author | Marius Bakke <mbakke@fastmail.com> | 2017-12-19 01:42:40 +0100 |
---|---|---|
committer | Marius Bakke <mbakke@fastmail.com> | 2017-12-19 01:42:40 +0100 |
commit | 32cd878be0bb7e153fcaa6f3bfa2632867390ff9 (patch) | |
tree | fc1ff93949817c9d172c84d0410ac9225cad57ae /gnu/packages/patches | |
parent | 753425610274ccb59cce13490c096027c61621d0 (diff) | |
parent | 98bd11cfe7b931e9c6d6bf002a8a225fb7a1025b (diff) | |
download | guix-32cd878be0bb7e153fcaa6f3bfa2632867390ff9.tar.gz |
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
24 files changed, 671 insertions, 1133 deletions
diff --git a/gnu/packages/patches/borg-fix-archive-corruption-bug.patch b/gnu/packages/patches/borg-fix-archive-corruption-bug.patch
new file mode 100644
index 0000000000..0debf119be
--- /dev/null
+++ b/gnu/packages/patches/borg-fix-archive-corruption-bug.patch
@@ -0,0 +1,68 @@
+Fix a bug in `borg check --repair` that corrupts existing archives:
+
+https://github.com/borgbackup/borg/issues/3444
+
+Patches copied from upstream source repository:
+
+https://github.com/borgbackup/borg/commit/e09892caec8a63d59e909518c4e9c230dbd69774
+https://github.com/borgbackup/borg/commit/a68d28bfa4db30561150c83eb6a0dca5efa4d9e8
+
+From a68d28bfa4db30561150c83eb6a0dca5efa4d9e8 Mon Sep 17 00:00:00 2001
+From: Thomas Waldmann <tw@waldmann-edv.de>
+Date: Sat, 16 Dec 2017 01:11:40 +0100
+Subject: [PATCH 1/2] modify borg check unit test so it "hangs", see #3444
+
+it doesn't infinitely hang, but slows down considerably.
+---
+ src/borg/testsuite/archiver.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/borg/testsuite/archiver.py b/src/borg/testsuite/archiver.py
+index c7def2c7..b3383e97 100644
+--- a/src/borg/testsuite/archiver.py
++++ b/src/borg/testsuite/archiver.py
+@@ -3006,7 +3006,7 @@ def test_missing_file_chunk(self):
+ def test_missing_archive_item_chunk(self):
+ archive, repository = self.open_archive('archive1')
+ with repository:
+- repository.delete(archive.metadata.items[-5])
++ repository.delete(archive.metadata.items[0])
+ repository.commit()
+ self.cmd('check', self.repository_location, exit_code=1)
+ self.cmd('check', '--repair', self.repository_location, exit_code=0)
+--
+2.15.1
+
+
+From e09892caec8a63d59e909518c4e9c230dbd69774 Mon Sep 17 00:00:00 2001
+From: Thomas Waldmann <tw@waldmann-edv.de>
+Date: Sat, 16 Dec 2017 01:16:05 +0100
+Subject: [PATCH 2/2] check --repair: fix malfunctioning validator, fixes #3444
+
+the major problem was the ('path' in item) expression.
+the dict has bytes-typed keys there, so it never succeeded as it
+looked for a str key. this is a 1.1 regression, 1.0 was fine.
+
+the dict -> StableDict change is just for being more specific,
+the check triggered correctly as StableDict subclasses dict,
+it was just a bit too general.
+---
+ src/borg/archive.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/borg/archive.py b/src/borg/archive.py
+index 239d00b7..be086800 100644
+--- a/src/borg/archive.py
++++ b/src/borg/archive.py
+@@ -1457,7 +1457,7 @@ def robust_iterator(archive):
+ """
+ item_keys = frozenset(key.encode() for key in self.manifest.item_keys)
+ required_item_keys = frozenset(key.encode() for key in REQUIRED_ITEM_KEYS)
+- unpacker = RobustUnpacker(lambda item: isinstance(item, dict) and 'path' in item,
++ unpacker = RobustUnpacker(lambda item: isinstance(item, StableDict) and b'path' in item,
+ self.manifest.item_keys)
+ _state = 0
+
+--
+2.15.1
+
diff --git a/gnu/packages/patches/eigen-arm-neon-fixes.patch b/gnu/packages/patches/eigen-arm-neon-fixes.patch
new file mode 100644
index 0000000000..0838f30463
--- /dev/null
+++ b/gnu/packages/patches/eigen-arm-neon-fixes.patch
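Review bot: In borg-fix-archive-corruption-bug.patch, the corrected validator in robust_iterator now tests `b'path' in item`, but nothing on that line says why a bytes literal is required, and the original str/bytes mismatch failed silently because the validator simply never matched. A one-line comment above the `RobustUnpacker(...)` call would guard against the same regression, e.g. `# item keys are bytes here, so look up b'path', not 'path'`. The test change in archiver.py is described by its own commit message as making the check slow down rather than fail, so it is worth confirming that the package build runs this test and treats a timeout as a failure. robust_iterator's body starts and ends outside the nested hunk.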
@@ -0,0 +1,245 @@
+# HG changeset patch
+# User Gael Guennebaud <g.gael@free.fr>
+# Date 1497514590 -7200
+# Node ID d781c1de98342c5ca29c2fe719d8d3c96a35dcd4
+# Parent 48cd83b2b459aa9f3f5dca135d38760fe0b02a2f
+Bug 1436: fix compilation of Jacobi rotations with ARM NEON, some specializations of internal::conj_helper were missing.
+
+diff --git a/Eigen/Core b/Eigen/Core
+--- a/Eigen/Core
++++ b/Eigen/Core
+@@ -371,6 +371,7 @@
+ #include "src/Core/MathFunctions.h"
+ #include "src/Core/GenericPacketMath.h"
+ #include "src/Core/MathFunctionsImpl.h"
++#include "src/Core/arch/Default/ConjHelper.h"
+
+ #if defined EIGEN_VECTORIZE_AVX512
+ #include "src/Core/arch/SSE/PacketMath.h"
+diff --git a/Eigen/src/Core/arch/AVX/Complex.h b/Eigen/src/Core/arch/AVX/Complex.h
+--- a/Eigen/src/Core/arch/AVX/Complex.h
++++ b/Eigen/src/Core/arch/AVX/Complex.h
+@@ -204,23 +204,7 @@
+ }
+ };
+
+-template<> struct conj_helper<Packet8f, Packet4cf, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet4cf pmadd(const Packet8f& x, const Packet4cf& y, const Packet4cf& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet4cf pmul(const Packet8f& x, const Packet4cf& y) const
+- { return Packet4cf(Eigen::internal::pmul(x, y.v)); }
+-};
+-
+-template<> struct conj_helper<Packet4cf, Packet8f, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet4cf pmadd(const Packet4cf& x, const Packet8f& y, const Packet4cf& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet4cf pmul(const Packet4cf& x, const Packet8f& y) const
+- { return Packet4cf(Eigen::internal::pmul(x.v, y)); }
+-};
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet4cf,Packet8f)
+
+ template<> EIGEN_STRONG_INLINE Packet4cf pdiv<Packet4cf>(const Packet4cf& a, const Packet4cf& b)
+ {
+@@ -400,23 +384,7 @@
+ }
+ };
+
+-template<> struct conj_helper<Packet4d, Packet2cd, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet2cd pmadd(const Packet4d& x, const Packet2cd& y, const Packet2cd& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet2cd pmul(const Packet4d& x, const Packet2cd& y) const
+- { return Packet2cd(Eigen::internal::pmul(x, y.v)); }
+-};
+-
+-template<> struct conj_helper<Packet2cd, Packet4d, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet2cd pmadd(const Packet2cd& x, const Packet4d& y, const Packet2cd& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet2cd pmul(const Packet2cd& x, const Packet4d& y) const
+- { return Packet2cd(Eigen::internal::pmul(x.v, y)); }
+-};
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet2cd,Packet4d)
+
+ template<> EIGEN_STRONG_INLINE Packet2cd pdiv<Packet2cd>(const Packet2cd& a, const Packet2cd& b)
+ {
+diff --git a/Eigen/src/Core/arch/AltiVec/Complex.h b/Eigen/src/Core/arch/AltiVec/Complex.h
+--- a/Eigen/src/Core/arch/AltiVec/Complex.h
++++ b/Eigen/src/Core/arch/AltiVec/Complex.h
+@@ -224,23 +224,7 @@
+ }
+ };
+
+-template<> struct conj_helper<Packet4f, Packet2cf, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet2cf pmadd(const Packet4f& x, const Packet2cf& y, const Packet2cf& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet2cf pmul(const Packet4f& x, const Packet2cf& y) const
+- { return Packet2cf(internal::pmul<Packet4f>(x, y.v)); }
+-};
+-
+-template<> struct conj_helper<Packet2cf, Packet4f, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet2cf pmadd(const Packet2cf& x, const Packet4f& y, const Packet2cf& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet2cf pmul(const Packet2cf& x, const Packet4f& y) const
+- { return Packet2cf(internal::pmul<Packet4f>(x.v, y)); }
+-};
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet2cf,Packet4f)
+
+ template<> EIGEN_STRONG_INLINE Packet2cf pdiv<Packet2cf>(const Packet2cf& a, const Packet2cf& b)
+ {
+@@ -416,23 +400,8 @@
+ return pconj(internal::pmul(a, b));
+ }
+ };
+-template<> struct conj_helper<Packet2d, Packet1cd, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet1cd pmadd(const Packet2d& x, const Packet1cd& y, const Packet1cd& c) const
+- { return padd(c, pmul(x,y)); }
+
+- EIGEN_STRONG_INLINE Packet1cd pmul(const Packet2d& x, const Packet1cd& y) const
+- { return Packet1cd(internal::pmul<Packet2d>(x, y.v)); }
+-};
+-
+-template<> struct conj_helper<Packet1cd, Packet2d, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet1cd pmadd(const Packet1cd& x, const Packet2d& y, const Packet1cd& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet1cd pmul(const Packet1cd& x, const Packet2d& y) const
+- { return Packet1cd(internal::pmul<Packet2d>(x.v, y)); }
+-};
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet1cd,Packet2d)
+
+ template<> EIGEN_STRONG_INLINE Packet1cd pdiv<Packet1cd>(const Packet1cd& a, const Packet1cd& b)
+ {
+diff --git a/Eigen/src/Core/arch/Default/ConjHelper.h b/Eigen/src/Core/arch/Default/ConjHelper.h
+new file mode 100644
+--- /dev/null
++++ b/Eigen/src/Core/arch/Default/ConjHelper.h
+@@ -0,0 +1,29 @@
++
++// This file is part of Eigen, a lightweight C++ template library
++// for linear algebra.
++//
++// Copyright (C) 2017 Gael Guennebaud <gael.guennebaud@inria.fr>
++//
++// This Source Code Form is subject to the terms of the Mozilla
++// Public License v. 2.0. If a copy of the MPL was not distributed
++// with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
++
++#ifndef EIGEN_ARCH_CONJ_HELPER_H
++#define EIGEN_ARCH_CONJ_HELPER_H
++
++#define EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(PACKET_CPLX, PACKET_REAL) \
++ template<> struct conj_helper<PACKET_REAL, PACKET_CPLX, false,false> { \
++ EIGEN_STRONG_INLINE PACKET_CPLX pmadd(const PACKET_REAL& x, const PACKET_CPLX& y, const PACKET_CPLX& c) const \
++ { return padd(c, pmul(x,y)); } \
++ EIGEN_STRONG_INLINE PACKET_CPLX pmul(const PACKET_REAL& x, const PACKET_CPLX& y) const \
++ { return PACKET_CPLX(Eigen::internal::pmul<PACKET_REAL>(x, y.v)); } \
++ }; \
++ \
++ template<> struct conj_helper<PACKET_CPLX, PACKET_REAL, false,false> { \
++ EIGEN_STRONG_INLINE PACKET_CPLX pmadd(const PACKET_CPLX& x, const PACKET_REAL& y, const PACKET_CPLX& c) const \
++ { return padd(c, pmul(x,y)); } \
++ EIGEN_STRONG_INLINE PACKET_CPLX pmul(const PACKET_CPLX& x, const PACKET_REAL& y) const \
++ { return PACKET_CPLX(Eigen::internal::pmul<PACKET_REAL>(x.v, y)); } \
++ };
++
++#endif // EIGEN_ARCH_CONJ_HELPER_H
+diff --git a/Eigen/src/Core/arch/NEON/Complex.h b/Eigen/src/Core/arch/NEON/Complex.h
+--- a/Eigen/src/Core/arch/NEON/Complex.h
++++ b/Eigen/src/Core/arch/NEON/Complex.h
+@@ -265,6 +265,8 @@
+ }
+ };
+
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet2cf,Packet4f)
++
+ template<> EIGEN_STRONG_INLINE Packet2cf pdiv<Packet2cf>(const Packet2cf& a, const Packet2cf& b)
+ {
+ // TODO optimize it for NEON
+@@ -456,6 +458,8 @@
+ }
+ };
+
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet1cd,Packet2d)
++
+ template<> EIGEN_STRONG_INLINE Packet1cd pdiv<Packet1cd>(const Packet1cd& a, const Packet1cd& b)
+ {
+ // TODO optimize it for NEON
+diff --git a/Eigen/src/Core/arch/SSE/Complex.h b/Eigen/src/Core/arch/SSE/Complex.h
+--- a/Eigen/src/Core/arch/SSE/Complex.h
++++ b/Eigen/src/Core/arch/SSE/Complex.h
+@@ -229,23 +229,7 @@
+ }
+ };
+
+-template<> struct conj_helper<Packet4f, Packet2cf, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet2cf pmadd(const Packet4f& x, const Packet2cf& y, const Packet2cf& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet2cf pmul(const Packet4f& x, const Packet2cf& y) const
+- { return Packet2cf(Eigen::internal::pmul<Packet4f>(x, y.v)); }
+-};
+-
+-template<> struct conj_helper<Packet2cf, Packet4f, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet2cf pmadd(const Packet2cf& x, const Packet4f& y, const Packet2cf& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet2cf pmul(const Packet2cf& x, const Packet4f& y) const
+- { return Packet2cf(Eigen::internal::pmul<Packet4f>(x.v, y)); }
+-};
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet2cf,Packet4f)
+
+ template<> EIGEN_STRONG_INLINE Packet2cf pdiv<Packet2cf>(const Packet2cf& a, const Packet2cf& b)
+ {
+@@ -430,23 +414,7 @@
+ }
+ };
+
+-template<> struct conj_helper<Packet2d, Packet1cd, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet1cd pmadd(const Packet2d& x, const Packet1cd& y, const Packet1cd& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet1cd pmul(const Packet2d& x, const Packet1cd& y) const
+- { return Packet1cd(Eigen::internal::pmul<Packet2d>(x, y.v)); }
+-};
+-
+-template<> struct conj_helper<Packet1cd, Packet2d, false,false>
+-{
+- EIGEN_STRONG_INLINE Packet1cd pmadd(const Packet1cd& x, const Packet2d& y, const Packet1cd& c) const
+- { return padd(c, pmul(x,y)); }
+-
+- EIGEN_STRONG_INLINE Packet1cd pmul(const Packet1cd& x, const Packet2d& y) const
+- { return Packet1cd(Eigen::internal::pmul<Packet2d>(x.v, y)); }
+-};
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet1cd,Packet2d)
+
+ template<> EIGEN_STRONG_INLINE Packet1cd pdiv<Packet1cd>(const Packet1cd& a, const Packet1cd& b)
+ {
+diff --git a/Eigen/src/Core/arch/ZVector/Complex.h b/Eigen/src/Core/arch/ZVector/Complex.h
+--- a/Eigen/src/Core/arch/ZVector/Complex.h
++++ b/Eigen/src/Core/arch/ZVector/Complex.h
+@@ -336,6 +336,9 @@
+ }
+ };
+
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet2cf,Packet4f)
++EIGEN_MAKE_CONJ_HELPER_CPLX_REAL(Packet1cd,Packet2d)
++
+ template<> EIGEN_STRONG_INLINE Packet1cd pdiv<Packet1cd>(const Packet1cd& a, const Packet1cd& b)
+ {
+ // TODO optimize it for AltiVec
diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
deleted file mode 100644
index dbcaea1343..0000000000
--- a/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
+++ /dev/null
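Review bot: The header of eigen-arm-neon-fixes.patch records the Mercurial node ID and parent but, unlike the borg patch added in this commit, gives no URL for the upstream repository or bug tracker, so the carried patch cannot be compared against upstream without guessing where it came from. A line at the top such as `Patch copied from upstream source repository: <upstream changeset URL>` would close that gap. In the new ConjHelper.h, `EIGEN_MAKE_CONJ_HELPER_CPLX_REAL` expands to explicit specializations of an unqualified `conj_helper` and calls unqualified `padd`/`pmul`, so it presumably has to be invoked inside `Eigen::internal` after the packet types are declared. A short comment above the `#define` stating that precondition and the argument order (complex packet first, real packet second) would help.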
@@ -1,137 +0,0 @@ -http://www.openwall.com/lists/oss-security/2017/09/01/6 - -CVE-2017-11403: -http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37 - -CVE-2017-14103: -http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f - -some changes were made to make the patch apply - -# HG changeset patch -# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com> -# Date 1503875721 14400 -# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2 -# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad -Attempt to fix Issue 440. - -diff -ru a/coders/png.c b/coders/png.c ---- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500 -+++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400 -@@ -3106,7 +3106,9 @@ - if (length > PNG_MAX_UINT || count == 0) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(CorruptImageError,CorruptImage,image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "chunk length (%lu) > PNG_MAX_UINT",length); -+ return ((Image*)NULL); - } - - chunk=(unsigned char *) NULL; -@@ -3117,13 +3119,16 @@ - if (chunk == (unsigned char *) NULL) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, -- image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " Could not allocate chunk memory"); -+ return ((Image*)NULL); - } - if (ReadBlob(image,length,chunk) < length) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(CorruptImageError,CorruptImage,image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " chunk reading was incomplete"); -+ return ((Image*)NULL); - } - p=chunk; - } -@@ -3198,7 +3203,7 @@ - jng_width, jng_height); - MagickFreeMemory(chunk); - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(CorruptImageError,ImproperImageHeader,image); -+ return ((Image *)NULL); - } - - /* Temporarily set width and height resources to match JHDR */ -@@ -3233,8 +3238,9 @@ - if (color_image == 
(Image *) NULL) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, -- image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not open color_image blob"); -+ return ((Image *)NULL); - } - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), -@@ -3245,7 +3251,9 @@ - if (status == MagickFalse) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(CoderError,UnableToOpenBlob,color_image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not open color_image blob"); -+ return ((Image *)NULL); - } - - if (!image_info->ping && jng_color_type >= 12) -@@ -3255,17 +3263,18 @@ - if (alpha_image_info == (ImageInfo *) NULL) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(ResourceLimitError, -- MemoryAllocationFailed, image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not allocate alpha_image_info",length); -+ return ((Image *)NULL); - } - GetImageInfo(alpha_image_info); - alpha_image=AllocateImage(alpha_image_info); - if (alpha_image == (Image *) NULL) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(ResourceLimitError, -- MemoryAllocationFailed, -- alpha_image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not allocate alpha_image"); -+ return ((Image *)NULL); - } - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), -@@ -3277,7 +3286,9 @@ - { - DestroyJNGInfo(color_image_info,alpha_image_info); - DestroyImage(alpha_image); -- ThrowReaderException(CoderError,UnableToOpenBlob,image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not allocate alpha_image blob"); -+ return ((Image *)NULL); - } - if (jng_alpha_compression_method == 0) - { -@@ -3613,6 +3624,8 @@ - alpha_image = (Image *)NULL; - DestroyImageInfo(alpha_image_info); - alpha_image_info = (ImageInfo *)NULL; -+ (void) 
LogMagickEvent(CoderEvent,GetMagickModule(), -+ " Destroy the JNG image"); - DestroyImage(jng_image); - jng_image = (Image *)NULL; - } -@@ -5146,8 +5159,8 @@ - - if (image == (Image *) NULL) - { -- DestroyImageList(previous); - CloseBlob(previous); -+ DestroyImageList(previous); - MngInfoFreeStruct(mng_info,&have_mng_structure); - return((Image *) NULL); - } diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch deleted file mode 100644 index 2cb3d46f62..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch +++ /dev/null @@ -1,28 +0,0 @@ -This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188. - -diff -ur a/coders/png.c b/coders/png.c ---- a/coders/png.c 2017-07-04 17:32:08.000000000 -0400 -+++ b/coders/png.c 2017-08-19 11:16:20.933969362 -0400 -@@ -4101,11 +4101,17 @@ - mng_info->image=image; - } - -- if ((mng_info->mng_width > 65535L) || (mng_info->mng_height -- > 65535L)) -- (void) ThrowException(&image->exception,ImageError, -- WidthOrHeightExceedsLimit, -- image->filename); -+ if ((mng_info->mng_width > 65535L) || -+ (mng_info->mng_height > 65535L)) -+ { -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " MNG width or height is too large: %lu, %lu", -+ mng_info->mng_width,mng_info->mng_height); -+ MagickFreeMemory(chunk); -+ ThrowReaderException(CorruptImageError, -+ ImproperImageHeader,image); -+ } -+ - FormatString(page_geometry,"%lux%lu+0+0",mng_info->mng_width, - mng_info->mng_height); - mng_info->frame.left=0; diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch deleted file mode 100644 index 7036f37438..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd. - -diff -ur a/coders/wmf.c b/coders/wmf.c ---- a/coders/wmf.c 2016-09-05 15:20:23.000000000 -0400 -+++ b/coders/wmf.c 2017-08-19 10:38:08.984187264 -0400 -@@ -2719,8 +2719,8 @@ - if(image->exception.severity != UndefinedException) - ThrowException2(exception, - CoderWarning, -- ddata->image->exception.reason, -- ddata->image->exception.description); -+ image->exception.reason, -+ image->exception.description); - - if(logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(),"leave ReadWMFImage()"); diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch deleted file mode 100644 index 71af9ffe59..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch +++ /dev/null @@ -1,28 +0,0 @@ -This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/95d00d55e978. - -diff -ur a/coders/sun.c b/coders/sun.c ---- a/coders/sun.c 2016-05-30 13:19:54.000000000 -0400 -+++ b/coders/sun.c 2017-08-18 18:00:00.191023610 -0400 -@@ -1,5 +1,5 @@ - /* --% Copyright (C) 2003-2015 GraphicsMagick Group -+% Copyright (C) 2003-2017 GraphicsMagick Group - % Copyright (C) 2002 ImageMagick Studio - % Copyright 1991-1999 E. I. du Pont de Nemours and Company - % -@@ -577,6 +577,7 @@ - for (bit=7; bit >= 0; bit--) - { - index=((*p) & (0x01 << bit) ? 0x01 : 0x00); -+ VerifyColormapIndex(image,index); - indexes[x+7-bit]=index; - q[x+7-bit]=image->colormap[index]; - } -@@ -587,6 +588,7 @@ - for (bit=7; bit >= (long) (8-(image->columns % 8)); bit--) - { - index=((*p) & (0x01 << bit) ? 0x01 : 0x00); -+ VerifyColormapIndex(image,index); - indexes[x+7-bit]=index; - q[x+7-bit]=image->colormap[index]; - } diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch deleted file mode 100644 index 83478c13b3..0000000000 
--- a/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch +++ /dev/null 
@@ -1,195 +0,0 @@ -http://openwall.com/lists/oss-security/2017/08/31/3 -http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/b037d79b6ccd - -some changes were made to make the patch apply - -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1503774853 18000 -# Node ID b037d79b6ccd0cfba7ba9ce09b454ed46d688036 -# Parent 198ea602ea7cc767dc3022bbcf887bcd4534158d -JNX: Fix DOS issues - -diff -r 198ea602ea7c -r b037d79b6ccd coders/jnx.c ---- a/coders/jnx.c Tue Aug 22 08:08:30 2017 -0500 -+++ b/coders/jnx.c Sat Aug 26 14:14:13 2017 -0500 -@@ -1,5 +1,5 @@ - /* --% Copyright (C) 2012-2015 GraphicsMagick Group -+% Copyright (C) 2012-2017 GraphicsMagick Group - % - % This program is covered by multiple licenses, which are described in - % Copyright.txt. You should have received a copy of Copyright.txt with this -@@ -100,6 +100,7 @@ - - char img_label_str[MaxTextExtent]; - -+ - alloc_size = TileInfo->PicSize + 2; - - if (image->logging) -@@ -242,6 +243,9 @@ - total_tiles, - current_tile; - -+ magick_off_t -+ file_size; -+ - /* Open image file. */ - assert(image_info != (const ImageInfo *) NULL); - assert(image_info->signature == MagickSignature); -@@ -254,9 +258,8 @@ - if (status == False) - ThrowReaderException(FileOpenError, UnableToOpenFile, image); - -- memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo)); -- - /* Read JNX image header. 
*/ -+ (void) memset(&JNXHeader, 0, sizeof(JNXHeader)); - JNXHeader.Version = ReadBlobLSBLong(image); - if (JNXHeader.Version > 4) - ThrowReaderException(CorruptImageError, ImproperImageHeader, image); -@@ -266,8 +269,6 @@ - JNXHeader.MapBounds.SouthWest.lat = ReadBlobLSBLong(image); - JNXHeader.MapBounds.SouthWest.lon = ReadBlobLSBLong(image); - JNXHeader.Levels = ReadBlobLSBLong(image); -- if (JNXHeader.Levels > 20) -- ThrowReaderException(CorruptImageError, ImproperImageHeader, image); - JNXHeader.Expiration = ReadBlobLSBLong(image); - JNXHeader.ProductID = ReadBlobLSBLong(image); - JNXHeader.CRC = ReadBlobLSBLong(image); -@@ -279,7 +280,41 @@ - if (EOFBlob(image)) - ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); - -+ file_size = GetBlobSize(image); -+ -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "JNX Header:\n" -+ " Version: %u\n" -+ " DeviceSN: %u\n" -+ " MapBounds:\n" -+ " NorthEast: lat = %u, lon = %u\n" -+ " SouthWest: lat = %u, lon = %u\n" -+ " Levels: %u\n" -+ " Expiration: %u\n" -+ " ProductID: %u\n" -+ " CRC: %u\n" -+ " SigVersion: %u\n" -+ " SigOffset: %u\n" -+ " ZOrder: %u", -+ JNXHeader.Version, -+ JNXHeader.DeviceSN, -+ JNXHeader.MapBounds.NorthEast.lat, -+ JNXHeader.MapBounds.NorthEast.lon, -+ JNXHeader.MapBounds.SouthWest.lat, -+ JNXHeader.MapBounds.SouthWest.lon, -+ JNXHeader.Levels, -+ JNXHeader.Expiration, -+ JNXHeader.ProductID, -+ JNXHeader.CRC, -+ JNXHeader.SigVersion, -+ JNXHeader.SigOffset, -+ JNXHeader.ZOrder); -+ -+ if (JNXHeader.Levels > 20) -+ ThrowReaderException(CorruptImageError, ImproperImageHeader, image); -+ - /* Read JNX image level info. 
*/ -+ memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo)); - total_tiles = 0; - current_tile = 0; - for (i = 0; i < JNXHeader.Levels; i++) -@@ -302,11 +337,23 @@ - { - JNXLevelInfo[i].Copyright = NULL; - } -+ -+ if (EOFBlob(image)) -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ -+ if (image->logging) -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "Level[%u] Info:" -+ " TileCount: %4u" -+ " TilesOffset: %6u" -+ " Scale: %04u", -+ i, -+ JNXLevelInfo[i].TileCount, -+ JNXLevelInfo[i].TilesOffset, -+ JNXLevelInfo[i].Scale -+ ); - } - -- if (EOFBlob(image)) -- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -- - /* Get the current limit */ - SaveLimit = GetMagickResourceLimit(MapResource); - -@@ -316,11 +363,32 @@ - /* Read JNX image data. */ - for (i = 0; i < JNXHeader.Levels; i++) - { -+ /* -+ Validate TileCount against remaining file data -+ */ -+ const magick_off_t current_offset = TellBlob(image); -+ const size_t pos_list_entry_size = -+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + -+ sizeof(magick_uint32_t) + sizeof(magick_uint16_t) + sizeof(magick_uint16_t) + -+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t); -+ const magick_off_t remaining = file_size-current_offset; -+ const size_t needed = MagickArraySize(pos_list_entry_size,JNXLevelInfo[i].TileCount); -+ -+ if ((needed == 0U) || (remaining <= 0) || (remaining < (magick_off_t) needed)) -+ { -+ (void) SetMagickResourceLimit(MapResource, SaveLimit); -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ } -+ - PositionList = MagickAllocateArray(TJNXTileInfo *, - JNXLevelInfo[i].TileCount, - sizeof(TJNXTileInfo)); - if (PositionList == NULL) -- continue; -+ { -+ (void) SetMagickResourceLimit(MapResource, SaveLimit); -+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, -+ image); -+ } - - (void) SeekBlob(image, JNXLevelInfo[i].TilesOffset, SEEK_SET); - for (j = 0; j < JNXLevelInfo[i].TileCount; j++) 
-@@ -333,12 +401,15 @@ - PositionList[j].PicHeight = ReadBlobLSBShort(image); - PositionList[j].PicSize = ReadBlobLSBLong(image); - PositionList[j].PicOffset = ReadBlobLSBLong(image); -- } - -- if (EOFBlob(image)) -- { -- MagickFreeMemory(PositionList); -- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ if (EOFBlob(image) || -+ ((magick_off_t) PositionList[j].PicOffset + -+ PositionList[j].PicSize > file_size)) -+ { -+ (void) SetMagickResourceLimit(MapResource, SaveLimit); -+ MagickFreeMemory(PositionList); -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ } - } - - for (j = 0; j < JNXLevelInfo[i].TileCount; j++) -@@ -351,6 +422,9 @@ - image = ExtractTileJPG(image, image_info, PositionList+j, exception); - (void) SetMonitorHandler(previous_handler); - -+ if (exception->severity >= ErrorException) -+ break; -+ - current_tile++; - if (QuantumTick(current_tile,total_tiles)) - if (!MagickMonitorFormatted(current_tile,total_tiles,exception, - diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch deleted file mode 100644 index e129fd58fc..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch +++ /dev/null 
@@ -1,179 +0,0 @@ -http://openwall.com/lists/oss-security/2017/08/31/1 -http://openwall.com/lists/oss-security/2017/08/31/2 -http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/233a720bfd5e - -some changes were made to make the patch apply - -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1503779175 18000 -# Node ID 233a720bfd5efd378f133a776507ed41230da617 -# Parent b037d79b6ccd0cfba7ba9ce09b454ed46d688036 -XBM: Fix DOS issues. - -diff -r b037d79b6ccd -r 233a720bfd5e coders/xbm.c ---- a/coders/xbm.c Sat Aug 26 14:14:13 2017 -0500 -+++ b/coders/xbm.c Sat Aug 26 15:26:15 2017 -0500 -@@ -1,5 +1,5 @@ - /* --% Copyright (C) 2003 -2012 GraphicsMagick Group -+% Copyright (C) 2003-2017 GraphicsMagick Group - % Copyright (C) 2002 ImageMagick Studio - % Copyright 1991-1999 E. I. du Pont de Nemours and Company - % -@@ -121,13 +121,15 @@ - - static int XBMInteger(Image *image,short int *hex_digits) - { -+ unsigned int -+ flag; -+ - int - c, -- flag, - value; - - value=0; -- flag=0; -+ flag=0U; - for ( ; ; ) - { - c=ReadBlobByte(image); -@@ -158,18 +160,14 @@ - Image - *image; - -- int -- bit; -- -- long -- y; -- - register IndexPacket - *indexes; - -- register long -+ register size_t -+ bytes_per_line, - i, -- x; -+ x, -+ y; - - register PixelPacket - *q; -@@ -177,22 +175,24 @@ - register unsigned char - *p; - -- short int -- hex_digits[256]; -- - unsigned char - *data; - - unsigned int -+ bit, -+ byte, -+ padding, -+ version; -+ -+ int -+ value; -+ -+ short int -+ hex_digits[256]; -+ -+ MagickPassFail - status; - -- unsigned long -- byte, -- bytes_per_line, -- padding, -- value, -- version; -- - /* - Open image file. - */ -@@ -207,6 +207,8 @@ - /* - Read X bitmap header. - */ -+ (void) memset(buffer,0,sizeof(buffer)); -+ name[0]='\0'; - while (ReadBlobString(image,buffer) != (char *) NULL) - if (sscanf(buffer,"#define %s %lu",name,&image->columns) == 2) - if ((strlen(name) >= 6) && -@@ -278,6 +280,8 @@ - /* - Initialize hex values. 
- */ -+ for (i = 0; i < sizeof(hex_digits)/sizeof(hex_digits[0]); i++) -+ hex_digits[i]=(-1); - hex_digits['0']=0; - hex_digits['1']=1; - hex_digits['2']=2; -@@ -311,40 +315,50 @@ - */ - p=data; - if (version == 10) -- for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2)) -+ for (i=0; i < (bytes_per_line*image->rows); (i+=2)) - { - value=XBMInteger(image,hex_digits); -+ if (value < 0) -+ { -+ MagickFreeMemory(data); -+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image); -+ } - *p++=(unsigned char) value; - if (!padding || ((i+2) % bytes_per_line)) - *p++=(unsigned char) (value >> 8); - } - else -- for (i=0; i < (long) (bytes_per_line*image->rows); i++) -+ for (i=0; i < (bytes_per_line*image->rows); i++) - { - value=XBMInteger(image,hex_digits); -+ if (value < 0) -+ { -+ MagickFreeMemory(data); -+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image); -+ } - *p++=(unsigned char) value; - } - /* - Convert X bitmap image to pixel packets. - */ - p=data; -- for (y=0; y < (long) image->rows; y++) -+ for (y=0; y < image->rows; y++) - { - q=SetImagePixels(image,0,y,image->columns,1); - if (q == (PixelPacket *) NULL) - break; - indexes=AccessMutableIndexes(image); -- bit=0; -- byte=0; -- for (x=0; x < (long) image->columns; x++) -+ bit=0U; -+ byte=0U; -+ for (x=0; x < image->columns; x++) - { -- if (bit == 0) -+ if (bit == 0U) - byte=(*p++); - indexes[x]=byte & 0x01 ? 0x01 : 0x00; - bit++; -- byte>>=1; -- if (bit == 8) -- bit=0; -+ byte>>=1U; -+ if (bit == 8U) -+ bit=0U; - } - if (!SyncImagePixels(image)) - break; - diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch deleted file mode 100644 index 46f6b032c7..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -http://openwall.com/lists/oss-security/2017/08/28/5 -http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d - -some changes were made to make the patch apply - -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1503268616 18000 -# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072 -# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3 -PNM: For binary formats, verify sufficient backing file data before memory request. - -diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c ---- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500 -+++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500 -@@ -569,7 +569,7 @@ - (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u", - image->colors); - } -- number_pixels=image->columns*image->rows; -+ number_pixels=MagickArraySize(image->columns,image->rows); - if (number_pixels == 0) - ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image); - if (image->storage_class == PseudoClass) -@@ -858,14 +858,14 @@ - if (1 == bits_per_sample) - { - /* PBM */ -- bytes_per_row=((image->columns+7) >> 3); -+ bytes_per_row=((image->columns+7U) >> 3); - import_options.grayscale_miniswhite=MagickTrue; - quantum_type=GrayQuantum; - } - else - { - /* PGM & XV_332 */ -- bytes_per_row=((bits_per_sample+7)/8)*image->columns; -+ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns); - if (XV_332_Format == format) - { - quantum_type=IndexQuantum; -@@ -878,7 +878,8 @@ - } - else - { -- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns; -+ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel), -+ image->columns); - if (3 == samples_per_pixel) - { - /* PPM */ -@@ -915,6 +916,28 @@ - is_monochrome=MagickFalse; - } - } -+ -+ /* Validate file size before allocating memory */ -+ if (BlobIsSeekable(image)) -+ { -+ const magick_off_t file_size = GetBlobSize(image); -+ const magick_off_t current_offset = TellBlob(image); -+ if ((file_size > 0) && -+ 
(current_offset > 0) && -+ (file_size > current_offset)) -+ { -+ const magick_off_t remaining = file_size-current_offset; -+ const magick_off_t needed = (magick_off_t) image->rows * -+ (magick_off_t) bytes_per_row; -+ if ((remaining < (magick_off_t) bytes_per_row) || -+ (remaining < needed)) -+ { -+ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile, -+ image->filename); -+ break; -+ } -+ } -+ } - - scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1); - if (scanline_set == (ThreadViewDataSet *) NULL) diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch deleted file mode 100644 index 1f55d90d38..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/493da54370aa -http://openwall.com/lists/oss-security/2017/09/06/4 - -some changes were made to make the patch apply - -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1503257388 18000 -# Node ID 493da54370aa42cb430c52a69eb75db0001a5589 -# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f -SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions. - -diff -r f87246749079 -r 493da54370aa coders/sun.c ---- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200 -+++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500 -@@ -498,6 +498,12 @@ - if (sun_info.depth < 8) - image->depth=sun_info.depth; - -+ if (image_info->ping) -+ { -+ CloseBlob(image); -+ return(image); -+ } -+ - /* - Compute bytes per line and bytes per image for an unencoded - image. -@@ -522,15 +528,37 @@ - if (bytes_per_image > sun_info.length) - ThrowReaderException(CorruptImageError,ImproperImageHeader,image); - -- if (image_info->ping) -- { -- CloseBlob(image); -- return(image); -- } - if (sun_info.type == RT_ENCODED) - sun_data_length=(size_t) sun_info.length; - else - sun_data_length=bytes_per_image; -+ -+ /* -+ Verify that data length claimed by header is supported by file size -+ */ -+ if (sun_info.type == RT_ENCODED) -+ { -+ if (sun_data_length < bytes_per_image/255U) -+ { -+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image); -+ } -+ } -+ if (BlobIsSeekable(image)) -+ { -+ const magick_off_t file_size = GetBlobSize(image); -+ const magick_off_t current_offset = TellBlob(image); -+ if ((file_size > 0) && -+ (current_offset > 0) && -+ (file_size > current_offset)) -+ { -+ const magick_off_t remaining = file_size-current_offset; -+ if (remaining < (magick_off_t) sun_data_length) -+ { -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ } -+ } -+ } -+ - sun_data=MagickAllocateMemory(unsigned char *,sun_data_length); - if (sun_data == 
(unsigned char *) NULL) - ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); - diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch deleted file mode 100644 index 8e1166ba7a..0000000000 --- a/gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch +++ /dev/null 
@@ -1,210 +0,0 @@ -http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a -http://www.openwall.com/lists/oss-security/2017/09/22/2 - -Some changes were made to make the patch apply. - -Notably, the DestroyJNG() function in the upstream diff has been replaced by -its equivalent, a series of calls to MagickFreeMemory(), DestroyImageInfo(), -and DestroyImage(). See -http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5. - -# HG changeset patch -# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com> -# Date 1504014487 14400 -# Node ID 358608a46f0a9c55e9bb8b37d09bf1ac9bc87f06 -# Parent 38c362f0ae5e7a914c3fe822284c6953f8e6eee2 -Fix Issue 439 - -diff -ru a/coders/png.c b/coders/png.c ---- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500 -+++ b/coders/png.c 2017-09-30 08:20:16.218944991 -0400 -@@ -1176,15 +1176,15 @@ - /* allocate space */ - if (length == 0) - { -- (void) ThrowException2(&image->exception,CoderWarning, -- "invalid profile length",(char *) NULL); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "invalid profile length"); - return (MagickFail); - } - info=MagickAllocateMemory(unsigned char *,length); - if (info == (unsigned char *) NULL) - { -- (void) ThrowException2(&image->exception,CoderWarning, -- "unable to copy profile",(char *) NULL); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "Unable to copy profile"); - return (MagickFail); - } - /* copy profile, skipping white space and column 1 "=" signs */ -@@ -1197,8 +1197,8 @@ - if (*sp == '\0') - { - MagickFreeMemory(info); -- (void) ThrowException2(&image->exception,CoderWarning, -- "ran out of profile data",(char *) NULL); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "ran out of profile data"); - return (MagickFail); - } - sp++; -@@ -1234,8 +1234,9 @@ - if(SetImageProfile(image,profile_name,info,length) == MagickFail) - { - MagickFreeMemory(info); -- (void) ThrowException(&image->exception,ResourceLimitError, -- MemoryAllocationFailed,"unable to copy 
profile"); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "unable to copy profile"); -+ return MagickFail; - } - MagickFreeMemory(info); - return MagickTrue; -@@ -3285,7 +3286,6 @@ - if (status == MagickFalse) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- DestroyImage(alpha_image); - (void) LogMagickEvent(CoderEvent,GetMagickModule(), - " could not allocate alpha_image blob"); - return ((Image *)NULL); -@@ -3534,7 +3534,7 @@ - CloseBlob(color_image); - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), -- " Reading jng_image from color_blob."); -+ " Reading jng_image from color_blob."); - - FormatString(color_image_info->filename,"%.1024s",color_image->filename); - -@@ -3558,13 +3558,18 @@ - - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), -- " Copying jng_image pixels to main image."); -+ " Copying jng_image pixels to main image."); - image->rows=jng_height; - image->columns=jng_width; - length=image->columns*sizeof(PixelPacket); -+ if ((jng_height == 0 || jng_width == 0) && logging) -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " jng_width=%lu jng_height=%lu", -+ (unsigned long)jng_width,(unsigned long)jng_height); - for (y=0; y < (long) image->rows; y++) - { -- s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception); -+ s=AcquireImagePixels(jng_image,0,y,image->columns,1, -+ &image->exception); - q=SetImagePixels(image,0,y,image->columns,1); - (void) memcpy(q,s,length); - if (!SyncImagePixels(image)) -@@ -3589,45 +3594,79 @@ - CloseBlob(alpha_image); - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), -- " Reading opacity from alpha_blob."); -+ " Reading opacity from alpha_blob."); - - FormatString(alpha_image_info->filename,"%.1024s", - alpha_image->filename); - - jng_image=ReadImage(alpha_image_info,exception); - -- for (y=0; y < (long) image->rows; y++) -+ if (jng_image == (Image *)NULL) - { -- s=AcquireImagePixels(jng_image,0,y,image->columns,1, -- 
&image->exception); -- if (image->matte) -- { -- q=SetImagePixels(image,0,y,image->columns,1); -- for (x=(long) image->columns; x > 0; x--,q++,s++) -- q->opacity=(Quantum) MaxRGB-s->red; -- } -- else -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " jng_image is NULL."); -+ if (color_image_info) -+ DestroyImageInfo(color_image_info); -+ if (alpha_image_info) -+ DestroyImageInfo(alpha_image_info); -+ if (color_image) -+ DestroyImage(color_image); -+ if (alpha_image) -+ DestroyImage(alpha_image); -+ } -+ else -+ { -+ -+ if (logging) - { -- q=SetImagePixels(image,0,y,image->columns,1); -- for (x=(long) image->columns; x > 0; x--,q++,s++) -- { -- q->opacity=(Quantum) MaxRGB-s->red; -- if (q->opacity != OpaqueOpacity) -- image->matte=MagickTrue; -- } -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " Read jng_image."); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " jng_image->width=%lu, jng_image->height=%lu", -+ (unsigned long)jng_width,(unsigned long)jng_height); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " image->rows=%lu, image->columns=%lu", -+ (unsigned long)image->rows, -+ (unsigned long)image->columns); - } -- if (!SyncImagePixels(image)) -- break; -- } -- (void) LiberateUniqueFileResource(alpha_image->filename); -- DestroyImage(alpha_image); -- alpha_image = (Image *)NULL; -- DestroyImageInfo(alpha_image_info); -- alpha_image_info = (ImageInfo *)NULL; -- (void) LogMagickEvent(CoderEvent,GetMagickModule(), -- " Destroy the JNG image"); -- DestroyImage(jng_image); -- jng_image = (Image *)NULL; -+ -+ for (y=0; y < (long) image->rows; y++) -+ { -+ s=AcquireImagePixels(jng_image,0,y,image->columns,1, -+ &image->exception); -+ if (image->matte) -+ { -+ q=SetImagePixels(image,0,y,image->columns,1); -+ for (x=(long) image->columns; x > 0; x--,q++,s++) -+ q->opacity=(Quantum) MaxRGB-s->red; -+ } -+ else -+ { -+ q=SetImagePixels(image,0,y,image->columns,1); -+ for (x=(long) image->columns; x > 0; x--,q++,s++) -+ { -+ 
q->opacity=(Quantum) MaxRGB-s->red; -+ if (q->opacity != OpaqueOpacity) -+ image->matte=MagickTrue; -+ } -+ } -+ if (!SyncImagePixels(image)) -+ break; -+ } -+ (void) LiberateUniqueFileResource(alpha_image->filename); -+ if (color_image_info) -+ DestroyImageInfo(color_image_info); -+ if (alpha_image_info) -+ DestroyImageInfo(alpha_image_info); -+ if (color_image) -+ DestroyImage(color_image); -+ if (alpha_image) -+ DestroyImage(alpha_image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " Destroy the JNG image"); -+ DestroyImage(jng_image); -+ jng_image = (Image *)NULL; -+ } - } - } diff --git a/gnu/packages/patches/jemalloc-arm-address-bits.patch b/gnu/packages/patches/jemalloc-arm-address-bits.patch new file mode 100644 index 0000000000..f2ef24c25a --- /dev/null +++ b/gnu/packages/patches/jemalloc-arm-address-bits.patch 
@@ -0,0 +1,39 @@
+From 8cfc9dec37b312a2686f602bbcdd102ca07cca99 Mon Sep 17 00:00:00 2001
+From: David Goldblatt <davidgoldblatt@fb.com>
+Date: Fri, 29 Sep 2017 13:54:08 -0700
+Subject: [PATCH] ARM: Don't extend bit LG_VADDR to compute high address bits.
+
+In userspace ARM on Linux, zero-ing the high bits is the correct way to do this.
+This doesn't fix the fact that we currently set LG_VADDR to 48 on ARM, when in
+fact larger virtual address sizes are coming soon. We'll cross that bridge when
+we come to it.
+---
+ include/jemalloc/internal/rtree.h | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/include/jemalloc/internal/rtree.h b/include/jemalloc/internal/rtree.h
+index b5d4db39..4563db23 100644
+--- a/include/jemalloc/internal/rtree.h
++++ b/include/jemalloc/internal/rtree.h
+@@ -178,9 +178,21 @@ rtree_leaf_elm_bits_read(tsdn_t *tsdn, rtree_t *rtree, rtree_leaf_elm_t *elm,
+
+ JEMALLOC_ALWAYS_INLINE extent_t *
+ rtree_leaf_elm_bits_extent_get(uintptr_t bits) {
++# ifdef __aarch64__
++ /*
++ * aarch64 doesn't sign extend the highest virtual address bit to set
++ * the higher ones. Instead, the high bits gets zeroed.
++ */
++ uintptr_t high_bit_mask = ((uintptr_t)1 << LG_VADDR) - 1;
++ /* Mask off the slab bit. */
++ uintptr_t low_bit_mask = ~(uintptr_t)1;
++ uintptr_t mask = high_bit_mask & low_bit_mask;
++ return (extent_t *)(bits & mask);
++# else
+ /* Restore sign-extended high bits, mask slab bit. */
+ return (extent_t *)((uintptr_t)((intptr_t)(bits << RTREE_NHIB) >>
+ RTREE_NHIB) & ~((uintptr_t)0x1));
++# endif
+ }
+
+ JEMALLOC_ALWAYS_INLINE szind_t
diff --git a/gnu/packages/patches/libvdpau-va-gl-unbundle.patch b/gnu/packages/patches/libvdpau-va-gl-unbundle.patch
new file mode 100644
index 0000000000..b15e15c2a3
--- /dev/null
+++ b/gnu/packages/patches/libvdpau-va-gl-unbundle.patch
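Review bot: In jemalloc-arm-address-bits.patch, the new aarch64 branch of `rtree_leaf_elm_bits_extent_get` computes `((uintptr_t)1 << LG_VADDR) - 1`, which is undefined behaviour if LG_VADDR ever reaches the width of uintptr_t. The patch's own commit message says LG_VADDR is 48 on ARM today and that larger virtual address sizes are coming, so the shift is safe only for the current setting; LG_VADDR itself is defined outside this hunk. Assuming it is a plain integer macro, I would add a build-time guard beside the mask, `#if LG_VADDR >= 64` / `#error "high_bit_mask shift requires LG_VADDR < 64"` / `#endif`, so that a later bump fails the build instead of silently producing a wrong pointer mask.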
@@ -0,0 +1,35 @@
+From 18e3ff648356cf06a39372aa4a4bbf2732d9d0f4 Mon Sep 17 00:00:00 2001
+From: Efraim Flashner <efraim@flashner.co.il>
+Date: Tue, 12 Dec 2017 21:36:44 +0200
+Subject: [PATCH] don't use bundled libvdpau headers
+
+---
+ CMakeLists.txt | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 0484179..e950707 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -9,16 +9,17 @@ find_package(PkgConfig REQUIRED)
+ find_package(X11 REQUIRED)
+ pkg_check_modules(LIBVA libva-x11 REQUIRED)
+ pkg_check_modules(LIBGL gl REQUIRED)
++pkg_check_modules(LIBVDPAU vdpau REQUIRED)
+
+ set(DRIVER_NAME "vdpau_va_gl" CACHE STRING "driver name")
+ set(LIB_SUFFIX "" CACHE STRING "library path suffix (if needed)")
+ set(LIB_INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/lib${LIB_SUFFIX}/vdpau" CACHE PATH "library installation path")
+
+ include_directories (
+- 3rdparty
+ ${X11_INCLUDE_DIRS}
+ ${LIBVA_INCLUDE_DIRS}
+ ${LIBGL_INCLUDE_DIRS}
++ ${LIBVDPAU_INCLUDE_DIRS}
+ ${GENERATED_INCLUDE_DIRS}
+ ${CMAKE_BINARY_DIR}
+ )
+--
+2.15.1
+
diff --git a/gnu/packages/patches/picprog-non-intel-support.patch b/gnu/packages/patches/picprog-non-intel-support.patch
new file mode 100644
index 0000000000..8908207011
--- /dev/null
+++ b/gnu/packages/patches/picprog-non-intel-support.patch
@@ -0,0 +1,74 @@
+https://sources.debian.org/data/main/p/picprog/1.9.1-3/debian/patches/20_iopl.patch
+
+Description: Avoid some functions in some architectures
+ Upstream uses iopl() function and other architecture-dependent
+ codes. This patch adds building switches to avoid them in
+ some architectures.
+Author: Koichi Akabe <vbkaisetsu@gmail.com>
+Last-Update: 2011-11-30
+
+--- picprog-1.9.1.orig/picport.cc
++++ picprog-1.9.1/picport.cc
+@@ -38,7 +38,12 @@
+ #include <ctime>
+
+ #include <sys/ioctl.h>
+-#include <sys/io.h>
++
++#if defined(__i386__) || defined(__x86_64__)
++ #include <sys/io.h>
++ #define HAVE_IOPL
++#endif
++
+ #include <fcntl.h>
+ #include <sys/time.h>
+ #include <unistd.h>
+@@ -160,8 +165,12 @@
+ // Not root. Cannot use realtime scheduling.
+ use_nanosleep = 0;
+ }
++#ifdef HAVE_IOPL
+ if (iopl (3))
+ disable_interrupts = 0;
++#else
++ disable_interrupts = 0;
++#endif
+
+ #ifdef CPU_SETSIZE
+ // When computing the delay loops, we do not want the cpu's to change.
+@@ -403,13 +412,17 @@
+ {
+ struct timeval tv1, tv2;
+ gettimeofday (&tv1, 0);
++#if defined(__i386__) or defined(__x86_64__)
+ if (tsc_1000ns > 1 && disable_interrupts)
+ asm volatile("pushf; cli");
++#endif
+ set_clock_data (1, b); // set data, clock up
+ delay (cable_delay);
+ set_clock_data (0, b); // clock down
++#if defined(__i386__) or defined(__x86_64__)
+ if (tsc_1000ns > 1 && disable_interrupts)
+ asm volatile("popf");
++#endif
+ gettimeofday (&tv2, 0);
+
+ // We may have spent a long time in an interrupt or in another task
+@@ -428,13 +441,17 @@
+ {
+ struct timeval tv1, tv2;
+ gettimeofday (&tv1, 0);
++#if defined(__i386__) or defined(__x86_64__)
+ if (tsc_1000ns > 1 && disable_interrupts)
+ asm volatile("pushf; cli");
++#endif
+ set_clock_data (1, 1); // clock up
+ delay (cable_delay);
+ set_clock_data (0, 1); // set data up, clock down
++#if defined(__i386__) or defined(__x86_64__)
+ if (tsc_1000ns > 1 && disable_interrupts)
+ asm volatile("popf");
++#endif
+ gettimeofday (&tv2, 0);
+
+ // We may have spent a long time in an interrupt or in another task
diff --git a/gnu/packages/patches/python-scikit-learn-fix-test-non-determinism.patch b/gnu/packages/patches/python-scikit-learn-fix-test-non-determinism.patch
new file mode 100644
index 0000000000..90328cc0eb
--- /dev/null
+++ b/gnu/packages/patches/python-scikit-learn-fix-test-non-determinism.patch
@@ -0,0 +1,25 @@
+This patch stops a test sometimes failing because of non-determinism. See
+https://github.com/scikit-learn/scikit-learn/pull/9542
+
+From ff9f6db6e8b59c2b3528c8137ed4054f57c1d7c4 Mon Sep 17 00:00:00 2001
+From: Hanmin Qin <qinhanmin2005@sina.com>
+Date: Sun, 13 Aug 2017 22:13:49 +0800
+Subject: [PATCH] add random_state
+
+---
+ sklearn/tests/test_kernel_ridge.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sklearn/tests/test_kernel_ridge.py b/sklearn/tests/test_kernel_ridge.py
+index 4750a096ac6..979875870b6 100644
+--- a/sklearn/tests/test_kernel_ridge.py
++++ b/sklearn/tests/test_kernel_ridge.py
+@@ -10,7 +10,7 @@
+ from sklearn.utils.testing import assert_array_almost_equal
+
+
+-X, y = make_regression(n_features=10)
++X, y = make_regression(n_features=10, random_state=0)
+ Xcsr = sp.csr_matrix(X)
+ Xcsc = sp.csc_matrix(X)
+ Y = np.array([y, y]).T
diff --git a/gnu/packages/patches/qemu-CVE-2017-15118.patch b/gnu/packages/patches/qemu-CVE-2017-15118.patch
deleted file mode 100644
index d427317be9..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-15118.patch
+++ /dev/null
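Review bot: picprog-non-intel-support.patch spells the x86 test three different ways, which leaves two separate conditions to keep in sync around privileged code. The include hunk uses `#if defined(__i386__) || defined(__x86_64__)` and defines HAVE_IOPL, the iopl() hunk tests `#ifdef HAVE_IOPL`, and the four inline-asm guards use `#if defined(__i386__) or defined(__x86_64__)`. The `or` spelling is accepted only because picport.cc is C++, and it reads like a typo. The `pushf; cli` / `popf` pairs are reached only when `disable_interrupts` survived the `iopl (3)` call, so I would guard them with the same macro, `#ifdef HAVE_IOPL`, in both functions. Those two functions start and end outside the last two hunks.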
@@ -1,58 +0,0 @@ -Fix CVE-2017-15118: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15118 -https://bugzilla.redhat.com/show_bug.cgi?id=1516922 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=51ae4f8455c9e32c54770c4ebc25bf86a8128183 - -From 51ae4f8455c9e32c54770c4ebc25bf86a8128183 Mon Sep 17 00:00:00 2001 -From: Eric Blake <eblake@redhat.com> -Date: Wed, 22 Nov 2017 15:07:22 -0600 -Subject: [PATCH] nbd/server: CVE-2017-15118 Stack smash on large export name - -Introduced in commit f37708f6b8 (2.10). The NBD spec says a client -can request export names up to 4096 bytes in length, even though -they should not expect success on names longer than 256. However, -qemu hard-codes the limit of 256, and fails to filter out a client -that probes for a longer name; the result is a stack smash that can -potentially give an attacker arbitrary control over the qemu -process. - -The smash can be easily demonstrated with this client: -$ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a) - -If the qemu NBD server binary (whether the standalone qemu-nbd, or -the builtin server of QMP nbd-server-start) was compiled with --fstack-protector-strong, the ability to exploit the stack smash -into arbitrary execution is a lot more difficult (but still -theoretically possible to a determined attacker, perhaps in -combination with other CVEs). Still, crashing a running qemu (and -losing the VM) is bad enough, even if the attacker did not obtain -full execution control. 
- -CC: qemu-stable@nongnu.org -Signed-off-by: Eric Blake <eblake@redhat.com> ---- - nbd/server.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/nbd/server.c b/nbd/server.c -index a81801e3bc..92c0fdd03b 100644 ---- a/nbd/server.c -+++ b/nbd/server.c -@@ -386,6 +386,10 @@ static int nbd_negotiate_handle_info(NBDClient *client, uint32_t length, - msg = "name length is incorrect"; - goto invalid; - } -+ if (namelen >= sizeof(name)) { -+ msg = "name too long for qemu"; -+ goto invalid; -+ } - if (nbd_read(client->ioc, name, namelen, errp) < 0) { - return -EIO; - } --- -2.15.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-15119.patch b/gnu/packages/patches/qemu-CVE-2017-15119.patch deleted file mode 100644 index 6265ecf8d6..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-15119.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -Fix CVE-2017-15119: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15119 -https://bugzilla.redhat.com/show_bug.cgi?id=1516925 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=fdad35ef6c5839d50dfc14073364ac893afebc30 - -From fdad35ef6c5839d50dfc14073364ac893afebc30 Mon Sep 17 00:00:00 2001 -From: Eric Blake <eblake@redhat.com> -Date: Wed, 22 Nov 2017 16:25:16 -0600 -Subject: [PATCH] nbd/server: CVE-2017-15119 Reject options larger than 32M - -The NBD spec gives us permission to abruptly disconnect on clients -that send outrageously large option requests, rather than having -to spend the time reading to the end of the option. No real -option request requires that much data anyways; and meanwhile, we -already have the practice of abruptly dropping the connection on -any client that sends NBD_CMD_WRITE with a payload larger than 32M. - -For comparison, nbdkit drops the connection on any request with -more than 4096 bytes; however, that limit is probably too low -(as the NBD spec states an export name can theoretically be up -to 4096 bytes, which means a valid NBD_OPT_INFO could be even -longer) - even if qemu doesn't permit exports longer than 256 -bytes. - -It could be argued that a malicious client trying to get us to -read nearly 4G of data on a bad request is a form of denial of -service. In particular, if the server requires TLS, but a client -that does not know the TLS credentials sends any option (other -than NBD_OPT_STARTTLS or NBD_OPT_EXPORT_NAME) with a stated -payload of nearly 4G, then the server was keeping the connection -alive trying to read all the payload, tying up resources that it -would rather be spending on a client that can get past the TLS -handshake. Hence, this warranted a CVE. - -Present since at least 2.5 when handling known options, and made -worse in 2.6 when fixing support for NBD_FLAG_C_FIXED_NEWSTYLE -to handle unknown options. 
- -CC: qemu-stable@nongnu.org -Signed-off-by: Eric Blake <eblake@redhat.com> ---- - nbd/server.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/nbd/server.c b/nbd/server.c -index 7d6801b427..a81801e3bc 100644 ---- a/nbd/server.c -+++ b/nbd/server.c -@@ -673,6 +673,12 @@ static int nbd_negotiate_options(NBDClient *client, uint16_t myflags, - } - length = be32_to_cpu(length); - -+ if (length > NBD_MAX_BUFFER_SIZE) { -+ error_setg(errp, "len (%" PRIu32" ) is larger than max len (%u)", -+ length, NBD_MAX_BUFFER_SIZE); -+ return -EINVAL; -+ } -+ - trace_nbd_negotiate_options_check_option(option, - nbd_opt_lookup(option)); - if (client->tlscreds && --- -2.15.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-15268.patch b/gnu/packages/patches/qemu-CVE-2017-15268.patch deleted file mode 100644 index 8238c3059f..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-15268.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -Fix CVE-2017-15268: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15268 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a7b20a8efa28e5f22c26c06cd06c2f12bc863493 - -From a7b20a8efa28e5f22c26c06cd06c2f12bc863493 Mon Sep 17 00:00:00 2001 -From: "Daniel P. Berrange" <berrange@redhat.com> -Date: Mon, 9 Oct 2017 14:43:42 +0100 -Subject: [PATCH] io: monitor encoutput buffer size from websocket GSource - -The websocket GSource is monitoring the size of the rawoutput -buffer to determine if the channel can accepts more writes. -The rawoutput buffer, however, is merely a temporary staging -buffer before data is copied into the encoutput buffer. Thus -its size will always be zero when the GSource runs. - -This flaw causes the encoutput buffer to grow without bound -if the other end of the underlying data channel doesn't -read data being sent. This can be seen with VNC if a client -is on a slow WAN link and the guest OS is sending many screen -updates. A malicious VNC client can act like it is on a slow -link by playing a video in the guest and then reading data -very slowly, causing QEMU host memory to expand arbitrarily. - -This issue is assigned CVE-2017-15268, publically reported in - - https://bugs.launchpad.net/qemu/+bug/1718964 - -Reviewed-by: Eric Blake <eblake@redhat.com> -Signed-off-by: Daniel P. 
Berrange <berrange@redhat.com> ---- - io/channel-websock.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/io/channel-websock.c b/io/channel-websock.c -index d1d471f86e..04bcc059cd 100644 ---- a/io/channel-websock.c -+++ b/io/channel-websock.c -@@ -28,7 +28,7 @@ - #include <time.h> - - --/* Max amount to allow in rawinput/rawoutput buffers */ -+/* Max amount to allow in rawinput/encoutput buffers */ - #define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192 - - #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24 -@@ -1208,7 +1208,7 @@ qio_channel_websock_source_check(GSource *source) - if (wsource->wioc->rawinput.offset || wsource->wioc->io_eof) { - cond |= G_IO_IN; - } -- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { -+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) { - cond |= G_IO_OUT; - } - --- -2.15.0 - diff --git a/gnu/packages/patches/rsync-CVE-2017-16548.patch b/gnu/packages/patches/rsync-CVE-2017-16548.patch new file mode 100644 index 0000000000..52a75ea241 --- /dev/null +++ b/gnu/packages/patches/rsync-CVE-2017-16548.patch 
@@ -0,0 +1,31 @@
+https://bugzilla.samba.org/show_bug.cgi?id=13112
+https://git.samba.org/rsync.git/?p=rsync.git;a=patch;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
+
+From 47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayned@samba.org>
+Date: Sun, 5 Nov 2017 11:33:15 -0800
+Subject: [PATCH] Enforce trailing \0 when receiving xattr name values. Fixes
+ bug 13112.
+
+---
+ xattrs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xattrs.c b/xattrs.c
+index 68305d7..4867e6f 100644
+--- a/xattrs.c
++++ b/xattrs.c
+@@ -824,6 +824,10 @@ void receive_xattr(int f, struct file_struct *file)
+ out_of_memory("receive_xattr");
+ name = ptr + dget_len + extra_len;
+ read_buf(f, name, name_len);
++ if (name_len < 1 || name[name_len-1] != '\0') {
++ rprintf(FERROR, "Invalid xattr name received (missing trailing \\0).\n");
++ exit_cleanup(RERR_FILEIO);
++ }
+ if (dget_len == datum_len)
+ read_buf(f, ptr, dget_len);
+ else {
+--
+1.9.1
+
diff --git a/gnu/packages/patches/rsync-CVE-2017-17433-fix-tests.patch b/gnu/packages/patches/rsync-CVE-2017-17433-fix-tests.patch
new file mode 100644
index 0000000000..74bac0fc33
--- /dev/null
+++ b/gnu/packages/patches/rsync-CVE-2017-17433-fix-tests.patch
@@ -0,0 +1,42 @@
+https://git.samba.org/?p=rsync.git;a=patch;h=f5e8a17e093065fb20fea00a29540fe2c7896441
+minor edits were made to get the patch to apply
+
+From f5e8a17e093065fb20fea00a29540fe2c7896441 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayned@samba.org>
+Date: Sun, 3 Dec 2017 15:49:56 -0800
+Subject: [PATCH] Fix issue with earlier path-check (fixes "make check") and
+ make a BOOL more explicit.
+
+---
+ checksum.c | 2 +-
+ receiver.c | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/receiver.c b/receiver.c
+index 9c46242..75cb00d 100644
+--- a/receiver.c
++++ b/receiver.c
+@@ -574,15 +574,15 @@ int recv_files(int f_in, int f_out, char *local_name)
+ file = dir_flist->files[cur_flist->parent_ndx];
+ fname = local_name ? local_name : f_name(file, fbuf);
+
+- if (daemon_filter_list.head
+- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
++ if (DEBUG_GTE(RECV, 1))
++ rprintf(FINFO, "recv_files(%s)\n", fname);
++
++ if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')
++ && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
+ rprintf(FERROR, "attempt to hack rsync failed.\n");
+ exit_cleanup(RERR_PROTOCOL);
+ }
+
+- if (DEBUG_GTE(RECV, 1))
+- rprintf(FINFO, "recv_files(%s)\n", fname);
+-
+ #ifdef SUPPORT_XATTRS
+ if (preserve_xattrs && iflags & ITEM_REPORT_XATTR && do_xfers
+ && !(want_xattr_optim && BITS_SET(iflags, ITEM_XNAME_FOLLOWS|ITEM_LOCAL_CHANGE))) 
+--
+1.9.1
+
diff --git a/gnu/packages/patches/rsync-CVE-2017-17433.patch b/gnu/packages/patches/rsync-CVE-2017-17433.patch
new file mode 100644
index 0000000000..84e4067509
--- /dev/null
+++ b/gnu/packages/patches/rsync-CVE-2017-17433.patch
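Review bot: The embedded diffstat in rsync-CVE-2017-17433-fix-tests.patch still lists `checksum.c | 2 +-` and "2 files changed", but the patch carries only the receiver.c hunk, so the header does not say which part of the upstream commit was left out. I would replace "minor edits were made to get the patch to apply" with something specific, for example `The checksum.c hunk of the upstream commit is omitted; only the receiver.c change is applied.` The header should also mention that the added `(*fname != '.' || fname[1] != '\0')` term exempts the name "." from the daemon filter check, because that narrows the check introduced by rsync-CVE-2017-17433.patch. recv_files() starts and ends outside this hunk.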
@@ -0,0 +1,45 @@
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17433
+https://git.samba.org/?p=rsync.git;a=patch;h=3e06d40029cfdce9d0f73d87cfd4edaf54be9c51
+
+From 3e06d40029cfdce9d0f73d87cfd4edaf54be9c51 Mon Sep 17 00:00:00 2001
+From: Jeriko One <jeriko.one@gmx.us>
+Date: Thu, 2 Nov 2017 23:44:19 -0700
+Subject: [PATCH] Check fname in recv_files sooner.
+
+---
+ receiver.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/receiver.c b/receiver.c
+index baae3a9..9fdafa1 100644
+--- a/receiver.c
++++ b/receiver.c
+@@ -574,6 +574,12 @@ int recv_files(int f_in, int f_out, char *local_name)
+ file = dir_flist->files[cur_flist->parent_ndx];
+ fname = local_name ? local_name : f_name(file, fbuf);
+
++ if (daemon_filter_list.head
++ && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
++ rprintf(FERROR, "attempt to hack rsync failed.\n");
++ exit_cleanup(RERR_PROTOCOL);
++ }
++
+ if (DEBUG_GTE(RECV, 1))
+ rprintf(FINFO, "recv_files(%s)\n", fname);
+
+@@ -645,12 +651,6 @@ int recv_files(int f_in, int f_out, char *local_name)
+
+ cleanup_got_literal = 0;
+
+- if (daemon_filter_list.head
+- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
+- rprintf(FERROR, "attempt to hack rsync failed.\n");
+- exit_cleanup(RERR_PROTOCOL);
+- }
+-
+ if (read_batch) {
+ int wanted = redoing
+ ? we_want_redo(ndx)
+--
+1.9.1
+
diff --git a/gnu/packages/patches/rsync-CVE-2017-17434-pt1.patch b/gnu/packages/patches/rsync-CVE-2017-17434-pt1.patch
new file mode 100644
index 0000000000..0d9298743d
--- /dev/null
+++ b/gnu/packages/patches/rsync-CVE-2017-17434-pt1.patch
@@ -0,0 +1,28 @@
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17434
+https://git.samba.org/?p=rsync.git;a=patch;h=5509597decdbd7b91994210f700329d8a35e70a1
+
+From 5509597decdbd7b91994210f700329d8a35e70a1 Mon Sep 17 00:00:00 2001
+From: Jeriko One <jeriko.one@gmx.us>
+Date: Thu, 16 Nov 2017 17:26:03 -0800
+Subject: [PATCH] Check daemon filter against fnamecmp in recv_files().
+
+---
+ receiver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/receiver.c b/receiver.c
+index 9fdafa1..9c46242 100644
+--- a/receiver.c
++++ b/receiver.c
+@@ -722,7 +722,7 @@ int recv_files(int f_in, int f_out, char *local_name)
+ break;
+ }
+ if (!fnamecmp || (daemon_filter_list.head
+- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0)) {
++ && check_filter(&daemon_filter_list, FLOG, fnamecmp, 0) < 0)) {
+ fnamecmp = fname;
+ fnamecmp_type = FNAMECMP_FNAME;
+ }
+--
+1.9.1
+
diff --git a/gnu/packages/patches/rsync-CVE-2017-17434-pt2.patch b/gnu/packages/patches/rsync-CVE-2017-17434-pt2.patch
new file mode 100644
index 0000000000..fad19d01fb
--- /dev/null
+++ b/gnu/packages/patches/rsync-CVE-2017-17434-pt2.patch
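Review bot: The three receiver.c patches form a chain that none of their headers documents, so a reordering in the package definition would misapply or drop a security fix. The blob ids show the order: rsync-CVE-2017-17433.patch produces 9fdafa1, rsync-CVE-2017-17434-pt1.patch takes 9fdafa1 to 9c46242, and rsync-CVE-2017-17433-fix-tests.patch starts from 9c46242. The package definition is not visible here, so I cannot tell whether it lists them in that order. I would add a header line to this patch such as `Apply after rsync-CVE-2017-17433.patch and before rsync-CVE-2017-17433-fix-tests.patch.` recv_files() starts and ends outside the hunk.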
@@ -0,0 +1,39 @@
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17434
+https://git.samba.org/?p=rsync.git;a=patch;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9
+
+From 70aeb5fddd1b2f8e143276f8d5a085db16c593b9 Mon Sep 17 00:00:00 2001
+From: Jeriko One <jeriko.one@gmx.us>
+Date: Thu, 16 Nov 2017 17:05:42 -0800
+Subject: [PATCH] Sanitize xname in read_ndx_and_attrs.
+
+---
+ rsync.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/rsync.c b/rsync.c
+index b82e598..a0945ba 100644
+--- a/rsync.c
++++ b/rsync.c
+@@ -49,6 +49,7 @@ extern int flist_eof;
+ extern int file_old_total;
+ extern int keep_dirlinks;
+ extern int make_backups;
++extern int sanitize_paths;
+ extern struct file_list *cur_flist, *first_flist, *dir_flist;
+ extern struct chmod_mode_struct *daemon_chmod_modes;
+ #ifdef ICONV_OPTION
+@@ -396,6 +397,11 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag_ptr, uchar *type_ptr,
+ if (iflags & ITEM_XNAME_FOLLOWS) {
+ if ((len = read_vstring(f_in, buf, MAXPATHLEN)) < 0)
+ exit_cleanup(RERR_PROTOCOL);
++
++ if (sanitize_paths) {
++ sanitize_path(buf, buf, "", 0, SP_DEFAULT);
++ len = strlen(buf);
++ }
+ } else {
+ *buf = '\0';
+ len = -1;
+--
+1.9.1
+
diff --git a/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch b/gnu/packages/patches/t1lib-CVE-2011-1552+.patch
index aaa31f7b93..aaa31f7b93 100644
--- a/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch
+++ b/gnu/packages/patches/t1lib-CVE-2011-1552+.patch |