Merge #156696: staging-next: 21.11 iteration 6

author: Vladimír Čunát <v@cunat.cz> 2022-01-29 19:07:26 +0100
committer: Vladimír Čunát <v@cunat.cz> 2022-01-29 19:07:54 +0100
commit: d46f6eaa6a934a02197eeb06f94b77c83b25d240 (patch)
tree: 7b4ca5ab94002292c16218dd36ecf2e0fc4971e8
parent: Merge pull request #157181 from NixOS/backport-157064-to-release-21.11 (diff)
parent: Merge release-21.11 into staging-next-21.11 (diff)
download: nixpkgs-d46f6eaa6a934a02197eeb06f94b77c83b25d240.tar.gz
19 files changed, 218 insertions, 33 deletions
diff --git a/pkgs/applications/editors/vim/common.nix b/pkgs/applications/editors/vim/common.nix
index e068f7df50b4..51a9b9af5bfd 100644
--- a/pkgs/applications/editors/vim/common.nix
+++ b/pkgs/applications/editors/vim/common.nix
@@ -1,12 +1,12 @@
 { lib, fetchFromGitHub }:
 rec {
-  version = "8.2.3451";
+  version = "8.2.4186";
 
   src = fetchFromGitHub {
     owner = "vim";
     repo = "vim";
     rev = "v${version}";
-    sha256 = "sha256-8OaEaFyOaL59j0EZkUY+kuR6si79H2dN09f8SnltxbQ=";
+    sha256 = "0g276mbmq69z7c4kgj59r0azxmx9ih2sd8v83dx2gfph6wgw65ph";
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/build-support/libredirect/default.nix b/pkgs/build-support/libredirect/default.nix
index f87c6d23dd79..3b96cd157c75 100644
--- a/pkgs/build-support/libredirect/default.nix
+++ b/pkgs/build-support/libredirect/default.nix
@@ -1,5 +1,4 @@
-{ stdenv, lib, coreutils }:
-
+{ lib, stdenv, bintools-unwrapped, llvmPackages_13, coreutils }:
 stdenv.mkDerivation rec {
   pname = "libredirect";
   version = "0";
@@ -9,17 +8,36 @@ stdenv.mkDerivation rec {
     cp ${./test.c} test.c
   '';
 
-  libName = "libredirect" + stdenv.targetPlatform.extensions.sharedLibrary;
-
   outputs = ["out" "hook"];
 
+  libName = "libredirect" + stdenv.targetPlatform.extensions.sharedLibrary;
+
   buildPhase = ''
     runHook preBuild
 
-    $CC -Wall -std=c99 -O3 -fPIC -ldl -shared \
-      ${lib.optionalString stdenv.isDarwin "-Wl,-install_name,$out/lib/$libName"} \
-      -o "$libName" \
-      libredirect.c
+    ${if stdenv.isDarwin && stdenv.isAarch64 then ''
+    # We need the unwrapped binutils and clang:
+    # We also want to build a fat library with x86_64, arm64, arm64e in there.
+    # Because we use the unwrapped tools, we need to provide -isystem for headers
+    # and the library search directory for libdl.
+    # We can't build this on x86_64, because the libSystem we point to doesn't
+    # like arm64(e).
+    PATH=${bintools-unwrapped}/bin:${llvmPackages_13.clang-unwrapped}/bin:$PATH \
+      clang -arch x86_64 -arch arm64 -arch arm64e \
+      -isystem ${llvmPackages_13.clang.libc}/include \
+      -isystem ${llvmPackages_13.libclang.lib}/lib/clang/*/include \
+      -L${llvmPackages_13.clang.libc}/lib \
+      -Wl,-install_name,$libName \
+      -Wall -std=c99 -O3 -fPIC libredirect.c \
+      -ldl -shared -o "$libName"
+    '' else if stdenv.isDarwin then ''
+    $CC -Wall -std=c99 -O3 -fPIC libredirect.c \
+      -Wl,-install_name,$out/lib/$libName \
+      -ldl -shared -o "$libName"
+    '' else ''
+    $CC -Wall -std=c99 -O3 -fPIC libredirect.c \
+      -ldl -shared -o "$libName"
+    ''}
 
     if [ -n "$doInstallCheck" ]; then
       $CC -Wall -std=c99 -O3 test.c -o test
@@ -38,6 +56,12 @@ stdenv.mkDerivation rec {
 
     install -vD "$libName" "$out/lib/$libName"
 
+  '' + lib.optionalString (stdenv.isDarwin && stdenv.isAarch64) ''
+    # dylib will be rejected unless dylib rpath gets explictly set
+    install_name_tool \
+      -change $libName $out/lib/$libName \
+      $out/lib/$libName
+  '' + ''
     # Provide a setup hook that injects our library into every process.
     mkdir -p "$hook/nix-support"
     cat <<SETUP_HOOK > "$hook/nix-support/setup-hook"
diff --git a/pkgs/development/compilers/go/1.16.nix b/pkgs/development/compilers/go/1.16.nix
index 433d3f9af7a3..9c8fd4bedcea 100644
--- a/pkgs/development/compilers/go/1.16.nix
+++ b/pkgs/development/compilers/go/1.16.nix
@@ -51,11 +51,11 @@ in
 
 stdenv.mkDerivation rec {
   pname = "go";
-  version = "1.16.9";
+  version = "1.16.13";
 
   src = fetchurl {
     url = "https://dl.google.com/go/go${version}.src.tar.gz";
-    sha256 = "sha256-ChzH/XvSBEj3Hr7WTYRhOIUNUJmxjPXMEKT8RRYNjD0=";
+    sha256 = "sha256-sJJmVOrrAe9DgWY49C17FoHy0/QblVnwdzVSK3r61Bo=";
   };
 
   # perl is used for testing go vet
diff --git a/pkgs/development/compilers/rust/1_56.nix b/pkgs/development/compilers/rust/1_56.nix
index 49df8bcd5ecd..3e63abac823c 100644
--- a/pkgs/development/compilers/rust/1_56.nix
+++ b/pkgs/development/compilers/rust/1_56.nix
@@ -17,6 +17,7 @@
 , makeRustPlatform
 , llvmPackages_11
 , llvmPackages_13, llvm_13
+, fetchpatch
 } @ args:
 
 import ./default.nix {
@@ -57,6 +58,23 @@ import ./default.nix {
   selectRustPackage = pkgs: pkgs.rust_1_56;
 
   rustcPatches = [
+    # Patch 0001 was skipped as it doesn't apply cleanly and affects Windows-only code.
+    (fetchpatch {
+      name = "0002-CVE-2022-21658.patch";
+      url = "https://raw.githubusercontent.com/rust-lang/wg-security-response/240384a5fd494d4f8167c0ffa8ef566661003d8a/patches/CVE-2022-21658/0002-Fix-CVE-2022-21658-for-UNIX-like.patch";
+      sha256 = "0gwjp7clh52mg2pps44awwpdq9zq2nci8q97jaljis7h16yx3ra7";
+    })
+    (fetchpatch {
+      name = "0003-CVE-2022-21658.patch";
+      url = "https://raw.githubusercontent.com/rust-lang/wg-security-response/240384a5fd494d4f8167c0ffa8ef566661003d8a/patches/CVE-2022-21658/0003-Fix-CVE-2022-21658-for-WASI.patch";
+      sha256 = "01d77a15gikzkql4q6y43bx1cx8hy8n71v1qmlnzp7wg40v78xrp";
+    })
+    (fetchpatch {
+      name = "0004-CVE-2022-21658.patch";
+      url = "https://raw.githubusercontent.com/rust-lang/wg-security-response/240384a5fd494d4f8167c0ffa8ef566661003d8a/patches/CVE-2022-21658/0004-Update-std-fs-remove_dir_all-documentation.patch";
+      sha256 = "08afz21m1k12245q1jg813cnwl8gc95ajbzqn6mwlppqhhi4wdq2";
+    })
+    # Patch 0005 was skipped as it doesn't apply cleanly and only affects platforms that aren't Linux.
   ];
 }
 
diff --git a/pkgs/development/libraries/expat/CVE-2022-23852-fix.patch b/pkgs/development/libraries/expat/CVE-2022-23852-fix.patch
new file mode 100644
index 000000000000..fbbd080db4ed
--- /dev/null
+++ b/pkgs/development/libraries/expat/CVE-2022-23852-fix.patch
@@ -0,0 +1,26 @@
+From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Sat, 22 Jan 2022 17:48:00 +0100
+Subject: [PATCH] lib: Detect and prevent integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+---
+ expat/lib/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d54af683..5ce31402 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
+     keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
+     if (keep > XML_CONTEXT_BYTES)
+       keep = XML_CONTEXT_BYTES;
++    /* Detect and prevent integer overflow */
++    if (keep > INT_MAX - neededSize) {
++      parser->m_errorCode = XML_ERROR_NO_MEMORY;
++      return NULL;
++    }
+     neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+     if (neededSize
diff --git a/pkgs/development/libraries/expat/CVE-2022-23852-test.patch b/pkgs/development/libraries/expat/CVE-2022-23852-test.patch
new file mode 100644
index 000000000000..3dca8f914a8f
--- /dev/null
+++ b/pkgs/development/libraries/expat/CVE-2022-23852-test.patch
@@ -0,0 +1,55 @@
+From acf956f14bf79a5e6383a969aaffec98bfbc2e44 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 23 Jan 2022 18:17:04 +0100
+Subject: [PATCH] tests: Cover integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+---
+ expat/tests/runtests.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index e89e8220..579dad1a 100644
+--- a/expat/tests/runtests.c
++++ b/expat/tests/runtests.c
+@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {
+ }
+ END_TEST
+ 
++/* Test for signed integer overflow CVE-2022-23852 */
++#if defined(XML_CONTEXT_BYTES)
++START_TEST(test_get_buffer_3_overflow) {
++  XML_Parser parser = XML_ParserCreate(NULL);
++  assert(parser != NULL);
++
++  const char *const text = "\n";
++  const int expectedKeepValue = (int)strlen(text);
++
++  // After this call, variable "keep" in XML_GetBuffer will
++  // have value expectedKeepValue
++  if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
++      == XML_STATUS_ERROR)
++    xml_failure(parser);
++
++  assert(expectedKeepValue > 0);
++  if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
++    fail("enlarging buffer not failed");
++
++  XML_ParserFree(parser);
++}
++END_TEST
++#endif // defined(XML_CONTEXT_BYTES)
++
+ /* Test position information macros */
+ START_TEST(test_byte_info_at_end) {
+   const char *text = "<doc></doc>";
+@@ -11731,6 +11755,9 @@ make_suite(void) {
+   tcase_add_test(tc_basic, test_empty_parse);
+   tcase_add_test(tc_basic, test_get_buffer_1);
+   tcase_add_test(tc_basic, test_get_buffer_2);
++#if defined(XML_CONTEXT_BYTES)
++  tcase_add_test(tc_basic, test_get_buffer_3_overflow);
++#endif
+   tcase_add_test(tc_basic, test_byte_info_at_end);
+   tcase_add_test(tc_basic, test_byte_info_at_error);
+   tcase_add_test(tc_basic, test_byte_info_at_cdata);
diff --git a/pkgs/development/libraries/expat/default.nix b/pkgs/development/libraries/expat/default.nix
index 3bfc215aea7b..5bd03824441a 100644
--- a/pkgs/development/libraries/expat/default.nix
+++ b/pkgs/development/libraries/expat/default.nix
@@ -7,13 +7,19 @@
 
 stdenv.mkDerivation rec {
   pname = "expat";
-  version = "2.4.1";
+  version = "2.4.3";
 
   src = fetchurl {
     url = "https://github.com/libexpat/libexpat/releases/download/R_${lib.replaceStrings ["."] ["_"] version}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-zwMtDbqbkoY2VI4ysyei1msaq2PE9KE90TLC0dLy+2o=";
+    sha256 = "sha256-sfnxsaXrsKyqiMn/eb+k4UWCO3iqUYXlxdhfBggkd4o=";
   };
 
+  patches = [
+    ./CVE-2022-23852-fix.patch
+    ./CVE-2022-23852-test.patch
+  ];
+  patchFlags = "-p2";
+
   outputs = [ "out" "dev" ]; # TODO: fix referrers
   outputBin = "dev";
 
diff --git a/pkgs/development/libraries/glibc/2.33-master.patch.gz b/pkgs/development/libraries/glibc/2.33-master.patch.gz
index aecf1550feff..13ef601408c5 100644
--- a/pkgs/development/libraries/glibc/2.33-master.patch.gz
+++ b/pkgs/development/libraries/glibc/2.33-master.patch.gz
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index 1bc5bf08ee46..d633a202025d 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -44,7 +44,7 @@
 
 let
   version = "2.33";
-  patchSuffix = "-62";
+  patchSuffix = "-78";
   sha256 = "sha256-LiVWAA4QXb1X8Layoy/yzxc73k8Nhd/8z9i35RoGd/8=";
 in
 
@@ -63,7 +63,7 @@ stdenv.mkDerivation ({
     [
       /* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping.
           $ git fetch --all -p && git checkout origin/release/2.33/master && git describe
-          glibc-2.33-62-gc493f6a0e4
+          glibc-2.33-71-gac148bdd88
           $ git show --minimal --reverse glibc-2.33.. | gzip -9n --rsyncable - > 2.33-master.patch.gz
 
          To compare the archive contents zdiff can be used.
diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix
index ace18afdeed8..1b4c4212def2 100644
--- a/pkgs/development/libraries/gnutls/default.nix
+++ b/pkgs/development/libraries/gnutls/default.nix
@@ -1,4 +1,5 @@
 { config, lib, stdenv, fetchurl, zlib, lzo, libtasn1, nettle, pkg-config, lzip
+, fetchpatch
 , perl, gmp, autoconf, automake, libidn, p11-kit, libiconv
 , unbound, dns-root-data, gettext, util-linux
 , guileBindings ? config.gnutls.guile or false, guile
@@ -31,7 +32,14 @@ stdenv.mkDerivation rec {
   outputInfo = "devdoc";
   outputDoc  = "devdoc";
 
-  patches = [ ./nix-ssl-cert-file.patch ]
+  patches = [
+    ./nix-ssl-cert-file.patch
+    (fetchpatch {
+      name = "GNUTLS-SA-2022-01-17.diff"; # no CVE number (yet)
+      url = "https://gitlab.com/gnutls/gnutls/-/commit/22f837ba0bc7d13c3d738a8583566368fc12aee1.diff";
+      sha256 = "bLutc0Uc64B7MiR/dxZuE9zUkHQjjtUO1cSa4ODfuwQ=";
+    })
+  ]
     # Disable native add_system_trust.
     ++ lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;
 
diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
index 05935e65ea04..a5d41d48629f 100644
--- a/pkgs/development/libraries/mesa/default.nix
+++ b/pkgs/development/libraries/mesa/default.nix
@@ -33,7 +33,7 @@ with lib;
 let
   # Release calendar: https://www.mesa3d.org/release-calendar.html
   # Release frequency: https://www.mesa3d.org/releasing.html#schedule
-  version = "21.2.5";
+  version = "21.2.6";
   branch  = versions.major version;
 
 self = stdenv.mkDerivation {
@@ -47,7 +47,7 @@ self = stdenv.mkDerivation {
       "ftp://ftp.freedesktop.org/pub/mesa/${version}/mesa-${version}.tar.xz"
       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
     ];
-    sha256 = "1fxcdf4qs4vmyjcns7jv62w4jy3gr383ar5b7mr77nb0nxgmhjcf";
+    sha256 = "0m69h3f9fr66h6xjxfc485zfdci6kl8j24ab0kx5k23f7kcj4zhy";
   };
 
   # TODO:
diff --git a/pkgs/development/libraries/webkitgtk/default.nix b/pkgs/development/libraries/webkitgtk/default.nix
index d8b7bbc6d65b..e9026d46bc69 100644
--- a/pkgs/development/libraries/webkitgtk/default.nix
+++ b/pkgs/development/libraries/webkitgtk/default.nix
@@ -64,7 +64,7 @@ assert enableGeoLocation -> geoclue2 != null;
 
 stdenv.mkDerivation rec {
   pname = "webkitgtk";
-  version = "2.34.3";
+  version = "2.34.4";
 
   outputs = [ "out" "dev" ];
 
@@ -72,7 +72,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://webkitgtk.org/releases/${pname}-${version}.tar.xz";
-    sha256 = "sha256-DS83qjLiGjbk3Vpc565c4nQ1wp1oA7liuMkMsMxJxS0=";
+    sha256 = "sha256-l19QGRmbp2mRkYNc914BoYuU47zQEH2nOJ1N3LGrpAY=";
   };
 
   patches = lib.optionals stdenv.isLinux [
diff --git a/pkgs/development/python-modules/ipython/default.nix b/pkgs/development/python-modules/ipython/default.nix
index 7b844228225b..6b77494a61f2 100644
--- a/pkgs/development/python-modules/ipython/default.nix
+++ b/pkgs/development/python-modules/ipython/default.nix
@@ -2,6 +2,7 @@
 , stdenv
 , buildPythonPackage
 , fetchPypi
+, fetchpatch
 , pythonOlder
 # Build dependencies
 , glibcLocales
@@ -18,6 +19,7 @@
 , pexpect
 , appnope
 , backcall
+, pytest
 }:
 
 buildPythonPackage rec {
@@ -30,13 +32,21 @@ buildPythonPackage rec {
     sha256 = "2097be5c814d1b974aea57673176a924c4c8c9583890e7a5f082f547b9975b11";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2022-21699.patch";
+      url = "https://github.com/ipython/ipython/commit/67ca2b3aa9039438e6f80e3fccca556f26100b4d.patch";
+      excludes = [ "docs/source/whatsnew/version7.rst" ];
+      sha256 = "1ybpgfqppkzaz4q15qgacvhicdxfsdacl89sgj2fd9llc5mvfl26";
+    })
+  ];
+
   prePatch = lib.optionalString stdenv.isDarwin ''
     substituteInPlace setup.py --replace "'gnureadline'" " "
   '';
 
   buildInputs = [ glibcLocales ];
 
-  checkInputs = [ nose pygments ];
 
   propagatedBuildInputs = [
     jedi
@@ -52,10 +62,12 @@ buildPythonPackage rec {
 
   LC_ALL="en_US.UTF-8";
 
-  doCheck = false; # Circular dependency with ipykernel
-
+  # full tests normally disabled due to a circular dependency with
+  # ipykernel, but we want to test the CVE-2022-21699 fix in this
+  # branch
+  checkInputs = [ pytest ];
   checkPhase = ''
-    nosetests
+    pytest IPython/tests/cve.py
   '';
 
   pythonImportsCheck = [
diff --git a/pkgs/development/python-modules/pillow/default.nix b/pkgs/development/python-modules/pillow/default.nix
index c6bb944c232b..59e61e0d2e1d 100644
--- a/pkgs/development/python-modules/pillow/default.nix
+++ b/pkgs/development/python-modules/pillow/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, buildPythonPackage, fetchPypi, isPyPy, isPy3k
+{ lib, stdenv, buildPythonPackage, fetchPypi, isPyPy, isPy3k, fetchpatch
 , defusedxml, olefile, freetype, libjpeg, zlib, libtiff, libwebp, tcl, lcms2, tk, libX11
 , libxcb, openjpeg, libimagequant, pyroma, numpy, pytestCheckHook
 }@args:
@@ -14,6 +14,25 @@ import ./generic.nix (rec {
     sha256 = "1361y215ydmdh4il1vay5831aqivmpwgzjqrphqjdiq0ipnz7qyx";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2022-22815.patch";
+      url = "https://github.com/python-pillow/Pillow/commit/1e092419b6806495c683043ab3feb6ce264f3b9c.patch";
+      sha256 = "1mafa8ixh4a4nh98yjp7dhh68kk4sxbzjm468h9gjba0py8657rd";
+    })
+    (fetchpatch {
+      name = "CVE-2022-22816.patch";
+      url = "https://github.com/python-pillow/Pillow/commit/c48271ab354db49cdbd740bc45e13be4f0f7993c.patch";
+      sha256 = "1jr25918lxqljswv1jc7m3nn370xrz0l7g39lbyh5ndjz1dmnpvv";
+    })
+    (fetchpatch {
+      name = "CVE-2022-22817.patch";
+      url = "https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11.patch";
+      excludes = [ "docs/releasenotes/9.0.0.rst" ];
+      sha256 = "13va7lmja9bkp1d8bnwpns9nh7p31kal89cvfky4r95lx0ckrnfv";
+    })
+  ];
+
   meta = with lib; {
     homepage = "https://python-pillow.org/";
     description = "The friendly PIL fork (Python Imaging Library)";
diff --git a/pkgs/development/python-modules/pillow/generic.nix b/pkgs/development/python-modules/pillow/generic.nix
index 3e33f1a8aa0f..24bd16386f22 100644
--- a/pkgs/development/python-modules/pillow/generic.nix
+++ b/pkgs/development/python-modules/pillow/generic.nix
@@ -3,13 +3,14 @@
 , disabled
 , src
 , meta
+, patches ? []
 , ...
 }@args:
 
 with args;
 
 buildPythonPackage rec {
-  inherit pname version src meta;
+  inherit pname version src meta patches;
 
   # Disable imagefont tests, because they don't work well with infinality:
   # https://github.com/python-pillow/Pillow/issues/1259
diff --git a/pkgs/os-specific/bsd/netbsd/compat-setup-hook.sh b/pkgs/os-specific/bsd/netbsd/compat-setup-hook.sh
index 3c49337a937c..acd90b7aa2f0 100644
--- a/pkgs/os-specific/bsd/netbsd/compat-setup-hook.sh
+++ b/pkgs/os-specific/bsd/netbsd/compat-setup-hook.sh
@@ -3,4 +3,3 @@ getHostRole
 
 export NIX_LDFLAGS${role_post}+=" -lnbcompat"
 export NIX_CFLAGS_COMPILE${role_post}+=" -DHAVE_NBTOOL_CONFIG_H"
-export NIX_CFLAGS_COMPILE${role_post}+=" -include nbtool_config.h"
diff --git a/pkgs/os-specific/bsd/netbsd/default.nix b/pkgs/os-specific/bsd/netbsd/default.nix
index b438ea98a266..b615b2647295 100644
--- a/pkgs/os-specific/bsd/netbsd/default.nix
+++ b/pkgs/os-specific/bsd/netbsd/default.nix
@@ -120,7 +120,17 @@ in lib.makeScopeWithSplicing
   } // lib.optionalAttrs (attrs.headersOnly or false) {
     installPhase = "includesPhase";
     dontBuild = true;
-  } // attrs));
+  } // attrs // {
+    postPatch = lib.optionalString (!stdenv'.hostPlatform.isNetBSD) ''
+      # Files that use NetBSD-specific macros need to have nbtool_config.h
+      # included ahead of them on non-NetBSD platforms.
+      set +e
+      grep -Zlr "^__RCSID
+      ^__BEGIN_DECLS" | xargs -0r grep -FLZ nbtool_config.h |
+          xargs -0tr sed -i '0,/^#/s//#include <nbtool_config.h>\n\0/'
+      set -e
+    '' + attrs.postPatch or "";
+  }));
 
   ##
   ## START BOOTSTRAPPING
@@ -182,6 +192,12 @@ in lib.makeScopeWithSplicing
     configurePlatforms = [ "build" "host" ];
     configureFlags = [
       "--cache-file=config.cache"
+    ] ++ lib.optionals stdenv.hostPlatform.isMusl [
+      # We include this header in our musl package only for legacy
+      # compatibility, and compat works fine without it (and having it
+      # know about sys/cdefs.h breaks packages like glib when built
+      # statically).
+      "ac_cv_header_sys_cdefs_h=no"
     ];
 
     nativeBuildInputs = with buildPackages.netbsd; commonDeps ++ [
diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix
index 0818d7bde794..86838b29fbda 100644
--- a/pkgs/os-specific/linux/util-linux/default.nix
+++ b/pkgs/os-specific/linux/util-linux/default.nix
@@ -5,11 +5,11 @@
 
 stdenv.mkDerivation rec {
   pname = "util-linux";
-  version = "2.37.2";
+  version = "2.37.3";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/util-linux/v${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-agdkwarn+2B++KbdLA9sR9Xl/SeqCIIKuq2ewU4o6dk=";
+    sha256 = "sha256-WQxZLljNa/OFGctGevBc5qGrGAQOPjQY8kvPsvVfl3Y=";
   };
 
   patches = [
diff --git a/pkgs/tools/filesystems/e2fsprogs/default.nix b/pkgs/tools/filesystems/e2fsprogs/default.nix
index 5f1775e77e09..d630c7d43f61 100644
--- a/pkgs/tools/filesystems/e2fsprogs/default.nix
+++ b/pkgs/tools/filesystems/e2fsprogs/default.nix
@@ -4,11 +4,11 @@
 
 stdenv.mkDerivation rec {
   pname = "e2fsprogs";
-  version = "1.46.4";
+  version = "1.46.5";
 
   src = fetchurl {
     url = "mirror://sourceforge/${pname}/${pname}-${version}.tar.gz";
-    sha256 = "0ra2d1wasksy1zy3rgviwdni40dnamchisjrrqqi940y545m493m";
+    sha256 = "1fgvwbj9ihz5svzrd2l0s18k16r4qg3wimrniv71fn3vdcg0shxp";
   };
 
   outputs = [ "bin" "dev" "out" "man" "info" ];
@@ -67,6 +67,7 @@ stdenv.mkDerivation rec {
 
   meta = with lib; {
     homepage = "http://e2fsprogs.sourceforge.net/";
+    changelog = "http://e2fsprogs.sourceforge.net/e2fsprogs-release.html#${version}";
     description = "Tools for creating and checking ext2/ext3/ext4 filesystems";
     license = with licenses; [
       gpl2Plus
author	Vladimír Čunát <v@cunat.cz>	2022-01-29 19:07:26 +0100
committer	Vladimír Čunát <v@cunat.cz>	2022-01-29 19:07:54 +0100
commit	d46f6eaa6a934a02197eeb06f94b77c83b25d240 (patch)
tree	7b4ca5ab94002292c16218dd36ecf2e0fc4971e8
parent	Merge pull request #157181 from NixOS/backport-157064-to-release-21.11 (diff)
parent	Merge release-21.11 into staging-next-21.11 (diff)
download	nixpkgs-d46f6eaa6a934a02197eeb06f94b77c83b25d240.tar.gz