authorVladimír Čunát <v@cunat.cz>2021-09-01 22:46:50 +0200
committerVladimír Čunát <v@cunat.cz>2021-09-01 22:48:45 +0200
commit3e09410da091230c725faa80af462557c94d11d9 (patch)
tree91cdf8ff63d71ab9f9cb0b2e60d3290914b6dd08
parentMerge pull request #136099 from prusnak/electron-21.05 (diff)
parentMerge release-21.05 into staging-next-21.05 (diff)
downloadnixpkgs-3e09410da091230c725faa80af462557c94d11d9.tar.gz
Merge branch 'staging-next-21.05' into release-21.05
There's not even half of all binaries yet, but let's move this forward and get the -small channel going with secure openssl.
-rw-r--r--pkgs/applications/graphics/ImageMagick/7.0.nix4
-rw-r--r--pkgs/applications/networking/sync/rsync/base.nix9
-rw-r--r--pkgs/applications/networking/sync/rsync/default.nix7
-rw-r--r--pkgs/applications/networking/sync/rsync/rrsync.nix6
-rw-r--r--pkgs/development/interpreters/python/cpython/default.nix4
-rw-r--r--pkgs/development/interpreters/python/cpython/virtualenv-permissions.patch13
-rw-r--r--pkgs/development/interpreters/python/default.nix20
-rw-r--r--pkgs/development/libraries/c-ares/default.nix6
-rw-r--r--pkgs/development/libraries/ffmpeg-full/default.nix8
-rw-r--r--pkgs/development/libraries/ffmpeg/2.8.nix1
-rw-r--r--pkgs/development/libraries/ffmpeg/generic.nix11
-rw-r--r--pkgs/development/libraries/glibc/2.32-master.patch.gzbin66850 -> 71829 bytes
-rw-r--r--pkgs/development/libraries/glibc/common.nix4
-rw-r--r--pkgs/development/libraries/openssl/1.1/macos-yosemite-compat.patch56
-rw-r--r--pkgs/development/libraries/openssl/default.nix6
15 files changed, 113 insertions, 42 deletions
diff --git a/pkgs/applications/graphics/ImageMagick/7.0.nix b/pkgs/applications/graphics/ImageMagick/7.0.nix
index 5e0605bce9aa..ce1dbc8e3e84 100644
--- a/pkgs/applications/graphics/ImageMagick/7.0.nix
+++ b/pkgs/applications/graphics/ImageMagick/7.0.nix
@@ -18,13 +18,13 @@ in
stdenv.mkDerivation rec {
pname = "imagemagick";
- version = "7.1.0-4";
+ version = "7.1.0-5";
src = fetchFromGitHub {
owner = "ImageMagick";
repo = "ImageMagick";
rev = version;
- sha256 = "sha256-CvrSeoKaTigR+4egelwLRr2++CQ5OWUePwX9e1/G1GM=";
+ sha256 = "sha256-iXE3kVpJHMuZ+H6aaZ1GuOUHnP0lO/Q1F5yK8sPPS3M=";
};
outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big
diff --git a/pkgs/applications/networking/sync/rsync/base.nix b/pkgs/applications/networking/sync/rsync/base.nix
index 3479458088ed..39ce5d3a7ea5 100644
--- a/pkgs/applications/networking/sync/rsync/base.nix
+++ b/pkgs/applications/networking/sync/rsync/base.nix
@@ -1,4 +1,4 @@
-{ lib, fetchurl }:
+{ lib, fetchurl, fetchpatch }:
rec {
version = "3.2.3";
@@ -12,6 +12,13 @@ rec {
url = "mirror://samba/rsync/rsync-patches-${version}.tar.gz";
sha256 = "1wj21v57v135n6fnmlm2dxmb9lhrrg62jgkggldp1gb7d6s4arny";
};
+ extraPatches = [
+ (fetchpatch {
+ name = "CVE-2020-14387.patch";
+ url = "https://git.samba.org/?p=rsync.git;a=patch;h=c3f7414;hp=4c4fce51072c9189cfb11b52aa54fed79f5741bd";
+ sha256 = "000lyx48lns84p53nsdlr45mb9558lrvnsz3yic0y3z6h2izv82x";
+ })
+ ];
meta = with lib; {
description = "Fast incremental file transfer utility";
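Review bot: The `url` of the new `CVE-2020-14387.patch` entry identifies the upstream commit by an abbreviated id (`h=c3f7414`) while the parent `hp=` is written out in full. The `sha256` still pins the content, so nothing else can be substituted silently, but an abbreviated id can become ambiguous on the server and the fetch would then fail, blocking rebuilds of a security fix. I would spell it out as `h=<full-commit-id>` (placeholder, the full id is not on this page). I would also add a one-line comment above the entry saying what the patch changes and that it can be dropped with the next rsync release. The `rec { … }` set continues outside this hunk.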
diff --git a/pkgs/applications/networking/sync/rsync/default.nix b/pkgs/applications/networking/sync/rsync/default.nix
index a38352a328aa..f6d61dac3909 100644
--- a/pkgs/applications/networking/sync/rsync/default.nix
+++ b/pkgs/applications/networking/sync/rsync/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, perl, libiconv, zlib, popt
+{ lib, stdenv, fetchurl, fetchpatch, perl, libiconv, zlib, popt
, enableACLs ? !(stdenv.isDarwin || stdenv.isSunOS || stdenv.isFreeBSD), acl ? null
, enableLZ4 ? true, lz4 ? null
, enableOpenSSL ? true, openssl ? null
@@ -15,7 +15,7 @@ assert enableXXHash -> xxHash != null;
assert enableZstd -> zstd != null;
let
- base = import ./base.nix { inherit lib fetchurl; };
+ base = import ./base.nix { inherit lib fetchurl fetchpatch; };
in
stdenv.mkDerivation rec {
name = "rsync-${base.version}";
@@ -25,7 +25,8 @@ stdenv.mkDerivation rec {
patchesSrc = base.upstreamPatchTarball;
srcs = [mainSrc] ++ lib.optional enableCopyDevicesPatch patchesSrc;
- patches = lib.optional enableCopyDevicesPatch "./patches/copy-devices.diff";
+ patches = lib.optional enableCopyDevicesPatch "./patches/copy-devices.diff"
+ ++ base.extraPatches;
buildInputs = [libiconv zlib popt]
++ lib.optional enableACLs acl
diff --git a/pkgs/applications/networking/sync/rsync/rrsync.nix b/pkgs/applications/networking/sync/rsync/rrsync.nix
index 83eb4658d2f3..8ed09c190afb 100644
--- a/pkgs/applications/networking/sync/rsync/rrsync.nix
+++ b/pkgs/applications/networking/sync/rsync/rrsync.nix
@@ -1,7 +1,7 @@
-{ lib, stdenv, fetchurl, perl, rsync }:
+{ lib, stdenv, fetchurl, perl, rsync, fetchpatch }:
let
- base = import ./base.nix { inherit lib fetchurl; };
+ base = import ./base.nix { inherit lib fetchurl fetchpatch; };
in
stdenv.mkDerivation {
name = "rrsync-${base.version}";
@@ -15,6 +15,8 @@ stdenv.mkDerivation {
dontConfigure = true;
dontBuild = true;
+ patches = base.extraPatches;
+
postPatch = ''
substituteInPlace support/rrsync --replace /usr/bin/rsync ${rsync}/bin/rsync
'';
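Review bot: `patches = base.extraPatches;` is added without a comment saying why a derivation with `dontConfigure`/`dontBuild` set, whose visible `postPatch` only rewrites `support/rrsync`, needs the CVE-2020-14387 patch. Whether that patch touches anything rrsync installs cannot be seen from this hunk. If it is applied only to keep the tree identical to rsync's, say so, e.g. `# same patched source as rsync; extraPatches may not touch support/rrsync`. Otherwise every future entry in `extraPatches` will trigger rrsync rebuilds, and can break them if it stops applying, with no stated reason.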
diff --git a/pkgs/development/interpreters/python/cpython/default.nix b/pkgs/development/interpreters/python/cpython/default.nix
index 39f2ae0c3e4e..1fe0bf4fa37d 100644
--- a/pkgs/development/interpreters/python/cpython/default.nix
+++ b/pkgs/development/interpreters/python/cpython/default.nix
@@ -193,6 +193,10 @@ in with passthru; stdenv.mkDerivation {
# (since it will do a futile invocation of gcc (!) to find
# libuuid, slowing down program startup a lot).
(./. + "/${sourceVersion.major}.${sourceVersion.minor}/no-ldconfig.patch")
+ # Make sure that the virtualenv activation scripts are
+ # owner-writable, so venvs can be recreated without permission
+ # errors.
+ ./virtualenv-permissions.patch
] ++ optionals mimetypesSupport [
# Make the mimetypes module refer to the right file
./mimetypes.patch
diff --git a/pkgs/development/interpreters/python/cpython/virtualenv-permissions.patch b/pkgs/development/interpreters/python/cpython/virtualenv-permissions.patch
new file mode 100644
index 000000000000..c686f21bfbbe
--- /dev/null
+++ b/pkgs/development/interpreters/python/cpython/virtualenv-permissions.patch
@@ -0,0 +1,13 @@
+diff --git a/Lib/venv/__init__.py b/Lib/venv/__init__.py
+index caa7285..ad666ac 100644
+--- a/Lib/venv/__init__.py
++++ b/Lib/venv/__init__.py
+@@ -379,7 +379,7 @@ class EnvBuilder:
+ if data is not None:
+ with open(dstfile, 'wb') as f:
+ f.write(data)
+- shutil.copymode(srcfile, dstfile)
++ os.chmod(dstfile, 0o644)
+
+
+ def create(env_dir, system_site_packages=False, clear=False,
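Review bot: The replacement line `os.chmod(dstfile, 0o644)` hard-codes the mode, which does more than the stated goal of making the copied scripts owner-writable. It clears any execute bit the source file carried, and it grants group/other read even when the source was more restrictive. Keeping the source mode and adding only the owner-write bit would be narrower: keep `shutil.copymode(srcfile, dstfile)` and follow it with `os.chmod(dstfile, os.stat(dstfile).st_mode | 0o200)`. Whether any script installed through this path relies on being executable is not visible here, since the enclosing `EnvBuilder` method starts outside the hunk, so that should be checked before settling on a fixed mode.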
diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix
index 328ed715baee..a952e6f06d6c 100644
--- a/pkgs/development/interpreters/python/default.nix
+++ b/pkgs/development/interpreters/python/default.nix
@@ -120,10 +120,10 @@ with pkgs;
sourceVersion = {
major = "3";
minor = "8";
- patch = "9";
+ patch = "11";
suffix = "";
};
- sha256 = "XjkfPsRdopVEGcqwvq79i+OIlepc4zV3w+wUlAxLlXI=";
+ sha256 = "1chg8b0m1yrz50lizid20zha0dmj40z0iih3jqcrg7pyxca126pv";
};
};
@@ -147,10 +147,10 @@ in {
sourceVersion = {
major = "3";
minor = "6";
- patch = "13";
+ patch = "14";
suffix = "";
};
- sha256 = "pHpDpTq7QihqLBGWU0P/VnEbnmTo0RvyxnAaT7jOGg8=";
+ sha256 = "1bnm0bx7xf1jpfm0bmzlq19vwm0bvcbl7klx4rvgq05xryhafqr6";
inherit (darwin) configd;
inherit passthruFun;
};
@@ -160,10 +160,10 @@ in {
sourceVersion = {
major = "3";
minor = "7";
- patch = "10";
+ patch = "11";
suffix = "";
};
- sha256 = "+NgudXLIbsnVXIYnquUEAST9IgOvQAw4PIIbmAMG7ms=";
+ sha256 = "0d57b5a47wapzpkkq5rbvvi4caylc35j5910b64rxxn4nmm1kd6x";
inherit (darwin) configd;
inherit passthruFun;
};
@@ -179,10 +179,10 @@ in {
sourceVersion = {
major = "3";
minor = "9";
- patch = "4";
+ patch = "6";
suffix = "";
};
- sha256 = "Sw5mRKdvjfhkriSsUApRu/aL0Jj2oXPifTthzcqaoTQ=";
+ sha256 = "12hhw2685i68pwfx5hdkqngzhbji4ccyjmqb5rzvkigg6fpj0y9r";
inherit (darwin) configd;
inherit passthruFun;
};
@@ -193,9 +193,9 @@ in {
major = "3";
minor = "10";
patch = "0";
- suffix = "a5";
+ suffix = "rc1";
};
- sha256 = "BBjlfnA24hnx5rYwOyHnEfZM/Q/dsIlNjxnzev/8XU0=";
+ sha256 = "0f76q6rsvbvrzcnsp0k7sp555krrgvjpcd09l1rybl4249ln2w3r";
inherit (darwin) configd;
inherit passthruFun;
};
diff --git a/pkgs/development/libraries/c-ares/default.nix b/pkgs/development/libraries/c-ares/default.nix
index 20bcf80d9e59..4f571b7f1dd9 100644
--- a/pkgs/development/libraries/c-ares/default.nix
+++ b/pkgs/development/libraries/c-ares/default.nix
@@ -8,13 +8,15 @@
let self =
stdenv.mkDerivation rec {
pname = "c-ares";
- version = "1.17.1";
+ version = "1.17.2";
src = fetchurl {
url = "https://c-ares.haxx.se/download/${pname}-${version}.tar.gz";
- sha256 = "0h7wjfnk2092glqcp9mqaax7xx0s13m501z1gi0gsjl2vvvd0gfp";
+ sha256 = "sha256-SAPIRM4gzlEO8OuD+OpB+iTsqunSgMRoxYLSuyWzkT0=";
};
+ enableParallelBuilding = true;
+
meta = with lib; {
description = "A C library for asynchronous DNS requests";
homepage = "https://c-ares.haxx.se";
diff --git a/pkgs/development/libraries/ffmpeg-full/default.nix b/pkgs/development/libraries/ffmpeg-full/default.nix
index ddcc81f89302..2186c154f804 100644
--- a/pkgs/development/libraries/ffmpeg-full/default.nix
+++ b/pkgs/development/libraries/ffmpeg-full/default.nix
@@ -443,14 +443,6 @@ stdenv.mkDerivation rec {
buildFlags = [ "all" ]
++ optional qtFaststartProgram "tools/qt-faststart"; # Build qt-faststart executable
- doCheck = true;
- checkPhase = let
- ldLibraryPathEnv = if stdenv.isDarwin then "DYLD_LIBRARY_PATH" else "LD_LIBRARY_PATH";
- in ''
- ${ldLibraryPathEnv}="libavcodec:libavdevice:libavfilter:libavformat:libavresample:libavutil:libpostproc:libswresample:libswscale:''${${ldLibraryPathEnv}}" \
- make check -j$NIX_BUILD_CORES
- '';
-
# Hacky framework patching technique borrowed from the phantomjs2 package
postInstall = optionalString qtFaststartProgram ''
cp -a tools/qt-faststart $out/bin/
diff --git a/pkgs/development/libraries/ffmpeg/2.8.nix b/pkgs/development/libraries/ffmpeg/2.8.nix
index 0df810ff10b0..6d94c2e9974b 100644
--- a/pkgs/development/libraries/ffmpeg/2.8.nix
+++ b/pkgs/development/libraries/ffmpeg/2.8.nix
@@ -7,5 +7,4 @@ callPackage ./generic.nix (rec {
knownVulnerabilities = [
"CVE-2021-30123"
];
- doCheck = false;
} // args)
diff --git a/pkgs/development/libraries/ffmpeg/generic.nix b/pkgs/development/libraries/ffmpeg/generic.nix
index 083210b1fef1..7e4a6a080987 100644
--- a/pkgs/development/libraries/ffmpeg/generic.nix
+++ b/pkgs/development/libraries/ffmpeg/generic.nix
@@ -17,8 +17,7 @@
# Darwin frameworks
, Cocoa, darwinFrameworks ? [ Cocoa ]
# Inherit generics
-, branch, sha256, version, patches ? [], knownVulnerabilities ? []
-, doCheck ? true, ...
+, branch, sha256, version, patches ? [], knownVulnerabilities ? [], ...
}:
/* Maintainer notes:
@@ -188,13 +187,7 @@ stdenv.mkDerivation rec {
enableParallelBuilding = true;
- inherit doCheck;
- checkPhase = let
- ldLibraryPathEnv = if stdenv.isDarwin then "DYLD_LIBRARY_PATH" else "LD_LIBRARY_PATH";
- in ''
- ${ldLibraryPathEnv}="libavcodec:libavdevice:libavfilter:libavformat:libavresample:libavutil:libpostproc:libswresample:libswscale:''${${ldLibraryPathEnv}}" \
- make check -j$NIX_BUILD_CORES
- '';
+ doCheck = false; # fails
# ffmpeg 3+ generates pkg-config (.pc) files that don't have the
# form automatically handled by the multiple-outputs hooks.
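Review bot: `doCheck = false; # fails` turns the test suite off for every ffmpeg built from this file, and the comment does not say which test fails, on which platform or version, or where that is tracked. The earlier hunk in this file also drops the `doCheck ? true` argument while keeping `...`, so a caller that still passes `doCheck` is silently ignored and nothing can re-enable the tests per version. For a library that parses untrusted media I would at least record the reason, e.g. `doCheck = false; # FIXME: <failing test> on <platform>, see <issue-url>` (placeholders). Ideally the argument stays, with its default flipped to `false`, so the checks can be restored selectively.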
diff --git a/pkgs/development/libraries/glibc/2.32-master.patch.gz b/pkgs/development/libraries/glibc/2.32-master.patch.gz
index 8ea998b5bea2..b935f821e956 100644
--- a/pkgs/development/libraries/glibc/2.32-master.patch.gz
+++ b/pkgs/development/libraries/glibc/2.32-master.patch.gz
Binary files differ
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index ca82f7dc709a..8535215f2f8a 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -42,7 +42,7 @@
let
version = "2.32";
- patchSuffix = "-48";
+ patchSuffix = "-54";
sha256 = "0di848ibffrnwq7g2dvgqrnn4xqhj3h96csn69q4da51ymafl9qn";
in
@@ -61,7 +61,7 @@ stdenv.mkDerivation ({
[
/* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping.
$ git fetch --all -p && git checkout origin/release/2.32/master && git describe
- glibc-2.32-48-g16949aeaa0
+ glibc-2.32-54-g182ffd8e75
$ git show --minimal --reverse glibc-2.32.. | gzip -9n --rsyncable - > 2.32-master.patch.gz
To compare the archive contents zdiff can be used.
diff --git a/pkgs/development/libraries/openssl/1.1/macos-yosemite-compat.patch b/pkgs/development/libraries/openssl/1.1/macos-yosemite-compat.patch
new file mode 100644
index 000000000000..b0e37e325611
--- /dev/null
+++ b/pkgs/development/libraries/openssl/1.1/macos-yosemite-compat.patch
@@ -0,0 +1,56 @@
+From cef404f1e7a598166cbc2fd2e0048f7e2d752ad5 Mon Sep 17 00:00:00 2001
+From: David Carlier <devnexen@gmail.com>
+Date: Tue, 24 Aug 2021 22:40:14 +0100
+Subject: [PATCH] Darwin platform allows to build on releases before
+ Yosemite/ios 8.
+
+issue #16407 #16408
+---
+ crypto/rand/rand_unix.c | 5 +----
+ include/crypto/rand.h | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c
+index 43f1069d151d..0f4525106af7 100644
+--- a/crypto/rand/rand_unix.c
++++ b/crypto/rand/rand_unix.c
+@@ -34,9 +34,6 @@
+ #if defined(__OpenBSD__)
+ # include <sys/param.h>
+ #endif
+-#if defined(__APPLE__)
+-# include <CommonCrypto/CommonRandom.h>
+-#endif
+
+ #if defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__)
+ # include <sys/types.h>
+@@ -381,7 +378,7 @@ static ssize_t syscall_random(void *buf, size_t buflen)
+ if (errno != ENOSYS)
+ return -1;
+ }
+-# elif defined(__APPLE__)
++# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
+ if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
+ return (ssize_t)buflen;
+
+diff --git a/include/crypto/rand.h b/include/crypto/rand.h
+index 5350d3a93119..674f840fd13c 100644
+--- a/include/crypto/rand.h
++++ b/include/crypto/rand.h
+@@ -20,6 +20,16 @@
+
+ # include <openssl/rand.h>
+
++# if defined(__APPLE__) && !defined(OPENSSL_NO_APPLE_CRYPTO_RANDOM)
++# include <Availability.h>
++# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101000) || \
++ (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 80000)
++# define OPENSSL_APPLE_CRYPTO_RANDOM 1
++# include <CommonCrypto/CommonCryptoError.h>
++# include <CommonCrypto/CommonRandom.h>
++# endif
++# endif
++
+ /* forward declaration */
+ typedef struct rand_pool_st RAND_POOL;
+
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index 77a6b513ee6e..00bdf14ae157 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -188,14 +188,16 @@ in {
};
openssl_1_1 = common {
- version = "1.1.1k";
- sha256 = "1rdfzcrxy9y38wqdw5942vmdax9hjhgrprzxm42csal7p5shhal9";
+ version = "1.1.1l";
+ sha256 = "sha256-C3o+XlnDSCf+DDp0t+yLrvMCuY+oAIjX+RU6oW+na9E=";
patches = [
./1.1/nix-ssl-cert-file.patch
(if stdenv.hostPlatform.isDarwin
then ./1.1/use-etc-ssl-certs-darwin.patch
else ./1.1/use-etc-ssl-certs.patch)
+ ] ++ lib.optionals (stdenv.isDarwin) [
+ ./1.1/macos-yosemite-compat.patch
];
withDocs = true;
};
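Review bot: The new `./1.1/macos-yosemite-compat.patch` entry has no comment on where the patch comes from or when it can be removed, unlike a version bump that documents itself. The patch file's own header identifies it as upstream commit cef404f1e7a598166cbc2fd2e0048f7e2d752ad5, referencing issues #16407 and #16408. A line such as `# upstream cef404f1 (issues #16407, #16408): build on SDKs older than Yosemite; drop once a release includes it` would let the next updater remove it safely. As a style point, the guard uses `stdenv.isDarwin` while the list just above uses `stdenv.hostPlatform.isDarwin`; using the same form in both places, without the redundant parentheses, reads more consistently.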