Diffstat (limited to 'pkgs/tools')
118 files changed, 369 insertions, 189 deletions
diff --git a/pkgs/tools/X11/x2vnc/default.nix b/pkgs/tools/X11/x2vnc/default.nix index a0d1013b8726..31ad524cf8f3 100644 --- a/pkgs/tools/X11/x2vnc/default.nix +++ b/pkgs/tools/X11/x2vnc/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { xorg.libXrandr xorg.randrproto ]; - preInstall = "mkdir -p $out"; + hardeningDisable = [ "format" ]; meta = { homepage = http://fredrik.hubbe.net/x2vnc.html; diff --git a/pkgs/tools/X11/x2x/default.nix b/pkgs/tools/X11/x2x/default.nix index 06d08195688a..dd529011557a 100644 --- a/pkgs/tools/X11/x2x/default.nix +++ b/pkgs/tools/X11/x2x/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { buildInputs = [ imake libX11 libXtst libXext ]; + hardeningDisable = [ "format" ]; + configurePhase = '' xmkmf makeFlags="BINDIR=$out/bin x2x" diff --git a/pkgs/tools/X11/xbindkeys-config/default.nix b/pkgs/tools/X11/xbindkeys-config/default.nix index 57d8d82759ce..cef071bb3b61 100644 --- a/pkgs/tools/X11/xbindkeys-config/default.nix +++ b/pkgs/tools/X11/xbindkeys-config/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "1rs3li2hyig6cdzvgqlbz0vw6x7rmgr59qd6m0cvrai8xhqqykda"; }; + hardeningDisable = [ "format" ]; + meta = { homepage = https://packages.debian.org/source/xbindkeys-config; description = "Graphical interface for configuring xbindkeys"; diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix index 22b8a607fd34..e7164bf07b6c 100644 --- a/pkgs/tools/admin/tightvnc/default.nix +++ b/pkgs/tools/admin/tightvnc/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation { inherit xauth fontDirectories perl; gcc = stdenv.cc.cc; + hardeningDisable = [ "format" ]; + buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw libXpm libXp xauth openssh ]; diff --git a/pkgs/tools/archivers/cromfs/default.nix b/pkgs/tools/archivers/cromfs/default.nix index 23aa02bcac7f..042880b39c9b 100644 --- a/pkgs/tools/archivers/cromfs/default.nix +++ b/pkgs/tools/archivers/cromfs/default.nix 
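Review bot: `hardeningDisable = [ "format" ];` in the x2vnc hunk has no comment naming the build error it works around, and the same bare line is added for x2x, xbindkeys-config, tightvnc, dar, sharutils, unzip, zip and many later packages in this commit. The flag only turns off the format-security compile error, so it adds no bug by itself, but each opt-out records that upstream passes non-literal strings to printf-style functions; for tools that typically handle untrusted files (unzip, zip, sharutils) that deserves a follow-up audit. The jfsutils change in this same commit shows the better fix, rewriting the calls as `printf("%s", msg_string);` instead of opting out. At minimum I would put `# FIXME: upstream uses non-literal format strings; patch and re-enable` above each opt-out. The x2vnc hunk also drops `preInstall = "mkdir -p $out";`, which looks unrelated to hardening and should be mentioned in the commit message.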
@@ -10,9 +10,6 @@ stdenv.mkDerivation rec { postPatch = "patchShebangs configure"; - # Removing the static linking, as it doesn't compile in x86_64. - makeFlags = "cromfs-driver util/mkcromfs util/unmkcromfs util/cvcromfs"; - installPhase = '' install -d $out/bin install cromfs-driver $out/bin diff --git a/pkgs/tools/archivers/dar/default.nix b/pkgs/tools/archivers/dar/default.nix index 92a81f9e5d67..b64b6e4ca0a2 100644 --- a/pkgs/tools/archivers/dar/default.nix +++ b/pkgs/tools/archivers/dar/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + meta = { homepage = http://dar.linux.free.fr/; description = "Disk ARchiver, allows backing up files into indexed archives"; diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix index e806a962eabb..41043cda5b65 100644 --- a/pkgs/tools/archivers/sharutils/default.nix +++ b/pkgs/tools/archivers/sharutils/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g"; }; + hardeningDisable = [ "format" ]; + preConfigure = '' # Fix for building on Glibc 2.16. Won't be needed once the # gnulib in sharutils is updated. diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix index b5d03bc18b27..da0983fc0970 100644 --- a/pkgs/tools/archivers/unzip/default.nix +++ b/pkgs/tools/archivers/unzip/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"; }; + hardeningDisable = [ "format" ]; + patches = [ ./CVE-2014-8139.diff ./CVE-2014-8140.diff diff --git a/pkgs/tools/archivers/xarchive/default.nix b/pkgs/tools/archivers/xarchive/default.nix index 5868dcf10a7f..0cb4fbbf3f03 100644 --- a/pkgs/tools/archivers/xarchive/default.nix +++ b/pkgs/tools/archivers/xarchive/default.nix 
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ gtk2 pkgconfig ]; + hardeningDisable = [ "format" ]; + meta = { description = "A GTK+ front-end for command line archiving tools"; maintainers = [ stdenv.lib.maintainers.domenkozar ]; diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix index 431ed354d21c..145b81c95bc8 100644 --- a/pkgs/tools/archivers/zip/default.nix +++ b/pkgs/tools/archivers/zip/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation { sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"; }; + hardeningDisable = [ "format" ]; + makefile = "unix/Makefile"; buildFlags = if stdenv.isCygwin then "cygwin" else "generic"; installFlags = "prefix=$(out) INSTALL=cp"; diff --git a/pkgs/tools/backup/partclone/default.nix b/pkgs/tools/backup/partclone/default.nix index 9aea0c80c6fa..54756a29cd6d 100644 --- a/pkgs/tools/backup/partclone/default.nix +++ b/pkgs/tools/backup/partclone/default.nix @@ -1,21 +1,25 @@ -{stdenv, fetchFromGitHub -, pkgconfig, libuuid -, e2fsprogs, automake, autoconf +{ stdenv, fetchFromGitHub, autoreconfHook +, pkgconfig, libuuid, e2fsprogs }: -stdenv.mkDerivation { - name = "partclone-stable"; - enableParallelBuilding = true; + +stdenv.mkDerivation rec { + name = "partclone-${version}"; + version = "0.2.89"; src = fetchFromGitHub { owner = "Thomas-Tsai"; repo = "partclone"; - rev = "stable"; - sha256 = "0q3brjmnldpr89nhbiajxg3gncz0nagc34n7q2723lpz7bn28w3z"; + rev = version; + sha256 = "0gw47pchqshhm00yf34qgxh6bh2jfryv0sm7ghwn77bv5gzwr481"; }; - buildInputs = [e2fsprogs pkgconfig libuuid automake autoconf]; + nativeBuildInputs = [ autoreconfHook pkgconfig ]; + buildInputs = [ + e2fsprogs libuuid stdenv.cc.libc + (stdenv.lib.getOutput "static" stdenv.cc.libc) + ]; - installPhase = ''make INSTPREFIX=$out install''; + enableParallelBuilding = true; meta = { description = "Utilities to save and restore used blocks on a partition"; 
diff --git a/pkgs/tools/bootloaders/refind/default.nix b/pkgs/tools/bootloaders/refind/default.nix index 744d67c75248..5121ecc9477c 100644 --- a/pkgs/tools/bootloaders/refind/default.nix +++ b/pkgs/tools/bootloaders/refind/default.nix @@ -23,6 +23,8 @@ stdenv.mkDerivation rec { buildInputs = [ gnu-efi efibootmgr dosfstools imagemagick ]; + hardeningDisable = [ "stackprotector" ]; + HOSTARCH = if stdenv.system == "x86_64-linux" then "x64" else if stdenv.system == "i686-linux" then "ia32" diff --git a/pkgs/tools/cd-dvd/cdrdao/default.nix b/pkgs/tools/cd-dvd/cdrdao/default.nix index 95d0f1051be9..caf37ccbe1d5 100644 --- a/pkgs/tools/cd-dvd/cdrdao/default.nix +++ b/pkgs/tools/cd-dvd/cdrdao/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { buildInputs = [ lame libvorbis libmad pkgconfig libao ]; + hardeningDisable = [ "format" ]; + # Adjust some headers to match glibc 2.12 ... patch is a diff between # the cdrdao CVS head and the 1.2.3 release. patches = [ ./adjust-includes-for-glibc-212.patch ]; diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix index 5353a8d432f7..36382c9e8c9f 100644 --- a/pkgs/tools/cd-dvd/cdrkit/default.nix +++ b/pkgs/tools/cd-dvd/cdrkit/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [cmake libcap zlib bzip2]; + hardeningDisable = [ "format" ]; + # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244 patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ]; diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix index 5d6a8634b1ba..64571e24d9a3 100644 --- a/pkgs/tools/compression/xz/default.nix +++ b/pkgs/tools/compression/xz/default.nix 
@@ -17,6 +17,9 @@ stdenv.mkDerivation rec { postInstall = "rm -rf $out/share/doc"; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + meta = with stdenv.lib; { homepage = http://tukaani.org/xz/; description = "XZ, general-purpose data compression software, successor of LZMA"; diff --git a/pkgs/tools/filesystems/fusesmb/default.nix b/pkgs/tools/filesystems/fusesmb/default.nix index 4ddab385a427..5a3451810a12 100644 --- a/pkgs/tools/filesystems/fusesmb/default.nix +++ b/pkgs/tools/filesystems/fusesmb/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { ln -fs ${samba}/lib/libsmbclient.so $out/lib/libsmbclient.so.0 ''; + hardeningDisable = [ "format" ]; + meta = { description = "Samba mounted via FUSE"; homepage = http://www.ricardis.tudelft.nl/~vincent/fusesmb/; diff --git a/pkgs/tools/filesystems/jfsutils/default.nix b/pkgs/tools/filesystems/jfsutils/default.nix index 46ded088c696..16d95bd19336 100644 --- a/pkgs/tools/filesystems/jfsutils/default.nix +++ b/pkgs/tools/filesystems/jfsutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha1 = "291e8bd9d615cf3d27e4000117c81a3602484a50"; }; - patches = [ ./types.patch ]; + patches = [ ./types.patch ./hardening-format.patch ]; buildInputs = [ libuuid ]; diff --git a/pkgs/tools/filesystems/jfsutils/hardening-format.patch b/pkgs/tools/filesystems/jfsutils/hardening-format.patch new file mode 100644 index 000000000000..dd2a93a81ec6 --- /dev/null +++ b/pkgs/tools/filesystems/jfsutils/hardening-format.patch 
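Review bot: The xz hunk turns off `stackprotector` for every build of the package, while the FIXME attributes the problem only to the gcc shipped in the bootstrap tools. If that reading is right, the xz that lands in user closures loses stack canaries too, although it is built with the final compiler and routinely decompresses untrusted input. The coreutils hunk later in this commit has the same pattern. I would extend the comment so the opt-out can be retired, e.g. `# FIXME: remove once bootstrap tools ship gcc >= 4.9; only the bootstrap stage needs this`, or scope it to the bootstrap stage if the stdenv code outside this diff allows that.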
@@ -0,0 +1,37 @@ +--- a/fscklog/fscklog.c 2016-01-29 04:59:54.102223291 +0000 ++++ b/fscklog/fscklog.c 2016-01-29 05:00:10.707552565 +0000 +@@ -252,8 +252,8 @@ + + sprintf(debug_detail, " [%s:%d]\n", basename(file_name), line_number); + +- printf(msg_string); +- printf(debug_detail); ++ printf("%s", msg_string); ++ printf("%s", debug_detail); + + return 0; + } +--- a/fscklog/display.c 2016-01-29 05:05:42.582133444 +0000 ++++ b/fscklog/display.c 2016-01-29 05:05:47.541231780 +0000 +@@ -182,7 +182,7 @@ + } else { + /* the record looks ok */ + msg_txt = &log_entry[log_entry_pos]; +- printf(msg_txt); ++ printf("%s", msg_txt); + /* + * set up for the next record + */ +--- a/logdump/helpers.c 2016-01-29 05:06:26.081996021 +0000 ++++ b/logdump/helpers.c 2016-01-29 05:06:43.097333425 +0000 +@@ -95,8 +95,8 @@ + + sprintf(debug_detail, " [%s:%d]\n", file_name, line_number); + +- printf(msg_string); +- printf(debug_detail); ++ printf("%s", msg_string); ++ printf("%s", debug_detail); + + return 0; + } diff --git a/pkgs/tools/filesystems/reiser4progs/default.nix b/pkgs/tools/filesystems/reiser4progs/default.nix index cd32025e5b66..681fc1c80ef0 100644 --- a/pkgs/tools/filesystems/reiser4progs/default.nix +++ b/pkgs/tools/filesystems/reiser4progs/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [libaal]; + hardeningDisable = [ "format" ]; + preConfigure = '' substituteInPlace configure --replace " -static" "" ''; diff --git a/pkgs/tools/filesystems/udftools/default.nix b/pkgs/tools/filesystems/udftools/default.nix index 7cb924c6cf13..b912bab68260 100644 --- a/pkgs/tools/filesystems/udftools/default.nix +++ b/pkgs/tools/filesystems/udftools/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses readline ]; + hardeningDisable = [ "fortify" ]; + NIX_CFLAGS_COMPILE = "-std=gnu90"; preConfigure = '' diff --git a/pkgs/tools/filesystems/xtreemfs/default.nix b/pkgs/tools/filesystems/xtreemfs/default.nix index adee80d9c5d0..2a85adb60b56 100644 
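Review bot: `hardeningDisable = [ "fortify" ];` in the udftools hunk removes a runtime mitigation (the _FORTIFY_SOURCE bounds checks on libc string and memory calls) and gives no reason, whereas the `format` opt-outs elsewhere in this commit only silence a compile-time error. The same uncommented line is added for graphviz (2.0.nix, 2.32.nix, default.nix), zbar and fondu; graphviz already carries `./cve-2014-9157.patch`, so it is a package where the check has value. Please record what fails with the flag on, e.g. `# fortify disabled because: <reason>`, so the opt-out can be revisited instead of becoming permanent.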
--- a/pkgs/tools/filesystems/xtreemfs/default.nix +++ b/pkgs/tools/filesystems/xtreemfs/default.nix @@ -42,15 +42,19 @@ stdenv.mkDerivation rec { substituteInPlace etc/init.d/generate_initd_scripts.sh \ --replace "/bin/bash" "${stdenv.shell}" + substituteInPlace cpp/thirdparty/gtest-1.7.0/configure \ + --replace "/usr/bin/file" "${file}/bin/file" + + substituteInPlace cpp/thirdparty/protobuf-2.5.0/configure \ + --replace "/usr/bin/file" "${file}/bin/file" + + substituteInPlace cpp/thirdparty/protobuf-2.5.0/gtest/configure \ + --replace "/usr/bin/file" "${file}/bin/file" + # do not put cmake into buildInputs export PATH="$PATH:${cmake}/bin" ''; - preBuild = '' - substituteInPlace configure \ - --replace "/usr/bin/file" "${file}/bin/file" - ''; - doCheck = false; postInstall = '' diff --git a/pkgs/tools/graphics/barcode/default.nix b/pkgs/tools/graphics/barcode/default.nix index b35b929da404..d6a31bd5c7f7 100644 --- a/pkgs/tools/graphics/barcode/default.nix +++ b/pkgs/tools/graphics/barcode/default.nix @@ -9,13 +9,14 @@ stdenv.mkDerivation rec { sha256 = "1indapql5fjz0bysyc88cmc54y8phqrbi7c76p71fgjp45jcyzp8"; }; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "GNU barcode generator"; maintainers = with maintainers; [ raskin ]; platforms = with platforms; allBut darwin; downloadPage = "http://ftp.gnu.org/gnu/barcode/"; updateWalker = true; - inherit version; homepage = http://ftp.gnu.org/gnu/barcode/; }; } diff --git a/pkgs/tools/graphics/editres/default.nix b/pkgs/tools/graphics/editres/default.nix index 78a66721b0c9..a3d343cea577 100644 --- a/pkgs/tools/graphics/editres/default.nix +++ b/pkgs/tools/graphics/editres/default.nix 
@@ -10,7 +10,9 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libXt libXaw libXres utilmacros ]; - preConfigure = "configureFlags=--with-appdefaultdir=$out/share/X11/app-defaults/editres"; + configureFlags = "--with-appdefaultdir=$(out)/share/X11/app-defaults/editres"; + + hardeningDisable = [ "format" ]; meta = { homepage = "http://cgit.freedesktop.org/xorg/app/editres/"; diff --git a/pkgs/tools/graphics/ggobi/default.nix b/pkgs/tools/graphics/ggobi/default.nix index cf2c5598d2a9..e7fb3e773c1d 100644 --- a/pkgs/tools/graphics/ggobi/default.nix +++ b/pkgs/tools/graphics/ggobi/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { configureFlags = "--with-all-plugins"; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "Visualization program for exploring high-dimensional data"; homepage = http://www.ggobi.org/; diff --git a/pkgs/tools/graphics/graphviz/2.0.nix b/pkgs/tools/graphics/graphviz/2.0.nix index 5fa78a3e3b8c..255ec2d536f6 100644 --- a/pkgs/tools/graphics/graphviz/2.0.nix +++ b/pkgs/tools/graphics/graphviz/2.0.nix @@ -12,10 +12,13 @@ stdenv.mkDerivation rec { sha256 = "39b8e1f2ba4cc1f5bdc8e39c7be35e5f831253008e4ee2c176984f080416676c"; }; - buildInputs = [pkgconfig xlibsWrapper libpng libjpeg expat libXaw yacc + buildInputs = [ + pkgconfig xlibsWrapper libpng libjpeg expat libXaw yacc libtool fontconfig pango gd libwebp - ]; - + ]; + + hardeningDisable = [ "format" "fortify" ]; + configureFlags = [ "--with-pngincludedir=${libpng.dev}/include" "--with-pnglibdir=${libpng.out}/lib" diff --git a/pkgs/tools/graphics/graphviz/2.32.nix b/pkgs/tools/graphics/graphviz/2.32.nix index edbe9cd33747..9c125433c3a6 100644 --- a/pkgs/tools/graphics/graphviz/2.32.nix +++ b/pkgs/tools/graphics/graphviz/2.32.nix @@ -31,6 +31,8 @@ stdenv.mkDerivation rec { ] ++ stdenv.lib.optional (xorg == null) "--without-x"; + hardeningDisable = [ "fortify" ]; + preBuild = '' sed -e 's@am__append_5 *=.*@am_append_5 =@' -i lib/gvc/Makefile ''; 
diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index 975c5dc13e8e..1162b338ed75 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -12,9 +12,11 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; + hardeningDisable = [ "fortify" ]; + patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch - + # NOTE: Once this patch is removed, flex can probably be removed from # buildInputs. ./cve-2014-9157.patch diff --git a/pkgs/tools/graphics/jbig2enc/default.nix b/pkgs/tools/graphics/jbig2enc/default.nix index 8d0b7d2d9f49..0bb0bb00efa5 100644 --- a/pkgs/tools/graphics/jbig2enc/default.nix +++ b/pkgs/tools/graphics/jbig2enc/default.nix @@ -1,4 +1,6 @@ -{stdenv, fetchurl, leptonica, zlib, libwebp, giflib, libjpeg, libpng, libtiff }: stdenv.mkDerivation { +{ stdenv, fetchurl, fetchpatch, leptonica, zlib, libwebp, giflib, libjpeg, libpng, libtiff }: + +stdenv.mkDerivation { name = "jbig2enc-0.28"; src = fetchurl { diff --git a/pkgs/tools/graphics/lprof/default.nix b/pkgs/tools/graphics/lprof/default.nix index 0aee233e79bb..7f6a15da33d3 100644 --- a/pkgs/tools/graphics/lprof/default.nix +++ b/pkgs/tools/graphics/lprof/default.nix @@ -7,6 +7,8 @@ stdenv.mkDerivation { name = "lprof-1.11.4.1"; buildInputs = [ scons qt3 lcms1 libtiff vigra ]; + hardeningDisable = [ "format" ]; + preConfigure = '' export QTDIR=${qt3} export qt_directory=${qt3} diff --git a/pkgs/tools/graphics/netpbm/default.nix b/pkgs/tools/graphics/netpbm/default.nix index bebf7680ded3..3c724ccc2b83 100644 --- a/pkgs/tools/graphics/netpbm/default.nix +++ b/pkgs/tools/graphics/netpbm/default.nix 
@@ -3,11 +3,11 @@ , enableX11 ? false, libX11 }: stdenv.mkDerivation rec { - name = "netpbm-10.66.00"; + name = "netpbm-10.70.00"; src = fetchurl { url = "mirror://gentoo/distfiles/${name}.tar.xz"; - sha256 = "1z33pxdir92m7jlvp5c2q44gxwj7jyf8skiqkr71kgirw4w4zsbz"; + sha256 = "14vxmzbwsy4rzrqjnzr4cvz1s0amacq69faps3v1j1kr05lcns0j"; }; postPatch = /* CVE-2005-2471, from Arch */ '' @@ -15,8 +15,6 @@ stdenv.mkDerivation rec { --replace '"-DSAFER"' '"-DPARANOIDSAFER"' ''; - NIX_CFLAGS_COMPILE = "-fPIC"; # Gentoo adds this on every platform - buildInputs = [ pkgconfig flex zlib perl libpng libjpeg libxml2 makeWrapper libtiff ] ++ lib.optional enableX11 libX11; diff --git a/pkgs/tools/graphics/nifskope/default.nix b/pkgs/tools/graphics/nifskope/default.nix index decd6fb56fd3..f66d01ef7aa3 100644 --- a/pkgs/tools/graphics/nifskope/default.nix +++ b/pkgs/tools/graphics/nifskope/default.nix @@ -23,6 +23,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + # Inspired by linux-install/nifskope.spec.in. installPhase = '' diff --git a/pkgs/tools/graphics/ploticus/default.nix b/pkgs/tools/graphics/ploticus/default.nix index ff28959148fc..b855410f37f2 100644 --- a/pkgs/tools/graphics/ploticus/default.nix +++ b/pkgs/tools/graphics/ploticus/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation { buildInputs = [ zlib libX11 libpng ]; + hardeningDisable = [ "format" ]; + patches = [ ./ploticus-install.patch ]; meta = with stdenv.lib; { diff --git a/pkgs/tools/graphics/plotutils/default.nix b/pkgs/tools/graphics/plotutils/default.nix index 3cf0c5c3c89a..c6bde4c5b0c3 100644 --- a/pkgs/tools/graphics/plotutils/default.nix +++ b/pkgs/tools/graphics/plotutils/default.nix @@ -25,6 +25,8 @@ stdenv.mkDerivation rec { configureFlags = "--enable-libplotter"; # required for pstoedit + hardeningDisable = [ "format" ]; + doCheck = true; meta = { 
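Review bot: The bump to netpbm-10.70.00 keeps the CVE-2005-2471 workaround as a purely textual `--replace '"-DSAFER"' '"-DPARANOIDSAFER"'`, and nothing visible in either hunk checks that the new tarball still contains the `"-DSAFER"` string. The start of `postPatch` is outside the hunk, so this is inferred, but if the substitution matches nothing the build would still succeed and ship without the mitigation. A guard right after the substitution makes that case fail loudly, for example `grep -q -- '-DPARANOIDSAFER' <patched-file> || exit 1`, with the file name taken from the existing substituteInPlace call.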
diff --git a/pkgs/tools/graphics/pngcheck/default.nix b/pkgs/tools/graphics/pngcheck/default.nix index 38efa0236b2e..6814a06e3b95 100644 --- a/pkgs/tools/graphics/pngcheck/default.nix +++ b/pkgs/tools/graphics/pngcheck/default.nix @@ -8,9 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0pzkj1bb4kdybk6vbfq9s0wzdm5szmrgixkas3xmbpv4mhws1w3p"; }; - # configurePhase = '' - # sed -i s,/usr,$out, Makefile - # ''; + hardeningDisable = [ "format" ]; makefile = "Makefile.unx"; makeFlags = "ZPATH=${zlib.static}/lib"; diff --git a/pkgs/tools/graphics/qrcode/default.nix b/pkgs/tools/graphics/qrcode/default.nix index f0e86ddfb1de..606e546af293 100644 --- a/pkgs/tools/graphics/qrcode/default.nix +++ b/pkgs/tools/graphics/qrcode/default.nix @@ -1,4 +1,4 @@ -{stdenv, fetchgit}: +{ stdenv, fetchgit }: let s = rec { @@ -16,14 +16,19 @@ in stdenv.mkDerivation { inherit (s) name version; inherit buildInputs; + src = fetchgit { inherit (s) rev url sha256; }; + + NIX_CFLAGS_COMPILE = "-Wno-error=unused-result"; + installPhase = '' mkdir -p "$out"/{bin,share/doc/qrcode} cp qrcode "$out/bin" cp DOCUMENTATION LICENCE "$out/share/doc/qrcode" ''; + meta = { inherit (s) version; description = ''A small QR-code tool''; diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix index 3e8e824d1c65..948bba6d459f 100644 --- a/pkgs/tools/graphics/transfig/default.nix +++ b/pkgs/tools/graphics/transfig/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [zlib libjpeg libpng imake]; inherit libpng; + hardeningDisable = [ "format" ]; + patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch]; prefixPatch1 = diff --git a/pkgs/tools/graphics/zbar/default.nix b/pkgs/tools/graphics/zbar/default.nix index 2751da42a4c3..9a181e7d087d 100644 --- a/pkgs/tools/graphics/zbar/default.nix +++ b/pkgs/tools/graphics/zbar/default.nix 
@@ -38,6 +38,8 @@ stdenv.mkDerivation rec { [ imagemagickBig pkgconfig python pygtk perl libX11 libv4l qt4 lzma gtk2 autoreconfHook ]; + hardeningDisable = [ "fortify" ]; + meta = with stdenv.lib; { description = "Bar code reader"; longDescription = '' diff --git a/pkgs/tools/inputmethods/ibus-engines/ibus-m17n/default.nix b/pkgs/tools/inputmethods/ibus-engines/ibus-m17n/default.nix index 81bfffb25464..2dbab7129555 100644 --- a/pkgs/tools/inputmethods/ibus-engines/ibus-m17n/default.nix +++ b/pkgs/tools/inputmethods/ibus-engines/ibus-m17n/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchFromGitHub -, automake, autoconf, libtool, pkgconfig +, autoreconfHook, pkgconfig , ibus, m17n_lib, m17n_db, gettext, python3, pygobject3 }: @@ -19,11 +19,7 @@ stdenv.mkDerivation rec { python3 pygobject3 ]; - nativeBuildInputs = [ automake autoconf libtool pkgconfig ]; - - preConfigure = '' - autoreconf --verbose --force --install - ''; + nativeBuildInputs = [ autoreconfHook pkgconfig ]; meta = with stdenv.lib; { isIbusEngine = true; diff --git a/pkgs/tools/misc/calamares/default.nix b/pkgs/tools/misc/calamares/default.nix index 98fcf9182d4b..7c7c0b0a5ec3 100644 --- a/pkgs/tools/misc/calamares/default.nix +++ b/pkgs/tools/misc/calamares/default.nix 
@@ -1,15 +1,16 @@ -{ stdenv, fetchgit, cmake, polkit-qt, libyamlcpp, python, boost, parted +{ stdenv, fetchurl, cmake, polkit-qt, libyamlcpp, python, boost, parted , extra-cmake-modules, kconfig, ki18n, kcoreaddons, solid, utillinux, libatasmart , ckbcomp, glibc, tzdata, xkeyboard_config, qtbase, qtsvg, qttools }: stdenv.mkDerivation rec { - name = "calamares-${version}"; - version = "1.0"; - - src = fetchgit { - url = "https://github.com/calamares/calamares.git"; - rev = "dabfb68a68cb012a90cd7b94a22e1ea08f7dd8ad"; - sha256 = "12n161fmzybi20pxcjikqnckhzh175ni5da122p74bx7fzv7q41p"; + name = "${pname}-${version}"; + pname = "calamares"; + version = "1.1.4.2"; + + # release including submodule + src = fetchurl { + url = "https://github.com/${pname}/${pname}/releases/download/v${version}/${name}.tar.gz"; + sha256 = "1mh0nmzc3i1aqcj79q2s3vpccn0mirlfbj26sfyb0v6gcrvf707d"; }; buildInputs = [ diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index ea9ee271ebfd..e1d9bb921fd9 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -20,12 +20,17 @@ let sha256 = "11yfrnb94xzmvi4lhclkcmkqsbhww64wf234ya1aacjvg82prrii"; }; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + patches = optional stdenv.isCygwin ./coreutils-8.23-4.cygwin.patch; # The test tends to fail on btrfs and maybe other unusual filesystems. postPatch = optionalString (!stdenv.isDarwin) '' sed '2i echo Skipping dd sparse test && exit 0' -i ./tests/dd/sparse.sh sed '2i echo Skipping cp sparse test && exit 0' -i ./tests/cp/sparse.sh + sed '2i echo Skipping rm deep-2 test && exit 0' -i ./tests/rm/deep-2.sh + sed '2i echo Skipping du long-from-unreadable test && exit 0' -i ./tests/du/long-from-unreadable.sh ''; outputs = [ "out" "info" ]; diff --git a/pkgs/tools/misc/ddccontrol/automake.patch b/pkgs/tools/misc/ddccontrol/automake.patch new file mode 100644 index 000000000000..a890654ca7c7 
--- /dev/null +++ b/pkgs/tools/misc/ddccontrol/automake.patch @@ -0,0 +1,14 @@ +diff --git a/src/gnome-ddcc-applet/Makefile.am b/src/gnome-ddcc-applet/Makefile.am +index d85ff56..b13e74c 100644 +--- a/src/gnome-ddcc-applet/Makefile.am ++++ b/src/gnome-ddcc-applet/Makefile.am +@@ -6,7 +6,8 @@ DDCC_LDADD = ../lib/libddccontrol.la + + EXTRA_DIST = GNOME_ddcc-applet.server.in.in GNOME_ddcc-applet.xml + +-pkglib_PROGRAMS = ddcc-applet ++programfilesdir = $(pkglibdir) ++programfiles_PROGRAMS = ddcc-applet + ddcc_applet_SOURCES = ddcc-applet.c ddcc-applet.h + + ddcc_applet_LDADD = $(GNOME_LDFLAGS) $(DDCC_LDADD) diff --git a/pkgs/tools/misc/ddccontrol/default.nix b/pkgs/tools/misc/ddccontrol/default.nix index 2d5d10054b5b..fb11a3b87567 100644 --- a/pkgs/tools/misc/ddccontrol/default.nix +++ b/pkgs/tools/misc/ddccontrol/default.nix @@ -1,39 +1,25 @@ -{ stdenv -, fetchurl -, intltool -, libtool -, autoconf -, automake110x -, perl -, perlPackages -, libxml2 -, pciutils -, pkgconfig -, gtk -, ddccontrol-db +{ stdenv, fetchurl, autoreconfHook, intltool, perl, perlPackages, libxml2 +, pciutils, pkgconfig, gtk, ddccontrol-db }: let version = "0.4.2"; in stdenv.mkDerivation { name = "ddccontrol-${version}"; + src = fetchurl { url = "mirror://sourceforge/ddccontrol/ddccontrol-${version}.tar.bz2"; sha1 = "fd5c53286315a61a18697a950e63ed0c8d5acff1"; }; - buildInputs = - [ - intltool - libtool - autoconf - automake110x - perl - perlPackages.libxml_perl - libxml2 - pciutils - pkgconfig - gtk - ddccontrol-db - ]; + + nativeBuildInputs = [ autoreconfHook intltool pkgconfig ]; + + buildInputs = [ + perl perlPackages.libxml_perl libxml2 pciutils gtk ddccontrol-db + ]; + + patches = [ ./automake.patch ]; + + hardeningDisable = [ "format" ]; prePatch = '' newPath=$(echo "${ddccontrol-db}/share/ddccontrol-db" | sed "s/\\//\\\\\\//g") 
@@ -43,9 +29,6 @@ stdenv.mkDerivation { sed "s/$oldPath/$newPath/" <configure.ac.old >configure.ac rm configure.ac.old ''; - preConfigure = '' - autoreconf --install - ''; meta = with stdenv.lib; { description = "A program used to control monitor parameters by software"; diff --git a/pkgs/tools/misc/detox/default.nix b/pkgs/tools/misc/detox/default.nix index bdc018aec34a..7d17dee8b53c 100644 --- a/pkgs/tools/misc/detox/default.nix +++ b/pkgs/tools/misc/detox/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { buildInputs = [flex]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { homepage = http://detox.sourceforge.net/; description = "Utility designed to clean up filenames"; diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix index a50717d53992..80fb3c6a694c 100644 --- a/pkgs/tools/misc/expect/default.nix +++ b/pkgs/tools/misc/expect/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; nativeBuildInputs = [ makeWrapper ]; + hardeningDisable = [ "format" ]; + patchPhase = '' sed -i "s,/bin/stty,$(type -p stty),g" configure ''; diff --git a/pkgs/tools/misc/fondu/default.nix b/pkgs/tools/misc/fondu/default.nix index 516abfd2eb50..7610bb88f390 100644 --- a/pkgs/tools/misc/fondu/default.nix +++ b/pkgs/tools/misc/fondu/default.nix @@ -3,12 +3,16 @@ stdenv.mkDerivation rec { version = "060102"; name = "fondu-${version}"; + src = fetchurl { url = "http://fondu.sourceforge.net/fondu_src-${version}.tgz"; sha256 = "152prqad9jszjmm4wwqrq83zk13ypsz09n02nrk1gg0fcxfm7fr2"; }; + makeFlags = "DESTDIR=$(out)"; + hardeningDisable = [ "fortify" ]; + meta = { platforms = stdenv.lib.platforms.unix; }; diff --git a/pkgs/tools/misc/gbdfed/default.nix b/pkgs/tools/misc/gbdfed/default.nix index 104d3fad8d09..1ba4bceb7876 100644 --- a/pkgs/tools/misc/gbdfed/default.nix +++ b/pkgs/tools/misc/gbdfed/default.nix 
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec { patches = [ ./Makefile.patch ]; + hardeningDisable = [ "format" ]; + meta = { description = "Bitmap Font Editor"; longDescription = '' diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix index ae1df626fe5d..15b1740638e2 100644 --- a/pkgs/tools/misc/grub/2.0x.nix +++ b/pkgs/tools/misc/grub/2.0x.nix @@ -52,6 +52,8 @@ stdenv.mkDerivation rec { ++ optional doCheck qemu ++ optional zfsSupport zfs; + hardeningDisable = [ "all" ]; + preConfigure = '' for i in "tests/util/"*.in do diff --git a/pkgs/tools/misc/grub/default.nix b/pkgs/tools/misc/grub/default.nix index d6534fc5ee61..a690ef2084b2 100644 --- a/pkgs/tools/misc/grub/default.nix +++ b/pkgs/tools/misc/grub/default.nix @@ -36,6 +36,8 @@ stdenv.mkDerivation { # autoreconfHook required for the splashimage patch. buildInputs = [ autoreconfHook texinfo ]; + hardeningDisable = [ "stackprotector" ]; + prePatch = '' unpackFile $gentooPatches rm patch/400_all_grub-0.97-reiser4-20050808-gentoo.patch diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix index 6ae672db7a55..377d6faefa01 100644 --- a/pkgs/tools/misc/grub/trusted.nix +++ b/pkgs/tools/misc/grub/trusted.nix @@ -47,6 +47,8 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses libusb freetype gettext devicemapper ] ++ optional doCheck qemu; + hardeningDisable = [ "stackprotector" "pic" ]; + preConfigure = '' for i in "tests/util/"*.in do diff --git a/pkgs/tools/misc/grub4dos/default.nix b/pkgs/tools/misc/grub4dos/default.nix index ec784d8e1a4c..7e9b82a6a3f9 100644 --- a/pkgs/tools/misc/grub4dos/default.nix +++ b/pkgs/tools/misc/grub4dos/default.nix @@ -17,6 +17,8 @@ in stdenv.mkDerivation rec { nativeBuildInputs = [ nasm ]; + hardeningDisable = [ "stackprotector" ]; + configureFlags = [ "--host=${arch}-pc-linux-gnu" ]; postInstall = '' diff --git a/pkgs/tools/misc/ipxe/default.nix b/pkgs/tools/misc/ipxe/default.nix index a79b9018c545..6ee14a0ce937 100644 
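Review bot: `hardeningDisable = [ "all" ];` in the grub/2.0x.nix hunk is broader than the sibling expressions in this commit, which disable only `stackprotector` (grub/default.nix, grub4dos) or `stackprotector` and `pic` (grub/trusted.nix), and it has no comment. If this package also builds host-side utilities next to the boot images, those binaries lose every hardening flag as well. I would narrow the list to the flags that actually fail and add a comment in the style of the ipxe hunk, e.g. `# not possible for the boot images: <reason>`.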
--- a/pkgs/tools/misc/ipxe/default.nix +++ b/pkgs/tools/misc/ipxe/default.nix @@ -18,6 +18,9 @@ stdenv.mkDerivation { preConfigure = "cd src"; + # not possible due to assembler code + hardeningDisable = [ "pic" "stackprotector" ]; + NIX_CFLAGS_COMPILE = "-Wno-error"; makeFlags = diff --git a/pkgs/tools/misc/lrzsz/default.nix b/pkgs/tools/misc/lrzsz/default.nix index 729faa7a95d9..11351790becc 100644 --- a/pkgs/tools/misc/lrzsz/default.nix +++ b/pkgs/tools/misc/lrzsz/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1wcgfa9fsigf1gri74gq0pa7pyajk12m4z69x7ci9c6x9fqkd2y2"; }; + hardeningDisable = [ "format" ]; + configureFlags = [ "--program-transform-name=s/^l//" ]; meta = with stdenv.lib; { diff --git a/pkgs/tools/misc/memtest86+/default.nix b/pkgs/tools/misc/memtest86+/default.nix index f9c8ac4b8387..77149a179900 100644 --- a/pkgs/tools/misc/memtest86+/default.nix +++ b/pkgs/tools/misc/memtest86+/default.nix @@ -22,6 +22,8 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-I. -std=gnu90"; + hardeningDisable = [ "stackprotector" "pic" ]; + buildFlags = "memtest.bin"; installPhase = '' diff --git a/pkgs/tools/misc/mmv/default.nix b/pkgs/tools/misc/mmv/default.nix index ed2f54d693d0..417583ecc9eb 100644 --- a/pkgs/tools/misc/mmv/default.nix +++ b/pkgs/tools/misc/mmv/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "0399c027ea1e51fd607266c1e33573866d4db89f64a74be8b4a1d2d1ff1fdeef"; }; + hardeningDisable = [ "format" ]; + patches = [ # Use Debian patched version, as upstream is no longer maintained and it # contains a _lot_ of fixes. diff --git a/pkgs/tools/misc/mstflint/default.nix b/pkgs/tools/misc/mstflint/default.nix index 32953483daae..1d1ff991f3b8 100644 --- a/pkgs/tools/misc/mstflint/default.nix +++ b/pkgs/tools/misc/mstflint/default.nix 
@@ -1,11 +1,11 @@ { stdenv, fetchurl, zlib, libibmad }: -stdenv.mkDerivation { - name = "mstflint-3.7.0-1.18"; +stdenv.mkDerivation rec { + name = "mstflint-4.4.0-1.12.gd1edd58"; src = fetchurl { - url = "https://www.openfabrics.org/downloads/mstflint/mstflint-3.7.0-1.18.gcdb9f80.tar.gz"; - sha256 = "10x4l3i58ynnni18i8qq1gfbqd2028r4jd3frshiwrl9yrj7sxn2"; + url = "https://www.openfabrics.org/downloads/mstflint/${name}.tar.gz"; + sha256 = "0kg33i5s5zdc7kigww62r0b824zfw06r757fl6jwrq7lj91j0380"; }; buildInputs = [ zlib libibmad ]; diff --git a/pkgs/tools/misc/pal/default.nix b/pkgs/tools/misc/pal/default.nix index ff7279d0d57c..f92069e7b9f5 100644 --- a/pkgs/tools/misc/pal/default.nix +++ b/pkgs/tools/misc/pal/default.nix @@ -12,12 +12,12 @@ stdenv.mkDerivation rec { sed -i -e 's,/etc/pal\.conf,'$out/etc/pal.conf, src/input.c ''; - preBuild = '' - export makeFlags="prefix=$out" - ''; + makeFlags = "prefix=$(out)"; buildInputs = [ glib gettext readline pkgconfig ]; + hardeningDisable = [ "format" ]; + meta = { homepage = http://palcal.sourceforge.net/; description = "Command-line calendar program that can keep track of events"; diff --git a/pkgs/tools/misc/recutils/default.nix b/pkgs/tools/misc/recutils/default.nix index 4d6829e99a4c..6dd40e8476f3 100644 --- a/pkgs/tools/misc/recutils/default.nix +++ b/pkgs/tools/misc/recutils/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { doCheck = true; + hardeningDisable = [ "format" ]; + buildInputs = [ curl emacs ] ++ (stdenv.lib.optionals doCheck [ check bc ]); meta = { diff --git a/pkgs/tools/misc/rpm-ostree/default.nix b/pkgs/tools/misc/rpm-ostree/default.nix index 997d8279e04e..f96e70650b7c 100644 --- a/pkgs/tools/misc/rpm-ostree/default.nix +++ b/pkgs/tools/misc/rpm-ostree/default.nix 
@@ -20,8 +20,6 @@ in stdenv.mkDerivation rec { sha256 = "19jvnmy9zinx0j5nvy3h5abfv9d988kvyza09gljx16gll8qkbbf"; }; - NIX_CFLAGS_LINK = "-L${elfutils}/lib"; - buildInputs = [ which autoconf automake pkgconfig libtool libcap ostree rpm glib libgsystem json_glib libarchive libhif librepo gtk_doc libxslt docbook_xsl docbook_xml_dtd_42 diff --git a/pkgs/tools/misc/sam-ba/default.nix b/pkgs/tools/misc/sam-ba/default.nix index 1b7315ebedf6..cca18007c580 100644 --- a/pkgs/tools/misc/sam-ba/default.nix +++ b/pkgs/tools/misc/sam-ba/default.nix @@ -45,7 +45,7 @@ stdenv.mkDerivation rec { homepage = "http://www.at91.com/linux4sam/bin/view/Linux4SAM/SoftwareTools"; # License in <source>/doc/readme.txt license = "BSD-like (partly binary-only)"; # according to Buildroot - platforms = [ "i686-linux" "x86_64-linux" ]; + platforms = [ "x86_64-linux" ]; # patchelf fails on i686-linux maintainers = [ maintainers.bjornfor ]; }; } diff --git a/pkgs/tools/misc/sutils/default.nix b/pkgs/tools/misc/sutils/default.nix index d0576cc069a7..8d4f00ee8478 100644 --- a/pkgs/tools/misc/sutils/default.nix +++ b/pkgs/tools/misc/sutils/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0xqk42vl82chy458d64fj68a4md4bxaip8n3xw9skxz0a1sgvks8"; }; + hardeningDisable = [ "format" ]; + prePatch = ''sed -i "s@/usr/local@$out@" Makefile''; meta = { diff --git a/pkgs/tools/misc/svtplay-dl/default.nix b/pkgs/tools/misc/svtplay-dl/default.nix index 1169752b9cac..d3d1197943eb 100644 --- a/pkgs/tools/misc/svtplay-dl/default.nix +++ b/pkgs/tools/misc/svtplay-dl/default.nix @@ -22,7 +22,7 @@ in stdenv.mkDerivation rec { substituteInPlace lib/svtplay_dl/fetcher/rtmp.py \ --replace '"rtmpdump"' '"${rtmpdump}/bin/rtmpdump"' - substituteInPlace run-tests.sh \ + substituteInPlace scripts/run-tests.sh \ --replace 'PYTHONPATH=lib' 'PYTHONPATH=lib:$PYTHONPATH' ''; 
@@ -34,7 +34,7 @@ in stdenv.mkDerivation rec { ''; doCheck = true; - checkPhase = "sh run-tests.sh -2"; + checkPhase = "sh scripts/run-tests.sh -2"; meta = with stdenv.lib; { homepage = https://github.com/spaam/svtplay-dl; diff --git a/pkgs/tools/misc/ttyrec/default.nix b/pkgs/tools/misc/ttyrec/default.nix index 63b91adb4936..a836a2a0d0e9 100644 --- a/pkgs/tools/misc/ttyrec/default.nix +++ b/pkgs/tools/misc/ttyrec/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { patches = [ ./clang-fixes.patch ]; - makeFlags = [] + makeFlags = [ "CFLAGS=-DSVR4" ] ++ stdenv.lib.optional stdenv.cc.isClang "CC=clang"; installPhase = '' diff --git a/pkgs/tools/misc/uucp/default.nix b/pkgs/tools/misc/uucp/default.nix index bf73dbcbf2fc..4ef050b409e5 100644 --- a/pkgs/tools/misc/uucp/default.nix +++ b/pkgs/tools/misc/uucp/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0b5nhl9vvif1w3wdipjsk8ckw49jj1w85xw1mmqi3zbcpazia306"; }; - doCheck = true; + hardeningDisable = [ "format" ]; meta = { description = "Unix-unix cp over serial line, also includes cu program"; diff --git a/pkgs/tools/misc/vorbisgain/default.nix b/pkgs/tools/misc/vorbisgain/default.nix index ea61e0633282..567783f63138 100644 --- a/pkgs/tools/misc/vorbisgain/default.nix +++ b/pkgs/tools/misc/vorbisgain/default.nix @@ -8,11 +8,14 @@ stdenv.mkDerivation rec { sha256 = "1v1h6mhnckmvvn7345hzi9abn5z282g4lyyl4nnbqwnrr98v0vfx"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ unzip libogg libvorbis ]; + patchPhase = '' chmod -v +x configure configureFlags="--mandir=$out/share/man" - ''; + ''; meta = with stdenv.lib; { homepage = http://sjeng.org/vorbisgain.html; diff --git a/pkgs/tools/misc/wv/default.nix b/pkgs/tools/misc/wv/default.nix index 411a549a6861..a18c03b126ac 100644 --- a/pkgs/tools/misc/wv/default.nix +++ b/pkgs/tools/misc/wv/default.nix 
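Review bot: The test suite stops running in the uucp hunk, because `doCheck = true;` is replaced by the new `hardeningDisable` line rather than kept next to it, and nothing records why. If the tests only fail under the new hardening flags, keep `doCheck = true;` alongside the opt-out, or add a comment naming the failing test. As written, the package loses its only visible regression check in the same change that turns off the format-string check.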
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec { buildInputs = [ zlib imagemagick libpng glib pkgconfig libgsf libxml2 bzip2 ]; + hardeningDisable = [ "format" ]; + meta = { description = "Converter from Microsoft Word formats to human-editable ones"; platforms = stdenv.lib.platforms.unix; diff --git a/pkgs/tools/misc/xfstests/default.nix b/pkgs/tools/misc/xfstests/default.nix index 80025164cb68..5574e3274cd6 100644 --- a/pkgs/tools/misc/xfstests/default.nix +++ b/pkgs/tools/misc/xfstests/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation { buildInputs = [ acl autoreconfHook attr gawk libaio libuuid libxfs openssl perl ]; + hardeningDisable = [ "format" ]; + patchPhase = '' # Patch the destination directory sed -i include/builddefs.in -e "s|^PKG_LIB_DIR\s*=.*|PKG_LIB_DIR=$out/lib/xfstests|" diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix index 9d2afe752571..f5b5893d5437 100644 --- a/pkgs/tools/networking/chrony/default.nix +++ b/pkgs/tools/networking/chrony/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap; nativeBuildInputs = [ pkgconfig ]; + hardeningEnable = [ "pie" ]; + configureFlags = [ "--chronyvardir=$(out)/var/lib/chrony" ]; diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix index 778cfc3b5ed6..91232b4ffa74 100644 --- a/pkgs/tools/networking/dhcpdump/default.nix +++ b/pkgs/tools/networking/dhcpdump/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [libpcap perl]; + hardeningDisable = [ "fortify" ]; + installPhase = '' mkdir -pv $out/bin cp dhcpdump $out/bin diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix index 6b47e0cae840..14bde9a5fa5b 100644 --- a/pkgs/tools/networking/dnsmasq/default.nix +++ b/pkgs/tools/networking/dnsmasq/default.nix 
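Review bot: No reason is recorded for `hardeningDisable = [ "fortify" ];` in the dhcpdump hunk, and this package links `libpcap`, so it presumably parses captured packets, which is exactly where fortified libc calls are useful. The flannel, checkinstall and clib hunks later in this diff add the same bare opt-out. If the build fails only on a warning or an optimisation-level requirement, a narrower fix is preferable. Otherwise state the failure next to the setting, e.g. `# does not build with _FORTIFY_SOURCE: <error>`.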
@@ -29,6 +29,8 @@ stdenv.mkDerivation rec { "LOCALEDIR=$(out)/share/locale" ]; + hardeningEnable = [ "pie" ]; + postBuild = optionalString stdenv.isLinux '' make -C contrib/lease-tools ''; diff --git a/pkgs/tools/networking/easyrsa/2.x.nix b/pkgs/tools/networking/easyrsa/2.x.nix index 493243cf81c8..b33034515fb6 100644 --- a/pkgs/tools/networking/easyrsa/2.x.nix +++ b/pkgs/tools/networking/easyrsa/2.x.nix @@ -1,5 +1,5 @@ -{ stdenv, fetchurl, autoconf, automake111x, makeWrapper -, gnugrep, openssl}: +{ stdenv, fetchurl, autoreconfHook, makeWrapper +, gnugrep, openssl }: stdenv.mkDerivation rec { name = "easyrsa-2.2.0"; @@ -9,20 +9,12 @@ stdenv.mkDerivation rec { sha256 = "1xq4by5frb6ikn53ss3y8v7ss639dccxfq8jfrbk07ynkmk668qk"; }; - # Copy missing files and autoreconf - preConfigure = '' - cp ${automake111x}/share/automake/install-sh . - cp ${automake111x}/share/automake/missing . - - autoreconf - ''; - preBuild = '' mkdir -p $out/share/easy-rsa ''; - nativeBuildInputs = [ autoconf makeWrapper automake111x ]; - buildInputs = [ gnugrep openssl]; + nativeBuildInputs = [ autoreconfHook makeWrapper ]; + buildInputs = [ gnugrep openssl ]; # Make sane defaults and patch default config vars postInstall = '' diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix index 623b42d6fc1b..a9f2419b1368 100644 --- a/pkgs/tools/networking/eggdrop/default.nix +++ b/pkgs/tools/networking/eggdrop/default.nix 
@@ -1,20 +1,19 @@ -{ stdenv, fetchurl, tcl }: +{ stdenv, fetchFromGitHub, tcl }: stdenv.mkDerivation rec { name = "eggdrop-${version}"; - version = "1.6.21"; + version = "1.6.21-nix1"; - src = fetchurl { - url = "ftp://ftp.eggheads.org/pub/eggdrop/GNU/1.6/eggdrop${version}.tar.gz"; - sha256 = "1galvbh9y4c3msrg1s9na0asm077mh1g2i2vsv1vczmfrbgq92vs"; + src = fetchFromGitHub { + owner = "eggheads"; + repo = "eggdrop"; + rev = "9ec109a13c016c4cdc7d52b7e16e4b9b6fbb9331"; + sha256 = "0mf1vcbmpnvmf5mxk7gi3z32fxpcbynsh9jni8z8frrscrdf5lp5"; }; buildInputs = [ tcl ]; - patches = [ - # https://github.com/eggheads/eggdrop/issues/123 - ./b34a33255f56bbd2317c26da12d702796d67ed50.patch - ]; + hardeningDisable = [ "format" ]; preConfigure = '' prefix=$out/eggdrop diff --git a/pkgs/tools/networking/flannel/default.nix b/pkgs/tools/networking/flannel/default.nix index 53b5e4839ba1..2eea08b92383 100644 --- a/pkgs/tools/networking/flannel/default.nix +++ b/pkgs/tools/networking/flannel/default.nix @@ -7,6 +7,8 @@ buildGoPackage rec { goPackagePath = "github.com/coreos/flannel"; + hardeningDisable = [ "fortify" ]; + src = fetchFromGitHub { inherit rev; owner = "coreos"; diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix index 33d8ee2fd636..13f8cedc673d 100644 --- a/pkgs/tools/networking/iperf/2.nix +++ b/pkgs/tools/networking/iperf/2.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3"; }; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { homepage = "http://sourceforge.net/projects/iperf/"; description = "Tool to measure IP bandwidth using UDP or TCP"; diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix index 4b1633947b09..0ae993db332e 100644 --- a/pkgs/tools/networking/mailutils/default.nix +++ b/pkgs/tools/networking/mailutils/default.nix 
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65"; }; + hardeningDisable = [ "format" ]; + patches = [ ./path-to-cat.patch ./no-gets.patch ./scm_c_string.patch ]; configureFlags = [ diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix index 0f75bd44d69b..7a1eac59eeae 100644 --- a/pkgs/tools/networking/netboot/default.nix +++ b/pkgs/tools/networking/netboot/default.nix @@ -9,10 +9,12 @@ stdenv.mkDerivation rec { buildInputs = [ yacc lzo db4 ]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "Mini PXE server"; maintainers = [ maintainers.raskin ]; platforms = ["x86_64-linux"]; license = stdenv.lib.licenses.free; }; -} \ No newline at end of file +} diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix index 433a3349702d..4c42771be170 100644 --- a/pkgs/tools/networking/ntp/default.nix +++ b/pkgs/tools/networking/ntp/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook ]; buildInputs = [ libcap openssl ]; + hardeningEnable = [ "pie" ]; + postInstall = '' rm -rf $out/share/doc ''; diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix index d0e8ea4b1d9b..e3e2053e2ce6 100644 --- a/pkgs/tools/networking/openfortivpn/default.nix +++ b/pkgs/tools/networking/openfortivpn/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchFromGitHub, automake, autoconf, openssl, ppp }: +{ stdenv, fetchFromGitHub, autoreconfHook, openssl, ppp }: with stdenv.lib; 
@@ -15,13 +15,11 @@ in stdenv.mkDerivation { sha256 = "08ycz053wa29ckgr93132hr3vrd84r3bks9q807qanri0n35y256"; }; - buildInputs = [ openssl automake autoconf ppp ]; + buildInputs = [ openssl ppp autoreconfHook ]; - preConfigure = '' - aclocal - autoconf - automake --add-missing + hardeningDisable = [ "format" ]; + preConfigure = '' substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd" ''; diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index dab638301820..8f4c0aa54dfa 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -71,6 +71,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningEnable = [ "pie" ]; + postInstall = '' # Install ssh-copy-id, it's very useful. cp contrib/ssh-copy-id $out/bin/ diff --git a/pkgs/tools/networking/quicktun/default.nix b/pkgs/tools/networking/quicktun/default.nix index f07cfe4d0724..ed559f5d5c9f 100644 --- a/pkgs/tools/networking/quicktun/default.nix +++ b/pkgs/tools/networking/quicktun/default.nix @@ -11,8 +11,6 @@ stdenv.mkDerivation rec { sha256 = "0m7gvlgs1mhyw3c8s2dg05j7r7hz8kjpb0sk245m61ir9dmwlf8i"; }; - CFLAGS = "-fPIE -fPIC -pie -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now"; - buildInputs = [ libsodium ]; phases = [ "unpackPhase" "buildPhase" "installPhase" ]; diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix index 42d4a8177563..1c8ef67a7830 100644 --- a/pkgs/tools/networking/radvd/default.nix +++ b/pkgs/tools/networking/radvd/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libdaemon bison flex check ]; + hardeningEnable = [ "pie" ]; + meta = with stdenv.lib; { homepage = http://www.litech.org/radvd/; description = "IPv6 Router Advertisement Daemon"; diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix index f9eff5b12d55..19cdb884bd1a 100644 
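Review bot: `autoreconfHook` is a build-time tool and belongs in `nativeBuildInputs`, not in `buildInputs` as the openfortivpn hunk has it; the easyrsa hunk in this same diff already uses `nativeBuildInputs = [ autoreconfHook makeWrapper ];`. I would write `nativeBuildInputs = [ autoreconfHook ];` and `buildInputs = [ openssl ppp ];` so the two files agree and cross builds pick up the right tool. The mkDerivation body continues outside the hunk.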
--- a/pkgs/tools/networking/socat/default.nix +++ b/pkgs/tools/networking/socat/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ]; + hardeningEnable = [ "pie" ]; + meta = { description = "A utility for bidirectional data transfer between two independent data channels"; homepage = http://www.dest-unreach.org/socat/; diff --git a/pkgs/tools/networking/stunnel/default.nix b/pkgs/tools/networking/stunnel/default.nix index 2f12aaa7ee23..114247682c7a 100644 --- a/pkgs/tools/networking/stunnel/default.nix +++ b/pkgs/tools/networking/stunnel/default.nix @@ -2,11 +2,11 @@ stdenv.mkDerivation rec { name = "stunnel-${version}"; - version = "5.29"; + version = "5.31"; src = fetchurl { url = "http://www.stunnel.org/downloads/${name}.tar.gz"; - sha256 = "0lgmdpsm36a6j5s0jabv3cfg3rzqz9c9sfdqgkx399iy80jrd423"; + sha256 = "1dz0p85ha78vxc2hjhrkr4xf8w3q8r177bqdrgm26v6wncdbfim7"; }; buildInputs = [ openssl ]; diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix index 9827b62c6c4a..3a5117653c83 100644 --- a/pkgs/tools/networking/telnet/default.nix +++ b/pkgs/tools/networking/telnet/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ncurses]; meta = { diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix index d10e645dc874..1c8829a07b27 100644 --- a/pkgs/tools/networking/trickle/default.nix +++ b/pkgs/tools/networking/trickle/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0s1qq3k5mpcs9i7ng0l9fvr1f75abpbzfi1jaf3zpzbs1dz50dlx"; }; - buildInputs = [libevent]; + buildInputs = [ libevent ]; preConfigure = '' sed -i 's|libevent.a|libevent.so|' configure 
@@ -22,6 +22,8 @@ stdenv.mkDerivation rec { configureFlags = "--with-libevent"; + hardeningDisable = [ "format" ]; + meta = { description = "Lightweight userspace bandwidth shaper"; license = stdenv.lib.licenses.bsd3; diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix index 9d4ae5d671ac..c2c707fbc77a 100644 --- a/pkgs/tools/networking/uwimap/default.nix +++ b/pkgs/tools/networking/uwimap/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation { # -fPIC is required to compile php with imap on x86_64 systems + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC"; + hardeningDisable = [ "format" ]; + buildInputs = [ openssl ] ++ stdenv.lib.optional (!stdenv.isDarwin) pam; diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix index 88ee459f8168..3a3709a9df00 100644 --- a/pkgs/tools/networking/vde2/default.nix +++ b/pkgs/tools/networking/vde2/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libpcap python ]; + hardeningDisable = [ "format" ]; + meta = { homepage = http://vde.sourceforge.net/; description = "Virtual Distributed Ethernet, an Ethernet compliant virtual network"; diff --git a/pkgs/tools/networking/vlan/default.nix b/pkgs/tools/networking/vlan/default.nix index 9c9376550dfb..41ece0537ab4 100644 --- a/pkgs/tools/networking/vlan/default.nix +++ b/pkgs/tools/networking/vlan/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1jjc5f26hj7bk8nkjxsa8znfxcf8pgry2ipnwmj2fr6ky0dhm3rv"; }; + hardeningDisable = [ "format" ]; + preBuild = '' # Ouch, the tarball contains pre-compiled binaries. @@ -18,12 +20,12 @@ stdenv.mkDerivation rec { '' mkdir -p $out/sbin cp vconfig $out/sbin/ - + mkdir -p $out/share/man/man8 cp vconfig.8 $out/share/man/man8/ ''; - meta = { + meta = { description = "User mode programs to enable VLANs on Ethernet devices"; platforms = stdenv.lib.platforms.linux; }; 
diff --git a/pkgs/tools/package-management/checkinstall/default.nix b/pkgs/tools/package-management/checkinstall/default.nix index 8ab9001573a2..fea6ccedd34f 100644 --- a/pkgs/tools/package-management/checkinstall/default.nix +++ b/pkgs/tools/package-management/checkinstall/default.nix @@ -44,6 +44,8 @@ stdenv.mkDerivation { buildInputs = [gettext]; + hardeningDisable = [ "fortify" ]; + preBuild = '' makeFlagsArray=(PREFIX=$out) diff --git a/pkgs/tools/package-management/clib/default.nix b/pkgs/tools/package-management/clib/default.nix index c1f76bca14b1..cd9499d9146d 100644 --- a/pkgs/tools/package-management/clib/default.nix +++ b/pkgs/tools/package-management/clib/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "08n2i3dyh5vnrb74a6wlqqn67c9nwkq0v0v651zzha495mqbciq7"; }; + hardeningDisable = [ "fortify" ]; + makeFlags = "PREFIX=$(out)"; buildInputs = [ curl ]; diff --git a/pkgs/tools/package-management/rpm/default.nix b/pkgs/tools/package-management/rpm/default.nix index c0a4f7f693d5..f4a7273d8cc7 100644 --- a/pkgs/tools/package-management/rpm/default.nix +++ b/pkgs/tools/package-management/rpm/default.nix @@ -11,13 +11,9 @@ stdenv.mkDerivation rec { buildInputs = [ cpio zlib bzip2 file libarchive nspr nss db xz python lua pkgconfig autoreconfHook ]; # rpm/rpmlib.h includes popt.h, and then the pkg-config file mentions these as linkage requirements - propagatedBuildInputs = [ popt nss db bzip2 libarchive ]; + propagatedBuildInputs = [ popt elfutils nss db bzip2 libarchive ]; - # Note: we don't add elfutils to buildInputs, since it provides a - # bad `ld' and other stuff. - NIX_CFLAGS_COMPILE = "-I${nspr.dev}/include/nspr -I${nss.dev}/include/nss -I${elfutils}/include"; - - NIX_CFLAGS_LINK = "-L${elfutils}/lib"; + NIX_CFLAGS_COMPILE = "-I${nspr.dev}/include/nspr -I${nss.dev}/include/nss"; postPatch = '' # For Python3, the original expression evaluates as 'python3.4' but we want 'python3.4m' here 
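Review bot: The rpm hunk deletes the warning that elfutils "provides a bad `ld' and other stuff" while moving `elfutils` into `propagatedBuildInputs`, and nothing says the concern no longer applies. Because the input is propagated, whatever it ships would presumably reach the build environment of every package that depends on rpm, not only rpm itself. If elfutils no longer installs a conflicting linker, record that with a comment such as `# elfutils no longer ships a conflicting ld`. If that cannot be confirmed, keeping the explicit `-I${elfutils}/include` and `-L${elfutils}/lib` flags is the safer choice.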
diff --git a/pkgs/tools/security/ccrypt/default.nix b/pkgs/tools/security/ccrypt/default.nix index e6a63a2f2882..0afa91086890 100644 --- a/pkgs/tools/security/ccrypt/default.nix +++ b/pkgs/tools/security/ccrypt/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { nativeBuildInputs = [ perl ]; + hardeningDisable = [ "format" ]; + meta = { homepage = http://ccrypt.sourceforge.net/; description = "Utility for encrypting and decrypting files and streams with AES-256"; diff --git a/pkgs/tools/security/fprint_demo/default.nix b/pkgs/tools/security/fprint_demo/default.nix index c2dbb31bec45..26e0d0e45e13 100644 --- a/pkgs/tools/security/fprint_demo/default.nix +++ b/pkgs/tools/security/fprint_demo/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ libfprint gtk2 ]; nativeBuildInputs = [ pkgconfig autoreconfHook ]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { homepage = "http://www.freedesktop.org/wiki/Software/fprint/fprint_demo/"; description = "A simple GTK+ application to demonstrate and test libfprint's capabilities"; diff --git a/pkgs/tools/security/gnupg/21.nix b/pkgs/tools/security/gnupg/21.nix index 418f622fafdb..34042d802ccb 100644 --- a/pkgs/tools/security/gnupg/21.nix +++ b/pkgs/tools/security/gnupg/21.nix @@ -15,11 +15,11 @@ assert x11Support -> pinentry != null; stdenv.mkDerivation rec { name = "gnupg-${version}"; - version = "2.1.14"; + version = "2.1.15"; src = fetchurl { url = "mirror://gnupg/gnupg/${name}.tar.bz2"; - sha256 = "0hmsiscpdpdqd8kcjpzkz2gzcc3cnrvswk9p1jzi4sivd7lxwl4l"; + sha256 = "1pgz02gd84ab94w4xdg67p9z8kvkyr9d523bvcxxd2hviwh1m362"; }; buildInputs = [ 
@@ -27,10 +27,6 @@ stdenv.mkDerivation rec { readline libusb gnutls adns openldap zlib bzip2 ]; - # gpgsm-linking is fixed by commit (c49c43d7) in the gnupg master branch; - # fix-gpgsm-linking.patch should be dropped after gnupg 2.1.15 is released - patches = [ ./fix-gpgsm-linking.patch ]; - postPatch = stdenv.lib.optionalString stdenv.isLinux '' sed -i 's,"libpcsclite\.so[^"]*","${pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c ''; #" fix Emacs syntax highlighting :-( diff --git a/pkgs/tools/security/gnupg/fix-gpgsm-linking.patch b/pkgs/tools/security/gnupg/fix-gpgsm-linking.patch deleted file mode 100644 index 290d43f5b0d4..000000000000 --- a/pkgs/tools/security/gnupg/fix-gpgsm-linking.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/tests/gpgscm/Makefile.in -+++ b/tests/gpgscm/Makefile.in -@@ -457,7 +457,7 @@ - scheme-config.h opdefines.h scheme.c scheme.h scheme-private.h - - gpgscm_LDADD = $(LDADD) $(common_libs) \ -- $(NETLIBS) $(LIBICONV) $(LIBREADLINE) \ -+ $(NETLIBS) $(LIBICONV) $(LIBREADLINE) $(LIBINTL) \ - $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) - - t_child_SOURCES = t-child.c diff --git a/pkgs/tools/security/john/default.nix b/pkgs/tools/security/john/default.nix index d428d67fdc9f..c44f144bea68 100644 --- a/pkgs/tools/security/john/default.nix +++ b/pkgs/tools/security/john/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { sha256 = "08q92sfdvkz47rx6qjn7qv57cmlpy7i7rgddapq5384mb413vjds"; }; + patches = [ ./gcc5.patch ]; + postPatch = '' sed -ri -e ' s!^(#define\s+CFG_[A-Z]+_NAME\s+).*/!\1"'"$out"'/etc/john/! diff --git a/pkgs/tools/security/john/gcc5.patch b/pkgs/tools/security/john/gcc5.patch new file mode 100644 index 000000000000..73da83483f90 --- /dev/null +++ b/pkgs/tools/security/john/gcc5.patch 
@@ -0,0 +1,14 @@ +diff --git a/src/common.h b/src/common.h +--- a/src/common.h ++++ b/src/common.h +@@ -31,7 +31,9 @@ typedef unsigned long long ARCH_WORD_64; + #define is_aligned(PTR, CNT) ((((ARCH_WORD)(const void *)(PTR))&(CNT-1))==0) + + #ifdef __GNUC__ +-#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7) || defined(__INTEL_COMPILER) ++#if __GNUC__ >= 5 ++#define MAYBE_INLINE __attribute__((gnu_inline)) inline ++#elif __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7) || defined(__INTEL_COMPILER) + #define MAYBE_INLINE __attribute__((always_inline)) inline + #elif __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 1) + #define MAYBE_INLINE __attribute__((always_inline)) diff --git a/pkgs/tools/security/scrypt/default.nix b/pkgs/tools/security/scrypt/default.nix index 893b7b319000..1835dbdb620b 100644 --- a/pkgs/tools/security/scrypt/default.nix +++ b/pkgs/tools/security/scrypt/default.nix @@ -12,8 +12,6 @@ stdenv.mkDerivation rec { buildInputs = [ openssl ]; patchPhase = '' - substituteInPlace Makefile \ - --replace "command -p mv" "mv" substituteInPlace Makefile.in \ --replace "command -p mv" "mv" substituteInPlace autocrap/Makefile.am \ diff --git a/pkgs/tools/security/tboot/default.nix b/pkgs/tools/security/tboot/default.nix index 854f67f2aeec..506b1d398d54 100644 --- a/pkgs/tools/security/tboot/default.nix +++ b/pkgs/tools/security/tboot/default.nix @@ -12,12 +12,15 @@ stdenv.mkDerivation rec { patches = [ ./tboot-add-well-known-secret-option-to-lcp_writepol.patch ]; + hardeningDisable = [ "pic" "stackprotector" ]; + configurePhase = '' for a in lcptools utils tb_polgen; do substituteInPlace $a/Makefile --replace /usr/sbin /sbin done substituteInPlace docs/Makefile --replace /usr/share /share ''; + installFlags = "DESTDIR=$(out)"; meta = with stdenv.lib; { diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 2ddea737c8bb..3d03f19cb6f8 100644 --- a/pkgs/tools/system/cron/default.nix 
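Review bot: The opt-out in the tboot hunk looks wider than it needs to be, since `hardeningDisable = [ "pic" "stackprotector" ];` applies to the whole derivation. The `configurePhase` just below it patches Makefiles for `lcptools`, `utils` and `tb_polgen`, which appear to be ordinary userland tools built from the same source. If only the boot module requires it, those tools lose stack protection for no reason. At minimum add a comment such as `# boot module is freestanding code; userland tools inherit the opt-out` so the scope is a recorded decision.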
+++ b/pkgs/tools/system/cron/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { unpackCmd = "(mkdir cron && cd cron && sh $curSrc)"; + hardeningEnable = [ "pie" ]; + preBuild = '' substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755 makeFlags="DESTROOT=$out" diff --git a/pkgs/tools/system/facter/default.nix b/pkgs/tools/system/facter/default.nix index de9b79d79c35..0ebfe36f59dc 100644 --- a/pkgs/tools/system/facter/default.nix +++ b/pkgs/tools/system/facter/default.nix @@ -13,9 +13,7 @@ stdenv.mkDerivation rec { # since we cant expand $out in cmakeFlags preConfigure = "cmakeFlags+=\" -DRUBY_LIB_INSTALL=$out/lib/ruby\""; - libyamlcpp_ = libyamlcpp.override { makePIC = true; }; - - buildInputs = [ boost cmake curl leatherman libyamlcpp_ openssl ruby utillinux ]; + buildInputs = [ boost cmake curl leatherman libyamlcpp openssl ruby utillinux ]; meta = with stdenv.lib; { homepage = https://github.com/puppetlabs/facter; diff --git a/pkgs/tools/system/foremost/default.nix b/pkgs/tools/system/foremost/default.nix index cfac89237795..0114c1d41ff6 100644 --- a/pkgs/tools/system/foremost/default.nix +++ b/pkgs/tools/system/foremost/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + preInstall = '' mkdir -p $out/{bin,share/man/man8} ''; diff --git a/pkgs/tools/system/gdmap/default.nix b/pkgs/tools/system/gdmap/default.nix index 3d3809610e4d..7800bfa08313 100644 --- a/pkgs/tools/system/gdmap/default.nix +++ b/pkgs/tools/system/gdmap/default.nix @@ -2,7 +2,7 @@ stdenv.mkDerivation rec { name = "gdmap-0.8.1"; - + src = fetchurl { url = "mirror://sourceforge/gdmap/${name}.tar.gz"; sha256 = "0nr8l88cg19zj585hczj8v73yh21k7j13xivhlzl8jdk0j0cj052"; 
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec { patches = [ ./get_sensitive.patch ./set_flags.patch ]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { homepage = http://gdmap.sourceforge.net; description = "Recursive rectangle map of disk usage"; diff --git a/pkgs/tools/system/rowhammer-test/default.nix b/pkgs/tools/system/rowhammer-test/default.nix index 728b15bb2988..226ec4351ea4 100644 --- a/pkgs/tools/system/rowhammer-test/default.nix +++ b/pkgs/tools/system/rowhammer-test/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { sha256 = "1fbfcnm5gjish47wdvikcsgzlb5vnlfqlzzm6mwiw2j5qkq0914i"; }; + NIX_CFLAGS_COMPILE = stdenv.lib.optional stdenv.isi686 "-Wno-error=format"; + buildPhase = "sh -e make.sh"; installPhase = '' diff --git a/pkgs/tools/system/rsyslog/default.nix b/pkgs/tools/system/rsyslog/default.nix index 2f38c9b374af..f3e6b15ed2c5 100644 --- a/pkgs/tools/system/rsyslog/default.nix +++ b/pkgs/tools/system/rsyslog/default.nix @@ -28,6 +28,8 @@ stdenv.mkDerivation rec { rabbitmq-c hiredis ] ++ stdenv.lib.optional stdenv.isLinux systemd; + hardeningDisable = [ "format" ]; + configureFlags = [ "--sysconfdir=/etc" "--localstatedir=/var" diff --git a/pkgs/tools/system/stress-ng/default.nix b/pkgs/tools/system/stress-ng/default.nix index c45cc8a596b1..cdc7122fcc4b 100644 --- a/pkgs/tools/system/stress-ng/default.nix +++ b/pkgs/tools/system/stress-ng/default.nix @@ -2,10 +2,10 @@ stdenv.mkDerivation rec { name = "stress-ng-${version}"; - version = "0.06.11"; + version = "0.06.14"; src = fetchurl { - sha256 = "0481aji9hdq8qbslrrc87r2p2pn8jxf913ac8wm5kxj02yqf7ccv"; + sha256 = "06kycxfwkdrm2vs9xk8cb6c1mki29ymrrqwwxxqx4icnwvq135hv"; url = "http://kernel.ubuntu.com/~cking/tarballs/stress-ng/${name}.tar.gz"; }; 
@@ -15,7 +15,11 @@ stdenv.mkDerivation rec { substituteInPlace Makefile --replace "/usr" "" ''; - enableParallelBuilding = true; + # Won't build on i686 because the binary will be linked again in the + # install phase without checking the dependencies. This will prevent + # triggering the rebuild. Why this only happens on i686 remains a + # mystery, though. :-( + enableParallelBuilding = (!stdenv.isi686); installFlags = [ "DESTDIR=$(out)" ]; diff --git a/pkgs/tools/system/which/default.nix b/pkgs/tools/system/which/default.nix index e9199a8f0632..fc0889012c2e 100644 --- a/pkgs/tools/system/which/default.nix +++ b/pkgs/tools/system/which/default.nix @@ -2,12 +2,15 @@ stdenv.mkDerivation rec { name = "which-2.21"; - + src = fetchurl { url = "mirror://gnu/which/${name}.tar.gz"; sha256 = "1bgafvy3ypbhhfznwjv1lxmd6mci3x1byilnnkc7gcr486wlb8pl"; }; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + meta = with stdenv.lib; { homepage = http://ftp.gnu.org/gnu/which/; platforms = platforms.all; diff --git a/pkgs/tools/text/a2ps/default.nix b/pkgs/tools/text/a2ps/default.nix index 7de6a8dd5745..4a32e972a5b3 100644 --- a/pkgs/tools/text/a2ps/default.nix +++ b/pkgs/tools/text/a2ps/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [ libpaper gperf file ]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "An Anyithing to PostScript converter and pretty-printer"; longDescription = '' diff --git a/pkgs/tools/text/convertlit/default.nix b/pkgs/tools/text/convertlit/default.nix index 331fc3fea359..ffc2dc1c4d5c 100644 --- a/pkgs/tools/text/convertlit/default.nix +++ b/pkgs/tools/text/convertlit/default.nix 
@@ -1,22 +1,24 @@ -{stdenv, fetchurl, unzip, libtommath}: +{stdenv, fetchzip, libtommath}: stdenv.mkDerivation { name = "convertlit-1.8"; - - src = fetchurl { + + src = fetchzip { url = http://www.convertlit.com/convertlit18src.zip; - sha256 = "1fjpwncyc2r3ipav7c9m7jxy6i7mphbyqj3gsm046425p7sqa2np"; + sha256 = "182nsin7qscgbw2h92m0zadh3h8q410h5cza6v486yjfvla3dxjx"; + stripRoot = false; }; - buildInputs = [unzip libtommath]; + buildInputs = [libtommath]; - sourceRoot = "."; + hardeningDisable = [ "format" ]; buildPhase = '' cd lib make cd ../clit18 - substituteInPlace Makefile --replace ../libtommath-0.30/libtommath.a -ltommath + substituteInPlace Makefile \ + --replace ../libtommath-0.30/libtommath.a -ltommath make ''; diff --git a/pkgs/tools/text/diffutils/default.nix b/pkgs/tools/text/diffutils/default.nix index 420e0a37ba7e..587c89554aa5 100644 --- a/pkgs/tools/text/diffutils/default.nix +++ b/pkgs/tools/text/diffutils/default.nix @@ -1,11 +1,11 @@ { stdenv, fetchurl, xz, coreutils ? null }: stdenv.mkDerivation rec { - name = "diffutils-3.3"; + name = "diffutils-3.5"; src = fetchurl { url = "mirror://gnu/diffutils/${name}.tar.xz"; - sha256 = "1761vymxbp4wb5rzjvabhdkskk95pghnn67464byvzb5mfl8jpm2"; + sha256 = "0csmqfz8ks23kdjsq0v2ll1acqiz8lva06dj19mwmymrsp69ilys"; }; outputs = [ "out" "info" ]; diff --git a/pkgs/tools/text/patchutils/default.nix b/pkgs/tools/text/patchutils/default.nix index 4df52eef669e..75922a6c830c 100644 --- a/pkgs/tools/text/patchutils/default.nix +++ b/pkgs/tools/text/patchutils/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { patches = [ ./drop-comments.patch ]; # we would get into a cycle when using fetchpatch on this one + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "Tools to manipulate patch files"; homepage = http://cyberelk.net/tim/software/patchutils; diff --git a/pkgs/tools/text/untex/default.nix b/pkgs/tools/text/untex/default.nix index e2f6142a2a0f..ec99e8b4a27a 100644 
--- a/pkgs/tools/text/untex/default.nix +++ b/pkgs/tools/text/untex/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "07p836jydd5yjy905m5ylnnac1h4cc4jsr41panqb808mlsiwmmy"; }; + hardeningDisable = [ "format" ]; + unpackPhase = "tar xf $src"; installTargets = "install install.man"; installFlags = "BINDIR=$(out)/bin MANDIR=$(out)/share/man/man1"; diff --git a/pkgs/tools/typesetting/bibtex-tools/default.nix b/pkgs/tools/typesetting/bibtex-tools/default.nix deleted file mode 100644 index a822a181a653..000000000000 --- a/pkgs/tools/typesetting/bibtex-tools/default.nix +++ /dev/null @@ -1,17 +0,0 @@ -{stdenv, fetchurl, hevea, tetex, strategoxt, aterm, sdf}: - -stdenv.mkDerivation { - name = "bibtex-tools-0.2pre13026"; - src = fetchurl { - url = http://tarballs.nixos.org/bibtex-tools-0.2pre13026.tar.gz; - md5 = "2d8a5de7c53eb670307048eb3d14cdd6"; - }; - configureFlags = " - --with-aterm=${aterm} - --with-sdf=${sdf} - --with-strategoxt=${strategoxt} - --with-hevea=${hevea} - --with-latex=${tetex}"; - buildInputs = [aterm sdf strategoxt hevea]; - meta.broken = true; -} diff --git a/pkgs/tools/typesetting/tex/tetex/default.nix b/pkgs/tools/typesetting/tex/tetex/default.nix index 8d6c88a0004e..c3d226a2acb0 100644 --- a/pkgs/tools/typesetting/tex/tetex/default.nix +++ b/pkgs/tools/typesetting/tex/tetex/default.nix @@ -2,7 +2,7 @@ stdenv.mkDerivation { name = "tetex-3.0"; - + src = fetchurl { url = ftp://cam.ctan.org/tex-archive/systems/unix/teTeX/current/distrib/tetex-src-3.0.tar.gz; md5 = "944a4641e79e61043fdaf8f38ecbb4b3"; @@ -15,6 +15,8 @@ stdenv.mkDerivation { buildInputs = [ flex bison zlib libpng ncurses ed ]; + hardeningDisable = [ "format" ]; + # fixes "error: conflicting types for 'calloc'", etc. preBuild = stdenv.lib.optionalString stdenv.isDarwin '' sed -i 57d texk/kpathsea/c-std.h diff --git a/pkgs/tools/typesetting/tex/tex4ht/default.nix b/pkgs/tools/typesetting/tex/tex4ht/default.nix index 8380abf2e948..5aaae2c06b2a 100644 
--- a/pkgs/tools/typesetting/tex/tex4ht/default.nix +++ b/pkgs/tools/typesetting/tex/tex4ht/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ tetex unzip ]; + hardeningDisable = [ "format" ]; + buildPhase = '' cd src for f in tex4ht t4ht htcmd ; do diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix index b98b9103ce74..26aebd567724 100644 --- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix @@ -64,6 +64,8 @@ core = stdenv.mkDerivation rec { perl ]; + hardeningDisable = [ "format" ]; + postPatch = '' for i in texk/kpathsea/mktex*; do sed -i '/^mydir=/d' "$i" @@ -128,6 +130,8 @@ core-big = stdenv.mkDerivation { inherit (common) src; + hardeningDisable = [ "format" ]; + buildInputs = core.buildInputs ++ [ core cairo harfbuzz icu graphite2 ]; configureFlags = common.configureFlags diff --git a/pkgs/tools/typesetting/xmlroff/default.nix b/pkgs/tools/typesetting/xmlroff/default.nix index 7bd34f402504..daa79d8e352c 100644 --- a/pkgs/tools/typesetting/xmlroff/default.nix +++ b/pkgs/tools/typesetting/xmlroff/default.nix @@ -28,6 +28,8 @@ stdenv.mkDerivation rec { configureFlags = "--disable-pangoxsl --disable-gp"; + hardeningDisable = [ "format" ]; + preBuild = '' substituteInPlace tools/insert-file-as-string.pl --replace "/usr/bin/perl" "${perl}/bin/perl" substituteInPlace Makefile --replace "docs" "" diff --git a/pkgs/tools/video/mjpegtools/default.nix b/pkgs/tools/video/mjpegtools/default.nix index 40fe5eb01477..0e90a5071b75 100644 --- a/pkgs/tools/video/mjpegtools/default.nix +++ b/pkgs/tools/video/mjpegtools/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { sha256 = "01y4xpfdvd4zgv6fmcjny9mr1gbfd4y2i4adp657ydw6fqyi8kw6"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ libdv libjpeg libpng pkgconfig ] ++ lib.optional (!withMinimal) [ gtk libX11 SDL SDL_gfx ]; 
diff --git a/pkgs/tools/video/vncrec/default.nix b/pkgs/tools/video/vncrec/default.nix index 7d395afebecb..162a1b6d5a47 100644 --- a/pkgs/tools/video/vncrec/default.nix +++ b/pkgs/tools/video/vncrec/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "1yp6r55fqpdhc8cgrgh9i0mzxmkls16pgf8vfcpng1axr7cigyhc"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ libX11 xproto imake gccmakedep libXt libXmu libXaw libXext xextproto libSM libICE libXpm libXp |