Merge remote-tracking branch 'origin/staging-16.09' into release-16.09

pkgs/os-specific/linux/util-linux/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, pkgconfig, zlib, ncurses ? null, perl ? null, pam, systemd, minimal ? false }:
+{ lib, stdenv, fetchurl, pkgconfig, zlib, libseccomp, fetchpatch, autoreconfHook, ncurses ? null, perl ? null, pam, systemd, minimal ? false }:
 
 stdenv.mkDerivation rec {
   name = "util-linux-${version}";
@@ -14,7 +14,11 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./rtcwake-search-PATH-for-shutdown.patch
-  ];
+    (fetchpatch {
+      name = "CVE-2016-2779.diff";
+      url = https://github.com/karelzak/util-linux/commit/8e4925016875c6a4f2ab4f833ba66f0fc57396a2.patch;
+      sha256 = "0kmigkq4s1b1ijrq8vcg2a5cw4qnm065m7cb1jn1q1f4x99ycy60";
+  })];
 
   outputs = [ "bin" "dev" "out" "man" ];
 
@@ -50,9 +54,11 @@ stdenv.mkDerivation rec {
 
   makeFlags = "usrbin_execdir=$(bin)/bin usrsbin_execdir=$(bin)/sbin";
 
-  nativeBuildInputs = [ pkgconfig ];
+  # autoreconfHook is required for CVE-2016-2779
+  nativeBuildInputs = [ pkgconfig autoreconfHook ];
+  # libseccomp is required for CVE-2016-2779
   buildInputs =
-    [ zlib pam ]
+    [ zlib pam libseccomp ]
     ++ lib.optional (ncurses != null) ncurses
     ++ lib.optional (systemd != null) systemd
     ++ lib.optional (perl != null) perl;

pkgs/shells/bash/bash-4.3-patches.nix

@@ -47,4 +47,6 @@ patch: [
 (patch "044" "16bzaq9fs2kaw2n2k6vvljkjw5k5kx06isnq8hxkfrxz60384f4k")
 (patch "045" "08q02mj9imp2njpgm6f5q5m61i7qzp33rbxxzarixalyisbw6vms")
 (patch "046" "13v8dymwj83wcvrfayjqrs5kqar05bcj4zpiacrjkkchnsk5dd5k")
+(patch "047" "0jkwqviwkqdc13wv3q0g0kapjr68ggs1xzhqy696pfkqgvg4i4n6")
+(patch "048" "18nzlk1idwkq0xd54s83lx8kam8kcvz7yc0mw6hnq2ax3i2ib0jv")
 ]