16 files changed, 116 insertions, 81 deletions

diff --git a/pkgs/applications/audio/cmusfm/default.nix b/pkgs/applications/audio/cmusfm/default.nix
new file mode 100644
index 000000000000..e528e9699a73
--- /dev/null
+++ b/pkgs/applications/audio/cmusfm/default.nix
@@ -0,0 +1,36 @@
+{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, curl, libnotify, gdk_pixbuf }:
+
+stdenv.mkDerivation rec {
+  version = "2018-10-11";
+  name = "cmusfm-unstable-${version}";
+  src = fetchFromGitHub {
+    owner = "Arkq";
+    repo = "cmusfm";
+    rev = "ad2fd0aad3f4f1a25add1b8c2f179e8859885873";
+    sha256 = "0wpwdwgyrp64nvwc6shy0n387p31j6aw6cnmfi9x2y1jhl5hbv6b";
+  };
+  # building
+  configureFlags = [ "--enable-libnotify" ];
+  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  buildInputs = [ curl libnotify gdk_pixbuf ];
+
+  meta = with stdenv.lib; {
+    description = "Last.fm and Libre.fm standalone scrobbler for the cmus music player";
+    longDescription = ''
+      Features:
+      + Listening now notification support
+      + Off-line played track cache for later submission
+      + POSIX ERE-based file name parser
+      + Desktop notification support (optionally)
+      + Customizable scrobbling service
+      + Small memory footprint
+      Configuration:
+      + run `cmusfm init` to generate configuration file under ~/.config/cmus/cmusfm.conf
+      + Inside cmus run `:set status_display_program=cmusfm` to set up cmusfm
+    '';
+    homepage = https://github.com/Arkq/cmusfm/;
+    maintainers = with stdenv.lib.maintainers; [ CharlesHD ];
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux ++ platforms.darwin;
+  };
+}
diff --git a/pkgs/build-support/setup-hooks/auto-patchelf.sh b/pkgs/build-support/setup-hooks/auto-patchelf.sh
index 7c165627f72e..d1ae317ff9a4 100644
--- a/pkgs/build-support/setup-hooks/auto-patchelf.sh
+++ b/pkgs/build-support/setup-hooks/auto-patchelf.sh
@@ -7,7 +7,16 @@ gatherLibraries() {
 addEnvHooks "$targetOffset" gatherLibraries
 
 isExecutable() {
-    readelf -h "$1" 2> /dev/null | grep -q '^ *Type: *EXEC\>'
+    # For dynamically linked ELF files it would be enough to check just for the
+    # INTERP section. However, we won't catch statically linked executables as
+    # they only have an ELF type of EXEC but no INTERP.
+    #
+    # So what we do here is just check whether *either* the ELF type is EXEC
+    # *or* there is an INTERP section. This also catches position-independent
+    # executables, as they typically have an INTERP section but their ELF type
+    # is DYN.
+    LANG=C readelf -h -l "$1" 2> /dev/null \
+        | grep -q '^ *Type: *EXEC\>\|^ *INTERP\>'
 }
 
 # We cache dependencies so that we don't need to search through all of them on
@@ -157,7 +166,7 @@ autoPatchelf() {
       isELF "$file" || continue
       if isExecutable "$file"; then
           # Skip if the executable is statically linked.
-          readelf -l "$file" | grep -q "^ *INTERP\\>" || continue
+          LANG=C readelf -l "$file" | grep -q "^ *INTERP\\>" || continue
       fi
       autoPatchelfFile "$file"
     done < <(find "$prefix" -type f -print0)
diff --git a/pkgs/desktops/gnustep/libobjc2/default.nix b/pkgs/desktops/gnustep/libobjc2/default.nix
index a3e718187c7f..3aba235b3a79 100644
--- a/pkgs/desktops/gnustep/libobjc2/default.nix
+++ b/pkgs/desktops/gnustep/libobjc2/default.nix
@@ -24,5 +24,6 @@ stdenv.mkDerivation rec {
     license = licenses.mit;
     maintainers = with maintainers; [ ashalkhakov matthewbauer ];
     platforms = platforms.unix;
+    badPlatforms = [ "aarch64-linux" ];
   };
 }
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix
index 2c9d9d307ae3..56ffd6ee54ee 100644
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@@ -370,6 +370,7 @@ self: super: {
   safecopy = dontCheck super.safecopy;
   sai-shape-syb = dontCheck super.sai-shape-syb;
   scp-streams = dontCheck super.scp-streams;
+  sdl2 = dontCheck super.sdl2; # the test suite needs an x server
   sdl2-ttf = dontCheck super.sdl2-ttf; # as of version 0.2.1, the test suite requires user intervention
   separated = dontCheck super.separated;
   shadowsocks = dontCheck super.shadowsocks;
diff --git a/pkgs/development/libraries/grpc/default.nix b/pkgs/development/libraries/grpc/default.nix
index a21e2aacde2a..e568ea9eb650 100644
--- a/pkgs/development/libraries/grpc/default.nix
+++ b/pkgs/development/libraries/grpc/default.nix
@@ -26,6 +26,8 @@ stdenv.mkDerivation rec {
     rm -vf BUILD
   '';
 
+  NIX_CFLAGS_COMPILE = "-Wno-error=unknown-warning-option";
+
   enableParallelBuilds = true;
 
   meta = with stdenv.lib; {
diff --git a/pkgs/development/libraries/gsasl/default.nix b/pkgs/development/libraries/gsasl/default.nix
index 71da2c716f84..a1df933149fd 100644
--- a/pkgs/development/libraries/gsasl/default.nix
+++ b/pkgs/development/libraries/gsasl/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 
   configureFlags = [ "--with-gssapi-impl=mit" ];
 
-  doCheck = true;
+  doCheck = !stdenv.hostPlatform.isDarwin;
 
   meta = {
     description = "GNU SASL, Simple Authentication and Security Layer library";
diff --git a/pkgs/development/libraries/libid3tag/CVE-2017-11550-and-CVE-2017-11551.patch b/pkgs/development/libraries/libid3tag/CVE-2017-11550-and-CVE-2017-11551.patch
new file mode 100644
index 000000000000..b1f9d0978cec
--- /dev/null
+++ b/pkgs/development/libraries/libid3tag/CVE-2017-11550-and-CVE-2017-11551.patch
@@ -0,0 +1,13 @@
+Common subdirectories: libid3tag-0.15.1b/msvc++ and libid3tag-0.15.1b-patched/msvc++
+diff -uwp libid3tag-0.15.1b/utf16.c libid3tag-0.15.1b-patched/utf16.c
+--- libid3tag-0.15.1b/utf16.c	2004-01-23 10:41:32.000000000 +0100
++++ libid3tag-0.15.1b-patched/utf16.c	2018-11-01 13:12:00.866050641 +0100
+@@ -250,6 +250,8 @@ id3_ucs4_t *id3_utf16_deserialize(id3_by
+   id3_ucs4_t *ucs4;
+ 
+   end = *ptr + (length & ~1);
++  if (end == *ptr)
++    return 0;
+ 
+   utf16 = malloc((length / 2 + 1) * sizeof(*utf16));
+   if (utf16 == 0)
diff --git a/pkgs/development/libraries/libid3tag/default.nix b/pkgs/development/libraries/libid3tag/default.nix
index 0289a5331f89..4b7d9bdc2e32 100644
--- a/pkgs/development/libraries/libid3tag/default.nix
+++ b/pkgs/development/libraries/libid3tag/default.nix
@@ -14,7 +14,10 @@ stdenv.mkDerivation rec {
 
   propagatedBuildInputs = [ zlib gperf ];
 
-  patches = [ ./debian-patches.patch ];
+  patches = [
+    ./debian-patches.patch
+    ./CVE-2017-11550-and-CVE-2017-11551.patch
+  ];
 
   preConfigure = ''
     configureFlagsArray+=(
diff --git a/pkgs/development/r-modules/default.nix b/pkgs/development/r-modules/default.nix
index f40c0fcb5592..428d6c60546e 100644
--- a/pkgs/development/r-modules/default.nix
+++ b/pkgs/development/r-modules/default.nix
@@ -942,6 +942,10 @@ let
       PKGCONFIG_LIBS = "-Wl,-rpath,${pkgs.openssl.out}/lib -L${pkgs.openssl.out}/lib -L${pkgs.cyrus_sasl.out}/lib -L${pkgs.zlib.out}/lib -lssl -lcrypto -lsasl2 -lz";
     });
 
+    ps = old.ps.overrideDerivation (attrs: {
+      preConfigure = "patchShebangs configure";
+    });
+
     rlang = old.rlang.overrideDerivation (attrs: {
       preConfigure = "patchShebangs configure";
     });
diff --git a/pkgs/development/tools/jq/darwin-strptime-test.patch b/pkgs/development/tools/jq/darwin-strptime-test.patch
deleted file mode 100644
index 4ea83fc164a3..000000000000
--- a/pkgs/development/tools/jq/darwin-strptime-test.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/tests/jq.test b/tests/jq.test
-index 4a4018b..f5aa7d5 100644
---- a/src/tests/jq.test
-+++ b/src/tests/jq.test
-@@ -1144,9 +1144,9 @@ bsearch(4)
- [1,2,3]
- -4
- 
--[strptime("%Y-%m-%dT%H:%M:%SZ")|(.,mktime)]
-+[strptime("%Y-%m-%dT%H:%M:%SZ")|mktime]
- "2015-03-05T23:51:47Z"
--[[2015,2,5,23,51,47,4,63],1425599507]
-+[1425599507]
- 
- strftime("%Y-%m-%dT%H:%M:%SZ")
- [2015,2,5,23,51,47,4,63]
diff --git a/pkgs/development/tools/jq/default.nix b/pkgs/development/tools/jq/default.nix
index 712ec64bd416..b7b2b5066b9f 100644
--- a/pkgs/development/tools/jq/default.nix
+++ b/pkgs/development/tools/jq/default.nix
@@ -2,33 +2,17 @@
 
 stdenv.mkDerivation rec {
   name = "jq-${version}";
-  version="1.5";
+  version="1.6";
 
   src = fetchurl {
     url="https://github.com/stedolan/jq/releases/download/jq-${version}/jq-${version}.tar.gz";
-    sha256="0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4";
+    sha256="1a76f46a652i2g333kfvrl6mp2w7whf6h1yly519izg4y967h9cn";
   };
 
   outputs = [ "bin" "doc" "man" "dev" "lib" "out" ];
 
   buildInputs = [ oniguruma ];
 
-  patches = [
-    (fetchpatch {
-      name = "CVE-2015-8863.patch";
-      url = https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.diff;
-      sha256 = "18bjanzvklfzlzzd690y88725l7iwl4f6wnr429na5pfmircbpvh";
-    })
-    (fetchpatch {
-      name = "CVE-2016-4074.patch";
-      url = https://patch-diff.githubusercontent.com/raw/stedolan/jq/pull/1214.diff;
-      sha256 = "1w8bapnyp56di6p9casbfczfn8258rw0z16grydavdjddfm280l9";
-    })
-  ]
-    ++ stdenv.lib.optional stdenv.isDarwin ./darwin-strptime-test.patch;
-
-  patchFlags = [ "-p2" ]; # `src` subdir was introduced after v1.5 was released
-
   configureFlags =
     [
     "--bindir=\${bin}/bin"
diff --git a/pkgs/development/tools/pyre/default.nix b/pkgs/development/tools/pyre/default.nix
index 99e53610c01c..382e733cb98b 100644
--- a/pkgs/development/tools/pyre/default.nix
+++ b/pkgs/development/tools/pyre/default.nix
@@ -1,9 +1,15 @@
 { stdenv, fetchFromGitHub, ocamlPackages, makeWrapper, writeScript
-, dune, python3, rsync, fetchpatch }:
+, dune, python3, rsync, fetchpatch, buck }:
 let
   # Manually set version - the setup script requires
   # hg and git + keeping the .git directory around.
-  pyre-version = "0.0.14";
+  pyre-version = "0.0.17";  # also change typeshed revision below with $pyre-src/.typeshed-version
+  pyre-src = fetchFromGitHub {
+    owner = "facebook";
+    repo = "pyre-check";
+    rev = "v${pyre-version}";
+    sha256 = "0y86a3g5xbgh0byksyx5jw7yq7w840x85dhz9inz6mkg5j06mcis";
+  };
   versionFile = writeScript "version.ml" ''
     cat > "./version.ml" <<EOF
     open Core
@@ -20,12 +26,7 @@ let
  pyre-bin = stdenv.mkDerivation {
   name = "pyre-${pyre-version}";
 
-  src = fetchFromGitHub {
-    owner = "facebook";
-    repo = "pyre-check";
-    rev = "v${pyre-version}";
-    sha256 = "0c8xzaa3ljqb6llr041sydw0l4xqn7x21nw9vaymdxh35nx9bp2v";
-  };
+  src = pyre-src;
 
   nativeBuildInputs = [ makeWrapper ];
 
@@ -49,7 +50,6 @@ let
     export HOME=.
 
     # "external" because https://github.com/facebook/pyre-check/pull/8/files
-    cp Makefile.template Makefile
     sed "s/%VERSION%/external/" dune.in > dune
 
     cp ${versionFile} ./scripts/generate-version-number.sh
@@ -77,20 +77,18 @@ let
     description = "A performant type-checker for Python 3";
     homepage = https://pyre-check.org;
     license = licenses.mit;
-    platforms = with platforms; linux;
+    platforms = ocamlPackages.ocaml.meta.platforms;
     maintainers = with maintainers; [ teh ];
   };
 };
 typeshed = stdenv.mkDerivation {
   name = "typeshed";
-  # typeshed doesn't have versions, it seems to be synchronized with
-  # mypy relases. I'm assigning a random version here (same as pyre).
   version = pyre-version;
   src = fetchFromGitHub {
     owner = "python";
     repo = "typeshed";
-    rev = "a08c6ea";
-    sha256 = "0wy8yh43vhyyc4g7iqnmlj66kz5in02y5qc0c4jdckhpa3mchaqk";
+    rev = "bc3f9fe1d3c43b00c04cedb23e0eeebc9e1734b6";
+    sha256 = "06b2kj4n49h4sgi8hn5kalmir8llhanfdc7f1924cxvrkj5ry94b";
   };
   phases = [ "unpackPhase" "installPhase" ];
   installPhase = "cp -r $src $out";
@@ -98,19 +96,8 @@ typeshed = stdenv.mkDerivation {
 in python3.pkgs.buildPythonApplication rec {
   pname = "pyre-check";
   version = pyre-version;
-  src = fetchFromGitHub {
-    owner = "facebook";
-    repo = "pyre-check";
-    rev = "v${pyre-version}";
-    sha256 = "0ig7bx2kfn2kbxw74wysh5365yp5gyby42l9l29iclrzdghgk32l";
-  };
-  patches = [
-    (fetchpatch {
-      url = "https://github.com/facebook/pyre-check/commit/b473d2ed9fc11e7c1cd0c7b8c42f521e5cdc2003.patch";
-      sha256 = "05xvyp7j4n6z92bxf64rxfq5pvaadxgx1c8c5qziy75vdz72lkcy";
-    })
-    ./pyre-bdist-wheel.patch
-  ];
+  src = pyre-src;
+  patches = [ ./pyre-bdist-wheel.patch ];
 
   # The build-pypi-package script does some funky stuff with build
   # directories - easier to patch it a bit than to replace it
@@ -119,15 +106,21 @@ in python3.pkgs.buildPythonApplication rec {
     mkdir ./build
     substituteInPlace scripts/build-pypi-package.sh \
         --replace 'NIX_BINARY_FILE' '${pyre-bin}/bin/pyre.bin' \
-        --replace 'BUILD_ROOT="$(mktemp -d)"' "BUILD_ROOT=$(pwd)/build"
+        --replace 'BUILD_ROOT="$(mktemp -d)"' "BUILD_ROOT=$PWD/build"
+    substituteInPlace client/buck.py \
+        --replace '"buck"' '"${buck}/bin/buck"'
+    substituteInPlace client/tests/buck_test.py \
+        --replace '"buck"' '"${buck}/bin/buck"'
   '';
 
-  buildInputs = [ pyre-bin rsync ];
+  buildInputs = [ pyre-bin ];
+  nativeBuildInputs = [ rsync ]; # only required for build-pypi-package.sh
   propagatedBuildInputs = with python3.pkgs; [ docutils typeshed ];
   buildPhase = ''
     bash scripts/build-pypi-package.sh --version ${pyre-version} --bundle-typeshed ${typeshed}
     cp -r build/dist dist
   '';
-
-  doCheck = false; # can't open file 'nix_run_setup':
+  checkPhase = ''
+    bash scripts/run-python-tests.sh
+  '';
 }
diff --git a/pkgs/development/tools/rust/cargo-asm/default.nix b/pkgs/development/tools/rust/cargo-asm/default.nix
index ca793bf49080..246f5b18843c 100644
--- a/pkgs/development/tools/rust/cargo-asm/default.nix
+++ b/pkgs/development/tools/rust/cargo-asm/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, rustPlatform }:
+{ stdenv, fetchFromGitHub, rustPlatform, Security }:
 
 rustPlatform.buildRustPackage rec {
   name = "cargo-asm-${version}";
@@ -13,6 +13,8 @@ rustPlatform.buildRustPackage rec {
 
   cargoSha256 = "1m2j6i8hc8isdlj77gv9m6sk6q0x3bvzpva2k16g27i1ngy1989b";
 
+  buildInputs = stdenv.lib.optional stdenv.isDarwin Security;
+
   # Test checks against machine code output, which fails with some
   # LLVM/compiler versions.
   doCheck = false;
diff --git a/pkgs/games/gemrb/default.nix b/pkgs/games/gemrb/default.nix
index 0e9025259224..fc7bf7168ddf 100644
--- a/pkgs/games/gemrb/default.nix
+++ b/pkgs/games/gemrb/default.nix
@@ -1,5 +1,6 @@
 { stdenv, fetchFromGitHub, cmake
-, freetype, SDL2, SDL2_mixer, openal, zlib, libpng, python, libvorbis }:
+, freetype, SDL2, SDL2_mixer, openal, zlib, libpng, python, libvorbis
+, libiconv }:
 
 stdenv.mkDerivation rec {
   name = "gemrb-${version}";
@@ -13,7 +14,7 @@ stdenv.mkDerivation rec {
   };
 
   # TODO: make libpng, libvorbis, sdl_mixer, freetype, vlc, glew (and other gl reqs) optional
-  buildInputs = [ freetype python openal SDL2 SDL2_mixer zlib libpng libvorbis ];
+  buildInputs = [ freetype python openal SDL2 SDL2_mixer zlib libpng libvorbis libiconv ];
 
   nativeBuildInputs = [ cmake ];
 
diff --git a/pkgs/tools/package-management/nix-du/default.nix b/pkgs/tools/package-management/nix-du/default.nix
index 24672296506d..59ec714261b1 100644
--- a/pkgs/tools/package-management/nix-du/default.nix
+++ b/pkgs/tools/package-management/nix-du/default.nix
@@ -1,25 +1,23 @@
-{ stdenv, fetchFromGitHub, rustPlatform, nix, boost, graphviz }:
+{ stdenv, fetchFromGitHub, rustPlatform, nix, boost, graphviz, darwin }:
 rustPlatform.buildRustPackage rec {
   name = "nix-du-${version}";
-  version = "0.2.0";
+  version = "0.3.0";
 
   src = fetchFromGitHub {
     owner = "symphorien";
     repo = "nix-du";
     rev = "v${version}";
-    sha256 = "1n1qgqjbwbb59xnzgz0dn8h8pckh6yq3crh0w6x2sngijwh678x8";
+    sha256 = "1x6qpivxbn94034jfdxb97xi97fhcdv2z7llq2ccfc80mgd0gz8l";
   };
-  cargoSha256 = "1qidbrkdpf4kliyvy2040qi3a67s8mr2r46rjcblr1v2gar0xgs0";
+  cargoSha256 = "0sva4lnhccm6ly7pa6m99s3fqkmh1dzv7r2727nsg2f55prd4kxc";
 
-  # switch to true when nix includes https://github.com/NixOS/nix/pull/2223 and 
-  # https://github.com/NixOS/nix/pull/2234
-  doCheck = false;
+  doCheck = true;
   checkInputs = [ graphviz ];
 
   buildInputs = [
     boost
     nix
-  ];
+  ] ++ stdenv.lib.optional stdenv.isDarwin darwin.apple_sdk.frameworks.Security;
 
   meta = with stdenv.lib; {
     description = "A tool to determine which gc-roots take space in your nix store";
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 62cef2d50689..f214f7043b89 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -7357,7 +7357,9 @@ with pkgs;
   cargo-tree = callPackage ../tools/package-management/cargo-tree { };
   cargo-update = callPackage ../tools/package-management/cargo-update { };
 
-  cargo-asm = callPackage ../development/tools/rust/cargo-asm { };
+  cargo-asm = callPackage ../development/tools/rust/cargo-asm {
+    inherit (darwin.apple_sdk.frameworks) Security;
+  };
   cargo-fuzz = callPackage ../development/tools/rust/cargo-fuzz { };
 
   pyo3-pack = callPackage ../development/tools/rust/pyo3-pack { };
@@ -16052,6 +16054,8 @@ with pkgs;
     pulseaudioSupport = config.pulseaudio or false;
   };
 
+  cmusfm = callPackage ../applications/audio/cmusfm { };
+
   cni = callPackage ../applications/networking/cluster/cni {};
   cni-plugins = callPackage ../applications/networking/cluster/cni/plugins.nix {};