Merge release-21.05 into staging-next-21.05

pkgs/applications/editors/emacs/elisp-packages/elpa-packages.nix

@@ -21,7 +21,7 @@ formats commits for you.
 
 */
 
-{ lib, stdenv, texinfo, writeText }:
+{ lib, stdenv, buildPackages, texinfo, writeText }:
 
 self: let
 
@@ -41,7 +41,10 @@ self: let
   }: let
 
     imported = import generated {
-      inherit (self) callPackage;
+      callPackage = pkgs: args: self.callPackage pkgs (args // {
+        # Use custom elpa url fetcher with fallback/uncompress
+        fetchurl = buildPackages.callPackage ./fetchelpa.nix { };
+      });
     };
 
     super = removeAttrs imported [ "dash" ];

pkgs/applications/editors/emacs/elisp-packages/fetchelpa.nix

@@ -0,0 +1,21 @@
+# Elpa only serves the latest version of a given package uncompressed.
+# Once that release is no longer the latest & greatest it gets archived and compressed
+# meaning that both the URL and the hash changes.
+#
+# To work around this issue we fall back to the URL with the .lz suffix and if that's the
+# one we downloaded we uncompress the file to ensure the hash matches regardless of compression.
+
+{ fetchurl, lzip }:
+
+{ url, ... }@args: fetchurl ((removeAttrs args [ "url" ]) // {
+  urls = [
+    url
+    (url + ".lz")
+  ];
+  postFetch = ''
+    if [[ $url == *.lz ]]; then
+      ${lzip}/bin/lzip -c -d $out > uncompressed
+      mv uncompressed $out
+    fi
+  '';
+})

pkgs/development/libraries/folly/default.nix

@@ -19,13 +19,13 @@
 
 stdenv.mkDerivation (rec {
   pname = "folly";
-  version = "2021.01.25.00";
+  version = "2021.08.02.00";
 
   src = fetchFromGitHub {
     owner = "facebook";
     repo = "folly";
     rev = "v${version}";
-    sha256 = "sha256-n2cpXdjPZYNjvSHBZFFn3JFwqYCFWc8qSKwet80LtJE=";
+    sha256 = "sha256-Y2CqPlhbfC++udbbURnI9mvRZswC8kmikp1HY0qJz4k=";
   };
 
   nativeBuildInputs = [

pkgs/development/libraries/ndpi/3.4-CVE-2021-36082.patch

@@ -0,0 +1,101 @@
+Based on upstream https://github.com/ntop/nDPI/commit/1ec621c85b9411cc611652fd57a892cfef478af3
+adapted by ris to apply to ndpi 3.4
+
+diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c
+index 1f3850cb..0d3b705f 100644
+--- a/src/lib/protocols/netbios.c
++++ b/src/lib/protocols/netbios.c
+@@ -42,7 +42,7 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len
+   int ret = 0, len, idx = inlen;
+   char *b;
+ 
+-  len = (*in++)/2;
++  len = (*in++)/2, inlen--;
+   b  = out;
+   *out = 0;
+ 
+ 
+diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
+index 5b572cae..304d5799 100644
+--- a/src/lib/protocols/tls.c
++++ b/src/lib/protocols/tls.c
+@@ -994,21 +994,23 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
+ 	i += 4 + extension_len, offset += 4 + extension_len;
+       }
+ 
+-      ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
++      ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version);
+ 
+-      for(i=0; i<ja3.num_cipher; i++) {
+-	rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
++      for(i=0; (i<ja3.num_cipher) && (JA3_STR_LEN > ja3_str_len); i++) {
++	rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
+ 
+ 	if(rc <= 0) break; else ja3_str_len += rc;
+       }
+ 
+-      rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
++      if(JA3_STR_LEN > ja3_str_len) {
++      rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+       if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
++      }
+ 
+       /* ********** */
+ 
+-      for(i=0; i<ja3.num_tls_extension; i++) {
+-	int rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
++      for(i=0; (i<ja3.num_tls_extension) && (JA3_STR_LEN > ja3_str_len); i++) {
++	int rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
+ 
+ 	if(rc <= 0) break; else ja3_str_len += rc;
+       }
+@@ -1443,41 +1445,41 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
+ 	      int rc;
+ 
+ 	    compute_ja3c:
+-	      ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
++	      ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version);
+ 
+ 	      for(i=0; i<ja3.num_cipher; i++) {
+-		rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
++		rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+ 			      (i > 0) ? "-" : "", ja3.cipher[i]);
+ 		if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+ 	      }
+ 
+-	      rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
++	      rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+ 	      if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+ 
+ 	      /* ********** */
+ 
+ 	      for(i=0; i<ja3.num_tls_extension; i++) {
+-		rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
++		rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+ 			      (i > 0) ? "-" : "", ja3.tls_extension[i]);
+ 		if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+ 	      }
+ 
+-	      rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
++	      rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+ 	      if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+ 
+ 	      /* ********** */
+ 
+ 	      for(i=0; i<ja3.num_elliptic_curve; i++) {
+-		rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
++		rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+ 			      (i > 0) ? "-" : "", ja3.elliptic_curve[i]);
+ 		if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+ 	      }
+ 
+-	      rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
++	      rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+ 	      if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+ 
+ 	      for(i=0; i<ja3.num_elliptic_curve_point_format; i++) {
+-		rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
++		rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+ 			      (i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]);
+ 		if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+ 	      }

pkgs/development/libraries/ndpi/default.nix

@@ -14,6 +14,10 @@ stdenv.mkDerivation {
     sha256 = "0xjh9gv0mq0213bjfs5ahrh6m7l7g99jjg8104c0pw54hz0p5pq1";
   };
 
+  patches = [
+    ./3.4-CVE-2021-36082.patch
+  ];
+
   configureScript = "./autogen.sh";
 
   nativeBuildInputs = [which autoconf automake libtool];

pkgs/development/python-modules/yamale/default.nix

@@ -9,7 +9,7 @@
 
 buildPythonPackage rec {
   pname = "yamale";
-  version = "3.0.4";
+  version = "3.0.8";
 
   disabled = !isPy3k;
 
@@ -17,7 +17,7 @@ buildPythonPackage rec {
     owner = "23andMe";
     repo = pname;
     rev = version;
-    sha256 = "1xjvah4r3gpwk4zxql3c9jpllb34k175fm6iq1zvsd2vv2fwf8s2";
+    sha256 = "0bn0himn5fwndaxn205s55bdc4np7lhd940i0lkv0m7ybhbw7dap";
   };
 
   propagatedBuildInputs = [
@@ -28,6 +28,7 @@ buildPythonPackage rec {
   checkInputs = [
     pytest
   ];
+  pythonImportsCheck = [ "yamale" ];
 
   meta = with lib; {
     description = "A schema and validator for YAML";

pkgs/os-specific/linux/openvswitch/default.nix

@@ -1,5 +1,5 @@
-{ lib, stdenv, fetchurl, makeWrapper, pkg-config, util-linux, which
-, procps, libcap_ng, openssl, python3 , perl
+{ lib, stdenv, fetchurl, fetchpatch, makeWrapper, pkg-config, util-linux, which
+, procps, libcap_ng, openssl, python3, perl, autoconf, automake, libtool
 , kernel ? null }:
 
 with lib;
@@ -16,9 +16,22 @@ in stdenv.mkDerivation rec {
     sha256 = "sha256-ZfQg+VTiUNiV+y2yKhMuHLVgvF4rkFHoNFETSBCOWXo=";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2021-36980.patch";
+      url = "https://github.com/openvswitch/ovs/commit/8ce8dc34b5f73b30ce0c1869af9947013c3c6575.patch";
+      sha256 = "1iyaqkiwijl2djjvnnvykh95qlzgvn9hmpszrwzmhwvik5m7b6g6";
+      # we don't run the tests, and the binary example missing from the patch
+      # file upsets the build process
+      excludes = [ "tests/*" ];
+    })
+  ];
+
+  preConfigure = "./boot.sh";
+
   kernel = optional (_kernel != null) _kernel.dev;
 
-  nativeBuildInputs = [ pkg-config makeWrapper ];
+  nativeBuildInputs = [ pkg-config makeWrapper autoconf automake libtool ];
   buildInputs = [ util-linux openssl libcap_ng pythonEnv
                   perl procps which ];
 

pkgs/servers/mail/postsrsd/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "postsrsd";
-  version = "1.10";
+  version = "1.11";
 
   src = fetchFromGitHub {
     owner = "roehling";
     repo = "postsrsd";
     rev = version;
-    sha256 = "sha256-AqOHHOnGqOnIw5hPPiJjUJFiwngTux7gwn8qig0t7hs=";
+    sha256 = "sha256-M1VtH+AToLh9J4zwIznInfFJzqmKElTvqAgI+qqL+Lw=";
   };
 
   cmakeFlags = [ "-DGENERATE_SRS_SECRET=OFF" "-DINIT_FLAVOR=systemd" ];

pkgs/servers/matrix-synapse/0001-setup-add-homeserver-as-console-script.patch

@@ -0,0 +1,33 @@
+From 36ffbb7ad2c535180cae473b470a43f9db4fbdcd Mon Sep 17 00:00:00 2001
+From: Maximilian Bosch <maximilian@mbosch.me>
+Date: Mon, 16 Aug 2021 13:27:28 +0200
+Subject: [PATCH] setup: add homeserver as console script
+
+With this change, it will be added to `$out/bin` in `nixpkgs` directly.
+This became necessary since our old workaround, calling it as script,
+doesn't work anymore since the shebangs were removed[1].
+
+[1] https://github.com/matrix-org/synapse/pull/10415
+---
+ setup.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/setup.py b/setup.py
+index c47856351..27f1d842c 100755
+--- a/setup.py
++++ b/setup.py
+@@ -133,6 +133,11 @@ setup(
+     long_description=long_description,
+     long_description_content_type="text/x-rst",
+     python_requires="~=3.6",
++    entry_points={
++        'console_scripts': [
++            'homeserver = synapse.app.homeserver:main'
++        ]
++    },
+     classifiers=[
+         "Development Status :: 5 - Production/Stable",
+         "Topic :: Communications :: Chat",
+-- 
+2.31.1
+

pkgs/servers/matrix-synapse/default.nix

@@ -24,16 +24,15 @@ let
 in
 with py.pkgs; buildPythonApplication rec {
   pname = "matrix-synapse";
-  version = "1.39.0";
+  version = "1.40.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-dErfNHDUo0yGLbrRQdwbNkMVfnMfbrO3f7bsRwgRQMM=";
+    sha256 = "sha256-5RCeKTAtuFERQSoz4WinGz36tMuKtijnupPR/X02hCU=";
   };
 
   patches = [
-    # adds an entry point for the service
-    ./homeserver-script.patch
+    ./0001-setup-add-homeserver-as-console-script.patch
   ];
 
   buildInputs = [ openssl ];

pkgs/servers/matrix-synapse/homeserver-script.patch

@@ -1,23 +0,0 @@
-diff --git a/homeserver b/homeserver
-new file mode 120000
-index 000000000..2f1d41351
---- /dev/null
-+++ b/homeserver
-@@ -0,0 +1 @@
-+synapse/app/homeserver.py
-\ No newline at end of file
-diff --git a/setup.py b/setup.py
-index 5ce06c898..f1ccd95bc 100755
---- a/setup.py
-+++ b/setup.py
-@@ -115,6 +115,6 @@ setup(
-         "Programming Language :: Python :: 3.6",
-         "Programming Language :: Python :: 3.7",
-     ],
--    scripts=["synctl"] + glob.glob("scripts/*"),
-+    scripts=["synctl", "homeserver"] + glob.glob("scripts/*"),
-     cmdclass={"test": TestCommand},
- )
--- 
-2.22.0
-

pkgs/top-level/emacs-packages.nix

@@ -26,7 +26,7 @@
 let
 
   mkElpaPackages = { pkgs, lib }: import ../applications/editors/emacs/elisp-packages/elpa-packages.nix {
-    inherit (pkgs) stdenv texinfo writeText;
+    inherit (pkgs) stdenv texinfo writeText buildPackages;
     inherit lib;
   };