From f565274fe530d2c3008ec6e2f27a1381a0978ce0 Mon Sep 17 00:00:00 2001
From: Will Dietz <w@wdtz.org>
Date: Tue, 23 Jan 2018 21:11:44 -0600
Subject: [PATCH 1/7] rhash: 1.3.3 -> 1.3.5

1.3.5: https://github.com/rhash/RHash/releases/tag/v1.3.5
1.3.4: https://github.com/rhash/RHash/releases/tag/v1.3.4

* still need makefile bug workarounds
* cleanup a bit
* port darwin patch--
  don't believe still needed but shouldn't hurt.
---
 pkgs/tools/security/rhash/darwin.patch | 25 -------------------------
 pkgs/tools/security/rhash/default.nix  | 20 ++++++--------------
 2 files changed, 6 insertions(+), 39 deletions(-)

diff --git a/pkgs/tools/security/rhash/darwin.patch b/pkgs/tools/security/rhash/darwin.patch
index 76ad8fe9abd..058791cdd88 100644
--- a/pkgs/tools/security/rhash/darwin.patch
+++ b/pkgs/tools/security/rhash/darwin.patch
@@ -11,28 +11,3 @@ index e40dbc3..e198b93 100644
  SHRDLFLAGS = $(LDFLAGS) $(ADDLDFLAGS)
  HEADERS = calc_sums.h hash_print.h common_func.h hash_update.h file_mask.h file_set.h find_file.h hash_check.h output.h parse_cmdline.h rhash_main.h win_utils.h version.h
  SOURCES = calc_sums.c hash_print.c common_func.c hash_update.c file_mask.c file_set.c find_file.c hash_check.c output.c parse_cmdline.c rhash_main.c win_utils.c
-diff --git a/librhash/Makefile b/librhash/Makefile
-index 2f9bcc9..0c5aaad 100644
---- a/librhash/Makefile
-+++ b/librhash/Makefile
-@@ -28,8 +28,8 @@ PREFIX  = /usr/local
- INCDIR  = $(PREFIX)/include
- LIBDIR  = $(PREFIX)/lib
- LIBRARY = librhash.a
--SONAME  = librhash.so.0
--SOLINK  = librhash.so
-+SONAME  = librhash.0.dylib
-+SOLINK  = librhash.dylib
- TEST_TARGET = test_hashes
- TEST_SHARED = test_shared
- # Set variables according to GNU coding standard
-@@ -182,8 +182,7 @@ test-dll: $(DLLNAME) test_hashes.o
- 
- # shared and static libraries
- $(SONAME): $(SOURCES)
--	sed -n '1s/.*/{ global:/p; s/^RHASH_API.* \([a-z0-9_]\+\)(.*/  \1;/p; $$s/.*/local: *; };/p' $(SO_HEADERS) > exports.sym
--	$(CC) -fpic $(ALLCFLAGS) -shared $(SOURCES) -Wl,--version-script,exports.sym,-soname,$(SONAME) $(LIBLDFLAGS) -o $@
-+	$(CC) -fpic $(ALLCFLAGS) -dynamiclib $(SOURCES) $(LIBLDFLAGS) -Wl,-install_name,$(PREFIX)/lib/$@ -o $@
- 	ln -s $(SONAME) $(SOLINK)
- # use 'nm -Cg --defined-only $@' to view exported symbols
- 
diff --git a/pkgs/tools/security/rhash/default.nix b/pkgs/tools/security/rhash/default.nix
index 68c3edc4cd2..14121b3bc04 100644
--- a/pkgs/tools/security/rhash/default.nix
+++ b/pkgs/tools/security/rhash/default.nix
@@ -1,31 +1,23 @@
 { stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
-  version = "1.3.3";
+  version = "1.3.5";
   name = "rhash-${version}";
 
   src = fetchurl {
     url = "mirror://sourceforge/rhash/${name}-src.tar.gz";
-    sha1 = "0981bdc98ba7ef923b1a6cd7fd8bb0374cff632e";
-    sha256 = "0nii6p4m2x8rkaf8r6smgfwb1q4hpf117kkg64yr6gyqgdchnljv";
+    sha256 = "0bhz3xdl6r06k1bqigdjz42l31iqz2qdpg7zk316i7p2ra56iq4q";
   };
 
   patches = stdenv.lib.optional stdenv.isDarwin ./darwin.patch;
 
-  installFlags = [ "DESTDIR=$(out)" "PREFIX=/" ];
+  makeFlags = [ "DESTDIR=$(out)" "PREFIX=/" "AR:=$(AR)" "CC:=$(CC)" ];
 
-  # we build the static library because of two makefile bugs
-  # * .h files installed for static library target only
-  # * .so.0 -> .so link only created in the static library install target
-  buildPhase = ''
-    make lib-shared lib-static build-shared CC=$CC AR=$AR PREFIX=$out
-  '';
+  buildFlags = [ "build-shared" "lib-shared" ];
 
-  # we don't actually want the static library, so we remove it after it
-  # gets installed
   installPhase = ''
-    make DESTDIR="$out" PREFIX="/" install-shared install-lib-shared install-lib-static
-    rm $out/lib/librhash.a
+    make $makeFlags -C librhash install-lib-shared install-headers install-so-link
+    make $makeFlags install-shared
   '';
 
   meta = with stdenv.lib; {

From 088274bf2c22dc97a518a9322be57a20da6b0f2b Mon Sep 17 00:00:00 2001
From: Will Dietz <w@wdtz.org>
Date: Mon, 5 Feb 2018 08:43:27 -0600
Subject: [PATCH 2/7] rhash: 1.3.5 -> 2018-02-05

Latest git is much more build-friendly.
---
 pkgs/tools/security/rhash/default.nix | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/pkgs/tools/security/rhash/default.nix b/pkgs/tools/security/rhash/default.nix
index 14121b3bc04..485b34cff88 100644
--- a/pkgs/tools/security/rhash/default.nix
+++ b/pkgs/tools/security/rhash/default.nix
@@ -1,24 +1,23 @@
-{ stdenv, fetchurl }:
+{ stdenv, fetchFromGitHub, which }:
 
 stdenv.mkDerivation rec {
-  version = "1.3.5";
+  version = "2018-02-05";
   name = "rhash-${version}";
 
-  src = fetchurl {
-    url = "mirror://sourceforge/rhash/${name}-src.tar.gz";
-    sha256 = "0bhz3xdl6r06k1bqigdjz42l31iqz2qdpg7zk316i7p2ra56iq4q";
+  src = fetchFromGitHub {
+    owner = "rhash";
+    repo = "RHash";
+    rev = "cc26d54ff5df0f692907a5e3132a5eeca559ed61";
+    sha256 = "1ldagp931lmxxpyvsb9rrar4iqwmv94m6lfjzkbkshpmk3p5ng7h";
   };
 
-  patches = stdenv.lib.optional stdenv.isDarwin ./darwin.patch;
+  nativeBuildInputs = [ which ];
 
-  makeFlags = [ "DESTDIR=$(out)" "PREFIX=/" "AR:=$(AR)" "CC:=$(CC)" ];
+  # configure script is not autotools-based, doesn't support these options
+  configurePlatforms = [ ];
 
-  buildFlags = [ "build-shared" "lib-shared" ];
-
-  installPhase = ''
-    make $makeFlags -C librhash install-lib-shared install-headers install-so-link
-    make $makeFlags install-shared
-  '';
+  installTargets = [ "install" "install-lib-shared" "install-lib-so-link" ];
+  postInstall = "make -C librhash install-headers";
 
   meta = with stdenv.lib; {
     homepage = http://rhash.anz.ru;

From 9ccbb2aa37023e834cc5b6bd0e0262e377a23df8 Mon Sep 17 00:00:00 2001
From: Will Dietz <w@wdtz.org>
Date: Mon, 5 Feb 2018 09:06:24 -0600
Subject: [PATCH 3/7] rhash: Remove unused darwin patch

---
 pkgs/tools/security/rhash/darwin.patch | 13 -------------
 1 file changed, 13 deletions(-)
 delete mode 100644 pkgs/tools/security/rhash/darwin.patch

diff --git a/pkgs/tools/security/rhash/darwin.patch b/pkgs/tools/security/rhash/darwin.patch
deleted file mode 100644
index 058791cdd88..00000000000
--- a/pkgs/tools/security/rhash/darwin.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/Makefile b/Makefile
-index e40dbc3..e198b93 100644
---- a/Makefile
-+++ b/Makefile
-@@ -17,7 +17,7 @@ ALLCFLAGS = -pipe $(CFLAGS) $(ADDCFLAGS) \
-   -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations
- LDLIBRHASH = -Llibrhash -lrhash
- ALLLDFLAGS = $(LDLIBRHASH) $(LDFLAGS) $(ADDLDFLAGS)
--SHAREDLIB  = librhash/librhash.so.0
-+SHAREDLIB  = librhash/librhash.0.dylib
- SHRDLFLAGS = $(LDFLAGS) $(ADDLDFLAGS)
- HEADERS = calc_sums.h hash_print.h common_func.h hash_update.h file_mask.h file_set.h find_file.h hash_check.h output.h parse_cmdline.h rhash_main.h win_utils.h version.h
- SOURCES = calc_sums.c hash_print.c common_func.c hash_update.c file_mask.c file_set.c find_file.c hash_check.c output.c parse_cmdline.c rhash_main.c win_utils.c

From 6ec60e8c4446c5093fff01a810ed30ed94d7603d Mon Sep 17 00:00:00 2001
From: Will Dietz <w@wdtz.org>
Date: Mon, 5 Feb 2018 11:26:01 -0600
Subject: [PATCH 4/7] busybox-sandbox-shell: extract basic shell to new
 attribute

Nix will use this shell if the attribute is present,
avoiding duplicating changes in the future.
---
 .../linux/busybox/sandbox-shell.nix           | 26 +++++++++++++++++++
 pkgs/tools/package-management/nix/default.nix | 26 ++-----------------
 pkgs/top-level/all-packages.nix               |  1 +
 3 files changed, 29 insertions(+), 24 deletions(-)
 create mode 100644 pkgs/os-specific/linux/busybox/sandbox-shell.nix

diff --git a/pkgs/os-specific/linux/busybox/sandbox-shell.nix b/pkgs/os-specific/linux/busybox/sandbox-shell.nix
new file mode 100644
index 00000000000..1755bd4f3f7
--- /dev/null
+++ b/pkgs/os-specific/linux/busybox/sandbox-shell.nix
@@ -0,0 +1,26 @@
+{ busybox }:
+
+# Minimal shell for use as basic /bin/sh in sandbox builds
+busybox.override {
+  useMusl = true;
+  enableStatic = true;
+  enableMinimal = true;
+  extraConfig = ''
+    CONFIG_FEATURE_FANCY_ECHO y
+    CONFIG_FEATURE_SH_MATH y
+    CONFIG_FEATURE_SH_MATH_64 y
+
+    CONFIG_ASH y
+    CONFIG_ASH_OPTIMIZE_FOR_SIZE y
+
+    CONFIG_ASH_ALIAS y
+    CONFIG_ASH_BASH_COMPAT y
+    CONFIG_ASH_CMDCMD y
+    CONFIG_ASH_ECHO y
+    CONFIG_ASH_GETOPTS y
+    CONFIG_ASH_INTERNAL_GLOB y
+    CONFIG_ASH_JOB_CONTROL y
+    CONFIG_ASH_PRINTF y
+    CONFIG_ASH_TEST y
+  '';
+}
diff --git a/pkgs/tools/package-management/nix/default.nix b/pkgs/tools/package-management/nix/default.nix
index 1e53f450964..3f77e47868b 100644
--- a/pkgs/tools/package-management/nix/default.nix
+++ b/pkgs/tools/package-management/nix/default.nix
@@ -1,7 +1,7 @@
 { lib, stdenv, fetchurl, fetchFromGitHub, perl, curl, bzip2, sqlite, openssl ? null, xz
 , pkgconfig, boehmgc, perlPackages, libsodium, aws-sdk-cpp, brotli
 , autoreconfHook, autoconf-archive, bison, flex, libxml2, libxslt, docbook5, docbook5_xsl
-, libseccomp, busybox
+, libseccomp, busybox-sandbox-shell
 , hostPlatform
 , storeDir ? "/nix/store"
 , stateDir ? "/nix/var"
@@ -10,29 +10,7 @@
 
 let
 
-  sh = busybox.override {
-    useMusl = true;
-    enableStatic = true;
-    enableMinimal = true;
-    extraConfig = ''
-      CONFIG_FEATURE_FANCY_ECHO y
-      CONFIG_FEATURE_SH_MATH y
-      CONFIG_FEATURE_SH_MATH_64 y
-
-      CONFIG_ASH y
-      CONFIG_ASH_OPTIMIZE_FOR_SIZE y
-
-      CONFIG_ASH_ALIAS y
-      CONFIG_ASH_BASH_COMPAT y
-      CONFIG_ASH_CMDCMD y
-      CONFIG_ASH_ECHO y
-      CONFIG_ASH_GETOPTS y
-      CONFIG_ASH_INTERNAL_GLOB y
-      CONFIG_ASH_JOB_CONTROL y
-      CONFIG_ASH_PRINTF y
-      CONFIG_ASH_TEST y
-    '';
-  };
+  sh = busybox-sandbox-shell;
 
   common = { name, suffix ? "", src, fromGit ? false }: stdenv.mkDerivation rec {
     inherit name src;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 92f81ee2861..f873e682d9d 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -12593,6 +12593,7 @@ with pkgs;
   bridge-utils = callPackage ../os-specific/linux/bridge-utils { };
 
   busybox = callPackage ../os-specific/linux/busybox { };
+  busybox-sandbox-shell = callPackage ../os-specific/linux/busybox/sandbox-shell.nix { };
 
   cachefilesd = callPackage ../os-specific/linux/cachefilesd { };
 

From ceeacd52052a2ebd27a6648f7604db7aea7e4b69 Mon Sep 17 00:00:00 2001
From: Josef Kemetmueller <josef.kemetmueller@gmail.com>
Date: Mon, 5 Feb 2018 20:25:43 +0000
Subject: [PATCH 5/7] graphviz: Explicitly specify libltdl directories

This should prevent the build from picking up /usr/lib/libltdl.so in
non-chroot builds on non-nixOS.
---
 pkgs/tools/graphics/graphviz/base.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pkgs/tools/graphics/graphviz/base.nix b/pkgs/tools/graphics/graphviz/base.nix
index 8a46b302dcd..f61c7923d79 100644
--- a/pkgs/tools/graphics/graphviz/base.nix
+++ b/pkgs/tools/graphics/graphviz/base.nix
@@ -31,7 +31,10 @@ stdenv.mkDerivation rec {
   CPPFLAGS = stdenv.lib.optionalString (xorg != null && stdenv.isDarwin)
     "-I${cairo.dev}/include/cairo";
 
-  configureFlags = optional (xorg == null) "--without-x";
+  configureFlags = [
+    "--with-ltdl-lib=${libtool.lib}/lib"
+    "--with-ltdl-include=${libtool}/include"
+  ] ++ stdenv.lib.optional (xorg == null) [ "--without-x" ];
 
   postPatch = ''
     for f in $(find . -name Makefile.in); do

From bd92592e7ed7de61ae48c9b84ab15ba2c3c70032 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?=
 <robert.schuetz@stud.uni-heidelberg.de>
Date: Fri, 9 Feb 2018 17:52:28 +0100
Subject: [PATCH 6/7] pythonPackages.pytz: 2017.3 -> 2018.3

---
 pkgs/development/python-modules/pytz/default.nix | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/pkgs/development/python-modules/pytz/default.nix b/pkgs/development/python-modules/pytz/default.nix
index 96f0ad136a0..65f3d80bdaa 100644
--- a/pkgs/development/python-modules/pytz/default.nix
+++ b/pkgs/development/python-modules/pytz/default.nix
@@ -2,12 +2,11 @@
 
 buildPythonPackage rec {
   pname = "pytz";
-  version = "2017.3";
+  version = "2018.3";
 
   src = fetchPypi {
     inherit pname version;
-    extension = "zip";
-    sha256 = "fae4cffc040921b8a2d60c6cf0b5d662c1190fe54d718271db4eb17d44a185b7";
+    sha256 = "410bcd1d6409026fbaa65d9ed33bf6dd8b1e94a499e32168acfc7b332e4095c0";
   };
 
   checkPhase = ''

From 256ba86fffc079b6035637eed1a85b2ff299d239 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Sat, 10 Feb 2018 11:29:19 +0100
Subject: [PATCH 7/7] libtasn1: 4.12 -> 4.13 (security)

/cc #34787.
---
 pkgs/development/libraries/libtasn1/default.nix | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/pkgs/development/libraries/libtasn1/default.nix b/pkgs/development/libraries/libtasn1/default.nix
index ccdc3aba611..cc5b19f7a59 100644
--- a/pkgs/development/libraries/libtasn1/default.nix
+++ b/pkgs/development/libraries/libtasn1/default.nix
@@ -1,21 +1,13 @@
 { stdenv, fetchurl, perl, texinfo }:
 
 stdenv.mkDerivation rec {
-  name = "libtasn1-4.12";
+  name = "libtasn1-4.13";
 
   src = fetchurl {
     url = "mirror://gnu/libtasn1/${name}.tar.gz";
-    sha256 = "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7";
+    sha256 = "1jlc1iahj8k3haz28j55nzg7sgni5h41vqy461i1bpbx6668wlky";
   };
 
-  patches = [
-    (fetchurl {
-      name = "CVE-2017-10790.patch";
-      url = "https://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=patch;h=d8d805e1f2e6799bb2dff4871a8598dc83088a39";
-      sha256 = "1v5w0dazp9qc2v7pc8b6g7s4dz5ak10hzrn35hx66q76yzrrzp7i";
-    })
-  ];
-
   outputs = [ "out" "dev" "devdoc" ];
   outputBin = "dev";