authorRobin Gloster <mail@glob.in>2016-07-19 10:37:02 +0000
committerRobin Gloster <mail@glob.in>2016-07-19 10:37:02 +0000
commit203846b9de3bc67e77c93be9d111408286a17d5d (patch)
tree3306a68a635fad0de834440c25f7e1b69b1e4b10 /pkgs/tools/networking
parent6539901c7f5eeb18cf5e9a493c230a912ff27f82 (diff)
parentb54009fdfb7951bb5423c4fabcb28b70581b5ba8 (diff)
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
Diffstat (limited to 'pkgs/tools/networking')
-rw-r--r--pkgs/tools/networking/ndjbdns/default.nix7
-rw-r--r--pkgs/tools/networking/openssh/default.nix8
-rw-r--r--pkgs/tools/networking/openssh/dont_create_privsep_path.patch11
-rw-r--r--pkgs/tools/networking/proxychains/default.nix17
-rw-r--r--pkgs/tools/networking/shncpd/default.nix27
-rw-r--r--pkgs/tools/networking/vtun/default.nix10
6 files changed, 63 insertions, 17 deletions
diff --git a/pkgs/tools/networking/ndjbdns/default.nix b/pkgs/tools/networking/ndjbdns/default.nix
index 2a7e996f8db2..256f50e5c546 100644
--- a/pkgs/tools/networking/ndjbdns/default.nix
+++ b/pkgs/tools/networking/ndjbdns/default.nix
@@ -1,11 +1,12 @@
 { stdenv, fetchurl, systemd, pkgconfig }:
 
 stdenv.mkDerivation rec {
-  version = "1.05.9";
+  version = "1.06";
   name = "ndjbdns-${version}";
+
   src = fetchurl {
     url = "http://pjp.dgplug.org/ndjbdns/${name}.tar.gz";
-    sha256 = "0gf3hlmr6grcn6dzflf83lqqfp6hk3ldhbc7z0a1rrh059m93ap5";
+    sha256 = "09qi5a9abqm08iqmxj74fzzq9x1w5lzr1jlbzj2hl8hz0g2sgraw";
   };
 
   buildInputs = [ pkgconfig systemd ];
@@ -21,4 +22,4 @@ stdenv.mkDerivation rec {
     platforms = platforms.linux;
   };
 
-}
\ No newline at end of file
+}
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 064745f88558..a0cb0795a261 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -45,6 +45,9 @@ stdenv.mkDerivation rec {
       ./locale_archive.patch
       ./fix-host-key-algorithms-plus.patch
       ./CVE-2015-8325.patch
+
+      # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
+      ./dont_create_privsep_path.patch
     ]
     ++ optional withGssapiPatches gssapiSrc;
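Review bot: The comment on the new patch entry only links to a pull request, so the file itself does not say what the privilege-separation directory now depends on. With the `--with-privsep-path=$out/empty` preConfigure dropped in the next hunk, sshd presumably falls back to the configure default (`/var/empty` upstream), and dont_create_privsep_path.patch stops `make install` from creating it. sshd expects that directory to exist, be root-owned and not be writable by group or others when it chroots its unprivileged child, so something outside this package has to provide it. I would say so in place, e.g. `# privsep dir is the configure default; it must exist at runtime (root-owned, not group/world-writable) and is not created at install time`. The patches list starts outside this hunk.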
 
@@ -66,11 +69,6 @@ stdenv.mkDerivation rec {
     ++ optional stdenv.isDarwin "--disable-libutil"
     ++ optional (!linkOpenssl) "--without-openssl";
 
-  preConfigure = ''
-    configureFlagsArray+=("--with-privsep-path=$out/empty")
-    mkdir -p $out/empty
-  '';
-
   enableParallelBuilding = true;
 
   hardeningEnable = [ "pie" ];
diff --git a/pkgs/tools/networking/openssh/dont_create_privsep_path.patch b/pkgs/tools/networking/openssh/dont_create_privsep_path.patch
new file mode 100644
index 000000000000..b6d432d5c5de
--- /dev/null
+++ b/pkgs/tools/networking/openssh/dont_create_privsep_path.patch
@@ -0,0 +1,11 @@
+diff -ur openssh-7.2p2_orig/Makefile.in openssh-7.2p2/Makefile.in
+--- openssh-7.2p2_orig/Makefile.in	2016-03-09 19:04:48.000000000 +0100
++++ openssh-7.2p2/Makefile.in	2016-07-16 09:56:05.643903293 +0200
+@@ -301,7 +301,6 @@
+ 	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
+ 	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
+ 	$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
+-	(umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
diff --git a/pkgs/tools/networking/proxychains/default.nix b/pkgs/tools/networking/proxychains/default.nix
index 2b85cef70c55..ed19f9d1674f 100644
--- a/pkgs/tools/networking/proxychains/default.nix
+++ b/pkgs/tools/networking/proxychains/default.nix
@@ -1,10 +1,13 @@
-{ stdenv, fetchgit } :
-stdenv.mkDerivation {
-  name = "proxychains-4.0.1-head";
-  src = fetchgit {
-    url = https://github.com/haad/proxychains.git;
-    rev = "c9b8ce35b24f9d4e80563242b759dff54867163f";
-    sha256 = "163h3d3lpglbzjadf8a9kfaf0i1ds25r7si6ll6d5khn1835zik5";
+{ stdenv, fetchFromGitHub } :
+stdenv.mkDerivation rec {
+  name = "proxychains-${version}";
+  version = "4.2.0";
+
+  src = fetchFromGitHub {
+    owner = "haad";
+    repo = "proxychains";
+    rev = name;
+    sha256 = "015skh3z1jmm8kxbm3nkqv1w56kcvabdmcbmpwzywxr4xnh3x3pc";
   };
 
   meta = {
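Review bot: `rev = name;` ties the fetched tag to the derivation name, so a later change to `name` (a suffix or a rename) also changes which ref is requested, and the link between the two is easy to miss. Spelling the tag out keeps them independent: `rev = "proxychains-${version}";`. An upstream tag can be moved, but the pinned sha256 still fixes the content that is accepted. The mkDerivation body continues past this hunk.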
diff --git a/pkgs/tools/networking/shncpd/default.nix b/pkgs/tools/networking/shncpd/default.nix
new file mode 100644
index 000000000000..be2bc6a75a17
--- /dev/null
+++ b/pkgs/tools/networking/shncpd/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  name = "shncpd-${version}";
+  version = "2016-06-22";
+
+  src = fetchFromGitHub {
+    owner = "jech";
+    repo = "shncpd";
+    rev = "62ef688db7a6535ce11e66c8c93ab64a1bb09484";
+    sha256 = "1sj7a77isc2jmh7gw2naw9l9366kjx6jb909h7spj7daxdwvji8f";
+  };
+
+  hardeningEnable = [ "pie" ];
+
+  preConfigure = ''
+    makeFlags=( "PREFIX=$out" )
+  '';
+
+  meta = with stdenv.lib; {
+    description = "Simple, stupid and slow HNCP daemon";
+    homepage = https://www.irif.univ-paris-diderot.fr/~jch/software/homenet/shncpd.html;
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.fpletz ];
+  };
+}
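Review bot: In preConfigure, `makeFlags=( "PREFIX=$out" )` assigns a bash array to a variable that stdenv appears to expand as a plain string, which would pass only the first element to make. It works here because there is a single element, but a flag added later would likely be dropped without an error. The declarative form avoids the shell hook entirely: `makeFlags = [ "PREFIX=$(out)" ];`, or use `makeFlagsArray` if the shell form is kept.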
diff --git a/pkgs/tools/networking/vtun/default.nix b/pkgs/tools/networking/vtun/default.nix
index b0397149e60d..09f48d9fa1ad 100644
--- a/pkgs/tools/networking/vtun/default.nix
+++ b/pkgs/tools/networking/vtun/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, openssl, lzo, zlib, yacc, flex }:
+{ stdenv, fetchurl, fetchpatch, openssl, lzo, zlib, yacc, flex }:
 
 stdenv.mkDerivation rec {
   name = "vtun-3.0.3";
@@ -8,7 +8,13 @@ stdenv.mkDerivation rec {
     sha256 = "1jxrxp3klhc8az54d5qn84cbc0vdafg319jh84dxkrswii7vxp39";
   };
 
-  patchPhase = ''
+  patches = [
+    (fetchpatch { url = http://sources.debian.net/data/main/v/vtun/3.0.3-2.2/debian/patches/08-gcc5-inline.patch;
+                 sha256 = "18sys97v2hx6vac5zp3ld7sa6kz4izv3g9dnkm0lflbaxhym2vs1";
+                })
+  ];
+
+  postPatch = ''
     sed -i -e 's/-m 755//' -e 's/-o root -g 0//' Makefile.in
     sed -i '/strip/d' Makefile.in
   '';
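Review bot: The `fetchpatch` URL is plain `http://`, so the pinned sha256 is the only thing authenticating the Debian patch. That is sufficient for integrity, but the entry carries no comment saying what the patch is for, which matters when the versioned Debian path moves and someone has to re-verify the hash. Judging by the file name it addresses GCC 5 inline handling, so something like `# build fix for GCC 5 inline semantics, taken from Debian 3.0.3-2.2` above the entry would do. The attrset layout also differs from the rest of the file; `url` and `sha256` on their own lines under `(fetchpatch {` would match. The mkDerivation body continues past this hunk.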