Merge remote-tracking branch 'upstream/master' into HEAD

4 files changed, 49 insertions, 11 deletions

diff --git a/pkgs/development/libraries/libsndfile/default.nix b/pkgs/development/libraries/libsndfile/default.nix
index 75e1374a228..21710375ed7 100644
--- a/pkgs/development/libraries/libsndfile/default.nix
+++ b/pkgs/development/libraries/libsndfile/default.nix
@@ -10,6 +10,29 @@ stdenv.mkDerivation rec {
     sha256 = "1afzm7jx34jhqn32clc5xghyjglccam2728yxlx37yj2y0lkkwqz";
   };
 
+  patches = [
+    # CVE-2017-12562
+    (fetchurl {
+       url = "https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8.patch";
+       sha256 = "1jg3wq30wdn9nv52mcyv6jyi4d80h4r1h9p96czcria7l91yh4sy";
+    })
+    # CVE-2017-6892
+    (fetchurl {
+       url = "https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748.patch";
+       sha256 = "05xkmz2ihc1zcj73sbmj1ikrv9qlcym2bkp1v6ak7w53ky619mwq";
+    })
+    # CVE-2017-8361, CVE-2017-8363, CVE-2017-8363
+    (fetchurl {
+       url = "https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3.patch";
+       sha256 = "0ccndnvjzx5fw18zvy03vnb29rr81h5vsh1m16msqbxk8ibndln2";
+    })
+    # CVE-2017-8362
+    (fetchurl {
+       url = "https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808.patch";
+       sha256 = "1xyv30ga71cpy4wx5f76sc4dma91la2lcc6s9f3pk9rndyi7gj9x";
+    })
+  ];
+
   buildInputs = [ pkgconfig flac libogg libvorbis ]
     ++ stdenv.lib.optionals stdenv.isDarwin [ Carbon AudioToolbox ];
 
diff --git a/pkgs/development/libraries/libxslt/default.nix b/pkgs/development/libraries/libxslt/default.nix
index 8a24b700ecf..1c27b6e3233 100644
--- a/pkgs/development/libraries/libxslt/default.nix
+++ b/pkgs/development/libraries/libxslt/default.nix
@@ -17,7 +17,14 @@ stdenv.mkDerivation rec {
     sha256 = "1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm";
   };
 
-  patches = stdenv.lib.optional stdenv.isSunOS ./patch-ah.patch;
+  patches = [
+    (fetchpatch {
+      name = "CVE-2017-5029";
+      url = "https://git.gnome.org/browse/libxslt/"
+        + "patch/?id=08ab2774b870de1c7b5a48693df75e8154addae5";
+      sha256 = "10azfmyffjf9d7b5js4ipxw9f20qi0kw3zq34bpqmbcpq3l338ky";
+    })
+  ] ++ stdenv.lib.optional stdenv.isSunOS ./patch-ah.patch;
 
   # fixes: can't build x86_64-unknown-cygwin shared library unless -no-undefined is specified
   postPatch = optionalString hostPlatform.isCygwin ''
diff --git a/pkgs/development/libraries/opencv/3.x.nix b/pkgs/development/libraries/opencv/3.x.nix
index 29d0a1a3a4c..69f0ce929d1 100644
--- a/pkgs/development/libraries/opencv/3.x.nix
+++ b/pkgs/development/libraries/opencv/3.x.nix
@@ -17,6 +17,7 @@
 , enableEigen     ? false, eigen
 , enableOpenblas  ? false, openblas
 , enableCuda      ? false, cudatoolkit, gcc5
+, enableTesseract ? false, tesseract, leptonica
 , AVFoundation, Cocoa, QTKit
 }:
 
@@ -44,6 +45,9 @@ let
     sha256 = "11dsq8dwh1k6f7zglbc26xwsjw184ggf2531mhf7v77kd72k19fm";
   };
 
+  # Contrib must be built in order to enable Tesseract support:
+  buildContrib = enableContrib || enableTesseract;
+
   vggFiles = fetchFromGitHub {
     owner  = "opencv";
     repo   = "opencv_3rdparty";
@@ -66,7 +70,7 @@ stdenv.mkDerivation rec {
   inherit version src;
 
   postUnpack =
-    (lib.optionalString enableContrib ''
+    (lib.optionalString buildContrib ''
       cp --no-preserve=mode -r "${contribSrc}/modules" "$NIX_BUILD_TOP/opencv_contrib"
 
       # This fixes the build on macOS.
@@ -118,7 +122,7 @@ stdenv.mkDerivation rec {
           ln -s "${ippicv}" "${dir}/${name}"
         ''
     ) +
-    (lib.optionalString enableContrib ''
+    (lib.optionalString buildContrib ''
       cmakeFlagsArray+=("-DOPENCV_EXTRA_MODULES_PATH=$NIX_BUILD_TOP/opencv_contrib")
     '');
 
@@ -137,8 +141,12 @@ stdenv.mkDerivation rec {
     ++ lib.optionals enableGStreamer (with gst_all_1; [ gstreamer gst-plugins-base ])
     ++ lib.optional enableEigen eigen
     ++ lib.optional enableOpenblas openblas
+    # There is seemingly no compile-time flag for Tesseract.  It's
+    # simply enabled automatically if contrib is built, and it detects
+    # tesseract & leptonica.
+    ++ lib.optionals enableTesseract [ tesseract leptonica ]
     ++ lib.optionals enableCuda [ cudatoolkit gcc5 ]
-    ++ lib.optional enableContrib protobuf3_1
+    ++ lib.optional buildContrib protobuf3_1
     ++ lib.optionals stdenv.isDarwin [ AVFoundation Cocoa QTKit ];
 
   propagatedBuildInputs = lib.optional enablePython pythonPackages.numpy;
@@ -158,7 +166,7 @@ stdenv.mkDerivation rec {
     (opencvFlag "CUDA" enableCuda)
     (opencvFlag "CUBLAS" enableCuda)
   ] ++ lib.optionals enableCuda [ "-DCUDA_FAST_MATH=ON" ]
-    ++ lib.optional enableContrib "-DBUILD_PROTOBUF=off"
+    ++ lib.optional buildContrib "-DBUILD_PROTOBUF=off"
     ++ lib.optionals stdenv.isDarwin ["-DWITH_OPENCL=OFF" "-DWITH_LAPACK=OFF"];
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/libraries/portaudio/default.nix b/pkgs/development/libraries/portaudio/default.nix
index 3882e1fb08a..41f29a1a6b1 100644
--- a/pkgs/development/libraries/portaudio/default.nix
+++ b/pkgs/development/libraries/portaudio/default.nix
@@ -1,15 +1,15 @@
-{ stdenv, fetchurl, alsaLib, pkgconfig
+{ stdenv, fetchurl, alsaLib, pkgconfig, libjack2
 , AudioUnit, AudioToolbox, CoreAudio, CoreServices, Carbon }:
 
 stdenv.mkDerivation rec {
-  name = "portaudio-19-20140130";
-  
+  name = "portaudio-190600-20161030";
+
   src = fetchurl {
-    url = http://www.portaudio.com/archives/pa_stable_v19_20140130.tgz;
-    sha256 = "0mwddk4qzybaf85wqfhxqlf0c5im9il8z03rd4n127k8y2jj9q4g";
+    url = http://www.portaudio.com/archives/pa_stable_v190600_20161030.tgz;
+    sha256 = "04qmin6nj144b8qb9kkd9a52xfvm0qdgm8bg8jbl7s3frmyiv8pm";
   };
 
-  buildInputs = [ pkgconfig ]
+  buildInputs = [ pkgconfig libjack2 ]
     ++ stdenv.lib.optional (!stdenv.isDarwin) alsaLib;
 
   configureFlags = [ "--disable-mac-universal" ];