diff options
author | Ludovic Courtès <ludo@gnu.org> | 2017-01-23 22:33:10 +0100 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2017-01-23 22:33:10 +0100 |
commit | 58ea4d407c2e4adbe51b2d7b71dc8bef095677c7 (patch) | |
tree | 0fd70c0cb82d7980a7ff82500dec7bfd0d535d3f /gnu/packages/patches | |
parent | fcd75bdbfa99d14363b905afbf914eec20e69df8 (diff) | |
parent | 84b60a7cdfca1421a478894e279104a0c18a7c6d (diff) | |
download | guix-58ea4d407c2e4adbe51b2d7b71dc8bef095677c7.tar.gz |
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
35 files changed, 2347 insertions, 163 deletions
diff --git a/gnu/packages/patches/cracklib-fix-buffer-overflow.patch b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch new file mode 100644 index 0000000000..b1c990f282 --- /dev/null +++ b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch @@ -0,0 +1,39 @@ +Fix buffer overflow processing long words in Mangle(). + +Patch adpated from upstream commit, omitting changes to 'NEWS': + +https://github.com/cracklib/cracklib/commit/33d7fa4585247cd2247a1ffa032ad245836c6edb + +From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001 +From: Jan Dittberner <jan@dittberner.info> +Date: Thu, 25 Aug 2016 17:17:53 +0200 +Subject: [PATCH] Fix a buffer overflow processing long words + +A buffer overflow processing long words has been discovered. This commit +applies the patch from +https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch +by Howard Guo. + +See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and +http://www.openwall.com/lists/oss-security/2016/08/23/8 +--- + src/NEWS | 1 + + src/lib/rules.c | 5 ++--- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/lib/rules.c b/src/lib/rules.c +index d193cc0..3a2aa46 100644 +--- a/lib/rules.c ++++ b/lib/rules.c +@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a pointer to a controlled Mangle */ + { + int limit; + register char *ptr; +- static char area[STRINGSIZE]; +- char area2[STRINGSIZE]; +- area[0] = '\0'; ++ static char area[STRINGSIZE * 2] = {0}; ++ char area2[STRINGSIZE * 2] = {0}; + strcpy(area, input); + + for (ptr = control; *ptr; ptr++) diff --git a/gnu/packages/patches/duplicity-piped-password.patch b/gnu/packages/patches/duplicity-piped-password.patch deleted file mode 100644 index db50f5df32..0000000000 --- a/gnu/packages/patches/duplicity-piped-password.patch +++ /dev/null @@ -1,20 +0,0 @@ -This test, on three occasions, is failing with the error: - - EOF: End Of File (EOF) in read_nonblocking(). Braindead platform. - ---- duplicity-0.6.24/testing/functional/test_final.py 2014-09-28 13:14:52.146001614 -0500 -+++ duplicity-0.6.24/testing/functional/test_final.py 2014-09-28 13:13:20.333546342 -0500 -@@ -156,13 +156,6 @@ - self.run_duplicity(options=["remove-older-than", "50000", "--force", self.backend_url]) - self.assertEqual(self.get_backend_files(), second_chain) - -- def test_piped_password(self): -- """Make sure that prompting for a password works""" -- self.set_environ("PASSPHRASE", None) -- self.backup("full", "testfiles/empty_dir", -- passphrase_input=[self.sign_passphrase, self.sign_passphrase]) -- self.restore(passphrase_input=[self.sign_passphrase]) -- - - class OldFilenamesFinalTest(FinalTest): - diff --git a/gnu/packages/patches/duplicity-test_selection-tmp.patch b/gnu/packages/patches/duplicity-test_selection-tmp.patch deleted file mode 100644 index 8f66be4dcc..0000000000 --- a/gnu/packages/patches/duplicity-test_selection-tmp.patch +++ /dev/null @@ -1,18 +0,0 @@ -Reported upstream at https://bugs.launchpad.net/duplicity/+bug/1375019 - ---- duplicity-0.6.24/testing/unit/test_selection.py 2014-05-09 08:27:40.000000000 -0500 -+++ duplicity-0.6.24/testing/unit/test_selection.py 2014-09-28 12:28:53.932324380 -0500 -@@ -431,10 +431,10 @@ - [(), ('1',), ('1', '1'), ('1', '2'), ('1', '3')]) - - self.root = Path("/") -- self.ParseTest([("--exclude", "/home/*"), -- ("--include", "/home"), -+ self.ParseTest([("--exclude", "/tmp/*"), -+ ("--include", "/tmp"), - ("--exclude", "/")], -- [(), ("home",)]) -+ [(), ("tmp",)]) - - if __name__ == "__main__": - unittest.main() diff --git a/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch b/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch new file mode 100644 index 0000000000..d9f7ac6a36 --- /dev/null +++ b/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch @@ -0,0 +1,34 @@ +Fix an out-of-bounds heap read in Type_MLU_Read(): + +http://seclists.org/oss-sec/2016/q3/288 +https://bugzilla.redhat.com/show_bug.cgi?id=1367357 + +Patch copied from upstream source repository: + +https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2 + +From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001 +From: Marti <marti.maria@tktbrainpower.com> +Date: Mon, 15 Aug 2016 23:31:39 +0200 +Subject: [PATCH] Added an extra check to MLU bounds + +Thanks to Ibrahim el-sayed for spotting the bug +--- + src/cmstypes.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/cmstypes.c b/src/cmstypes.c +index cb61860..c7328b9 100644 +--- a/src/cmstypes.c ++++ b/src/cmstypes.c +@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU + + // Check for overflow + if (Offset < (SizeOfHeader + 8)) goto Error; ++ if ((Offset + Len) > SizeOfTag + 8) goto Error; + + // True begin of the string + BeginOfThisString = Offset - SizeOfHeader - 8; +-- +2.11.0 + diff --git a/gnu/packages/patches/libtiff-CVE-2016-10092.patch b/gnu/packages/patches/libtiff-CVE-2016-10092.patch new file mode 100644 index 0000000000..d5fd796169 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2016-10092.patch @@ -0,0 +1,42 @@ +Fix CVE-2016-10092: + +http://bugzilla.maptools.org/show_bug.cgi?id=2620 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10092 +https://security-tracker.debian.org/tracker/CVE-2016-10092 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) + mode so that the output buffer is correctly incremented to avoid write + outside bounds. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1178; previous revision: 1.1177 +/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c +new revision: 1.47; previous revision: 1.46 + +Index: libtiff/tools/tiffcrop.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v +retrieving revision 1.46 +retrieving revision 1.47 +diff -u -r1.46 -r1.47 +--- libtiff/tools/tiffcrop.c 18 Nov 2016 14:58:46 -0000 1.46 ++++ libtiff/tools/tiffcrop.c 3 Dec 2016 11:35:56 -0000 1.47 +@@ -1,4 +1,4 @@ +-/* $Id: tiffcrop.c,v 1.46 2016-11-18 14:58:46 erouault Exp $ */ ++/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */ + + /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of + * the image data through additional options listed below +@@ -3698,7 +3698,7 @@ + (unsigned long) strip, (unsigned long)rows); + return 0; + } +- bufp += bytes_read; ++ bufp += stripsize; + } + + return 1; diff --git a/gnu/packages/patches/libtiff-CVE-2016-10093.patch b/gnu/packages/patches/libtiff-CVE-2016-10093.patch new file mode 100644 index 0000000000..5897ec1029 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2016-10093.patch @@ -0,0 +1,53 @@ +Fix CVE-2016-10093: + +http://bugzilla.maptools.org/show_bug.cgi?id=2610 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10093 +https://security-tracker.debian.org/tracker/CVE-2016-10093 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: fix uint32 underflow/overflow that can cause + heap-based buffer overflow. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1187; previous revision: 1.1186 +/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c +new revision: 1.59; previous revision: 1.58 + +Index: libtiff/tools/tiffcp.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v +retrieving revision 1.58 +retrieving revision 1.59 +diff -u -r1.58 -r1.59 +--- libtiff/tools/tiffcp.c 3 Dec 2016 15:44:15 -0000 1.58 ++++ libtiff/tools/tiffcp.c 3 Dec 2016 16:40:01 -0000 1.59 +@@ -1163,7 +1163,7 @@ + + static void + cpStripToTile(uint8* out, uint8* in, +- uint32 rows, uint32 cols, int outskew, int inskew) ++ uint32 rows, uint32 cols, int outskew, int64 inskew) + { + while (rows-- > 0) { + uint32 j = cols; +@@ -1320,7 +1320,7 @@ + tdata_t tilebuf; + uint32 imagew = TIFFScanlineSize(in); + uint32 tilew = TIFFTileRowSize(in); +- int iskew = imagew - tilew; ++ int64 iskew = (int64)imagew - (int64)tilew; + uint8* bufp = (uint8*) buf; + uint32 tw, tl; + uint32 row; +@@ -1348,7 +1348,7 @@ + status = 0; + goto done; + } +- if (colb + tilew > imagew) { ++ if (colb > iskew) { + uint32 width = imagew - colb; + uint32 oskew = tilew - width; + cpStripToTile(bufp + colb, diff --git a/gnu/packages/patches/libtiff-CVE-2016-10094.patch b/gnu/packages/patches/libtiff-CVE-2016-10094.patch new file mode 100644 index 0000000000..9018773565 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2016-10094.patch @@ -0,0 +1,34 @@ +Fix CVE-2016-10094: + +http://bugzilla.maptools.org/show_bug.cgi?id=2640 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10094 +https://security-tracker.debian.org/tracker/CVE-2016-10094 + +2016-12-20 Even Rouault <even.rouault at spatialys.com> + + * tools/tiff2pdf.c: avoid potential heap-based overflow in + t2p_readwrite_pdf_image_tile(). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1199; previous revision: 1.1198 +/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c +new revision: 1.101; previous revision: 1.100 + +Index: libtiff/tools/tiff2pdf.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v +retrieving revision 1.100 +retrieving revision 1.101 +diff -u -r1.100 -r1.101 +--- libtiff/tools/tiff2pdf.c 20 Dec 2016 17:24:35 -0000 1.100 ++++ libtiff/tools/tiff2pdf.c 20 Dec 2016 17:28:17 -0000 1.101 +@@ -2895,7 +2895,7 @@ + return(0); + } + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { +- if (count >= 4) { ++ if (count > 4) { + int retTIFFReadRawTile; + /* Ignore EOI marker of JpegTables */ + _TIFFmemcpy(buffer, jpt, count - 2); diff --git a/gnu/packages/patches/libtiff-CVE-2017-5225.patch b/gnu/packages/patches/libtiff-CVE-2017-5225.patch new file mode 100644 index 0000000000..3158b49360 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-5225.patch @@ -0,0 +1,86 @@ +Fix CVE-2017-5225 (Heap based buffer overflow in tools/tiffcp): + +http://bugzilla.maptools.org/show_bug.cgi?id=2656 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225 +https://security-tracker.debian.org/tracker/CVE-2017-5225 + +2017-01-11 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and + cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based +overflow. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and + http://bugzilla.maptools.org/show_bug.cgi?id=2657 + + +less C/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1210; previous revision: 1.1209 +/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c +new revision: 1.61; previous revision: 1.60 + +Index: libtiff/tools/tiffcp.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v +retrieving revision 1.60 +retrieving revision 1.61 +diff -u -r1.60 -r1.61 +--- libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60 ++++ libtiff/tools/tiffcp.c 11 Jan 2017 19:26:14 -0000 1.61 +#@@ -1,4 +1,4 @@ +#-/* $Id: tiffcp.c,v 1.60 2016-12-03 16:50:02 erouault Exp $ */ +#+/* $Id: tiffcp.c,v 1.61 2017-01-11 19:26:14 erouault Exp $ */ +# +# /* +# * Copyright (c) 1988-1997 Sam Leffler +@@ -591,7 +591,7 @@ + static int + tiffcp(TIFF* in, TIFF* out) + { +- uint16 bitspersample, samplesperpixel = 1; ++ uint16 bitspersample = 1, samplesperpixel = 1; + uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; + copyFunc cf; + uint32 width, length; +@@ -1067,6 +1067,16 @@ + register uint32 n; + uint32 row; + tsample_t s; ++ uint16 bps = 0; ++ ++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps != 8 ) ++ { ++ TIFFError(TIFFFileName(in), ++ "Error, can only handle BitsPerSample=8 in %s", ++ "cpContig2SeparateByRow"); ++ return 0; ++ } + + inbuf = _TIFFmalloc(scanlinesizein); + outbuf = _TIFFmalloc(scanlinesizeout); +@@ -1120,6 +1130,16 @@ + register uint32 n; + uint32 row; + tsample_t s; ++ uint16 bps = 0; ++ ++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps != 8 ) ++ { ++ TIFFError(TIFFFileName(in), ++ "Error, can only handle BitsPerSample=8 in %s", ++ "cpSeparate2ContigByRow"); ++ return 0; ++ } + + inbuf = _TIFFmalloc(scanlinesizein); + outbuf = _TIFFmalloc(scanlinesizeout); +@@ -1784,7 +1804,7 @@ + uint32 w, l, tw, tl; + int bychunk; + +- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv); ++ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv); + if (shortv != config && bitspersample != 8 && samplesperpixel > 1) { + fprintf(stderr, + "%s: Cannot handle different planar configuration w/ bits/sample != 8\n", diff --git a/gnu/packages/patches/libtiff-assertion-failure.patch b/gnu/packages/patches/libtiff-assertion-failure.patch new file mode 100644 index 0000000000..ef747fbdd7 --- /dev/null +++ b/gnu/packages/patches/libtiff-assertion-failure.patch @@ -0,0 +1,60 @@ +Fix assertion failure in readSeparateTilesIntoBuffer(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2605 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert +check. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1188; previous revision: 1.1187 +/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c +new revision: 1.60; previous revision: 1.59 + +Index: libtiff/tools/tiffcp.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v +retrieving revision 1.59 +retrieving revision 1.60 +diff -u -r1.59 -r1.60 +--- libtiff/tools/tiffcp.c 3 Dec 2016 16:40:01 -0000 1.59 ++++ libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60 +@@ -45,7 +45,6 @@ + #include <string.h> + + #include <ctype.h> +-#include <assert.h> + + #ifdef HAVE_UNISTD_H + # include <unistd.h> +@@ -1393,7 +1392,12 @@ + status = 0; + goto done; + } +- assert( bps % 8 == 0 ); ++ if( (bps % 8) != 0 ) ++ { ++ TIFFError(TIFFFileName(in), "Error, cannot handle BitsPerSample that is not a multiple of 8"); ++ status = 0; ++ goto done; ++ } + bytes_per_sample = bps/8; + + for (row = 0; row < imagelength; row += tl) { +@@ -1584,7 +1588,12 @@ + _TIFFfree(obuf); + return 0; + } +- assert( bps % 8 == 0 ); ++ if( (bps % 8) != 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); ++ _TIFFfree(obuf); ++ return 0; ++ } + bytes_per_sample = bps/8; + + for (row = 0; row < imagelength; row += tl) { diff --git a/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch b/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch new file mode 100644 index 0000000000..2a96b68521 --- /dev/null +++ b/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch @@ -0,0 +1,63 @@ +Fix divide-by-zero in OJPEGDecodeRaw(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2611 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure +in + OJPEGPreDecode(). This will avoid a divide by zero, and potential other +issues. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1177; previous revision: 1.1176 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c +new revision: 1.66; previous revision: 1.65 + +Index: libtiff/libtiff/tif_ojpeg.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v +retrieving revision 1.65 +retrieving revision 1.66 +diff -u -r1.65 -r1.66 +--- libtiff/libtiff/tif_ojpeg.c 4 Sep 2016 21:32:56 -0000 1.65 ++++ libtiff/libtiff/tif_ojpeg.c 3 Dec 2016 11:15:18 -0000 1.66 +@@ -1,4 +1,4 @@ +-/* $Id: tif_ojpeg.c,v 1.65 2016-09-04 21:32:56 erouault Exp $ */ ++/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */ + + /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0 + specification is now totally obsolete and deprecated for new applications and +@@ -244,6 +244,7 @@ + + typedef struct { + TIFF* tif; ++ int decoder_ok; + #ifndef LIBJPEG_ENCAP_EXTERNAL + JMP_BUF exit_jmpbuf; + #endif +@@ -722,6 +723,7 @@ + } + sp->write_curstrile++; + } ++ sp->decoder_ok = 1; + return(1); + } + +@@ -784,8 +786,14 @@ + static int + OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) + { ++ static const char module[]="OJPEGDecode"; + OJPEGState* sp=(OJPEGState*)tif->tif_data; + (void)s; ++ if( !sp->decoder_ok ) ++ { ++ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized"); ++ return 0; ++ } + if (sp->libjpeg_jpeg_query_style==0) + { + if (OJPEGDecodeRaw(tif,buf,cc)==0) diff --git a/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch b/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch new file mode 100644 index 0000000000..d3f1c2b60e --- /dev/null +++ b/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch @@ -0,0 +1,104 @@ +Fix two divide-by-zero bugs in readSeparateTilesIntoBuffer(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2597 +http://bugzilla.maptools.org/show_bug.cgi?id=2607 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples +tag is + missing. + Reported by Agostino sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1183; previous revision: 1.1182 +/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c +new revision: 1.57; previous revision: 1.56 + +Index: libtiff/tools/tiffcp.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v +retrieving revision 1.56 +retrieving revision 1.57 +diff -u -r1.56 -r1.57 +--- libtiff/tools/tiffcp.c 2 Dec 2016 22:13:32 -0000 1.56 ++++ libtiff/tools/tiffcp.c 3 Dec 2016 14:42:40 -0000 1.57 +@@ -1,4 +1,4 @@ +-/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */ ++/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -1378,7 +1378,7 @@ + uint8* bufp = (uint8*) buf; + uint32 tw, tl; + uint32 row; +- uint16 bps, bytes_per_sample; ++ uint16 bps = 0, bytes_per_sample; + + tilebuf = _TIFFmalloc(tilesize); + if (tilebuf == 0) +@@ -1387,6 +1387,12 @@ + (void) TIFFGetField(in, TIFFTAG_TILEWIDTH, &tw); + (void) TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); + (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps == 0 ) ++ { ++ TIFFError(TIFFFileName(in), "Error, cannot read BitsPerSample"); ++ status = 0; ++ goto done; ++ } + assert( bps % 8 == 0 ); + bytes_per_sample = bps/8; + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples +tag is + missing. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607 + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1186; previous revision: 1.1185 +/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c +new revision: 1.58; previous revision: 1.57 + +Index: libtiff/tools/tiffcp.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v +retrieving revision 1.57 +retrieving revision 1.58 +diff -u -r1.57 -r1.58 +--- libtiff/tools/tiffcp.c 3 Dec 2016 14:42:40 -0000 1.57 ++++ libtiff/tools/tiffcp.c 3 Dec 2016 15:44:15 -0000 1.58 +@@ -1,4 +1,4 @@ +-/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */ ++/* $Id: tiffcp.c,v 1.58 2016-12-03 15:44:15 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -1569,7 +1569,7 @@ + uint8* bufp = (uint8*) buf; + uint32 tl, tw; + uint32 row; +- uint16 bps, bytes_per_sample; ++ uint16 bps = 0, bytes_per_sample; + + obuf = _TIFFmalloc(TIFFTileSize(out)); + if (obuf == NULL) +@@ -1578,6 +1578,12 @@ + (void) TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); + (void) TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); + (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps == 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); ++ _TIFFfree(obuf); ++ return 0; ++ } + assert( bps % 8 == 0 ); + bytes_per_sample = bps/8; + diff --git a/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch b/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch new file mode 100644 index 0000000000..823293f1cf --- /dev/null +++ b/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch @@ -0,0 +1,57 @@ +Fix divide-by-zero in readSeparateStripsIntoBuffer(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2619 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is +missing. + Reported by Agostina Sarubo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1180; previous revision: 1.1179 +/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c +new revision: 1.49; previous revision: 1.48 + +Index: libtiff/tools/tiffcrop.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v +retrieving revision 1.48 +retrieving revision 1.49 +diff -u -r1.48 -r1.49 +--- libtiff/tools/tiffcrop.c 3 Dec 2016 12:19:32 -0000 1.48 ++++ libtiff/tools/tiffcrop.c 3 Dec 2016 13:00:04 -0000 1.49 +@@ -1,4 +1,4 @@ +-/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */ ++/* $Id: tiffcrop.c,v 1.49 2016-12-03 13:00:04 erouault Exp $ */ + + /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of + * the image data through additional options listed below +@@ -1164,7 +1164,7 @@ + tdata_t obuf; + + (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); +- (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ (void) TIFFGetFieldDefaulted(out, TIFFTAG_BITSPERSAMPLE, &bps); + bytes_per_sample = (bps + 7) / 8; + if( width == 0 || + (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width || +@@ -4760,7 +4760,7 @@ + int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; + uint32 j; + int32 bytes_read = 0; +- uint16 bps, planar; ++ uint16 bps = 0, planar; + uint32 nstrips; + uint32 strips_per_sample; + uint32 src_rowsize, dst_rowsize, rows_processed, rps; +@@ -4780,7 +4780,7 @@ + } + + memset (srcbuffs, '\0', sizeof(srcbuffs)); +- TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); + TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &planar); + TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); + if (rps > length) diff --git a/gnu/packages/patches/libtiff-divide-by-zero.patch b/gnu/packages/patches/libtiff-divide-by-zero.patch new file mode 100644 index 0000000000..6dbd4666cd --- /dev/null +++ b/gnu/packages/patches/libtiff-divide-by-zero.patch @@ -0,0 +1,67 @@ +Fix an integer overflow in TIFFReadEncodedStrip() that led to division-by-zero: + +http://bugzilla.maptools.org/show_bug.cgi?id=2596 + +2016-12-02 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in + TIFFReadEncodedStrip() that caused an integer division by zero. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1173; previous revision: 1.1172 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c +new revision: 1.50; previous revision: 1.49 +/cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v <-- libtiff/tiffiop.h +new revision: 1.90; previous revision: 1.89 + +Index: libtiff/libtiff/tif_read.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v +retrieving revision 1.49 +retrieving revision 1.50 +diff -u -r1.49 -r1.50 +--- libtiff/libtiff/tif_read.c 10 Jul 2016 18:00:21 -0000 1.49 ++++ libtiff/libtiff/tif_read.c 2 Dec 2016 21:56:56 -0000 1.50 +@@ -1,4 +1,4 @@ +-/* $Id: tif_read.c,v 1.49 2016-07-10 18:00:21 erouault Exp $ */ ++/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -346,7 +346,7 @@ + rowsperstrip=td->td_rowsperstrip; + if (rowsperstrip>td->td_imagelength) + rowsperstrip=td->td_imagelength; +- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip); ++ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); + stripinplane=(strip%stripsperplane); + plane=(uint16)(strip/stripsperplane); + rows=td->td_imagelength-stripinplane*rowsperstrip; +Index: libtiff/libtiff/tiffiop.h +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v +retrieving revision 1.89 +retrieving revision 1.90 +diff -u -r1.89 -r1.90 +--- libtiff/libtiff/tiffiop.h 23 Jan 2016 21:20:34 -0000 1.89 ++++ libtiff/libtiff/tiffiop.h 2 Dec 2016 21:56:56 -0000 1.90 +@@ -1,4 +1,4 @@ +-/* $Id: tiffiop.h,v 1.89 2016-01-23 21:20:34 erouault Exp $ */ ++/* $Id: tiffiop.h,v 1.90 2016-12-02 21:56:56 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -250,6 +250,10 @@ + #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ + ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ + 0U) ++/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */ ++/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */ ++#define TIFFhowmany_32_maxuint_compat(x, y) \ ++ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0)) + #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) + #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y)) + #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y))) diff --git a/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch b/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch new file mode 100644 index 0000000000..2d5e23586d --- /dev/null +++ b/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch @@ -0,0 +1,131 @@ +Fix heap-based buffer overflow in _TIFFmemcpy(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2604 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer + overflow on generation of PixarLog / LUV compressed files, with + ColorMap, TransferFunction attached and nasty plays with bitspersample. + The fix for LUV has not been tested, but suffers from the same kind + of issue of PixarLog. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1175; previous revision: 1.1174 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v <-- libtiff/tif_luv.c +new revision: 1.44; previous revision: 1.43 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v <-- +libtiff/tif_pixarlog.c +new revision: 1.49; previous revision: 1.48 + +Index: libtiff/libtiff/tif_luv.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v +retrieving revision 1.43 +retrieving revision 1.44 +diff -u -r1.43 -r1.44 +--- libtiff/libtiff/tif_luv.c 4 Sep 2016 21:32:56 -0000 1.43 ++++ libtiff/libtiff/tif_luv.c 2 Dec 2016 23:05:51 -0000 1.44 +@@ -1,4 +1,4 @@ +-/* $Id: tif_luv.c,v 1.43 2016-09-04 21:32:56 erouault Exp $ */ ++/* $Id: tif_luv.c,v 1.44 2016-12-02 23:05:51 erouault Exp $ */ + + /* + * Copyright (c) 1997 Greg Ward Larson +@@ -158,6 +158,7 @@ + typedef struct logLuvState LogLuvState; + + struct logLuvState { ++ int encoder_state; /* 1 if encoder correctly initialized */ + int user_datafmt; /* user data format */ + int encode_meth; /* encoding method */ + int pixel_size; /* bytes per pixel */ +@@ -1552,6 +1553,7 @@ + td->td_photometric, "must be either LogLUV or LogL"); + break; + } ++ sp->encoder_state = 1; + return (1); + notsupported: + TIFFErrorExt(tif->tif_clientdata, module, +@@ -1563,19 +1565,27 @@ + static void + LogLuvClose(TIFF* tif) + { ++ LogLuvState* sp = (LogLuvState*) tif->tif_data; + TIFFDirectory *td = &tif->tif_dir; + ++ assert(sp != 0); + /* + * For consistency, we always want to write out the same + * bitspersample and sampleformat for our TIFF file, + * regardless of the data format being used by the application. + * Since this routine is called after tags have been set but + * before they have been recorded in the file, we reset them here. ++ * Note: this is really a nasty approach. See PixarLogClose + */ +- td->td_samplesperpixel = +- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; +- td->td_bitspersample = 16; +- td->td_sampleformat = SAMPLEFORMAT_INT; ++ if( sp->encoder_state ) ++ { ++ /* See PixarLogClose. Might avoid issues with tags whose size depends ++ * on those below, but not completely sure this is enough. */ ++ td->td_samplesperpixel = ++ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; ++ td->td_bitspersample = 16; ++ td->td_sampleformat = SAMPLEFORMAT_INT; ++ } + } + + static void +Index: libtiff/libtiff/tif_pixarlog.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v +retrieving revision 1.48 +retrieving revision 1.49 +diff -u -r1.48 -r1.49 +--- libtiff/libtiff/tif_pixarlog.c 23 Sep 2016 22:12:18 -0000 1.48 ++++ libtiff/libtiff/tif_pixarlog.c 2 Dec 2016 23:05:51 -0000 1.49 +@@ -1,4 +1,4 @@ +-/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */ ++/* $Id: tif_pixarlog.c,v 1.49 2016-12-02 23:05:51 erouault Exp $ */ + + /* + * Copyright (c) 1996-1997 Sam Leffler +@@ -1233,8 +1233,10 @@ + static void + PixarLogClose(TIFF* tif) + { ++ PixarLogState* sp = (PixarLogState*) tif->tif_data; + TIFFDirectory *td = &tif->tif_dir; + ++ assert(sp != 0); + /* In a really sneaky (and really incorrect, and untruthful, and + * troublesome, and error-prone) maneuver that completely goes against + * the spirit of TIFF, and breaks TIFF, on close, we covertly +@@ -1243,8 +1245,19 @@ + * readers that don't know about PixarLog, or how to set + * the PIXARLOGDATFMT pseudo-tag. + */ +- td->td_bitspersample = 8; +- td->td_sampleformat = SAMPLEFORMAT_UINT; ++ ++ if (sp->state&PLSTATE_INIT) { ++ /* We test the state to avoid an issue such as in ++ * http://bugzilla.maptools.org/show_bug.cgi?id=2604 ++ * What appends in that case is that the bitspersample is 1 and ++ * a TransferFunction is set. The size of the TransferFunction ++ * depends on 1<<bitspersample. So if we increase it, an access ++ * out of the buffer will happen at directory flushing. ++ * Another option would be to clear those targs. ++ */ ++ td->td_bitspersample = 8; ++ td->td_sampleformat = SAMPLEFORMAT_UINT; ++ } + } + + static void diff --git a/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch b/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch new file mode 100644 index 0000000000..68889b121b --- /dev/null +++ b/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch @@ -0,0 +1,132 @@ +Fix heap-based buffer overflow in TIFFFillStrip(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2608 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to + instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, +rowsperstrip), + instead of a logic based on the total size of data. Which is faulty is + the total size of data is not sufficient to fill the whole image, and +thus + results in reading outside of the StripByCounts/StripOffsets arrays +when + using TIFFReadScanline(). + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608. + + * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done + for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 +since + the above change is a better fix that makes it unnecessary. + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1176; previous revision: 1.1175 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- +libtiff/tif_dirread.c +new revision: 1.205; previous revision: 1.204 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v <-- libtiff/tif_strip.c +new revision: 1.38; previous revision: 1.37 + +Index: libtiff/libtiff/tif_dirread.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v +retrieving revision 1.204 +retrieving revision 1.205 +diff -u -r1.204 -r1.205 +--- libtiff/libtiff/tif_dirread.c 16 Nov 2016 15:14:15 -0000 1.204 ++++ libtiff/libtiff/tif_dirread.c 3 Dec 2016 11:02:15 -0000 1.205 +@@ -1,4 +1,4 @@ +-/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */ ++/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -5502,8 +5502,7 @@ + uint64 rowblockbytes; + uint64 stripbytes; + uint32 strip; +- uint64 nstrips64; +- uint32 nstrips32; ++ uint32 nstrips; + uint32 rowsperstrip; + uint64* newcounts; + uint64* newoffsets; +@@ -5534,18 +5533,17 @@ + return; + + /* +- * never increase the number of strips in an image ++ * never increase the number of rows per strip + */ + if (rowsperstrip >= td->td_rowsperstrip) + return; +- nstrips64 = TIFFhowmany_64(bytecount, stripbytes); +- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */ +- return; +- nstrips32 = (uint32)nstrips64; ++ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip); ++ if( nstrips == 0 ) ++ return; + +- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), ++ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), + "for chopped \"StripByteCounts\" array"); +- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), ++ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), + "for chopped \"StripOffsets\" array"); + if (newcounts == NULL || newoffsets == NULL) { + /* +@@ -5562,18 +5560,18 @@ + * Fill the strip information arrays with new bytecounts and offsets + * that reflect the broken-up format. + */ +- for (strip = 0; strip < nstrips32; strip++) { ++ for (strip = 0; strip < nstrips; strip++) { + if (stripbytes > bytecount) + stripbytes = bytecount; + newcounts[strip] = stripbytes; +- newoffsets[strip] = offset; ++ newoffsets[strip] = stripbytes ? offset : 0; + offset += stripbytes; + bytecount -= stripbytes; + } + /* + * Replace old single strip info with multi-strip info. + */ +- td->td_stripsperimage = td->td_nstrips = nstrips32; ++ td->td_stripsperimage = td->td_nstrips = nstrips; + TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip); + + _TIFFfree(td->td_stripbytecount); +Index: libtiff/libtiff/tif_strip.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v +retrieving revision 1.37 +retrieving revision 1.38 +diff -u -r1.37 -r1.38 +--- libtiff/libtiff/tif_strip.c 9 Nov 2016 23:00:49 -0000 1.37 ++++ libtiff/libtiff/tif_strip.c 3 Dec 2016 11:02:15 -0000 1.38 +@@ -1,4 +1,4 @@ +-/* $Id: tif_strip.c,v 1.37 2016-11-09 23:00:49 erouault Exp $ */ ++/* $Id: tif_strip.c,v 1.38 2016-12-03 11:02:15 erouault Exp $ */ + + /* + * Copyright (c) 1991-1997 Sam Leffler +@@ -63,15 +63,6 @@ + TIFFDirectory *td = &tif->tif_dir; + uint32 nstrips; + +- /* If the value was already computed and store in td_nstrips, then return it, +- since ChopUpSingleUncompressedStrip might have altered and resized the +- since the td_stripbytecount and td_stripoffset arrays to the new value +- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in +- tif_dirread.c ~line 3612. +- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */ +- if( td->td_nstrips ) +- return td->td_nstrips; +- + nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 : + TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip)); + if (td->td_planarconfig == PLANARCONFIG_SEPARATE) diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch new file mode 100644 index 0000000000..f0fef08bf3 --- /dev/null +++ b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch @@ -0,0 +1,67 @@ +Fix heap buffer overflow in tiffcp when parsing number of inks: + +http://bugzilla.maptools.org/show_bug.cgi?id=2599 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is +called, + limit the return number of inks to SamplesPerPixel, so that code that +parses + ink names doesn't go past the end of the buffer. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1184; previous revision: 1.1183 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v <-- libtiff/tif_dir.c +new revision: 1.128; previous revision: 1.127 + +Index: libtiff/libtiff/tif_dir.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v +retrieving revision 1.127 +retrieving revision 1.128 +diff -u -r1.127 -r1.128 +--- libtiff/libtiff/tif_dir.c 25 Oct 2016 21:35:15 -0000 1.127 ++++ libtiff/libtiff/tif_dir.c 3 Dec 2016 15:30:31 -0000 1.128 +@@ -1,4 +1,4 @@ +-/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */ ++/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -854,6 +854,32 @@ + if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */ + return 0; + ++ if( tag == TIFFTAG_NUMBEROFINKS ) ++ { ++ int i; ++ for (i = 0; i < td->td_customValueCount; i++) { ++ uint16 val; ++ TIFFTagValue *tv = td->td_customValues + i; ++ if (tv->info->field_tag != tag) ++ continue; ++ val = *(uint16 *)tv->value; ++ /* Truncate to SamplesPerPixel, since the */ ++ /* setting code for INKNAMES assume that there are SamplesPerPixel */ ++ /* inknames. */ ++ /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ ++ if( val > td->td_samplesperpixel ) ++ { ++ TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", ++ "Truncating NumberOfInks from %u to %u", ++ val, td->td_samplesperpixel); ++ val = td->td_samplesperpixel; ++ } ++ *va_arg(ap, uint16*) = val; ++ return 1; ++ } ++ return 0; ++ } ++ + /* + * We want to force the custom code to be used for custom + * fields even if the tag happens to match a well known diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch new file mode 100644 index 0000000000..8166c55758 --- /dev/null +++ b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch @@ -0,0 +1,60 @@ +Fix heap-based buffer overflow in combineSeparateSamples16bits(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2621 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in + readSeparateStripsIntoBuffer() to avoid read outside of heap allocated +buffer. + Reported by Agostina Sarubo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1179; previous revision: 1.1178 +/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c +new revision: 1.48; previous revision: 1.47 + +Index: libtiff/tools/tiffcrop.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v +retrieving revision 1.47 +retrieving revision 1.48 +diff -u -r1.47 -r1.48 +--- libtiff/tools/tiffcrop.c 3 Dec 2016 11:35:56 -0000 1.47 ++++ libtiff/tools/tiffcrop.c 3 Dec 2016 12:19:32 -0000 1.48 +@@ -1,4 +1,4 @@ +-/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */ ++/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */ + + /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of + * the image data through additional options listed below +@@ -4815,10 +4815,17 @@ + nstrips = TIFFNumberOfStrips(in); + strips_per_sample = nstrips /spp; + ++ /* Add 3 padding bytes for combineSeparateSamples32bits */ ++ if( (size_t) stripsize > 0xFFFFFFFFU - 3U ) ++ { ++ TIFFError("readSeparateStripsIntoBuffer", "Integer overflow when calculating buffer size."); ++ exit(-1); ++ } ++ + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + srcbuffs[s] = NULL; +- buff = _TIFFmalloc(stripsize); ++ buff = _TIFFmalloc(stripsize + 3); + if (!buff) + { + TIFFError ("readSeparateStripsIntoBuffer", +@@ -4827,6 +4834,9 @@ + _TIFFfree (srcbuffs[i]); + return 0; + } ++ buff[stripsize] = 0; ++ buff[stripsize+1] = 0; ++ buff[stripsize+2] = 0; + srcbuffs[s] = buff; + } + diff --git a/gnu/packages/patches/libtiff-invalid-read.patch b/gnu/packages/patches/libtiff-invalid-read.patch new file mode 100644 index 0000000000..92742d8757 --- /dev/null +++ b/gnu/packages/patches/libtiff-invalid-read.patch @@ -0,0 +1,64 @@ +Fix invalid read in t2p_writeproc(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2639 + +2016-12-20 Even Rouault <even.rouault at spatialys.com> + + * tools/tiff2pdf.c: avoid potential invalid memory read in + t2p_writeproc. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639 + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1198; previous revision: 1.1197 +/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c +new revision: 1.100; previous revision: 1.99 + +Index: libtiff/tools/tiff2pdf.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v +retrieving revision 1.99 +retrieving revision 1.100 +diff -u -r1.99 -r1.100 +--- libtiff/tools/tiff2pdf.c 20 Dec 2016 17:13:26 -0000 1.99 ++++ libtiff/tools/tiff2pdf.c 20 Dec 2016 17:24:35 -0000 1.100 +@@ -2896,6 +2896,7 @@ + } + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { + if (count >= 4) { ++ int retTIFFReadRawTile; + /* Ignore EOI marker of JpegTables */ + _TIFFmemcpy(buffer, jpt, count - 2); + bufferoffset += count - 2; +@@ -2903,22 +2904,23 @@ + table_end[0] = buffer[bufferoffset-2]; + table_end[1] = buffer[bufferoffset-1]; + xuint32 = bufferoffset; +- bufferoffset -= 2; +- bufferoffset += TIFFReadRawTile( ++ bufferoffset -= 2; ++ retTIFFReadRawTile= TIFFReadRawTile( + input, + tile, + (tdata_t) &(((unsigned char*)buffer)[bufferoffset]), + -1); ++ if( retTIFFReadRawTile < 0 ) ++ { ++ _TIFFfree(buffer); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return(0); ++ } ++ bufferoffset += retTIFFReadRawTile; + /* Overwrite SOI marker of image scan with previously */ + /* saved end of JpegTables */ + buffer[xuint32-2]=table_end[0]; + buffer[xuint32-1]=table_end[1]; +- } else { +- bufferoffset += TIFFReadRawTile( +- input, +- tile, +- (tdata_t) &(((unsigned char*)buffer)[bufferoffset]), +- -1); + } + } + t2pWriteFile(output, (tdata_t) buffer, bufferoffset); diff --git a/gnu/packages/patches/libtiff-null-dereference.patch b/gnu/packages/patches/libtiff-null-dereference.patch new file mode 100644 index 0000000000..8c6345b804 --- /dev/null +++ b/gnu/packages/patches/libtiff-null-dereference.patch @@ -0,0 +1,42 @@ +Fix NULL pointer dereference in TIFFReadRawData(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2594 + + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffinfo.c: fix null pointer dereference in -r mode when + * the +image has + no StripByteCount tag. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1182; previous revision: 1.1181 +/cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v <-- tools/tiffinfo.c +new revision: 1.26; previous revision: 1.25 + +Index: libtiff/tools/tiffinfo.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v +retrieving revision 1.25 +retrieving revision 1.26 +diff -u -r1.25 -r1.26 +--- libtiff/tools/tiffinfo.c 12 Nov 2016 20:06:05 -0000 1.25 ++++ libtiff/tools/tiffinfo.c 3 Dec 2016 14:18:49 -0000 1.26 +@@ -1,4 +1,4 @@ +-/* $Id: tiffinfo.c,v 1.25 2016-11-12 20:06:05 bfriesen Exp $ */ ++/* $Id: tiffinfo.c,v 1.26 2016-12-03 14:18:49 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -417,7 +417,7 @@ + uint64* stripbc=NULL; + + TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &stripbc); +- if (nstrips > 0) { ++ if (stripbc != NULL && nstrips > 0) { + uint32 bufsize = (uint32) stripbc[0]; + tdata_t buf = _TIFFmalloc(bufsize); + tstrip_t s; diff --git a/gnu/packages/patches/libtiff-tiffcp-underflow.patch b/gnu/packages/patches/libtiff-tiffcp-underflow.patch new file mode 100644 index 0000000000..5615cbb3e1 --- /dev/null +++ b/gnu/packages/patches/libtiff-tiffcp-underflow.patch @@ -0,0 +1,41 @@ +Fix a integer underflow in tiffcp that led to heap overflows in +TIFFReverseBits(): + +http://bugzilla.maptools.org/show_bug.cgi?id=2598 + +2016-12-02 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that + can cause various issues, such as buffer overflows in the library. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598 + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1174; previous revision: 1.1173 +/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c +new revision: 1.56; previous revision: 1.55 + +Index: libtiff/tools/tiffcp.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v +retrieving revision 1.55 +retrieving revision 1.56 +diff -u -r1.55 -r1.56 +--- libtiff/tools/tiffcp.c 8 Oct 2016 15:54:57 -0000 1.55 ++++ libtiff/tools/tiffcp.c 2 Dec 2016 22:13:32 -0000 1.56 +@@ -1,4 +1,4 @@ +-/* $Id: tiffcp.c,v 1.55 2016-10-08 15:54:57 erouault Exp $ */ ++/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -985,7 +985,7 @@ + tstrip_t s, ns = TIFFNumberOfStrips(in); + uint32 row = 0; + _TIFFmemset(buf, 0, stripsize); +- for (s = 0; s < ns; s++) { ++ for (s = 0; s < ns && row < imagelength; s++) { + tsize_t cc = (row + rowsperstrip > imagelength) ? + TIFFVStripSize(in, imagelength - row) : stripsize; + if (TIFFReadEncodedStrip(in, s, buf, cc) < 0 diff --git a/gnu/packages/patches/libxt-guix-search-paths.patch b/gnu/packages/patches/libxt-guix-search-paths.patch new file mode 100644 index 0000000000..c618f48da5 --- /dev/null +++ b/gnu/packages/patches/libxt-guix-search-paths.patch @@ -0,0 +1,126 @@ +--- libXt-1.1.5/src/Intrinsic.c 2015-05-01 07:36:20.000000000 +0200 ++++ Intrinsic.c 2016-12-12 00:42:16.567388450 +0100 +@@ -1303,21 +1303,101 @@ + } else (void) strcpy(*rest, string); + } + +-/* +- * default path used if environment variable XFILESEARCHPATH +- * is not defined. Also substitued for %D. +- * The exact value should be documented in the implementation +- * notes for any Xt implementation. ++ ++ ++/* ++ Return the default search path for the function ++ XtResolvePathname to use if XFILESEARCHPATH is ++ not defined. ++ ++ It returns the combination the set of values which are the 6 "stems" below, ++ prepended with "/run/current-system/profile", and $GUIX_PROFILE and ++ "$HOME/.guix-profile" ++ ++ These values provide the default paths where Guix/GuixSD can expect ++ to find resources for installed packages. + */ +-static const char *implementation_default_path(void) ++static const char *guix_default_path(void) + { +-#if defined(WIN32) +- static char xfilesearchpath[] = ""; +- +- return xfilesearchpath; +-#else +- return XFILESEARCHPATHDEFAULT; +-#endif ++ static const char *search_path_default_stem[] = { ++ "/lib/X11/%L/%T/%N%C%S", ++ "/lib/X11/%l/%T/%N%C%S", ++ "/lib/X11/%T/%N%C%S", ++ "/lib/X11/%L/%T/%N%S", ++ "/lib/X11/%l/%T/%N%S", ++ "/lib/X11/%T/%N%S" ++ }; ++ ++#define SIZEOF_STEMS (strlen (search_path_default_stem[0]) \ ++ + strlen (search_path_default_stem[1]) \ ++ + strlen (search_path_default_stem[2]) \ ++ + strlen (search_path_default_stem[3]) \ ++ + strlen (search_path_default_stem[4]) \ ++ + strlen (search_path_default_stem[5])) ++ ++ ++ int i; ++ const char *current_profile = "/run/current-system/profile"; ++ char *home = getenv ("HOME"); ++ char *guix_profile = getenv ("GUIX_PROFILE"); ++ ++ size_t bytesAllocd = SIZEOF_STEMS + 1; ++ ++ /* This function is evaluated multiple times and the calling ++ code assumes that it is idempotent. So we must not allow ++ (say) a changed environment variable to cause it to return ++ something different. */ ++ static char *path = NULL; ++ if (path) ++ return path; ++ ++ bytesAllocd += 6 * (1 + strlen (current_profile)); ++ ++ if (guix_profile != NULL) ++ { ++ bytesAllocd += SIZEOF_STEMS; ++ bytesAllocd += 6 * (1 + strlen (guix_profile)); ++ } ++ ++ if (home != NULL) ++ { ++ bytesAllocd += SIZEOF_STEMS; ++ bytesAllocd += 6 * (1 + strlen(home) + strlen ("/.guix-profile")); ++ } ++ ++ path = XtMalloc(bytesAllocd); ++ if (path == NULL) _XtAllocError(NULL); ++ ++ memset (path, 0, bytesAllocd); ++ ++ for (i = 0 ; i < 6 ; ++i) ++ { ++ strcat (path, current_profile); ++ strcat (path, search_path_default_stem[i]); ++ strcat (path, ":"); ++ } ++ ++ if (guix_profile != NULL) ++ for (i = 0 ; i < 6 ; ++i) ++ { ++ strcat (path, guix_profile); ++ strcat (path, search_path_default_stem[i]); ++ strcat (path, ":"); ++ } ++ ++ if (home != NULL) ++ for (i = 0 ; i < 6 ; ++i) ++ { ++ strcat (path, home); ++ strcat (path, "/.guix-profile"); ++ strcat (path, search_path_default_stem[i]); ++ strcat (path, ":"); ++ } ++ ++ /* Remove final : */ ++ path[strlen(path) - 1] = '\0'; ++ ++ return path; + } + + +@@ -1345,7 +1425,7 @@ + { + XtPerDisplay pd; + static const char *defaultPath = NULL; +- const char *impl_default = implementation_default_path(); ++ const char *impl_default = guix_default_path(); + int idef_len = strlen(impl_default); + char *massagedPath; + int bytesAllocd, bytesLeft; diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch new file mode 100644 index 0000000000..e752e57ec5 --- /dev/null +++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch @@ -0,0 +1,188 @@ +Fix CVE-2016-10132: + +https://bugs.ghostscript.com/show_bug.cgi?id=697381 +http://seclists.org/oss-sec/2017/q1/74 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10132 + +Patch lifted from upstream source repository: + +http://git.ghostscript.com/?p=mujs.git;h=fd003eceda531e13fbdd1aeb6e9c73156496e569 + +From fd003eceda531e13fbdd1aeb6e9c73156496e569 Mon Sep 17 00:00:00 2001 +From: Tor Andersson <tor@ccxvii.net> +Date: Fri, 2 Dec 2016 14:56:20 -0500 +Subject: [PATCH] Fix 697381: check allocation when compiling regular + expressions. + +Also use allocator callback function. +--- + thirdparty/mujs/jsgc.c | 2 +- + thirdparty/mujs/jsregexp.c | 2 +- + thirdparty/mujs/jsstate.c | 6 ------ + thirdparty/mujs/regexp.c | 45 +++++++++++++++++++++++++++++++++++---------- + thirdparty/mujs/regexp.h | 7 +++++++ + 5 files changed, 44 insertions(+), 18 deletions(-) + +diff --git a/thirdparty/mujs/jsgc.c b/thirdparty/mujs/jsgc.c +index 4f7e7dc..f80111e 100644 +--- a/thirdparty/mujs/jsgc.c ++++ b/thirdparty/mujs/jsgc.c +@@ -46,7 +46,7 @@ static void jsG_freeobject(js_State *J, js_Object *obj) + jsG_freeproperty(J, obj->head); + if (obj->type == JS_CREGEXP) { + js_free(J, obj->u.r.source); +- js_regfree(obj->u.r.prog); ++ js_regfreex(J->alloc, J->actx, obj->u.r.prog); + } + if (obj->type == JS_CITERATOR) + jsG_freeiterator(J, obj->u.iter.head); +diff --git a/thirdparty/mujs/jsregexp.c b/thirdparty/mujs/jsregexp.c +index a2d5156..7b09c06 100644 +--- a/thirdparty/mujs/jsregexp.c ++++ b/thirdparty/mujs/jsregexp.c +@@ -16,7 +16,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags) + if (flags & JS_REGEXP_I) opts |= REG_ICASE; + if (flags & JS_REGEXP_M) opts |= REG_NEWLINE; + +- prog = js_regcomp(pattern, opts, &error); ++ prog = js_regcompx(J->alloc, J->actx, pattern, opts, &error); + if (!prog) + js_syntaxerror(J, "regular expression: %s", error); + +diff --git a/thirdparty/mujs/jsstate.c b/thirdparty/mujs/jsstate.c +index 638cab3..fd5bcf6 100644 +--- a/thirdparty/mujs/jsstate.c ++++ b/thirdparty/mujs/jsstate.c +@@ -9,12 +9,6 @@ + + static void *js_defaultalloc(void *actx, void *ptr, int size) + { +- if (size == 0) { +- free(ptr); +- return NULL; +- } +- if (!ptr) +- return malloc((size_t)size); + return realloc(ptr, (size_t)size); + } + +diff --git a/thirdparty/mujs/regexp.c b/thirdparty/mujs/regexp.c +index 9852be2..01c18a3 100644 +--- a/thirdparty/mujs/regexp.c ++++ b/thirdparty/mujs/regexp.c +@@ -807,23 +807,31 @@ static void dumpprog(Reprog *prog) + } + #endif + +-Reprog *regcomp(const char *pattern, int cflags, const char **errorp) ++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx, ++ const char *pattern, int cflags, const char **errorp) + { + struct cstate g; + Renode *node; + Reinst *split, *jump; + int i; + +- g.prog = malloc(sizeof (Reprog)); +- g.pstart = g.pend = malloc(sizeof (Renode) * strlen(pattern) * 2); ++ g.pstart = NULL; ++ g.prog = NULL; + + if (setjmp(g.kaboom)) { + if (errorp) *errorp = g.error; +- free(g.pstart); +- free(g.prog); ++ alloc(ctx, g.pstart, 0); ++ alloc(ctx, g.prog, 0); + return NULL; + } + ++ g.prog = alloc(ctx, NULL, sizeof (Reprog)); ++ if (!g.prog) ++ die(&g, "cannot allocate regular expression"); ++ g.pstart = g.pend = alloc(ctx, NULL, sizeof (Renode) * strlen(pattern) * 2); ++ if (!g.pstart) ++ die(&g, "cannot allocate regular expression parse list"); ++ + g.source = pattern; + g.ncclass = 0; + g.nsub = 1; +@@ -840,7 +848,9 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp) + die(&g, "syntax error"); + + g.prog->nsub = g.nsub; +- g.prog->start = g.prog->end = malloc((count(node) + 6) * sizeof (Reinst)); ++ g.prog->start = g.prog->end = alloc(ctx, NULL, (count(node) + 6) * sizeof (Reinst)); ++ if (!g.prog->start) ++ die(&g, "cannot allocate regular expression instruction list"); + + split = emit(g.prog, I_SPLIT); + split->x = split + 3; +@@ -859,20 +869,35 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp) + dumpprog(g.prog); + #endif + +- free(g.pstart); ++ alloc(ctx, g.pstart, 0); + + if (errorp) *errorp = NULL; + return g.prog; + } + +-void regfree(Reprog *prog) ++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx, Reprog *prog) + { + if (prog) { +- free(prog->start); +- free(prog); ++ alloc(ctx, prog->start, 0); ++ alloc(ctx, prog, 0); + } + } + ++static void *default_alloc(void *ctx, void *p, int n) ++{ ++ return realloc(p, (size_t)n); ++} ++ ++Reprog *regcomp(const char *pattern, int cflags, const char **errorp) ++{ ++ return regcompx(default_alloc, NULL, pattern, cflags, errorp); ++} ++ ++void regfree(Reprog *prog) ++{ ++ regfreex(default_alloc, NULL, prog); ++} ++ + /* Match */ + + static int isnewline(int c) +diff --git a/thirdparty/mujs/regexp.h b/thirdparty/mujs/regexp.h +index 4bb4615..6bb73e8 100644 +--- a/thirdparty/mujs/regexp.h ++++ b/thirdparty/mujs/regexp.h +@@ -1,6 +1,8 @@ + #ifndef regexp_h + #define regexp_h + ++#define regcompx js_regcompx ++#define regfreex js_regfreex + #define regcomp js_regcomp + #define regexec js_regexec + #define regfree js_regfree +@@ -8,6 +10,11 @@ + typedef struct Reprog Reprog; + typedef struct Resub Resub; + ++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx, ++ const char *pattern, int cflags, const char **errorp); ++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx, ++ Reprog *prog); ++ + Reprog *regcomp(const char *pattern, int cflags, const char **errorp); + int regexec(Reprog *prog, const char *string, Resub *sub, int eflags); + void regfree(Reprog *prog); +-- +2.9.1 + diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch new file mode 100644 index 0000000000..d73849262c --- /dev/null +++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch @@ -0,0 +1,36 @@ +Fix CVE-2016-10133: + +https://bugs.ghostscript.com/show_bug.cgi?id=697401 +http://seclists.org/oss-sec/2017/q1/74 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10133 + +Patch lifted from upstream source repository: + +https://git.ghostscript.com/?p=mujs.git;h=77ab465f1c394bb77f00966cd950650f3f53cb24 + +From 77ab465f1c394bb77f00966cd950650f3f53cb24 Mon Sep 17 00:00:00 2001 +From: Tor Andersson <tor.andersson@gmail.com> +Date: Thu, 12 Jan 2017 14:47:01 +0100 +Subject: [PATCH] Fix 697401: Error when dropping extra arguments to + lightweight functions. + +--- + thirdparty/mujs/jsrun.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/thirdparty/mujs/jsrun.c b/thirdparty/mujs/jsrun.c +index ee80845..782a6f9 100644 +--- a/thirdparty/mujs/jsrun.c ++++ b/thirdparty/mujs/jsrun.c +@@ -937,7 +937,7 @@ static void jsR_calllwfunction(js_State *J, int n, js_Function *F, js_Environmen + jsR_savescope(J, scope); + + if (n > F->numparams) { +- js_pop(J, F->numparams - n); ++ js_pop(J, n - F->numparams); + n = F->numparams; + } + for (i = n; i < F->varlen; ++i) +-- +2.9.1 + diff --git a/gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch b/gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch new file mode 100644 index 0000000000..1f7a4cadb7 --- /dev/null +++ b/gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch @@ -0,0 +1,69 @@ +Fix test failure of test_XXX caused by upgrade of gpgme from 1.6.0 to +1.8.0: + +====================================================================== +FAIL: test_encrypt_to_signonly (tests.test_encrypt_decrypt.EncryptDecryptTestCase) +---------------------------------------------------------------------- +Traceback (most recent call last): + File "/tmp/guix-build-python2-pygpgme-0.3.drv-0/pygpgme-0.3/tests/test_encrypt_decrypt.py", line 185, in test_encrypt_to_signonly + self.assertEqual(exc.args[0], gpgme.ERR_SOURCE_UNKNOWN) +AssertionError: 7 != 0 + +---------------------------------------------------------------------- + +Patch copied from the Debian package pygpgme-0.3-1.2: + +https://sources.debian.net/src/pygpgme/0.3-1.2/debian/patches/0005-Fix-test-failures-with-pinentry.patch/ + +From: "Dr. Tobias Quathamer" <toddy@debian.org> +Date: Thu, 24 Nov 2016 12:20:54 +0100 +Subject: Fix test failures with pinentry + +--- + tests/test_encrypt_decrypt.py | 5 +++-- + tests/test_passphrase.py | 2 ++ + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tests/test_encrypt_decrypt.py b/tests/test_encrypt_decrypt.py +index 21ae83e..05707e1 100644 +--- a/tests/test_encrypt_decrypt.py ++++ b/tests/test_encrypt_decrypt.py +@@ -132,6 +132,7 @@ class EncryptDecryptTestCase(GpgHomeTestCase): + os.write(fd, b'Symmetric passphrase\n') + ctx = gpgme.Context() + ctx.armor = True ++ ctx.pinentry_mode = gpgme.PINENTRY_MODE_LOOPBACK + ctx.passphrase_cb = passphrase + ctx.encrypt(None, 0, plaintext, ciphertext) + self.assertTrue( +@@ -182,8 +183,8 @@ class EncryptDecryptTestCase(GpgHomeTestCase): + ctx.encrypt([recipient], gpgme.ENCRYPT_ALWAYS_TRUST, + plaintext, ciphertext) + except gpgme.GpgmeError as exc: +- self.assertEqual(exc.args[0], gpgme.ERR_SOURCE_UNKNOWN) +- self.assertEqual(exc.args[1], gpgme.ERR_GENERAL) ++ self.assertEqual(exc.args[0], gpgme.ERR_SOURCE_GPGME) ++ self.assertEqual(exc.args[1], gpgme.ERR_UNUSABLE_PUBKEY) + else: + self.fail('gpgme.GpgmeError not raised') + +diff --git a/tests/test_passphrase.py b/tests/test_passphrase.py +index 35b3c59..05e6811 100644 +--- a/tests/test_passphrase.py ++++ b/tests/test_passphrase.py +@@ -34,6 +34,7 @@ class PassphraseTestCase(GpgHomeTestCase): + ctx = gpgme.Context() + key = ctx.get_key('EFB052B4230BBBC51914BCBB54DCBBC8DBFB9EB3') + ctx.signers = [key] ++ ctx.pinentry_mode = gpgme.PINENTRY_MODE_LOOPBACK + plaintext = BytesIO(b'Hello World\n') + signature = BytesIO() + +@@ -55,6 +56,7 @@ class PassphraseTestCase(GpgHomeTestCase): + ctx = gpgme.Context() + key = ctx.get_key('EFB052B4230BBBC51914BCBB54DCBBC8DBFB9EB3') + ctx.signers = [key] ++ ctx.pinentry_mode = gpgme.PINENTRY_MODE_LOOPBACK + ctx.passphrase_cb = self.passphrase_cb + plaintext = BytesIO(b'Hello World\n') + signature = BytesIO() diff --git a/gnu/packages/patches/qemu-CVE-2016-10155.patch b/gnu/packages/patches/qemu-CVE-2016-10155.patch new file mode 100644 index 0000000000..825edaa815 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2016-10155.patch @@ -0,0 +1,49 @@ +From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001 +From: Li Qiang <liqiang6-s@360.cn> +Date: Mon, 28 Nov 2016 17:49:04 -0800 +Subject: [PATCH] watchdog: 6300esb: add exit function + +When the Intel 6300ESB watchdog is hot unplug. The timer allocated +in realize isn't freed thus leaking memory leak. This patch avoid +this through adding the exit function. + +http://git.qemu.org/?p=qemu.git;a=patch;h=eb7a20a3616085d46aa6b4b4224e15587ec67e6e +this patch is from qemu-git. + +Signed-off-by: Li Qiang <liqiang6-s@360.cn> +Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + hw/watchdog/wdt_i6300esb.c | 9 +++++++++ + 1 files changed, 9 insertions(+), 0 deletions(-) + +diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c +index a83d951..49b3cd1 100644 +--- a/hw/watchdog/wdt_i6300esb.c ++++ b/hw/watchdog/wdt_i6300esb.c +@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp) + /* qemu_register_coalesced_mmio (addr, 0x10); ? */ + } + ++static void i6300esb_exit(PCIDevice *dev) ++{ ++ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev); ++ ++ timer_del(d->timer); ++ timer_free(d->timer); ++} ++ + static WatchdogTimerModel model = { + .wdt_name = "i6300esb", + .wdt_description = "Intel 6300ESB", +@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data) + k->config_read = i6300esb_config_read; + k->config_write = i6300esb_config_write; + k->realize = i6300esb_realize; ++ k->exit = i6300esb_exit; + k->vendor_id = PCI_VENDOR_ID_INTEL; + k->device_id = PCI_DEVICE_ID_INTEL_ESB_9; + k->class_id = PCI_CLASS_SYSTEM_OTHER; +-- +1.7.0.4 + diff --git a/gnu/packages/patches/qemu-CVE-2017-5525.patch b/gnu/packages/patches/qemu-CVE-2017-5525.patch new file mode 100644 index 0000000000..d0c0c82a4a --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-5525.patch @@ -0,0 +1,55 @@ +From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liqiang6-s@360.cn> +Date: Wed, 14 Dec 2016 18:30:21 -0800 +Subject: [PATCH] audio: ac97: add exit function +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +http://git.qemu.org/?p=qemu.git;a=patch;h=12351a91da97b414eec8cdb09f1d9f41e535a401 +this patch is from qemu-git + +Currently the ac97 device emulation doesn't have a exit function, +hot unplug this device will leak some memory. Add a exit function to +avoid this. + +Signed-off-by: Li Qiang <liqiang6-s@360.cn> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/audio/ac97.c | 11 +++++++++++ + 1 files changed, 11 insertions(+), 0 deletions(-) + +diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c +index cbd959e..c306575 100644 +--- a/hw/audio/ac97.c ++++ b/hw/audio/ac97.c +@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp) + ac97_on_reset (&s->dev.qdev); + } + ++static void ac97_exit(PCIDevice *dev) ++{ ++ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev); ++ ++ AUD_close_in(&s->card, s->voice_pi); ++ AUD_close_out(&s->card, s->voice_po); ++ AUD_close_in(&s->card, s->voice_mc); ++ AUD_remove_card(&s->card); ++} ++ + static int ac97_init (PCIBus *bus) + { + pci_create_simple (bus, -1, "AC97"); +@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data) + PCIDeviceClass *k = PCI_DEVICE_CLASS (klass); + + k->realize = ac97_realize; ++ k->exit = ac97_exit; + k->vendor_id = PCI_VENDOR_ID_INTEL; + k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5; + k->revision = 0x01; +-- +1.7.0.4 + diff --git a/gnu/packages/patches/qemu-CVE-2017-5526.patch b/gnu/packages/patches/qemu-CVE-2017-5526.patch new file mode 100644 index 0000000000..5a6d796458 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-5526.patch @@ -0,0 +1,58 @@ +From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001 +From: Li Qiang <liqiang6-s@360.cn> +Date: Wed, 14 Dec 2016 18:32:22 -0800 +Subject: [PATCH] audio: es1370: add exit function +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +http://git.qemu.org/?p=qemu.git;a=patch;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da +this patch is from qemu-git. + +Currently the es1370 device emulation doesn't have a exit function, +hot unplug this device will leak some memory. Add a exit function to +avoid this. + +Signed-off-by: Li Qiang <liqiang6-s@360.cn> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/audio/es1370.c | 14 ++++++++++++++ + 1 files changed, 14 insertions(+), 0 deletions(-) + +diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c +index 8449b5f..883ec69 100644 +--- a/hw/audio/es1370.c ++++ b/hw/audio/es1370.c +@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp) + es1370_reset (s); + } + ++static void es1370_exit(PCIDevice *dev) ++{ ++ ES1370State *s = ES1370(dev); ++ int i; ++ ++ for (i = 0; i < 2; ++i) { ++ AUD_close_out(&s->card, s->dac_voice[i]); ++ } ++ ++ AUD_close_in(&s->card, s->adc_voice); ++ AUD_remove_card(&s->card); ++} ++ + static int es1370_init (PCIBus *bus) + { + pci_create_simple (bus, -1, TYPE_ES1370); +@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data) + PCIDeviceClass *k = PCI_DEVICE_CLASS (klass); + + k->realize = es1370_realize; ++ k->exit = es1370_exit; + k->vendor_id = PCI_VENDOR_ID_ENSONIQ; + k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370; + k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO; +-- +1.7.0.4 + diff --git a/gnu/packages/patches/qemu-CVE-2017-5552.patch b/gnu/packages/patches/qemu-CVE-2017-5552.patch new file mode 100644 index 0000000000..50911f4f36 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-5552.patch @@ -0,0 +1,44 @@ +From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@gmail.com> +Date: Thu, 29 Dec 2016 03:11:26 -0500 +Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +If the virgl_renderer_resource_attach_iov function fails the +'res_iovs' will be leaked. Add check of the return value to +free the 'res_iovs' when failing. + +http://git.qemu.org/?p=qemu.git;a=patch;h=33243031dad02d161225ba99d782616da133f689 +this patch is from qemu-git. + +Signed-off-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/display/virtio-gpu-3d.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c +index e29f099..b13ced3 100644 +--- a/hw/display/virtio-gpu-3d.c ++++ b/hw/display/virtio-gpu-3d.c +@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g, + return; + } + +- virgl_renderer_resource_attach_iov(att_rb.resource_id, +- res_iovs, att_rb.nr_entries); ++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, ++ res_iovs, att_rb.nr_entries); ++ ++ if (ret != 0) ++ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries); + } + + static void virgl_resource_detach_backing(VirtIOGPU *g, +-- +1.7.0.4 + diff --git a/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch b/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch deleted file mode 100644 index f592f5cd51..0000000000 --- a/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch +++ /dev/null @@ -1,17 +0,0 @@ -The tests currently fail due to use of 'skip' rather than 'pending' to skip a -test usually not skipped by upstream. This patch has been proposed upstream -at https://github.com/lsegal/yard/pull/1033 - -diff --git a/spec/templates/helpers/html_helper_spec.rb b/spec/templates/helpers/html_helper_spec.rb -index 84624c3..9c4fc2b 100644 ---- a/spec/templates/helpers/html_helper_spec.rb -+++ b/spec/templates/helpers/html_helper_spec.rb -@@ -184,7 +184,7 @@ describe YARD::Templates::Helpers::HtmlHelper do - it "creates tables (markdown specific)" do - log.enter_level(Logger::FATAL) do - unless markup_class(:markdown).to_s == "RedcarpetCompat" -- skip "This test depends on a markdown engine that supports tables" -+ pending "This test depends on a markdown engine that supports tables" - end - end - diff --git a/gnu/packages/patches/tipp10-fix-compiling.patch b/gnu/packages/patches/tipp10-fix-compiling.patch new file mode 100644 index 0000000000..4c206d4d83 --- /dev/null +++ b/gnu/packages/patches/tipp10-fix-compiling.patch @@ -0,0 +1,213 @@ +Description: Debian patches to make tipp10 compile +Author: Christoph Martin <chrism@debian.org> +Last-Update: 2016-07-20 + +https://sources.debian.net/data/main/t/tipp10/2.1.0-2/debian/patches/0001-FixCompiling + +--- a/widget/tickerboard.cpp ++++ b/widget/tickerboard.cpp +@@ -97,7 +97,8 @@ void TickerBoard::startTicker(bool wasPa + + if (tickerSpeed == 50) { + scrollOffset = 290; +- scroll(-290, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect()); ++ const QRect qr = QRect(10, 15, 590, 35); ++ scroll(-290, 0, qr); //contentsRect()); + } + + startFlag = true; +@@ -153,7 +154,8 @@ void TickerBoard::changeChar() { + scrollOffset = 0; + } else { + scrollOffset = 290; +- scroll(-290, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect()); ++ const QRect qr = QRect(10, 15, 590, 35); ++ scroll(-290, 0, qr); //contentsRect()); + } + splitLesson(); + } +@@ -242,7 +244,8 @@ void TickerBoard::progress() { + + // Move ticker 1 pixel to left + scrollOffset++; +- scroll(-1, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect()); ++ const QRect qr = QRect(10, 15, 590, 35); ++ scroll(-1, 0, qr); //contentsRect()); + + if ((lessonOffset - scrollOffset) <= 30) { + setSpeed(tickerSpeed); +@@ -265,14 +268,16 @@ void TickerBoard::progress() { + // 160 pixels overage (because the user must see at least the next word) + if ((lessonOffset - scrollOffset) > 200) { + scrollOffset += (lessonOffset - scrollOffset) - 200; +- scroll(-((lessonOffset - scrollOffset) - 200), 0, QRect::QRect(10, 15, 590, 35)); //contentsRect()); ++ const QRect qr = QRect(10, 15, 590, 35); ++ scroll(-((lessonOffset - scrollOffset) - 200), 0, qr); //contentsRect()); + } + } else { + // If the user types faster than the ticker, move ticker faster after + // 160 pixels overage (because the user must see at least the next word) + if ((lessonOffset - scrollOffset) > 280) { + scrollOffset += 570; +- scroll(-570, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect()); ++ const QRect qr = QRect(10, 15, 590, 35); ++ scroll(-570, 0, qr); //contentsRect()); + } + + } +--- a/widget/settingspages.cpp ++++ b/widget/settingspages.cpp +@@ -501,7 +501,7 @@ void DatabasePage::writeSettings() { + QSettings settings; + #endif + settings.beginGroup("database"); +- settings.setValue("pathpro", lineDatabasePath->text() + "/" + QString::QString(APP_USER_DB)); ++ settings.setValue("pathpro", lineDatabasePath->text() + "/" + QString(APP_USER_DB)); + settings.endGroup(); + } + +--- a/widget/lessondialog.cpp ++++ b/widget/lessondialog.cpp +@@ -89,7 +89,7 @@ void LessonDialog::updateContent() { + *lessonData = lineLessonContent->toPlainText().split("\n", QString::SkipEmptyParts); + // Delete empty lines + for (int i = 0; i < lessonData->size(); i++) { +- if (QString::QString(lessonData->at(i).toLocal8Bit().constData()).simplified() == "") { ++ if (QString(lessonData->at(i).toLocal8Bit().constData()).simplified() == "") { + lessonData->removeAt(i); + } + } +@@ -259,7 +259,7 @@ void LessonDialog::clickSave() { + contentList = lineLessonContent->toPlainText().split("\n", QString::SkipEmptyParts); + // Delete empty lines + for (i = 0; i < contentList.size(); i++) { +- if (QString::QString(contentList.at(i).toLocal8Bit().constData()).simplified() == "") { ++ if (QString(contentList.at(i).toLocal8Bit().constData()).simplified() == "") { + contentList.removeAt(i); + } + } +--- a/sql/chartablesql.cpp ++++ b/sql/chartablesql.cpp +@@ -57,7 +57,7 @@ QVariant CharSqlModel::data(const QModel + // Read the unicode value + unicode = value.toInt(); + // Convert unicode to a char +- unicodeToChar = QString::QString(QChar(unicode)); //"\'" + QString::QString(QChar(unicode)) + "\'"; ++ unicodeToChar = QString(QChar(unicode)); //"\'" + QString::QString(QChar(unicode)) + "\'"; + return unicodeToChar; + } else { + // Last column (error weight) +--- a/sql/startsql.cpp ++++ b/sql/startsql.cpp +@@ -344,7 +344,7 @@ bool StartSql::updateOwnLesson(QString l + for (i = 0; i < content.size(); i++) { + //simplifiedContent = QString::QString( + // content.at(i)).replace(QChar(0x27), "''", Qt::CaseSensitive).simplified(); +- simplifiedContent = trim(QString::QString( ++ simplifiedContent = trim(QString( + content.at(i)).replace(QChar(0x27), "''", Qt::CaseSensitive)); + + if (!query.exec("INSERT INTO own_content VALUES(NULL,'" + +--- a/def/defines.h ++++ b/def/defines.h +@@ -27,9 +27,9 @@ Foundation, Inc., 51 Franklin Street, Fi + #define DEFINES_H + + // OS constants +-#define APP_WIN true ++#define APP_WIN false + #define APP_MAC false +-#define APP_X11 false ++#define APP_X11 true + #define APP_PORTABLE false //at least one of the 3 OS must be true too! + + // Languages +@@ -47,6 +47,7 @@ Foundation, Inc., 51 Franklin Street, Fi + #define APP_URL "http://www.tipp10.com" + #define APP_DB "tipp10v2.template" + #define APP_USER_DB "tipp10v2.db" ++#define APP_SHARE_DIR "/usr/share/tipp10" + + // Update constants + #define UPDATE_URL "www.tipp10.com" +--- a/tipp10.pro ++++ b/tipp10.pro +@@ -88,3 +88,15 @@ SOURCES += main.cpp \ + sql/startsql.cpp \ + games/abcrainwidget.cpp \ + games/charball.cpp ++ ++target.path = /usr/bin/ ++INSTALLS += target ++share.path = /usr/share/tipp10/ ++share.files = release/* *wav ++INSTALLS += share ++desktop.path = /usr/share/applications/ ++desktop.files = tipp10.desktop ++INSTALLS += desktop ++pixmap.path = /usr/share/pixmaps/ ++pixmap.files = tipp10.png ++INSTALLS += pixmap +--- a/sql/connection.h ++++ b/sql/connection.h +@@ -179,11 +179,13 @@ static bool createConnection() { + CANCEL_NO, "Betroffener Pfad:\n" + dbPath);*/ + // Try to create new databae in user path + // Exist a database in the program dir? +- if (QFile::exists(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate)) { ++ // if (QFile::exists(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate)) { ++ if (QFile::exists(QString(APP_SHARE_DIR) + "/" + dbNameTemplate)) { + //if (QFile::exists(":/" + dbNameTemplate)) { + // A database exist in the program dir + // -> copy database to user home dir +- QFile file(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate); ++ // QFile file(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate); ++ QFile file(QString(APP_SHARE_DIR) + "/" + dbNameTemplate); + //QFile file(":/" + dbNameTemplate); + if (file.copy(dbPath)) { + QFile::setPermissions(dbPath, QFile::permissions(dbPath) | QFile::WriteUser); +@@ -229,7 +231,8 @@ static bool createConnection() { + // Exist a database in user's home dir? + if (!QFile::exists(dbPath)) { + // Exist a database template in the program dir? +- dbPath = QCoreApplication::applicationDirPath() + "/" + dbNameTemplate; ++ // dbPath = QCoreApplication::applicationDirPath() + "/" + dbNameTemplate; ++ dbPath = QString(APP_SHARE_DIR) + "/" + dbNameTemplate; + //dbPath = ":/" + dbNameTemplate; + if (QFile::exists(dbPath)) { + // A database template exist in the program dir +--- a/widget/helpbrowser.cpp ++++ b/widget/helpbrowser.cpp +@@ -52,13 +52,15 @@ HelpBrowser::HelpBrowser(QString link, Q + textBrowser->setOpenExternalLinks(true); + + textBrowser->setSource(QString("file:///") + +- QCoreApplication::applicationDirPath() + ++ // QCoreApplication::applicationDirPath() + ++ APP_SHARE_DIR + + QString("/help/") + language + QString("/index.html")); + + if (link != "") { + + textBrowser->setSource(QString("file:///") + +- QCoreApplication::applicationDirPath() + ++ // QCoreApplication::applicationDirPath() + ++ APP_SHARE_DIR + + QString("/help/") + language + QString("/content/") + link); + + } +--- a/tipp10.desktop ++++ b/tipp10.desktop +@@ -1,10 +1,10 @@ + [Desktop Entry] +-Encoding=UTF-8 + Name=TIPP10 + Comment=Touch Typing Tutor + Comment[de]=10-Finger-Schreibtrainer +-Exec=tipp10 ++Exec=/usr/bin/tipp10 + Icon=tipp10.png + Terminal=false + Type=Application + Categories=Education; ++Keywords=learning;touchtyping diff --git a/gnu/packages/patches/tipp10-remove-license-code.patch b/gnu/packages/patches/tipp10-remove-license-code.patch new file mode 100644 index 0000000000..4b7487e726 --- /dev/null +++ b/gnu/packages/patches/tipp10-remove-license-code.patch @@ -0,0 +1,332 @@ +Description: Remove license dialog and license key checking + +https://sources.debian.net/data/main/t/tipp10/2.1.0-2/debian/patches/0002-RemoveLicenseCode + +--- a/main.cpp ++++ b/main.cpp +@@ -33,7 +33,6 @@ Foundation, Inc., 51 Franklin Street, Fi + #include "def/defines.h" + #include "sql/connection.h" + #include "widget/mainwindow.h" +-#include "widget/licensedialog.h" + #include "widget/illustrationdialog.h" + + int main(int argc, char *argv[]) { +@@ -59,7 +58,7 @@ int main(int argc, char *argv[]) { + QSettings settings; + #endif + +- // Read/write language, license key and show illustration flag ++ // Read/write language and show illustration flag + settings.beginGroup("general"); + QString languageGui = settings.value("language_gui", + QLocale::system().name()).toString(); +@@ -101,7 +100,6 @@ int main(int argc, char *argv[]) { + QString languageLesson = settings.value("language_lesson", + "").toString(); + +- QString licenseKey = settings.value("licensekey", "").toString(); + bool showIllustration = settings.value("check_illustration", true).toBool(); + bool useNativeStyle = settings.value("check_native_style", false).toBool(); + settings.endGroup(); +--- a/tipp10.pro ++++ b/tipp10.pro +@@ -43,7 +43,6 @@ HEADERS += def/defines.h \ + widget/helpbrowser.h \ + widget/companylogo.h \ + widget/errormessage.h \ +- widget/licensedialog.h \ + widget/txtmessagedialog.h \ + widget/checkversion.h \ + sql/connection.h \ +@@ -78,7 +77,6 @@ SOURCES += main.cpp \ + widget/helpbrowser.cpp \ + widget/companylogo.cpp \ + widget/errormessage.cpp \ +- widget/licensedialog.cpp \ + widget/txtmessagedialog.cpp \ + widget/checkversion.cpp \ + sql/lessontablesql.cpp \ +--- a/widget/licensedialog.cpp ++++ /dev/null +@@ -1,168 +0,0 @@ +-/* +-Copyright (c) 2006-2009, Tom Thielicke IT Solutions +- +-This program is free software; you can redistribute it and/or +-modify it under the terms of the GNU General Public License +-as published by the Free Software Foundation; either version 2 +-of the License. +- +-This program is distributed in the hope that it will be useful, +-but WITHOUT ANY WARRANTY; without even the implied warranty of +-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-GNU General Public License for more details. +- +-You should have received a copy of the GNU General Public License +-along with this program; if not, write to the Free Software +-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +-02110-1301, USA. +-*/ +- +-/**************************************************************** +-** +-** Implementation of the LicenseDialog class +-** File name: licensedialog.cpp +-** +-****************************************************************/ +- +-#include <QHBoxLayout> +-#include <QVBoxLayout> +-#include <QMessageBox> +-#include <QSettings> +-#include <QCoreApplication> +- +-#include "licensedialog.h" +-#include "def/defines.h" +- +-LicenseDialog::LicenseDialog(QWidget *parent) : QDialog(parent) { +- +- setWindowFlags(windowFlags() ^ Qt::WindowContextHelpButtonHint); +- +- setWindowTitle(tr("Lizenznummer")); +- setWindowIcon(QIcon(":/img/" + QString(ICON_FILENAME))); +- +- // Create texbox +- createLineEdit(); +- +- // Create buttons +- createButtons(); +- +- // Set the layout of all widgets created above +- createLayout(); +- +- lineLicensing->setFocus(); +-} +- +-void LicenseDialog::createButtons() { +- //Buttons +- buttonOk = new QPushButton(this); +- buttonDemo = new QPushButton(this); +- +- buttonOk->setText(tr("&Ok")); +- buttonDemo->setText(tr("&Demo starten")); +- buttonDemo->setToolTip(tr("Im Demo-Modus koennen pro Lektion nur\n" +- "10 Schriftzeichen eingegeben werden")); +- +- buttonOk->setDefault(true); +- // Widget connections +- connect(buttonOk, SIGNAL(clicked()), this, SLOT(clickOk())); +- connect(buttonDemo, SIGNAL(clicked()), this, SLOT(clickDemo())); +-} +- +-void LicenseDialog::createLineEdit() { +- +- lineLicensing = new QLineEdit(); +- lineLicensing->setInputMask(">NNNNNNNNNNNNNN"); +- +- labelLicensing = new QLabel(tr("Bitte geben Sie Ihre Lizenznummer " +- "(ohne Leerzeichen) ein, " +- "die Sie im Arbeitsbuch (Schulbuch) auf Seite 3 finden:")); +- +- labelLicensing->setWordWrap(true); +-} +- +-void LicenseDialog::createLayout() { +- // Button layout horizontal +- QHBoxLayout *buttonLayoutHorizontal = new QHBoxLayout; +- buttonLayoutHorizontal->addStretch(1); +- buttonLayoutHorizontal->addWidget(buttonDemo); +- buttonLayoutHorizontal->addWidget(buttonOk); +- // Full layout of all widgets vertical +- QVBoxLayout *mainLayout = new QVBoxLayout; +- mainLayout->addSpacing(1); +- mainLayout->addWidget(labelLicensing); +- mainLayout->addSpacing(1); +- mainLayout->addWidget(lineLicensing); +- mainLayout->addSpacing(1); +- mainLayout->addLayout(buttonLayoutHorizontal); +- mainLayout->setMargin(15); +- mainLayout->setSpacing(15); +- // Pass layout to parent widget (this) +- this->setLayout(mainLayout); +-} +- +-void LicenseDialog::clickOk() { +- +- // Check license key +- if (!checkLicenseKey(lineLicensing->text())) { +- +- // License key is wrong +- +- // Message to the user +- QMessageBox::information(0, APP_NAME, +- tr("Die eingegebene Lizenznummer ist leider nicht " +- "korrekt.\nBitte ueberpruefen Sie die Schreibweise.")); +- +- lineLicensing->setFocus(); +- +- } else { +- +- // License key is ok +- writeSettings(); +- accept(); +- } +-} +- +-void LicenseDialog::clickDemo() { +- accept(); +-} +- +-bool LicenseDialog::checkLicenseKey(QString licenseKey) { +- if (licenseKey.size() == 14 && +- licenseKey[0].isLetter() && +- licenseKey[1].isLetter() && +- (licenseKey.mid(2, 2) == "39" || +- licenseKey.mid(2, 2) == "41" || +- licenseKey.mid(2, 2) == "43" || +- licenseKey.mid(2, 2) == "49" || +- licenseKey.mid(2, 2) == "99") && +- licenseKey[4].isDigit() && +- licenseKey[5].isDigit() && +- licenseKey[6].isDigit() && +- licenseKey[7].isLetter() && +- licenseKey[8].isDigit() && +- licenseKey[9].isDigit() && +- licenseKey[10].isDigit() && +- licenseKey[11].isDigit() && +- licenseKey[12].isLetter() && +- licenseKey[13].isLetter()) { +- +- return true; +- } +- return false; +-} +- +-void LicenseDialog::writeSettings() { +- // Saves settings of the startwiget +- // (uses the default constructor of QSettings, passing +- // the application and company name see main function) +- #if APP_PORTABLE +- QSettings settings(QCoreApplication::applicationDirPath() + +- "/portable/settings.ini", QSettings::IniFormat); +- #else +- QSettings settings; +- #endif +- +- settings.beginGroup("general"); +- settings.setValue("licensekey", lineLicensing->text()); +- settings.endGroup(); +-} +--- a/widget/licensedialog.h ++++ /dev/null +@@ -1,85 +0,0 @@ +-/* +-Copyright (c) 2006-2009, Tom Thielicke IT Solutions +- +-This program is free software; you can redistribute it and/or +-modify it under the terms of the GNU General Public License +-as published by the Free Software Foundation; either version 2 +-of the License. +- +-This program is distributed in the hope that it will be useful, +-but WITHOUT ANY WARRANTY; without even the implied warranty of +-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-GNU General Public License for more details. +- +-You should have received a copy of the GNU General Public License +-along with this program; if not, write to the Free Software +-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +-02110-1301, USA. +-*/ +- +-/**************************************************************** +-** +-** Definition of the LicenseDialog class +-** File name: licensedialog.h +-** +-****************************************************************/ +- +-#ifndef LICENSEDIALOG_H +-#define LICENSEDIALOG_H +- +-#include <QDialog> +-#include <QWidget> +-#include <QPushButton> +-#include <QLabel> +-#include <QLineEdit> +-#include <QString> +- +-//! The LicenseDialog class provides a license input widget. +-/*! +- The LicenseDialog class shows a dialog to enter a license key. +- +- @author Tom Thielicke, s712715 +- @version 0.0.1 +- @date 09.09.2008 +-*/ +-class LicenseDialog : public QDialog { +- Q_OBJECT +- +- public: +- +- //! Constructor, creates two table objects and provide it in two tabs. +- LicenseDialog(QWidget *parent = 0); +- +- bool checkLicenseKey(QString licenseKey); +- +- public slots: +- +- private slots: +- +- //! Start button pressed +- void clickOk(); +- +- //! Demo button pressed +- void clickDemo(); +- +- private: +- +- //! Creates a cancel and a ok button. +- void createButtons(); +- +- //! Creates a textbox. +- void createLineEdit(); +- +- //! Creates the layout of the complete class. +- void createLayout(); +- +- //! Writes user settings +- void writeSettings(); +- +- QPushButton *buttonOk; +- QPushButton *buttonDemo; +- QLabel *labelLicensing; +- QLineEdit *lineLicensing; +-}; +- +-#endif //LICENSEDIALOG_H +--- a/widget/mainwindow.cpp ++++ b/widget/mainwindow.cpp +@@ -116,11 +116,6 @@ void MainWindow::closeEvent(QCloseEvent + } + } + +-bool MainWindow::checkLicenseKey(QString licenseKey) { +- +- return false; +-} +- + void MainWindow::createMenu() { + //Mac-Version: + //----------- +--- a/widget/mainwindow.h ++++ b/widget/mainwindow.h +@@ -39,7 +39,6 @@ Foundation, Inc., 51 Franklin Street, Fi + #include "trainingwidget.h" + #include "evaluationwidget.h" + #include "illustrationdialog.h" +-#include "licensedialog.h" + #include "games/abcrainwidget.h" + #include "helpbrowser.h" + diff --git a/gnu/packages/patches/totem-debug-format-fix.patch b/gnu/packages/patches/totem-debug-format-fix.patch deleted file mode 100644 index 7ddd31ee10..0000000000 --- a/gnu/packages/patches/totem-debug-format-fix.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- totem-3.20.1/src/backend/bacon-video-widget.c.orig 2016-03-22 12:45:32.000000000 -0400 -+++ totem-3.20.1/src/backend/bacon-video-widget.c 2016-05-11 02:49:55.299109551 -0400 -@@ -2334,7 +2334,7 @@ - if (!gst_toc_entry_get_start_stop_times (entry, &start, &stop)) { - GST_DEBUG ("Chapter #%d (couldn't get times)", i); - } else { -- GST_DEBUG ("Chapter #%d (start: %li stop: %li)", i, start, stop); -+ GST_DEBUG ("Chapter #%d (start: %li stop: %li)", i, (long) start, (long) stop); - } - } - diff --git a/gnu/packages/patches/upower-builddir.patch b/gnu/packages/patches/upower-builddir.patch index 13cef5876a..d59d4364b8 100644 --- a/gnu/packages/patches/upower-builddir.patch +++ b/gnu/packages/patches/upower-builddir.patch @@ -37,7 +37,7 @@ Patch by Andy Wingo <wingo@igalia.com> - if (g_file_test ("../etc/UPower.conf", G_FILE_TEST_EXISTS)) - g_setenv ("UPOWER_CONF_FILE_NAME", "../etc/UPower.conf", TRUE); - else -- g_setenv ("UPOWER_CONF_FILE_NAME", "../../etc/UPower.conf", TRUE); +- g_setenv ("UPOWER_CONF_FILE_NAME", "../../../etc/UPower.conf", TRUE); - /* tests go here */ g_test_add_func ("/power/backend", up_test_backend_func); diff --git a/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch b/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch deleted file mode 100644 index 969ed7e41e..0000000000 --- a/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch +++ /dev/null @@ -1,24 +0,0 @@ -Removes references to mibstore.h and miInitializeBackingStore, which -have been removed from xorg-server. Zack Rusin <zackr@vmware.com> -wrote: "It was a noop for at least 5 years and it has been removed." -See: http://patches.openembedded.org/patch/46133/ - ---- xf86-video-glint-1.2.8/src/glint_driver.c.~1~ 2012-07-15 22:50:47.000000000 -0400 -+++ xf86-video-glint-1.2.8/src/glint_driver.c 2014-12-19 00:42:39.162714279 -0500 -@@ -52,8 +52,6 @@ - #include "compiler.h" - #include "mipointer.h" - --#include "mibstore.h" -- - #include "pm3_regs.h" - #include "glint_regs.h" - #include "IBM.h" -@@ -2904,7 +2902,6 @@ - } - } - -- miInitializeBackingStore(pScreen); - xf86SetBackingStore(pScreen); - xf86SetSilkenMouse(pScreen); - diff --git a/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch b/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch deleted file mode 100644 index 48588ed0e4..0000000000 --- a/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch +++ /dev/null @@ -1,72 +0,0 @@ -Removes references to mibstore.h and miInitializeBackingStore, which -have been removed from xorg-server. Zack Rusin <zackr@vmware.com> -wrote: "It was a noop for at least 5 years and it has been removed." -See: http://patches.openembedded.org/patch/46133/ - -diff -ru xf86-video-nv-2.1.20.orig/src/g80_driver.c xf86-video-nv-2.1.20/src/g80_driver.c ---- xf86-video-nv-2.1.20.orig/src/g80_driver.c 2012-07-17 02:47:02.000000000 -0400 -+++ xf86-video-nv-2.1.20/src/g80_driver.c 2014-12-17 10:11:42.197579082 -0500 -@@ -34,7 +34,6 @@ - #include <xf86Resources.h> - #endif - #include <mipointer.h> --#include <mibstore.h> - #include <micmap.h> - #include <xf86cmap.h> - #include <fb.h> -@@ -833,7 +832,6 @@ - } - } - -- miInitializeBackingStore(pScreen); - xf86SetBackingStore(pScreen); - xf86SetSilkenMouse(pScreen); - -diff -ru xf86-video-nv-2.1.20.orig/src/nv_driver.c xf86-video-nv-2.1.20/src/nv_driver.c ---- xf86-video-nv-2.1.20.orig/src/nv_driver.c 2012-07-17 02:47:02.000000000 -0400 -+++ xf86-video-nv-2.1.20/src/nv_driver.c 2014-12-17 10:11:39.037563413 -0500 -@@ -2550,7 +2550,6 @@ - if (!pNv->NoAccel) - NVAccelInit(pScreen); - -- miInitializeBackingStore(pScreen); - xf86SetBackingStore(pScreen); - xf86SetSilkenMouse(pScreen); - -diff -ru xf86-video-nv-2.1.20.orig/src/nv_include.h xf86-video-nv-2.1.20/src/nv_include.h ---- xf86-video-nv-2.1.20.orig/src/nv_include.h 2012-07-17 02:48:19.000000000 -0400 -+++ xf86-video-nv-2.1.20/src/nv_include.h 2014-12-17 10:11:22.089479372 -0500 -@@ -24,9 +24,6 @@ - /* All drivers initialising the SW cursor need this */ - #include "mipointer.h" - --/* All drivers implementing backing store need this */ --#include "mibstore.h" -- - #include "micmap.h" - - #include "xf86DDC.h" -diff -ru xf86-video-nv-2.1.20.orig/src/riva_driver.c xf86-video-nv-2.1.20/src/riva_driver.c ---- xf86-video-nv-2.1.20.orig/src/riva_driver.c 2012-07-17 02:47:02.000000000 -0400 -+++ xf86-video-nv-2.1.20/src/riva_driver.c 2014-12-17 10:11:31.101524060 -0500 -@@ -1168,7 +1168,6 @@ - if (!pRiva->NoAccel) - RivaAccelInit(pScreen); - -- miInitializeBackingStore(pScreen); - xf86SetBackingStore(pScreen); - xf86SetSilkenMouse(pScreen); - -diff -ru xf86-video-nv-2.1.20.orig/src/riva_include.h xf86-video-nv-2.1.20/src/riva_include.h ---- xf86-video-nv-2.1.20.orig/src/riva_include.h 2012-07-17 02:48:45.000000000 -0400 -+++ xf86-video-nv-2.1.20/src/riva_include.h 2014-12-17 10:11:12.229430478 -0500 -@@ -22,9 +22,6 @@ - /* All drivers initialising the SW cursor need this */ - #include "mipointer.h" - --/* All drivers implementing backing store need this */ --#include "mibstore.h" -- - #include "micmap.h" - - #include "xf86DDC.h" |