Merge 'staging' into closure-size

- there were many easy merge conflicts
- cc-wrapper needed nontrivial changes

Many other problems might've been created by interaction of the branches,
but stdenv and a few other packages build fine now.

3 files changed, 79 insertions, 28 deletions

diff --git a/pkgs/tools/text/gnugrep/cve-2015-1345.patch b/pkgs/tools/text/gnugrep/cve-2015-1345.patch
new file mode 100644
index 000000000000..7156f475e7e8
--- /dev/null
+++ b/pkgs/tools/text/gnugrep/cve-2015-1345.patch
@@ -0,0 +1,60 @@
+From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
+From: Yuliy Pisetsky <ypisetsky@fb.com>
+Date: Thu, 01 Jan 2015 23:36:55 +0000
+Subject: grep -F: fix a heap buffer (read) overrun
+
+grep's read buffer is often filled to its full size, except when
+reading the final buffer of a file.  In that case, the number of
+bytes read may be far less than the size of the buffer.  However, for
+certain unusual pattern/text combinations, grep -F would mistakenly
+examine bytes in that uninitialized region of memory when searching
+for a match.  With carefully chosen inputs, one can cause grep -F to
+read beyond the end of that buffer altogether.  This problem arose via
+commit v2.18-90-g73893ff with the introduction of a more efficient
+heuristic using what is now the memchr_kwset function. The use of
+that function in bmexec_trans could leave TP much larger than EP,
+and the subsequent call to bm_delta2_search would mistakenly access
+beyond end of the main input read buffer.
+
+* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
+do not call bm_delta2_search.
+* tests/kwset-abuse: New file.
+* tests/Makefile.am (TESTS): Add it.
+* THANKS.in: Update.
+* NEWS (Bug fixes): Mention it.
+
+Prior to this patch, this command would trigger a UMR:
+
+  printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
+
+  Use of uninitialised value of size 8
+     at 0x4142BE: bmexec_trans (kwset.c:657)
+     by 0x4143CA: bmexec (kwset.c:678)
+     by 0x414973: kwsexec (kwset.c:848)
+     by 0x414DC4: Fexecute (kwsearch.c:128)
+     by 0x404E2E: grepbuf (grep.c:1238)
+     by 0x4054BF: grep (grep.c:1417)
+     by 0x405CEB: grepdesc (grep.c:1645)
+     by 0x405EC1: grep_command_line_arg (grep.c:1692)
+     by 0x4077D4: main (grep.c:2570)
+
+See the accompanying test for how to trigger the heap buffer overrun.
+
+Thanks to Nima Aghdaii for testing and finding numerous
+ways to break early iterations of this patch.
+
+Nix: @vcunat restricted this to the runtime code only to avoid needing autoreconfiguration.
+---
+diff --git a/src/kwset.c b/src/kwset.c
+index 4003c8d..376f7c3 100644
+--- a/src/kwset.c
++++ b/src/kwset.c
+@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
+                     if (! tp)
+                       return -1;
+                     tp++;
++                    if (ep <= tp)
++                      break;
+                   }
+               }
+           }
diff --git a/pkgs/tools/text/gnugrep/default.nix b/pkgs/tools/text/gnugrep/default.nix
index 2c5c54ddec78..e032c58acfd9 100644
--- a/pkgs/tools/text/gnugrep/default.nix
+++ b/pkgs/tools/text/gnugrep/default.nix
@@ -1,23 +1,20 @@
-{ stdenv, fetchurl, xz, pcre, libiconv ? null }:
+{ stdenv, fetchurl, xz, pcre, libiconv }:
 
-let version = "2.14"; in
+let version = "2.21"; in
 
 stdenv.mkDerivation {
   name = "gnugrep-${version}";
 
   src = fetchurl {
     url = "mirror://gnu/grep/grep-${version}.tar.xz";
-    sha256 = "1qbjb1l7f9blckc5pqy8jlf6482hpx4awn2acmhyf5mv9wfq03p7";
+    sha256 = "1pp5n15qwxrw1pibwjhhgsibyv5cafhamf8lwzjygs6y00fa2i2j";
   };
 
-  #outputs = [ "out" "doc" ]; ToDo
-
-  buildInputs = [ pcre xz.bin ]
-    ++ stdenv.lib.optional (libiconv != null) libiconv;
+  patches = [ ./cve-2015-1345.patch ];
 
-  patches = [ ./test-localeconv.patch ];
+  #outputs = [ "out" "doc" ]; ToDo
 
-  NIX_LDFLAGS = stdenv.lib.optionalString (libiconv != null) "-L${libiconv}/lib -liconv";
+  buildInputs = [ pcre xz.bin libiconv ];
 
   doCheck = !stdenv.isDarwin;
 
@@ -27,6 +24,18 @@ stdenv.mkDerivation {
     export MKDIR_P="mkdir -p"
   '';
 
+  # Fix reference to sh in bootstrap-tools, and invoke grep via
+  # absolute path rather than looking at argv[0].
+  postInstall =
+    ''
+      rm $out/bin/egrep $out/bin/fgrep
+      echo "#! /bin/sh" > $out/bin/egrep
+      echo "exec $out/bin/grep -E \"\$@\"" >> $out/bin/egrep
+      echo "#! /bin/sh" > $out/bin/fgrep
+      echo "exec $out/bin/grep -F \"\$@\"" >> $out/bin/fgrep
+      chmod +x $out/bin/egrep $out/bin/fgrep
+    '';
+
   meta = {
     homepage = http://www.gnu.org/software/grep/;
     description = "GNU implementation of the Unix grep command";
@@ -39,7 +48,7 @@ stdenv.mkDerivation {
 
     license = stdenv.lib.licenses.gpl3Plus;
 
-    maintainers = [ ];
+    maintainers = [ stdenv.lib.maintainers.eelco ];
     platforms = stdenv.lib.platforms.all;
   };
 
diff --git a/pkgs/tools/text/gnugrep/test-localeconv.patch b/pkgs/tools/text/gnugrep/test-localeconv.patch
deleted file mode 100644
index f5efaf222217..000000000000
--- a/pkgs/tools/text/gnugrep/test-localeconv.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- grep-2.14/gnulib-tests/test-localeconv.c.orig	2013-02-15 18:41:50.213433059 +0000
-+++ grep-2.14/gnulib-tests/test-localeconv.c	2013-02-15 18:50:33.964751303 +0000
-@@ -37,13 +37,13 @@
- 
-     ASSERT (STREQ (l->decimal_point, "."));
-     ASSERT (STREQ (l->thousands_sep, ""));
--#if !defined __FreeBSD__
-+#if !(defined __FreeBSD__ || defined __sun)
-     ASSERT (STREQ (l->grouping, ""));
- #endif
- 
-     ASSERT (STREQ (l->mon_decimal_point, ""));
-     ASSERT (STREQ (l->mon_thousands_sep, ""));
--#if !defined __FreeBSD__
-+#if !(defined __FreeBSD__ || defined __sun)
-     ASSERT (STREQ (l->mon_grouping, ""));
- #endif
-     ASSERT (STREQ (l->positive_sign, ""));