From 72f441d0904d4cd87dbe2110b531880178dee088 Mon Sep 17 00:00:00 2001
From: Stefan Huchler <stefan.huchler@mail.de>
Date: Wed, 25 Oct 2017 13:28:41 +0200
Subject: [PATCH 1/9] kodi: downgrades kodiPlugin.joystick to compatible
 version 1.3.2

---
 pkgs/applications/video/kodi/plugins.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/applications/video/kodi/plugins.nix b/pkgs/applications/video/kodi/plugins.nix
index e98500f8e76..52c39e837a1 100644
--- a/pkgs/applications/video/kodi/plugins.nix
+++ b/pkgs/applications/video/kodi/plugins.nix
@@ -149,14 +149,14 @@ rec {
 
   joystick = mkKodiABIPlugin rec {
     namespace = "peripheral.joystick";
-    version = "1.3.6";
+    version = "1.3.2";
     plugin = namespace;
 
     src = fetchFromGitHub {
       owner = "kodi-game";
       repo = namespace;
-      rev = "5b480ccdd4a87f2ca3283a7b8d1bd69a114af0db";
-      sha256 = "1zf5zwghx96bqk7bx53qra27lfbgfdi1dsk4s3hwixr8ii72cqpp";
+      rev = "96171dd32899553ffe8fc775fca66e8df5ff5cf1";
+      sha256 = "18m61v8z9fbh4imvzhh4g9629r9df49g2yk9ycaczirg131dhfbh";
     };
 
     meta = with stdenv.lib; {

From 2492f4556590e0565bcbf3cebb38b1b99b89f1c3 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold <andreas@rammhold.de>
Date: Tue, 28 Nov 2017 00:14:05 +0100
Subject: [PATCH 2/9] ffmpeg-3.4: apply fix CVE CVE-2017-16840

Details at [1].

[1] http://git.videolan.org/?p=ffmpeg.git;a=commit;h=a94cb36ab2ad99d3a1331c9f91831ef593d94f74
---
 pkgs/development/libraries/ffmpeg/3.4.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/libraries/ffmpeg/3.4.nix b/pkgs/development/libraries/ffmpeg/3.4.nix
index 513654e98f7..9890d030e44 100644
--- a/pkgs/development/libraries/ffmpeg/3.4.nix
+++ b/pkgs/development/libraries/ffmpeg/3.4.nix
@@ -1,4 +1,4 @@
-{ stdenv, callPackage
+{ stdenv, callPackage, fetchpatch
 # Darwin frameworks
 , Cocoa, CoreMedia
 , ...
@@ -9,4 +9,13 @@ callPackage ./generic.nix (args // rec {
   branch = "3.4";
   sha256 = "0pn8g3ab937ahslqd41crk0g4j4fh7kwimsrlfc0rl0pc3z132ax";
   darwinFrameworks = [ Cocoa CoreMedia ];
+
+  patches = [
+    (fetchpatch{
+      name = "CVE-2017-16840.patch";
+      url = "http://git.videolan.org/?p=ffmpeg.git;a=patch;h=a94cb36ab2ad99d3a1331c9f91831ef593d94f74";
+      sha256 = "1rjr9lc71cyy43wsa2zxb9ygya292h9jflvr5wk61nf0vp97gjg3";
+    })
+  ];
+
 })

From 64d8cc7fc4e1509bf63cd81838b633428c09de98 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold <andreas@rammhold.de>
Date: Tue, 28 Nov 2017 00:24:02 +0100
Subject: [PATCH 3/9] ffmpeg-full-3.4: apply patch for CVE-2017-16840

---
 pkgs/development/libraries/ffmpeg-full/default.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/libraries/ffmpeg-full/default.nix b/pkgs/development/libraries/ffmpeg-full/default.nix
index b50025aa108..3fb131068da 100644
--- a/pkgs/development/libraries/ffmpeg-full/default.nix
+++ b/pkgs/development/libraries/ffmpeg-full/default.nix
@@ -238,7 +238,15 @@ stdenv.mkDerivation rec {
     sha256 = "1vzvpx8ixy8m44f8qwp833hv253hpghybgzbc4n8b3div3j0dvmf";
   };
 
-  patchPhase = ''patchShebangs .
+  patchPhase = let
+    cve_2017_16840_patch = (fetchurl{
+      name = "CVE-2017-16840.patch";
+      url = "http://git.videolan.org/?p=ffmpeg.git;a=patch;h=a94cb36ab2ad99d3a1331c9f91831ef593d94f74";
+      sha256 = "1rjr9lc71cyy43wsa2zxb9ygya292h9jflvr5wk61nf0vp97gjg3";
+    });
+  in
+  '' patch -p1 < ${cve_2017_16840_patch}
+     patchShebangs .
   '' + stdenv.lib.optionalString stdenv.isDarwin ''
     sed -i 's/#ifndef __MAC_10_11/#if 1/' ./libavcodec/audiotoolboxdec.c
   '' + stdenv.lib.optionalString (frei0r != null) ''

From fe1f2285803fb5da7a4f265822fd34987b30e279 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold <andreas@rammhold.de>
Date: Tue, 28 Nov 2017 00:24:02 +0100
Subject: [PATCH 4/9] ffmpeg-full-3.4: apply patch for CVE-2017-16840

---
 pkgs/development/libraries/ffmpeg-full/default.nix | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/ffmpeg-full/default.nix b/pkgs/development/libraries/ffmpeg-full/default.nix
index b50025aa108..41e863d4512 100644
--- a/pkgs/development/libraries/ffmpeg-full/default.nix
+++ b/pkgs/development/libraries/ffmpeg-full/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, perl, texinfo, yasm
+{ stdenv, fetchurl, fetchpatch, pkgconfig, perl, texinfo, yasm
 , hostPlatform
 /*
  *  Licensing options (yes some are listed twice, filters and such are not listed)
@@ -238,7 +238,16 @@ stdenv.mkDerivation rec {
     sha256 = "1vzvpx8ixy8m44f8qwp833hv253hpghybgzbc4n8b3div3j0dvmf";
   };
 
-  patchPhase = ''patchShebangs .
+  patches = [
+    (fetchurl {
+      name = "CVE-2017-16840.patch";
+      url = "http://git.videolan.org/?p=ffmpeg.git;a=patch;h=a94cb36ab2ad99d3a1331c9f91831ef593d94f74";
+      sha256 = "0zx0vh110hrykk7j863j04bx6igm2q8dlkv25mf5g4rbxafpqig3";
+    })
+  ];
+
+  prePatch = ''
+    patchShebangs .
   '' + stdenv.lib.optionalString stdenv.isDarwin ''
     sed -i 's/#ifndef __MAC_10_11/#if 1/' ./libavcodec/audiotoolboxdec.c
   '' + stdenv.lib.optionalString (frei0r != null) ''

From c06c2cda5105b51056a6d0921ab9567f673ed337 Mon Sep 17 00:00:00 2001
From: Orivej Desh <orivej@gmx.fr>
Date: Tue, 28 Nov 2017 17:57:38 +0000
Subject: [PATCH 5/9] git-up: mark as broken

---
 pkgs/applications/version-management/git-up/default.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkgs/applications/version-management/git-up/default.nix b/pkgs/applications/version-management/git-up/default.nix
index 4b6ba9398b4..45c97868c4b 100644
--- a/pkgs/applications/version-management/git-up/default.nix
+++ b/pkgs/applications/version-management/git-up/default.nix
@@ -31,5 +31,6 @@ python2Packages.buildPythonApplication rec {
     license = licenses.mit;
     maintainers = with maintainers; [ peterhoeg ];
     platforms = platforms.all;
+    broken = true; # Incompatible with Git 2.15 object store.
   };
 }

From 6c60c6ec3b1f08b970a1d7c3f16c04ca1804329c Mon Sep 17 00:00:00 2001
From: Orivej Desh <orivej@gmx.fr>
Date: Tue, 28 Nov 2017 18:11:06 +0000
Subject: [PATCH 6/9] snabb: disable parallel building

https://hydra.nixos.org/build/64827817
---
 pkgs/tools/networking/snabb/default.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pkgs/tools/networking/snabb/default.nix b/pkgs/tools/networking/snabb/default.nix
index 3b405561ef9..f3baddd2653 100644
--- a/pkgs/tools/networking/snabb/default.nix
+++ b/pkgs/tools/networking/snabb/default.nix
@@ -31,7 +31,9 @@ stdenv.mkDerivation rec {
     cp src/snabb $out/bin
   '';
 
-  enableParallelBuilding = true;
+  # Dependencies are underspecified: "make -C src obj/arch/sse2_c.o" fails with
+  # "Fatal error: can't create obj/arch/sse2_c.o: No such file or directory".
+  enableParallelBuilding = false;
 
   meta = with stdenv.lib; {
     homepage = https://github.com/SnabbCo/snabbswitch;
@@ -49,4 +51,3 @@ stdenv.mkDerivation rec {
     maintainers = [ maintainers.lukego maintainers.domenkozar ];
   };
 }
-

From fb6f2048139aa2bbff04b5d28cc19cdce844477f Mon Sep 17 00:00:00 2001
From: dywedir <dywedir@protonmail.ch>
Date: Tue, 28 Nov 2017 20:28:43 +0200
Subject: [PATCH 7/9] ocamlPackages.reason: 3.0.2 -> 3.0.3

---
 pkgs/development/compilers/reason/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/development/compilers/reason/default.nix b/pkgs/development/compilers/reason/default.nix
index f3ae4036a2a..54d39d8fa63 100644
--- a/pkgs/development/compilers/reason/default.nix
+++ b/pkgs/development/compilers/reason/default.nix
@@ -3,13 +3,13 @@
 
 buildOcaml rec {
   name = "reason";
-  version = "3.0.2";
+  version = "3.0.3";
 
   src = fetchFromGitHub {
     owner = "facebook";
     repo = "reason";
-    rev = "v${version}";
-    sha256 = "1rpaazy0m76qidxwdr51qrgs3ryyz875rndwp9p30siqd04raswq";
+    rev = version;
+    sha256 = "19kp1cnxi6dq89xh07c14q7kzkawbxdkwrvn1rl48l78d04agnxx";
   };
 
   propagatedBuildInputs = [ menhir merlin_extend ppx_tools_versioned ];

From 574edcd6b22f204fa2a08a2c8b9b27aab02b0c89 Mon Sep 17 00:00:00 2001
From: Joerg Thalheim <joerg@thalheim.io>
Date: Tue, 28 Nov 2017 18:35:35 +0000
Subject: [PATCH 8/9] awesome: fix LUA_PATH/LUA_CPATH to lgi

Otherwise it would not start.
---
 pkgs/applications/window-managers/awesome/default.nix | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pkgs/applications/window-managers/awesome/default.nix b/pkgs/applications/window-managers/awesome/default.nix
index ec73150a506..4043c05e3d6 100644
--- a/pkgs/applications/window-managers/awesome/default.nix
+++ b/pkgs/applications/window-managers/awesome/default.nix
@@ -10,7 +10,7 @@
 with luaPackages; stdenv.mkDerivation rec {
   name = "awesome-${version}";
   version = "4.2";
-  
+
   src = fetchFromGitHub {
     owner = "awesomewm";
     repo = "awesome";
@@ -25,10 +25,10 @@ with luaPackages; stdenv.mkDerivation rec {
     imagemagick
     makeWrapper
     pkgconfig
-    xmlto docbook_xml_dtd_45 
+    xmlto docbook_xml_dtd_45
     docbook_xsl findXMLCatalogs
   ];
-   
+
   propagatedUserEnvPkgs = [ hicolor_icon_theme ];
   buildInputs = [ cairo librsvg dbus gdk_pixbuf gobjectIntrospection
                   git lgi libpthreadstubs libstartup_notification
@@ -49,8 +49,8 @@ with luaPackages; stdenv.mkDerivation rec {
   postInstall = ''
     wrapProgram $out/bin/awesome \
       --set GDK_PIXBUF_MODULE_FILE "$GDK_PIXBUF_MODULE_FILE" \
-      --prefix LUA_CPATH ";" '"${lgi}/lib/lua/${lua.luaversion}/?.so"' \
-      --prefix LUA_PATH ";" '"${lgi}/share/lua/${lua.luaversion}/?.lua;${lgi}/share/lua/${lua.luaversion}/lgi/?.lua"' \
+      --prefix LUA_CPATH ";" '${lgi}/lib/lua/${lua.luaversion}/?.so' \
+      --prefix LUA_PATH ";" '${lgi}/share/lua/${lua.luaversion}/?.lua' \
       --prefix GI_TYPELIB_PATH : "$GI_TYPELIB_PATH" \
       --prefix LD_LIBRARY_PATH : "$LD_LIBRARY_PATH" \
       --prefix PATH : "${stdenv.lib.makeBinPath [ compton unclutter procps iproute coreutils curl alsaUtils findutils xterm ]}"

From e0368f5076abdedb671ef223d183d1a43b786e14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Tue, 28 Nov 2017 20:42:26 +0100
Subject: [PATCH 9/9] gnutls: use mirror://gnupg (fix #32147)

ftp.gnutls.org stopped working with curl; it's not clear yet why.
---
 pkgs/development/libraries/gnutls/3.5.10.nix | 2 +-
 pkgs/development/libraries/gnutls/3.5.nix    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/gnutls/3.5.10.nix b/pkgs/development/libraries/gnutls/3.5.10.nix
index a1eab1a84c1..a44e2b04ed7 100644
--- a/pkgs/development/libraries/gnutls/3.5.10.nix
+++ b/pkgs/development/libraries/gnutls/3.5.10.nix
@@ -4,7 +4,7 @@ callPackage ./generic.nix (args // rec {
   version = "3.5.10";
 
   src = fetchurl {
-    url = "ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-${version}.tar.xz";
+    url = "mirror://gnupg/gnutls/v3.5/gnutls-${version}.tar.xz";
     sha256 = "17apwvdkkazh5w8z8mbanpj2yj8s2002qwy46wz4v3akpa33wi5g";
   };
 })
diff --git a/pkgs/development/libraries/gnutls/3.5.nix b/pkgs/development/libraries/gnutls/3.5.nix
index 55c917f212e..0422592e70d 100644
--- a/pkgs/development/libraries/gnutls/3.5.nix
+++ b/pkgs/development/libraries/gnutls/3.5.nix
@@ -4,7 +4,7 @@ callPackage ./generic.nix (args // rec {
   version = "3.5.15";
 
   src = fetchurl {
-    url = "ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-${version}.tar.xz";
+    url = "mirror://gnupg/gnutls/v3.5/gnutls-${version}.tar.xz";
     sha256 = "1mgsxkbs44csw07ngwbqns2y2s03m975lk1sl5ay87wbic882q04";
   };