diff options
24 files changed, 371 insertions, 90 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 7dcac4f2bc..9a70d73759 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -660,6 +660,7 @@ dist_patch_DATA = \ %D%/packages/patches/4store-unset-preprocessor-directive.patch \ %D%/packages/patches/a2ps-CVE-2001-1593.patch \ %D%/packages/patches/a2ps-CVE-2014-0466.patch \ + %D%/packages/patches/a2ps-CVE-2015-8107.patch \ %D%/packages/patches/abiword-explictly-cast-bools.patch \ %D%/packages/patches/abiword-black-drawing-with-gtk322.patch \ %D%/packages/patches/acl-fix-perl-regex.patch \ @@ -746,7 +747,7 @@ dist_patch_DATA = \ %D%/packages/patches/clucene-contribs-lib.patch \ %D%/packages/patches/cube-nocheck.patch \ %D%/packages/patches/cursynth-wave-rand.patch \ - %D%/packages/patches/cvs-2017-12836.patch \ + %D%/packages/patches/cvs-CVE-2017-12836.patch \ %D%/packages/patches/dbus-helper-search-path.patch \ %D%/packages/patches/dbus-CVE-2019-12749.patch \ %D%/packages/patches/dealii-mpi-deprecations.patch \ @@ -1005,6 +1006,7 @@ dist_patch_DATA = \ %D%/packages/patches/libdrm-symbol-check.patch \ %D%/packages/patches/libexif-CVE-2016-6328.patch \ %D%/packages/patches/libexif-CVE-2017-7544.patch \ + %D%/packages/patches/libexif-CVE-2018-20030.patch \ %D%/packages/patches/libgcrypt-make-yat2m-reproducible.patch \ %D%/packages/patches/libgit2-avoid-python.patch \ %D%/packages/patches/libgit2-mtime-0.patch \ @@ -1182,6 +1184,8 @@ dist_patch_DATA = \ %D%/packages/patches/pixman-CVE-2016-5296.patch \ %D%/packages/patches/plink-1.07-unclobber-i.patch \ %D%/packages/patches/plink-endian-detection.patch \ + %D%/packages/patches/plib-CVE-2011-4620.patch \ + %D%/packages/patches/plib-CVE-2012-4552.patch \ %D%/packages/patches/plotutils-libpng-jmpbuf.patch \ %D%/packages/patches/podofo-cmake-3.12.patch \ %D%/packages/patches/portaudio-audacity-compat.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index 411be40f5b..0914f13f7a 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -1422,7 +1422,7 @@ module slots, and the list of I/O ports (e.g. serial, parallel, USB).") (define-public acpica (package (name "acpica") - (version "20190509") + (version "20190703") (source (origin (method url-fetch) (uri (string-append @@ -1430,7 +1430,7 @@ module slots, and the list of I/O ports (e.g. serial, parallel, USB).") version ".tar.gz")) (sha256 (base32 - "17cf5jhcy9wqla5c9s08khqg0pxhar2nmwdcja2jf2srl2a5y2w6")))) + "0kp3ian3lffx9709ajrr3bp6b9cb6c6v1crjziyr8j8pp639jlwz")))) (build-system gnu-build-system) (native-inputs `(("flex" ,flex) ("bison" ,bison))) @@ -1517,20 +1517,20 @@ characters can be replaced as well, as can UTF-8 characters.") (define-public testdisk (package (name "testdisk") - (version "7.0") + (version "7.1") (source (origin (method url-fetch) - (uri (string-append "http://www.cgsecurity.org/testdisk-" + (uri (string-append "https://www.cgsecurity.org/testdisk-" version ".tar.bz2")) (sha256 (base32 - "0ba4wfz2qrf60vwvb1qsq9l6j0pgg81qgf7fh22siaz649mkpfq0")))) + "1zlh44w67py416hkvw6nrfmjickc2d43v51vcli5p374d5sw84ql")))) (build-system gnu-build-system) (inputs `(("ntfs-3g" ,ntfs-3g) ("util-linux" ,util-linux) ("openssl" ,openssl) - ;; FIXME: add reiserfs + ;; FIXME: add reiserfs. ("zlib" ,zlib) ("e2fsprogs" ,e2fsprogs) ("libjpeg" ,libjpeg) @@ -2462,7 +2462,7 @@ in order to be able to find it. (define-public sedsed (package (name "sedsed") - (version "1.0") + (version "1.1") (source (origin (method git-fetch) @@ -2471,11 +2471,10 @@ in order to be able to find it. (commit (string-append "v" version)))) (file-name (git-file-name name version)) (sha256 - (base32 "0009lsjsxhqmgaklpwq15hhd94hpiy7r4va69yy0ig3mxi6zbg2z")))) + (base32 "05cl35mwljdb9ynbbsfa8zx6ig8r0xncbg2cir9vwn5manndjj18")))) (build-system python-build-system) (arguments `(#:tests? #f ; no tests - #:python ,python-2 #:phases (modify-phases %standard-phases (add-after 'unpack 'patch-sed-in @@ -2492,29 +2491,30 @@ in order to be able to find it. ;; Just one file to copy around (install-file "sedsed.py" bin) #t))) - (add-after 'install 'symlink + (add-after 'wrap 'symlink ;; Create 'sedsed' symlink to "sedsed.py". (lambda* (#:key outputs #:allow-other-keys) (let* ((out (assoc-ref outputs "out")) (bin (string-append out "/bin")) (sed (string-append bin "/sedsed")) (sedpy (string-append bin "/sedsed.py"))) - (symlink sedpy sed) + (symlink sedpy sed) #t)))))) - (home-page "http://aurelio.net/projects/sedsed") + (home-page "https://aurelio.net/projects/sedsed") (synopsis "Sed sed scripts") (description - "@code{sedsed} can debug, indent, tokenize and HTMLize your sed(1) script. + "@code{sedsed} can debug, indent, tokenize and HTMLize your @command{sed} +script. -In debug mode it reads your script and add extra commands to it. When +In debug mode, it reads your script and adds extra commands to it. When executed you can see the data flow between the commands, revealing all the -magic sed does on its internal buffers. +magic sed performs on its internal buffers. -In indent mode your script is reformatted with standard spacing. +In indent mode, your script is reformatted with standard spacing. -In tokenize mode you can see the elements of every command you use. +In tokenize mode, you can see the elements of every command you use. -In HTMLize mode your script is converted to a beautiful colored HTML file, +In HTMLize mode, your script is converted to a beautiful colored HTML file, with all the commands and parameters identified for your viewing pleasure. With sedsed you can master any sed script. No more secrets, no more hidden diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm index b5eb1845a5..4e2db8ed44 100644 --- a/gnu/packages/databases.scm +++ b/gnu/packages/databases.scm @@ -866,14 +866,14 @@ pictures, sounds, or video.") (package (inherit postgresql) (name "postgresql") - (version "9.6.13") + (version "9.6.14") (source (origin (method url-fetch) (uri (string-append "https://ftp.postgresql.org/pub/source/v" version "/postgresql-" version ".tar.bz2")) (sha256 (base32 - "197964wb5pc5fx81a6mh9hlcrr9sgr3nqlpmljv6asi9aq0d5gpc")))))) + "08hsqczy1ixkjyf2vr3s9x69agfz9yr8lh31fir4z0dfr5jw421z")))))) (define-public python-pymysql (package diff --git a/gnu/packages/game-development.scm b/gnu/packages/game-development.scm index 05a68b717a..7eac935a69 100644 --- a/gnu/packages/game-development.scm +++ b/gnu/packages/game-development.scm @@ -1434,7 +1434,9 @@ joystick support."))) "plib-" version ".tar.gz")) (sha256 (base32 - "0cha71mflpa10vh2l7ipyqk67dq2y0k5xbafwdks03fwdyzj4ns8")))) + "0cha71mflpa10vh2l7ipyqk67dq2y0k5xbafwdks03fwdyzj4ns8")) + (patches (search-patches "plib-CVE-2011-4620.patch" + "plib-CVE-2012-4552.patch")))) (build-system gnu-build-system) (inputs `(("mesa" ,mesa) diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 4b1dbbdb49..1179e09901 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -5025,7 +5025,6 @@ to display dialog boxes from the commandline and shell scripts.") ("cairo" ,cairo) ("gdk-pixbuf" ,gdk-pixbuf) ("glib" ,glib) - ("gtk+" ,gtk+) ("json-glib" ,json-glib) ("libinput" ,libinput) ("libx11" ,libx11) diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm index f84f8d73a0..2b2b64d9b0 100644 --- a/gnu/packages/gnupg.scm +++ b/gnu/packages/gnupg.scm @@ -219,19 +219,21 @@ threads implementation. In contrast to GNU Pth is is based on the system's standard threads implementation. This allows the use of libraries which are not compatible to GNU Pth.") - (license (list license:lgpl3+ license:gpl2+)))) ; dual license + (license (list license:lgpl3+ license:gpl2+)) ; dual license + (properties '((ftp-server . "ftp.gnupg.org") + (ftp-directory . "/gcrypt/npth"))))) (define-public gnupg (package (name "gnupg") - (version "2.2.16") + (version "2.2.17") (source (origin (method url-fetch) (uri (string-append "mirror://gnupg/gnupg/gnupg-" version ".tar.bz2")) (sha256 (base32 - "1jqlzp9b3kpfp1dkjqskm67jjrhvf9nh3lzf45321p7m9d2qvgkc")))) + "056mgy09lvsi03531a437qj58la1j2x1y1scvfi53diris3658mg")))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config))) @@ -396,7 +398,9 @@ Because the direct use of GnuPG from an application can be a complicated programming task, it is suggested that all software should try to use GPGME instead. This way bug fixes or improvements can be done at a central place and every application benefits from this.") - (license license:lgpl2.1+))) + (license license:lgpl2.1+) + (properties '((ftp-server . "ftp.gnupg.org") + (ftp-directory . "/gcrypt/gpgme"))))) (define-public qgpgme (package @@ -542,14 +546,14 @@ decrypt messages using the OpenPGP format by making use of GPGME.") (define-public python-gnupg (package (name "python-gnupg") - (version "0.4.3") + (version "0.4.4") (source (origin (method url-fetch) (uri (pypi-uri "python-gnupg" version)) (sha256 (base32 - "03dc8whhvk7ccspbk8vzfhkxli8cd9zfbss5p597g4jldgy8s59d")))) + "03pvjyp6q9pr8qa22i38az06ddzhvzy5kj192hxa3gbhnchg1nj5")))) (build-system python-build-system) (arguments `(#:phases @@ -907,14 +911,14 @@ them to transform your existing public key into a secret key.") (define-public gpa (package (name "gpa") - (version "0.9.10") + (version "0.10.0") (source (origin (method url-fetch) (uri (string-append "mirror://gnupg/gpa/" name "-" version ".tar.bz2")) (sha256 (base32 - "09xphbi2456qynwqq5n0yh0zdmdi2ggrj3wk4hsyh5lrzlvcrff3")))) + "1cbpc45f8qbdkd62p12s3q2rdq6fa5xdzwmcwd3xrj55bzkspnwm")))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config))) @@ -930,7 +934,9 @@ them to transform your existing public key into a secret key.") "GPA, the GNU Privacy Assistant, is a graphical user interface for @uref{https://gnupg.org, GnuPG}. It can be used to encrypt, decrypt, and sign files, to verify signatures, and to manage the private and public keys.") - (license license:gpl3+))) + (license license:gpl3+) + (properties '((ftp-server . "ftp.gnupg.org") + (ftp-directory . "/gcrypt/gpa"))))) (define-public parcimonie (package diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index a874878fea..ff382b2388 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -426,7 +426,7 @@ from forcing GEXP-PROMISE." #:system system #:guile-for-build guile))) -(define %icecat-version "60.7.2-guix1") +(define %icecat-version "60.8.0-guix1") ;; 'icecat-source' is a "computed" origin that generates an IceCat tarball ;; from the corresponding upstream Firefox ESR tarball, using the 'makeicecat' @@ -448,7 +448,7 @@ from forcing GEXP-PROMISE." "firefox-" upstream-firefox-version ".source.tar.xz")) (sha256 (base32 - "1hkaq8mavmn2wphfbrlq3v56jvmvfi2nyvrkjgr28rc01jkqx4ca")))) + "1gkz90clarbhgfxhq91s0is6lw6bfymyjb0xbyyswdg68kcqfcy1")))) (upstream-icecat-base-version "60.7.0") ; maybe older than base-version (upstream-icecat-gnu-version "1") @@ -627,7 +627,7 @@ from forcing GEXP-PROMISE." ("mesa" ,mesa) ("mit-krb5" ,mit-krb5) ;; See <https://bugs.gnu.org/32833> - ;; and related comments in the 'snippet' above. + ;; and related comments in the 'remove-bundled-libraries' phase. ;; UNBUNDLE-ME! ("nspr" ,nspr) ;; UNBUNDLE-ME! ("nss" ,nss) ("sqlite" ,sqlite) @@ -720,7 +720,8 @@ from forcing GEXP-PROMISE." "--with-system-icu" ;; See <https://bugs.gnu.org/32833> - ;; and related comments in the 'snippet' above. + ;; and related comments in the + ;; 'remove-bundled-libraries' phase below. ;; UNBUNDLE-ME! "--with-system-nspr" ;; UNBUNDLE-ME! "--with-system-nss" diff --git a/gnu/packages/javascript.scm b/gnu/packages/javascript.scm index e7dcd7962d..9e1818dfaf 100644 --- a/gnu/packages/javascript.scm +++ b/gnu/packages/javascript.scm @@ -2,7 +2,7 @@ ;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net> ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr> -;;; Copyright © 2017, 2018 Efraim Flashner <efraim@flashner.co.il> +;;; Copyright © 2017, 2018, 2019 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2018 Nicolas Goaziou <mail@nicolasgoaziou.fr> ;;; ;;; This file is part of GNU Guix. @@ -417,32 +417,28 @@ external server.") (define-public mujs (package (name "mujs") - (version "1.0.5") + (version "1.0.6") (source (origin - (method git-fetch) - (uri (git-reference - (url "https://git.ghostscript.com/mujs.git") - (commit version))) - (file-name (string-append name "-" version "-checkout")) + (method url-fetch) + (uri (string-append "https://mujs.com/downloads/mujs-" + version ".tar.xz")) (sha256 (base32 - "0pkv26jxwgv5ax0ylfmi4h96h79hj4gvr95218ns8wngnmgr1ny6")))) + "1q9w2dcspfp580pzx7sw7x9gbn8j0ak6dvj75wd1ml3f3q3i43df")))) (build-system gnu-build-system) (arguments '(#:phases (modify-phases %standard-phases (delete 'configure) ; no configure (add-after 'install 'install-shared-library - (lambda* (#:key outputs #:allow-other-keys) - (let ((out (assoc-ref outputs "out"))) - (install-file "build/release/libmujs.so" - (string-append out "/lib")))))) + (lambda* (#:key (make-flags '()) #:allow-other-keys) + (apply invoke "make" "install-shared" make-flags)))) #:make-flags (list (string-append "prefix=" (assoc-ref %outputs "out")) (string-append "CC=gcc")) #:tests? #f)) ; no tests (inputs `(("readline" ,readline))) - (home-page "https://artifex.com/mujs/") + (home-page "https://mujs.com/") (synopsis "JavaScript interpreter written in C") (description "MuJS is a lightweight Javascript interpreter designed for embedding in other software to extend them with scripting capabilities. MuJS diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 653f844b48..e7c97c0243 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -430,8 +430,8 @@ for ARCH and optionally VARIANT, or #f if there is no such configuration." It has been modified to remove all non-free binary blobs.") (license license:gpl2))) -(define %linux-libre-version "5.1.16") -(define %linux-libre-hash "055vs2g6z6wx34qvi0aw952x9q3drbj7z27s7g7pks6w730xkga8") +(define %linux-libre-version "5.1.17") +(define %linux-libre-hash "049mij4z1iilrggw6plfdpcj1lnc1vqz5z445ix9677cq1fmiwlh") (define %linux-libre-5.1-patches (list %boot-logo-patch @@ -448,8 +448,8 @@ It has been modified to remove all non-free binary blobs.") (make-linux-libre-headers %linux-libre-version %linux-libre-hash)) -(define %linux-libre-4.19-version "4.19.57") -(define %linux-libre-4.19-hash "0p9b27hfbzppxgad9q2g7nvfzv0phzdsk16sqy87q3dglc8wqrqq") +(define %linux-libre-4.19-version "4.19.58") +(define %linux-libre-4.19-hash "0i2mh0zk1h1niba1bpd49bn938sdn3qrwzkqpqzimxnj31xcjhyz") (define %linux-libre-4.19-patches (list %boot-logo-patch @@ -466,8 +466,8 @@ It has been modified to remove all non-free binary blobs.") (make-linux-libre-headers %linux-libre-4.19-version %linux-libre-4.19-hash)) -(define %linux-libre-4.14-version "4.14.132") -(define %linux-libre-4.14-hash "0mvp4izw21f8w5kkk8qm8m8b7qjxbp8hshgffdlh1aik41zvcnyq") +(define %linux-libre-4.14-version "4.14.133") +(define %linux-libre-4.14-hash "16ay2x0r5i96lg4rgcg151352igvwxa7wh98kwdsjbckiw7fhn08") (define-public linux-libre-4.14 (make-linux-libre %linux-libre-4.14-version @@ -480,14 +480,14 @@ It has been modified to remove all non-free binary blobs.") %linux-libre-4.14-hash)) (define-public linux-libre-4.9 - (make-linux-libre "4.9.184" - "0q3ggndwf0rwsb3xv33zl9awkd1803h2l9b4g6d6ps3f2sjxwxwa" + (make-linux-libre "4.9.185" + "1byz9cxvslm45nv01abhzvrm2isdskx5k11gi5rpa39r7lx6bmjp" '("x86_64-linux" "i686-linux") #:configuration-file kernel-config)) (define-public linux-libre-4.4 - (make-linux-libre "4.4.184" - "05v295wk9fid17n5plkx6p9nwz6dvpcn2r7khwsq30sy3pg0vxv5" + (make-linux-libre "4.4.185" + "0df22wqj1nwqp60v8341qcmjhwmdr0hgfraishpc7hic8aqdr4p7" '("x86_64-linux" "i686-linux") #:configuration-file kernel-config #:extra-options diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm index 6ab0f9358e..51f881f8eb 100644 --- a/gnu/packages/mail.scm +++ b/gnu/packages/mail.scm @@ -1173,15 +1173,17 @@ which can add many functionalities to the base client.") "--with-tls=gnutls") #:phases (modify-phases %standard-phases - (add-after 'install 'install-msmtpq + (add-after 'install 'install-additional-files (lambda* (#:key outputs #:allow-other-keys) (let* ((out (assoc-ref outputs "out")) (bin (string-append out "/bin")) (doc (string-append out "/share/doc/msmtp")) - (msmtpq (string-append "scripts/msmtpq"))) + (msmtpq "scripts/msmtpq") + (vimfiles (string-append out "/share/vim/vimfiles/plugin"))) (install-file (string-append msmtpq "/msmtpq") bin) (install-file (string-append msmtpq "/msmtp-queue") bin) (install-file (string-append msmtpq "/README.msmtpq") doc) + (install-file "scripts/vim/msmtp.vim" vimfiles) #t)))))) (synopsis "Simple and easy to use SMTP client with decent sendmail compatibility") diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm index 3281387253..53c11f6d95 100644 --- a/gnu/packages/networking.scm +++ b/gnu/packages/networking.scm @@ -1870,14 +1870,14 @@ displays the results in real time.") (define-public strongswan (package (name "strongswan") - (version "5.6.3") + (version "5.8.0") (source (origin (method url-fetch) (uri (string-append "https://download.strongswan.org/strongswan-" version ".tar.bz2")) (sha256 - (base32 "095zg7h7qwsc456sqgwb1lhhk29ac3mk5z9gm6xja1pl061driy3")))) + (base32 "0cq9m86ydd2i0awxkv4a256f4926p2f9pzlisyskl9fngl6f3c8m")))) (build-system gnu-build-system) (arguments `(#:phases @@ -2210,6 +2210,9 @@ widely used protocol for monitoring the health and welfare of network equipment (e.g. routers), computer equipment and even devices like UPSs. Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and SNMP v3 using both IPv4 and IPv6.") + ;; This only affects OpenBSD + ;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8100 + (properties `((lint-hidden-cve . ("CVE-2015-8100")))) (license (list license:bsd-3 (license:non-copyleft "http://www.net-snmp.org/about/license.html" diff --git a/gnu/packages/patches/a2ps-CVE-2015-8107.patch b/gnu/packages/patches/a2ps-CVE-2015-8107.patch new file mode 100644 index 0000000000..5ea35d45da --- /dev/null +++ b/gnu/packages/patches/a2ps-CVE-2015-8107.patch @@ -0,0 +1,80 @@ +https://sources.debian.org/data/main/a/a2ps/1:4.14-2/debian/patches/fix-format-security.diff + +Index: b/lib/psgen.c +=================================================================== +--- a/lib/psgen.c ++++ b/lib/psgen.c +@@ -232,7 +232,7 @@ + default: + *buf = '\0'; + ps_escape_char (job, cp[i], buf); +- output (jdiv, (char *) buf); ++ output (jdiv, "%s", (char *) buf); + break; + } + } +Index: b/lib/output.c +=================================================================== +--- a/lib/output.c ++++ b/lib/output.c +@@ -525,7 +525,7 @@ + expand_user_string (job, FIRST_FILE (job), + (const uchar *) "Expand: requirement", + (const uchar *) token)); +- output (dest, expansion); ++ output (dest, "%s", expansion); + continue; + } + +Index: b/lib/parseppd.y +=================================================================== +--- a/lib/parseppd.y ++++ b/lib/parseppd.y +@@ -154,7 +154,7 @@ + void + yyerror (const char *msg) + { +- error_at_line (1, 0, ppdfilename, ppdlineno, msg); ++ error_at_line (1, 0, ppdfilename, ppdlineno, "%s", msg); + } + + /* +Index: b/src/parsessh.y +=================================================================== +--- a/src/parsessh.y ++++ b/src/parsessh.y +@@ -740,7 +740,7 @@ + void + yyerror (const char *msg) + { +- error_at_line (1, 0, sshfilename, sshlineno, msg); ++ error_at_line (1, 0, sshfilename, sshlineno, "%s", msg); + } + + /* +Index: b/lib/parseppd.c +=================================================================== +--- a/lib/parseppd.c ++++ b/lib/parseppd.c +@@ -1707,7 +1707,7 @@ + void + yyerror (const char *msg) + { +- error_at_line (1, 0, ppdfilename, ppdlineno, msg); ++ error_at_line (1, 0, ppdfilename, ppdlineno, "%s", msg); + } + + /* +Index: b/src/parsessh.c +=================================================================== +--- a/src/parsessh.c ++++ b/src/parsessh.c +@@ -2639,7 +2639,7 @@ + void + yyerror (const char *msg) + { +- error_at_line (1, 0, sshfilename, sshlineno, msg); ++ error_at_line (1, 0, sshfilename, sshlineno, "%s", msg); + } + + /* diff --git a/gnu/packages/patches/cvs-2017-12836.patch b/gnu/packages/patches/cvs-CVE-2017-12836.patch index 507ab0f7d0..507ab0f7d0 100644 --- a/gnu/packages/patches/cvs-2017-12836.patch +++ b/gnu/packages/patches/cvs-CVE-2017-12836.patch diff --git a/gnu/packages/patches/libexif-CVE-2018-20030.patch b/gnu/packages/patches/libexif-CVE-2018-20030.patch new file mode 100644 index 0000000000..57e4746b58 --- /dev/null +++ b/gnu/packages/patches/libexif-CVE-2018-20030.patch @@ -0,0 +1,120 @@ +https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89.patch + +NEWS section was removed +'12' -> '30' on line 79 + +From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001 +From: Dan Fandrich <dan@coneharvesters.com> +Date: Fri, 12 Oct 2018 16:01:45 +0200 +Subject: [PATCH] Improve deep recursion detection in + exif_data_load_data_content. + +The existing detection was still vulnerable to pathological cases +causing DoS by wasting CPU. The new algorithm takes the number of tags +into account to make it harder to abuse by cases using shallow recursion +but with a very large number of tags. This improves on commit 5d28011c +which wasn't sufficient to counter this kind of case. + +The limitation in the previous fix was discovered by Laurent Delosieres, +Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned +the identifier CVE-2018-20030. +--- + NEWS | 1 + + libexif/exif-data.c | 45 +++++++++++++++++++++++++++++++++++++-------- + 2 files changed, 38 insertions(+), 8 deletions(-) + +diff --git a/libexif/exif-data.c b/libexif/exif-data.c +index e35403d..a6f9c94 100644 +--- a/libexif/exif-data.c ++++ b/libexif/exif-data.c +@@ -35,6 +35,7 @@ + #include <libexif/olympus/exif-mnote-data-olympus.h> + #include <libexif/pentax/exif-mnote-data-pentax.h> + ++#include <math.h> + #include <stdlib.h> + #include <stdio.h> + #include <string.h> +@@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) { \ + break; \ + } + ++/*! Calculate the recursion cost added by one level of IFD loading. ++ * ++ * The work performed is related to the cost in the exponential relation ++ * work=1.1**cost ++ */ ++static unsigned int ++level_cost(unsigned int n) ++{ ++ static const double log_1_1 = 0.09531017980432493; ++ ++ /* Adding 0.1 protects against the case where n==1 */ ++ return ceil(log(n + 0.1)/log_1_1); ++} ++ + /*! Load data for an IFD. + * + * \param[in,out] data #ExifData +@@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) { \ + * \param[in] d pointer to buffer containing raw IFD data + * \param[in] ds size of raw data in buffer at \c d + * \param[in] offset offset into buffer at \c d at which IFD starts +- * \param[in] recursion_depth number of times this function has been +- * recursively called without returning ++ * \param[in] recursion_cost factor indicating how expensive this recursive ++ * call could be + */ + static void + exif_data_load_data_content (ExifData *data, ExifIfd ifd, + const unsigned char *d, +- unsigned int ds, unsigned int offset, unsigned int recursion_depth) ++ unsigned int ds, unsigned int offset, unsigned int recursion_cost) + { + ExifLong o, thumbnail_offset = 0, thumbnail_length = 0; + ExifShort n; +@@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, + if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT)) + return; + +- if (recursion_depth > 30) { ++ if (recursion_cost > 170) { ++ /* ++ * recursion_cost is a logarithmic-scale indicator of how expensive this ++ * recursive call might end up being. It is an indicator of the depth of ++ * recursion as well as the potential for worst-case future recursive ++ * calls. Since it's difficult to tell ahead of time how often recursion ++ * will occur, this assumes the worst by assuming every tag could end up ++ * causing recursion. ++ * The value of 170 was chosen to limit typical EXIF structures to a ++ * recursive depth of about 6, but pathological ones (those with very ++ * many tags) to only 2. ++ */ + exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", +- "Deep recursion detected!"); ++ "Deep/expensive recursion detected!"); + return; + } + +@@ -422,15 +448,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, + switch (tag) { + case EXIF_TAG_EXIF_IFD_POINTER: + CHECK_REC (EXIF_IFD_EXIF); +- exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_GPS_INFO_IFD_POINTER: + CHECK_REC (EXIF_IFD_GPS); +- exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_INTEROPERABILITY_IFD_POINTER: + CHECK_REC (EXIF_IFD_INTEROPERABILITY); +- exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1); ++ exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, ++ recursion_cost + level_cost(n)); + break; + case EXIF_TAG_JPEG_INTERCHANGE_FORMAT: + thumbnail_offset = o; diff --git a/gnu/packages/patches/plib-CVE-2011-4620.patch b/gnu/packages/patches/plib-CVE-2011-4620.patch new file mode 100644 index 0000000000..c5a03bd0ca --- /dev/null +++ b/gnu/packages/patches/plib-CVE-2011-4620.patch @@ -0,0 +1,13 @@ +https://sources.debian.org/data/main/p/plib/1.8.5-8/debian/patches/04_CVE-2011-4620.diff + +--- a/src/util/ulError.cxx ++++ b/src/util/ulError.cxx +@@ -39,7 +39,7 @@ + { + va_list argp; + va_start ( argp, fmt ) ; +- vsprintf ( _ulErrorBuffer, fmt, argp ) ; ++ vsnprintf ( _ulErrorBuffer, sizeof(_ulErrorBuffer), fmt, argp ) ; + va_end ( argp ) ; + + if ( _ulErrorCB ) diff --git a/gnu/packages/patches/plib-CVE-2012-4552.patch b/gnu/packages/patches/plib-CVE-2012-4552.patch new file mode 100644 index 0000000000..7b697855d6 --- /dev/null +++ b/gnu/packages/patches/plib-CVE-2012-4552.patch @@ -0,0 +1,57 @@ +https://sources.debian.org/data/main/p/plib/1.8.5-8/debian/patches/05_CVE-2012-4552.diff + +diff -up plib-1.8.5/src/ssg/ssgParser.cxx~ plib-1.8.5/src/ssg/ssgParser.cxx +--- plib-1.8.5/src/ssg/ssgParser.cxx~ 2008-03-11 03:06:23.000000000 +0100 ++++ plib-1.8.5/src/ssg/ssgParser.cxx 2012-11-01 15:33:12.424483374 +0100 +@@ -57,18 +57,16 @@ void _ssgParser::error( const char *form + char msgbuff[ 255 ]; + va_list argp; + +- char* msgptr = msgbuff; +- if (linenum) +- { +- msgptr += sprintf ( msgptr,"%s, line %d: ", +- path, linenum ); +- } +- + va_start( argp, format ); +- vsprintf( msgptr, format, argp ); ++ vsnprintf( msgbuff, sizeof(msgbuff), format, argp ); + va_end( argp ); + +- ulSetError ( UL_WARNING, "%s", msgbuff ) ; ++ if (linenum) ++ { ++ ulSetError ( UL_WARNING, "%s, line %d: %s", path, linenum, msgbuff ) ; ++ } else { ++ ulSetError ( UL_WARNING, "%s", msgbuff ) ; ++ } + } + + +@@ -78,18 +76,16 @@ void _ssgParser::message( const char *fo + char msgbuff[ 255 ]; + va_list argp; + +- char* msgptr = msgbuff; +- if (linenum) +- { +- msgptr += sprintf ( msgptr,"%s, line %d: ", +- path, linenum ); +- } +- + va_start( argp, format ); +- vsprintf( msgptr, format, argp ); ++ vsnprintf( msgbuff, sizeof(msgbuff), format, argp ); + va_end( argp ); + +- ulSetError ( UL_DEBUG, "%s", msgbuff ) ; ++ if (linenum) ++ { ++ ulSetError ( UL_DEBUG, "%s, line %d: %s", path, linenum, msgbuff ) ; ++ } else { ++ ulSetError ( UL_DEBUG, "%s", msgbuff ) ; ++ } + } + + // Opens the file and does a few internal calculations based on the spec. diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index a9e345da53..de447b9486 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -5,7 +5,7 @@ ;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org> ;;; Copyright © 2016 Roel Janssen <roel@gnu.org> ;;; Copyright © 2016 ng0 <ng0@n0.is> -;;; Copyright © 2016, 2017, 2018 Efraim Flashner <efraim@flashner.co.il> +;;; Copyright © 2016, 2017, 2018, 2019 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2016, 2017 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2016, 2017 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2016 Julien Lepiller <julien@lepiller.eu> @@ -604,7 +604,7 @@ extracting content or merging files.") (define-public mupdf (package (name "mupdf") - (version "1.14.0") + (version "1.15.0") (source (origin (method url-fetch) @@ -612,7 +612,7 @@ extracting content or merging files.") name "-" version "-source.tar.xz")) (sha256 (base32 - "1psnz02w5p7wc1s1ma7vvjmkjfy641xvsh9ykaqzkk84dflnjgk0")) + "0kmcz3ivxmqmks8vg50ri1zar18q5svk829z0g1kj08lgz7kcl2n")) (modules '((guix build utils))) (snippet ;; We keep lcms2 since it is different than our lcms. @@ -620,7 +620,7 @@ extracting content or merging files.") (for-each (lambda (dir) (delete-file-recursively (string-append "thirdparty/" dir))) - '("curl" "freeglut" "freetype" "harfbuzz" "jbig2dec" + '("freeglut" "freetype" "harfbuzz" "jbig2dec" "libjpeg" "mujs" "openjpeg" "zlib")) #t)))) (build-system gnu-build-system) diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm index cf7da80642..cbfc2debd8 100644 --- a/gnu/packages/photo.scm +++ b/gnu/packages/photo.scm @@ -2,7 +2,7 @@ ;;; Copyright © 2014, 2015, 2017, 2019 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2015, 2017 Andreas Enge <andreas@enge.fr> -;;; Copyright © 2016, 2017, 2018 Efraim Flashner <efraim@flashner.co.il> +;;; Copyright © 2016, 2017, 2018, 2019 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2017 Roel Janssen <roel@gnu.org> ;;; Copyright © 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2018 Leo Famulari <leo@famulari.name> @@ -117,7 +117,8 @@ cameras (CRW/CR2, NEF, RAF, DNG, and others).") (uri (string-append "mirror://sourceforge/libexif/libexif/" version "/libexif-" version ".tar.bz2")) (patches (search-patches "libexif-CVE-2016-6328.patch" - "libexif-CVE-2017-7544.patch")) + "libexif-CVE-2017-7544.patch" + "libexif-CVE-2018-20030.patch")) (sha256 (base32 "06nlsibr3ylfwp28w8f5466l6drgrnydgxrm4jmxzrmk5svaxk8n")))) diff --git a/gnu/packages/pretty-print.scm b/gnu/packages/pretty-print.scm index 405ad08ba4..7a5b98c698 100644 --- a/gnu/packages/pretty-print.scm +++ b/gnu/packages/pretty-print.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il> +;;; Copyright © 2016, 2019 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org> @@ -63,7 +63,8 @@ #t)) (patches (search-patches "a2ps-CVE-2001-1593.patch" - "a2ps-CVE-2014-0466.patch")))) + "a2ps-CVE-2014-0466.patch" + "a2ps-CVE-2015-8107.patch")))) (build-system gnu-build-system) (inputs `(("psutils" ,psutils) diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index 8effe1d502..b1fd0195ce 100644 --- a/gnu/packages/version-control.scm +++ b/gnu/packages/version-control.scm @@ -1409,7 +1409,7 @@ machine.") (uri (string-append "https://ftp.gnu.org/non-gnu/cvs/source/feature/" version "/cvs-" version ".tar.bz2")) - (patches (search-patches "cvs-2017-12836.patch")) + (patches (search-patches "cvs-CVE-2017-12836.patch")) (sha256 (base32 "0pjir8cwn0087mxszzbsi1gyfc6373vif96cw4q3m1x6p49kd1bq")))) diff --git a/gnu/packages/vim.scm b/gnu/packages/vim.scm index 7f2db9980e..e06edd5be9 100644 --- a/gnu/packages/vim.scm +++ b/gnu/packages/vim.scm @@ -565,21 +565,21 @@ and powerline symbols, etc.") ;; There are no tarball releases. (define-public vim-airline-themes - (let ((commit "6026eb78bf362cb3aa875aff8487f65728d0f7d8") - (revision "1")) + (let ((commit "e6f233231b232b6027cde6aebeeb18d9138e5324") + (revision "2")) (package (name "vim-airline-themes") - (version (string-append "0.0.0-" revision "." (string-take commit 7))) + (version (git-version "0.0.0" revision commit)) (source (origin (method git-fetch) (uri (git-reference (url "https://github.com/vim-airline/vim-airline-themes") (commit commit))) - (file-name (string-append name "-" version "-checkout")) + (file-name (git-file-name name version)) (sha256 (base32 - "13ijkavh1r0935cn2rjsfbdd1q3ka8bi26kw0bdkrqlrqxwvpss8")))) + "1sb7nb7j7bz0pv1c9bgdy0smhr0jk2b1vbdv9yzghg5lrknpsbr6")))) (build-system gnu-build-system) (arguments `(#:tests? #f diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index 0a270e14f0..d1f5ec2eb6 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -2518,15 +2518,14 @@ composed of HTML::Element style components.") (define-public perl-html-form (package (name "perl-html-form") - (version "6.03") + (version "6.04") (source (origin (method url-fetch) - (uri (string-append "mirror://cpan/authors/id/G/GA/GAAS/" + (uri (string-append "mirror://cpan/authors/id/O/OA/OALDERS/" "HTML-Form-" version ".tar.gz")) (sha256 - (base32 - "0dpwr7yz6hjc3bcqgcbdzjjk9l58ycdjmbam9nfcmm85y2a1vh38")))) + (base32 "100090bdsr5kapv8h0wxzwlzfbfqn57rq9gzrvg9i6hvnsl5gmcw")))) (build-system perl-build-system) (propagated-inputs `(("perl-html-parser" ,perl-html-parser) diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm index ff9e18c76f..bd30fd2fd2 100644 --- a/gnu/packages/xdisorg.scm +++ b/gnu/packages/xdisorg.scm @@ -1062,7 +1062,7 @@ color temperature should be set to match the lamps in your room.") (define-public xscreensaver (package (name "xscreensaver") - (version "5.42") + (version "5.43") (source (origin (method url-fetch) @@ -1070,11 +1070,10 @@ color temperature should be set to match the lamps in your room.") (string-append "https://www.jwz.org/xscreensaver/xscreensaver-" version ".tar.gz")) (sha256 - (base32 - "1qfbsnj7201d03vf0b2lzxmlcq4kvkvzp48r5gcgsjr17c1sl7a4")))) + (base32 "1571pj1a9998sq14y9366s2rw9wd2kq3l3dvvsk610vyd0fki3qm")))) (build-system gnu-build-system) (arguments - `(#:tests? #f ; no check target + `(#:tests? #f ; no check target #:phases (modify-phases %standard-phases (add-before 'configure 'adjust-gtk-resource-paths @@ -1085,9 +1084,7 @@ color temperature should be set to match the lamps in your room.") #t))) #:configure-flags '("--with-pam" "--with-proc-interrupts" "--without-readdisplay") - ;; FIXME: Remove CFLAGS once our default compiler is GCC6 or later. - #:make-flags (list "CFLAGS=-std=c99" - (string-append "AD_DIR=" + #:make-flags (list (string-append "AD_DIR=" (assoc-ref %outputs "out") "/usr/lib/X11/app-defaults")))) (native-inputs diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index fc60758724..8c5c7b08c9 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -671,14 +671,14 @@ This module provide functions which simplify writing tests for (define-public perl-xml-compile (package (name "perl-xml-compile") - (version "1.62") + (version "1.63") (source (origin (method url-fetch) (uri (string-append "mirror://cpan/authors/id/M/MA/MARKOV/" "XML-Compile-" version ".tar.gz")) (sha256 (base32 - "0a75gr4qcjj8ybzljacbbkdxprbqpypz49bc0jb7cfamx1hp7p2w")))) + "0psr5pwsk2biz2bfkigmx04v2rfhs6ybwcfmcrrg7gvh9bpp222b")))) (build-system perl-build-system) (propagated-inputs `(("perl-carp" ,perl-carp) |