-hook: for i in $(TARGET_DRIVERS); do \ -diff -ru -x '*~' mesa-11.1.4-orig/src/gallium/targets/vdpau/Makefile.am mesa-11.1.4/src/gallium/targets/vdpau/Makefile.am ---- mesa-11.1.4-orig/src/gallium/targets/vdpau/Makefile.am 2016-01-29 13:21:30.000000000 +0100 -+++ mesa-11.1.4/src/gallium/targets/vdpau/Makefile.am 2016-05-22 20:54:12.722358242 +0200 +diff -ru -x '*~' mesa-12.0.3-orig/src/gallium/targets/va/Makefile.am mesa-12.0.3/src/gallium/targets/va/Makefile.am +--- mesa-12.0.3-orig/src/gallium/targets/va/Makefile.am 2016-09-08 18:57:48.000000000 +0200 ++++ mesa-12.0.3/src/gallium/targets/va/Makefile.am 2016-09-22 14:45:39.635963339 +0200 +@@ -71,10 +71,10 @@ + # gallium_drv_video.so in the set of final installed files. + install-data-hook: + for i in $(TARGET_DRIVERS); do \ +- ln -f $(DESTDIR)$(vadir)/gallium_drv_video.so \ ++ ln -srf $(DESTDIR)$(vadir)/gallium_drv_video.so \ + $(DESTDIR)$(vadir)/$${i}_drv_video.so; \ + done; \ +- $(RM) $(DESTDIR)$(vadir)/gallium_drv_video.* ++ $(RM) $(DESTDIR)$(vadir)/gallium_drv_video.la + + uninstall-hook: + for i in $(TARGET_DRIVERS); do \ +diff -ru -x '*~' mesa-12.0.3-orig/src/gallium/targets/vdpau/Makefile.am mesa-12.0.3/src/gallium/targets/vdpau/Makefile.am +--- mesa-12.0.3-orig/src/gallium/targets/vdpau/Makefile.am 2016-05-24 21:19:37.000000000 +0200 ++++ mesa-12.0.3/src/gallium/targets/vdpau/Makefile.am 2016-09-22 14:42:19.173575498 +0200 @@ -103,15 +103,14 @@ done; endif 
@@ -49,10 +65,31 @@ diff -ru -x '*~' mesa-11.1.4-orig/src/gallium/targets/vdpau/Makefile.am mesa-11. uninstall-hook: for i in $(TARGET_DRIVERS); do \ -diff -ru -x '*~' mesa-11.1.4-orig/src/mesa/drivers/dri/Makefile.am mesa-11.1.4/src/mesa/drivers/dri/Makefile.am ---- mesa-11.1.4-orig/src/mesa/drivers/dri/Makefile.am 2016-01-18 08:39:26.000000000 +0100 -+++ mesa-11.1.4/src/mesa/drivers/dri/Makefile.am 2016-05-22 17:55:46.251244940 +0200 -@@ -86,14 +86,13 @@ +diff -ru -x '*~' mesa-12.0.3-orig/src/gallium/targets/xvmc/Makefile.am mesa-12.0.3/src/gallium/targets/xvmc/Makefile.am +--- mesa-12.0.3-orig/src/gallium/targets/xvmc/Makefile.am 2016-05-24 21:19:37.000000000 +0200 ++++ mesa-12.0.3/src/gallium/targets/xvmc/Makefile.am 2016-09-22 14:54:22.291014543 +0200 +@@ -73,7 +73,7 @@ + j=libXvMCgallium.$(LIB_EXT); \ + k=libXvMC$${i}.$(LIB_EXT); \ + l=$${k}.$(XVMC_MAJOR).$(XVMC_MINOR).0; \ +- ln -f $${dest_dir}/$${j}.$(XVMC_MAJOR).$(XVMC_MINOR).0 \ ++ ln -srf $${dest_dir}/$${j}.$(XVMC_MAJOR).$(XVMC_MINOR).0 \ + $${dest_dir}/$${l}; \ + ln -sf $${l} \ + $${dest_dir}/$${k}.$(XVMC_MAJOR).$(XVMC_MINOR); \ +@@ -82,7 +82,7 @@ + ln -sf $${l} \ + $${dest_dir}/$${k}; \ + done; \ +- $(RM) $${dest_dir}/libXvMCgallium.* ++ $(RM) $${dest_dir}/libXvMCgallium.la + + uninstall-hook: + for i in $(TARGET_DRIVERS); do \ +diff -ru -x '*~' mesa-12.0.3-orig/src/mesa/drivers/dri/Makefile.am mesa-12.0.3/src/mesa/drivers/dri/Makefile.am +--- mesa-12.0.3-orig/src/mesa/drivers/dri/Makefile.am 2016-09-08 18:57:48.000000000 +0200 ++++ mesa-12.0.3/src/mesa/drivers/dri/Makefile.am 2016-09-22 14:42:19.173575498 +0200 +@@ -94,14 +94,13 @@ done; endif diff --git a/pkgs/development/libraries/openssl/1.0.1-CVE-2016-2177.diff b/pkgs/development/libraries/openssl/1.0.1-CVE-2016-2177.diff deleted file mode 100644 index f8a4b7c22573..000000000000 --- a/pkgs/development/libraries/openssl/1.0.1-CVE-2016-2177.diff +++ /dev/null 
@@ -1,256 +0,0 @@ -From 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 Mon Sep 17 00:00:00 2001 -From: Matt Caswell <matt@openssl.org> -Date: Thu, 5 May 2016 11:10:26 +0100 -Subject: [PATCH] Avoid some undefined pointer arithmetic - -A common idiom in the codebase is: - -if (p + len > limit) -{ - return; /* Too long */ -} - -Where "p" points to some malloc'd data of SIZE bytes and -limit == p + SIZE - -"len" here could be from some externally supplied data (e.g. from a TLS -message). - -The rules of C pointer arithmetic are such that "p + len" is only well -defined where len <= SIZE. Therefore the above idiom is actually -undefined behaviour. - -For example this could cause problems if some malloc implementation -provides an address for "p" such that "p + len" actually overflows for -values of len that are too big and therefore p + len < limit! - -Issue reported by Guido Vranken. - -CVE-2016-2177 - -Reviewed-by: Rich Salz <rsalz@openssl.org> ---- - ssl/s3_srvr.c | 14 +++++++------- - ssl/ssl_sess.c | 2 +- - ssl/t1_lib.c | 48 ++++++++++++++++++++++++++---------------------- - 3 files changed, 34 insertions(+), 30 deletions(-) - -diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c -index 04cf93a..6c74caa 100644 ---- a/ssl/s3_srvr.c -+++ b/ssl/s3_srvr.c -@@ -1040,7 +1040,7 @@ int ssl3_get_client_hello(SSL *s) - - session_length = *(p + SSL3_RANDOM_SIZE); - -- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { -+ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1058,7 +1058,7 @@ int ssl3_get_client_hello(SSL *s) - /* get the session-id */ - j = *(p++); - -- if (p + j > d + n) { -+ if ((d + n) - p < j) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1114,14 +1114,14 @@ int ssl3_get_client_hello(SSL *s) - - if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { - /* cookie stuff */ -- 
if (p + 1 > d + n) { -+ if ((d + n) - p < 1) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - cookie_len = *(p++); - -- if (p + cookie_len > d + n) { -+ if ((d + n ) - p < cookie_len) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1166,7 +1166,7 @@ int ssl3_get_client_hello(SSL *s) - p += cookie_len; - } - -- if (p + 2 > d + n) { -+ if ((d + n ) - p < 2) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1180,7 +1180,7 @@ int ssl3_get_client_hello(SSL *s) - } - - /* i bytes of cipher data + 1 byte for compression length later */ -- if ((p + i + 1) > (d + n)) { -+ if ((d + n) - p < i + 1) { - /* not enough data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); -@@ -1246,7 +1246,7 @@ int ssl3_get_client_hello(SSL *s) - - /* compression */ - i = *(p++); -- if ((p + i) > (d + n)) { -+ if ((d + n) - p < i) { - /* not enough data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); -diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c -index 48fc451..a97d060 100644 ---- a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -602,7 +602,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, - int r; - #endif - -- if (session_id + len > limit) { -+ if (limit - session_id < len) { - fatal = 1; - goto err; - } -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index 0bdb77d..8ed1793 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -942,11 +942,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - 0x02, 0x03, /* SHA-1/ECDSA */ - }; - -- if (data >= (limit - 2)) -+ if (limit - data <= 2) - return; - data += 2; - -- if (data > (limit - 4)) -+ if (limit - data < 4) - return; - n2s(data, type); - n2s(data, size); -@@ -954,7 +954,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char 
*data, - if (type != TLSEXT_TYPE_server_name) - return; - -- if (data + size > limit) -+ if (limit - data < size) - return; - data += size; - -@@ -962,7 +962,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - const size_t len1 = sizeof(kSafariExtensionsBlock); - const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); - -- if (data + len1 + len2 != limit) -+ if (limit - data != (int)(len1 + len2)) - return; - if (memcmp(data, kSafariExtensionsBlock, len1) != 0) - return; -@@ -971,7 +971,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - } else { - const size_t len = sizeof(kSafariExtensionsBlock); - -- if (data + len != limit) -+ if (limit - data != (int)(len)) - return; - if (memcmp(data, kSafariExtensionsBlock, len) != 0) - return; -@@ -1019,19 +1019,19 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, - if (data == limit) - goto ri_check; - -- if (data > (limit - 2)) -+ if (limit - data < 2) - goto err; - - n2s(data, len); - -- if (data + len != limit) -+ if (limit - data != len) - goto err; - -- while (data <= (limit - 4)) { -+ while (limit - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > (limit)) -+ if (limit - data < size) - goto err; - # if 0 - fprintf(stderr, "Received extension type %d size %d\n", type, size); -@@ -1460,20 +1460,20 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, - SSL_TLSEXT_HB_DONT_SEND_REQUESTS); - # endif - -- if (data >= (d + n - 2)) -+ if ((d + n) - data <= 2) - goto ri_check; - - n2s(data, length); -- if (data + length != d + n) { -+ if ((d + n) - data != length) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - -- while (data <= (d + n - 4)) { -+ while ((d + n) - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > (d + n)) -+ if ((d + n) - data < size) - goto ri_check; - - if (s->tlsext_debug_cb) -@@ -2179,29 +2179,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, - /* 
Skip past DTLS cookie */ - if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { - i = *(p++); -- p += i; -- if (p >= limit) -+ -+ if (limit - p <= i) - return -1; -+ -+ p += i; - } - /* Skip past cipher list */ - n2s(p, i); -- p += i; -- if (p >= limit) -+ if (limit - p <= i) - return -1; -+ p += i; -+ - /* Skip past compression algorithm list */ - i = *(p++); -- p += i; -- if (p > limit) -+ if (limit - p < i) - return -1; -+ p += i; -+ - /* Now at start of extensions */ -- if ((p + 2) >= limit) -+ if (limit - p <= 2) - return 0; - n2s(p, i); -- while ((p + 4) <= limit) { -+ while (limit - p >= 4) { - unsigned short type, size; - n2s(p, type); - n2s(p, size); -- if (p + size > limit) -+ if (limit - p < size) - return 0; - if (type == TLSEXT_TYPE_session_ticket) { - int r; --- -1.9.1 - diff --git a/pkgs/development/libraries/openssl/1.0.2-CVE-2016-2177.diff b/pkgs/development/libraries/openssl/1.0.2-CVE-2016-2177.diff deleted file mode 100644 index ca934c20a674..000000000000 --- a/pkgs/development/libraries/openssl/1.0.2-CVE-2016-2177.diff +++ /dev/null 
@@ -1,279 +0,0 @@ -From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001 -From: Matt Caswell <matt@openssl.org> -Date: Thu, 5 May 2016 11:10:26 +0100 -Subject: [PATCH] Avoid some undefined pointer arithmetic - -A common idiom in the codebase is: - -if (p + len > limit) -{ - return; /* Too long */ -} - -Where "p" points to some malloc'd data of SIZE bytes and -limit == p + SIZE - -"len" here could be from some externally supplied data (e.g. from a TLS -message). - -The rules of C pointer arithmetic are such that "p + len" is only well -defined where len <= SIZE. Therefore the above idiom is actually -undefined behaviour. - -For example this could cause problems if some malloc implementation -provides an address for "p" such that "p + len" actually overflows for -values of len that are too big and therefore p + len < limit! - -Issue reported by Guido Vranken. - -CVE-2016-2177 - -Reviewed-by: Rich Salz <rsalz@openssl.org> ---- - ssl/s3_srvr.c | 14 +++++++------- - ssl/ssl_sess.c | 2 +- - ssl/t1_lib.c | 56 ++++++++++++++++++++++++++++++-------------------------- - 3 files changed, 38 insertions(+), 34 deletions(-) - -diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c -index ab28702..ab7f690 100644 ---- a/ssl/s3_srvr.c -+++ b/ssl/s3_srvr.c -@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s) - - session_length = *(p + SSL3_RANDOM_SIZE); - -- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { -+ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s) - /* get the session-id */ - j = *(p++); - -- if (p + j > d + n) { -+ if ((d + n) - p < j) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s) - - if (SSL_IS_DTLS(s)) { - /* cookie stuff */ -- if (p + 1 > d + n) { -+ if ((d + n) - p < 
1) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - cookie_len = *(p++); - -- if (p + cookie_len > d + n) { -+ if ((d + n ) - p < cookie_len) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s) - } - } - -- if (p + 2 > d + n) { -+ if ((d + n ) - p < 2) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s) - } - - /* i bytes of cipher data + 1 byte for compression length later */ -- if ((p + i + 1) > (d + n)) { -+ if ((d + n) - p < i + 1) { - /* not enough data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); -@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s) - - /* compression */ - i = *(p++); -- if ((p + i) > (d + n)) { -+ if ((d + n) - p < i) { - /* not enough data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); -diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c -index b182998..54ee783 100644 ---- a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, - int r; - #endif - -- if (session_id + len > limit) { -+ if (limit - session_id < len) { - fatal = 1; - goto err; - } -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index fb64607..cdac011 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - 0x02, 0x03, /* SHA-1/ECDSA */ - }; - -- if (data >= (limit - 2)) -+ if (limit - data <= 2) - return; - data += 2; - -- if (data > (limit - 4)) -+ if (limit - data < 4) - return; - n2s(data, type); - n2s(data, size); -@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - if (type != TLSEXT_TYPE_server_name) - return; 
- -- if (data + size > limit) -+ if (limit - data < size) - return; - data += size; - -@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - const size_t len1 = sizeof(kSafariExtensionsBlock); - const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); - -- if (data + len1 + len2 != limit) -+ if (limit - data != (int)(len1 + len2)) - return; - if (memcmp(data, kSafariExtensionsBlock, len1) != 0) - return; -@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - } else { - const size_t len = sizeof(kSafariExtensionsBlock); - -- if (data + len != limit) -+ if (limit - data != (int)(len)) - return; - if (memcmp(data, kSafariExtensionsBlock, len) != 0) - return; -@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, - if (data == limit) - goto ri_check; - -- if (data > (limit - 2)) -+ if (limit - data < 2) - goto err; - - n2s(data, len); - -- if (data + len != limit) -+ if (limit - data != len) - goto err; - -- while (data <= (limit - 4)) { -+ while (limit - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > (limit)) -+ if (limit - data < size) - goto err; - # if 0 - fprintf(stderr, "Received extension type %d size %d\n", type, size); -@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s, - if (s->hit || s->cert->srv_ext.meths_count == 0) - return 1; - -- if (data >= limit - 2) -+ if (limit - data <= 2) - return 1; - n2s(data, len); - -- if (data > limit - len) -+ if (limit - data < len) - return 1; - -- while (data <= limit - 4) { -+ while (limit - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > limit) -+ if (limit - data < size) - return 1; - if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0) - return 0; -@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, - SSL_TLSEXT_HB_DONT_SEND_REQUESTS); - # endif - -- if (data >= (d + n - 2)) 
-+ if ((d + n) - data <= 2) - goto ri_check; - - n2s(data, length); -- if (data + length != d + n) { -+ if ((d + n) - data != length) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - -- while (data <= (d + n - 4)) { -+ while ((d + n) - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > (d + n)) -+ if ((d + n) - data < size) - goto ri_check; - - if (s->tlsext_debug_cb) -@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, - /* Skip past DTLS cookie */ - if (SSL_IS_DTLS(s)) { - i = *(p++); -- p += i; -- if (p >= limit) -+ -+ if (limit - p <= i) - return -1; -+ -+ p += i; - } - /* Skip past cipher list */ - n2s(p, i); -- p += i; -- if (p >= limit) -+ if (limit - p <= i) - return -1; -+ p += i; -+ - /* Skip past compression algorithm list */ - i = *(p++); -- p += i; -- if (p > limit) -+ if (limit - p < i) - return -1; -+ p += i; -+ - /* Now at start of extensions */ -- if ((p + 2) >= limit) -+ if (limit - p <= 2) - return 0; - n2s(p, i); -- while ((p + 4) <= limit) { -+ while (limit - p >= 4) { - unsigned short type, size; - n2s(p, type); - n2s(p, size); -- if (p + size > limit) -+ if (limit - p < size) - return 0; - if (type == TLSEXT_TYPE_session_ticket) { - int r; --- -1.9.1 - diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index c023965c0f63..f684969f9054 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix 
@@ -106,26 +106,18 @@ let in { openssl_1_0_1 = common { - version = "1.0.1t"; - sha256 = "4a6ee491a2fdb22e519c76fdc2a628bb3cec12762cd456861d207996c8a07088"; - patches = [ - # https://git.openssl.org/?p=openssl.git;a=commit;h=6f35f6deb5ca7daebe289f86477e061ce3ee5f46 - ./1.0.1-CVE-2016-2177.diff - ]; + version = "1.0.1u"; + sha256 = "0fb7y9pwbd76pgzd7xzqfrzibmc0vf03sl07f34z5dhm2b5b84j3"; }; openssl_1_0_2 = common { - version = "1.0.2h"; - sha256 = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"; - patches = [ - # https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7 - ./1.0.2-CVE-2016-2177.diff - ]; + version = "1.0.2i"; + sha256 = "0vyy038676cv3m2523fi9ll9nkjxadqdnz18zdp5nm6925yli1wj"; }; openssl_1_1_0 = common { - version = "1.1.0"; - sha256 = "10lcpmnxap9nw8ymdglys93cgkwd1lf1rz4fhq5whwhlmkwrzipm"; + version = "1.1.0a"; + sha256 = "0as40a1lipl9qfax7495jc1xfb049ygavkaxxk4y5kcn8birdrn2"; }; } diff --git a/pkgs/development/libraries/rabbitmq-c/0.4.nix b/pkgs/development/libraries/rabbitmq-c/0.4.nix deleted file mode 100644 index 2c92ba5618cf..000000000000 --- a/pkgs/development/libraries/rabbitmq-c/0.4.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ stdenv, fetchurl, cmake, openssl, popt, xmlto }: - -stdenv.mkDerivation rec { - version = "0.4.1"; - name = "rabbitmq-c-${version}"; - - src = fetchurl { - name = "${name}.tar.gz"; - url = "https://github.com/alanxz/rabbitmq-c/releases/download/v${version}/${name}.tar.gz"; - sha256 = "01m4n043hzhhxky8z67zj3r4gbg3mwcqbwqr9nms9lqbfaa70x93"; - }; - - buildInputs = [ cmake openssl popt xmlto ]; - - meta = { - description = "RabbitMQ C AMQP client library"; - homepage = https://github.com/alanxz/rabbitmq-c; - license = stdenv.lib.licenses.mit; - platforms = with stdenv.lib.platforms; linux; - }; -} diff --git a/pkgs/development/libraries/strigi/default.nix b/pkgs/development/libraries/strigi/default.nix index ee89eda327d0..faba57d155fb 100644 
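Review bot: In the `openssl_1_0_1` and `openssl_1_0_2` entries, dropping `./1.0.1-CVE-2016-2177.diff` and `./1.0.2-CVE-2016-2177.diff` also removes the two comment lines that tied each patch to its upstream commit, so nothing records why the CVE-2016-2177 fix is no longer carried locally. Presumably 1.0.1u and 1.0.2i already contain the commits named in the removed comments; that should be confirmed against the upstream changelog before merging. A one-line comment on each entry would keep the audit trail, for example `# CVE-2016-2177 is fixed upstream in this release; local patch dropped`. The three new `sha256` values should be checked against the digests or signatures upstream publishes for 1.0.1u, 1.0.2i and 1.1.0a, not taken from the first fetch. The `common` helper and the rest of the `let` body lie outside this hunk.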
--- a/pkgs/development/libraries/strigi/default.nix +++ b/pkgs/development/libraries/strigi/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { url = "http://www.vandenoever.info/software/strigi/${name}.tar.bz2"; sha256 = "12grxzqwnvbyqw7q1gnz42lypadxmq89vk2qpxczmpmc4nk63r23"; }; - + includeAllQtDirs = true; CLUCENE_HOME = clucene_core; @@ -24,6 +24,15 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + # Strigi installs some libraries in an incorrect place + # ($out/$out/lib instead of $out/lib), so move them to the right + # place. + postInstall = + '' + mv $out/$out/lib/* $out/lib + rm -rf $out/nix + ''; + meta = { homepage = http://strigi.sourceforge.net; description = "A very fast and efficient crawler to index data on your harddrive"; diff --git a/pkgs/development/libraries/webkitgtk/2.10.nix b/pkgs/development/libraries/webkitgtk/2.10.nix deleted file mode 100644 index e74cc6421b24..000000000000 --- a/pkgs/development/libraries/webkitgtk/2.10.nix +++ /dev/null 
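Review bot: In the new `postInstall`, `rm -rf $out/nix` hard-codes the first component of the store path and both commands expand `$out` unquoted. With a store directory that is not under `/nix`, the nested tree would stay in the output. The `rm -rf` also silently discards anything else that ended up under `$out/$out` besides `lib`; whether such files exist cannot be seen from this hunk. Quoting the expansions, as in `mv "$out/$out"/lib/* "$out/lib"`, and deriving the directory to delete from `$out` itself would make the workaround independent of the store location. A final check that the nested tree is empty before removal would turn an unexpected leftover into a build failure instead of a silent deletion.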
@@ -1,86 +0,0 @@ -{ stdenv, fetchurl, fetchpatch, perl, python, ruby, bison, gperf, cmake -, pkgconfig, gettext, gobjectIntrospection, libnotify -, gtk2, gtk3, wayland, libwebp, enchant -, libxml2, libsoup, libsecret, libxslt, harfbuzz, libpthreadstubs -, enableGeoLocation ? false, geoclue2, sqlite, xorg -, enableCredentialStorage ? !stdenv.isDarwin -, gst-plugins-base, readline, libedit -}: - -assert enableGeoLocation -> geoclue2 != null; -assert stdenv.isDarwin -> !enableCredentialStorage; - -with stdenv.lib; -stdenv.mkDerivation rec { - name = "webkitgtk-${version}"; - version = "2.10.9"; - - meta = { - description = "Web content rendering engine, GTK+ port"; - homepage = "http://webkitgtk.org/"; - license = licenses.bsd2; - platforms = platforms.linux; - hydraPlatforms = []; - maintainers = with maintainers; [ koral ]; - }; - - preConfigure = "patchShebangs Tools"; - - src = fetchurl { - url = "http://webkitgtk.org/releases/${name}.tar.xz"; - sha256 = "0sg935wpkgyd5ypd5fj25vd7ri8s6sbrmssb53xbgcc02xs8vcdv"; - }; - - patches = [ - ./finding-harfbuzz-icu.patch - ] ++ optional stdenv.isDarwin ./adding-libintl.patch; - - cmakeFlags = [ - "-DPORT=GTK" - "-DUSE_LIBHYPHEN=OFF" - ] ++ optionals (!enableCredentialStorage) [ - "-DENABLE_CREDENTIAL_STORAGE=OFF" - ] ++ optionals (!enableGeoLocation) [ - "-DENABLE_GEOLOCATION=OFF" - ] ++ optionals stdenv.isDarwin [ - "-DENABLE_WEBKIT=ON" - "-DENABLE_X11_TARGET=OFF" - "-DENABLE_QUARTZ_TARGET=ON" - "-DENABLE_TOOLS=ON" - "-DENABLE_MINIBROWSER=ON" - "-DENABLE_PLUGIN_PROCESS_GTK2=OFF" - "-DENABLE_VIDEO=OFF" - "-DENABLE_WEB_AUDIO=OFF" - "-DENABLE_OPENGL=OFF" - "-DENABLE_INTROSPECTION=OFF" - "-DUSE_LIBNOTIFY=OFF" - "-DCMAKE_SHARED_LINKER_FLAGS=-L/path/to/nonexistent/folder" - ]; - - # XXX: WebKit2 missing include path for gst-plugins-base. 
- # Filled: https://bugs.webkit.org/show_bug.cgi?id=148894 - NIX_CFLAGS_COMPILE = "-I${gst-plugins-base.dev}/include/gstreamer-1.0"; - - nativeBuildInputs = [ - cmake perl python ruby bison gperf sqlite - pkgconfig gettext gobjectIntrospection - ]; - - buildInputs = [ - gtk2 libwebp enchant libnotify - libxml2 libxslt harfbuzz libpthreadstubs - gst-plugins-base xorg.libXt - ] ++ optionals enableCredentialStorage [ - libsecret - ] ++ (if stdenv.isDarwin then [ - readline libedit - ] else [ - wayland - ]) ++ optional enableGeoLocation geoclue2; - - propagatedBuildInputs = [ - libsoup gtk3 - ]; - - enableParallelBuilding = true; -} diff --git a/pkgs/development/libraries/webkitgtk/2.14.nix b/pkgs/development/libraries/webkitgtk/2.14.nix new file mode 100644 index 000000000000..fca358ed4305 --- /dev/null +++ b/pkgs/development/libraries/webkitgtk/2.14.nix 
@@ -0,0 +1,63 @@ +{ stdenv, fetchurl, perl, python, ruby, bison, gperf, cmake +, pkgconfig, gettext, gobjectIntrospection, libnotify, gnutls +, gtk2, gtk3, wayland, libwebp, enchant, xlibs, libxkbcommon, epoxy, at_spi2_core +, libxml2, libsoup, libsecret, libxslt, harfbuzz, libpthreadstubs +, enableGeoLocation ? true, geoclue2, sqlite +, gst-plugins-base +}: + +assert enableGeoLocation -> geoclue2 != null; + +with stdenv.lib; +stdenv.mkDerivation rec { + name = "webkitgtk-${version}"; + version = "2.14.0"; + + meta = { + description = "Web content rendering engine, GTK+ port"; + homepage = "http://webkitgtk.org/"; + license = licenses.bsd2; + platforms = platforms.linux; + hydraPlatforms = []; + maintainers = with maintainers; [ ]; + }; + + preConfigure = "patchShebangs Tools"; + + src = fetchurl { + url = "http://webkitgtk.org/releases/${name}.tar.xz"; + sha256 = "02paj0anbnqn1z3hn5c4csmq9nga995rzagiplj3sjk2dj1ss4q5"; + }; + + # see if we can clean this up.... + + patches = [ ./finding-harfbuzz-icu.patch ]; + + cmakeFlags = [ + "-DPORT=GTK" + "-DUSE_LIBHYPHEN=0" + "-DENABLE_GLES2=ON" + ]; + + # XXX: WebKit2 missing include path for gst-plugins-base. + # Filled: https://bugs.webkit.org/show_bug.cgi?id=148894 + #NIX_CFLAGS_COMPILE = "-I${gst-plugins-base.dev}/include/gstreamer-1.0"; + + nativeBuildInputs = [ + cmake perl python ruby bison gperf sqlite + pkgconfig gettext gobjectIntrospection + ]; + + buildInputs = [ + gtk2 wayland libwebp enchant libnotify gnutls + libxml2 libsecret libxslt harfbuzz libpthreadstubs + gst-plugins-base libxkbcommon epoxy at_spi2_core + ] ++ optional enableGeoLocation geoclue2 + ++ (with xlibs; [ libXdmcp libXt libXtst ]); + + propagatedBuildInputs = [ + libsoup gtk3 + ]; + + enableParallelBuilding = true; +} |
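Review bot: The argument list of the new 2.14.nix declares `enableGeoLocation ? true`, whereas the 2.10.nix removed in this same commit used `false`, so every consumer now gets geoclue2 support built in unless it overrides the argument. For a web engine that is a privacy-relevant default; either keep `, enableGeoLocation ? false, geoclue2, sqlite` or add a comment saying the flip is intentional. `maintainers = with maintainers; [ ];` leaves a package that needs frequent security updates without a listed owner (2.10.nix listed one), and `libsecret` is now an unconditional build input because the `enableCredentialStorage` switch is gone. The `NIX_CFLAGS_COMPILE` line is commented out while its `# XXX` explanation remains; remove both or restore the line so the comment does not describe dead configuration.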