Merge branch 'staging-next'

Security fixes for a few packages are included.

10 files changed, 53 insertions, 13 deletions

diff --git a/pkgs/os-specific/darwin/apple-source-releases/Libsystem/reexported_libraries b/pkgs/os-specific/darwin/apple-source-releases/Libsystem/reexported_libraries
index 494426eba6d..edc2e759a29 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/Libsystem/reexported_libraries
+++ b/pkgs/os-specific/darwin/apple-source-releases/Libsystem/reexported_libraries
@@ -19,7 +19,7 @@
 
 /usr/lib/system/libsystem_configuration.dylib
 /usr/lib/system/libsystem_coreservices.dylib
-# /usr/lib/system/libsystem_coretls.dylib # Removed in 10.13
+# /usr/lib/system/libsystem_coretls.dylib  # Removed in 10.13
 /usr/lib/system/libsystem_dnssd.dylib
 /usr/lib/system/libsystem_info.dylib
 
@@ -28,7 +28,7 @@
 
 /usr/lib/system/libsystem_m.dylib
 /usr/lib/system/libsystem_malloc.dylib
-/usr/lib/system/libsystem_network.dylib
+# /usr/lib/system/libsystem_network.dylib  # Removed in 10.14
 /usr/lib/system/libsystem_networkextension.dylib
 /usr/lib/system/libsystem_notify.dylib
 /usr/lib/system/libsystem_platform.dylib
diff --git a/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_c_symbols b/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_c_symbols
index e298ae47f72..4d83c5cfe9b 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_c_symbols
+++ b/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_c_symbols
@@ -51,8 +51,6 @@ ___bt_setcur
 ___bt_split
 ___bt_sync
 ___buf_free
-___cVersionNumber
-___cVersionString
 ___call_hash
 ___cleanup
 ___cmp_D2A
diff --git a/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_kernel_symbols b/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_kernel_symbols
index 000af8ad7b7..4d1a1f521b0 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_kernel_symbols
+++ b/pkgs/os-specific/darwin/apple-source-releases/Libsystem/system_kernel_symbols
@@ -57,8 +57,6 @@ ___ioctl
 ___iopolicysys
 ___kdebug_trace
 ___kdebug_trace64
-___kernelVersionNumber
-___kernelVersionString
 ___kill
 ___lchown
 ___libkernel_init
diff --git a/pkgs/os-specific/linux/cryptsetup/default.nix b/pkgs/os-specific/linux/cryptsetup/default.nix
index fc13d97429c..5211fd2a61b 100644
--- a/pkgs/os-specific/linux/cryptsetup/default.nix
+++ b/pkgs/os-specific/linux/cryptsetup/default.nix
@@ -20,6 +20,10 @@ stdenv.mkDerivation rec {
     })
   ];
 
+  postPatch = ''
+    patchShebangs tests
+  '';
+
   NIX_LDFLAGS = "-lgcc_s";
 
   configureFlags = [
diff --git a/pkgs/os-specific/linux/fuse/common.nix b/pkgs/os-specific/linux/fuse/common.nix
index d23ae7594be..15470479a3a 100644
--- a/pkgs/os-specific/linux/fuse/common.nix
+++ b/pkgs/os-specific/linux/fuse/common.nix
@@ -4,6 +4,7 @@
 , fusePackages, utillinux, gettext
 , meson, ninja, pkgconfig
 , autoreconfHook
+, python3Packages, which
 }:
 
 let
@@ -58,6 +59,14 @@ in stdenv.mkDerivation rec {
       ./makeconf.sh
     '');
 
+  checkInputs = [ which ] ++ (with python3Packages; [ python pytest ]);
+
+  checkPhase = ''
+    python3 -m pytest test/
+  '';
+
+  doCheck = false; # v2: no tests, v3: all tests get skipped in a sandbox
+
   postFixup = "cd $out\n" + (if isFuse3 then ''
     install -D -m444 etc/fuse.conf $common/etc/fuse.conf
     install -D -m444 etc/udev/rules.d/99-fuse3.rules $common/etc/udev/rules.d/99-fuse.rules
diff --git a/pkgs/os-specific/linux/libaio/default.nix b/pkgs/os-specific/linux/libaio/default.nix
index e2be136adee..949c8135df7 100644
--- a/pkgs/os-specific/linux/libaio/default.nix
+++ b/pkgs/os-specific/linux/libaio/default.nix
@@ -14,10 +14,20 @@ stdenv.mkDerivation rec {
     sha256 = "1kqpiswjn549s3w3m89bw5qkl7bw5pvq6gp5cdzd926ymlgivj5c";
   }) ];
 
+  postPatch = ''
+    patchShebangs harness
+
+    # Makefile is too optimistic, gcc is too smart
+    substituteInPlace harness/Makefile \
+      --replace "-Werror" ""
+  '';
+
   makeFlags = "prefix=$(out)";
 
   hardeningDisable = stdenv.lib.optional (stdenv.isi686) "stackprotector";
 
+  checkTarget = "partcheck"; # "check" needs root
+
   meta = {
     description = "Library for asynchronous I/O in Linux";
     homepage = http://lse.sourceforge.net/io/aio.html;
diff --git a/pkgs/os-specific/linux/numactl/default.nix b/pkgs/os-specific/linux/numactl/default.nix
index 9928897ae4d..4506945ffba 100644
--- a/pkgs/os-specific/linux/numactl/default.nix
+++ b/pkgs/os-specific/linux/numactl/default.nix
@@ -23,6 +23,15 @@ stdenv.mkDerivation rec {
       sha256 = "080b0sygmg7104qbbh1amh3b322yyiajwi2d3d0vayffgva0720v";
     });
 
+  postPatch = ''
+    patchShebangs test
+  '';
+
+  # You probably shouldn't ever run these! They will reconfigure Linux
+  # NUMA settings, which on my build machine makes the rest of package
+  # building ~5% slower until reboot. Ugh!
+  doCheck = false; # never ever!
+
   meta = with stdenv.lib; {
     description = "Library and tools for non-uniform memory access (NUMA) machines";
     homepage = http://oss.sgi.com/projects/libnuma/;
diff --git a/pkgs/os-specific/linux/pmount/default.nix b/pkgs/os-specific/linux/pmount/default.nix
index ea34075210d..f0f706157ed 100644
--- a/pkgs/os-specific/linux/pmount/default.nix
+++ b/pkgs/os-specific/linux/pmount/default.nix
@@ -34,6 +34,8 @@ stdenv.mkDerivation rec {
     substituteInPlace ./src/Makefile --replace '-o root -g root -m 4755 ' '-m 755 '
   '';
 
+  doCheck = false; # fails 1 out of 1 tests with "Error: could not open fstab-type file: No such file or directory"
+
   meta = {
     homepage = http://pmount.alioth.debian.org/;
     description = "Mount removable devices as normal user";
diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix
index 8a87d3fce58..f02f1baafe6 100644
--- a/pkgs/os-specific/linux/syslinux/default.nix
+++ b/pkgs/os-specific/linux/syslinux/default.nix
@@ -21,19 +21,23 @@ stdenv.mkDerivation rec {
     })
   ];
 
-  nativeBuildInputs = [ nasm perl python ];
-  buildInputs = [ libuuid makeWrapper ];
-
-  enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...'
-  hardeningDisable = [ "pic" "stackprotector" "fortify" ];
-
-  preBuild = ''
+  postPatch = ''
     substituteInPlace Makefile --replace /bin/pwd $(type -P pwd)
     substituteInPlace gpxe/src/Makefile.housekeeping --replace /bin/echo $(type -P echo)
     substituteInPlace utils/ppmtolss16 --replace /usr/bin/perl $(type -P perl)
     substituteInPlace gpxe/src/Makefile --replace /usr/bin/perl $(type -P perl)
+
+    # fix tests
+    substituteInPlace tests/unittest/include/unittest/unittest.h \
+      --replace /usr/include/ ""
   '';
 
+  nativeBuildInputs = [ nasm perl python ];
+  buildInputs = [ libuuid makeWrapper ];
+
+  enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...'
+  hardeningDisable = [ "pic" "stackprotector" "fortify" ];
+
   stripDebugList = "bin sbin share/syslinux/com32";
 
   makeFlags = [
@@ -47,6 +51,8 @@ stdenv.mkDerivation rec {
     "bios"
   ];
 
+  doCheck = false; # fails. some fail in a sandbox, others require qemu
+
   postInstall = ''
     wrapProgram $out/bin/syslinux \
       --prefix PATH : "${mtools}/bin"
diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix
index 39fae463207..55758190efd 100644
--- a/pkgs/os-specific/linux/util-linux/default.nix
+++ b/pkgs/os-specific/linux/util-linux/default.nix
@@ -22,6 +22,8 @@ in stdenv.mkDerivation rec {
   outputs = [ "bin" "dev" "out" "man" ];
 
   postPatch = ''
+    patchShebangs tests/run.sh
+
     substituteInPlace include/pathnames.h \
       --replace "/bin/login" "${shadow}/bin/login"
     substituteInPlace sys-utils/eject.c \
@@ -54,6 +56,8 @@ in stdenv.mkDerivation rec {
     [ zlib pam ]
     ++ lib.filter (p: p != null) [ ncurses systemd perl ];
 
+  doCheck = false; # "For development purpose only. Don't execute on production system!"
+
   postInstall = ''
     rm "$bin/bin/su" # su should be supplied by the su package (shadow)
   '' + lib.optionalString minimal ''