From 24eb66569527ec84eb35cd80ce407f2106c3a368 Mon Sep 17 00:00:00 2001
From: Matthew Bauer
Date: Sat, 21 Oct 2017 02:27:09 -0500
Subject: [PATCH 01/25] cmake: setup CMAKE_FRAMEWORK_PATH

This tells cmake how to find macOS frameworks.

Fixes #26197
---
 pkgs/development/tools/build-managers/cmake/setup-hook.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkgs/development/tools/build-managers/cmake/setup-hook.sh b/pkgs/development/tools/build-managers/cmake/setup-hook.sh
index bf876e81cda..331f907ae61 100755
--- a/pkgs/development/tools/build-managers/cmake/setup-hook.sh
+++ b/pkgs/development/tools/build-managers/cmake/setup-hook.sh
@@ -84,6 +84,9 @@ makeCmakeFindLibs(){
 -L*)
 export CMAKE_LIBRARY_PATH="$CMAKE_LIBRARY_PATH${CMAKE_LIBRARY_PATH:+:}${flag:2}"
 ;;
+ -F*)
+ export CMAKE_FRAMEWORK_PATH="$CMAKE_FRAMEWORK_PATH${CMAKE_FRAMEWORK_PATH:+:}${flag:2}"
+ ;;
 -isystem)
 isystem_seen=1
 ;;

From f906d6d18e87f4e2ee8a47d4f6040c77fd6c7f1e Mon Sep 17 00:00:00 2001
From: Jon Banafato
Date: Sat, 21 Oct 2017 22:38:46 -0400
Subject: [PATCH 02/25] python36: 3.6.2 -> 3.6.3

---
 pkgs/development/interpreters/python/cpython/3.6/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/interpreters/python/cpython/3.6/default.nix b/pkgs/development/interpreters/python/cpython/3.6/default.nix
index 127c093501c..1614159a7ef 100644
--- a/pkgs/development/interpreters/python/cpython/3.6/default.nix
+++ b/pkgs/development/interpreters/python/cpython/3.6/default.nix
@@ -27,7 +27,7 @@ with stdenv.lib;
 
 let
 majorVersion = "3.6";
- minorVersion = "2";
+ minorVersion = "3";
 minorVersionSuffix = "";
 pythonVersion = majorVersion;
 version = "${majorVersion}.${minorVersion}${minorVersionSuffix}";
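Review bot: The new `-F*` branch carries no comment, and unlike `-L` or `-I` the meaning of `-F` is not obvious to anyone who does not build on Darwin; a one-liner above the case, `# -F<dir>: macOS framework search path, handled like -L above`, would spare the next reader a trip to the clang manual. Like the existing `-L*` case it takes the directory from `${flag:2}`, so only the joined form `-F<dir>` is recognised and a separated `-F <dir>` pair falls through silently; that is consistent with the surrounding cases, but worth stating in the comment so nobody reads it as an oversight. The enclosing `makeCmakeFindLibs` function starts and ends outside the hunk.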
@@ -48,7 +48,7 @@ in stdenv.mkDerivation {
 
 src = fetchurl {
 url = "https://www.python.org/ftp/python/${majorVersion}.${minorVersion}/Python-${version}.tar.xz";
- sha256 = "1ab4vlpdax1ihpiyiwchlgsk36apl4kgdw271wvl9l8ywhxpfacj";
+ sha256 = "1nl1raaagr4car787a2hmjv2dw6gqny53xfd6wisbgx4r5kxk9yd";
 };
 
 NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s";

From a505abc9487ad2d6a069a9f236fc4156b7dd7c91 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Sun, 22 Oct 2017 13:58:28 +0200
Subject: [PATCH 03/25] libcap: already patch Make.Rules in prePatch

Make.Rules gets already included during compilation, so set paths before invoking make.

This fixes wrong paths in libcap.pc.
---
 pkgs/os-specific/linux/libcap/default.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/pkgs/os-specific/linux/libcap/default.nix b/pkgs/os-specific/linux/libcap/default.nix
index 1cc8ab60d75..17cd40e427b 100644
--- a/pkgs/os-specific/linux/libcap/default.nix
+++ b/pkgs/os-specific/linux/libcap/default.nix
@@ -30,9 +30,8 @@ stdenv.mkDerivation rec {
 
 # ensure capsh can find bash in $PATH
 substituteInPlace progs/capsh.c --replace execve execvpe
- '';
 
- preInstall = ''
+ # set prefixes
 substituteInPlace Make.Rules \
 --replace 'prefix=/usr' "prefix=$lib" \
 --replace 'exec_prefix=' "exec_prefix=$out" \
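Review bot: The `substituteInPlace Make.Rules` call that this hunk moves into the earlier phase has no check that its patterns matched, and `substituteInPlace` does not fail when a `--replace` pattern is absent, so a future libcap release that renames `prefix=/usr` or gives `exec_prefix=` a default value would silently bring back exactly the wrong libcap.pc paths this commit fixes. A cheap guard right after the call, `grep -q "^prefix=$lib" Make.Rules`, turns that into a build failure instead of a quiet regression. The phase attribute being edited starts and ends outside the hunk.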
@@ -21,11 +21,11 @@ assert scpSupport -> libssh2 != null;
 assert c-aresSupport -> c-ares != null;
 
 stdenv.mkDerivation rec {
- name = "curl-7.56.0";
+ name = "curl-7.56.1";
 
 src = fetchurl {
 url = "http://curl.haxx.se/download/${name}.tar.bz2";
- sha256 = "1pvr2bqfhk46bzq2x2hskmnq3wc8qxlps7apm9q1qiixb9ra8q6y";
+ sha256 = "142zidvlmrz31yx480nrhh47hl01d7jbaagin23pspl7cw1ng515";
 };
 
 outputs = [ "bin" "dev" "out" "man" "devdoc" ];

From 5072f4792e890c809a43763c8e0b283a22ee0c14 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Tue, 24 Oct 2017 13:03:20 +0200
Subject: [PATCH 05/25] db{48,53,60,62}: add patch to fix CVE-2017-10140

---
 .../db/CVE-2017-10140-4.8-cwd-db_config.patch | 11 +++++++++++
 .../libraries/db/CVE-2017-10140-cwd-db_config.patch | 11 +++++++++++
 pkgs/development/libraries/db/db-4.8.nix | 2 +-
 pkgs/development/libraries/db/db-5.3.nix | 2 +-
 pkgs/development/libraries/db/db-6.0.nix | 2 +-
 pkgs/development/libraries/db/db-6.2.nix | 2 +-
 6 files changed, 26 insertions(+), 4 deletions(-)
 create mode 100644 pkgs/development/libraries/db/CVE-2017-10140-4.8-cwd-db_config.patch
 create mode 100644 pkgs/development/libraries/db/CVE-2017-10140-cwd-db_config.patch

diff --git a/pkgs/development/libraries/db/CVE-2017-10140-4.8-cwd-db_config.patch b/pkgs/development/libraries/db/CVE-2017-10140-4.8-cwd-db_config.patch
new file mode 100644
index 00000000000..ed916fcf4d1
--- /dev/null
+++ b/pkgs/development/libraries/db/CVE-2017-10140-4.8-cwd-db_config.patch
@@ -0,0 +1,11 @@
+--- a/env/env_open.c.old 2017-06-26 10:32:11.011419981 +0200
++++ b/env/env_open.c 2017-06-26 10:32:46.893721233 +0200
+@@ -473,7 +473,7 @@
+ env->db_mode = mode == 0 ? DB_MODE_660 : mode;
+ 
+ /* Read the DB_CONFIG file. */
+- if ((ret = __env_read_db_config(env)) != 0)
++ if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0)
+ return (ret);
+ 
+ /*
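Review bot: The new patch file starts straight at the `---` header with no description, so the only record of what it fixes is its file name; the one-line change guards `__env_read_db_config` with `env->db_home != NULL`, i.e. DB_CONFIG is no longer read when the environment was opened without a home directory, which is the current-directory case the name alludes to. A free-text line above the `---` header (patch tooling ignores it), such as `Do not read DB_CONFIG when no db_home is set (CVE-2017-10140)`, keeps that visible the next time the file is touched. The same applies to `CVE-2017-10140-cwd-db_config.patch` in the next hunk, which is additionally applied to db-6.0 and db-6.2 although its header names `db-5.3.28/`; with the default `-p1` strip the prefix is dropped so it applies, but a note in the file would make that reuse read as deliberate.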
diff --git a/pkgs/development/libraries/db/CVE-2017-10140-cwd-db_config.patch b/pkgs/development/libraries/db/CVE-2017-10140-cwd-db_config.patch
new file mode 100644
index 00000000000..652e962bbe1
--- /dev/null
+++ b/pkgs/development/libraries/db/CVE-2017-10140-cwd-db_config.patch
@@ -0,0 +1,11 @@
+--- db-5.3.28/src/env/env_open.c.old 2017-06-26 10:32:11.011419981 +0200
++++ db-5.3.28/src/env/env_open.c 2017-06-26 10:32:46.893721233 +0200
+@@ -473,7 +473,7 @@
+ env->db_mode = mode == 0 ? DB_MODE_660 : mode;
+ 
+ /* Read the DB_CONFIG file. */
+- if ((ret = __env_read_db_config(env)) != 0)
++ if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0)
+ return (ret);
+ 
+ /*
diff --git a/pkgs/development/libraries/db/db-4.8.nix b/pkgs/development/libraries/db/db-4.8.nix
index bce91e5a940..76e30e921ba 100644
--- a/pkgs/development/libraries/db/db-4.8.nix
+++ b/pkgs/development/libraries/db/db-4.8.nix
@@ -3,7 +3,7 @@
 import ./generic.nix (args // rec {
 version = "4.8.30";
 sha256 = "0ampbl2f0hb1nix195kz1syrqqxpmvnvnfvphambj7xjrl3iljg0";
- extraPatches = [ ./clang-4.8.patch ];
+ extraPatches = [ ./clang-4.8.patch ./CVE-2017-10140-4.8-cwd-db_config.patch ];
 
 drvArgs.hardeningDisable = [ "format" ];
 drvArgs.doCheck = false;
diff --git a/pkgs/development/libraries/db/db-5.3.nix b/pkgs/development/libraries/db/db-5.3.nix
index 066eca4e63d..7894e4c7326 100644
--- a/pkgs/development/libraries/db/db-5.3.nix
+++ b/pkgs/development/libraries/db/db-5.3.nix
@@ -3,5 +3,5 @@
 import ./generic.nix (args // rec {
 version = "5.3.28";
 sha256 = "0a1n5hbl7027fbz5lm0vp0zzfp1hmxnz14wx3zl9563h83br5ag0";
- extraPatches = [ ./clang-5.3.patch ];
+ extraPatches = [ ./clang-5.3.patch ./CVE-2017-10140-cwd-db_config.patch ];
 })
diff --git a/pkgs/development/libraries/db/db-6.0.nix b/pkgs/development/libraries/db/db-6.0.nix
index b7c5667b883..bafca3bd52d 100644
--- a/pkgs/development/libraries/db/db-6.0.nix
+++ b/pkgs/development/libraries/db/db-6.0.nix
@@ -4,5 +4,5 @@ import ./generic.nix (args // rec {
 version = "6.0.20";
 sha256 = "00r2aaglq625y8r9xd5vw2y070plp88f1mb2gbq3kqsl7128lsl0";
 license = stdenv.lib.licenses.agpl3;
- extraPatches = [ ./clang-6.0.patch ];
+ extraPatches = [ ./clang-6.0.patch ./CVE-2017-10140-cwd-db_config.patch ];
 })
diff --git a/pkgs/development/libraries/db/db-6.2.nix b/pkgs/development/libraries/db/db-6.2.nix
index f897e3744af..96f7668aa90 100644
--- a/pkgs/development/libraries/db/db-6.2.nix
+++ b/pkgs/development/libraries/db/db-6.2.nix
@@ -4,5 +4,5 @@ import ./generic.nix (args // rec {
 version = "6.2.23";
 sha256 = "1isxx4jfmnh913jzhp8hhfngbk6dsg46f4kjpvvc56maj64jqqa7";
 license = stdenv.lib.licenses.agpl3;
- extraPatches = [ ./clang-6.0.patch ];
+ extraPatches = [ ./clang-6.0.patch ./CVE-2017-10140-cwd-db_config.patch ];
 })

From f269f319856f41ae562bf91a44e612d22f1e5f88 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Tue, 24 Oct 2017 11:05:14 +0200
Subject: [PATCH 06/25] lame: 3.99.5 -> 3.100 for multiple CVEs

Fixes CVE-2017-9410, CVE-2017-9411, CVE-2017-9412.
---
 pkgs/development/libraries/lame/default.nix | 8 ++---
 pkgs/development/libraries/lame/gcc-4.9.patch | 33 -------------------
 2 files changed, 3 insertions(+), 38 deletions(-)
 delete mode 100644 pkgs/development/libraries/lame/gcc-4.9.patch

diff --git a/pkgs/development/libraries/lame/default.nix b/pkgs/development/libraries/lame/default.nix
index b324494faff..8ad7cb95a5d 100644
--- a/pkgs/development/libraries/lame/default.nix
+++ b/pkgs/development/libraries/lame/default.nix
@@ -23,15 +23,13 @@ in with stdenv.lib;
 
 stdenv.mkDerivation rec {
 name = "lame-${version}";
- version = "3.99.5";
+ version = "3.100";
 
 src = fetchurl {
 url = "mirror://sourceforge/lame/${name}.tar.gz";
- sha256 = "1zr3kadv35ii6liia0bpfgxpag27xcivp571ybckpbz4b10nnd14";
+ sha256 = "07nsn5sy3a8xbmw1bidxnsj5fj6kg9ai04icmqw40ybkp353dznx";
 };
 
- patches = [ ./gcc-4.9.patch ];
-
 outputs = [ "out" "lib" "doc" ]; # a small single header
 outputMan = "out";
 
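Review bot: The removal of `patches = [ ./gcc-4.9.patch ];` is not explained anywhere; the patch deleted in this same commit adds `#pragma GCC target("sse")` and `("sse2")` to `xmm_quantize_sub.c` so the SSE code builds on 32-bit, and neither the hunk nor the commit message says that 3.100 no longer needs it. If the upstream release carries an equivalent fix, a one-line comment where the `patches` line used to be, `# the gcc-4.9 SSE pragma patch is no longer needed with 3.100`, records that; if it was not checked, an i686 build of 3.100 is the thing to verify before this lands. The `stdenv.mkDerivation` body continues past the end of the hunk.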
@@ -61,7 +59,7 @@ stdenv.mkDerivation rec { description = "A high quality MPEG Audio Layer III (MP3) encoder"; homepage = http://lame.sourceforge.net; license = licenses.lgpl2; - maintainers = with maintainers; [ codyopel ]; + maintainers = with maintainers; [ codyopel fpletz ]; platforms = platforms.all; }; } diff --git a/pkgs/development/libraries/lame/gcc-4.9.patch b/pkgs/development/libraries/lame/gcc-4.9.patch deleted file mode 100644 index 59f8e00e4a8..00000000000 --- a/pkgs/development/libraries/lame/gcc-4.9.patch +++ /dev/null @@ -1,33 +0,0 @@ -fix sse optimizations build on 32-bit with gcc 4.9 -http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=351af417bae0d09bd5a3753d1237f03adf591933 - -xmm_quantize_sub.c: In function 'init_xrpow_core_sse': -xmm_quantize_sub.c:65:18: warning: SSE vector return without SSE enabled changes the ABI [-W -psabi] - const __m128 vec_fabs_mask = _mm_loadu_ps(&fabs_mask._float[0]); - ^ -In file included from xmm_quantize_sub.c:37:0: -/usr/lib/gcc/i686-w64-mingw32/4.9.0/include/xmmintrin.h:933:1: error: inlining failed in call to always_inline '_mm_loadu_ps': target specific option mismatch - _mm_loadu_ps (float const *__P) - ^ -xmm_quantize_sub.c:65:18: error: called from here - const __m128 vec_fabs_mask = _mm_loadu_ps(&fabs_mask._float[0]); - ^ ---- lame/libmp3lame/vector/xmm_quantize_sub.c.orig 2014-06-08 12:16:19.455468042 -0700 -+++ lame/libmp3lame/vector/xmm_quantize_sub.c 2014-06-08 12:16:09.592356980 -0700 -@@ -35,6 +35,7 @@ - #ifdef HAVE_XMMINTRIN_H - - #include -+#pragma GCC target("sse") - - typedef union { - int32_t _i_32[4]; /* unions are initialized by its first member */ -@@ -124,6 +125,7 @@ - } - - -+#pragma GCC target("sse2") - void - fht_SSE2(FLOAT * fz, int n) - { From aebae6c20850ea1c29d2dad9d29b4db6c09e317c Mon Sep 17 00:00:00 2001 
From: Franz Pletz
Date: Tue, 24 Oct 2017 10:58:16 +0200
Subject: [PATCH 07/25] webkitgtk: 2.16.6 -> 2.18.1 for multiple CVEs

See https://webkitgtk.org/security/WSA-2017-0008.html
---
 pkgs/desktops/gnome-3/default.nix | 3 +--
 .../libraries/webkitgtk/{2.16.nix => 2.18.nix} | 13 +++++--------
 .../development/libraries/wxwidgets/3.0/default.nix | 6 +++---
 pkgs/top-level/all-packages.nix | 6 +++---
 4 files changed, 12 insertions(+), 16 deletions(-)
 rename pkgs/development/libraries/webkitgtk/{2.16.nix => 2.18.nix} (88%)

diff --git a/pkgs/desktops/gnome-3/default.nix b/pkgs/desktops/gnome-3/default.nix
index 10e5f97c38f..585f79ddea6 100644
--- a/pkgs/desktops/gnome-3/default.nix
+++ b/pkgs/desktops/gnome-3/default.nix
@@ -45,7 +45,7 @@ let
 hitori gnome-taquin
 ];
- inherit (pkgs) glib gtk2 webkitgtk216x gtk3 gtkmm3 libcanberra_gtk2
+ inherit (pkgs) glib gtk2 webkitgtk gtk3 gtkmm3 libcanberra_gtk2
 clutter clutter-gst clutter_gtk cogl gtkvnc;
 inherit (pkgs.gnome2) ORBit2;
 libsoup = pkgs.libsoup.override { gnomeSupport = true; };
@@ -56,7 +56,6 @@ let
 gtkmm = gtkmm3;
 vala = pkgs.vala_0_32;
 gegl_0_3 = pkgs.gegl_0_3.override { inherit gtk; };
- webkitgtk = webkitgtk216x;
 
 # Simplify the nixos module and gnome packages
 defaultIconTheme = adwaita-icon-theme;
diff --git a/pkgs/development/libraries/webkitgtk/2.16.nix b/pkgs/development/libraries/webkitgtk/2.18.nix
similarity index 88%
rename from pkgs/development/libraries/webkitgtk/2.16.nix
rename to pkgs/development/libraries/webkitgtk/2.18.nix
index d6999353414..e1b520eb10b 100644
--- a/pkgs/development/libraries/webkitgtk/2.16.nix
+++ b/pkgs/development/libraries/webkitgtk/2.18.nix
@@ -4,7 +4,7 @@
 , libxml2, libsoup, libsecret, libxslt, harfbuzz, libpthreadstubs, pcre, nettle, libtasn1, p11_kit
 , libidn, libedit, readline, mesa, libintlOrEmpty
 , enableGeoLocation ? true, geoclue2, sqlite
-, gst-plugins-base
+, gst-plugins-base, gst-plugins-bad
 }:
 
 assert enableGeoLocation -> geoclue2 != null;
@@ -12,7 +12,7 @@ assert enableGeoLocation -> geoclue2 != null;
 with stdenv.lib;
 stdenv.mkDerivation rec {
 name = "webkitgtk-${version}";
- version = "2.16.6";
+ version = "2.18.1";
 
 meta = {
 description = "Web content rendering engine, GTK+ port";
@@ -42,7 +42,7 @@ stdenv.mkDerivation rec {
 
 src = fetchurl {
 url = "http://webkitgtk.org/releases/${name}.tar.xz";
- sha256 = "08abxbhi2n1pfby9f2c20z8mpmbvbs2z7vf0p5ckq4jkz46na8zw";
+ sha256 = "15fp7szmkpannx7avsynf0nv3y343qwq0fvq3rz2m2mw5wq7pnww";
 };
 
 # see if we can clean this up....
@@ -77,10 +77,7 @@ stdenv.mkDerivation rec {
 "-DENABLE_GTKDOC=OFF"
 ];
 
- # XXX: WebKit2 missing include path for gst-plugins-base.
- # Filled: https://bugs.webkit.org/show_bug.cgi?id=148894
- NIX_CFLAGS_COMPILE = "-I${gst-plugins-base.dev}/include/gstreamer-1.0"
- + (optionalString stdenv.isDarwin " -lintl");
+ NIX_CFLAGS_COMPILE = optionalString stdenv.isDarwin " -lintl";
 
 nativeBuildInputs = [
 cmake perl python2 ruby bison gperf
@@ -90,7 +87,7 @@ stdenv.mkDerivation rec {
 buildInputs = libintlOrEmpty ++ [
 gtk2 libwebp enchant libnotify gnutls pcre nettle libidn libxml2 libsecret libxslt harfbuzz libpthreadstubs libtasn1 p11_kit
- sqlite gst-plugins-base libxkbcommon epoxy at_spi2_core
+ sqlite gst-plugins-base gst-plugins-bad libxkbcommon epoxy at_spi2_core
 ] ++ optional enableGeoLocation geoclue2
 ++ (with xlibs; [ libXdmcp libXt libXtst ])
 ++ optionals stdenv.isDarwin [ libedit readline mesa ]
diff --git a/pkgs/development/libraries/wxwidgets/3.0/default.nix b/pkgs/development/libraries/wxwidgets/3.0/default.nix
index 35300ed9419..2375de4b1bf 100644
--- a/pkgs/development/libraries/wxwidgets/3.0/default.nix
+++ b/pkgs/development/libraries/wxwidgets/3.0/default.nix
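Review bot: The rewritten `NIX_CFLAGS_COMPILE = optionalString stdenv.isDarwin " -lintl";` keeps the leading space that only existed because the string used to be appended to the `-I` flag; with the concatenation gone the value is either empty or `" -lintl"`, which works but reads as a leftover. `NIX_CFLAGS_COMPILE = optionalString stdenv.isDarwin "-lintl";` says what is meant. While here, the old comment lines that were removed explained the `-I` part but never the `-lintl` part, so a short comment on why a link flag is passed through the compile-flags variable on Darwin would be the one piece of documentation this attribute has.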
@@ -3,13 +3,13 @@
 , withMesa ? true, mesa_glu ? null, mesa_noglu ? null
 , compat24 ? false, compat26 ? true, unicode ? true
 , withGtk2 ? true
-, withWebKit ? false, webkitgtk24x-gtk2 ? null, webkitgtk216x ? null
+, withWebKit ? false, webkitgtk24x-gtk2 ? null, webkitgtk218x ? null
 , AGL ? null, Carbon ? null, Cocoa ? null, Kernel ? null, QTKit ? null
 }:
 
 assert withMesa -> mesa_glu != null && mesa_noglu != null;
-assert withWebKit -> (if withGtk2 then webkitgtk24x-gtk2 else webkitgtk216x) != null;
+assert withWebKit -> (if withGtk2 then webkitgtk24x-gtk2 else webkitgtk218x) != null;
 
 with stdenv.lib;
 
@@ -30,7 +30,7 @@ stdenv.mkDerivation {
 [ (if withGtk2 then gtk2 else gtk3) libXinerama libSM libXxf86vm xf86vidmodeproto gstreamer gst-plugins-base GConf ]
 ++ optional withMesa mesa_glu
- ++ optional withWebKit (if withGtk2 then webkitgtk24x-gtk2 else webkitgtk216x)
+ ++ optional withWebKit (if withGtk2 then webkitgtk24x-gtk2 else webkitgtk218x)
 ++ optionals stdenv.isDarwin [ setfile Carbon Cocoa Kernel QTKit ];
 
 nativeBuildInputs = [ pkgconfig ];
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index bfb50c82969..057f878dedc 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10948,7 +10948,7 @@ with pkgs;
 
 wcslib = callPackage ../development/libraries/wcslib { };
 
- webkitgtk = webkitgtk216x;
+ webkitgtk = webkitgtk218x;
 
 webkitgtk24x-gtk3 = callPackage ../development/libraries/webkitgtk/2.4.nix {
 harfbuzz = harfbuzz-icu;
@@ -10956,9 +10956,9 @@ with pkgs;
 inherit (darwin) libobjc;
 };
 
- webkitgtk216x = callPackage ../development/libraries/webkitgtk/2.16.nix {
+ webkitgtk218x = callPackage ../development/libraries/webkitgtk/2.16.nix {
 harfbuzz = harfbuzz-icu;
- gst-plugins-base = gst_all_1.gst-plugins-base;
+ inherit (gst_all_1) gst-plugins-base gst-plugins-bad;
 };
 
 webkitgtk217x = callPackage ../development/libraries/webkitgtk/2.17.nix {

From 658335d6a88b623ab926dea99425e2716afa7f4e Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Tue, 24 Oct 2017 11:06:29 +0200
Subject: [PATCH 08/25] cdrdao: does not build with lame 3.100

---
 pkgs/tools/cd-dvd/cdrdao/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/tools/cd-dvd/cdrdao/default.nix b/pkgs/tools/cd-dvd/cdrdao/default.nix
index 3b8040e2b91..25d94593f5e 100644
--- a/pkgs/tools/cd-dvd/cdrdao/default.nix
+++ b/pkgs/tools/cd-dvd/cdrdao/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, lame, libvorbis, libmad, pkgconfig, libao}:
+{stdenv, fetchurl, libvorbis, libmad, pkgconfig, libao}:
 
 stdenv.mkDerivation {
 name = "cdrdao-1.2.3";
@@ -11,7 +11,7 @@ stdenv.mkDerivation {
 makeFlags = "RM=rm LN=ln MV=mv";
 
 nativeBuildInputs = [ pkgconfig ];
- buildInputs = [ lame libvorbis libmad libao ];
+ buildInputs = [ libvorbis libmad libao ];
 
 hardeningDisable = [ "format" ];
 

From 4d92b5fb928d090b1faee93e2811f9c7f68085f4 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Tue, 24 Oct 2017 16:08:22 +0200
Subject: [PATCH 09/25] webkitgtk218x: fix evaluation

---
 pkgs/top-level/all-packages.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 88dd4d49fcf..9f6b1445298 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10952,7 +10952,7 @@ with pkgs;
 inherit (darwin) libobjc;
 };
 
- webkitgtk218x = callPackage ../development/libraries/webkitgtk/2.16.nix {
+ webkitgtk218x = callPackage ../development/libraries/webkitgtk/2.18.nix {
 harfbuzz = harfbuzz-icu;
 inherit (gst_all_1) gst-plugins-base gst-plugins-bad;
 };

From 0967f0e858dd8eaca73278d98ccd7b7fc848cc82 Mon Sep 17 00:00:00 2001
From: mimadrid
Date: Tue, 24 Oct 2017 17:51:31 +0200
Subject: [PATCH 10/25] sqlite: 3.20.0 -> 3.20.1

---
 pkgs/development/libraries/sqlite/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
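Review bot: Dropping `lame` from `buildInputs` takes MP3 input support away from cdrdao without leaving any trace in the file; the reason exists only in the commit title, and the next person to notice the missing feature has to dig through history to learn it was deliberate. A comment on the changed line, `buildInputs = [ libvorbis libmad libao ]; # lame omitted: cdrdao 1.2.3 fails to build against lame 3.100`, records both the cause and the condition for putting it back. The argument-list change in the first hunk of this file is the same omission and needs no second comment once this one is in place.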
diff --git a/pkgs/development/libraries/sqlite/default.nix b/pkgs/development/libraries/sqlite/default.nix
index 6dc09ddd39f..4a10f912883 100644
--- a/pkgs/development/libraries/sqlite/default.nix
+++ b/pkgs/development/libraries/sqlite/default.nix
@@ -3,11 +3,11 @@
 assert interactive -> readline != null && ncurses != null;
 
 stdenv.mkDerivation {
- name = "sqlite-3.20.0";
+ name = "sqlite-3.20.1";
 
 src = fetchurl {
- url = "http://sqlite.org/2017/sqlite-autoconf-3200000.tar.gz";
- sha256 = "1876dapm1xx5aqd2d8l7ymmkd2z9rybh99rp5f5rd4zz57vcc51q";
+ url = "http://sqlite.org/2017/sqlite-autoconf-3200100.tar.gz";
+ sha256 = "0hh7jnxfwvs2qlvmjwrgkvxb8sk4x8hj04m54fq9h1xw55dmjrpc";
 };
 
 outputs = [ "bin" "dev" "out" ];

From 7b64943e8b731994eba1bdab48bc3479c5c0500c Mon Sep 17 00:00:00 2001
From: adisbladis
Date: Fri, 27 Oct 2017 12:05:19 +0800
Subject: [PATCH 11/25] util-linux: 2.30.2 -> 2.31

---
 pkgs/os-specific/linux/util-linux/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix
index 3d4309b7177..f54f3ab311a 100644
--- a/pkgs/os-specific/linux/util-linux/default.nix
+++ b/pkgs/os-specific/linux/util-linux/default.nix
@@ -4,15 +4,15 @@ let
 version = lib.concatStringsSep "." ([ majorVersion ] ++ lib.optional (patchVersion != "") patchVersion);
- majorVersion = "2.30";
- patchVersion = "2";
+ majorVersion = "2.31";
+ patchVersion = "";
 
 in stdenv.mkDerivation rec {
 name = "util-linux-${version}";
 
 src = fetchurl {
 url = "mirror://kernel/linux/utils/util-linux/v${majorVersion}/${name}.tar.xz";
- sha256 = "1p494mwd8v6p6mpmmjybkc7bz1qwp9x4cdi8hdvp2nwvkr4fanvv";
+ sha256 = "12nw108xjhm63sh2n5a0qs33vpvbvb6rln96l9j50p7wykf7rgpr";
 };
 
 patches = [

From 2da692dfc17a15cc18e9609889cfc38b991499c6 Mon Sep 17 00:00:00 2001
From: adisbladis
Date: Fri, 27 Oct 2017 12:01:29 +0800
Subject: [PATCH 12/25] unbound: 1.6.6 -> 1.6.7

---
 pkgs/tools/networking/unbound/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/tools/networking/unbound/default.nix b/pkgs/tools/networking/unbound/default.nix
index cb462a2cedd..b124352fd7b 100644
--- a/pkgs/tools/networking/unbound/default.nix
+++ b/pkgs/tools/networking/unbound/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
 name = "unbound-${version}";
- version = "1.6.6";
+ version = "1.6.7";
 
 src = fetchurl {
 url = "http://unbound.net/downloads/${name}.tar.gz";
- sha256 = "145kska9a63yf32y3jg91y5ikcmsb7qvbcm7a8k6fgh96gf18awp";
+ sha256 = "17qwfmlls0w9kpkya3dlpn44b3kr87wsswzg3gawc13hh8yx8ysf";
 };
 
 outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB

From 51ade421c4b9a703b8f66fd79fac9ef33e7241f6 Mon Sep 17 00:00:00 2001
From: mimadrid
Date: Sun, 29 Oct 2017 12:43:47 +0100
Subject: [PATCH 13/25] sqlite: 3.20.1 -> 3.21.0

---
 pkgs/development/libraries/sqlite/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/development/libraries/sqlite/default.nix b/pkgs/development/libraries/sqlite/default.nix
index 4a10f912883..0625183fb7d 100644
--- a/pkgs/development/libraries/sqlite/default.nix
+++ b/pkgs/development/libraries/sqlite/default.nix
@@ -3,11 +3,11 @@
 assert interactive -> readline != null && ncurses != null;
 
 stdenv.mkDerivation {
- name = "sqlite-3.20.1";
+ name = "sqlite-3.21.0";
 
 src = fetchurl {
- url = "http://sqlite.org/2017/sqlite-autoconf-3200100.tar.gz";
- sha256 = "0hh7jnxfwvs2qlvmjwrgkvxb8sk4x8hj04m54fq9h1xw55dmjrpc";
+ url = "http://sqlite.org/2017/sqlite-autoconf-3210000.tar.gz";
+ sha256 = "1qxvzdjwzw6k0kqjfabj86rnq87xdbwbca7laxxdhnh0fmkm3pfp";
 };
 
 outputs = [ "bin" "dev" "out" ];

From d266a456ab34b680261fa04bfb78b11a0bfb605f Mon Sep 17 00:00:00 2001
From: Tim Steinbach
Date: Mon, 30 Oct 2017 08:54:14 -0400
Subject: [PATCH 14/25] perl: 5.24.2 -> 5.24.3

---
 pkgs/development/interpreters/perl/default.nix | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/pkgs/development/interpreters/perl/default.nix b/pkgs/development/interpreters/perl/default.nix
index 5246c5b0e59..97e395d2a6d 100644
--- a/pkgs/development/interpreters/perl/default.nix
+++ b/pkgs/development/interpreters/perl/default.nix
@@ -116,9 +116,7 @@ let
 platforms = platforms.all;
 };
 };
-
 in rec {
-
 perl = perl524;
 
 perl522 = common {
@@ -127,8 +125,7 @@ in rec {
 };
 
 perl524 = common {
- version = "5.24.2";
- sha256 = "1x4yj814a79lcarwb3ab6bbcb36hvb5n4ph4zg3yb0nabsjfi6v0";
+ version = "5.24.3";
+ sha256 = "1m2px85kq2fyp2d4rx3bw9kg3car67qfqwrs5vlv96dx0x8rl06b";
 };
-
 }

From 119ebee6a4f66d4e623e058e897bdd5928ba478b Mon Sep 17 00:00:00 2001
From: Samuel Leathers
Date: Mon, 30 Oct 2017 13:25:31 +0100
Subject: [PATCH 15/25] pcre: 8.40 -> 8.41 (fixes multiple CVEs)

---
 .../libraries/pcre/CVE-2017-7186.patch | 52 ------------------------
 pkgs/development/libraries/pcre/default.nix | 6 +--
 2 files changed, 2 insertions(+), 56 deletions(-)
 delete mode 100644 pkgs/development/libraries/pcre/CVE-2017-7186.patch

diff --git a/pkgs/development/libraries/pcre/CVE-2017-7186.patch b/pkgs/development/libraries/pcre/CVE-2017-7186.patch
deleted file mode 100644
index e9e1997e47c..00000000000
--- a/pkgs/development/libraries/pcre/CVE-2017-7186.patch
+++ /dev/null
@@ -1,52 +0,0 @@ ---- a/pcre_internal.h 2016/05/21 13:34:44 1649 -+++ b/pcre_internal.h 2017/02/24 17:30:30 1688 -@@ -2772,6 +2772,9 @@ - extern const pcre_uint16 PRIV(ucd_stage2)[]; - extern const pcre_uint32 PRIV(ucp_gentype)[]; - extern const pcre_uint32 PRIV(ucp_gbtable)[]; -+#ifdef COMPILE_PCRE32 -+extern const ucd_record PRIV(dummy_ucd_record)[]; -+#endif - #ifdef SUPPORT_JIT - extern const int PRIV(ucp_typerange)[]; - #endif -@@ -2780,9 +2783,15 @@ - /* UCD access macros */ - - #define UCD_BLOCK_SIZE 128 --#define GET_UCD(ch) (PRIV(ucd_records) + \ -+#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \ - PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \ - UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE]) -+ -+#ifdef COMPILE_PCRE32 -+#define GET_UCD(ch) ((ch > 0x10ffff)? PRIV(dummy_ucd_record) : REAL_GET_UCD(ch)) -+#else -+#define GET_UCD(ch) REAL_GET_UCD(ch) -+#endif - - #define UCD_CHARTYPE(ch) GET_UCD(ch)->chartype - #define UCD_SCRIPT(ch) GET_UCD(ch)->script ---- a/pcre_ucd.c 2014/06/19 07:51:39 1490 -+++ b/pcre_ucd.c 2017/02/24 17:30:30 1688 -@@ -38,6 +38,20 @@ - const pcre_uint32 PRIV(ucd_caseless_sets)[] = {0}; - #else - -+/* If the 32-bit library is run in non-32-bit mode, character values -+greater than 0x10ffff may be encountered. For these we set up a -+special record. */ -+ -+#ifdef COMPILE_PCRE32 -+const ucd_record PRIV(dummy_ucd_record)[] = {{ -+ ucp_Common, /* script */ -+ ucp_Cn, /* type unassigned */ -+ ucp_gbOther, /* grapheme break property */ -+ 0, /* case set */ -+ 0, /* other case */ -+ }}; -+#endif -+ - /* When recompiling tables with a new Unicode version, please check the - types in this structure definition from pcre_internal.h (the actual - field names will be different): diff --git a/pkgs/development/libraries/pcre/default.nix b/pkgs/development/libraries/pcre/default.nix index d19410f735f..e6055151301 100644 --- a/pkgs/development/libraries/pcre/default.nix +++ b/pkgs/development/libraries/pcre/default.nix 
@@ -9,7 +9,7 @@ with stdenv.lib;
 assert elem variant [ null "cpp" "pcre16" "pcre32" ];
 
 let
- version = "8.40";
+ version = "8.41";
 pname = if (variant == null) then "pcre"
 else if (variant == "cpp") then "pcre-cpp"
 else variant;
@@ -19,7 +19,7 @@ in stdenv.mkDerivation rec {
 
 src = fetchurl {
 url = "ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-${version}.tar.bz2";
- sha256 = "1x7lpjn7jhk0n3sdvggxrlrhab8kkfjwl7qix0ypw9nlx8lpmqh0";
+ sha256 = "0c5m469p5pd7jip621ipq6hbgh7128lzh7xndllfgh77ban7wb76";
 };
 
 outputs = [ "bin" "dev" "out" "doc" "man" ];
@@ -31,8 +31,6 @@ in stdenv.mkDerivation rec {
 ] ++ optional (variant != null) "--enable-${variant}";
 
- patches = [ ./CVE-2017-7186.patch ];
-
 buildInputs = optional (hostPlatform.libc == "msvcrt") windows.mingw_w64_pthreads;
 
 doCheck = !(with hostPlatform; isCygwin || isFreeBSD) && hostPlatform == buildPlatform;

From 029522249bce9a5e217247a9a961f9931f4a79f1 Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia"
Date: Mon, 16 Oct 2017 15:09:23 +0200
Subject: [PATCH 16/25] gnumake: fix occasional hangs in parallel builds

https://savannah.gnu.org/bugs/?49014 https://savannah.gnu.org/bugs/?51159
---
 .../build-managers/gnumake/4.2/default.nix | 1 +
 .../build-managers/gnumake/4.2/pselect.patch | 170 ++++++++++++++++++
 2 files changed, 171 insertions(+)
 create mode 100644 pkgs/development/tools/build-managers/gnumake/4.2/pselect.patch

diff --git a/pkgs/development/tools/build-managers/gnumake/4.2/default.nix b/pkgs/development/tools/build-managers/gnumake/4.2/default.nix
index 253aadb86d7..7914d8ebb4f 100644
--- a/pkgs/development/tools/build-managers/gnumake/4.2/default.nix
+++ b/pkgs/development/tools/build-managers/gnumake/4.2/default.nix
@@ -19,6 +19,7 @@ stdenv.mkDerivation {
 # and /usr/lib. It's a stupid feature anyway. Likewise, when searching for
 # included Makefiles, don't look in /usr/include and friends.
 ./impure-dirs.patch
+ ./pselect.patch
 ];
 
 nativeBuildInputs = [ pkgconfig ];
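Review bot: Removing `patches = [ ./CVE-2017-7186.patch ];` leaves no record of why the local fix for the 32-bit `GET_UCD` lookup is gone; the commit title says 8.41 fixes multiple CVEs but names none, and the deleted patch file was the only place CVE-2017-7186 appeared in this package. If 8.41 carries the upstream r1688 change the deleted patch was taken from (worth confirming against the 8.41 ChangeLog rather than assuming), a comment next to `version = "8.41";` in the first hunk, `# 8.41 includes the upstream fix for CVE-2017-7186 (previously ./CVE-2017-7186.patch)`, keeps the link between the bump and the dropped patch visible.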
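Review bot: `./pselect.patch` is added without the explanatory comment its neighbour `./impure-dirs.patch` has, and it is a 170-line backport that changes how the jobserver reads tokens, so a reader of this file cannot tell whether it is safe to drop on the next gnumake bump. A comment above the new line, `# Fix occasional hangs in parallel builds (SV 49014, SV 51159); upstream commit b552b05, drop once a release includes it`, carries the references from the commit message into the file where the next updater will see them. The `patches` list starts above the hunk.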
diff --git a/pkgs/development/tools/build-managers/gnumake/4.2/pselect.patch b/pkgs/development/tools/build-managers/gnumake/4.2/pselect.patch
new file mode 100644
index 00000000000..5a03acb2f7c
--- /dev/null
+++ b/pkgs/development/tools/build-managers/gnumake/4.2/pselect.patch
@@ -0,0 +1,170 @@ +From b552b05251980f693c729e251f93f5225b400714 Mon Sep 17 00:00:00 2001 +From: Paul Smith +Date: Sat, 3 Jun 2017 16:20:51 -0400 +Subject: [SV 51159] Use a non-blocking read with pselect to avoid hangs. + +* posixos.c (set_blocking): Set blocking on a file descriptor. +(jobserver_setup): Set non-blocking on the jobserver read side. +(jobserver_parse_auth): Ditto. +(jobserver_acquire_all): Set blocking to avoid a busy-wait loop. +(jobserver_acquire): If the non-blocking read() returns without +taking a token then try again. +--- + posixos.c | 97 ++++++++++++++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 71 insertions(+), 26 deletions(-) + +diff --git posixos.c posixos.c +index e642d7f..dbafa51 100644 +--- posixos.c ++++ posixos.c +@@ -62,6 +62,24 @@ make_job_rfd (void) + #endif + } + ++static void ++set_blocking (int fd, int blocking) ++{ ++ // If we're not using pselect() don't change the blocking ++#ifdef HAVE_PSELECT ++ int flags; ++ EINTRLOOP (flags, fcntl (fd, F_GETFL)); ++ if (flags >= 0) ++ { ++ int r; ++ flags = blocking ? (flags & ~O_NONBLOCK) : (flags | O_NONBLOCK); ++ EINTRLOOP (r, fcntl (fd, F_SETFL, flags)); ++ if (r < 0) ++ pfatal_with_name ("fcntl(O_NONBLOCK)"); ++ } ++#endif ++} ++ + unsigned int + jobserver_setup (int slots) + { +@@ -86,6 +104,9 @@ jobserver_setup (int slots) + pfatal_with_name (_("init jobserver pipe")); + } + ++ /* When using pselect() we want the read to be non-blocking. */ ++ set_blocking (job_fds[0], 0); ++ + return 1; + } + +@@ -121,6 +142,9 @@ jobserver_parse_auth (const char *auth) + return 0; + } + ++ /* When using pselect() we want the read to be non-blocking. */ ++ set_blocking (job_fds[0], 0); ++ + return 1; + } + +@@ -169,7 +193,10 @@ jobserver_acquire_all (void) + { + unsigned int tokens = 0; + +- /* Close the write side, so the read() won't hang. */ ++ /* Use blocking reads to wait for all outstanding jobs. 
*/ ++ set_blocking (job_fds[0], 1); ++ ++ /* Close the write side, so the read() won't hang forever. */ + close (job_fds[1]); + job_fds[1] = -1; + +@@ -236,18 +263,12 @@ jobserver_pre_acquire (void) + unsigned int + jobserver_acquire (int timeout) + { +- sigset_t empty; +- fd_set readfds; + struct timespec spec; + struct timespec *specp = NULL; +- int r; +- char intake; ++ sigset_t empty; + + sigemptyset (&empty); + +- FD_ZERO (&readfds); +- FD_SET (job_fds[0], &readfds); +- + if (timeout) + { + /* Alarm after one second (is this too granular?) */ +@@ -256,28 +277,52 @@ jobserver_acquire (int timeout) + specp = &spec; + } + +- r = pselect (job_fds[0]+1, &readfds, NULL, NULL, specp, &empty); +- +- if (r == -1) ++ while (1) + { +- /* Better be SIGCHLD. */ +- if (errno != EINTR) +- pfatal_with_name (_("pselect jobs pipe")); +- return 0; +- } ++ fd_set readfds; ++ int r; ++ char intake; + +- if (r == 0) +- /* Timeout. */ +- return 0; ++ FD_ZERO (&readfds); ++ FD_SET (job_fds[0], &readfds); + +- /* The read FD is ready: read it! */ +- EINTRLOOP (r, read (job_fds[0], &intake, 1)); +- if (r < 0) +- pfatal_with_name (_("read jobs pipe")); ++ r = pselect (job_fds[0]+1, &readfds, NULL, NULL, specp, &empty); ++ if (r < 0) ++ switch (errno) ++ { ++ case EINTR: ++ /* SIGCHLD will show up as an EINTR. */ ++ return 0; ++ ++ case EBADF: ++ /* Someone closed the jobs pipe. ++ That shouldn't happen but if it does we're done. */ ++ O (fatal, NILF, _("job server shut down")); + +- /* What does it mean if read() returns 0? It shouldn't happen because only +- the master make can reap all the tokens and close the write side...?? */ +- return r > 0; ++ default: ++ pfatal_with_name (_("pselect jobs pipe")); ++ } ++ ++ if (r == 0) ++ /* Timeout. */ ++ return 0; ++ ++ /* The read FD is ready: read it! This is non-blocking. */ ++ EINTRLOOP (r, read (job_fds[0], &intake, 1)); ++ ++ if (r < 0) ++ { ++ /* Someone sniped our token! Try again. 
*/ ++ if (errno == EAGAIN) ++ continue; ++ ++ pfatal_with_name (_("read jobs pipe")); ++ } ++ ++ /* read() should never return 0: only the master make can reap all the ++ tokens and close the write side...?? */ ++ return r > 0; ++ } + } + + #else +-- +cgit v1.0-41-gc330 + From c3255fe8ec326d2c8fe9462d49ed83aa64d3e68f Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 30 Oct 2017 17:17:07 +0100 Subject: [PATCH 17/25] fetchzip and friends: Set "name" to "source" by default This makes them produce the same store paths as builtins.fetchgit, builtins.fetchTarball etc. See https://github.com/NixOS/nix/commit/65b5f177b5fbb1b0778ede047a13a3cee9c59cfe. --- pkgs/build-support/fetchgit/gitrepotoname.nix | 19 ------------------- pkgs/build-support/fetchzip/default.nix | 3 ++- pkgs/top-level/all-packages.nix | 12 +++++------- 3 files changed, 7 insertions(+), 27 deletions(-) delete mode 100644 pkgs/build-support/fetchgit/gitrepotoname.nix diff --git a/pkgs/build-support/fetchgit/gitrepotoname.nix b/pkgs/build-support/fetchgit/gitrepotoname.nix deleted file mode 100644 index 90005b54569..00000000000 --- a/pkgs/build-support/fetchgit/gitrepotoname.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ lib }: - -let - inherit (lib) removeSuffix hasPrefix removePrefix splitString stringToCharacters concatMapStrings last elem; - - allowedChars = stringToCharacters "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-._?="; - sanitizeStoreName = s: - let - s' = concatMapStrings (c: if elem c allowedChars then c else "") (stringToCharacters s); - s'' = if hasPrefix "." s' then "_${removePrefix "." s'}" else s'; - in - s''; -in - urlOrRepo: rev: - let - repo' = last (splitString ":" (baseNameOf (removeSuffix ".git" (removeSuffix "/" urlOrRepo)))); - rev' = baseNameOf rev; - in - "${sanitizeStoreName repo'}-${sanitizeStoreName rev'}-src" diff --git a/pkgs/build-support/fetchzip/default.nix b/pkgs/build-support/fetchzip/default.nix index 751dba56930..4a5381d71f2 100644 
--- a/pkgs/build-support/fetchzip/default.nix +++ b/pkgs/build-support/fetchzip/default.nix @@ -11,10 +11,11 @@ stripRoot ? true , url , extraPostFetch ? "" +, name ? "source" , ... } @ args: lib.overrideDerivation (fetchurl ({ - name = args.name or (baseNameOf url); + inherit name; recursiveHash = true; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 69f1dfc88a4..7295ce09c23 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -195,10 +195,8 @@ with pkgs; fetchzip = callPackage ../build-support/fetchzip { }; - gitRepoToName = callPackage ../build-support/fetchgit/gitrepotoname.nix { }; - fetchFromGitHub = { - owner, repo, rev, name ? gitRepoToName repo rev, + owner, repo, rev, name ? "source", fetchSubmodules ? false, private ? false, githubBase ? "github.com", varPrefix ? null, ... # For hash agility @@ -231,7 +229,7 @@ with pkgs; in fetcher fetcherArgs // { meta.homepage = baseUrl; inherit rev; }; fetchFromBitbucket = { - owner, repo, rev, name ? gitRepoToName repo rev, + owner, repo, rev, name ? "source", ... # For hash agility }@args: fetchzip ({ inherit name; @@ -242,7 +240,7 @@ with pkgs; # cgit example, snapshot support is optional in cgit fetchFromSavannah = { - repo, rev, name ? gitRepoToName repo rev, + repo, rev, name ? "source", ... # For hash agility }@args: fetchzip ({ inherit name; @@ -252,7 +250,7 @@ with pkgs; # gitlab example fetchFromGitLab = { - owner, repo, rev, name ? gitRepoToName repo rev, + owner, repo, rev, name ? "source", ... # For hash agility }@args: fetchzip ({ inherit name; @@ -262,7 +260,7 @@ with pkgs; # gitweb example, snapshot support is optional in gitweb fetchFromRepoOrCz = { - repo, rev, name ? gitRepoToName repo rev, + repo, rev, name ? "source", ... # For hash agility }@args: fetchzip ({ inherit name; From 5d41dda02db3f538fb253056575c151192d4ce41 Mon Sep 17 00:00:00 2001 
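Review bot: The `@@ -195,10 +195,8 @@` hunk in all-packages.nix removes the top-level `gitRepoToName` binding outright, so any remaining in-tree caller or out-of-tree expression referencing `pkgs.gitRepoToName` now fails with an undefined-variable error at evaluation time. Consider keeping a deprecated alias for one release (one that emits a warning and returns `"source"`) instead of deleting the attribute in the same commit that deletes the file. The fetchzip hunk is internally consistent: with `name ? "source"` declared, `inherit name;` replaces the old `args.name or (baseNameOf url)` fallback, and only callers that pass `name` explicitly keep URL-derived store names.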
From: Tim Steinbach Date: Mon, 30 Oct 2017 08:40:48 -0400 Subject: [PATCH 18/25] cyrus_sasl: Fix CVE-2013-4122 --- pkgs/development/libraries/cyrus-sasl/default.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pkgs/development/libraries/cyrus-sasl/default.nix b/pkgs/development/libraries/cyrus-sasl/default.nix index 5dbf134cf45..68398e93764 100644 --- a/pkgs/development/libraries/cyrus-sasl/default.nix +++ b/pkgs/development/libraries/cyrus-sasl/default.nix @@ -1,4 +1,5 @@ -{ lib, stdenv, fetchurl, openssl, openldap, kerberos, db, gettext, pam, fixDarwinDylibNames, autoreconfHook, enableLdap ? false }: +{ lib, stdenv, fetchurl, openssl, openldap, kerberos, db, gettext, + pam, fixDarwinDylibNames, autoreconfHook, fetchpatch, enableLdap ? false }: with stdenv.lib; stdenv.mkDerivation rec { @@ -21,6 +22,10 @@ stdenv.mkDerivation rec { patches = [ ./missing-size_t.patch # https://bugzilla.redhat.com/show_bug.cgi?id=906519 + (fetchpatch { # CVE-2013-4122 + url = "http://sourceforge.net/projects/miscellaneouspa/files/glibc217/cyrus-sasl-2.1.26-glibc217-crypt.diff"; + sha256 = "05l7dh1w9d5fvzg0pjwzqh0fy4ah8y5cv6v67s4ssbq8xwd4pkf2"; + }) ] ++ lib.optional stdenv.isFreeBSD ( fetchurl { url = "http://www.linuxfromscratch.org/patches/blfs/svn/cyrus-sasl-2.1.26-fixes-3.patch"; From d76572fa89094119ce284d698957680b461a887b Mon Sep 17 00:00:00 2001 From: adisbladis Date: Tue, 31 Oct 2017 02:17:02 +0800 Subject: [PATCH 19/25] libarchive: Fixes for CVE-2017-14166 and CVE-2017-14502 --- .../libraries/libarchive/CVE-2017-14166.patch | 36 +++++++++++++++++++ .../libraries/libarchive/CVE-2017-14502.patch | 28 +++++++++++++++ .../libraries/libarchive/default.nix | 5 +++ 3 files changed, 69 insertions(+) create mode 100644 pkgs/development/libraries/libarchive/CVE-2017-14166.patch create mode 100644 pkgs/development/libraries/libarchive/CVE-2017-14502.patch 
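Review bot: The `fetchpatch` added in the `patches` hunk pulls the CVE-2013-4122 fix from a third-party SourceForge project (`miscellaneouspa`) over plain `http://`. The `sha256` pin makes the download integrity-checked, so this is not a supply-chain hole, but the provenance is opaque: the file does not say which upstream cyrus-sasl change this mirrors, and the filename only suggests the glibc 2.17 `crypt()` issue. Suggest extending the comment once checked, e.g. `# CVE-2013-4122: crypt() NULL-return fix, mirrors upstream <commit placeholder>`, and preferring an `https://` URL if the host serves one.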
diff --git a/pkgs/development/libraries/libarchive/CVE-2017-14166.patch b/pkgs/development/libraries/libarchive/CVE-2017-14166.patch new file mode 100644 index 00000000000..b729ae41e0a --- /dev/null +++ b/pkgs/development/libraries/libarchive/CVE-2017-14166.patch @@ -0,0 +1,36 @@ +From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001 +From: Joerg Sonnenberger +Date: Tue, 5 Sep 2017 18:12:19 +0200 +Subject: [PATCH] Do something sensible for empty strings to make fuzzers + happy. + +--- + libarchive/archive_read_support_format_xar.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c +index 7a22beb9d..93eeacc5e 100644 +--- a/libarchive/archive_read_support_format_xar.c ++++ b/libarchive/archive_read_support_format_xar.c +@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt) + uint64_t l; + int digit; + ++ if (char_cnt == 0) ++ return (0); ++ + l = 0; + digit = *p - '0'; + while (digit >= 0 && digit < 10 && char_cnt-- > 0) { +@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt) + { + int64_t l; + int digit; +- ++ ++ if (char_cnt == 0) ++ return (0); ++ + l = 0; + while (char_cnt-- > 0) { + if (*p >= '0' && *p <= '7') diff --git a/pkgs/development/libraries/libarchive/CVE-2017-14502.patch b/pkgs/development/libraries/libarchive/CVE-2017-14502.patch new file mode 100644 index 00000000000..dad8a93a8a8 --- /dev/null +++ b/pkgs/development/libraries/libarchive/CVE-2017-14502.patch 
@@ -0,0 +1,28 @@ +From 5562545b5562f6d12a4ef991fae158bf4ccf92b6 Mon Sep 17 00:00:00 2001 +From: Joerg Sonnenberger +Date: Sat, 9 Sep 2017 17:47:32 +0200 +Subject: [PATCH] Avoid a read off-by-one error for UTF16 names in RAR + archives. + +Reported-By: OSS-Fuzz issue 573 +--- + libarchive/archive_read_support_format_rar.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index cbb14c32d..751de6979 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -1496,7 +1496,11 @@ read_header(struct archive_read *a, struct archive_entry *entry, + return (ARCHIVE_FATAL); + } + filename[filename_size++] = '\0'; +- filename[filename_size++] = '\0'; ++ /* ++ * Do not increment filename_size here as the computations below ++ * add the space for the terminating NUL explicitly. ++ */ ++ filename[filename_size] = '\0'; + + /* Decoded unicode form is UTF-16BE, so we have to update a string + * conversion object for it. */ diff --git a/pkgs/development/libraries/libarchive/default.nix b/pkgs/development/libraries/libarchive/default.nix index fb1faf8d1b1..e0242802fd3 100644 --- a/pkgs/development/libraries/libarchive/default.nix +++ b/pkgs/development/libraries/libarchive/default.nix @@ -17,6 +17,11 @@ stdenv.mkDerivation rec { sha256 = "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd"; }; + patches = [ + ./CVE-2017-14166.patch + ./CVE-2017-14502.patch + ]; + outputs = [ "out" "lib" "dev" ]; nativeBuildInputs = [ pkgconfig ]; From 41267f612f2930ef989a28c2bfa9f882d9ec56c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 30 Oct 2017 22:35:54 +0100 Subject: [PATCH 20/25] mesa: maintenance 17.2.2 -> 17.2.4 --- pkgs/development/libraries/mesa/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
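Review bot: The new `patches = [ ./CVE-2017-14166.patch ./CVE-2017-14502.patch ];` in libarchive/default.nix carries no provenance, although both patch files embed their upstream commit ids (`fa7438a0ff4033e4741c807394a9af6207940d71` and `5562545b5562f6d12a4ef991fae158bf4ccf92b6`). Suggest annotating each entry, e.g. `./CVE-2017-14166.patch # upstream fa7438a0ff40: xar atol10/atol8 on empty strings` and `./CVE-2017-14502.patch # upstream 5562545b5562: RAR UTF-16 name off-by-one`, so the entries can be dropped confidently when a libarchive release includes them.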
diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix index 0fde0192726..fe34a8bb88f 100644 --- a/pkgs/development/libraries/mesa/default.nix +++ b/pkgs/development/libraries/mesa/default.nix @@ -66,7 +66,7 @@ let in let - version = "17.2.2"; + version = "17.2.4"; branch = head (splitString "." version); driverLink = "/run/opengl-driver" + optionalString stdenv.isi686 "-32"; in @@ -81,7 +81,7 @@ stdenv.mkDerivation { "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz" "https://launchpad.net/mesa/trunk/${version}/+download/mesa-${version}.tar.xz" ]; - sha256 = "10jplvxg7rlbp7569w08z0igwlsjjfb7q3n07zgfr8d5sr224lng"; + sha256 = "0l75q9l4g15y66rqk2swqvj18qj60hpimv0f97jk44bfrpz0i92v"; }; prePatch = "patchShebangs ."; From ea6a4068cf89444accdd079accfd7c26eff63e8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Domen=20Ko=C5=BEar?= Date: Mon, 30 Oct 2017 23:33:20 +0000 Subject: [PATCH 21/25] darwin: build apple stuff in parallel --- pkgs/os-specific/darwin/apple-source-releases/default.nix | 6 +++++- .../darwin/apple-source-releases/xnu/default.nix | 4 ---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix index 0e838994887..965632b5788 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix @@ -144,6 +144,10 @@ let appleDerivation_ = name: version: sha256: attrs: stdenv.mkDerivation ({ inherit version; name = "${name}-${version}"; + enableParallelBuilding = true; + meta = { + platforms = stdenv.lib.platforms.darwin; + }; } // (if attrs ? srcs then {} else { src = fetchApple version sha256 name; }) // attrs); 
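Review bot: In the `appleDerivation_` hunk, `meta = { platforms = ...; }` sits in the base set before `// attrs`, and `//` is a shallow merge, so any Apple package that passes its own `meta` (say, with a `description`) replaces the whole attribute and silently loses `platforms`. The xnu hunk in this commit removes that file's own `meta` block, which is consistent with this, but any other package that keeps a `meta` would not get the default. To apply the default to every package, merge it after `attrs`: `} // (if attrs ? srcs then {} else { src = fetchApple version sha256 name; }) // attrs // {` followed by `meta = { platforms = stdenv.lib.platforms.darwin; } // (attrs.meta or {}); });`. `enableParallelBuilding = true` can still be overridden per package because `attrs` is merged last.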
@@ -153,7 +157,7 @@ let name = builtins.elemAt (stdenv.lib.splitString "/" namePath) 0; appleDerivation = appleDerivation_ name version sha256; callPackage = pkgs.newScope (packages // pkgs.darwin // { inherit appleDerivation name version; }); - in callPackage (./. + builtins.toPath "/${namePath}"); + in callPackage (./. + "/${namePath}"); libsecPackage = pkgs.callPackage ./libsecurity_generic { inherit applePackage appleDerivation_; diff --git a/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix b/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix index fd0d00d81cf..0ce9c54e48c 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix @@ -127,8 +127,4 @@ appleDerivation { mkdir $out/Library/PrivateFrameworks mv $out/Library/Frameworks/IOKit.framework $out/Library/PrivateFrameworks ''; - - meta = { - platforms = stdenv.lib.platforms.darwin; - }; } From 5618691751b6a0151d22a436622616545981472b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 31 Oct 2017 11:25:56 +0100 Subject: [PATCH 22/25] perl-DBD-SQLite: 1.50 -> 1.54 - This fixes tests after sqlite update, also tested via nixStable and via building some other perl reverse dependencies. - The patch was conflicting due to upstream changes, but those changes allowed us to minimize the patch. - meta from nix-generate-from-cpan /cc #30927. --- .../perl-modules/DBD-SQLite/default.nix | 19 +++++----- .../DBD-SQLite/external-sqlite.patch | 36 ++++--------------- 2 files changed, 18 insertions(+), 37 deletions(-) diff --git a/pkgs/development/perl-modules/DBD-SQLite/default.nix b/pkgs/development/perl-modules/DBD-SQLite/default.nix index bf3089ebfb9..a2a439b295b 100644 --- a/pkgs/development/perl-modules/DBD-SQLite/default.nix +++ b/pkgs/development/perl-modules/DBD-SQLite/default.nix 
@@ -1,25 +1,24 @@ { stdenv, fetchurl, buildPerlPackage, DBI, sqlite }: buildPerlPackage rec { - name = "DBD-SQLite-1.50"; + name = "DBD-SQLite-${version}"; + version = "1.54"; src = fetchurl { url = "mirror://cpan/authors/id/I/IS/ISHIGAKI/${name}.tar.gz"; - sha256 = "1qcw2nzla03ywrl6mx1qklvbc8n5bn4gxqbjnvadfkwlffmi7i9s"; + sha256 = "3929a6dbd8d71630f0cb57f85dcef9588cd7ac4c9fa12db79df77b9d3a4d7269"; }; propagatedBuildInputs = [ DBI ]; - - makeMakerFlags = "SQLITE_LOCATION=${sqlite.dev}"; + buildInputs = [ sqlite ]; patches = [ # Support building against our own sqlite. ./external-sqlite.patch ]; - sqlite_dev = sqlite.dev; - sqlite_out = sqlite.out; - postPatch = "substituteAllInPlace Makefile.PL; cat Makefile.PL"; + SQLITE_INC = sqlite.dev + "/include"; + SQLITE_LIB = sqlite.out + "/lib"; preBuild = '' @@ -39,5 +38,9 @@ buildPerlPackage rec { # (e.g. "database is locked(5) at dbdimp.c line 402 at t/07busy.t"). #doCheck = false; - meta.platforms = stdenv.lib.platforms.unix; + meta = with stdenv.lib; { + description = "Self Contained SQLite RDBMS in a DBI Driver"; + license = with licenses; [ artistic1 gpl1Plus ]; + platforms = platforms.unix; + }; } diff --git a/pkgs/development/perl-modules/DBD-SQLite/external-sqlite.patch b/pkgs/development/perl-modules/DBD-SQLite/external-sqlite.patch index 1f90546b252..5aafa461d94 100644 --- a/pkgs/development/perl-modules/DBD-SQLite/external-sqlite.patch +++ b/pkgs/development/perl-modules/DBD-SQLite/external-sqlite.patch 
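Review bot: The new `sha256` in the `src` block is a 64-character hex digest, while the line it replaces and every other hash in this series is Nix base32; Nix accepts both, but mixing forms makes prefetch output harder to compare against the file. Consider converting it with `nix-hash --to-base32 --type sha256 <hex>` for consistency. `SQLITE_INC` and `SQLITE_LIB` are set as plain derivation attributes, presumably read from the environment by Makefile.PL; a one-line comment (`# read by Makefile.PL when it looks for an external sqlite`) would make the link to the shrunken `external-sqlite.patch` explicit.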
@@ -1,33 +1,11 @@ -diff --git a/Makefile.PL b/Makefile.PL -index 606b28d..0cea060 100644 ---- a/Makefile.PL -+++ b/Makefile.PL -@@ -128,24 +128,10 @@ SCOPE: { - # the system SQLite. We expect that anyone sophisticated enough to use +--- a/Makefile.PL 2016-04-21 15:44:34.000000000 +0200 ++++ b/Makefile.PL 2017-10-31 11:04:28.389959946 +0100 +@@ -129,7 +129,7 @@ # a system sqlite is also sophisticated enough to have a patching system # that can change the if ( 0 ) to if ( 1 ) --my ($sqlite_local, $sqlite_base, $sqlite_lib, $sqlite_inc); + my ($sqlite_local, $sqlite_base, $sqlite_lib, $sqlite_inc); -if ( 0 ) { -- require File::Spec; -- if ( $sqlite_base = (grep(/SQLITE_LOCATION=.*/, @ARGV))[0] ) { -- $sqlite_base =~ /=(.*)/; -- $sqlite_base = $1; -- $sqlite_lib = File::Spec->catdir( $sqlite_base, 'lib' ); -- $sqlite_inc = File::Spec->catdir( $sqlite_base, 'include' ); -- } -- if ( $sqlite_local = (grep(/USE_LOCAL_SQLITE=.*/, @ARGV))[0] ) { -- $sqlite_local =~ /=(.*)/; -- $sqlite_local = "$1" ? 1 : 0; -- if ( $sqlite_local ) { -- # Keep these from making into CFLAGS/LDFLAGS -- undef $sqlite_lib; -- undef $sqlite_inc; -- } -- } -+my ($sqlite_local, $sqlite_lib, $sqlite_inc); +if ( 1 ) { -+ $sqlite_lib = '@sqlite_out@/lib'; -+ $sqlite_inc = '@sqlite_dev@/include'; - - # Now check for a compatible sqlite3 - unless ( $sqlite_local ) { + require File::Spec; + if ( $sqlite_base = (grep(/SQLITE_LOCATION=.*/, @ARGV))[0] ) { + $sqlite_base =~ /=(.*)/; From fe83d911577dce6a3ed35a30332cb699dd9438d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 31 Oct 2017 19:39:07 +0100 Subject: [PATCH 23/25] rustc: disable a test failing on Hydra repeatedly The problem doesn't happen for me locally, but on Hydra we tend to experience more flakiness in networking tests. --- pkgs/development/compilers/rust/rustc.nix | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/pkgs/development/compilers/rust/rustc.nix b/pkgs/development/compilers/rust/rustc.nix index 6eb160add26..a113f5db480 100644 --- a/pkgs/development/compilers/rust/rustc.nix +++ b/pkgs/development/compilers/rust/rustc.nix @@ -85,6 +85,9 @@ stdenv.mkDerivation { # https://reviews.llvm.org/rL281650 rm -vr src/test/run-pass/issue-36474.rs || true + # On Hydra: `TcpListener::bind(&addr)`: Address already in use (os error 98)' + sed '/^ *fn fast_rebind()/i#[ignore]' -i src/libstd/net/tcp.rs + # Disable some failing gdb tests. Try re-enabling these when gdb # is updated past version 7.12. rm src/test/debuginfo/basic-types-globals.rs From 732057238787f1ed5769d7946525834b7999b269 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Wed, 1 Nov 2017 07:40:49 +0100 Subject: [PATCH 24/25] closure-info: half-blind attempt to fix on Hydra I'm not sure why these started to block channel several days ago. I've been unable to reproduce the failures locally. --- pkgs/build-support/closure-info.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/build-support/closure-info.nix b/pkgs/build-support/closure-info.nix index f1b0930cdcf..537cc1fbb75 100644 --- a/pkgs/build-support/closure-info.nix +++ b/pkgs/build-support/closure-info.nix @@ -19,7 +19,7 @@ if builtins.langVersion >= 5 then exportReferencesGraph.closure = rootPaths; - PATH = "${coreutils}/bin:${jq}/bin"; + nativeBuildInputs = [ jq ]; builder = builtins.toFile "builder" '' From c4be15a83b95b882357990488a7c8ccd47feb94b Mon Sep 17 00:00:00 2001 
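Review bot: The added `sed '/^ *fn fast_rebind()/i#[ignore]' -i src/libstd/net/tcp.rs` silently does nothing if the pattern stops matching (the test is moved or renamed on the next rustc bump), so the flaky test would quietly come back on Hydra. Guard it so the build fails loudly instead: `grep -q '^ *fn fast_rebind()' src/libstd/net/tcp.rs` on the line before the `sed`. The enclosing shell-string hook starts and ends outside this hunk.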
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Wed, 1 Nov 2017 08:07:15 +0100 Subject: [PATCH 25/25] closure-info: another half-blind attempt to fix on Hydra The previous one was very bad and worsened the situation. But even running with some nix-1.12 I'm unable to reproduce the original failure. Let's unblock channels for now. --- pkgs/build-support/closure-info.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pkgs/build-support/closure-info.nix b/pkgs/build-support/closure-info.nix index 537cc1fbb75..4d178ac96c5 100644 --- a/pkgs/build-support/closure-info.nix +++ b/pkgs/build-support/closure-info.nix @@ -8,7 +8,10 @@ { rootPaths }: -if builtins.langVersion >= 5 then +#if builtins.langVersion >= 5 then +# FIXME: it doesn't work on Hydra, failing to find mkdir; +# perhaps .attrs.sh clobbers PATH with new nix? +if false then # Nix >= 1.12: Include NAR hash / size info. @@ -19,7 +22,7 @@ if builtins.langVersion >= 5 then exportReferencesGraph.closure = rootPaths; - nativeBuildInputs = [ jq ]; + PATH = "${coreutils}/bin:${jq}/bin"; builder = builtins.toFile "builder" ''