diff options
author | Ricardo Wurmus <rekado@elephly.net> | 2018-06-29 22:51:23 +0200 |
---|---|---|
committer | Ricardo Wurmus <rekado@elephly.net> | 2018-06-29 22:51:23 +0200 |
commit | f1728d43460e63b106dd446e70001d8e100eaf6d (patch) | |
tree | 9d211fabf9e200743be49e25d108d58ed88d2f60 /gnu/packages/patches | |
parent | cda7f4bc8ecf331d623c7d37b01931a46830c648 (diff) | |
parent | 373cc3b74a6ad33fddf75c2d773a97b1775bda8e (diff) | |
download | guix-f1728d43460e63b106dd446e70001d8e100eaf6d.tar.gz |
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
34 files changed, 3074 insertions, 608 deletions
diff --git a/gnu/packages/patches/beignet-correct-file-names.patch b/gnu/packages/patches/beignet-correct-file-names.patch new file mode 100644 index 0000000000..2c5d0bbaea --- /dev/null +++ b/gnu/packages/patches/beignet-correct-file-names.patch @@ -0,0 +1,32 @@ +Help CMake find Clang's libraries. +Have it install the ICD file in the right place. + +diff --git a/CMake/FindLLVM.cmake b/CMake/FindLLVM.cmake +index 5457f248..e8e8f94a 100644 +--- a/CMake/FindLLVM.cmake ++++ b/CMake/FindLLVM.cmake +@@ -107,7 +107,7 @@ endif (LLVM_VERSION_NODOT VERSION_GREATER 34) + macro(add_one_lib name) + FIND_LIBRARY(CLANG_LIB + NAMES ${name} +- PATHS ${LLVM_LIBRARY_DIR} NO_DEFAULT_PATH) ++ PATHS ${CLANG_LIBRARY_DIR} NO_DEFAULT_PATH) + set(CLANG_LIBRARIES ${CLANG_LIBRARIES} ${CLANG_LIB}) + unset(CLANG_LIB CACHE) + endmacro() +diff --git a/CMakeLists.txt b/CMakeLists.txt +index c11acbb2..fb99e5c8 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -217,7 +217,7 @@ IF(OCLIcd_FOUND) + "intel-beignet.icd.in" + "${ICD_FILE_NAME}" + ) +- install (FILES ${CMAKE_CURRENT_BINARY_DIR}/${ICD_FILE_NAME} DESTINATION /etc/OpenCL/vendors) ++ install (FILES ${CMAKE_CURRENT_BINARY_DIR}/${ICD_FILE_NAME} DESTINATION etc/OpenCL/vendors COMPONENT config) + ELSE(OCLIcd_FOUND) + MESSAGE(STATUS "Looking for OCL ICD header file - not found") + MESSAGE(FATAL_ERROR "OCL ICD loader miss. If you really want to disable OCL ICD support, please run cmake with option -DOCLICD_COMPAT=0.") +-- +2.14.3 + diff --git a/gnu/packages/patches/bind-CVE-2018-5738.patch b/gnu/packages/patches/bind-CVE-2018-5738.patch new file mode 100644 index 0000000000..ddef014651 --- /dev/null +++ b/gnu/packages/patches/bind-CVE-2018-5738.patch @@ -0,0 +1,100 @@ +Fix CVE-2018-5738: + +https://kb.isc.org/article/AA-01616/0/CVE-2018-5738 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738 + +diff --git a/bin/named/server.c b/bin/named/server.c +index f63554e..847c4ff 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + CHECKM(named_config_getport(config, &port), "port"); + dns_view_setdstport(view, port); + +- CHECK(configure_view_acl(vconfig, config, named_g_config, +- "allow-query", NULL, actx, +- named_g_mctx, &view->queryacl)); +- + /* + * Make the list of response policy zone names for a view that + * is used for real lookups and so cares about hints. +@@ -4692,21 +4688,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + "allow-query-cache-on", NULL, actx, + named_g_mctx, &view->cacheonacl)); + /* +- * Set "allow-query-cache", "allow-recursion", and +- * "allow-recursion-on" acls if configured in named.conf. +- * (Ignore the global defaults for now, because these ACLs +- * can inherit from each other when only some of them set at +- * the options/view level.) ++ * Set the "allow-query", "allow-query-cache", "allow-recursion", ++ * and "allow-recursion-on" ACLs if configured in named.conf, but ++ * NOT from the global defaults. This is done by leaving the third ++ * argument to configure_view_acl() NULL. ++ * ++ * We ignore the global defaults here because these ACLs ++ * can inherit from each other. If any are still unset after ++ * applying the inheritance rules, we'll look up the defaults at ++ * that time. + */ +- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache", +- NULL, actx, named_g_mctx, &view->cacheacl)); ++ ++ /* named.conf only */ ++ CHECK(configure_view_acl(vconfig, config, NULL, ++ "allow-query", NULL, actx, ++ named_g_mctx, &view->queryacl)); ++ ++ /* named.conf only */ ++ CHECK(configure_view_acl(vconfig, config, NULL, ++ "allow-query-cache", NULL, actx, ++ named_g_mctx, &view->cacheacl)); + + if (strcmp(view->name, "_bind") != 0 && + view->rdclass != dns_rdataclass_chaos) + { ++ /* named.conf only */ + CHECK(configure_view_acl(vconfig, config, NULL, + "allow-recursion", NULL, actx, + named_g_mctx, &view->recursionacl)); ++ /* named.conf only */ + CHECK(configure_view_acl(vconfig, config, NULL, + "allow-recursion-on", NULL, actx, + named_g_mctx, &view->recursiononacl)); +@@ -4744,18 +4754,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + * the global config. + */ + if (view->recursionacl == NULL) { ++ /* global default only */ + CHECK(configure_view_acl(NULL, NULL, named_g_config, + "allow-recursion", NULL, + actx, named_g_mctx, + &view->recursionacl)); + } + if (view->recursiononacl == NULL) { ++ /* global default only */ + CHECK(configure_view_acl(NULL, NULL, named_g_config, + "allow-recursion-on", NULL, + actx, named_g_mctx, + &view->recursiononacl)); + } + if (view->cacheacl == NULL) { ++ /* global default only */ + CHECK(configure_view_acl(NULL, NULL, named_g_config, + "allow-query-cache", NULL, + actx, named_g_mctx, +@@ -4769,6 +4782,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + CHECK(dns_acl_none(mctx, &view->cacheacl)); + } + ++ if (view->queryacl == NULL) { ++ /* global default only */ ++ CHECK(configure_view_acl(NULL, NULL, named_g_config, ++ "allow-query", NULL, ++ actx, named_g_mctx, ++ &view->queryacl)); ++ } ++ + /* + * Ignore case when compressing responses to the specified + * clients. This causes case not always to be preserved, diff --git a/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch b/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch new file mode 100644 index 0000000000..fbd596862b --- /dev/null +++ b/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch @@ -0,0 +1,36 @@ +Fix a regression in Binutils 2.30 where some symbols are incorrectly assumed +to be addresses: + +https://sourceware.org/bugzilla/show_bug.cgi?id=22764 + +Patch taken from upstream (with ChangeLog entries and tests omitted): + +https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=279b2f94168ee91e02ccd070d27c983fc001fe12 + +diff --git a/bfd/elfnn-aarch64.c b/bfd/elfnn-aarch64.c +index af448f9..2737773 100644 +--- a/bfd/elfnn-aarch64.c ++++ b/bfd/elfnn-aarch64.c +@@ -7189,10 +7189,19 @@ elfNN_aarch64_check_relocs (bfd *abfd, struct bfd_link_info *info, + #if ARCH_SIZE == 64 + case BFD_RELOC_AARCH64_32: + #endif +- if (bfd_link_pic (info) +- && (sec->flags & SEC_ALLOC) != 0 +- && (sec->flags & SEC_READONLY) != 0) ++ if (bfd_link_pic (info) && (sec->flags & SEC_ALLOC) != 0) + { ++ if (h != NULL ++ /* This is an absolute symbol. It represents a value instead ++ of an address. */ ++ && ((h->root.type == bfd_link_hash_defined ++ && bfd_is_abs_section (h->root.u.def.section)) ++ /* This is an undefined symbol. */ ++ || h->root.type == bfd_link_hash_undefined)) ++ break; ++ ++ /* For local symbols, defined global symbols in a non-ABS section, ++ it is assumed that the value is an address. */ + int howto_index = bfd_r_type - BFD_RELOC_AARCH64_RELOC_START; + _bfd_error_handler + /* xgettext:c-format */ diff --git a/gnu/packages/patches/dovecot-trees-support-dovecot-2.3.patch b/gnu/packages/patches/dovecot-trees-support-dovecot-2.3.patch new file mode 100644 index 0000000000..314f6b6de0 --- /dev/null +++ b/gnu/packages/patches/dovecot-trees-support-dovecot-2.3.patch @@ -0,0 +1,60 @@ +From: Tobias Geerinckx-Rice <me@tobias.gr> +Date: Mon, 25 Jun 2018 00:34:52 +0200 +Subject: dovecot-trees: Fix build with dovecot 2.3. + +The following patch was taken verbatim from the upstream repository[0] +and will be included in the next release. + +[0]: https://0xacab.org/riseuplabs/trees/commit/e136c32a044701d68b0235b8405357c5fca62a11 +--- +From e136c32a044701d68b0235b8405357c5fca62a11 Mon Sep 17 00:00:00 2001 +From: David Goulet <dgoulet@ev0ke.net> +Date: Tue, 10 Apr 2018 13:48:01 -0400 +Subject: [PATCH] Support dovecot 2.3 + +Untested but it builds now properly. Thanks to "smorks" for the report! + +Fixes #16 + +Signed-off-by: David Goulet <dgoulet@ev0ke.net> +--- + src/trees-istream.c | 4 ++++ + src/trees-ostream.c | 7 +++++++ + 2 files changed, 11 insertions(+) + +diff --git a/src/trees-istream.c b/src/trees-istream.c +index b08ff16..e94be7d 100644 +--- a/src/trees-istream.c ++++ b/src/trees-istream.c +@@ -431,5 +431,9 @@ trees_istream_create(struct istream *input, + sstream->out_byte_count = 0; + #endif + ++#if DOVECOT_PREREQ(2, 3) ++ return i_stream_create(&sstream->istream, input, i_stream_get_fd(input), 0); ++#else + return i_stream_create(&sstream->istream, input, i_stream_get_fd(input)); ++#endif /* DOVECOT_PREREQ */ + } +diff --git a/src/trees-ostream.c b/src/trees-ostream.c +index 1b25a91..0cb7867 100644 +--- a/src/trees-ostream.c ++++ b/src/trees-ostream.c +@@ -174,7 +174,14 @@ trees_ostream_sendv(struct ostream_private *stream, + static int + trees_ostream_flush(struct ostream_private *stream) + { ++ /* This is pretty ugly but unfortunately between 2.2 and 2.3, Dovecot changed ++ * the expected value to be non zero in 2.3+ . */ ++#if DOVECOT_PREREQ(2, 3) ++ ssize_t result = 1; ++#else + ssize_t result = 0; ++#endif /* DOVECOT_PREREQ */ ++ + struct trees_ostream *sstream = (struct trees_ostream *) stream; + + if (sstream->flushed) { +-- +2.17.1 + diff --git a/gnu/packages/patches/doxygen-gcc-ice.patch b/gnu/packages/patches/doxygen-gcc-ice.patch new file mode 100644 index 0000000000..fbfedcb7ab --- /dev/null +++ b/gnu/packages/patches/doxygen-gcc-ice.patch @@ -0,0 +1,25 @@ +Work around this GCC ICE: <https://bugs.gnu.org/31708>. It shows up +only when doing native compiles on armhf-linux. + +Yes it's a terrible patch, but it does the job. + +--- doxygen-1.8.13/qtools/qutfcodec.cpp 1970-01-01 01:00:00.000000000 +0100 ++++ doxygen-1.8.13/qtools/qutfcodec.cpp 2018-06-08 14:14:29.614009929 +0200 +@@ -189,7 +189,7 @@ int QUtf16Codec::heuristicContentMatch(c + } + + +- ++volatile const void *bomPointer = &QChar::byteOrderMark; + + class QUtf16Encoder : public QTextEncoder { + bool headerdone; +@@ -209,7 +209,7 @@ public: + headerdone = TRUE; + len_in_out = (1+uc.length())*(int)sizeof(QChar); + QCString d(len_in_out); +- memcpy(d.rawData(),&QChar::byteOrderMark,sizeof(QChar)); ++ memcpy(d.rawData(),(void *)bomPointer,sizeof(QChar)); + memcpy(d.rawData()+sizeof(QChar),uc.unicode(),uc.length()*sizeof(QChar)); + return d; + } diff --git a/gnu/packages/patches/elixir-disable-failing-tests.patch b/gnu/packages/patches/elixir-disable-failing-tests.patch deleted file mode 100644 index 547598b292..0000000000 --- a/gnu/packages/patches/elixir-disable-failing-tests.patch +++ /dev/null @@ -1,284 +0,0 @@ -Most of these tests fail for unknown reasons when run in the chroot -environment of a Guix build process. - -Common failures are: - - * Mix.Shell.cmd() fails with error 130 - * The git_repo fixture cannot be found - * Communication with spawned processes fails with EPIPE - * Failure to copy files - - -diff --git a/lib/elixir/test/elixir/kernel/cli_test.exs b/lib/elixir/test/elixir/kernel/cli_test.exs -index 3ffd56c..1232d19 100644 ---- a/lib/elixir/test/elixir/kernel/cli_test.exs -+++ b/lib/elixir/test/elixir/kernel/cli_test.exs -@@ -39,6 +39,7 @@ end - defmodule Kernel.CLI.OptionParsingTest do - use ExUnit.Case, async: true - -+ @tag :skip - test "properly parses paths" do - root = fixture_path("../../..") |> to_charlist - list = elixir('-pa "#{root}/*" -pz "#{root}/lib/*" -e "IO.inspect(:code.get_path, limit: :infinity)"') -@@ -57,6 +58,7 @@ end - defmodule Kernel.CLI.AtExitTest do - use ExUnit.Case, async: true - -+ @tag :skip - test "invokes at_exit callbacks" do - assert elixir(fixture_path("at_exit.exs") |> to_charlist) == - 'goodbye cruel world with status 1\n' -@@ -66,6 +68,7 @@ end - defmodule Kernel.CLI.ErrorTest do - use ExUnit.Case, async: true - -+ @tag :skip - test "properly format errors" do - assert :string.str('** (throw) 1', elixir('-e "throw 1"')) == 0 - assert :string.str('** (ErlangError) erlang error: 1', elixir('-e "error 1"')) == 0 -@@ -86,6 +89,7 @@ defmodule Kernel.CLI.CompileTest do - {:ok, [tmp_dir_path: tmp_dir_path, beam_file_path: beam_file_path, fixture: fixture]} - end - -+ @tag :skip - test "compiles code", context do - assert elixirc('#{context[:fixture]} -o #{context[:tmp_dir_path]}') == '' - assert File.regular?(context[:beam_file_path]) -@@ -96,6 +100,7 @@ defmodule Kernel.CLI.CompileTest do - Code.delete_path context[:tmp_dir_path] - end - -+ @tag :skip - test "fails on missing patterns", context do - output = elixirc('#{context[:fixture]} non_existing.ex -o #{context[:tmp_dir_path]}') - assert :string.str(output, 'non_existing.ex') > 0, "expected non_existing.ex to be mentioned" -@@ -103,6 +108,7 @@ defmodule Kernel.CLI.CompileTest do - refute File.exists?(context[:beam_file_path]), "expected the sample to not be compiled" - end - -+ @tag :skip - test "fails on missing write access to .beam file", context do - compilation_args = '#{context[:fixture]} -o #{context[:tmp_dir_path]}' - -diff --git a/lib/elixir/test/elixir/kernel/dialyzer_test.exs b/lib/elixir/test/elixir/kernel/dialyzer_test.exs -index 801d852..40fc5bc 100644 ---- a/lib/elixir/test/elixir/kernel/dialyzer_test.exs -+++ b/lib/elixir/test/elixir/kernel/dialyzer_test.exs -@@ -60,16 +60,19 @@ defmodule Kernel.DialyzerTest do - assert_dialyze_no_warnings! context - end - -+ @tag :skip - test "no warnings on rewrites", context do - copy_beam! context, Dialyzer.Rewrite - assert_dialyze_no_warnings! context - end - -+ @tag :skip - test "no warnings on raise", context do - copy_beam! context, Dialyzer.Raise - assert_dialyze_no_warnings! context - end - -+ @tag :skip - test "no warnings on macrocallback", context do - copy_beam! context, Dialyzer.Macrocallback - copy_beam! context, Dialyzer.Macrocallback.Impl -diff --git a/lib/elixir/test/elixir/system_test.exs b/lib/elixir/test/elixir/system_test.exs -index aafa559..0f9c178 100644 ---- a/lib/elixir/test/elixir/system_test.exs -+++ b/lib/elixir/test/elixir/system_test.exs -@@ -53,7 +53,8 @@ defmodule SystemTest do - assert System.endianness in [:little, :big] - assert System.endianness == System.compiled_endianness - end -- -+ -+ @tag :skip - test "argv/0" do - list = elixir('-e "IO.inspect System.argv" -- -o opt arg1 arg2 --long-opt 10') - {args, _} = Code.eval_string list, [] -diff --git a/lib/mix/test/mix/dep_test.exs b/lib/mix/test/mix/dep_test.exs -index fff3351..d6ed1b3 100644 ---- a/lib/mix/test/mix/dep_test.exs -+++ b/lib/mix/test/mix/dep_test.exs -@@ -244,6 +244,7 @@ defmodule Mix.DepTest do - end - end - -+ @tag :skip - test "remote converger" do - deps = [{:deps_repo, "0.1.0", path: "custom/deps_repo"}, - {:git_repo, "0.2.0", git: MixTest.Case.fixture_path("git_repo")}] -@@ -301,6 +302,7 @@ defmodule Mix.DepTest do - end - end - -+ @tag :skip - test "remote converger is not invoked if deps diverge" do - deps = [{:deps_repo, "0.1.0", path: "custom/deps_repo"}, - {:git_repo, "0.2.0", git: MixTest.Case.fixture_path("git_repo"), only: :test}] - -diff --git a/lib/mix/test/mix/shell/io_test.exs b/lib/mix/test/mix/shell/io_test.exs -index 9bfb6b4..d982ef3 100644 ---- a/lib/mix/test/mix/shell/io_test.exs -+++ b/lib/mix/test/mix/shell/io_test.exs -@@ -29,6 +29,7 @@ defmodule Mix.Shell.IOTest do - assert capture_io("", fn -> refute yes?("Ok?") end) - end - -+ @tag :skip - test "runs a given command" do - assert capture_io("", fn -> assert cmd("echo hello") == 0 end) == "hello\n" - -diff --git a/lib/mix/test/mix/shell/quiet_test.exs b/lib/mix/test/mix/shell/quiet_test.exs -index 626429b..99fab35 100644 ---- a/lib/mix/test/mix/shell/quiet_test.exs -+++ b/lib/mix/test/mix/shell/quiet_test.exs -@@ -29,6 +29,7 @@ defmodule Mix.Shell.QuietTest do - assert capture_io("", fn -> refute yes?("Ok?") end) - end - -+ @tag :skip - test "runs a given command" do - assert capture_io("", fn -> assert cmd("echo hello") == 0 end) == "" - -diff --git a/lib/mix/test/mix/tasks/cmd_test.exs b/lib/mix/test/mix/tasks/cmd_test.exs -index db4bf06..4d441f7 100644 ---- a/lib/mix/test/mix/tasks/cmd_test.exs -+++ b/lib/mix/test/mix/tasks/cmd_test.exs -@@ -3,6 +3,7 @@ Code.require_file "../../test_helper.exs", __DIR__ - defmodule Mix.Tasks.CmdTest do - use MixTest.Case - -+ @tag :skip - test "runs the command for each app" do - in_fixture "umbrella_dep/deps/umbrella", fn -> - Mix.Project.in_project(:umbrella, ".", fn _ -> -diff --git a/lib/mix/test/mix/tasks/deps.tree_test.exs b/lib/mix/test/mix/tasks/deps.tree_test.exs -index 4f09ff3..c371997 100644 ---- a/lib/mix/test/mix/tasks/deps.tree_test.exs -+++ b/lib/mix/test/mix/tasks/deps.tree_test.exs -@@ -29,6 +29,7 @@ defmodule Mix.Tasks.Deps.TreeTest do - end - end - -+ @tag :skip - test "shows the dependency tree", context do - Mix.Project.push ConvergedDepsApp - -@@ -109,6 +110,7 @@ defmodule Mix.Tasks.Deps.TreeTest do - end - end - -+ @tag :skip - test "shows the dependency tree in DOT graph format", context do - Mix.Project.push ConvergedDepsApp - -diff --git a/lib/mix/test/mix/tasks/deps_test.exs b/lib/mix/test/mix/tasks/deps_test.exs -index b061777..cc45cf8 100644 ---- a/lib/mix/test/mix/tasks/deps_test.exs -+++ b/lib/mix/test/mix/tasks/deps_test.exs -@@ -96,6 +96,7 @@ - end - end - -+ @tag :skip - test "prints list of dependencies and their lock status" do - Mix.Project.push DepsApp - -@@ -409,6 +409,7 @@ defmodule Mix.Tasks.DepsTest do - end - end - -+ @tag :skip - test "fails on diverged dependencies by requirement" do - Mix.Project.push ConvergedDepsApp - -@@ -440,6 +441,7 @@ defmodule Mix.Tasks.DepsTest do - end - end - -+ @tag :skip - test "fails on diverged dependencies even when optional" do - Mix.Project.push ConvergedDepsApp - -@@ -469,6 +471,7 @@ defmodule Mix.Tasks.DepsTest do - end - end - -+ @tag :skip - test "works with converged dependencies" do - Mix.Project.push ConvergedDepsApp - -@@ -491,6 +494,7 @@ defmodule Mix.Tasks.DepsTest do - purge [GitRepo, GitRepo.Mixfile] - end - -+ @tag :skip - test "works with overridden dependencies" do - Mix.Project.push OverriddenDepsApp - -diff --git a/lib/mix/test/mix/umbrella_test.exs b/lib/mix/test/mix/umbrella_test.exs -index 69f9428..406668a 100644 ---- a/lib/mix/test/mix/umbrella_test.exs -+++ b/lib/mix/test/mix/umbrella_test.exs -@@ -98,6 +98,7 @@ defmodule Mix.UmbrellaTest do - end - end - -+ @tag :skip - test "loads umbrella child dependencies in all environments" do - in_fixture "umbrella_dep/deps/umbrella", fn -> - Mix.Project.in_project :umbrella, ".", fn _ -> - -diff --git a/lib/elixir/test/elixir/kernel/dialyzer_test.exs b/lib/elixir/test/elixir/kernel/dialyzer_test.exs -index 792222c..e90beb9 100644 ---- a/lib/elixir/test/elixir/kernel/dialyzer_test.exs -+++ b/lib/elixir/test/elixir/kernel/dialyzer_test.exs -@@ -54,6 +54,7 @@ defmodule Kernel.DialyzerTest do - {:ok, [outdir: dir, dialyzer: dialyzer]} - end - -+ @tag :skip - test "no warnings on valid remote calls", context do - copy_beam! context, Dialyzer.RemoteCall - assert_dialyze_no_warnings! context -@@ -78,11 +79,13 @@ defmodule Kernel.DialyzerTest do - assert_dialyze_no_warnings! context - end - -+ @tag :skip - test "no warnings on struct update", context do - copy_beam! context, Dialyzer.StructUpdate - assert_dialyze_no_warnings! context - end - -+ @tag :skip - test "no warnings on protocol calls with opaque types", context do - copy_beam! context, Dialyzer.ProtocolOpaque - copy_beam! context, Dialyzer.ProtocolOpaque.Entity -@@ -90,6 +93,7 @@ defmodule Kernel.DialyzerTest do - assert_dialyze_no_warnings! context - end - -+ @tag :skip - test "no warnings on and/2 and or/2", context do - copy_beam! context, Dialyzer.BooleanCheck - assert_dialyze_no_warnings! context - -diff --git a/Makefile b/Makefile -index 2fc4f9a..aef8366 100644 ---- a/Makefile -+++ b/Makefile -@@ -201,7 +201,7 @@ $(TEST_EBIN)/%.beam: $(TEST_ERL)/%.erl - $(Q) mkdir -p $(TEST_EBIN) - $(Q) $(ERLC) -o $(TEST_EBIN) $< - --test_elixir: test_stdlib test_ex_unit test_logger test_mix test_eex test_iex -+test_elixir: test_stdlib test_ex_unit test_logger test_eex test_iex - - test_stdlib: compile - @ echo "==> elixir (exunit)" - diff --git a/gnu/packages/patches/flann-cmake-3.11.patch b/gnu/packages/patches/flann-cmake-3.11.patch new file mode 100644 index 0000000000..1fb76eca0a --- /dev/null +++ b/gnu/packages/patches/flann-cmake-3.11.patch @@ -0,0 +1,84 @@ +Fixes this issue: + <https://github.com/mariusmuja/flann/issues/369>. +Patch from Buildroot: + <https://github.com/buildroot/buildroot/commit/45a39b3e2ba42b72d19bfcef30db1b8da9ead51a>. + +From fa5ec96a94646492a3f908e12905b3e48a8e800b Mon Sep 17 00:00:00 2001 +From: Romain Naour <romain.naour@gmail.com> +Date: Wed, 18 Apr 2018 20:24:13 +0200 +Subject: [PATCH] src/cpp: fix cmake >= 3.11 build + +CMake < 3.11 doesn't support add_library() without any source file +(i.e add_library(foo SHARED)). But flann CMake use a trick that use +an empty string "" as source list (i.e add_library(foo SHARED "")). +This look like a bug in CMake < 3.11. + +With CMake >= 3.11, the new behaviour of add_library() break the +existing flann CMake code. + +From CMake Changelog [1]: +"add_library() and add_executable() commands can now be called without + any sources and will not complain as long as sources are added later + via the target_sources() command." + +Note: flann CMake code doesn't use target_sources() since no source file +are provided intentionally since the flann shared library is created by +linking with the flann_cpp_s static library with this line: + +target_link_libraries(flann_cpp -Wl,-whole-archive flann_cpp_s -Wl,-no-whole-archive) + +If you try to use "add_library(flann_cpp SHARED ${CPP_SOURCES})" (as it should +be normally done), the link fail due to already defined symbol. + +They are building the shared version using the static library "to speedup the +build time" [3] + +This issue is already reported upstream [2] with a proposed solution. + +Upstream status: Pending + +Fixes: +http://autobuild.buildroot.net/results/b2f/b2febfaf8c44ce477b3e4a5b9b976fd25e8d7454 + +[1] https://cmake.org/cmake/help/v3.11/release/3.11.html +[2] https://github.com/mariusmuja/flann/issues/369 +[3] https://github.com/mariusmuja/flann/commit/0fd62b43be2fbb0b8d791ee36290791224dc030c + +Signed-off-by: Romain Naour <romain.naour@gmail.com> +--- + src/cpp/CMakeLists.txt | 4 ++-- + src/cpp/empty.cpp | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + create mode 100644 src/cpp/empty.cpp + +diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt +index b44a735..a816863 100644 +--- a/src/cpp/CMakeLists.txt ++++ b/src/cpp/CMakeLists.txt +@@ -29,7 +29,7 @@ if (BUILD_CUDA_LIB) + endif() + + if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_COMPILER_IS_GNUCC) +- add_library(flann_cpp SHARED "") ++ add_library(flann_cpp SHARED "empty.cpp") + set_target_properties(flann_cpp PROPERTIES LINKER_LANGUAGE CXX) + target_link_libraries(flann_cpp -Wl,-whole-archive flann_cpp_s -Wl,-no-whole-archive) + +@@ -85,7 +85,7 @@ if (BUILD_C_BINDINGS) + set_property(TARGET flann_s PROPERTY COMPILE_DEFINITIONS FLANN_STATIC) + + if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_COMPILER_IS_GNUCC) +- add_library(flann SHARED "") ++ add_library(flann SHARED "empty.cpp") + set_target_properties(flann PROPERTIES LINKER_LANGUAGE CXX) + target_link_libraries(flann -Wl,-whole-archive flann_s -Wl,-no-whole-archive) + else() +diff --git a/src/cpp/empty.cpp b/src/cpp/empty.cpp +new file mode 100644 +index 0000000..40a8c17 +--- /dev/null ++++ b/src/cpp/empty.cpp +@@ -0,0 +1 @@ ++/* empty */ +-- +2.14.3 diff --git a/gnu/packages/patches/gcc-8-strmov-store-file-names.patch b/gnu/packages/patches/gcc-8-strmov-store-file-names.patch new file mode 100644 index 0000000000..f8e6b951b2 --- /dev/null +++ b/gnu/packages/patches/gcc-8-strmov-store-file-names.patch @@ -0,0 +1,110 @@ +Make sure that statements such as: + + strcpy (dst, "/gnu/store/…"); + +or + + static const char str[] = "/gnu/store/…"; + … + strcpy (dst, str); + +do not result in chunked /gnu/store strings that are undetectable by +Guix's GC and its grafting code. See <https://bugs.gnu.org/24703> +and <https://bugs.gnu.org/30395>. + +--- gcc-5.3.0/gcc/builtins.c 2016-10-18 10:50:46.080616285 +0200 ++++ gcc-5.3.0/gcc/builtins.c 2016-11-09 15:26:43.693042737 +0100 +@@ -3012,6 +3012,58 @@ determine_block_size (tree len, rtx len_rtx, + GET_MODE_MASK (GET_MODE (len_rtx))); + } + ++extern void debug_tree (tree); ++ ++/* Return true if STR contains the string "/gnu/store". */ ++ ++bool ++store_reference_p (tree str) ++{ ++ if (getenv ("GUIX_GCC_DEBUG") != NULL) ++ debug_tree (str); ++ ++ if (TREE_CODE (str) == ADDR_EXPR) ++ str = TREE_OPERAND (str, 0); ++ ++ if (TREE_CODE (str) == VAR_DECL ++ && TREE_STATIC (str) ++ && TREE_READONLY (str)) ++ { ++ /* STR may be a 'static const' variable whose initial value ++ is a string constant. See <https://bugs.gnu.org/30395>. */ ++ str = DECL_INITIAL (str); ++ if (str == NULL_TREE) ++ return false; ++ } ++ ++ if (TREE_CODE (str) != STRING_CST) ++ return false; ++ ++ int len; ++ const char *store; ++ ++ store = getenv ("NIX_STORE") ? getenv ("NIX_STORE") : "/gnu/store"; ++ len = strlen (store); ++ ++ /* Size of the hash part of store file names, including leading slash and ++ trailing hyphen. */ ++ const int hash_len = 34; ++ ++ if (TREE_STRING_LENGTH (str) < len + hash_len) ++ return false; ++ ++ /* We cannot use 'strstr' because 'TREE_STRING_POINTER' returns a string ++ that is not necessarily NUL-terminated. */ ++ ++ for (int i = 0; i < TREE_STRING_LENGTH (str) - (len + hash_len); i++) ++ { ++ if (strncmp (TREE_STRING_POINTER (str) + i, store, len) == 0) ++ return true; ++ } ++ ++ return false; ++} ++ + /* Try to verify that the sizes and lengths of the arguments to a string + manipulation function given by EXP are within valid bounds and that + the operation does not lead to buffer overflow or read past the end. +@@ -3605,6 +3657,13 @@ expand_builtin_memory_copy_args (tree dest, tree src, tree len, + unsigned HOST_WIDE_INT max_size; + unsigned HOST_WIDE_INT probable_max_size; + ++ /* Do not emit block moves, which translate to the 'movabs' instruction on ++ x86_64, when SRC refers to store items. That way, store references ++ remain visible to the Guix GC and grafting code. See ++ <https://bugs.gnu.org/24703>. */ ++ if (store_reference_p (src)) ++ return NULL_RTX; ++ + /* If DEST is not a pointer type, call the normal function. */ + if (dest_align == 0) + return NULL_RTX; +--- gcc-5.5.0/gcc/gimple-fold.c 2018-03-20 11:36:16.709442004 +0100 ++++ gcc-5.5.0/gcc/gimple-fold.c 2018-03-20 11:46:43.838487065 +0100 +@@ -635,6 +635,8 @@ var_decl_component_p (tree var) + return SSA_VAR_P (inner); + } + ++extern bool store_reference_p (tree); ++ + /* If the SIZE argument representing the size of an object is in a range + of values of which exactly one is valid (and that is zero), return + true, otherwise false. */ +@@ -742,6 +744,9 @@ gimple_fold_builtin_memory_op (gimple_stmt_iterator *gsi, + off0 = build_int_cst (build_pointer_type_for_mode (char_type_node, + ptr_mode, true), 0); + ++ if (store_reference_p (src)) ++ return false; ++ + /* If we can perform the copy efficiently with first doing all loads + and then all stores inline it that way. Currently efficiently + means that we can load all the memory into a single integer diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch deleted file mode 100644 index d76f0df369..0000000000 --- a/gnu/packages/patches/heimdal-CVE-2017-11103.patch +++ /dev/null @@ -1,45 +0,0 @@ -Fix CVE-2017-11103: - -https://orpheus-lyre.info/ -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103 -https://security-tracker.debian.org/tracker/CVE-2017-11103 - -Patch lifted from upstream source repository: - -https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea - -From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001 -From: Jeffrey Altman <jaltman@secure-endpoints.com> -Date: Wed, 12 Apr 2017 15:40:42 -0400 -Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation - -In _krb5_extract_ticket() the KDC-REP service name must be obtained from -encrypted version stored in 'enc_part' instead of the unencrypted version -stored in 'ticket'. Use of the unecrypted version provides an -opportunity for successful server impersonation and other attacks. - -Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. - -Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c ---- - lib/krb5/ticket.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c -index d95d96d1b..b8d81c6ad 100644 ---- a/lib/krb5/ticket.c -+++ b/lib/krb5/ticket.c -@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context, - /* check server referral and save principal */ - ret = _krb5_principalname2krb5_principal (context, - &tmp_principal, -- rep->kdc_rep.ticket.sname, -- rep->kdc_rep.ticket.realm); -+ rep->enc_part.sname, -+ rep->enc_part.srealm); - if (ret) - goto out; - if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ --- -2.13.3 - diff --git a/gnu/packages/patches/heimdal-CVE-2017-6594.patch b/gnu/packages/patches/heimdal-CVE-2017-6594.patch deleted file mode 100644 index 714af60304..0000000000 --- a/gnu/packages/patches/heimdal-CVE-2017-6594.patch +++ /dev/null @@ -1,85 +0,0 @@ -Fix CVE-2017-6594: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594 -https://security-tracker.debian.org/tracker/CVE-2017-6594 - -Patch lifted from upstream source repository: - -https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837 - -To apply the patch to Heimdal 1.5.3 release tarball, the changes to 'NEWS' and -files in 'tests/' are removed, and hunk #4 of 'kdc/krb5tgs.c' is modified. - -From b1e699103f08d6a0ca46a122193c9da65f6cf837 Mon Sep 17 00:00:00 2001 -From: Viktor Dukhovni <viktor@twosigma.com> -Date: Wed, 10 Aug 2016 23:31:14 +0000 -Subject: [PATCH] Fix transit path validation CVE-2017-6594 - -Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm -to not be added to the transit path of issued tickets. This may, in -some cases, enable bypass of capath policy in Heimdal versions 1.5 -through 7.2. - -Note, this may break sites that rely on the bug. With the bug some -incomplete [capaths] worked, that should not have. These may now break -authentication in some cross-realm configurations. ---- - NEWS | 14 ++++++++++++++ - kdc/krb5tgs.c | 12 ++++++++++-- - tests/kdc/check-kdc.in | 17 +++++++++++++++++ - tests/kdc/krb5.conf.in | 4 ++++ - 4 files changed, 45 insertions(+), 2 deletions(-) - -diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c -index 6048b9c55..98503812f 100644 ---- a/kdc/krb5tgs.c -+++ b/kdc/krb5tgs.c -@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context, - "Decoding transited encoding"); - return ret; - } -+ -+ /* -+ * If the realm of the presented tgt is neither the client nor the server -+ * realm, it is a transit realm and must be added to transited set. -+ */ - if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) { -- /* not us, so add the previous realm to transited set */ - if (num_realms + 1 > UINT_MAX/sizeof(*realms)) { - ret = ERANGE; - goto free_realms; -@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context, - const char *server_name, - hdb_entry_ex *client, - krb5_principal client_principal, -+ const char *tgt_realm, - hdb_entry_ex *krbtgt, - krb5_enctype krbtgt_etype, - krb5_principals spp, -@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context, - &tgt->transited, &et, - krb5_principal_get_realm(context, client_principal), - krb5_principal_get_realm(context, server->entry.principal), -- krb5_principal_get_realm(context, krbtgt->entry.principal)); -+ tgt_realm); - if(ret) - goto out; - -@@ -1519,4 +1524,6 @@ tgs_build_reply(krb5_context context, - krb5_keyblock sessionkey; - krb5_kvno kvno; - krb5_data rspac; -+ const char *tgt_realm = /* Realm of TGT issuer */ -+ krb5_principal_get_realm(context, krbtgt->entry.principal); - -@@ -2324,6 +2331,7 @@ server_lookup: - spn, - client, - cp, -+ tgt_realm, - krbtgt_out, - tkey_sign->key.keytype, - spp, --- -2.13.3 - diff --git a/gnu/packages/patches/icecat-bug-1413868-pt1.patch b/gnu/packages/patches/icecat-bug-1413868-pt1.patch new file mode 100644 index 0000000000..18382dc33a --- /dev/null +++ b/gnu/packages/patches/icecat-bug-1413868-pt1.patch @@ -0,0 +1,663 @@ +Based on <https://hg.mozilla.org/releases/mozilla-esr52/rev/431fa5dd4016> +Adapted to apply cleanly to GNU IceCat. + +# HG changeset patch +# User Honza Bambas <honzab.moz@firemni.cz> +# Date 1528830658 14400 +# Node ID 431fa5dd4016bdab7e4bb0d3c4df85468fe337b0 +# Parent e8e9e1ef79f2a18c61ec1b87cfb214c8d4960f8e +Bug 1413868. r=valentin, a=RyanVM + +diff --git a/toolkit/xre/nsAppRunner.cpp b/toolkit/xre/nsAppRunner.cpp +--- a/toolkit/xre/nsAppRunner.cpp ++++ b/toolkit/xre/nsAppRunner.cpp +@@ -4,16 +4,17 @@ + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + + #include "mozilla/dom/ContentParent.h" + #include "mozilla/dom/ContentChild.h" + #include "mozilla/ipc/GeckoChildProcessHost.h" + + #include "mozilla/ArrayUtils.h" + #include "mozilla/Attributes.h" ++#include "mozilla/FilePreferences.h" + #include "mozilla/ChaosMode.h" + #include "mozilla/IOInterposer.h" + #include "mozilla/Likely.h" + #include "mozilla/MemoryChecking.h" + #include "mozilla/Poison.h" + #include "mozilla/Preferences.h" + #include "mozilla/ScopeExit.h" + #include "mozilla/Services.h" +@@ -4304,16 +4305,20 @@ XREMain::XRE_mainRun() + // Need to write out the fact that the profile has been removed and potentially + // that the selected/default profile changed. + mProfileSvc->Flush(); + } + } + + mDirProvider.DoStartup(); + ++ // As FilePreferences need the profile directory, we must initialize right here. ++ mozilla::FilePreferences::InitDirectoriesWhitelist(); ++ mozilla::FilePreferences::InitPrefs(); ++ + OverrideDefaultLocaleIfNeeded(); + + #ifdef MOZ_CRASHREPORTER + nsCString userAgentLocale; + // Try a localized string first. This pref is always a localized string in + // IceCatMobile, and might be elsewhere, too. + if (NS_SUCCEEDED(Preferences::GetLocalizedCString("general.useragent.locale", &userAgentLocale))) { + CrashReporter::AnnotateCrashReport(NS_LITERAL_CSTRING("useragent_locale"), userAgentLocale); +diff --git a/toolkit/xre/nsEmbedFunctions.cpp b/toolkit/xre/nsEmbedFunctions.cpp +--- a/toolkit/xre/nsEmbedFunctions.cpp ++++ b/toolkit/xre/nsEmbedFunctions.cpp +@@ -46,16 +46,17 @@ + #include "nsX11ErrorHandler.h" + #include "nsGDKErrorHandler.h" + #include "base/at_exit.h" + #include "base/command_line.h" + #include "base/message_loop.h" + #include "base/process_util.h" + #include "chrome/common/child_process.h" + ++#include "mozilla/FilePreferences.h" + #include "mozilla/ipc/BrowserProcessSubThread.h" + #include "mozilla/ipc/GeckoChildProcessHost.h" + #include "mozilla/ipc/IOThreadChild.h" + #include "mozilla/ipc/ProcessChild.h" + #include "ScopedXREEmbed.h" + + #include "mozilla/plugins/PluginProcessChild.h" + #include "mozilla/dom/ContentProcess.h" +@@ -680,16 +681,18 @@ XRE_InitChildProcess(int aArgc, + ::SetProcessShutdownParameters(0x280 - 1, SHUTDOWN_NORETRY); + #endif + + #if defined(MOZ_SANDBOX) && defined(XP_WIN) + // We need to do this after the process has been initialised, as + // InitLoggingIfRequired may need access to prefs. + mozilla::sandboxing::InitLoggingIfRequired(aChildData->ProvideLogFunction); + #endif ++ mozilla::FilePreferences::InitDirectoriesWhitelist(); ++ mozilla::FilePreferences::InitPrefs(); + + OverrideDefaultLocaleIfNeeded(); + + #if defined(MOZ_CRASHREPORTER) + #if defined(MOZ_CONTENT_SANDBOX) && !defined(MOZ_WIDGET_GONK) + AddContentSandboxLevelAnnotation(); + #endif + #endif +diff --git a/xpcom/io/FilePreferences.cpp b/xpcom/io/FilePreferences.cpp +new file mode 100644 +--- /dev/null ++++ b/xpcom/io/FilePreferences.cpp +@@ -0,0 +1,271 @@ ++/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ ++/* vim: set ts=8 sts=2 et sw=2 tw=80: */ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++* License, v. 2.0. If a copy of the MPL was not distributed with this ++* file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++#include "FilePreferences.h" ++ ++#include "mozilla/Preferences.h" ++#include "nsAppDirectoryServiceDefs.h" ++#include "nsDirectoryServiceDefs.h" ++#include "nsDirectoryServiceUtils.h" ++ ++namespace mozilla { ++namespace FilePreferences { ++ ++static bool sBlockUNCPaths = false; ++typedef nsTArray<nsString> Paths; ++ ++static Paths& PathArray() ++{ ++ static Paths sPaths; ++ return sPaths; ++} ++ ++static void AllowDirectory(char const* directory) ++{ ++ nsCOMPtr<nsIFile> file; ++ NS_GetSpecialDirectory(directory, getter_AddRefs(file)); ++ if (!file) { ++ return; ++ } ++ ++ nsString path; ++ if (NS_FAILED(file->GetTarget(path))) { ++ return; ++ } ++ ++ // The whitelist makes sense only for UNC paths, because this code is used ++ // to block only UNC paths, hence, no need to add non-UNC directories here ++ // as those would never pass the check. ++ if (!StringBeginsWith(path, NS_LITERAL_STRING("\\\\"))) { ++ return; ++ } ++ ++ if (!PathArray().Contains(path)) { ++ PathArray().AppendElement(path); ++ } ++} ++ ++void InitPrefs() ++{ ++ sBlockUNCPaths = Preferences::GetBool("network.file.disable_unc_paths", false); ++} ++ ++void InitDirectoriesWhitelist() ++{ ++ // NS_GRE_DIR is the installation path where the binary resides. ++ AllowDirectory(NS_GRE_DIR); ++ // NS_APP_USER_PROFILE_50_DIR and NS_APP_USER_PROFILE_LOCAL_50_DIR are the two ++ // parts of the profile we store permanent and local-specific data. ++ AllowDirectory(NS_APP_USER_PROFILE_50_DIR); ++ AllowDirectory(NS_APP_USER_PROFILE_LOCAL_50_DIR); ++} ++ ++namespace { // anon ++ ++class Normalizer ++{ ++public: ++ Normalizer(const nsAString& aFilePath, const char16_t aSeparator); ++ bool Get(nsAString& aNormalizedFilePath); ++ ++private: ++ bool ConsumeItem(); ++ bool ConsumeSeparator(); ++ bool IsEOF() { return mFilePathCursor == mFilePathEnd; } ++ ++ bool ConsumeName(); ++ bool CheckParentDir(); ++ bool CheckCurrentDir(); ++ ++ nsString::const_char_iterator mFilePathCursor; ++ nsString::const_char_iterator mFilePathEnd; ++ ++ nsDependentSubstring mItem; ++ char16_t const mSeparator; ++ nsTArray<nsDependentSubstring> mStack; ++}; ++ ++Normalizer::Normalizer(const nsAString& aFilePath, const char16_t aSeparator) ++ : mFilePathCursor(aFilePath.BeginReading()) ++ , mFilePathEnd(aFilePath.EndReading()) ++ , mSeparator(aSeparator) ++{ ++} ++ ++bool Normalizer::ConsumeItem() ++{ ++ if (IsEOF()) { ++ return false; ++ } ++ ++ nsString::const_char_iterator nameBegin = mFilePathCursor; ++ while (mFilePathCursor != mFilePathEnd) { ++ if (*mFilePathCursor == mSeparator) { ++ break; // don't include the separator ++ } ++ ++mFilePathCursor; ++ } ++ ++ mItem.Rebind(nameBegin, mFilePathCursor); ++ return true; ++} ++ ++bool Normalizer::ConsumeSeparator() ++{ ++ if (IsEOF()) { ++ return false; ++ } ++ ++ if (*mFilePathCursor != mSeparator) { ++ return false; ++ } ++ ++ ++mFilePathCursor; ++ return true; ++} ++ ++bool Normalizer::Get(nsAString& aNormalizedFilePath) ++{ ++ aNormalizedFilePath.Truncate(); ++ ++ if (IsEOF()) { ++ return true; ++ } ++ if (ConsumeSeparator()) { ++ aNormalizedFilePath.Append(mSeparator); ++ } ++ ++ if (IsEOF()) { ++ return true; ++ } ++ if (ConsumeSeparator()) { ++ aNormalizedFilePath.Append(mSeparator); ++ } ++ ++ while (!IsEOF()) { ++ if (!ConsumeName()) { ++ return false; ++ } ++ } ++ ++ for (auto const& name : mStack) { ++ aNormalizedFilePath.Append(name); ++ } ++ ++ return true; ++} ++ ++bool Normalizer::ConsumeName() ++{ ++ if (!ConsumeItem()) { ++ return true; ++ } ++ ++ if (CheckCurrentDir()) { ++ return true; ++ } ++ ++ if (CheckParentDir()) { ++ if (!mStack.Length()) { ++ // This means there are more \.. than valid names ++ return false; ++ } ++ ++ mStack.RemoveElementAt(mStack.Length() - 1); ++ return true; ++ } ++ ++ if (mItem.IsEmpty()) { ++ // this means an empty name (a lone slash), which is illegal ++ return false; ++ } ++ ++ if (ConsumeSeparator()) { ++ mItem.Rebind(mItem.BeginReading(), mFilePathCursor); ++ } ++ mStack.AppendElement(mItem); ++ ++ return true; ++} ++ ++bool Normalizer::CheckCurrentDir() ++{ ++ if (mItem == NS_LITERAL_STRING(".")) { ++ ConsumeSeparator(); ++ // EOF is acceptable ++ return true; ++ } ++ ++ return false; ++} ++ ++bool Normalizer::CheckParentDir() ++{ ++ if (mItem == NS_LITERAL_STRING("..")) { ++ ConsumeSeparator(); ++ // EOF is acceptable ++ return true; ++ } ++ ++ return false; ++} ++ ++} // anon ++ ++bool IsBlockedUNCPath(const nsAString& aFilePath) ++{ ++ if (!sBlockUNCPaths) { ++ return false; ++ } ++ ++ if (!StringBeginsWith(aFilePath, NS_LITERAL_STRING("\\\\"))) { ++ return false; ++ } ++ ++ nsAutoString normalized; ++ if (!Normalizer(aFilePath, L'\\').Get(normalized)) { ++ // Broken paths are considered invalid and thus inaccessible ++ return true; ++ } ++ ++ for (const auto& allowedPrefix : PathArray()) { ++ if (StringBeginsWith(normalized, allowedPrefix)) { ++ if (normalized.Length() == allowedPrefix.Length()) { ++ return false; ++ } ++ if (normalized[allowedPrefix.Length()] == L'\\') { ++ return false; ++ } ++ ++ // When we are here, the path has a form "\\path\prefixevil" ++ // while we have an allowed prefix of "\\path\prefix". ++ // Note that we don't want to add a slash to the end of a prefix ++ // so that opening the directory (no slash at the end) still works. ++ break; ++ } ++ } ++ ++ return true; ++} ++ ++void testing::SetBlockUNCPaths(bool aBlock) ++{ ++ sBlockUNCPaths = aBlock; ++} ++ ++void testing::AddDirectoryToWhitelist(nsAString const & aPath) ++{ ++ PathArray().AppendElement(aPath); ++} ++ ++bool testing::NormalizePath(nsAString const & aPath, nsAString & aNormalized) ++{ ++ Normalizer normalizer(aPath, L'\\'); ++ return normalizer.Get(aNormalized); ++} ++ ++} // ::FilePreferences ++} // ::mozilla +diff --git a/xpcom/io/FilePreferences.h b/xpcom/io/FilePreferences.h +new file mode 100644 +--- /dev/null ++++ b/xpcom/io/FilePreferences.h +@@ -0,0 +1,25 @@ ++/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ ++/* vim: set ts=8 sts=2 et sw=2 tw=80: */ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++* License, v. 2.0. If a copy of the MPL was not distributed with this ++* file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++#include "nsIObserver.h" ++ ++namespace mozilla { ++namespace FilePreferences { ++ ++void InitPrefs(); ++void InitDirectoriesWhitelist(); ++bool IsBlockedUNCPath(const nsAString& aFilePath); ++ ++namespace testing { ++ ++void SetBlockUNCPaths(bool aBlock); ++void AddDirectoryToWhitelist(nsAString const& aPath); ++bool NormalizePath(nsAString const & aPath, nsAString & aNormalized); ++ ++} ++ ++} // FilePreferences ++} // mozilla +diff --git a/xpcom/io/moz.build b/xpcom/io/moz.build +--- a/xpcom/io/moz.build ++++ b/xpcom/io/moz.build +@@ -79,24 +79,26 @@ EXPORTS += [ + 'nsUnicharInputStream.h', + 'nsWildCard.h', + 'SlicedInputStream.h', + 'SpecialSystemDirectory.h', + ] + + EXPORTS.mozilla += [ + 'Base64.h', ++ 'FilePreferences.h', + 'SnappyCompressOutputStream.h', + 'SnappyFrameUtils.h', + 'SnappyUncompressInputStream.h', + ] + + UNIFIED_SOURCES += [ + 'Base64.cpp', + 'crc32c.c', ++ 'FilePreferences.cpp', + 'nsAnonymousTemporaryFile.cpp', + 'nsAppFileLocationProvider.cpp', + 'nsBinaryStream.cpp', + 'nsDirectoryService.cpp', + 'nsEscape.cpp', + 'nsInputStreamTee.cpp', + 'nsIOUtil.cpp', + 'nsLinebreakConverter.cpp', +diff --git a/xpcom/io/nsLocalFileWin.cpp b/xpcom/io/nsLocalFileWin.cpp +--- a/xpcom/io/nsLocalFileWin.cpp ++++ b/xpcom/io/nsLocalFileWin.cpp +@@ -41,16 +41,17 @@ + #include <stdio.h> + #include <stdlib.h> + #include <mbstring.h> + + #include "nsXPIDLString.h" + #include "prproces.h" + #include "prlink.h" + ++#include "mozilla/FilePreferences.h" + #include "mozilla/Mutex.h" + #include "SpecialSystemDirectory.h" + + #include "nsTraceRefcnt.h" + #include "nsXPCOMCIDInternal.h" + #include "nsThreadUtils.h" + #include "nsXULAppAPI.h" + +@@ -1162,16 +1163,20 @@ nsLocalFile::InitWithPath(const nsAStrin + char16_t secondChar = *(++begin); + + // just do a sanity check. if it has any forward slashes, it is not a Native path + // on windows. Also, it must have a colon at after the first char. + if (FindCharInReadable(L'/', begin, end)) { + return NS_ERROR_FILE_UNRECOGNIZED_PATH; + } + ++ if (FilePreferences::IsBlockedUNCPath(aFilePath)) { ++ return NS_ERROR_FILE_ACCESS_DENIED; ++ } ++ + if (secondChar != L':' && (secondChar != L'\\' || firstChar != L'\\')) { + return NS_ERROR_FILE_UNRECOGNIZED_PATH; + } + + if (secondChar == L':') { + // Make sure we have a valid drive, later code assumes the drive letter + // is a single char a-z or A-Z. + if (PathGetDriveNumberW(aFilePath.Data()) == -1) { +@@ -1974,16 +1979,20 @@ nsLocalFile::CopySingleFile(nsIFile* aSo + bool path1Remote, path2Remote; + if (!IsRemoteFilePath(filePath.get(), path1Remote) || + !IsRemoteFilePath(destPath.get(), path2Remote) || + path1Remote || path2Remote) { + dwCopyFlags |= COPY_FILE_NO_BUFFERING; + } + } + ++ if (FilePreferences::IsBlockedUNCPath(destPath)) { ++ return NS_ERROR_FILE_ACCESS_DENIED; ++ } ++ + if (!move) { + copyOK = ::CopyFileExW(filePath.get(), destPath.get(), nullptr, + nullptr, nullptr, dwCopyFlags); + } else { + copyOK = ::MoveFileExW(filePath.get(), destPath.get(), + MOVEFILE_REPLACE_EXISTING); + + // Check if copying the source file to a different volume, +diff --git a/xpcom/tests/gtest/TestFilePreferencesWin.cpp b/xpcom/tests/gtest/TestFilePreferencesWin.cpp +new file mode 100644 +--- /dev/null ++++ b/xpcom/tests/gtest/TestFilePreferencesWin.cpp +@@ -0,0 +1,141 @@ ++#include "gtest/gtest.h" ++ ++#include "mozilla/FilePreferences.h" ++#include "nsIFile.h" ++#include "nsXPCOMCID.h" ++ ++TEST(FilePreferencesWin, Normalization) ++{ ++ nsAutoString normalized; ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("foo"), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("foo")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\foo"), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\foo")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\foo"), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("foo\\some"), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("foo\\some")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\.\\foo"), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\."), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\.\\"), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\.\\."), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\foo\\bar"), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo\\bar")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\foo\\bar\\"), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo\\bar\\")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\foo\\bar\\."), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo\\bar\\")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\foo\\bar\\.\\"), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo\\bar\\")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\foo\\bar\\..\\"), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo\\")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\foo\\bar\\.."), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\foo\\")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\foo\\..\\bar\\..\\"), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\foo\\..\\bar"), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\bar")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\foo\\bar\\..\\..\\"), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\")); ++ ++ mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\foo\\bar\\.\\..\\.\\..\\"), normalized); ++ ASSERT_TRUE(normalized == NS_LITERAL_STRING("\\\\")); ++ ++ bool result; ++ ++ result = mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\.."), normalized); ++ ASSERT_FALSE(result); ++ ++ result = mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\..\\"), normalized); ++ ASSERT_FALSE(result); ++ ++ result = mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\.\\..\\"), normalized); ++ ASSERT_FALSE(result); ++ ++ result = mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\foo\\\\bar"), normalized); ++ ASSERT_FALSE(result); ++ ++ result = mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\foo\\bar\\..\\..\\..\\..\\"), normalized); ++ ASSERT_FALSE(result); ++ ++ result = mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\\\"), normalized); ++ ASSERT_FALSE(result); ++ ++ result = mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\.\\\\"), normalized); ++ ASSERT_FALSE(result); ++ ++ result = mozilla::FilePreferences::testing::NormalizePath( ++ NS_LITERAL_STRING("\\\\..\\\\"), normalized); ++ ASSERT_FALSE(result); ++} ++ ++TEST(FilePreferencesWin, AccessUNC) ++{ ++ nsCOMPtr<nsIFile> lf = do_CreateInstance(NS_LOCAL_FILE_CONTRACTID); ++ ++ nsresult rv; ++ ++ mozilla::FilePreferences::testing::SetBlockUNCPaths(false); ++ ++ rv = lf->InitWithPath(NS_LITERAL_STRING("\\\\nice\\..\\evil\\share")); ++ ASSERT_EQ(rv, NS_OK); ++ ++ mozilla::FilePreferences::testing::SetBlockUNCPaths(true); ++ ++ rv = lf->InitWithPath(NS_LITERAL_STRING("\\\\nice\\..\\evil\\share")); ++ ASSERT_EQ(rv, NS_ERROR_FILE_ACCESS_DENIED); ++ ++ mozilla::FilePreferences::testing::AddDirectoryToWhitelist(NS_LITERAL_STRING("\\\\nice")); ++ ++ rv = lf->InitWithPath(NS_LITERAL_STRING("\\\\nice\\share")); ++ ASSERT_EQ(rv, NS_OK); ++ ++ rv = lf->InitWithPath(NS_LITERAL_STRING("\\\\nice\\..\\evil\\share")); ++ ASSERT_EQ(rv, NS_ERROR_FILE_ACCESS_DENIED); ++} +diff --git a/xpcom/tests/gtest/moz.build b/xpcom/tests/gtest/moz.build +--- a/xpcom/tests/gtest/moz.build ++++ b/xpcom/tests/gtest/moz.build +@@ -51,16 +51,21 @@ UNIFIED_SOURCES += [ + if CONFIG['MOZ_DEBUG'] and CONFIG['OS_ARCH'] not in ('WINNT') and CONFIG['OS_TARGET'] != 'Android': + # FIXME bug 523392: TestDeadlockDetector doesn't like Windows + # Bug 1054249: Doesn't work on Android + UNIFIED_SOURCES += [ + 'TestDeadlockDetector.cpp', + 'TestDeadlockDetectorScalability.cpp', + ] + ++if CONFIG['OS_TARGET'] == 'WINNT': ++ UNIFIED_SOURCES += [ ++ 'TestFilePreferencesWin.cpp', ++ ] ++ + if CONFIG['WRAP_STL_INCLUDES'] and not CONFIG['CLANG_CL']: + UNIFIED_SOURCES += [ + 'TestSTLWrappers.cpp', + ] + + # Compile TestAllocReplacement separately so Windows headers don't pollute + # the global namespace for other files. + SOURCES += [ + diff --git a/gnu/packages/patches/java-commons-collections-fix-java8.patch b/gnu/packages/patches/java-commons-collections-fix-java8.patch new file mode 100644 index 0000000000..322fd7f699 --- /dev/null +++ b/gnu/packages/patches/java-commons-collections-fix-java8.patch @@ -0,0 +1,299 @@ +From e760d181abd20ecb98654af63faec7b2a4d61189 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=A1bor=20Boskovits?= <boskovits@gmail.com> +Date: Mon, 25 Jun 2018 15:02:25 +0200 +Subject: [PATCH] Rename removes in maps to fix java8. + +* src/java/org/apache/commons/collections/MultiHashMap.java: +Rename "V MultiHashMap#remove(K, V)" +to "boolean MulitHashMap#removeMapping(K, V)". +* src/java/org/apache/commons/collections/MultiMap.java: +Rename "V MultiMap#remove(K, V)" +to "boolean MultiMap#removeMapping(K, V)". +* src/java/org/apache/commons/collections/map/MultiKeyMap.java: +Rename "V MultiKeyMap#remove(...)" +to "V MultiKeyMap#removeMultiKey(...)". +* src/java/org/apache/commons/collections/map/MultiValueMap.java: +Rename "V MultiValueMap#remove(K, V)" +to "boolean MultiValueMap#removeMapping(K, V)". +* src/test/org/apache/commons/collections/TestMultiHashMap.java: +Adjust accordingly. +* src/test/org/apache/commons/collections/map/TestMultiKeyMap.java: +Adjust accordingly. +* src/test/org/apache/commons/collections/map/TestMultiValueMap.java: +Adjust accordingly. +--- + .../commons/collections/MultiHashMap.java | 8 ++++---- + .../apache/commons/collections/MultiMap.java | 2 +- + .../commons/collections/map/MultiKeyMap.java | 8 ++++---- + .../commons/collections/map/MultiValueMap.java | 8 ++++---- + .../commons/collections/TestMultiHashMap.java | 16 ++++++++-------- + .../collections/map/TestMultiKeyMap.java | 16 ++++++++-------- + .../collections/map/TestMultiValueMap.java | 18 +++++++++--------- + 7 files changed, 38 insertions(+), 38 deletions(-) + +diff --git a/src/java/org/apache/commons/collections/MultiHashMap.java b/src/java/org/apache/commons/collections/MultiHashMap.java +index 7fec9af..482ecbd 100644 +--- a/src/java/org/apache/commons/collections/MultiHashMap.java ++++ b/src/java/org/apache/commons/collections/MultiHashMap.java +@@ -331,21 +331,21 @@ public class MultiHashMap extends HashMap implements MultiMap { + * @param item the value to remove + * @return the value removed (which was passed in), null if nothing removed + */ +- public Object remove(Object key, Object item) { ++ public boolean removeMapping(Object key, Object item) { + Collection valuesForKey = getCollection(key); + if (valuesForKey == null) { +- return null; ++ return false; + } + boolean removed = valuesForKey.remove(item); + if (removed == false) { +- return null; ++ return false; + } + // remove the list if it is now empty + // (saves space, and allows equals to work) + if (valuesForKey.isEmpty()){ + remove(key); + } +- return item; ++ return true; + } + + /** +diff --git a/src/java/org/apache/commons/collections/MultiMap.java b/src/java/org/apache/commons/collections/MultiMap.java +index be9455b..fe54234 100644 +--- a/src/java/org/apache/commons/collections/MultiMap.java ++++ b/src/java/org/apache/commons/collections/MultiMap.java +@@ -66,7 +66,7 @@ public interface MultiMap extends Map { + * @throws ClassCastException if the key or value is of an invalid type + * @throws NullPointerException if the key or value is null and null is invalid + */ +- public Object remove(Object key, Object item); ++ public boolean removeMapping(Object key, Object item); + + //----------------------------------------------------------------------- + /** +diff --git a/src/java/org/apache/commons/collections/map/MultiKeyMap.java b/src/java/org/apache/commons/collections/map/MultiKeyMap.java +index 9e3e02d..0b99b65 100644 +--- a/src/java/org/apache/commons/collections/map/MultiKeyMap.java ++++ b/src/java/org/apache/commons/collections/map/MultiKeyMap.java +@@ -197,7 +197,7 @@ public class MultiKeyMap + * @param key2 the second key + * @return the value mapped to the removed key, null if key not in map + */ +- public Object remove(Object key1, Object key2) { ++ public Object removeMultiKey(Object key1, Object key2) { + int hashCode = hash(key1, key2); + int index = map.hashIndex(hashCode, map.data.length); + AbstractHashedMap.HashEntry entry = map.data[index]; +@@ -327,7 +327,7 @@ public class MultiKeyMap + * @param key3 the third key + * @return the value mapped to the removed key, null if key not in map + */ +- public Object remove(Object key1, Object key2, Object key3) { ++ public Object removeMultiKey(Object key1, Object key2, Object key3) { + int hashCode = hash(key1, key2, key3); + int index = map.hashIndex(hashCode, map.data.length); + AbstractHashedMap.HashEntry entry = map.data[index]; +@@ -467,7 +467,7 @@ public class MultiKeyMap + * @param key4 the fourth key + * @return the value mapped to the removed key, null if key not in map + */ +- public Object remove(Object key1, Object key2, Object key3, Object key4) { ++ public Object removeMultiKey(Object key1, Object key2, Object key3, Object key4) { + int hashCode = hash(key1, key2, key3, key4); + int index = map.hashIndex(hashCode, map.data.length); + AbstractHashedMap.HashEntry entry = map.data[index]; +@@ -617,7 +617,7 @@ public class MultiKeyMap + * @param key5 the fifth key + * @return the value mapped to the removed key, null if key not in map + */ +- public Object remove(Object key1, Object key2, Object key3, Object key4, Object key5) { ++ public Object removeMultiKey(Object key1, Object key2, Object key3, Object key4, Object key5) { + int hashCode = hash(key1, key2, key3, key4, key5); + int index = map.hashIndex(hashCode, map.data.length); + AbstractHashedMap.HashEntry entry = map.data[index]; +diff --git a/src/java/org/apache/commons/collections/map/MultiValueMap.java b/src/java/org/apache/commons/collections/map/MultiValueMap.java +index f44999b..86eaeb0 100644 +--- a/src/java/org/apache/commons/collections/map/MultiValueMap.java ++++ b/src/java/org/apache/commons/collections/map/MultiValueMap.java +@@ -153,19 +153,19 @@ public class MultiValueMap extends AbstractMapDecorator implements MultiMap { + * @param value the value to remove + * @return the value removed (which was passed in), null if nothing removed + */ +- public Object remove(Object key, Object value) { ++ public boolean removeMapping(Object key, Object value) { + Collection valuesForKey = getCollection(key); + if (valuesForKey == null) { +- return null; ++ return false; + } + boolean removed = valuesForKey.remove(value); + if (removed == false) { +- return null; ++ return false; + } + if (valuesForKey.isEmpty()) { + remove(key); + } +- return value; ++ return true; + } + + /** +diff --git a/src/test/org/apache/commons/collections/TestMultiHashMap.java b/src/test/org/apache/commons/collections/TestMultiHashMap.java +index eca833a..a1de943 100644 +--- a/src/test/org/apache/commons/collections/TestMultiHashMap.java ++++ b/src/test/org/apache/commons/collections/TestMultiHashMap.java +@@ -217,7 +217,7 @@ public class TestMultiHashMap extends AbstractTestMap { + MultiHashMap one = new MultiHashMap(); + Integer value = new Integer(1); + one.put("One", value); +- one.remove("One", value); ++ one.removeMapping("One", value); + + MultiHashMap two = new MultiHashMap(); + assertEquals(two, one); +@@ -269,7 +269,7 @@ public class TestMultiHashMap extends AbstractTestMap { + assertEquals(4, map.totalSize()); + map.remove("A"); + assertEquals(3, map.totalSize()); +- map.remove("B", "BC"); ++ map.removeMapping("B", "BC"); + assertEquals(2, map.totalSize()); + } + +@@ -292,7 +292,7 @@ public class TestMultiHashMap extends AbstractTestMap { + map.remove("A"); + assertEquals(0, map.size("A")); + assertEquals(3, map.size("B")); +- map.remove("B", "BC"); ++ map.removeMapping("B", "BC"); + assertEquals(0, map.size("A")); + assertEquals(2, map.size("B")); + } +@@ -464,11 +464,11 @@ public class TestMultiHashMap extends AbstractTestMap { + map.put("A", "AA"); + map.put("A", "AB"); + map.put("A", "AC"); +- assertEquals(null, map.remove("C", "CA")); +- assertEquals(null, map.remove("A", "AD")); +- assertEquals("AC", map.remove("A", "AC")); +- assertEquals("AB", map.remove("A", "AB")); +- assertEquals("AA", map.remove("A", "AA")); ++ assertEquals(false, map.removeMapping("C", "CA")); ++ assertEquals(false, map.removeMapping("A", "AD")); ++ assertEquals(true, map.removeMapping("A", "AC")); ++ assertEquals(true, map.removeMapping("A", "AB")); ++ assertEquals(true, map.removeMapping("A", "AA")); + assertEquals(new MultiHashMap(), map); + } + +diff --git a/src/test/org/apache/commons/collections/map/TestMultiKeyMap.java b/src/test/org/apache/commons/collections/map/TestMultiKeyMap.java +index b1ee3d0..b18f480 100644 +--- a/src/test/org/apache/commons/collections/map/TestMultiKeyMap.java ++++ b/src/test/org/apache/commons/collections/map/TestMultiKeyMap.java +@@ -315,34 +315,34 @@ public class TestMultiKeyMap extends AbstractTestIterableMap { + switch (key.size()) { + case 2: + assertEquals(true, multimap.containsKey(key.getKey(0), key.getKey(1))); +- assertEquals(value, multimap.remove(key.getKey(0), key.getKey(1))); ++ assertEquals(value, multimap.removeMultiKey(key.getKey(0), key.getKey(1))); + assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1))); + assertEquals(size - 1, multimap.size()); +- assertEquals(null, multimap.remove(key.getKey(0), key.getKey(1))); ++ assertEquals(null, multimap.removeMultiKey(key.getKey(0), key.getKey(1))); + assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1))); + break; + case 3: + assertEquals(true, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2))); +- assertEquals(value, multimap.remove(key.getKey(0), key.getKey(1), key.getKey(2))); ++ assertEquals(value, multimap.removeMultiKey(key.getKey(0), key.getKey(1), key.getKey(2))); + assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2))); + assertEquals(size - 1, multimap.size()); +- assertEquals(null, multimap.remove(key.getKey(0), key.getKey(1), key.getKey(2))); ++ assertEquals(null, multimap.removeMultiKey(key.getKey(0), key.getKey(1), key.getKey(2))); + assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2))); + break; + case 4: + assertEquals(true, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3))); +- assertEquals(value, multimap.remove(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3))); ++ assertEquals(value, multimap.removeMultiKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3))); + assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3))); + assertEquals(size - 1, multimap.size()); +- assertEquals(null, multimap.remove(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3))); ++ assertEquals(null, multimap.removeMultiKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3))); + assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3))); + break; + case 5: + assertEquals(true, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3), key.getKey(4))); +- assertEquals(value, multimap.remove(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3), key.getKey(4))); ++ assertEquals(value, multimap.removeMultiKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3), key.getKey(4))); + assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3), key.getKey(4))); + assertEquals(size - 1, multimap.size()); +- assertEquals(null, multimap.remove(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3), key.getKey(4))); ++ assertEquals(null, multimap.removeMultiKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3), key.getKey(4))); + assertEquals(false, multimap.containsKey(key.getKey(0), key.getKey(1), key.getKey(2), key.getKey(3), key.getKey(4))); + break; + default: +diff --git a/src/test/org/apache/commons/collections/map/TestMultiValueMap.java b/src/test/org/apache/commons/collections/map/TestMultiValueMap.java +index b9a5ac8..9ecc269 100644 +--- a/src/test/org/apache/commons/collections/map/TestMultiValueMap.java ++++ b/src/test/org/apache/commons/collections/map/TestMultiValueMap.java +@@ -161,7 +161,7 @@ public class TestMultiValueMap extends TestCase { + MultiValueMap one = new MultiValueMap(); + Integer value = new Integer(1); + one.put("One", value); +- one.remove("One", value); ++ one.removeMapping("One", value); + + MultiValueMap two = new MultiValueMap(); + assertEquals(two, one); +@@ -187,7 +187,7 @@ public class TestMultiValueMap extends TestCase { + assertEquals(4, map.totalSize()); + map.remove("A"); + assertEquals(3, map.totalSize()); +- map.remove("B", "BC"); ++ map.removeMapping("B", "BC"); + assertEquals(2, map.totalSize()); + } + +@@ -204,7 +204,7 @@ public class TestMultiValueMap extends TestCase { + assertEquals(2, map.size()); + map.remove("A"); + assertEquals(2, map.size()); +- map.remove("B", "BC"); ++ map.removeMapping("B", "BC"); + assertEquals(2, map.size()); + } + +@@ -227,7 +227,7 @@ public class TestMultiValueMap extends TestCase { + map.remove("A"); + assertEquals(0, map.size("A")); + assertEquals(3, map.size("B")); +- map.remove("B", "BC"); ++ map.removeMapping("B", "BC"); + assertEquals(0, map.size("A")); + assertEquals(2, map.size("B")); + } +@@ -338,11 +338,11 @@ public class TestMultiValueMap extends TestCase { + map.put("A", "AA"); + map.put("A", "AB"); + map.put("A", "AC"); +- assertEquals(null, map.remove("C", "CA")); +- assertEquals(null, map.remove("A", "AD")); +- assertEquals("AC", map.remove("A", "AC")); +- assertEquals("AB", map.remove("A", "AB")); +- assertEquals("AA", map.remove("A", "AA")); ++ assertEquals(false, map.removeMapping("C", "CA")); ++ assertEquals(false, map.removeMapping("A", "AD")); ++ assertEquals(true, map.removeMapping("A", "AC")); ++ assertEquals(true, map.removeMapping("A", "AB")); ++ assertEquals(true, map.removeMapping("A", "AA")); + assertEquals(new MultiValueMap(), map); + } + +-- +2.18.0 + diff --git a/gnu/packages/patches/libreoffice-icu.patch b/gnu/packages/patches/libreoffice-icu.patch new file mode 100644 index 0000000000..2985d564aa --- /dev/null +++ b/gnu/packages/patches/libreoffice-icu.patch @@ -0,0 +1,126 @@ +This patch fixes the build of Libreoffice 6.0.5 with icu 61.1. +It was downloaded from https://bugs.gentoo.org/651702. + +--- a/forms/source/xforms/datatypes.hxx ++++ a/forms/source/xforms/datatypes.hxx +@@ -36,6 +36,8 @@ + + #include <memory> + ++using icu::RegexMatcher; ++ + + namespace xforms + { +--- a/i18npool/inc/collator_unicode.hxx ++++ a/i18npool/inc/collator_unicode.hxx +@@ -26,6 +26,8 @@ + + #include <unicode/tblcoll.h> + ++using icu::RuleBasedCollator; ++ + // ---------------------------------------------------- + // class Collator_Unicode + // ---------------------------------------------------- +--- a/i18npool/source/breakiterator/breakiterator_unicode.cxx ++++ a/i18npool/source/breakiterator/breakiterator_unicode.cxx +@@ -30,6 +30,9 @@ + #include <rtl/ustring.hxx> + #include <string.h> + ++using icu::BreakIterator; ++using icu::RuleBasedBreakIterator; ++ + U_CDECL_BEGIN + extern const char OpenOffice_dat[]; + U_CDECL_END +--- a/i18npool/source/collator/collator_unicode.cxx ++++ a/i18npool/source/collator/collator_unicode.cxx +@@ -29,6 +29,8 @@ + #include <com/sun/star/i18n/CollatorOptions.hpp> + #include <cppuhelper/supportsservice.hxx> + ++using icu::Collator; ++ + using namespace ::com::sun::star; + using namespace ::com::sun::star::i18n; + using namespace ::com::sun::star::lang; +--- a/i18npool/source/collator/gencoll_rule.cxx ++++ a/i18npool/source/collator/gencoll_rule.cxx +@@ -31,6 +31,8 @@ + + #include <unicode/tblcoll.h> + ++using icu::RuleBasedCollator; ++ + /* Main Procedure */ + + void data_write(char* file, char* name, sal_uInt8 *data, sal_Int32 len) +--- a/i18npool/source/ordinalsuffix/ordinalsuffix.cxx ++++ a/i18npool/source/ordinalsuffix/ordinalsuffix.cxx +@@ -29,6 +29,8 @@ + #include <unicode/normlzr.h> + #include <memory> + ++using icu::NumberFormat; ++ + using namespace ::com::sun::star::i18n; + using namespace ::com::sun::star::uno; + using namespace ::com::sun::star; +--- a/i18npool/source/transliteration/ignoreDiacritics_CTL.cxx ++++ a/i18npool/source/transliteration/ignoreDiacritics_CTL.cxx +@@ -12,6 +12,8 @@ + #include <unicode/translit.h> + #include <unicode/uchar.h> + ++using icu::UnicodeString; ++ + namespace i18npool { + + ignoreDiacritics_CTL::ignoreDiacritics_CTL() +--- a/i18nutil/source/utility/unicode.cxx ++++ a/i18nutil/source/utility/unicode.cxx +@@ -34,6 +34,9 @@ + // which (obviously) breaks UnicodeType::CURRENCY_SYMBOL + #undef CURRENCY_SYMBOL + ++using icu::NumberFormat; ++using icu::UnicodeString; ++ + using namespace ::com::sun::star::i18n; + + template<class L, typename T> +--- a/lotuswordpro/source/filter/localtime.cxx ++++ a/lotuswordpro/source/filter/localtime.cxx +@@ -57,6 +57,8 @@ + #include <limits.h> + #include <unicode/timezone.h> + ++using icu::TimeZone; ++ + const long DAY_SEC =24 * 60 * 60; + const long YEAR_SEC = 365 * DAY_SEC; + const long FOURYEAR_SEC = 4 * YEAR_SEC + DAY_SEC; +--- a/opencl/source/openclconfig.cxx ++++ a/opencl/source/openclconfig.cxx +@@ -17,6 +17,8 @@ + #include <sal/log.hxx> + #include <sal/types.h> + ++using icu::RegexMatcher; ++ + OpenCLConfig::OpenCLConfig() : + mbUseOpenCL(true) + { +--- a/vcl/inc/scrptrun.h ++++ a/vcl/inc/scrptrun.h +@@ -45,6 +45,8 @@ + #include <unicode/uscript.h> + #include <vector> + ++using icu::UObject; ++ + namespace vcl { + + struct ParenStackEntry diff --git a/gnu/packages/patches/libtiff-CVE-2018-10963.patch b/gnu/packages/patches/libtiff-CVE-2018-10963.patch new file mode 100644 index 0000000000..d31c12399d --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2018-10963.patch @@ -0,0 +1,40 @@ +Fix CVE-2018-10963: + +http://bugzilla.maptools.org/show_bug.cgi?id=2795 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10963 + +Patch copied from upstream source repository: + +https://gitlab.com/libtiff/libtiff/commit/de144fd228e4be8aa484c3caf3d814b6fa88c6d9 + +From de144fd228e4be8aa484c3caf3d814b6fa88c6d9 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sat, 12 May 2018 14:24:15 +0200 +Subject: [PATCH] TIFFWriteDirectorySec: avoid assertion. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963 + +--- + libtiff/tif_dirwrite.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index 2430de6d..c15a28db 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -695,8 +695,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) + } + break; + default: +- assert(0); /* we should never get here */ +- break; ++ TIFFErrorExt(tif->tif_clientdata,module, ++ "Cannot write tag %d (%s)", ++ TIFFFieldTag(o), ++ o->field_name ? o->field_name : "unknown"); ++ goto bad; + } + } + } +-- +2.17.0 + diff --git a/gnu/packages/patches/libtiff-CVE-2018-8905.patch b/gnu/packages/patches/libtiff-CVE-2018-8905.patch new file mode 100644 index 0000000000..f49815789e --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2018-8905.patch @@ -0,0 +1,61 @@ +Fix CVE-2018-8095: + +http://bugzilla.maptools.org/show_bug.cgi?id=2780 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8905 + +Patch copied from upstream source repository: + +https://gitlab.com/libtiff/libtiff/commit/58a898cb4459055bb488ca815c23b880c242a27d + +From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sat, 12 May 2018 15:32:31 +0200 +Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905 + +The fix consists in using the similar code LZWDecode() to validate we +don't write outside of the output buffer. +--- + libtiff/tif_lzw.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c +index 4ccb443c..94d85e38 100644 +--- a/libtiff/tif_lzw.c ++++ b/libtiff/tif_lzw.c +@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + char *tp; + unsigned char *bp; + int code, nbits; ++ int len; + long nextbits, nextdata, nbitsmask; + code_t *codep, *free_entp, *maxcodep, *oldcodep; + +@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s) + } while (--occ); + break; + } +- assert(occ >= codep->length); +- op += codep->length; +- occ -= codep->length; +- tp = op; ++ len = codep->length; ++ tp = op + len; + do { +- *--tp = codep->value; +- } while( (codep = codep->next) != NULL ); ++ int t; ++ --tp; ++ t = codep->value; ++ codep = codep->next; ++ *tp = (char)t; ++ } while (codep && tp > op); ++ assert(occ >= len); ++ op += len; ++ occ -= len; + } else { + *op++ = (char)code; + occ--; +-- +2.17.0 + diff --git a/gnu/packages/patches/libyaml-CVE-2014-9130.patch b/gnu/packages/patches/libyaml-CVE-2014-9130.patch deleted file mode 100644 index 800358c0d6..0000000000 --- a/gnu/packages/patches/libyaml-CVE-2014-9130.patch +++ /dev/null @@ -1,30 +0,0 @@ -Fixes CVE-2014-9130 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130 - -Upstream source: -https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2 - -# HG changeset patch -# User Kirill Simonov <xi@resolvent.net> -# Date 1417197312 21600 -# Node ID 2b9156756423e967cfd09a61d125d883fca6f4f2 -# Parent 053f53a381ff6adbbc93a31ab7fdee06a16c8a33 -Removed invalid simple key assertion (thank to Jonathan Gray). - -diff --git a/src/scanner.c b/src/scanner.c ---- a/src/scanner.c -+++ b/src/scanner.c -@@ -1106,13 +1106,6 @@ - && parser->indent == (ptrdiff_t)parser->mark.column); - - /* -- * A simple key is required only when it is the first token in the current -- * line. Therefore it is always allowed. But we add a check anyway. -- */ -- -- assert(parser->simple_key_allowed || !required); /* Impossible. */ -- -- /* - * If the current position may start a simple key, save it. - */ - diff --git a/gnu/packages/patches/maven-generate-component-xml.patch b/gnu/packages/patches/maven-generate-component-xml.patch new file mode 100644 index 0000000000..6cb23c7858 --- /dev/null +++ b/gnu/packages/patches/maven-generate-component-xml.patch @@ -0,0 +1,171 @@ +From da9e282d834f0e2128501a8154128dc95b4c599d Mon Sep 17 00:00:00 2001 +From: Julien Lepiller <julien@lepiller.eu> +Date: Sat, 9 Sep 2017 20:34:38 +0200 +Subject: [PATCH] Add a script to generate component.xml files. + +plexus-component-metadata is normally used for this task, but it +depends on maven-core, which depends on maven-model-builder, which needs +plexus-component-metadata. This script is meant to break this dependency +cycle. +--- + components.sh | 132 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 132 insertions(+) + create mode 100755 components.sh + +diff --git a/components.sh b/components.sh +new file mode 100755 +index 0000000..c6748bd +--- /dev/null ++++ b/components.sh +@@ -0,0 +1,148 @@ ++## This script generates a rough plexus/components.xml file. It is meant to ++## replace plexus-component-metadata as it eventually has a recursive dependency ++## on itself. ++## ++## This script must be run in the source directory (usually src/main/java). ++ ++# Finds the complete name from a class name. ++function find_role() { ++ role=$1 ++ # Find role ++ case $role in ++ "SettingsWriter" | "SettingsReader") ++ role=org.apache.maven.settings.io.$role ++ ;; ++ "SecDispatcher") ++ role=org.sonatype.plexus.components.sec.dispatcher.$role ++ ;; ++ "SettingsDecrypter") ++ role=org.apache.maven.settings.crypto.$role ++ ;; ++ "SettingsBuilder") ++ role=org.apache.maven.settings.building.$role ++ ;; ++ "SettingsValidator") ++ role=org.apache.maven.settings.validation.$role ++ ;; ++ "LoggerFactory") ++ role=org.eclipse.aether.spi.log.$role ++ ;; ++ "RemoteRepositoryManager" | "VersionResolver" | "VersionRangeResolver" \ ++ | "ArtifactResolver" | "RepositoryEventDispatcher" | "MetadataResolver" \ ++ | "SyncContextFactory" | "MetadataGeneratorFactory" | "MetadatResolver" \ ++ | "ArtifactDescriptorReader") ++ role=org.eclipse.aether.impl.$role ++ ;; ++ "ModelBuilder" | "ModelProcessor") ++ role=org.apache.maven.model.building.$role ++ ;; ++ "ModelValidator") ++ role=org.apache.maven.model.validation.$role ++ ;; ++ "ProfileInjector" | "ProfileSelector") ++ role=org.apache.maven.model.profile.$role ++ ;; ++ "ProfileActivator") ++ role=org.apache.maven.model.profile.activation.$role ++ ;; ++ "SuperPomProvider") ++ role=org.apache.maven.model.superpom.$role ++ ;; ++ "ReportConfigurationExpander" | "PluginConfigurationExpander" \ ++ | "ReportingConverter" | "LifecycleBindingsInjector") ++ role=org.apache.maven.model.plugin.$role ++ ;; ++ "ModelLocator") ++ role=org.apache.maven.model.locator.$role ++ ;; ++ "ModelPathTranslator" | "PathTranslator" | "UrlNormalizer" | "ModelUrlNormalizer") ++ role=org.apache.maven.model.path.$role ++ ;; ++ "DependencyManagementInjector" | "PluginManagementInjector") ++ role=org.apache.maven.model.management.$role ++ ;; ++ "ModelWriter" | "ModelReader") ++ role=org.apache.maven.model.io.$role ++ ;; ++ "DependencyManagementImporter") ++ role=org.apache.maven.model.composition.$role ++ ;; ++ "ModelNormalizer") ++ role=org.apache.maven.model.normalization.$role ++ ;; ++ "ModelInterpolator") ++ role=org.apache.maven.model.interpolation.$role ++ ;; ++ "InheritanceAssembler") ++ role=org.apache.maven.model.inheritance.$role ++ ;; ++ *) ++ role=$role ++ ;; ++ esac ++ echo $role ++} ++ ++function generate_xml() { ++echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" ++echo "<component-set>" ++echo "<components>" ++ ++for file in `find -name '*.java'`; do ++ annot=`grep "@Component" $file` ++ if [ "$?" == "0" ]; then ++ # We have a component! ++ role=$(echo $annot | sed 's|.*role = \(.*\).class.*|\1|') ++ role_hint=$(echo $annot | sed 's|.*hint = "\(.*\)" .*|\1|') ++ if [ "$role_hint" = "$annot" ]; then ++ role_hint=default ++ fi ++ implem=$(echo $file | sed -e 's|^\./||' -e 's|\.java||' -e 's|/|.|g') ++ role=$(find_role $role) ++ ++ echo "<component>" ++ echo " <role>$role</role>" ++ echo " <role-hint>$role_hint</role-hint>" ++ echo " <implementation>$implem</implementation>" ++ echo " <description />" ++ echo " <isolated-realm>false</isolated-realm>" ++ echo " <requirements>" ++ reqn=1 ++ cont=true ++ while [ "$cont" = "true" ]; do ++ requirement=$(grep "@Requirement" $file -A1 | head -n ${reqn} | tail -1) ++ ((reqn++)) ++ property=$(grep "@Requirement" $file -A1 | head -n ${reqn} | tail -1) ++ if (echo $requirement | grep "@Requirement" >/dev/null); then ++ ((reqn++)) ++ ((reqn++)) ++ optional=$(echo $requirement | sed 's|.*optional = \(.*\) .*|\1|') ++ req_role=$(echo $requirement | sed 's|.*role = \(.*\).class .*|\1|') ++ if (echo $req_role | grep "@Requirement" >/dev/null); then ++ req_role=$(echo $property | sed 's|.*private \(.*\) .*|\1|') ++ fi ++ req_role=$(find_role $req_role) ++ req_name=$(echo $property | sed 's|[^ ]* [^ ]* \([^ ;]*\).*|\1|') ++ echo " <requirement>" ++ echo " <role>$req_role</role>" ++ echo " <field-name>$req_name</field-name>" ++ if (echo $optional | grep "@Requirement" >/dev/null); then ++ : ++ else ++ echo " <optional>$optional</optional>" ++ fi ++ echo " </requirement>" ++ else ++ cont=false ++ fi ++ done ++ echo " </requirements>" ++ echo "</component>" ++ fi ++done ++ ++echo "</components>" ++echo "</component-set>" ++} ++ ++(cd $1; generate_xml) > $2 +-- +2.14.1 + diff --git a/gnu/packages/patches/maven-generate-javax-inject-named.patch b/gnu/packages/patches/maven-generate-javax-inject-named.patch new file mode 100644 index 0000000000..b8eba5ab90 --- /dev/null +++ b/gnu/packages/patches/maven-generate-javax-inject-named.patch @@ -0,0 +1,31 @@ +From 1d20c0e403f1a38d4aca830e0eb4db03ba43efd3 Mon Sep 17 00:00:00 2001 +From: Julien Lepiller <julien@lepiller.eu> +Date: Tue, 19 Sep 2017 22:21:29 +0200 +Subject: [PATCH] Add sisu-maven-plugin replacement + +--- + sisu.sh | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + create mode 100755 sisu.sh + +diff --git a/sisu.sh b/sisu.sh +new file mode 100755 +index 0000000..979f373 +--- /dev/null ++++ b/sisu.sh +@@ -0,0 +1,12 @@ ++## This script generates a rough javax.inject.Named file. It is meant to ++## replace sisu-maven-plugin as it eventually has a recursive dependency ++## on maven. ++## ++## This script must be run in the source directory (usually src/main/java). ++ ++for file in `(cd $1; find -name '*.java')`; do ++ annot=`grep "^@Named" $1/$file` ++ if [ "$annot" != "" ]; then ++ echo $file | sed -e 's|^\./||' -e 's|\.java||' -e 's|/|.|g' ++ fi ++done > $2 +-- +2.14.1 + diff --git a/gnu/packages/patches/mrrescue-support-love-11.patch b/gnu/packages/patches/mrrescue-support-love-11.patch new file mode 100644 index 0000000000..2786a6b01b --- /dev/null +++ b/gnu/packages/patches/mrrescue-support-love-11.patch @@ -0,0 +1,213 @@ +From: Tobias Geerinckx-Rice <me@tobias.gr> +Date: Tue, 19 Jun 2018 04:37:46 +0200 +Subject: gnu: mrrescue: Support Love 11. + +The patch below was copied verbatim from an as-yet-unmerged PR[0] to +make Mr. Rescue run on a newer version of the Löve engine. + +[0]: https://github.com/SimonLarsen/mrrescue/pull/17 +--- +From ab23031e0c2faecb77fde1be8a41d6f8ea4e6eda Mon Sep 17 00:00:00 2001 +From: Mystro256 <alexjnewt@hotmail.com> +Date: Sun, 10 Jun 2018 21:19:23 -0400 +Subject: [PATCH] Love 11 support + +--- + conf.lua | 2 +- + config.lua | 6 +++--- + highscore_entry.lua | 4 ++-- + highscore_list.lua | 4 ++-- + ingame.lua | 6 +++--- + ingame_menu.lua | 4 ++-- + joystick.lua | 4 ++-- + main.lua | 2 +- + resources.lua | 4 ++-- + util.lua | 4 ++-- + 10 files changed, 20 insertions(+), 20 deletions(-) + +diff --git a/conf.lua b/conf.lua +index 8776da4..f00b216 100644 +--- a/conf.lua ++++ b/conf.lua +@@ -1,6 +1,6 @@ + function love.conf(t) + t.identity = "mrrescue" +- t.version = "0.10.0" ++ t.version = "11.0" + t.console = false + t.accelerometerjoystick = true + t.gammacorrect = false +diff --git a/config.lua b/config.lua +index 63eeb04..71c2b66 100644 +--- a/config.lua ++++ b/config.lua +@@ -38,7 +38,7 @@ function loadConfig() + config[i] = v + end + end +- if love.filesystem.exists("settings") then ++ if love.filesystem.getInfo("settings")~= nil then + local data = love.filesystem.read("settings") + local file = TSerial.unpack(data) + for i,v in pairs(file) do +@@ -52,7 +52,7 @@ function loadConfig() + end + + function loadHighscores() +- if love.filesystem.exists("highscores") then ++ if love.filesystem.getInfo("highscores")~= nil then + local data = love.filesystem.read("highscores") + local file = TSerial.unpack(data) + for i=1,3 do +@@ -64,7 +64,7 @@ function loadHighscores() + end + + function loadStats() +- if love.filesystem.exists("stats") then ++ if love.filesystem.getInfo("stats")~= nil then + local data = love.filesystem.read("stats") + stats = TSerial.unpack(data) + end +diff --git a/highscore_entry.lua b/highscore_entry.lua +index 2f763af..3b3bb73 100644 +--- a/highscore_entry.lua ++++ b/highscore_entry.lua +@@ -45,9 +45,9 @@ function highscore_entry.draw() + for ix = 1,10 do + if highscore_entry.selection == char then + lg.rectangle("fill", 33+ix*16, 66+iy*16, 14, 14) +- lg.setColor(0,0,0,255) ++ lg.setColor(0,0,0,1) + lg.print(KEYBOARD:sub(char,char), 37+ix*16, 70+iy*16) +- lg.setColor(255,255,255,255) ++ lg.setColor(1,1,1,1) + else + lg.print(KEYBOARD:sub(char,char), 37+ix*16, 70+iy*16) + end +diff --git a/highscore_list.lua b/highscore_list.lua +index 6a17973..b66d0e2 100644 +--- a/highscore_list.lua ++++ b/highscore_list.lua +@@ -31,10 +31,10 @@ function highscore_list.draw() + if scores[i] then + if highscore_list.level == highscore_list.hllevel + and highscore_list.hlpos == i then +- lg.setColor(25,118,115,255) ++ lg.setColor(25/255,118/255,115/255,1) + lg.print(scores[i].name, 48, 14+i*16) + lg.print(scores[i].score, 105, 14+i*16) +- lg.setColor(255,255,255,255) ++ lg.setColor(1,1,1,1) + else + lg.print(scores[i].name, 48, 14+i*16) + lg.print(scores[i].score, 105, 14+i*16) +diff --git a/ingame.lua b/ingame.lua +index 52004f1..f5c6f7c 100644 +--- a/ingame.lua ++++ b/ingame.lua +@@ -189,16 +189,16 @@ function ingame.draw() + lg.pop() + + if map.type == MT_NORMAL then +- lg.setBlendMode("multiply") ++ lg.setBlendMode("multiply", "premultiplied") + lg.draw(canvas, 0,0) + lg.setBlendMode("alpha") + end + + -- Draw red screen if hit + if player.heat > 0 then +- lg.setColor(255,255,255,cap(player.heat*255, 16, 255)) ++ lg.setColor(1,1,1,cap(player.heat*255, 16, 255)/255) + lg.draw(img.red_screen, quad.red_screen, 0,0) +- lg.setColor(255,255,255,255) ++ lg.setColor(1,1,1,1) + end + + -- Draw hud +diff --git a/ingame_menu.lua b/ingame_menu.lua +index 9fcf768..82a8459 100644 +--- a/ingame_menu.lua ++++ b/ingame_menu.lua +@@ -18,10 +18,10 @@ function ingame_menu.draw() + lg.pop() + + lg.scale(config.scale) +- lg.setColor(0,0,0,238) ++ lg.setColor(0,0,0,238/255) + lg.rectangle("fill", 0, 0, WIDTH, HEIGHT) + +- lg.setColor(255,255,255,255) ++ lg.setColor(1,1,1,1) + lg.printf("PAUSED", 0, 46, WIDTH, "center") + lg.print("RESUME", 103, 92) + lg.print("QUIT", 103, 106) +diff --git a/joystick.lua b/joystick.lua +index 50ccadb..72d545e 100644 +--- a/joystick.lua ++++ b/joystick.lua +@@ -22,11 +22,11 @@ function joystick.draw() + lg.printf("SET JOYSTICK", 0, 39, WIDTH, "center") + for i=1,4 do + if joystick.waiting == true and joystick.selection == i then +- lg.setColor(195,52,41) ++ lg.setColor(195/255,52/255,41/255) + end + lg.print(string.upper(joykeynames[i]), 65, 53+i*13) + lg.print(config.joykeys[joykeynames[i]], 165, 53+i*13) +- lg.setColor(255,255,255) ++ lg.setColor(1,1,1) + end + lg.print("DEFAULT", 65, 118) + lg.print("BACK", 65, 131) +diff --git a/main.lua b/main.lua +index 9433e42..56096fa 100644 +--- a/main.lua ++++ b/main.lua +@@ -273,7 +273,7 @@ function love.releaseerrhand(msg) + local font = love.graphics.newFont(14) + love.graphics.setFont(font) + +- love.graphics.setColor(255, 255, 255, 255) ++ love.graphics.setColor(1, 1, 1, 1) + + love.graphics.clear() + +diff --git a/resources.lua b/resources.lua +index e5aa70d..1bab520 100644 +--- a/resources.lua ++++ b/resources.lua +@@ -7,7 +7,7 @@ local snd = {} -- sound Sources + + local IMAGE_FILES = { + "splash", "tangram", "lovesplashpixel", "howto", +- "tiles", "door", "boldfont", "captain_dialog", "captain_dialog_sad", ++ "tiles", "door", "captain_dialog", "captain_dialog_sad", + "boss_health", "highscore_panes", "exclamation", "stats_screen", + "awards", "hud", "hud2", "hud_people", "item_slots", "water_bar", + "reserve_bar", "overloaded_bar", "temperature_bar", "temperature_bar_blink", +@@ -147,7 +147,7 @@ function loadResources() + img.stream:setWrap("repeat", "clamp") + + -- Create fonts +- font.bold = lg.newImageFont(img.boldfont, " ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.,!'-:*@<>+/_$&?", 2) ++ font.bold = lg.newImageFont("data/boldfont.png", " ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.,!'-:*@<>+/_$&?", 2) + lg.setFont(font.bold) + + -- Create quads +diff --git a/util.lua b/util.lua +index b9976da..656600a 100644 +--- a/util.lua ++++ b/util.lua +@@ -105,9 +105,9 @@ end + + + function drawBox(x,y,w,h) +- lg.setColor(30,23,18) ++ lg.setColor(30/255,23/255,18/255) + lg.rectangle("fill",x+1,y+1,w-2,h-2) +- lg.setColor(255,255,255) ++ lg.setColor(1,1,1) + -- Draw sides + lg.draw(img.menu_box, quad.box_left, x, y+1, 0, 1, (h-2)) + lg.draw(img.menu_box, quad.box_left, x+w, y+1, 0, -1, (h-2)) diff --git a/gnu/packages/patches/mumble-1.2.19-abs.patch b/gnu/packages/patches/mumble-1.2.19-abs.patch new file mode 100644 index 0000000000..683325f4bc --- /dev/null +++ b/gnu/packages/patches/mumble-1.2.19-abs.patch @@ -0,0 +1,31 @@ +From ea861fe86743c8402bbad77d8d1dd9de8dce447e Mon Sep 17 00:00:00 2001 +From: Mikkel Krautz <mikkel@krautz.dk> +Date: Fri, 29 Dec 2017 14:47:25 +0100 +Subject: [PATCH] AudioOutput: do not use non-existant template version of + std::abs. + +This change fixes AudioOutput to use the float overload of std::abs: + + float std::abs(float); + +instead of a non-existant template version (for newer Boost 1.66). + +Fixes mumble-voip/mumble#3281 + +--- + src/mumble/AudioOutput.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mumble/AudioOutput.cpp b/src/mumble/AudioOutput.cpp +index cbe0c0e2b..7a0a5e2ab 100644 +--- a/src/mumble/AudioOutput.cpp ++++ b/src/mumble/AudioOutput.cpp +@@ -437,7 +437,7 @@ bool AudioOutput::mix(void *outbuff, unsigned int nsamp) { + top[2] = 0.0f; + } + +- if (std::abs<float>(front[0] * top[0] + front[1] * top[1] + front[2] * top[2]) > 0.01f) { ++ if (std::abs(front[0] * top[0] + front[1] * top[1] + front[2] * top[2]) > 0.01f) { + // Not perpendicular. Assume Y up and rotate 90 degrees. + + float azimuth = 0.0f; diff --git a/gnu/packages/patches/nyx-show-header-stats-with-python3.patch b/gnu/packages/patches/nyx-show-header-stats-with-python3.patch new file mode 100644 index 0000000000..5b20f180f7 --- /dev/null +++ b/gnu/packages/patches/nyx-show-header-stats-with-python3.patch @@ -0,0 +1,70 @@ +From: Tobias Geerinckx-Rice <me@tobias.gr> +Date: Fri, 22 Jun 2018 02:56:39 +0200 +Subject: nyx: Show header stats. + +The following patch was taken verbatim from the upstream repository and +will be included in the next release. +--- +commit 3494111cc81ad4985e81d0c1ea5e451d8f7a2bcc +Author: Damian Johnson <atagar@torproject.org> +Date: Mon Feb 5 20:07:40 2018 -0800 + + Header stats missing with python3 + + Ick! took me a while to find this. Python3 changed division from providing ints + to floats. This in turn caused our header panel to call addstr with float x/y + coordinates, which made that funciton fail silently. End result is that when + the header panel showed two columns of stats the right column was missing. + + Caught thanks to Stijn. + +diff --git a/nyx/panel/header.py b/nyx/panel/header.py +index 09e3838..fb6f2f7 100644 +--- a/nyx/panel/header.py ++++ b/nyx/panel/header.py +@@ -155,7 +155,7 @@ class HeaderPanel(nyx.panel.DaemonPanel): + # space available for content + + interface = nyx_interface() +- left_width = max(subwindow.width / 2, 77) if is_wide else subwindow.width ++ left_width = max(subwindow.width // 2, 77) if is_wide else subwindow.width + right_width = subwindow.width - left_width + + _draw_platform_section(subwindow, 0, 0, left_width, vals) +diff --git a/web/changelog/index.html b/web/changelog/index.html +index 333fa84..196d82b 100644 +--- a/web/changelog/index.html ++++ b/web/changelog/index.html +@@ -74,6 +74,12 @@ + </ul> + </li> + ++ <li><span class="component">Header</span> ++ <ul> ++ <li>Right column of stats missing when using python 3.x</li> ++ </ul> ++ </li> ++ + <li><span class="component">Connections</span> + <ul> + <li>Geoip information unavailable for inbound connections</li> +diff --git a/web/changelog/legacy.html b/web/changelog/legacy.html +index a380806..02d405f 100644 +--- a/web/changelog/legacy.html ++++ b/web/changelog/legacy.html +@@ -137,13 +137,13 @@ + </ul> + </li> + +- <li><span class="component">Startup</span> ++ <li><span class="component">Graph</span> + <ul> + <li>Crash when pausing if we showed accounting stats</li> + </ul> + </li> + +- <li><span class="component">Startup</span> ++ <li><span class="component">Logging</span> + <ul> + <li>Skip reading from malformed tor log files</li> + <li>Unable to log GUARD events</li> diff --git a/gnu/packages/patches/ocaml-enable-ocamldoc-reproducibility.patch b/gnu/packages/patches/ocaml-enable-ocamldoc-reproducibility.patch new file mode 100644 index 0000000000..39fb7aa226 --- /dev/null +++ b/gnu/packages/patches/ocaml-enable-ocamldoc-reproducibility.patch @@ -0,0 +1,149 @@ +From a87c3f20e846c00e53d695497dba7038edbd12f0 Mon Sep 17 00:00:00 2001 +From: Valentin Lorentz <progval@progval.net> +Date: Thu, 13 Aug 2015 11:59:04 +0200 +Subject: [PATCH] Enable ocamldoc to build reproducible manpages + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794586 +Signed-off-by: Stephane Glondu <steph@glondu.net> +--- + ocamldoc/odoc_man.ml | 15 +++++---------- + ocamldoc/odoc_misc.ml | 12 ++++++++++-- + ocamldoc/odoc_misc.mli | 7 ++++++- + 3 files changed, 21 insertions(+), 13 deletions(-) + +diff --git a/ocamldoc/odoc_man.ml b/ocamldoc/odoc_man.ml +index 615c5e172..3c85aa32a 100644 +--- a/ocamldoc/odoc_man.ml ++++ b/ocamldoc/odoc_man.ml +@@ -864,14 +864,13 @@ class man = + (** Generate the man page for the given class.*) + method generate_for_class cl = + Odoc_info.reset_type_names () ; +- let date = Unix.time () in + let file = self#file_name cl.cl_name in + try + let chanout = self#open_out file in + let b = new_buf () in + bs b (".TH \""^cl.cl_name^"\" "); + bs b !man_section ; +- bs b (" "^(Odoc_misc.string_of_date ~hour: false date)^" "); ++ bs b (" source: "^Odoc_misc.current_date^" "); + bs b "OCamldoc "; + bs b ("\""^(match !Global.title with Some t -> t | None -> "")^"\"\n"); + +@@ -923,14 +922,13 @@ class man = + (** Generate the man page for the given class type.*) + method generate_for_class_type ct = + Odoc_info.reset_type_names () ; +- let date = Unix.time () in + let file = self#file_name ct.clt_name in + try + let chanout = self#open_out file in + let b = new_buf () in + bs b (".TH \""^ct.clt_name^"\" "); + bs b !man_section ; +- bs b (" "^(Odoc_misc.string_of_date ~hour: false date)^" "); ++ bs b (" source: "^Odoc_misc.current_date^" "); + bs b "OCamldoc "; + bs b ("\""^(match !Global.title with Some t -> t | None -> "")^"\"\n"); + +@@ -1016,14 +1014,13 @@ class man = + (** Generate the man file for the given module type. + @raise Failure if an error occurs.*) + method generate_for_module_type mt = +- let date = Unix.time () in + let file = self#file_name mt.mt_name in + try + let chanout = self#open_out file in + let b = new_buf () in + bs b (".TH \""^mt.mt_name^"\" "); + bs b !man_section ; +- bs b (" "^(Odoc_misc.string_of_date ~hour: false date)^" "); ++ bs b (" source: "^Odoc_misc.current_date^" "); + bs b "OCamldoc "; + bs b ("\""^(match !Global.title with Some t -> t | None -> "")^"\"\n"); + +@@ -1099,14 +1096,13 @@ class man = + (** Generate the man file for the given module. + @raise Failure if an error occurs.*) + method generate_for_module m = +- let date = Unix.time () in + let file = self#file_name m.m_name in + try + let chanout = self#open_out file in + let b = new_buf () in + bs b (".TH \""^m.m_name^"\" "); + bs b !man_section ; +- bs b (" "^(Odoc_misc.string_of_date ~hour: false date)^" "); ++ bs b (" source: "^Odoc_misc.current_date^" "); + bs b "OCamldoc "; + bs b ("\""^(match !Global.title with Some t -> t | None -> "")^"\"\n"); + +@@ -1206,14 +1202,13 @@ class man = + | Res_const (_,f) -> f.vc_name + ) + in +- let date = Unix.time () in + let file = self#file_name name in + try + let chanout = self#open_out file in + let b = new_buf () in + bs b (".TH \""^name^"\" "); + bs b !man_section ; +- bs b (" "^(Odoc_misc.string_of_date ~hour: false date)^" "); ++ bs b (" source: "^Odoc_misc.current_date^" "); + bs b "OCamldoc "; + bs b ("\""^(match !Global.title with Some t -> t | None -> "")^"\"\n"); + bs b ".SH NAME\n"; +diff --git a/ocamldoc/odoc_misc.ml b/ocamldoc/odoc_misc.ml +index 4c74476da..456225f62 100644 +--- a/ocamldoc/odoc_misc.ml ++++ b/ocamldoc/odoc_misc.ml +@@ -223,9 +223,9 @@ let apply_opt f v_opt = + None -> None + | Some v -> Some (f v) + +-let string_of_date ?(hour=true) d = ++let string_of_date ?(absolute=false) ?(hour=true) d = + let add_0 s = if String.length s < 2 then "0"^s else s in +- let t = Unix.localtime d in ++ let t = (if absolute then Unix.gmtime else Unix.localtime) d in + (string_of_int (t.Unix.tm_year + 1900))^"-"^ + (add_0 (string_of_int (t.Unix.tm_mon + 1)))^"-"^ + (add_0 (string_of_int t.Unix.tm_mday))^ +@@ -238,6 +238,14 @@ let string_of_date ?(hour=true) d = + "" + ) + ++let current_date = ++ let time = ++ try ++ float_of_string (Sys.getenv "SOURCE_DATE_EPOCH") ++ with ++ Not_found -> Unix.time () ++ in string_of_date ~absolute: true ~hour: false time ++ + + let rec text_list_concat sep l = + match l with +diff --git a/ocamldoc/odoc_misc.mli b/ocamldoc/odoc_misc.mli +index dd5a7fcb9..38ff0612b 100644 +--- a/ocamldoc/odoc_misc.mli ++++ b/ocamldoc/odoc_misc.mli +@@ -62,7 +62,12 @@ val apply_opt : ('a -> 'b) -> 'a option -> 'b option + + (** Return a string representing a date given as a number of seconds + since 1970. The hour is optionnaly displayed. *) +-val string_of_date : ?hour:bool -> float -> string ++val string_of_date : ?absolute:bool -> ?hour:bool -> float -> string ++ ++(* Value returned by string_of_date for current time. ++ * Uses environment variable SOURCE_DATE_EPOCH if set; falls back to ++ * current timestamp otherwise. *) ++val current_date : string + + (** Return the first sentence (until the first dot) of a text. + Don't stop in the middle of [Code], [Verbatim], [List], [Lnum], +-- +2.17.1 + diff --git a/gnu/packages/patches/opensmtpd-fix-crash.patch b/gnu/packages/patches/opensmtpd-fix-crash.patch new file mode 100644 index 0000000000..0030167533 --- /dev/null +++ b/gnu/packages/patches/opensmtpd-fix-crash.patch @@ -0,0 +1,44 @@ +From 9b5f70b93e038df5446bd37a4adac5a0380748e7 Mon Sep 17 00:00:00 2001 +From: johannes <johannes.brechtmann@gmail.com> +Date: Wed, 21 Feb 2018 23:57:11 +0100 +Subject: [PATCH] crypt_checkpass: include HAVE_CRYPT_H definition, add NULL + check + +--- + openbsd-compat/crypt_checkpass.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/openbsd-compat/crypt_checkpass.c b/openbsd-compat/crypt_checkpass.c +index dafd2dae..d10b3a57 100644 +--- a/openbsd-compat/crypt_checkpass.c ++++ b/openbsd-compat/crypt_checkpass.c +@@ -1,5 +1,6 @@ + /* OPENBSD ORIGINAL: lib/libc/crypt/cryptutil.c */ + ++#include "includes.h" + #include <errno.h> + #ifdef HAVE_CRYPT_H + #include <crypt.h> +@@ -10,6 +11,8 @@ + int + crypt_checkpass(const char *pass, const char *goodhash) + { ++ char *c; ++ + if (goodhash == NULL) + goto fail; + +@@ -17,7 +20,11 @@ crypt_checkpass(const char *pass, const char *goodhash) + if (strlen(goodhash) == 0 && strlen(pass) == 0) + return 0; + +- if (strcmp(crypt(pass, goodhash), goodhash) == 0) ++ c = crypt(pass, goodhash); ++ if (c == NULL) ++ goto fail; ++ ++ if (strcmp(c, goodhash) == 0) + return 0; + + fail: + diff --git a/gnu/packages/patches/openssl-1.0.2-CVE-2018-0495.patch b/gnu/packages/patches/openssl-1.0.2-CVE-2018-0495.patch new file mode 100644 index 0000000000..2d54ed03b9 --- /dev/null +++ b/gnu/packages/patches/openssl-1.0.2-CVE-2018-0495.patch @@ -0,0 +1,215 @@ +Fix CVE-2018-0495: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495 +https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/ + +Patch copied from upstream source repository: + +https://github.com/openssl/openssl/commit/949ff36623eafc3523a9f91784992965018ffb05 + +From 949ff36623eafc3523a9f91784992965018ffb05 Mon Sep 17 00:00:00 2001 +From: Matt Caswell <matt@openssl.org> +Date: Fri, 25 May 2018 12:10:13 +0100 +Subject: [PATCH] Add blinding to an ECDSA signature + +Keegan Ryan (NCC Group) has demonstrated a side channel attack on an +ECDSA signature operation. During signing the signer calculates: + +s:= k^-1 * (m + r * priv_key) mod order + +The addition operation above provides a sufficient signal for a +flush+reload attack to derive the private key given sufficient signature +operations. + +As a mitigation (based on a suggestion from Keegan) we add blinding to +the operation so that: + +s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order + +Since this attack is a localhost side channel only no CVE is assigned. + +Reviewed-by: Rich Salz <rsalz@openssl.org> +--- + CHANGES | 4 ++ + crypto/ecdsa/ecdsatest.c | 9 ++++- + crypto/ecdsa/ecs_ossl.c | 82 ++++++++++++++++++++++++++++++++-------- + 3 files changed, 79 insertions(+), 16 deletions(-) + +diff --git a/crypto/ecdsa/ecdsatest.c b/crypto/ecdsa/ecdsatest.c +index 0f301f86d9..a130fc9117 100644 +--- a/crypto/ecdsa/ecdsatest.c ++++ b/crypto/ecdsa/ecdsatest.c +@@ -137,7 +137,7 @@ int restore_rand(void) + return 1; + } + +-static int fbytes_counter = 0; ++static int fbytes_counter = 0, use_fake = 0; + static const char *numbers[8] = { + "651056770906015076056810763456358567190100156695615665659", + "6140507067065001063065065565667405560006161556565665656654", +@@ -158,6 +158,11 @@ int fbytes(unsigned char *buf, int num) + int ret; + BIGNUM *tmp = NULL; + ++ if (use_fake == 0) ++ return old_rand->bytes(buf, num); ++ ++ use_fake = 0; ++ + if (fbytes_counter >= 8) + return 0; + tmp = BN_new(); +@@ -199,11 +204,13 @@ int x9_62_test_internal(BIO *out, int nid, const char *r_in, const char *s_in) + /* create the key */ + if ((key = EC_KEY_new_by_curve_name(nid)) == NULL) + goto x962_int_err; ++ use_fake = 1; + if (!EC_KEY_generate_key(key)) + goto x962_int_err; + BIO_printf(out, "."); + (void)BIO_flush(out); + /* create the signature */ ++ use_fake = 1; + signature = ECDSA_do_sign(digest, 20, key); + if (signature == NULL) + goto x962_int_err; +diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c +index 16d4f59b9b..1d37551803 100644 +--- a/crypto/ecdsa/ecs_ossl.c ++++ b/crypto/ecdsa/ecs_ossl.c +@@ -252,6 +252,7 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, + { + int ok = 0, i; + BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL; ++ BIGNUM *blind = NULL, *blindm = NULL; + const BIGNUM *ckinv; + BN_CTX *ctx = NULL; + const EC_GROUP *group; +@@ -269,14 +270,25 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, + } + + ret = ECDSA_SIG_new(); +- if (!ret) { ++ if (ret == NULL) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); + return NULL; + } + s = ret->s; + +- if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL || +- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ BN_CTX_start(ctx); ++ order = BN_CTX_get(ctx); ++ tmp = BN_CTX_get(ctx); ++ m = BN_CTX_get(ctx); ++ blind = BN_CTX_get(ctx); ++ blindm = BN_CTX_get(ctx); ++ if (blindm == NULL) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } +@@ -315,26 +327,70 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, + } + } + +- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { ++ /* ++ * The normal signature calculation is: ++ * ++ * s := k^-1 * (m + r * priv_key) mod order ++ * ++ * We will blind this to protect against side channel attacks ++ * ++ * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order ++ */ ++ ++ /* Generate a blinding value */ ++ do { ++ if (!BN_rand(blind, BN_num_bits(order) - 1, -1, 0)) ++ goto err; ++ } while (BN_is_zero(blind)); ++ BN_set_flags(blind, BN_FLG_CONSTTIME); ++ BN_set_flags(blindm, BN_FLG_CONSTTIME); ++ BN_set_flags(tmp, BN_FLG_CONSTTIME); ++ ++ /* tmp := blind * priv_key * r mod order */ ++ if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); ++ goto err; ++ } ++ if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* blindm := blind * m mod order */ ++ if (!BN_mod_mul(blindm, blind, m, order, ctx)) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s : = (blind * priv_key * r) + (blind * m) mod order */ ++ if (!BN_mod_add_quick(s, tmp, blindm, order)) { ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s:= s * blind^-1 mod order */ ++ if (BN_mod_inverse(blind, blind, order, ctx) == NULL) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); + goto err; + } +- if (!BN_mod_add_quick(s, tmp, m, order)) { ++ if (!BN_mod_mul(s, s, blind, order, ctx)) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); + goto err; + } ++ ++ /* s := s * k^-1 mod order */ + if (!BN_mod_mul(s, s, ckinv, order, ctx)) { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); + goto err; + } ++ + if (BN_is_zero(s)) { + /* + * if kinv and r have been supplied by the caller don't to + * generate new kinv and r values + */ + if (in_kinv != NULL && in_r != NULL) { +- ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, +- ECDSA_R_NEED_NEW_SETUP_VALUES); ++ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES); + goto err; + } + } else +@@ -349,15 +405,11 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, + ECDSA_SIG_free(ret); + ret = NULL; + } +- if (ctx) ++ if (ctx != NULL) { ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); +- if (m) +- BN_clear_free(m); +- if (tmp) +- BN_clear_free(tmp); +- if (order) +- BN_free(order); +- if (kinv) ++ } ++ if (kinv != NULL) + BN_clear_free(kinv); + return ret; + } +-- +2.17.1 + diff --git a/gnu/packages/patches/openssl-1.0.2-CVE-2018-0732.patch b/gnu/packages/patches/openssl-1.0.2-CVE-2018-0732.patch new file mode 100644 index 0000000000..50b95306a5 --- /dev/null +++ b/gnu/packages/patches/openssl-1.0.2-CVE-2018-0732.patch @@ -0,0 +1,50 @@ +Fix CVE-2018-0732: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732 + +Patch copied from upstream source repository: + +https://github.com/openssl/openssl/commit/3984ef0b72831da8b3ece4745cac4f8575b19098 + +From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001 +From: Guido Vranken <guidovranken@gmail.com> +Date: Mon, 11 Jun 2018 19:38:54 +0200 +Subject: [PATCH] Reject excessively large primes in DH key generation. + +CVE-2018-0732 + +Signed-off-by: Guido Vranken <guidovranken@gmail.com> + +(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe) + +Reviewed-by: Tim Hudson <tjh@openssl.org> +Reviewed-by: Matt Caswell <matt@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/6457) +--- + crypto/dh/dh_key.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index 387558f146..f235e0d682 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -130,10 +130,15 @@ static int generate_key(DH *dh) + int ok = 0; + int generate_new_key = 0; + unsigned l; +- BN_CTX *ctx; ++ BN_CTX *ctx = NULL; + BN_MONT_CTX *mont = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL; + ++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); ++ return 0; ++ } ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +-- +2.17.1 + diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch new file mode 100644 index 0000000000..15dedbcbd0 --- /dev/null +++ b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch @@ -0,0 +1,152 @@ +Fix CVE-2018-0495: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495 +https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/ + +Patch copied from upstream source repository: + +https://github.com/openssl/openssl/commit/0c27d793745c7837b13646302b6890a556b7017a + +From 0c27d793745c7837b13646302b6890a556b7017a Mon Sep 17 00:00:00 2001 +From: Matt Caswell <matt@openssl.org> +Date: Fri, 25 May 2018 12:10:13 +0100 +Subject: [PATCH] Add blinding to an ECDSA signature + +Keegan Ryan (NCC Group) has demonstrated a side channel attack on an +ECDSA signature operation. During signing the signer calculates: + +s:= k^-1 * (m + r * priv_key) mod order + +The addition operation above provides a sufficient signal for a +flush+reload attack to derive the private key given sufficient signature +operations. + +As a mitigation (based on a suggestion from Keegan) we add blinding to +the operation so that: + +s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order + +Since this attack is a localhost side channel only no CVE is assigned. + +Reviewed-by: Rich Salz <rsalz@openssl.org> +--- + CHANGES | 4 +++ + crypto/ec/ecdsa_ossl.c | 70 +++++++++++++++++++++++++++++++++++++----- + 2 files changed, 67 insertions(+), 7 deletions(-) + +diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c +index 72e2f0f28b..449be0e92a 100644 +--- a/crypto/ec/ecdsa_ossl.c ++++ b/crypto/ec/ecdsa_ossl.c +@@ -210,7 +210,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, + EC_KEY *eckey) + { + int ok = 0, i; +- BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL; ++ BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *blind = NULL; ++ BIGNUM *blindm = NULL; + const BIGNUM *order, *ckinv; + BN_CTX *ctx = NULL; + const EC_GROUP *group; +@@ -243,8 +244,18 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, + } + s = ret->s; + +- if ((ctx = BN_CTX_new()) == NULL || +- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { ++ ctx = BN_CTX_secure_new(); ++ if (ctx == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ BN_CTX_start(ctx); ++ tmp = BN_CTX_get(ctx); ++ m = BN_CTX_get(ctx); ++ blind = BN_CTX_get(ctx); ++ blindm = BN_CTX_get(ctx); ++ if (blindm == NULL) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); + goto err; + } +@@ -284,18 +295,64 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, + } + } + +- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { ++ /* ++ * The normal signature calculation is: ++ * ++ * s := k^-1 * (m + r * priv_key) mod order ++ * ++ * We will blind this to protect against side channel attacks ++ * ++ * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order ++ */ ++ ++ /* Generate a blinding value */ ++ do { ++ if (!BN_rand(blind, BN_num_bits(order) - 1, BN_RAND_TOP_ANY, ++ BN_RAND_BOTTOM_ANY)) ++ goto err; ++ } while (BN_is_zero(blind)); ++ BN_set_flags(blind, BN_FLG_CONSTTIME); ++ BN_set_flags(blindm, BN_FLG_CONSTTIME); ++ BN_set_flags(tmp, BN_FLG_CONSTTIME); ++ ++ /* tmp := blind * priv_key * r mod order */ ++ if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } +- if (!BN_mod_add_quick(s, tmp, m, order)) { ++ if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } ++ ++ /* blindm := blind * m mod order */ ++ if (!BN_mod_mul(blindm, blind, m, order, ctx)) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s : = (blind * priv_key * r) + (blind * m) mod order */ ++ if (!BN_mod_add_quick(s, tmp, blindm, order)) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s:= s * blind^-1 mod order */ ++ if (BN_mod_inverse(blind, blind, order, ctx) == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ if (!BN_mod_mul(s, s, blind, order, ctx)) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s := s * k^-1 mod order */ + if (!BN_mod_mul(s, s, ckinv, order, ctx)) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } ++ + if (BN_is_zero(s)) { + /* + * if kinv and r have been supplied by the caller don't to +@@ -317,9 +374,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, + ECDSA_SIG_free(ret); + ret = NULL; + } ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); +- BN_clear_free(m); +- BN_clear_free(tmp); + BN_clear_free(kinv); + return ret; + } +-- +2.17.1 + diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch new file mode 100644 index 0000000000..dfea6e7d06 --- /dev/null +++ b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch @@ -0,0 +1,50 @@ +Fix CVE-2018-0732: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732 + +Patch copied from upstream source repository: + +https://github.com/openssl/openssl/commit/ea7abeeabf92b7aca160bdd0208636d4da69f4f4 + +From ea7abeeabf92b7aca160bdd0208636d4da69f4f4 Mon Sep 17 00:00:00 2001 +From: Guido Vranken <guidovranken@gmail.com> +Date: Mon, 11 Jun 2018 19:38:54 +0200 +Subject: [PATCH] Reject excessively large primes in DH key generation. + +CVE-2018-0732 + +Signed-off-by: Guido Vranken <guidovranken@gmail.com> + +(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe) + +Reviewed-by: Tim Hudson <tjh@openssl.org> +Reviewed-by: Matt Caswell <matt@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/6457) +--- + crypto/dh/dh_key.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index fce9ff47f3..58003d7087 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -78,10 +78,15 @@ static int generate_key(DH *dh) + int ok = 0; + int generate_new_key = 0; + unsigned l; +- BN_CTX *ctx; ++ BN_CTX *ctx = NULL; + BN_MONT_CTX *mont = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL; + ++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); ++ return 0; ++ } ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +-- +2.17.1 + diff --git a/gnu/packages/patches/password-store-gnupg-compat.patch b/gnu/packages/patches/password-store-gnupg-compat.patch deleted file mode 100644 index 75c6362021..0000000000 --- a/gnu/packages/patches/password-store-gnupg-compat.patch +++ /dev/null @@ -1,28 +0,0 @@ -Copied from upstream mailing list: -https://lists.zx2c4.com/pipermail/password-store/2018-February/003216.html. - -From 9b0c86159d754cc88dd3642564eed527153dfb7f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= <clement@lassieur.org> -Date: Sat, 24 Feb 2018 12:05:46 +0100 -Subject: [PATCH] tests: fix compatibility with GnuPG 2.2.5 - ---- - tests/t0300-reencryption.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/t0300-reencryption.sh b/tests/t0300-reencryption.sh -index 6d5811d..6d15364 100755 ---- a/tests/t0300-reencryption.sh -+++ b/tests/t0300-reencryption.sh -@@ -10,7 +10,7 @@ canonicalize_gpg_keys() { - $GPG --list-keys --with-colons "$@" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u - } - gpg_keys_from_encrypted_file() { -- $GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u -+ $GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | grep "public key is" | cut -d ' ' -f 5 | LC_ALL=C sort -u - } - gpg_keys_from_group() { - local output="$($GPG --list-config --with-colons | sed -n "s/^cfg:group:$1:\\(.*\\)/\\1/p" | head -n 1)" --- -2.16.2 - diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch new file mode 100644 index 0000000000..6460cf5855 --- /dev/null +++ b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch @@ -0,0 +1,36 @@ +Fix CVE-2018-12015: + +https://security-tracker.debian.org/tracker/CVE-2018-12015 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015 +https://rt.cpan.org/Ticket/Display.html?id=125523 + +Patch taken from this upstream commit and adapted to apply to +the bundled copy in the Perl distribution: + +https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5 + +diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm +index 6244369..a83975f 100644 +--- a/cpan/Archive-Tar/lib/Archive/Tar.pm ++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm +@@ -845,6 +845,20 @@ sub _extract_file { + return; + } + ++ ### If a file system already contains a block device with the same name as ++ ### the being extracted regular file, we would write the file's content ++ ### to the block device. So remove the existing file (block device) now. ++ ### If an archive contains multiple same-named entries, the last one ++ ### should replace the previous ones. So remove the old file now. ++ ### If the old entry is a symlink to a file outside of the CWD, the new ++ ### entry would create a file there. This is CVE-2018-12015 ++ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>. ++ if (-l $full || -e _) { ++ if (!unlink $full) { ++ $self->_error( qq[Could not remove old file '$full': $!] ); ++ return; ++ } ++ } + if( length $entry->type && $entry->is_file ) { + my $fh = IO::File->new; + $fh->open( $full, '>' ) or ( diff --git a/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch b/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch deleted file mode 100644 index e1e71a332a..0000000000 --- a/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 700076019b5aff72aac7651cc830aaef21ee9a47 Mon Sep 17 00:00:00 2001 -From: jakirkham <jakirkham@gmail.com> -Date: Fri, 7 Jul 2017 05:57:56 -0400 -Subject: [PATCH] Drop ordereddict requirement (#84) - -* Drop ordereddict requirement - -As Python 2.7 is the minimum Python supported, every version of Python -should have `ordereddict` preincluded in the standard library one way or -another. So we can drop this dependency and just handle the differences -between Python 2 and Python 3. ---- - nosetimer/plugin.py | 5 +---- - setup.py | 1 - - 2 files changed, 1 insertion(+), 5 deletions(-) - -diff --git a/nosetimer/plugin.py b/nosetimer/plugin.py -index ef28e11..d093a51 100644 ---- a/nosetimer/plugin.py -+++ b/nosetimer/plugin.py -@@ -12,10 +12,7 @@ - except ImportError: - import queue as Queue - --try: -- from collections import OrderedDict --except ImportError: -- from ordereddict import OrderedDict -+from collections import OrderedDict - - - # define constants -diff --git a/setup.py b/setup.py -index 6a55b82..d249325 100755 ---- a/setup.py -+++ b/setup.py -@@ -27,7 +27,6 @@ - install_requires=[ - 'nose', - 'termcolor', -- 'ordereddict', - ], - license='MIT', - entry_points={ diff --git a/gnu/packages/patches/qemu-CVE-2018-11806.patch b/gnu/packages/patches/qemu-CVE-2018-11806.patch new file mode 100644 index 0000000000..f021dfa747 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2018-11806.patch @@ -0,0 +1,105 @@ +Fix CVE-2018-11806: + +https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806 + +Patch copied from upstream source repository: + +https://git.qemu.org/?p=qemu.git;a=commitdiff;h=864036e251f54c99d31df124aad7f34f01f5344c + +From 864036e251f54c99d31df124aad7f34f01f5344c Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 5 Jun 2018 23:38:35 +0530 +Subject: [PATCH] slirp: correct size computation while concatenating mbuf + +While reassembling incoming fragmented datagrams, 'm_cat' routine +extends the 'mbuf' buffer, if it has insufficient room. It computes +a wrong buffer size, which leads to overwriting adjacent heap buffer +area. Correct this size computation in m_cat. + +Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> +--- + slirp/mbuf.c | 11 +++++------ + slirp/mbuf.h | 8 +++----- + 2 files changed, 8 insertions(+), 11 deletions(-) + +diff --git a/slirp/mbuf.c b/slirp/mbuf.c +index 5ff24559fd..18cbf759a7 100644 +--- a/slirp/mbuf.c ++++ b/slirp/mbuf.c +@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n) + * If there's no room, realloc + */ + if (M_FREEROOM(m) < n->m_len) +- m_inc(m,m->m_size+MINCSIZE); ++ m_inc(m, m->m_len + n->m_len); + + memcpy(m->m_data+m->m_len, n->m_data, n->m_len); + m->m_len += n->m_len; +@@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n) + } + + +-/* make m size bytes large */ ++/* make m 'size' bytes large from m_data */ + void + m_inc(struct mbuf *m, int size) + { +@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size) + + if (m->m_flags & M_EXT) { + datasize = m->m_data - m->m_ext; +- m->m_ext = g_realloc(m->m_ext, size); ++ m->m_ext = g_realloc(m->m_ext, size + datasize); + m->m_data = m->m_ext + datasize; + } else { + char *dat; + datasize = m->m_data - m->m_dat; +- dat = g_malloc(size); ++ dat = g_malloc(size + datasize); + memcpy(dat, m->m_dat, m->m_size); + + m->m_ext = dat; +@@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size) + m->m_flags |= M_EXT; + } + +- m->m_size = size; +- ++ m->m_size = size + datasize; + } + + +diff --git a/slirp/mbuf.h b/slirp/mbuf.h +index 893601ff9d..33b84485d6 100644 +--- a/slirp/mbuf.h ++++ b/slirp/mbuf.h +@@ -33,8 +33,6 @@ + #ifndef MBUF_H + #define MBUF_H + +-#define MINCSIZE 4096 /* Amount to increase mbuf if too small */ +- + /* + * Macros for type conversion + * mtod(m,t) - convert mbuf pointer to data pointer of correct type +@@ -72,11 +70,11 @@ struct mbuf { + struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */ + int m_flags; /* Misc flags */ + +- int m_size; /* Size of data */ ++ int m_size; /* Size of mbuf, from m_dat or m_ext */ + struct socket *m_so; + +- caddr_t m_data; /* Location of data */ +- int m_len; /* Amount of data in this mbuf */ ++ caddr_t m_data; /* Current location of data */ ++ int m_len; /* Amount of data in this mbuf, from m_data */ + + Slirp *slirp; + bool resolution_requested; +-- +2.17.1 + diff --git a/gnu/packages/patches/strace-kernel-4.16.patch b/gnu/packages/patches/strace-kernel-4.16.patch deleted file mode 100644 index e86d3be439..0000000000 --- a/gnu/packages/patches/strace-kernel-4.16.patch +++ /dev/null @@ -1,92 +0,0 @@ -Fix test failure when using Linux-Libre >= 4.16. - -Taken from upstream: -https://github.com/strace/strace/commit/bcff87c31c0f27c678a43d6b7f67dab363a974fa - -From bcff87c31c0f27c678a43d6b7f67dab363a974fa Mon Sep 17 00:00:00 2001 -From: Masatake YAMATO <yamato@redhat.com> -Date: Wed, 2 May 2018 17:11:07 +0900 -Subject: [PATCH] tests/ioctl_kvm_run.c: handle cpuid at the end of vcpu dentry - -Since Linux 4.16, kernel appends the cpuid as suffix to the entry -for a kvm vcpu in /proc/$pid/fd like: - - anon_inode:kvm-vcpu:0 - -That was - - anon_inode:kvm-vcpu - -This kernel change causes the test case failure on newer kernels. -Update the test to deal with the new name as well as the old one. - -* tests/ioctl_kvm_run.c: Include unistd.h for using readlink(2). -(vcpu_dev_should_have_cpuid): New function for detecting whether -a proc entry for given fd has the cpuid suffix or not. -(main): Trim vcpu_dev to remove the cpuid suffix if needed. -(vcpu_dev): Remove const modifier. ---- - tests/ioctl_kvm_run.c | 29 ++++++++++++++++++++++++++++- - 1 file changed, 28 insertions(+), 1 deletion(-) - -diff --git a/tests/ioctl_kvm_run.c b/tests/ioctl_kvm_run.c -index 179461430..e1bef5796 100644 ---- a/tests/ioctl_kvm_run.c -+++ b/tests/ioctl_kvm_run.c -@@ -40,6 +40,7 @@ - # include <string.h> - # include <sys/ioctl.h> - # include <sys/mman.h> -+# include <unistd.h> - # include <linux/kvm.h> - - static int -@@ -56,7 +57,7 @@ kvm_ioctl(int fd, unsigned long cmd, const char *cmd_str, void *arg) - - static const char dev[] = "/dev/kvm"; - static const char vm_dev[] = "anon_inode:kvm-vm"; --static const char vcpu_dev[] = "anon_inode:kvm-vcpu"; -+static char vcpu_dev[] = "anon_inode:kvm-vcpu:0"; - static size_t page_size; - - extern const char code[]; -@@ -165,6 +166,23 @@ run_kvm(const int vcpu_fd, struct kvm_run *const run, const size_t mmap_size, - } - } - -+static int -+vcpu_dev_should_have_cpuid(int fd) -+{ -+ int r = 0; -+ char *filename = NULL; -+ char buf[sizeof(vcpu_dev)]; -+ -+ if (asprintf(&filename, "/proc/%d/fd/%d", getpid(), fd) < 0) -+ error_msg_and_fail("asprintf"); -+ -+ if (readlink(filename, buf, sizeof(buf)) == sizeof(buf) - 1 -+ && (memcmp(buf, vcpu_dev, sizeof(buf) - 1) == 0)) -+ r = 1; -+ free(filename); -+ return r; -+} -+ - int - main(void) - { -@@ -208,6 +226,15 @@ main(void) - (unsigned long) page_size, (unsigned long) page_size, mem); - - int vcpu_fd = KVM_IOCTL(vm_fd, KVM_CREATE_VCPU, NULL); -+ if (!vcpu_dev_should_have_cpuid(vcpu_fd)) -+ /* -+ * This is an older kernel that doesn't place a cpuid -+ * at the end of the dentry associated with vcpu_fd. -+ * Trim the cpuid part of vcpu_dev like: -+ * "anon_inode:kvm-vcpu:0" -> "anon_inode:kvm-vcpu" -+ */ -+ vcpu_dev[strlen (vcpu_dev) - 2] = '\0'; -+ - printf("ioctl(%d<%s>, KVM_CREATE_VCPU, 0) = %d<%s>\n", - vm_fd, vm_dev, vcpu_fd, vcpu_dev); - diff --git a/gnu/packages/patches/upx-fix-CVE-2017-15056.patch b/gnu/packages/patches/upx-fix-CVE-2017-15056.patch new file mode 100644 index 0000000000..525980e73e --- /dev/null +++ b/gnu/packages/patches/upx-fix-CVE-2017-15056.patch @@ -0,0 +1,96 @@ +From 3e0c2966dffb5dadb512a476ef4be3d0cc51c2be Mon Sep 17 00:00:00 2001 +From: Pierre Neidhardt <ambrevar@gmail.com> +Date: Sat, 16 Jun 2018 16:35:00 +0200 +Subject: [PATCH] Protect against bad crafted input + +Also check for wrap-around when checking oversize involving e_shoff and e_shnum. + +raised by https://github.com/upx/upx/pull/190 + modified: p_lx_elf.cpp +--- + src/p_lx_elf.cpp | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp +index 822a7652..41e805ee 100644 +--- a/src/p_lx_elf.cpp ++++ b/src/p_lx_elf.cpp +@@ -235,8 +235,17 @@ PackLinuxElf32::PackLinuxElf32help1(InputFile *f) + sz_phdrs = 0; + return; + } ++ if (0==e_phnum) throwCantUnpack("0==e_phnum"); + e_phoff = get_te32(&ehdri.e_phoff); ++ unsigned const last_Phdr = e_phoff + e_phnum * sizeof(Elf32_Phdr); ++ if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) { ++ throwCantUnpack("bad e_phoff"); ++ } + e_shoff = get_te32(&ehdri.e_shoff); ++ unsigned const last_Shdr = e_shoff + e_shnum * sizeof(Elf32_Shdr); ++ if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) { ++ throwCantUnpack("bad e_shoff"); ++ } + sz_phdrs = e_phnum * e_phentsize; + + if (f && Elf32_Ehdr::ET_DYN!=e_type) { +@@ -599,8 +608,17 @@ PackLinuxElf64::PackLinuxElf64help1(InputFile *f) + sz_phdrs = 0; + return; + } ++ if (0==e_phnum) throwCantUnpack("0==e_phnum"); + e_phoff = get_te64(&ehdri.e_phoff); ++ upx_uint64_t const last_Phdr = e_phoff + e_phnum * sizeof(Elf64_Phdr); ++ if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) { ++ throwCantUnpack("bad e_phoff"); ++ } + e_shoff = get_te64(&ehdri.e_shoff); ++ upx_uint64_t const last_Shdr = e_shoff + e_shnum * sizeof(Elf64_Shdr); ++ if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) { ++ throwCantUnpack("bad e_shoff"); ++ } + sz_phdrs = e_phnum * e_phentsize; + + if (f && Elf64_Ehdr::ET_DYN!=e_type) { +@@ -3763,6 +3781,9 @@ void PackLinuxElf64::pack4(OutputFile *fo, Filter &ft) + + void PackLinuxElf64::unpack(OutputFile *fo) + { ++ if (e_phoff != sizeof(Elf64_Ehdr)) {// Phdrs not contiguous with Ehdr ++ throwCantUnpack("bad e_phoff"); ++ } + unsigned const c_phnum = get_te16(&ehdri.e_phnum); + upx_uint64_t old_data_off = 0; + upx_uint64_t old_data_len = 0; +@@ -3828,6 +3849,9 @@ void PackLinuxElf64::unpack(OutputFile *fo) + unsigned total_out = 0; + unsigned c_adler = upx_adler32(NULL, 0); + unsigned u_adler = upx_adler32(NULL, 0); ++ if ((MAX_ELF_HDR - sizeof(Elf64_Ehdr))/sizeof(Elf64_Phdr) < u_phnum) { ++ throwCantUnpack("bad compressed e_phnum"); ++ } + + // Packed ET_EXE has no PT_DYNAMIC. + // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld. +@@ -4383,6 +4407,9 @@ Elf64_Sym const *PackLinuxElf64::elf_lookup(char const *name) const + + void PackLinuxElf32::unpack(OutputFile *fo) + { ++ if (e_phoff != sizeof(Elf32_Ehdr)) {// Phdrs not contiguous with Ehdr ++ throwCantUnpack("bad e_phoff"); ++ } + unsigned const c_phnum = get_te16(&ehdri.e_phnum); + unsigned old_data_off = 0; + unsigned old_data_len = 0; +@@ -4449,6 +4476,9 @@ void PackLinuxElf32::unpack(OutputFile *fo) + unsigned total_out = 0; + unsigned c_adler = upx_adler32(NULL, 0); + unsigned u_adler = upx_adler32(NULL, 0); ++ if ((MAX_ELF_HDR - sizeof(Elf32_Ehdr))/sizeof(Elf32_Phdr) < u_phnum) { ++ throwCantUnpack("bad compressed e_phnum"); ++ } + + // Packed ET_EXE has no PT_DYNAMIC. + // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld. +-- +2.17.0 + diff --git a/gnu/packages/patches/x265-fix-ppc64le-build.patch b/gnu/packages/patches/x265-fix-ppc64le-build.patch new file mode 100644 index 0000000000..f71d2436ab --- /dev/null +++ b/gnu/packages/patches/x265-fix-ppc64le-build.patch @@ -0,0 +1,25 @@ +https://sources.debian.org/data/main/x/x265/2.8-3/debian/patches/0003-Fix-build-error-on-on-ppc64le.patch + +This patch also fixes building on armhf-linux and aarch64-linux + +From: Jayashree <jayashree.c@multicorewareinc.com> +Date: Fri, 25 May 2018 10:26:05 +0530 +Subject: Fix build error on on ppc64le + +--- + source/common/param.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source/common/param.cpp b/source/common/param.cpp +index 31bcbc7..4a6d0c8 100644 +--- a/source/common/param.cpp ++++ b/source/common/param.cpp +@@ -633,7 +633,7 @@ int x265_param_parse(x265_param* p, const char* name, const char* value) + if (bValueWasNull) + p->cpuid = atobool(value); + else +- p->cpuid = parseCpuName(value, bError); ++ p->cpuid = parseCpuName(value, bError, false); + #endif + } + OPT("fps") |