From e9adf383e685bdb9812111fa8ec50450b16cfb11 Mon Sep 17 00:00:00 2001
From: Orivej Desh
Date: Tue, 25 Apr 2017 09:31:06 +0000
Subject: Fix parsing @args.rsp compiler arguments
---
 pkgs/build-support/cc-wrapper/utils.sh | 67 ++++++++++++++++++++++++----------
 1 file changed, 48 insertions(+), 19 deletions(-)
(limited to 'pkgs/build-support')
diff --git a/pkgs/build-support/cc-wrapper/utils.sh b/pkgs/build-support/cc-wrapper/utils.sh
index aba5f3295a98..d17930e8ab5d 100644
--- a/pkgs/build-support/cc-wrapper/utils.sh
+++ b/pkgs/build-support/cc-wrapper/utils.sh
@@ -23,26 +23,55 @@ badPath() {
 "${p:0:${#NIX_BUILD_TOP}}" != "$NIX_BUILD_TOP"
 }
+# @args.rsp parser.
+# Char classes: space, other, backslash, single quote, double quote.
+# States: 0 - outside, 1/2 - unquoted arg/slash, 3/4 - 'arg'/slash, 5/6 - "arg"/slash.
+# State transitions:
+rspT=(01235 01235 11111 33413 33333 55651 55555)
+# Push char on transition:
+rspC[01]=1 rspC[11]=1 rspC[21]=1 rspC[33]=1 rspC[43]=1 rspC[55]=1 rspC[65]=1
+
+rspParse() {
+ rsp=()
+ local s="$1"
+ local state=0
+ local arg=''
+
+ for (( i=0; i<${#s}; i++ )); do
+ local c="${s:$i:1}"
+ local cls=1
+ case "$c" in
+ ' ' | $'\t' | $'\r' | $'\n') cls=0 ;;
+ '\') cls=2 ;;
+ "'") cls=3 ;;
+ '"') cls=4 ;;
+ esac
+ local nextstates="${rspT[$state]}"
+ local nextstate="${nextstates:$cls:1}"
+ if [ "${rspC[$state$nextstate]}" ]; then
+ arg+="$c"
+ elif [ "$state$nextstate" = "10" ]; then
+ rsp+=("$arg")
+ arg=''
+ fi
+ state="$nextstate"
+ done
+
+ if [ "$state" -ne 0 ]; then
+ rsp+=("$arg")
+ fi
+}
+
 expandResponseParams() {
- local inparams=("$@")
- local n=0
- local p params=()
- while [ $n -lt ${#inparams[*]} ]; do
- p=${inparams[n]}
- case $p in
- @*)
- if [ -e "${p:1}" ]; then
- args=$(<"${p:1}")
- eval 'for arg in '${args//$/\\$}'; do params+=("$arg"); done'
- else
- params+=("$p")
- fi
- ;;
- *)
- params+=("$p")
- ;;
- esac
- n=$((n + 1))
+ while [ $# -gt 0 ]; do
+ local p="$1"
+ shift
+ if [ "${p:0:1}" = '@' -a -e "${p:1}" ]; then
+ rspParse "$(<"${p:1}")"
+ set -- "${rsp[@]}" "$@"
+ else
+ params+=("$p")
+ fi
 done
 }
-- cgit 1.4.1
From 33962a4420cc908af5f64083a6bfe843dc0c7ecb Mon Sep 17 00:00:00 2001
From: Linus Heckemann
Date: Thu, 4 May 2017 16:52:07 +0100
Subject: stdenv: fix "grep: invalid range"
---
 pkgs/build-support/setup-hooks/multiple-outputs.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'pkgs/build-support')
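Review bot: `rspParse` drives its loop with `for (( i=0; i<${#s}; i++ ))` but never declares `i` local, so every call clobbers a caller's `i`; add `local i` next to `local arg=''`. In `expandResponseParams` the `-a` in `[ "${p:0:1}" = '@' -a -e "${p:1}" ]` is the deprecated binary test operator; `[[ "${p:0:1}" = '@' && -e "${p:1}" ]]` is unambiguous. The rewritten function appends to a `params` array it neither declares nor resets (the removed code had `local p params=()`), so callers must initialise `params=()` themselves; that contract deserves a comment above the function. Because expanded words are pushed back onto `$@` with `set --`, a response file that names itself or another file in a cycle recurses without bound, so either a depth limit or a comment stating that response files are assumed acyclic would help. `badPath` begins before this hunk.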
diff --git a/pkgs/build-support/setup-hooks/multiple-outputs.sh b/pkgs/build-support/setup-hooks/multiple-outputs.sh
index eafc770a8e17..62a6491b8dc0 100644
--- a/pkgs/build-support/setup-hooks/multiple-outputs.sh
+++ b/pkgs/build-support/setup-hooks/multiple-outputs.sh
@@ -61,7 +61,7 @@ _multioutConfig() {
 local shareDocName="$(sed -n "s/^PACKAGE_TARNAME='\(.*\)'$/\1/p" < "$confScript")"
 fi
 # PACKAGE_TARNAME sometimes contains garbage.
- if [ -n "$shareDocName" ] || echo "$shareDocName" | grep -q '[^a-zA-Z-_0-9]'; then
+ if [ -n "$shareDocName" ] || echo "$shareDocName" | grep -q '[^a-zA-Z0-9_-]'; then
 shareDocName="$(echo "$name" | sed 's/-[^a-zA-Z].*//')"
 fi
 fi
-- cgit 1.4.1
From 94d164dd7f20c785a543d1fb1d5bd359fb38bd25 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Thu, 4 May 2017 20:06:40 +0200
Subject: Add a setup hook for detecting $TMPDIR references in RPATHs and wrapper scripts
---
 pkgs/build-support/setup-hooks/audit-tmpdir.sh | 41 ++++++++++++++++++++++++++
 pkgs/stdenv/generic/default.nix | 1 +
 pkgs/stdenv/generic/setup.sh | 12 ++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 pkgs/build-support/setup-hooks/audit-tmpdir.sh
(limited to 'pkgs/build-support')
diff --git a/pkgs/build-support/setup-hooks/audit-tmpdir.sh b/pkgs/build-support/setup-hooks/audit-tmpdir.sh
new file mode 100644
index 000000000000..ffaa61f2d809
--- /dev/null
+++ b/pkgs/build-support/setup-hooks/audit-tmpdir.sh
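Review bot: The condition on the changed line still looks inverted: `[ -n "$shareDocName" ]` makes the `$name`-derived fallback run exactly when PACKAGE_TARNAME was found, while an empty value passes the `grep` untouched and is kept. If the intent stated by the comment above it is to replace a missing or garbage value, the test should read `if [ -z "$shareDocName" ] || echo "$shareDocName" | grep -q '[^a-zA-Z0-9_-]'; then`. `_multioutConfig` begins before this hunk.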
@@ -0,0 +1,41 @@
+# Check whether RPATHs or wrapper scripts contain references to
+# $TMPDIR. This is a serious security bug because it allows any user
+# to inject files into search paths of other users' processes.
+#
+# It might be better to have Nix scan build output for any occurrence
+# of $TMPDIR (which would also be good for reproducibility), but at
+# the moment that would produce too many spurious errors (e.g. debug
+# info or assertion messages that refer to $TMPDIR).
+
+fixupOutputHooks+=('if [ -z "$noAuditTmpdir" -a -e "$prefix" ]; then auditTmpdir "$prefix"; fi')
+
+auditTmpdir() {
+ local dir="$1"
+ [ -e "$dir" ] || return 0
+
+ header "checking for references to $TMPDIR in $dir..."
+
+ local i
+ while IFS= read -r -d $'\0' i; do
+ if [[ "$i" =~ .build-id ]]; then continue; fi
+
+ if isELF "$i"; then
+ if patchelf --print-rpath "$i" | grep -q -F "$TMPDIR"; then
+ echo "RPATH of binary $i contains a forbidden reference to $TMPDIR"
+ exit 1
+ fi
+ fi
+
+ if isScript "$i"; then
+ if [ -e "$(dirname $i)/.$(basename $i)-wrapped" ]; then
+ if grep -q -F "$TMPDIR" "$i"; then
+ echo "wrapper script $i contains a forbidden reference to $TMPDIR"
+ exit 1
+ fi
+ fi
+ fi
+
+ done < <(find "$dir" -type f -print0)
+
+ stopNest
+}
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index a063a1ed2dc9..43b35082161d 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -94,6 +94,7 @@ let
 ../../build-support/setup-hooks/compress-man-pages.sh
 ../../build-support/setup-hooks/strip.sh
 ../../build-support/setup-hooks/patch-shebangs.sh
+ ../../build-support/setup-hooks/audit-tmpdir.sh
 ../../build-support/setup-hooks/multiple-outputs.sh
 ../../build-support/setup-hooks/move-sbin.sh
 ../../build-support/setup-hooks/move-lib64.sh
diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh
index de33ab565982..eb63b18e5f3d 100644
--- a/pkgs/stdenv/generic/setup.sh
+++ b/pkgs/stdenv/generic/setup.sh
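Review bot: `$i` is unquoted inside `"$(dirname $i)/.$(basename $i)-wrapped"`, so a path containing whitespace or glob characters is word-split before `dirname`/`basename` see it and the wrapper check is silently skipped for exactly those files; the line should be `if [ -e "$(dirname "$i")/.$(basename "$i")-wrapped" ]; then`. Both `grep -q -F "$TMPDIR"` calls match every line when `TMPDIR` is empty or unset, which would fail the build on the first binary with any RPATH rather than on a real reference; making the precondition explicit with `: "${TMPDIR:?auditTmpdir: TMPDIR must be set}"` after the `[ -e "$dir" ] || return 0` line keeps the check from degrading into noise while still failing closed. The two `exit 1` paths also skip `stopNest`, which presumably pairs with the earlier `header` call; harmless for a build that is aborting anyway, but a short comment saying so would save the next reader a question.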
@@ -199,6 +199,18 @@ isELF() {
 if [[ "$magic" =~ ELF ]]; then return 0; else return 1; fi
 }
+# Return success if the specified file is a script (i.e. starts with
+# "#!").
+isScript() {
+ local fn="$1"
+ local magic
+ if ! [ -x /bin/sh ]; then return 0; fi
+ exec {fd}< "$fn"
+ read -n 2 -u $fd magic
+ exec {fd}<&-
+ if [[ "$magic" =~ \#! ]]; then return 0; else return 1; fi
+}
+
 ######################################################################
 # Initialisation.
-- cgit 1.4.1
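Review bot: `exec {fd}< "$fn"` stores the descriptor number in `fd`, which `isScript` never declares local, so each call leaves a stray global `fd` behind; add `local fd` beside `local magic`. `read -n 2 -u $fd magic` lacks `-r`, so a leading backslash byte is consumed as an escape rather than read as data, and `$fd` is unquoted; `read -r -n 2 -u "$fd" magic` is the conventional form. `read` also returns non-zero on a file shorter than two bytes, so if this file runs under `set -e` (not visible here) an empty file aborts the build instead of being classified as "not a script", and that line would then want `|| true` and a comment. The `if ! [ -x /bin/sh ]; then return 0; fi` line treats every file as a script when /bin/sh is missing; if that is deliberate (it resembles the `isELF` body that begins before this hunk) a comment stating why would help. 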