diff options
author | Leo Famulari <leo@famulari.name> | 2017-07-23 03:42:12 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2017-07-23 03:42:12 -0400 |
commit | 6c1a317e29c45e85e3a0e050612cdefe470b100c (patch) | |
tree | e65dedf933090b1a9f8398655b3b20eba49fae96 /gnu/packages/patches | |
parent | b7158b767b7fd9f0379dfe08083c48a0cf0f3d50 (diff) | |
parent | 9478c05955643f8ff95dabccc1e42b20abb88049 (diff) | |
download | guix-6c1a317e29c45e85e3a0e050612cdefe470b100c.tar.gz |
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/bigloo-gc-shebangs.patch | 18 | ||||
-rw-r--r-- | gnu/packages/patches/chicken-CVE-2017-11343.patch | 57 | ||||
-rw-r--r-- | gnu/packages/patches/evince-CVE-2017-1000083.patch | 109 | ||||
-rw-r--r-- | gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 | ||||
-rw-r--r-- | gnu/packages/patches/heimdal-CVE-2017-6594.patch | 85 | ||||
-rw-r--r-- | gnu/packages/patches/hop-linker-flags.patch | 60 | ||||
-rw-r--r-- | gnu/packages/patches/libusb-0.1-disable-tests.patch | 15 | ||||
-rw-r--r-- | gnu/packages/patches/metabat-fix-compilation.patch | 39 | ||||
-rw-r--r-- | gnu/packages/patches/python-fake-factory-fix-build-32bit.patch | 36 | ||||
-rw-r--r-- | gnu/packages/patches/python-pyopenssl-17.1.0-test-overflow.patch | 36 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-11334.patch | 52 | ||||
-rw-r--r-- | gnu/packages/patches/quassel-fix-tls-check.patch | 25 | ||||
-rw-r--r-- | gnu/packages/patches/sooperlooper-build-with-wx-30.patch | 179 | ||||
-rw-r--r-- | gnu/packages/patches/spice-CVE-2017-7506.patch | 158 | ||||
-rw-r--r-- | gnu/packages/patches/supertuxkart-angelscript-ftbfs.patch | 42 |
15 files changed, 806 insertions, 150 deletions
diff --git a/gnu/packages/patches/bigloo-gc-shebangs.patch b/gnu/packages/patches/bigloo-gc-shebangs.patch deleted file mode 100644 index 367708610a..0000000000 --- a/gnu/packages/patches/bigloo-gc-shebangs.patch +++ /dev/null @@ -1,18 +0,0 @@ -Patch shebangs in source that gets unpacked by `configure'. - ---- bigloo4.1a/gc/install-gc-7.4.0 2014-02-04 14:55:03.000000000 +0100 -+++ bigloo4.1a/gc/install-gc-7.4.0 2014-02-04 14:55:36.000000000 +0100 -@@ -29,10 +29,12 @@ fi - - # untar the two versions of the GC - $tar xfz $src -C ../gc || (echo "$tar xfz $src failed"; exit 1) --/bin/rm -rf "../gc/$gc"_fth -+rm -rf "../gc/$gc"_fth -+find ../gc/$gc -perm /111 -type f | xargs sed -i -e"s|/bin/sh|`type -P sh`|g" - mv ../gc/$gc "../gc/$gc"_fth || (echo "mv $gc failed"; exit 1) - - $tar xfz $src -C ../gc || (echo "$tar xfz $src failed"; exit 1) -+find ../gc/$gc -perm /111 -type f | xargs sed -i -e"s|/bin/sh|`type -P sh`|g" - - # general Bigloo patch - (cd "../gc/$gc"_fth && $patch -p1 < ../$gc.patch > /dev/null) diff --git a/gnu/packages/patches/chicken-CVE-2017-11343.patch b/gnu/packages/patches/chicken-CVE-2017-11343.patch new file mode 100644 index 0000000000..1d46ad50d9 --- /dev/null +++ b/gnu/packages/patches/chicken-CVE-2017-11343.patch @@ -0,0 +1,57 @@ +Fix CVE-2017-11343: + +https://lists.nongnu.org/archive/html/chicken-announce/2017-07/msg00000.html +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11343 + +Patch copied from upstream mailing list: + +http://lists.gnu.org/archive/html/chicken-hackers/2017-06/txtod8Pa1wGU0.txt + +From ae2633195cc5f4f61c9da4ac90f0c14c010dcc3d Mon Sep 17 00:00:00 2001 +From: Peter Bex <address@hidden> +Date: Fri, 30 Jun 2017 15:39:45 +0200 +Subject: [PATCH 2/2] Initialize symbol table after setting up randomization + +Otherwise, the symbol table wouldn't be correctly randomized. +--- + NEWS | 3 +++ + runtime.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +#diff --git a/NEWS b/NEWS +#index f4b0e041..6588b30e 100644 +#--- a/NEWS +#+++ b/NEWS +#@@ -96,6 +96,9 @@ +# buffer overrun and/or segfault (thanks to Lemonboy). +# - CVE-2017-9334: `length' no longer crashes on improper lists (fixes +# #1375, thanks to "megane"). +#+ - The randomization factor of the symbol table was set before +#+ the random seed was set, causing it to have a fixed value on many +#+ platforms. +# +# - Core Libraries +# - Unit "posix": If file-lock, file-lock/blocking or file-unlock are +diff --git a/runtime.c b/runtime.c +index 81c54dd2..a4580abc 100644 +--- a/runtime.c ++++ b/runtime.c +@@ -799,7 +799,6 @@ int CHICKEN_initialize(int heap, int stack, int symbols, void *toplevel) + C_initial_timer_interrupt_period = INITIAL_TIMER_INTERRUPT_PERIOD; + C_timer_interrupt_counter = INITIAL_TIMER_INTERRUPT_PERIOD; + memset(signal_mapping_table, 0, sizeof(int) * NSIG); +- initialize_symbol_table(); + C_dlerror = "cannot load compiled code dynamically - this is a statically linked executable"; + error_location = C_SCHEME_FALSE; + C_pre_gc_hook = NULL; +@@ -816,6 +815,7 @@ int CHICKEN_initialize(int heap, int stack, int symbols, void *toplevel) + callback_continuation_level = 0; + gc_ms = 0; + (void)C_randomize(C_fix(time(NULL))); ++ initialize_symbol_table(); + + if (profiling) { + #ifndef C_NONUNIX +-- +2.11.0 + diff --git a/gnu/packages/patches/evince-CVE-2017-1000083.patch b/gnu/packages/patches/evince-CVE-2017-1000083.patch new file mode 100644 index 0000000000..2ca062f337 --- /dev/null +++ b/gnu/packages/patches/evince-CVE-2017-1000083.patch @@ -0,0 +1,109 @@ +Fix CVE-2017-1000083. + +http://seclists.org/oss-sec/2017/q3/128 +https://bugzilla.gnome.org/show_bug.cgi?id=784630 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/evince/commit/?id=717df38fd8509bf883b70d680c9b1b3cf36732ee + +From 717df38fd8509bf883b70d680c9b1b3cf36732ee Mon Sep 17 00:00:00 2001 +From: Bastien Nocera <hadess@hadess.net> +Date: Thu, 6 Jul 2017 20:02:00 +0200 +Subject: comics: Remove support for tar and tar-like commands + +diff --git a/backend/comics/comics-document.c b/backend/comics/comics-document.c +index 4c74731..641d785 100644 +--- a/backend/comics/comics-document.c ++++ b/backend/comics/comics-document.c +@@ -56,8 +56,7 @@ typedef enum + RARLABS, + GNAUNRAR, + UNZIP, +- P7ZIP, +- TAR ++ P7ZIP + } ComicBookDecompressType; + + typedef struct _ComicsDocumentClass ComicsDocumentClass; +@@ -117,9 +116,6 @@ static const ComicBookDecompressCommand command_usage_def[] = { + + /* 7zip */ + {NULL , "%s l -- %s" , "%s x -y %s -o%s", FALSE, OFFSET_7Z}, +- +- /* tar */ +- {"%s -xOf" , "%s -tf %s" , NULL , FALSE, NO_OFFSET} + }; + + static GSList* get_supported_image_extensions (void); +@@ -364,13 +360,6 @@ comics_check_decompress_command (gchar *mime_type, + comics_document->command_usage = GNAUNRAR; + return TRUE; + } +- comics_document->selected_command = +- g_find_program_in_path ("bsdtar"); +- if (comics_document->selected_command) { +- comics_document->command_usage = TAR; +- return TRUE; +- } +- + } else if (g_content_type_is_a (mime_type, "application/x-cbz") || + g_content_type_is_a (mime_type, "application/zip")) { + /* InfoZIP's unzip program */ +@@ -396,12 +385,6 @@ comics_check_decompress_command (gchar *mime_type, + comics_document->command_usage = P7ZIP; + return TRUE; + } +- comics_document->selected_command = +- g_find_program_in_path ("bsdtar"); +- if (comics_document->selected_command) { +- comics_document->command_usage = TAR; +- return TRUE; +- } + + } else if (g_content_type_is_a (mime_type, "application/x-cb7") || + g_content_type_is_a (mime_type, "application/x-7z-compressed")) { +@@ -425,27 +408,6 @@ comics_check_decompress_command (gchar *mime_type, + comics_document->command_usage = P7ZIP; + return TRUE; + } +- comics_document->selected_command = +- g_find_program_in_path ("bsdtar"); +- if (comics_document->selected_command) { +- comics_document->command_usage = TAR; +- return TRUE; +- } +- } else if (g_content_type_is_a (mime_type, "application/x-cbt") || +- g_content_type_is_a (mime_type, "application/x-tar")) { +- /* tar utility (Tape ARchive) */ +- comics_document->selected_command = +- g_find_program_in_path ("tar"); +- if (comics_document->selected_command) { +- comics_document->command_usage = TAR; +- return TRUE; +- } +- comics_document->selected_command = +- g_find_program_in_path ("bsdtar"); +- if (comics_document->selected_command) { +- comics_document->command_usage = TAR; +- return TRUE; +- } + } else { + g_set_error (error, + EV_DOCUMENT_ERROR, +diff --git a/configure.ac b/configure.ac +index 9e9f831..7eb0f1f 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -795,7 +795,7 @@ AC_SUBST(TIFF_MIME_TYPES) + AC_SUBST(APPDATA_TIFF_MIME_TYPES) + AM_SUBST_NOTMAKE(APPDATA_TIFF_MIME_TYPES) + if test "x$enable_comics" = "xyes"; then +- COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-cbt;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;application/x-ext-cbt" ++ COMICS_MIME_TYPES="application/x-cbr;application/x-cbz;application/x-cb7;application/x-ext-cbr;application/x-ext-cbz;application/vnd.comicbook+zip;application/x-ext-cb7;" + APPDATA_COMICS_MIME_TYPES=$(echo "<mimetype>$COMICS_MIME_TYPES</mimetype>" | sed -e 's/;/<\/mimetype>\n <mimetype>/g') + if test -z "$EVINCE_MIME_TYPES"; then + EVINCE_MIME_TYPES="${COMICS_MIME_TYPES}" +-- +cgit v0.12 + diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch new file mode 100644 index 0000000000..d76f0df369 --- /dev/null +++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch @@ -0,0 +1,45 @@ +Fix CVE-2017-11103: + +https://orpheus-lyre.info/ +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103 +https://security-tracker.debian.org/tracker/CVE-2017-11103 + +Patch lifted from upstream source repository: + +https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea + +From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001 +From: Jeffrey Altman <jaltman@secure-endpoints.com> +Date: Wed, 12 Apr 2017 15:40:42 -0400 +Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + +In _krb5_extract_ticket() the KDC-REP service name must be obtained from +encrypted version stored in 'enc_part' instead of the unencrypted version +stored in 'ticket'. Use of the unecrypted version provides an +opportunity for successful server impersonation and other attacks. + +Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. + +Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c +--- + lib/krb5/ticket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c +index d95d96d1b..b8d81c6ad 100644 +--- a/lib/krb5/ticket.c ++++ b/lib/krb5/ticket.c +@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context, + /* check server referral and save principal */ + ret = _krb5_principalname2krb5_principal (context, + &tmp_principal, +- rep->kdc_rep.ticket.sname, +- rep->kdc_rep.ticket.realm); ++ rep->enc_part.sname, ++ rep->enc_part.srealm); + if (ret) + goto out; + if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ +-- +2.13.3 + diff --git a/gnu/packages/patches/heimdal-CVE-2017-6594.patch b/gnu/packages/patches/heimdal-CVE-2017-6594.patch new file mode 100644 index 0000000000..714af60304 --- /dev/null +++ b/gnu/packages/patches/heimdal-CVE-2017-6594.patch @@ -0,0 +1,85 @@ +Fix CVE-2017-6594: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594 +https://security-tracker.debian.org/tracker/CVE-2017-6594 + +Patch lifted from upstream source repository: + +https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837 + +To apply the patch to Heimdal 1.5.3 release tarball, the changes to 'NEWS' and +files in 'tests/' are removed, and hunk #4 of 'kdc/krb5tgs.c' is modified. + +From b1e699103f08d6a0ca46a122193c9da65f6cf837 Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni <viktor@twosigma.com> +Date: Wed, 10 Aug 2016 23:31:14 +0000 +Subject: [PATCH] Fix transit path validation CVE-2017-6594 + +Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm +to not be added to the transit path of issued tickets. This may, in +some cases, enable bypass of capath policy in Heimdal versions 1.5 +through 7.2. + +Note, this may break sites that rely on the bug. With the bug some +incomplete [capaths] worked, that should not have. These may now break +authentication in some cross-realm configurations. +--- + NEWS | 14 ++++++++++++++ + kdc/krb5tgs.c | 12 ++++++++++-- + tests/kdc/check-kdc.in | 17 +++++++++++++++++ + tests/kdc/krb5.conf.in | 4 ++++ + 4 files changed, 45 insertions(+), 2 deletions(-) + +diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c +index 6048b9c55..98503812f 100644 +--- a/kdc/krb5tgs.c ++++ b/kdc/krb5tgs.c +@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context, + "Decoding transited encoding"); + return ret; + } ++ ++ /* ++ * If the realm of the presented tgt is neither the client nor the server ++ * realm, it is a transit realm and must be added to transited set. ++ */ + if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) { +- /* not us, so add the previous realm to transited set */ + if (num_realms + 1 > UINT_MAX/sizeof(*realms)) { + ret = ERANGE; + goto free_realms; +@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context, + const char *server_name, + hdb_entry_ex *client, + krb5_principal client_principal, ++ const char *tgt_realm, + hdb_entry_ex *krbtgt, + krb5_enctype krbtgt_etype, + krb5_principals spp, +@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context, + &tgt->transited, &et, + krb5_principal_get_realm(context, client_principal), + krb5_principal_get_realm(context, server->entry.principal), +- krb5_principal_get_realm(context, krbtgt->entry.principal)); ++ tgt_realm); + if(ret) + goto out; + +@@ -1519,4 +1524,6 @@ tgs_build_reply(krb5_context context, + krb5_keyblock sessionkey; + krb5_kvno kvno; + krb5_data rspac; ++ const char *tgt_realm = /* Realm of TGT issuer */ ++ krb5_principal_get_realm(context, krbtgt->entry.principal); + +@@ -2324,6 +2331,7 @@ server_lookup: + spn, + client, + cp, ++ tgt_realm, + krbtgt_out, + tkey_sign->key.keytype, + spp, +-- +2.13.3 + diff --git a/gnu/packages/patches/hop-linker-flags.patch b/gnu/packages/patches/hop-linker-flags.patch deleted file mode 100644 index f1f5dbfbd9..0000000000 --- a/gnu/packages/patches/hop-linker-flags.patch +++ /dev/null @@ -1,60 +0,0 @@ -Make hop's link rules honor flags set by the --blflags configure argument. - ---- hop-2.4.0/src/Makefile 2015-05-05 19:41:04.800151036 -0500 -+++ hop-2.4.0/src/Makefile 2015-05-05 19:40:40.916150417 -0500 -@@ -69,10 +69,10 @@ - $(MAKE) link.$(LINK) DEST=$@ - - link.dynamic: -- @ $(call link,$(BIGLOO),$(BCFLAGS),$(BCFLAGSDEV),$(OBJECTS),-o,$(DEST)) -+ @ $(call link,$(BIGLOO),$(BCFLAGS) $(BLFLAGS),$(BCFLAGSDEV),$(OBJECTS),-o,$(DEST)) - - link.static: -- @ $(call link,$(BIGLOO),$(BCFLAGS),$(BCFLAGSDEV),-static-all-bigloo $(OBJECTS),-o,$(DEST)) -+ @ $(call link,$(BIGLOO),$(BCFLAGS) $(BLFLAGS),$(BCFLAGSDEV),-static-all-bigloo $(OBJECTS),-o,$(DEST)) - - link.library: - echo "***ERROR: link.library not currently supported!" ---- hop-2.4.0/hopc/Makefile 2013-01-30 07:17:59.000000000 -0600 -+++ hop-2.4.0/hopc/Makefile 2015-05-05 19:45:21.876157699 -0500 -@@ -62,7 +62,7 @@ - mkdir -p $@ - - $(BUILDBINDIR)/$(EXEC): .afile .etags $(OBJECTS) -- @ $(call link,$(BIGLOO),$(BCFLAGS),,$(OBJECTS),-o,$@) -+ @ $(call link,$(BIGLOO),$(BCFLAGS) $(BLFLAGS),$(BCFLAGSDEV),$(OBJECTS),-o,$@) - - $(BUILDBINDIR)/$(EXEC).jar: .afile .etags .jfile $(BGL_CLASSES) META-INF/MANIFEST.MF jvm-stdlibs jvm-share jvm-lib - $(JAR) $@ META-INF/MANIFEST.MF -C o/class_s . ---- hop-2.4.0/hophz/Makefile 2013-01-30 07:17:59.000000000 -0600 -+++ hop-2.4.0/hophz/Makefile 2015-05-05 19:59:42.996180030 -0500 -@@ -16,9 +16,6 @@ - -include ../etc/Makefile.hopconfig - -include ../etc/Makefile.version - --BLFLAGS = --BLINKFLAGS = -suffix hop -- - #*---------------------------------------------------------------------*/ - #* Target and Project */ - #*---------------------------------------------------------------------*/ -@@ -72,7 +69,7 @@ - mkdir -p $@ - - $(BUILDBINDIR)/$(EXEC): .afile .etags $(OBJECTS) -- @ $(call link,$(BIGLOO),$(BCFLAGS),$(BLINKFLAGS),$(OBJECTS),-o,$@) -+ @ $(call link,$(BIGLOO),$(BCFLAGS) $(BLFLAGS),$(BCFLAGSDEV),$(OBJECTS),-o,$@) - - $(BUILDBINDIR)/$(EXEC).jar: .afile .etags .jfile $(BGL_CLASSES) META-INF/MANIFEST.MF jvm-stdlibs jvm-share jvm-lib - @ $(JAR) $@ META-INF/MANIFEST.MF -C o/class_s . ---- hop-2.4.0/hopsh/Makefile 2013-01-30 07:17:59.000000000 -0600 -+++ hop-2.4.0/hopsh/Makefile 2015-05-05 19:46:36.060159626 -0500 -@@ -60,7 +60,7 @@ - mkdir -p $@ - - $(BUILDBINDIR)/$(EXEC): .afile .etags $(OBJECTS) -- @ $(call link,$(BIGLOO),$(BCFLAGS),$(BCFLAGSDEV),$(OBJECTS),-o,$@) -+ @ $(call link,$(BIGLOO),$(BCFLAGS) $(BLFLAGS),$(BCFLAGSDEV),$(OBJECTS),-o,$@) - - $(BUILDBINDIR)/$(EXEC).jar: .afile .etags .jfile $(BGL_CLASSES) META-INF/MANIFEST.MF jvm-stdlibs jvm-share jvm-lib - @ $(JAR) $@ META-INF/MANIFEST.MF -C o/class_s . diff --git a/gnu/packages/patches/libusb-0.1-disable-tests.patch b/gnu/packages/patches/libusb-0.1-disable-tests.patch new file mode 100644 index 0000000000..37dd8bd111 --- /dev/null +++ b/gnu/packages/patches/libusb-0.1-disable-tests.patch @@ -0,0 +1,15 @@ +Disable tests who fail because they have to run as root. + +--- libusb-0.1.12/tests/Makefile.in 2006-03-04 03:54:06.000000000 +0100 ++++ libusb-0.1.12/tests/Makefile.in 2017-07-13 16:17:45.201728019 +0200 +@@ -255,8 +255,8 @@ + hub_strings_LDADD = $(top_builddir)/libusbpp.la @OSLIBS@ + driver_name_SOURCES = driver_name.cpp + driver_name_LDADD = $(top_builddir)/libusbpp.la @OSLIBS@ +-TESTS = testlibusb descriptor_test id_test find_hubs find_mice \ +- get_resolution hub_strings $(OS_SPECIFIC) ++TESTS = testlibusb descriptor_test id_test find_hubs find_mice ++ #get_resolution hub_strings $(OS_SPECIFIC) + + XFAIL_TESTS = get_resolution hub_strings $(OS_SPECIFIC_XFAIL) + all: all-am diff --git a/gnu/packages/patches/metabat-fix-compilation.patch b/gnu/packages/patches/metabat-fix-compilation.patch new file mode 100644 index 0000000000..7086a96e86 --- /dev/null +++ b/gnu/packages/patches/metabat-fix-compilation.patch @@ -0,0 +1,39 @@ +This patch changes metabat so that (1) it is not build statically, (2) it uses +shared libraries rather than static libraries where possible. + +diff --git a/SConstruct b/SConstruct +index 69cdc0a..ac99bcb 100644 +--- a/SConstruct ++++ b/SConstruct +@@ -26,8 +26,6 @@ debug = ARGUMENTS.get('DEBUG', None) + build_flags = ['-Wall', '-g', '-std=c++11', '-fopenmp'] + link_flags = ['-lstdc++', '-lm', '-fopenmp'] + +-if platform.platform(True, True).find('Darwin') == -1: +- link_flags.extend(['-static', '-static-libgcc', '-static-libstdc++']) + + if debug is None: + build_flags.extend(['-O3', '-DNDEBUG', '-Wno-unknown-pragmas', '-Wno-deprecated-declarations', '-Wno-overflow', '-Wno-unused-variable']) +@@ -110,17 +108,17 @@ def findStaticOrShared( lib, testPaths, static_source_list, link_flag_list, stat + for path in testPaths: + if not os.path.isdir(path): + continue ++ for testfile in ('%s/lib%s.so' % (path, lib), '%s/lib%s.dylib' % (path, lib)): ++ if os.path.isfile(testfile): ++ print "Found shared library %s as %s" % (lib, testfile) ++ link_flag_list.extend( ["-L%s" % (path), "-l%s" % (lib) ] ) ++ return + for suffix in staticSuffixes: + testfile = '%s/lib%s%s' % (path, lib, suffix) + if os.path.isfile(testfile): + static_source_list.append(testfile) + print "Found static library %s as %s" % (lib, testfile) + return +- for testfile in ('%s/lib%s.so' % (path, lib), '%s/lib%s.dylib' % (path, lib)): +- if os.path.isfile(testfile): +- print "Found shared library %s as %s" % (lib, testfile) +- link_flag_list.extend( ["-L%s" % (path), "-l%s" % (lib) ] ) +- return + print "Could not find library for %s!!! Looked in %s" % (lib, testPaths) + return + diff --git a/gnu/packages/patches/python-fake-factory-fix-build-32bit.patch b/gnu/packages/patches/python-fake-factory-fix-build-32bit.patch deleted file mode 100644 index cb60896fad..0000000000 --- a/gnu/packages/patches/python-fake-factory-fix-build-32bit.patch +++ /dev/null @@ -1,36 +0,0 @@ -These tests fail on 32-bit due to an overflow. - -Upstream bug URL: https://github.com/joke2k/faker/issues/408 - -diff --git a/faker/tests/__init__.py b/faker/tests/__init__.py -index 6026772..58b6b83 100644 ---- a/faker/tests/__init__.py -+++ b/faker/tests/__init__.py -@@ -384,7 +384,6 @@ class FactoryTestCase(unittest.TestCase): - provider = Provider - # test century - self.assertTrue(self._datetime_to_time(provider.date_time_this_century(after_now=False)) <= self._datetime_to_time(datetime.datetime.now())) -- self.assertTrue(self._datetime_to_time(provider.date_time_this_century(before_now=False, after_now=True)) >= self._datetime_to_time(datetime.datetime.now())) - # test decade - self.assertTrue(self._datetime_to_time(provider.date_time_this_decade(after_now=False)) <= self._datetime_to_time(datetime.datetime.now())) - self.assertTrue(self._datetime_to_time(provider.date_time_this_decade(before_now=False, after_now=True)) >= self._datetime_to_time(datetime.datetime.now())) -@@ -413,8 +412,6 @@ class FactoryTestCase(unittest.TestCase): - - # ensure all methods provide timezone aware datetimes - with self.assertRaises(TypeError): -- provider.date_time_this_century(before_now=False, after_now=True, tzinfo=utc) >= datetime.datetime.now() -- with self.assertRaises(TypeError): - provider.date_time_this_decade(after_now=False, tzinfo=utc) <= datetime.datetime.now() - with self.assertRaises(TypeError): - provider.date_time_this_year(after_now=False, tzinfo=utc) <= datetime.datetime.now() -@@ -423,7 +420,6 @@ class FactoryTestCase(unittest.TestCase): - - # test century - self.assertTrue(provider.date_time_this_century(after_now=False, tzinfo=utc) <= datetime.datetime.now(utc)) -- self.assertTrue(provider.date_time_this_century(before_now=False, after_now=True, tzinfo=utc) >= datetime.datetime.now(utc)) - # test decade - self.assertTrue(provider.date_time_this_decade(after_now=False, tzinfo=utc) <= datetime.datetime.now(utc)) - self.assertTrue(provider.date_time_this_decade(before_now=False, after_now=True, tzinfo=utc) >= datetime.datetime.now(utc)) --- -2.11.1 - diff --git a/gnu/packages/patches/python-pyopenssl-17.1.0-test-overflow.patch b/gnu/packages/patches/python-pyopenssl-17.1.0-test-overflow.patch deleted file mode 100644 index 06b2f4fe03..0000000000 --- a/gnu/packages/patches/python-pyopenssl-17.1.0-test-overflow.patch +++ /dev/null @@ -1,36 +0,0 @@ -Resolves a test failure on 32-bit platforms. - -https://github.com/pyca/pyopenssl/issues/657 - -Patch copied from upstream source repository: - -https://github.com/pyca/pyopenssl/commit/ecc0325479c0d5c5f2ca88b4550e87cdb59d6c95 - -From ecc0325479c0d5c5f2ca88b4550e87cdb59d6c95 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor <alex.gaynor@gmail.com> -Date: Thu, 6 Jul 2017 22:14:44 -0400 -Subject: [PATCH] Fixed #657 -- handle OverflowErrors on large allocation - requests - ---- - tests/test_rand.py | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tests/test_rand.py b/tests/test_rand.py -index bdd3af08..6adf72a1 100644 ---- a/tests/test_rand.py -+++ b/tests/test_rand.py -@@ -32,10 +32,10 @@ def test_bytes_wrong_args(self, args): - - def test_insufficient_memory(self): - """ -- `OpenSSL.rand.bytes` raises `MemoryError` if more bytes are requested -- than will fit in memory. -+ `OpenSSL.rand.bytes` raises `MemoryError` or `OverflowError` if more -+ bytes are requested than will fit in memory. - """ -- with pytest.raises(MemoryError): -+ with pytest.raises((MemoryError, OverflowError)): - rand.bytes(sys.maxsize) - - def test_bytes(self): diff --git a/gnu/packages/patches/qemu-CVE-2017-11334.patch b/gnu/packages/patches/qemu-CVE-2017-11334.patch new file mode 100644 index 0000000000..cb68c803aa --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-11334.patch @@ -0,0 +1,52 @@ +Fix CVE-2017-11334: + +https://bugzilla.redhat.com/show_bug.cgi?id=1471638 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11334 + +Patch copied from upstream source repository: + +http://git.qemu.org/?p=qemu.git;a=commitdiff;h=04bf2526ce87f21b32c9acba1c5518708c243ad0 + +From 04bf2526ce87f21b32c9acba1c5518708c243ad0 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Wed, 12 Jul 2017 18:08:40 +0530 +Subject: [PATCH] exec: use qemu_ram_ptr_length to access guest ram + +When accessing guest's ram block during DMA operation, use +'qemu_ram_ptr_length' to get ram block pointer. It ensures +that DMA operation of given length is possible; And avoids +any OOB memory access situations. + +Reported-by: Alex <broscutamaker@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-Id: <20170712123840.29328-1-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + exec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/exec.c b/exec.c +index a083ff89ad..ad103ce483 100644 +--- a/exec.c ++++ b/exec.c +@@ -2929,7 +2929,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr, + } + } else { + /* RAM case */ +- ptr = qemu_map_ram_ptr(mr->ram_block, addr1); ++ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); + memcpy(ptr, buf, l); + invalidate_and_set_dirty(mr, addr1, l); + } +@@ -3020,7 +3020,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr, + } + } else { + /* RAM case */ +- ptr = qemu_map_ram_ptr(mr->ram_block, addr1); ++ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); + memcpy(buf, ptr, l); + } + +-- +2.13.3 + diff --git a/gnu/packages/patches/quassel-fix-tls-check.patch b/gnu/packages/patches/quassel-fix-tls-check.patch new file mode 100644 index 0000000000..057bc02a14 --- /dev/null +++ b/gnu/packages/patches/quassel-fix-tls-check.patch @@ -0,0 +1,25 @@ +This allows quasselclient to connect to SSL-enabled quasselcore instances. + +The check in qglobal.h requires -fPIC (not -fPIE as it is now). When this check +fails SSL / TLS is disabled. + +This patch comes from the upstream source repository [0] and can be +removed when the next version is packaged. + +[0] https://github.com/quassel/quassel/commit/4768c9e99f99b581d4e32e797db91d0182391696 + +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -428,6 +428,11 @@ endif() + cmake_push_check_state(RESET) + set(CMAKE_REQUIRED_INCLUDES ${QT_INCLUDES} ${Qt5Core_INCLUDE_DIRS}) + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${Qt5Core_EXECUTABLE_COMPILE_FLAGS}") ++ ++if (USE_QT5 AND Qt5_POSITION_INDEPENDENT_CODE) ++ set(CMAKE_REQUIRED_FLAGS "-fPIC -DQT_NO_VERSION_TAGGING") ++endif() ++ + check_cxx_source_compiles(" + #include \"qglobal.h\" + #if defined QT_NO_SSL + diff --git a/gnu/packages/patches/sooperlooper-build-with-wx-30.patch b/gnu/packages/patches/sooperlooper-build-with-wx-30.patch new file mode 100644 index 0000000000..43f4b9be69 --- /dev/null +++ b/gnu/packages/patches/sooperlooper-build-with-wx-30.patch @@ -0,0 +1,179 @@ +Downloaded from https://anonscm.debian.org/cgit/pkg-multimedia/sooperlooper.git/plain/debian/patches/04-build_with_wx_30.patch -O gnu/packages/patches/sooperlooper-build-with-wx-30.patch + +Author: Jaromír Mikeš <mira.mikes@seznam.cz>, Olly Betts <olly@survex.com> +Description: build against wx 3.0. +Forwarded: yes + +Index: sooperlooper/src/gui/main_panel.cpp +=================================================================== +--- sooperlooper.orig/src/gui/main_panel.cpp ++++ sooperlooper/src/gui/main_panel.cpp +@@ -448,7 +448,7 @@ MainPanel::init_loopers (int count) + while (count < (int)_looper_panels.size()) { + looperpan = _looper_panels.back(); + _looper_panels.pop_back(); +- _main_sizer->Remove(looperpan); ++ _main_sizer->Detach(looperpan); + looperpan->Destroy(); + } + } +@@ -1277,7 +1277,7 @@ void MainPanel::misc_action (bool releas + } + + +- wxString filename = do_file_selector (wxT("Choose file to save loop"), wxT("wav"), wxT("WAVE files (*.wav)|*.wav;*.WAV;*.Wav"), wxSAVE|wxCHANGE_DIR|wxOVERWRITE_PROMPT); ++ wxString filename = do_file_selector (wxT("Choose file to save loop"), wxT("wav"), wxT("WAVE files (*.wav)|*.wav;*.WAV;*.Wav"), wxFD_SAVE|wxFD_CHANGE_DIR|wxFD_OVERWRITE_PROMPT); + + if ( !filename.empty() ) + { +@@ -1296,7 +1296,7 @@ void MainPanel::misc_action (bool releas + index = 0; + } + +- wxString filename = do_file_selector (wxT("Choose file to open"), wxT(""), wxT("*.slsess"), wxOPEN|wxCHANGE_DIR); ++ wxString filename = do_file_selector (wxT("Choose file to open"), wxT(""), wxT("*.slsess"), wxFD_OPEN|wxFD_CHANGE_DIR); + + if ( !filename.empty() ) + { +@@ -1408,7 +1408,7 @@ void MainPanel::set_curr_loop (int index + + void MainPanel::do_load_session () + { +- wxString filename = do_file_selector (wxT("Choose session to load"), wxT("*.slsess"), wxT("*.slsess"), wxOPEN|wxCHANGE_DIR); ++ wxString filename = do_file_selector (wxT("Choose session to load"), wxT("*.slsess"), wxT("*.slsess"), wxFD_OPEN|wxFD_CHANGE_DIR); + + if ( !filename.empty() ) + { +@@ -1419,7 +1419,7 @@ void MainPanel::do_load_session () + + void MainPanel::do_save_session (bool write_audio) + { +- wxString filename = do_file_selector (wxT("Choose file to save session"), wxT("slsess"), wxT("*.slsess"), wxSAVE|wxCHANGE_DIR|wxOVERWRITE_PROMPT); ++ wxString filename = do_file_selector (wxT("Choose file to save session"), wxT("slsess"), wxT("*.slsess"), wxFD_SAVE|wxFD_CHANGE_DIR|wxFD_OVERWRITE_PROMPT); + + if ( !filename.empty() ) + { +Index: sooperlooper/src/gui/pix_button.cpp +=================================================================== +--- sooperlooper.orig/src/gui/pix_button.cpp ++++ sooperlooper/src/gui/pix_button.cpp +@@ -250,7 +250,7 @@ PixButton::OnMouseEvents (wxMouseEvent & + pt.x += bounds.x; + pt.y += bounds.y; + +- if (bounds.Inside(pt)) { ++ if (bounds.Contains(pt)) { + clicked (get_mouse_button(ev)); // emit + + if (ev.MiddleUp() && ev.ControlDown()) { +Index: sooperlooper/src/gui/looper_panel.cpp +=================================================================== +--- sooperlooper.orig/src/gui/looper_panel.cpp ++++ sooperlooper/src/gui/looper_panel.cpp +@@ -1428,7 +1428,7 @@ LooperPanel::clicked_events (int button, + if (cmd == wxT("save")) + { + wxString filename = _mainpanel->do_file_selector (wxT("Choose file to save loop"), +- wxT("wav"), wxT("WAVE files (*.wav)|*.wav;*.WAV;*.Wav"), wxSAVE|wxCHANGE_DIR|wxOVERWRITE_PROMPT); ++ wxT("wav"), wxT("WAVE files (*.wav)|*.wav;*.WAV;*.Wav"), wxFD_SAVE|wxFD_CHANGE_DIR|wxFD_OVERWRITE_PROMPT); + + if ( !filename.empty() ) + { +@@ -1442,7 +1442,7 @@ LooperPanel::clicked_events (int button, + } + else if (cmd == wxT("load")) + { +- wxString filename = _mainpanel->do_file_selector(wxT("Choose file to open"), wxT(""), wxT("Audio files (*.wav,*.aif)|*.wav;*.WAV;*.Wav;*.aif;*.aiff;*.AIF;*.AIFF|All files (*.*)|*.*"), wxOPEN|wxCHANGE_DIR); ++ wxString filename = _mainpanel->do_file_selector(wxT("Choose file to open"), wxT(""), wxT("Audio files (*.wav,*.aif)|*.wav;*.WAV;*.Wav;*.aif;*.aiff;*.AIF;*.AIFF|All files (*.*)|*.*"), wxFD_OPEN|wxFD_CHANGE_DIR); + + if ( !filename.empty() ) + { +Index: sooperlooper/src/gui/keyboard_target.cpp +=================================================================== +--- sooperlooper.orig/src/gui/keyboard_target.cpp ++++ sooperlooper/src/gui/keyboard_target.cpp +@@ -553,10 +553,10 @@ KeyboardTarget::keycode_from_name (const + keycode = WXK_RETURN; + } + else if ( keyname == wxT("PGUP") ) { +- keycode = WXK_PRIOR; ++ keycode = WXK_PAGEUP; + } + else if ( keyname == wxT("PGDN") ) { +- keycode = WXK_NEXT; ++ keycode = WXK_PAGEDOWN; + } + else if ( keyname == wxT("LEFT") ) { + keycode = WXK_LEFT; +@@ -630,10 +630,10 @@ wxString KeyboardTarget::name_from_keyco + case WXK_RETURN: + text += wxT("return"); + break; +- case WXK_PRIOR: ++ case WXK_PAGEUP: + text += wxT("pageup"); + break; +- case WXK_NEXT: ++ case WXK_PAGEDOWN: + text += wxT("pagedown"); + break; + case WXK_LEFT: +Index: sooperlooper/src/gui/check_box.cpp +=================================================================== +--- sooperlooper.orig/src/gui/check_box.cpp ++++ sooperlooper/src/gui/check_box.cpp +@@ -237,7 +237,7 @@ CheckBox::OnMouseEvents (wxMouseEvent &e + } + else if (ev.LeftUp()) + { +- if (bounds.Inside(ev.GetPosition())) { ++ if (bounds.Contains(ev.GetPosition())) { + // toggle value + _value = !_value; + +Index: sooperlooper/src/gui/midi_bind_panel.cpp +=================================================================== +--- sooperlooper.orig/src/gui/midi_bind_panel.cpp ++++ sooperlooper/src/gui/midi_bind_panel.cpp +@@ -880,7 +880,7 @@ void MidiBindPanel::on_button (wxCommand + } + else if (ev.GetId() == ID_LoadButton) + { +- wxString filename = _parent->do_file_selector(wxT("Choose midi binding file to open"), wxT(""), wxT("*.slb"), wxOPEN|wxCHANGE_DIR); ++ wxString filename = _parent->do_file_selector(wxT("Choose midi binding file to open"), wxT(""), wxT("*.slb"), wxFD_OPEN|wxFD_CHANGE_DIR); + if ( !filename.empty() ) + { + _parent->get_loop_control().load_midi_bindings(filename, _append_check->GetValue()); +@@ -888,7 +888,7 @@ void MidiBindPanel::on_button (wxCommand + } + else if (ev.GetId() == ID_SaveButton) + { +- wxString filename = _parent->do_file_selector(wxT("Choose midi binding file to save"), wxT(""), wxT("*.slb"), wxSAVE|wxCHANGE_DIR|wxOVERWRITE_PROMPT); ++ wxString filename = _parent->do_file_selector(wxT("Choose midi binding file to save"), wxT(""), wxT("*.slb"), wxFD_SAVE|wxFD_CHANGE_DIR|wxFD_OVERWRITE_PROMPT); + + if ( !filename.empty() ) + { +Index: sooperlooper/src/gui/config_panel.cpp +=================================================================== +--- sooperlooper.orig/src/gui/config_panel.cpp ++++ sooperlooper/src/gui/config_panel.cpp +@@ -378,7 +378,7 @@ void ConfigPanel::on_button (wxCommandEv + else if (ev.GetId() == ID_MidiBrowseButton) { + + _parent->get_keyboard().set_enabled(false); +- wxString filename = _parent->do_file_selector(wxT("Choose midi binding file to use"), wxT(""), wxT("*.slb"), wxOPEN|wxCHANGE_DIR); ++ wxString filename = _parent->do_file_selector(wxT("Choose midi binding file to use"), wxT(""), wxT("*.slb"), wxFD_OPEN|wxFD_CHANGE_DIR); + _parent->get_keyboard().set_enabled(true); + + if ( !filename.empty() ) +@@ -389,8 +389,8 @@ void ConfigPanel::on_button (wxCommandEv + else if (ev.GetId() == ID_SessionBrowseButton) { + + _parent->get_keyboard().set_enabled(false); +- wxString filename = _parent->do_file_selector(wxT("Choose session file to use"), wxT(""), wxT("*.slsess"), wxOPEN|wxCHANGE_DIR); +- //wxString filename = wxFileSelector(wxT("Choose session file to use"), wxT(""), wxT(""), wxT(""), wxT("*.slsess"), wxOPEN|wxCHANGE_DIR); ++ wxString filename = _parent->do_file_selector(wxT("Choose session file to use"), wxT(""), wxT("*.slsess"), wxFD_OPEN|wxFD_CHANGE_DIR); ++ //wxString filename = wxFileSelector(wxT("Choose session file to use"), wxT(""), wxT(""), wxT(""), wxT("*.slsess"), wxFD_OPEN|wxFD_CHANGE_DIR); + _parent->get_keyboard().set_enabled(true); + + if ( !filename.empty() ) diff --git a/gnu/packages/patches/spice-CVE-2017-7506.patch b/gnu/packages/patches/spice-CVE-2017-7506.patch new file mode 100644 index 0000000000..37d8f02831 --- /dev/null +++ b/gnu/packages/patches/spice-CVE-2017-7506.patch @@ -0,0 +1,158 @@ +Fix CVE-2017-7506: + +https://bugzilla.redhat.com/show_bug.cgi?id=1452606 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7506 + +Patches copied from Debian spice package version +'spice_0.12.8-2.1+deb9u1.debian.tar.xz': +http://security.debian.org/debian-security/pool/updates/main/s/spice/spice_0.12.8-2.1+deb9u1.debian.tar.xz + +The patches had to be adapted to apply to the latest spice tarball, and +are based on these upstream commits: + +https://cgit.freedesktop.org/spice/spice/commit/?id=111ab38611cef5012f1565a65fa2d8a8a05cce37 +https://cgit.freedesktop.org/spice/spice/commit/?id=571cec91e71c2aae0d5f439ea2d8439d0c3d75eb +https://cgit.freedesktop.org/spice/spice/commit/?id=fbbcdad773e2791cfb988f4748faa41943551ca6 + +From 257f69d619fed407493156c8a7b952abc8a51314 Mon Sep 17 00:00:00 2001 +Date: Mon, 15 May 2017 15:57:28 +0100 +Subject: [spice-server 1/3] reds: Disconnect when receiving overly big + ClientMonitorsConfig + +Total message size received from the client was unlimited. There is +a 2kiB size check on individual agent messages, but the MonitorsConfig +message can be split in multiple chunks, and the size of the +non-chunked MonitorsConfig message was never checked. This could easily +lead to memory exhaustion on the host. + +--- + server/reds.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +diff --git a/server/reds.c b/server/reds.c +index f439a3668..7be85fdfc 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -993,19 +993,34 @@ static void reds_client_monitors_config_cleanup(void) + static void reds_on_main_agent_monitors_config( + MainChannelClient *mcc, void *message, size_t size) + { ++ const unsigned int MAX_MONITORS = 256; ++ const unsigned int MAX_MONITOR_CONFIG_SIZE = ++ sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig); ++ + VDAgentMessage *msg_header; + VDAgentMonitorsConfig *monitors_config; + RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; + ++ // limit size of message sent by the client as this can cause a DoS through ++ // memory exhaustion, or potentially some integer overflows ++ if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) { ++ goto overflow; ++ } + cmc->buffer_size += size; + cmc->buffer = realloc(cmc->buffer, cmc->buffer_size); + spice_assert(cmc->buffer); + cmc->mcc = mcc; + memcpy(cmc->buffer + cmc->buffer_pos, message, size); + cmc->buffer_pos += size; ++ if (sizeof(VDAgentMessage) > cmc->buffer_size) { ++ spice_debug("not enough data yet. %d", cmc->buffer_size); ++ return; ++ } + msg_header = (VDAgentMessage *)cmc->buffer; +- if (sizeof(VDAgentMessage) > cmc->buffer_size || +- msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { ++ if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) { ++ goto overflow; ++ } ++ if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { + spice_debug("not enough data yet. %d", cmc->buffer_size); + return; + } +@@ -1013,6 +1028,12 @@ static void reds_on_main_agent_monitors_config( + spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); + red_dispatcher_client_monitors_config(monitors_config); + reds_client_monitors_config_cleanup(); ++ return; ++ ++overflow: ++ spice_warning("received invalid MonitorsConfig request from client, disconnecting"); ++ red_channel_client_disconnect(main_channel_client_get_base(mcc)); ++ reds_client_monitors_config_cleanup(); + } + + void reds_on_main_agent_data(MainChannelClient *mcc, void *message, size_t size) +-- +2.13.0 +From ff2b4ef70181087d5abd50bad76d026ec5088a93 Mon Sep 17 00:00:00 2001 +Date: Mon, 15 May 2017 15:57:28 +0100 +Subject: [spice-server 2/3] reds: Avoid integer overflows handling monitor + configuration + +Avoid VDAgentMessage::size integer overflows. + +--- + server/reds.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/server/reds.c b/server/reds.c +index 7be85fdfc..e1c8c1086 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -1024,6 +1024,9 @@ static void reds_on_main_agent_monitors_config( + spice_debug("not enough data yet. %d", cmc->buffer_size); + return; + } ++ if (msg_header->size < sizeof(VDAgentMonitorsConfig)) { ++ goto overflow; ++ } + monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); + spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); + red_dispatcher_client_monitors_config(monitors_config); +-- +2.13.0 +From 8cc3d7df2792751939cc832f4110c57e2addfca5 Mon Sep 17 00:00:00 2001 +Date: Mon, 15 May 2017 15:57:28 +0100 +Subject: [spice-server 3/3] reds: Avoid buffer overflows handling monitor + configuration + +It was also possible for a malicious client to set +VDAgentMonitorsConfig::num_of_monitors to a number larger +than the actual size of VDAgentMOnitorsConfig::monitors. +This would lead to buffer overflows, which could allow the guest to +read part of the host memory. This might cause write overflows in the +host as well, but controlling the content of such buffers seems +complicated. + +--- + server/reds.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/server/reds.c b/server/reds.c +index e1c8c1086..3a42c3755 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -1000,6 +1000,7 @@ static void reds_on_main_agent_monitors_config( + VDAgentMessage *msg_header; + VDAgentMonitorsConfig *monitors_config; + RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; ++ uint32_t max_monitors; + + // limit size of message sent by the client as this can cause a DoS through + // memory exhaustion, or potentially some integer overflows +@@ -1028,6 +1029,12 @@ static void reds_on_main_agent_monitors_config( + goto overflow; + } + monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); ++ // limit the monitor number to avoid buffer overflows ++ max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) / ++ sizeof(VDAgentMonConfig); ++ if (monitors_config->num_of_monitors > max_monitors) { ++ goto overflow; ++ } + spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); + red_dispatcher_client_monitors_config(monitors_config); + reds_client_monitors_config_cleanup(); +-- +2.13.0 diff --git a/gnu/packages/patches/supertuxkart-angelscript-ftbfs.patch b/gnu/packages/patches/supertuxkart-angelscript-ftbfs.patch new file mode 100644 index 0000000000..db3c56861b --- /dev/null +++ b/gnu/packages/patches/supertuxkart-angelscript-ftbfs.patch @@ -0,0 +1,42 @@ +https://github.com/supertuxkart/stk-code/commit/5e05f1178ce6bc5f3a653b55ab3dc6d016196341.patch + +From 5e05f1178ce6bc5f3a653b55ab3dc6d016196341 Mon Sep 17 00:00:00 2001 +From: Deve <deveee@gmail.com> +Date: Mon, 3 Oct 2016 23:26:09 +0200 +Subject: [PATCH] Fixed compiler error on Linux with non-x86 64bit platforms, + e.g. arm64, mips, and s390x architectures + +This modification is already applied in upstream angelscript repository: +https://sourceforge.net/p/angelscript/code/2353/ + +Thanks to Adrian Bunk and Andreas Jonsson +--- + lib/angelscript/projects/cmake/CMakeLists.txt | 1 + + lib/angelscript/source/as_config.h | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/angelscript/projects/cmake/CMakeLists.txt b/lib/angelscript/projects/cmake/CMakeLists.txt +index e93971315e..755d8378c3 100644 +--- a/lib/angelscript/projects/cmake/CMakeLists.txt ++++ b/lib/angelscript/projects/cmake/CMakeLists.txt +@@ -67,6 +67,7 @@ set(ANGELSCRIPT_SOURCE + ../../source/as_builder.cpp + ../../source/as_bytecode.cpp + ../../source/as_callfunc.cpp ++ ../../source/as_callfunc_mips.cpp + ../../source/as_callfunc_x86.cpp + ../../source/as_callfunc_x64_gcc.cpp + ../../source/as_callfunc_x64_msvc.cpp +diff --git a/lib/angelscript/source/as_config.h b/lib/angelscript/source/as_config.h +index cb05bffbd5..5bb5b8e800 100644 +--- a/lib/angelscript/source/as_config.h ++++ b/lib/angelscript/source/as_config.h +@@ -844,7 +844,7 @@ + #define THISCALL_PASS_OBJECT_POINTER_ON_THE_STACK + #define AS_X86 + #undef AS_NO_THISCALL_FUNCTOR_METHOD +- #elif defined(__LP64__) && !defined(__arm64__) ++ #elif defined(__x86_64__) + #define AS_X64_GCC + #undef AS_NO_THISCALL_FUNCTOR_METHOD + #define HAS_128_BIT_PRIMITIVES |