-rw-r--r--doc/contributing.texi6
-rw-r--r--doc/guix.texi93
-rw-r--r--gnu-system.am2
-rw-r--r--gnu/packages/audio.scm14
-rw-r--r--gnu/packages/bioinformatics.scm48
-rw-r--r--gnu/packages/curl.scm11
-rw-r--r--gnu/packages/databases.scm28
-rw-r--r--gnu/packages/freedesktop.scm3
-rw-r--r--gnu/packages/gdb.scm6
-rw-r--r--gnu/packages/guile.scm4
-rw-r--r--gnu/packages/kde-frameworks.scm23
-rw-r--r--gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch77
-rw-r--r--gnu/packages/patches/libssh-CVE-2014-0017.patch89
-rw-r--r--gnu/packages/ssh.scm50
-rw-r--r--guix/http-client.scm18
-rw-r--r--guix/scripts/publish.scm6
-rw-r--r--guix/scripts/system.scm23
-rw-r--r--guix/store.scm7
-rw-r--r--tests/publish.scm8
19 files changed, 347 insertions, 169 deletions
diff --git a/doc/contributing.texi b/doc/contributing.texi
index 54fb23a822..3dbd3dbba6 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -315,6 +315,6 @@ extensions---or to the operating system kernel---e.g., reliance on
 
 @end enumerate
 
-When posting a patch to the mailing list, use @samp{[PATCH] @dots{}} as a
-subject.  You may use your email client or the @command{git send-mail}
-command.
+When posting a patch to the mailing list, use @samp{[PATCH] @dots{}} as
+a subject.  You may use your email client or the @command{git
+send-email} command.
diff --git a/doc/guix.texi b/doc/guix.texi
index 15b36f9039..60a46bb32b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -377,19 +377,29 @@ Create the group and user accounts for build users as explained below
 (@pxref{Build Environment Setup}).
 
 @item
-Run the daemon:
+Run the daemon, and set it to automatically start on boot.
+
+If your host distro uses the systemd init system, this can be achieved
+with these commands:
 
 @example
-# ~root/.guix-profile/bin/guix-daemon --build-users-group=guixbuild
+# cp ~root/.guix-profile/lib/systemd/system/guix-daemon.service \
+        /etc/systemd/system/
+# systemctl start guix-daemon && systemctl enable guix-daemon
 @end example
 
-On hosts using the systemd init system, drop
-@file{~root/.guix-profile/lib/systemd/system/guix-daemon.service} in
-@file{/etc/systemd/system}.
+If your host distro uses the Upstart init system:
+
+@example
+# cp ~root/.guix-profile/lib/upstart/system/guix-daemon.conf /etc/init/
+# start guix-daemon
+@end example
 
-Likewise, on hosts using the Upstart init system, drop
-@file{~root/.guix-profile/lib/upstart/system/guix-daemon.conf} in
-@file{/etc/init}.
+Otherwise, you can still start the daemon manually with:
+
+@example
+# ~root/.guix-profile/bin/guix-daemon --build-users-group=guixbuild
+@end example
 
 @item
 Make the @command{guix} command available to other users on the machine,
@@ -425,16 +435,25 @@ authorize them:
 @end example
 @end enumerate
 
-And that's it!  For additional tips and tricks, @pxref{Application
-Setup}.
+This completes root-level install of Guix.  Each user will need to
+perform additional steps to make their Guix envionment ready for use,
+@pxref{Application Setup}.
+
+You can confirm that Guix is working by installing a sample package into
+the root profile:
 
-The @code{guix} package must remain available in @code{root}'s
-profile, or it would become subject to garbage collection---in which
-case you would find yourself badly handicapped by the lack of the
-@command{guix} command.
+@example
+# guix package -i hello
+@end example
 
-The tarball in question can be (re)produced and verified simply by
-running the following command in the Guix source tree:
+The @code{guix} package must remain available in @code{root}'s profile,
+or it would become subject to garbage collection---in which case you
+would find yourself badly handicapped by the lack of the @command{guix}
+command.  In other words, do not remove @code{guix} by running
+@code{guix package -r guix}.
+
+The binary installation tarball can be (re)produced and verified simply
+by running the following command in the Guix source tree:
 
 @example
 make guix-binary.@var{system}.tar.xz
@@ -1975,9 +1994,15 @@ On completion, @command{guix package} will use packages and package
 versions from this just-retrieved copy of Guix.  Not only that, but all
 the Guix commands and Scheme modules will also be taken from that latest
 version.  New @command{guix} sub-commands added by the update also
-become available@footnote{Under the hood, @command{guix pull} updates
-the @file{~/.config/guix/latest} symbolic link to point to the latest
-Guix, and the @command{guix} command loads code from there.}.
+become available.
+
+Any user can update their Guix copy using @command{guix pull}, and the
+effect is limited to the user who run @command{guix pull}.  For
+instance, when user @code{root} runs @command{guix pull}, this has no
+effect on the version of Guix that user @code{alice} sees, and vice
+versa@footnote{Under the hood, @command{guix pull} updates the
+@file{~/.config/guix/latest} symbolic link to point to the latest Guix,
+and the @command{guix} command loads code from there.}.
 
 The @command{guix pull} command is usually invoked with no arguments,
 but it supports the following options:
@@ -2888,7 +2913,14 @@ Procedures that make RPCs all take a server object as their first
 argument.
 
 @deffn {Scheme Procedure} valid-path? @var{server} @var{path}
-Return @code{#t} when @var{path} is a valid store path.
+@cindex invalid store items
+Return @code{#t} when @var{path} designates a valid store item and
+@code{#f} otherwise (an invalid item may exist on disk but still be
+invalid, for instance because it is the result of an aborted or failed
+build.)
+
+A @code{&nix-protocol-error} condition is raised if @var{path} is not
+prefixed by the store directory (@file{/gnu/store}).
 @end deffn
 
 @deffn {Scheme Procedure} add-text-to-store @var{server} @var{name} @var{text} [@var{references}]
@@ -6272,7 +6304,12 @@ is interpreted as a partition label name; when it is @code{uuid},
 @code{device} is interpreted as a partition unique identifier (UUID).
 
 UUIDs may be converted from their string representation (as shown by the
-@command{tune2fs -l} command) using the @code{uuid} form, like this:
+@command{tune2fs -l} command) using the @code{uuid} form@footnote{The
+@code{uuid} form expects 16-byte UUIDs as defined in
+@uref{https://tools.ietf.org/html/rfc4122, RFC@tie{}4122}.  This is the
+form of UUID used by the ext2 family of file systems and others, but it
+is different from ``UUIDs'' found in FAT file systems, for instance.},
+like this:
 
 @example
 (file-system
@@ -9340,7 +9377,7 @@ guix system @var{options}@dots{} @var{action} @var{file}
 
 @var{file} must be the name of a file containing an
 @code{operating-system} declaration.  @var{action} specifies how the
-operating system is instantiate.  Currently the following values are
+operating system is instantiated.  Currently the following values are
 supported:
 
 @table @code
@@ -9806,7 +9843,7 @@ the composition of the extensions.
 
 Udev extensions are composed into a list of rules, but the udev service
 value is itself a @code{<udev-configuration>} record.  So here, we
-extend that record by appending the list of rules is contains to the
+extend that record by appending the list of rules it contains to the
 list of contributed rules.
 @end table
 
@@ -10000,11 +10037,11 @@ extend it by passing it lists of packages to add to the system profile.
 
 @cindex PID 1
 @cindex init system
-The @code{(gnu services shepherd)} provides a way to define services
-managed by the GNU@tie{}Shepherd, which is GuixSD initialization
-system---the first process that is started when the system boots,
-aka. PID@tie{}1 (@pxref{Introduction,,, shepherd, The GNU Shepherd
-Manual}).
+The @code{(gnu services shepherd)} module provides a way to define
+services managed by the GNU@tie{}Shepherd, which is the GuixSD
+initialization system---the first process that is started when the
+system boots, aka. PID@tie{}1 (@pxref{Introduction,,, shepherd, The GNU
+Shepherd Manual}).
 
 Services in the Shepherd can depend on each other.  For instance, the
 SSH daemon may need to be started after the syslog daemon has been
diff --git a/gnu-system.am b/gnu-system.am
index b5f59e3449..431c2b5cd1 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -566,12 +566,12 @@ dist_patch_DATA =						\
   gnu/packages/patches/libmad-armv7-thumb-pt2.patch		\
   gnu/packages/patches/libmad-frame-length.patch		\
   gnu/packages/patches/libmad-mips-newgcc.patch			\
+  gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch		\
   gnu/packages/patches/libtheora-config-guess.patch		\
   gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch \
   gnu/packages/patches/libtiff-oob-accesses-in-decode.patch	\
   gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch	\
   gnu/packages/patches/libtool-skip-tests2.patch		\
-  gnu/packages/patches/libssh-CVE-2014-0017.patch		\
   gnu/packages/patches/libunwind-CVE-2015-3239.patch		\
   gnu/packages/patches/libwmf-CAN-2004-0941.patch		\
   gnu/packages/patches/libwmf-CVE-2006-3376.patch		\
diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm
index 10f16ddd1f..4c4322d872 100644
--- a/gnu/packages/audio.scm
+++ b/gnu/packages/audio.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015 Alex Kost <alezost@gmail.com>
@@ -158,24 +158,24 @@ streams from live audio.")
 (define-public ardour
   (package
     (name "ardour")
-    (version "4.4")
+    (version "4.7")
     (source (origin
               (method git-fetch)
               (uri (git-reference
                     (url "git://git.ardour.org/ardour/ardour.git")
                     (commit version)))
               (snippet
-               ;; Ardour expects this file to exist at build time.  It can be
-               ;; created from a git checkout with:
-               ;;   ./waf create_stored_revision
+               ;; Ardour expects this file to exist at build time.  The revision
+               ;; is the output of
+               ;;    git describe HEAD | sed 's/^[A-Za-z]*+//'
                '(call-with-output-file
                     "libs/ardour/revision.cc"
                   (lambda (port)
                     (format port "#include \"ardour/revision.h\"
-namespace ARDOUR { const char* revision = \"4.4-210-ga4daf93\" ; }"))))
+namespace ARDOUR { const char* revision = \"4.7-219-g0e36f8e\" ; }"))))
               (sha256
                (base32
-                "1gnrcnq2ksnh7fsa301v1c4p5dqrbqpjylf02rg3za3ab58wxi7l"))
+                "149gswphz77m3pkzsn2nqbm6yvcfa3fva560bcvjzlgb73f64q5l"))
               (file-name (string-append name "-" version))))
     (build-system waf-build-system)
     (arguments
diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index c502caf8ec..8958ec502d 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -40,6 +40,8 @@
   #:use-module (gnu packages boost)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages cpio)
+  #:use-module (gnu packages curl)
+  #:use-module (gnu packages doxygen)
   #:use-module (gnu packages file)
   #:use-module (gnu packages gawk)
   #:use-module (gnu packages gcc)
@@ -1081,6 +1083,52 @@ preparation protocols.")
 other types of unwanted sequence from high-throughput sequencing reads.")
     (license license:expat)))
 
+(define-public libbigwig
+  (package
+    (name "libbigwig")
+    (version "0.1.4")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/dpryan79/libBigWig/"
+                                  "archive/" version ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "098rjh35pi4a9q83n8wiwvyzykjqj6l8q189p1xgfw4ghywdlvw1"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:test-target "test"
+       #:make-flags
+       (list "CC=gcc"
+             (string-append "prefix=" (assoc-ref %outputs "out")))
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure)
+         (add-before 'check 'disable-curl-test
+           (lambda _
+             (substitute* "Makefile"
+               (("./test/testRemote.*") ""))
+             #t))
+         ;; This has been fixed with the upstream commit 4ff6959cd8a0, but
+         ;; there has not yet been a release containing this change.
+         (add-before 'install 'create-target-dirs
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out")))
+               (mkdir-p (string-append out "/lib"))
+               (mkdir-p (string-append out "/include"))
+               #t))))))
+    (inputs
+     `(("zlib" ,zlib)
+       ("curl" ,curl)))
+    (native-inputs
+     `(("doxygen" ,doxygen)))
+    (home-page "https://github.com/dpryan79/libBigWig")
+    (synopsis "C library for handling bigWig files")
+    (description
+     "This package provides a C library for parsing local and remote BigWig
+files.")
+    (license license:expat)))
+
 (define-public deeptools
   (package
     (name "deeptools")
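Review bot: The `disable-curl-test` phase strips `./test/testRemote` from the Makefile without saying why; the phase name suggests that test needs network access, which is presumably not available in the build environment, but that reasoning belongs in a comment such as `;; testRemote needs network access, which the build environment does not provide.` (confirm that is the actual reason). The comment above `create-target-dirs` opens with "This has been fixed", leaving unclear what "this" refers to; `;; The install target apparently does not create lib/ and include/; fixed upstream in commit 4ff6959cd8a0, not yet in a release.` ties it to the two `mkdir-p` calls. The `libbigwig` definition is complete within this hunk.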
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 222910b655..46e0fa0f16 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -54,7 +54,16 @@
    (inputs `(("gnutls" ,gnutls)
              ("gss" ,gss)
              ("libidn" ,libidn)
-             ("libssh2" ,libssh2)
+
+             ;; XXX libssh2-1.4 is a temporary package for use only by curl,
+             ;; to allow most users of libssh2 to get the security update for
+             ;; CVE-2016-7087 while postponing the large number of rebuilds
+             ;; entailed by updating curl.  Soon, curl should be updated to
+             ;; use the latest libssh2 and libssh2-1.4 should be removed.
+
+             ;; XXX libssh2-1.4 is vulnerable to CVE-2016-0787.
+             ("libssh2" ,libssh2-1.4)
+
              ("openldap" ,openldap)
              ("zlib" ,zlib)))
    (native-inputs
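Review bot: The two comments added above the `("libssh2" ,libssh2-1.4)` input cite different identifiers for what reads as the same issue: the first says the security update is for CVE-2016-7087, the second says libssh2-1.4 is vulnerable to CVE-2016-0787. The same pair recurs in the ssh.scm hunk that defines `libssh2-1.4`, where the Red Hat bugzilla URL placed directly beneath also uses CVE-2016-0787; the two numbers differ only by a digit transposition, so one is very likely a typo, and the bugzilla link suggests CVE-2016-0787 is the intended one, but confirm against the advisory before fixing. Whichever is correct, use a single identifier in both comments here and in the `;;; XXX This package is vulnerable to …` line in ssh.scm. It would also help to name the fixed version (libssh2 1.7.0 in this commit) so a later reader knows what "the security update" refers to.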
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index b51d96846a..7c30208035 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -8,6 +8,7 @@
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016 Nils Gillmann <niasterisk@grrlz.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -822,3 +823,30 @@ supports many data structures including strings, hashes, lists, sets, sorted
 sets, bitmaps and hyperloglogs.")
     (home-page "http://redis.io/")
     (license bsd-3)))
+
+(define-public kyotocabinet
+  (package
+    (name "kyotocabinet")
+    (version "1.2.76")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "http://fallabs.com/kyotocabinet/pkg/"
+                                  name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "0g6js20x7vnpq4p8ghbw3mh9wpqksya9vwhzdx6dnlf354zjsal1"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags
+       (list
+        (string-append "LDFLAGS=-Wl,-rpath="
+                       (assoc-ref %outputs "out") "/lib"))))
+    (inputs `(("zlib" ,zlib)))
+    (home-page "http://fallabs.com/kyotocabinet/")
+    (synopsis
+     "Kyoto Cabinet is a modern implementation of the DBM database")
+    (description
+     "Kyoto Cabinet is a standalone file-based database that supports Hash
+and B+ Tree data storage models.  It is a fast key-value lightweight
+database and supports many programming languages.  It is a NoSQL database.")
+    (license gpl3+)))
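Review bot: The synopsis `"Kyoto Cabinet is a modern implementation of the DBM database"` starts with the package name, which the project's synopsis conventions discourage; `(synopsis "Modern implementation of the DBM database")` is the usual form. The description's closing sentence, `It is a NoSQL database.`, largely restates the preceding one and could be folded into it. The source URI is plain `http://`; the sha256 pin will catch a tampered download, but if fallabs.com serves https it is worth switching.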
diff --git a/gnu/packages/freedesktop.scm b/gnu/packages/freedesktop.scm
index 7755cb98be..6a28379e95 100644
--- a/gnu/packages/freedesktop.scm
+++ b/gnu/packages/freedesktop.scm
@@ -67,6 +67,9 @@
             (base32
              "1b019d3r1379b60p33d6z44kx589xjgga62ijz9vha95dg8vgbi1"))))
     (build-system gnu-build-system)
+    (propagated-inputs
+     `(("xprop" ,xprop) ; for Xfce detecting
+       ("xset", xset))) ; for xdg-screensaver
     (arguments
      `(#:tests? #f)) ; no check target
     (home-page "http://portland.freedesktop.org/")
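Review bot: The new `("xset", xset)` entry places the unquote after a comma-space, unlike `("xprop" ,xprop)` on the line above; it should read the same to the reader, but the inconsistent spacing looks like a typo and hides the unquote — write `("xset" ,xset)`. The comment `; for Xfce detecting` is also awkward; `; for detecting Xfce` reads better, or name the script that uses it if that is known.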
diff --git a/gnu/packages/gdb.scm b/gnu/packages/gdb.scm
index 81d6a8950d..9065732c78 100644
--- a/gnu/packages/gdb.scm
+++ b/gnu/packages/gdb.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2015 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -37,14 +37,14 @@
 (define-public gdb
   (package
     (name "gdb")
-    (version "7.10.1")
+    (version "7.11")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/gdb/gdb-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "1mfnjcwnwm5cg4rc9pncs9v356a0bz6ymjyac56mbj6784yjzir5"))))
+               "1hg5kwwdvi9b9nxzxfjnx8fx3gip75fqyvkp82xpf3b3rcb42hvs"))))
     (build-system gnu-build-system)
     (arguments
      `(#:tests? #f ; FIXME "make check" fails on single-processor systems.
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 2c83f56f40..5349fda081 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -449,14 +449,14 @@ for Guile\".")
 (define-public guile-json
   (package
     (name "guile-json")
-    (version "0.4.0")
+    (version "0.5.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://savannah/guile-json/guile-json-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "0v06272rw4ycwzssjf3fzpk2vhpslvl55hz94q80vc6f74j0d5h6"))
+               "0l8a34l92nrdszy7ykycfvr8y0n0yi5qb3ccliycvpvf9mzk5n8d"))
              (modules '((guix build utils)))
              (snippet
               ;; Make sure everything goes under .../site/2.0, like Guile's
diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
index 5e73a6b7fa..ec637e55d1 100644
--- a/gnu/packages/kde-frameworks.scm
+++ b/gnu/packages/kde-frameworks.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -26,7 +27,7 @@
   #:use-module (gnu packages qt)
   #:use-module (gnu packages xorg))
 
-(define kde-frameworks-version "5.12.0")
+(define kde-frameworks-version "5.19.0")
 
 (define-public extra-cmake-modules
   (package
@@ -39,7 +40,8 @@
                             (version-major+minor version) "/"
                             name "-" version ".tar.xz"))
         (sha256
-          (base32 "14n77sn493m8kzr42wv13mdgxpnbx7x64bvw37ircrx8wmf4002i"))))
+         (base32
+          "1dl3hhbara7iswb5wsc5dp17ar3ljw5f0nrncl8vry9smaz2zl63"))))
     ;; The package looks for Qt5LinguistTools provided by Qt, but apparently
     ;; compiles without it; it might be needed for building the
     ;; documentation, which requires the additional Sphinx package.
@@ -63,18 +65,19 @@ common build settings used in software produced by the KDE community.")
                             (version-major+minor version) "/"
                             name "-" version ".tar.xz"))
         (sha256
-          (base32 "0fjxhf07r186cmp0mjvinrwxg4z90zlyvycqhy0n18fdp67szckl"))))
+         (base32
+          "115xs34r74j9zcsw69glnh8w59iyh764n3gniawwrk23c6yb8fch"))))
     (build-system cmake-build-system)
     (native-inputs
-      `(("pkg-config" ,pkg-config)
-        ("xorg-server" ,xorg-server))) ; for the tests
+     `(("pkg-config" ,pkg-config)
+       ("xorg-server" ,xorg-server))) ; for the tests
     (inputs
-      `(("extra-cmake-modules" ,extra-cmake-modules)
-        ("libxrender" ,libxrender)
-        ("qt" ,qt)
-        ("xcb-utils-keysyms" ,xcb-util-keysyms)))
+     `(("extra-cmake-modules" ,extra-cmake-modules)
+       ("libxrender" ,libxrender)
+       ("qt" ,qt)
+       ("xcb-utils-keysyms" ,xcb-util-keysyms)))
     (arguments
-      `(#:tests? #f)) ; FIXME: The first seven tests fail with "Exception".
+     `(#:tests? #f)) ; FIXME: The first seven tests fail with "Exception".
     (home-page "https://community.kde.org/Frameworks")
     (synopsis "KDE access to the windowing system")
     (description "KWindowSystem provides information about and allows
diff --git a/gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch b/gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch
new file mode 100644
index 0000000000..a5fdd7ffff
--- /dev/null
+++ b/gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch
@@ -0,0 +1,77 @@
+Fix CVE-2016-0739 (Weak Diffie-Hellman secret generation in
+dh_generate_x() and dh_generate_y()).
+
+"Due to a byte/bit confusion, the DH secret was too short. This file was
+completely reworked and will be commited in a future version."
+Source:
+https://git.libssh.org/projects/libssh.git/commit/?id=f8d0026c65fc8a55748ae481758e2cf376c26c86
+
+This patch was created by upstream for libssh-0.7.3, but applied without
+modification to libssh-0.6.3 by Debian. In Guix, we apply it without
+modification to libssh-0.6.5.
+
+References:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0739
+https://security-tracker.debian.org/tracker/CVE-2016-0739
+
+---
+ src/dh.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/dh.c b/src/dh.c
+index e489a1d..d27b66e 100644
+--- a/src/dh.c
++++ b/src/dh.c
+@@ -227,15 +227,21 @@ void ssh_crypto_finalize(void) {
+ }
+ 
+ int dh_generate_x(ssh_session session) {
++  int keysize;
++  if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
++    keysize = 1023;
++  } else {
++    keysize = 2047;
++  }
+   session->next_crypto->x = bignum_new();
+   if (session->next_crypto->x == NULL) {
+     return -1;
+   }
+ 
+ #ifdef HAVE_LIBGCRYPT
+-  bignum_rand(session->next_crypto->x, 128);
++  bignum_rand(session->next_crypto->x, keysize);
+ #elif defined HAVE_LIBCRYPTO
+-  bignum_rand(session->next_crypto->x, 128, 0, -1);
++  bignum_rand(session->next_crypto->x, keysize, -1, 0);
+ #endif
+ 
+   /* not harder than this */
+@@ -248,15 +254,21 @@ int dh_generate_x(ssh_session session) {
+ 
+ /* used by server */
+ int dh_generate_y(ssh_session session) {
+-    session->next_crypto->y = bignum_new();
++  int keysize;
++  if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
++    keysize = 1023;
++  } else {
++    keysize = 2047;
++  }
++  session->next_crypto->y = bignum_new();
+   if (session->next_crypto->y == NULL) {
+     return -1;
+   }
+ 
+ #ifdef HAVE_LIBGCRYPT
+-  bignum_rand(session->next_crypto->y, 128);
++  bignum_rand(session->next_crypto->y, keysize);
+ #elif defined HAVE_LIBCRYPTO
+-  bignum_rand(session->next_crypto->y, 128, 0, -1);
++  bignum_rand(session->next_crypto->y, keysize, -1, 0);
+ #endif
+ 
+   /* not harder than this */
+-- 
+cgit v0.12
+
diff --git a/gnu/packages/patches/libssh-CVE-2014-0017.patch b/gnu/packages/patches/libssh-CVE-2014-0017.patch
deleted file mode 100644
index 94d8cc33d2..0000000000
--- a/gnu/packages/patches/libssh-CVE-2014-0017.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-Patch from libssh 0.6, with bind.c hunk adjusted for 0.5.5.
-
-From e99246246b4061f7e71463f8806b9dcad65affa0 Mon Sep 17 00:00:00 2001
-From: Aris Adamantiadis <aris@0xbadc0de.be>
-Date: Wed, 05 Feb 2014 20:24:12 +0000
-Subject: security: fix for vulnerability CVE-2014-0017
-
-When accepting a new connection, a forking server based on libssh forks
-and the child process handles the request. The RAND_bytes() function of
-openssl doesn't reset its state after the fork, but simply adds the
-current process id (getpid) to the PRNG state, which is not guaranteed
-to be unique.
-This can cause several children to end up with same PRNG state which is
-a security issue.
----
-diff --git a/include/libssh/wrapper.h b/include/libssh/wrapper.h
-index 7374a88..e8ff32c 100644
---- a/include/libssh/wrapper.h
-+++ b/include/libssh/wrapper.h
-@@ -70,5 +70,6 @@ int crypt_set_algorithms_server(ssh_session session);
- struct ssh_crypto_struct *crypto_new(void);
- void crypto_free(struct ssh_crypto_struct *crypto);
- 
-+void ssh_reseed(void);
- 
- #endif /* WRAPPER_H_ */
-diff --git a/src/bind.c b/src/bind.c
-index 8d82d0d..03d3403 100644
---- a/src/bind.c
-+++ b/src/bind.c
-@@ -375,6 +375,8 @@ int ssh_bind_accept(ssh_bind sshbind, ss
-   session->dsa_key = dsa;
-   session->rsa_key = rsa;
- 
-+  /* force PRNG to change state in case we fork after ssh_bind_accept */
-+  ssh_reseed();
-   return SSH_OK;
- }
- 
-diff --git a/src/libcrypto.c b/src/libcrypto.c
-index bb1d96a..d8cc795 100644
---- a/src/libcrypto.c
-+++ b/src/libcrypto.c
-@@ -23,6 +23,7 @@
- #include <stdlib.h>
- #include <stdio.h>
- #include <string.h>
-+#include <sys/time.h>
- 
- #include "libssh/priv.h"
- #include "libssh/session.h"
-@@ -38,6 +39,8 @@
- #include <openssl/rsa.h>
- #include <openssl/hmac.h>
- #include <openssl/opensslv.h>
-+#include <openssl/rand.h>
-+
- #ifdef HAVE_OPENSSL_AES_H
- #define HAS_AES
- #include <openssl/aes.h>
-@@ -74,6 +77,12 @@ static int alloc_key(struct ssh_cipher_struct *cipher) {
-     return 0;
- }
- 
-+void ssh_reseed(void){
-+    struct timeval tv;
-+    gettimeofday(&tv, NULL);
-+    RAND_add(&tv, sizeof(tv), 0.0);
-+}
-+
- SHACTX sha1_init(void) {
-   SHACTX c = malloc(sizeof(*c));
-   if (c == NULL) {
-diff --git a/src/libgcrypt.c b/src/libgcrypt.c
-index 899bccd..4617901 100644
---- a/src/libgcrypt.c
-+++ b/src/libgcrypt.c
-@@ -45,6 +45,9 @@ static int alloc_key(struct ssh_cipher_struct *cipher) {
-     return 0;
- }
- 
-+void ssh_reseed(void){
-+	}
-+
- SHACTX sha1_init(void) {
-   SHACTX ctx = NULL;
-   gcry_md_open(&ctx, GCRY_MD_SHA1, 0);
---
-cgit v0.9.1
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 41cb38134f..3c73e47882 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -44,15 +45,15 @@
 (define-public libssh
   (package
     (name "libssh")
-    (version "0.6.5")
+    (version "0.7.3")
     (source (origin
               (method url-fetch)
               (uri (string-append
-                    "https://red.libssh.org/attachments/download/121/libssh-"
+                    "https://red.libssh.org/attachments/download/195/libssh-"
                     version ".tar.xz"))
               (sha256
                (base32
-                "0b6wyx6bwbb8jpn8x4rhlrdiqwqrwrs0mxjmrnqykm9kw1ijgm8g"))))
+                "165g49i4kmm3bfsjm0n8hm21kadv79g9yjqyq09138jxanz4dvr6"))))
     (build-system cmake-build-system)
     (arguments
      '(#:configure-flags '("-DWITH_GCRYPT=ON")
@@ -70,29 +71,32 @@ remote applications.")
     (home-page "http://www.libssh.org")
     (license license:lgpl2.1+)))
 
-(define libssh-0.5                                ; kept private
+(define libssh-0.6 ; kept private for use in guile-ssh
   (package (inherit libssh)
-    (version "0.5.5")
+    (version "0.6.5")
     (source (origin
               (method url-fetch)
-              (uri (string-append "https://red.libssh.org/attachments/download/51/libssh-"
-                                  version ".tar.gz"))
+              (uri (string-append "https://red.libssh.org/attachments/"
+                                  "download/121/libssh-"
+                                  version ".tar.xz"))
               (sha256
                (base32
-                "17cfdff4hc0ijzrr15biq29fiabafz0bw621zlkbwbc1zh2hzpy0"))
-              (patches (list (search-patch "libssh-CVE-2014-0017.patch")))))))
+                "0b6wyx6bwbb8jpn8x4rhlrdiqwqrwrs0mxjmrnqykm9kw1ijgm8g"))
+              (patches (list
+                        (search-patch "libssh-0.6.5-CVE-2016-0739.patch")))))))
 
 (define-public libssh2
   (package
    (name "libssh2")
-   (version "1.4.3")
+   (version "1.7.0")
    (source (origin
             (method url-fetch)
             (uri (string-append
-                   "http://www.libssh2.org/download/libssh2-"
+                   "https://www.libssh2.org/download/libssh2-"
                    version ".tar.gz"))
-            (sha256 (base32
-                     "0vdr478dbhbdgnniqmirawjb7mrcxckn4slhhrijxnzrkmgziipa"))))
+            (sha256
+             (base32
+              "116mh112w48vv9k3f15ggp5kxw5sj4b88dzb5j69llsh7ba1ymp4"))))
    (build-system gnu-build-system)
    ;; The installed libssh2.pc file does not include paths to libgcrypt and
    ;; zlib libraries, so we need to propagate the inputs.
@@ -108,6 +112,24 @@ a server that supports the SSH-2 protocol.")
    (license license:bsd-3)
    (home-page "http://www.libssh2.org/")))
 
+;;; XXX This is a temporary package for use only by curl, to allow most users
+;;; of libssh2 to get the security update sooner while postponing the large
+;;; number of rebuilds entailed by updating curl.
+;;;
+;;; XXX This package is vulnerable to CVE-2016-7087.
+;;;
+;;; https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0787
+(define-public libssh2-1.4
+  (package (inherit libssh2)
+    (version "1.4.3")
+    (source (origin
+             (method url-fetch)
+             (uri (string-append "https://www.libssh2.org/download/libssh2-"
+                                 version ".tar.gz"))
+             (sha256
+              (base32
+                "0vdr478dbhbdgnniqmirawjb7mrcxckn4slhhrijxnzrkmgziipa"))))))
+
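Review bot: `libssh2-1.4` is exported with `define-public` even though the comment above it says the package exists only for curl and is vulnerable, so the vulnerable version becomes installable by name by any user; by contrast `libssh-0.6`, kept for guile-ssh in the earlier hunk, is a plain private `define`. If the export is required for curl.scm to reference it, the comment should say so and state the removal plan (update curl, drop this definition) so nobody adopts it as a normal package; otherwise make it `(define libssh2-1.4`. As a style point, the `(base32` line under `(sha256` is indented one column deeper than the corresponding line in the `libssh2` definition above.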
 (define-public openssh
   (package
    (name "openssh")
@@ -235,7 +257,7 @@ Additionally, various channel-specific options can be negotiated.")
                      ("pkg-config" ,pkg-config)
                      ("which" ,which)))
     (inputs `(("guile" ,guile-2.0)
-              ("libssh" ,libssh)
+              ("libssh" ,libssh-0.6)
               ("libgcrypt" ,libgcrypt)))
     (synopsis "Guile bindings to libssh")
     (description
diff --git a/guix/http-client.scm b/guix/http-client.scm
index 31b511eb1c..2161856c63 100644
--- a/guix/http-client.scm
+++ b/guix/http-client.scm
@@ -33,6 +33,7 @@
   #:use-module (guix ui)
   #:use-module (guix utils)
   #:use-module (guix base64)
+  #:autoload   (guix hash) (sha256)
   #:use-module ((guix build utils)
                 #:select (mkdir-p dump-port))
   #:use-module ((guix build download)
@@ -280,18 +281,23 @@ Raise an '&http-get-error' condition if downloading fails."
                       string->number*)
                36))))
 
+(define (cache-file-for-uri uri)
+  "Return the name of the file in the cache corresponding to URI."
+  (let ((digest (sha256 (string->utf8 (uri->string uri)))))
+    ;; Use the "URL" alphabet because it does not contain "/".
+    (string-append (cache-directory) "/http/"
+                   (base64-encode digest 0 (bytevector-length digest)
+                                  #f #f base64url-alphabet))))
+
 (define* (http-fetch/cached uri #:key (ttl (%http-cache-ttl)) text?)
   "Like 'http-fetch', return an input port, but cache its contents in
 ~/.cache/guix.  The cache remains valid for TTL seconds."
-  (let* ((directory (string-append (cache-directory) "/http/"
-                                   (uri-host uri)))
-         (file      (string-append directory "/"
-                                   (basename (uri-path uri)))))
+  (let ((file (cache-file-for-uri uri)))
     (define (update-cache)
       ;; Update the cache and return an input port.
       (let ((port (http-fetch uri #:text? text?)))
-        (mkdir-p directory)
-        (call-with-output-file file
+        (mkdir-p (dirname file))
+        (with-atomic-file-output file
           (cut dump-port port <>))
         (close-port port)
         (open-input-file file)))
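Review bot: The docstring of `cache-file-for-uri` should say how the name is derived, because the cache layout changes from host/basename to opaque names and whoever inspects the cache directory will want to know what they are looking at: `"Return the name of the file in the cache corresponding to URI: the base64url-encoded SHA256 of URI's string form, under the 'http' subdirectory of the cache."`. It is also worth noting there that URIs differing only in spelling (trailing slash, explicit default port) hash differently and therefore get separate entries, which is safe but may surprise. The body of `http-fetch/cached` continues past the end of the hunk.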
diff --git a/guix/scripts/publish.scm b/guix/scripts/publish.scm
index 3d197384d6..5306afcf07 100644
--- a/guix/scripts/publish.scm
+++ b/guix/scripts/publish.scm
@@ -208,13 +208,13 @@ References: ~a~%"
                      (narinfo-string store store-path (force %private-key))
                      <>)))))
 
-(define (render-nar request store-item)
+(define (render-nar store request store-item)
   "Render archive of the store path corresponding to STORE-ITEM."
   (let ((store-path (string-append %store-directory "/" store-item)))
     ;; The ISO-8859-1 charset *must* be used otherwise HTTP clients will
     ;; interpret the byte stream as UTF-8 and arbitrarily change invalid byte
     ;; sequences.
-    (if (file-exists? store-path)
+    (if (valid-path? store store-path)
         (values '((content-type . (application/x-nix-archive
                                    (charset . "ISO-8859-1"))))
                 ;; XXX: We're not returning the actual contents, deferring
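Review bot: `valid-path?` can raise a `&nix-protocol-error` (this diff's store.scm hunk documents it for a PATH not prefixed by the store directory, and the daemon may reject other malformed names), whereas the `file-exists?` it replaces never raised; since `store-item` comes straight from the request path, a name the daemon rejects would now propagate out of `render-nar` instead of yielding the 404 the new test expects, unless a handler further up the server catches it. Consider guarding the check, e.g. `(guard (c ((nix-protocol-error? c) #f)) (valid-path? store store-path))`, or validating that `store-item` has the shape of a store file name before consulting the daemon. The caller update in the following hunk (`render-nar store request store-item`) needs no further change.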
@@ -314,7 +314,7 @@ blocking."
            (render-narinfo store request hash))
           ;; /nar/<store-item>
           (("nar" store-item)
-           (render-nar request store-item))
+           (render-nar store request store-item))
           (_ (not-found request)))
         (not-found request))))
 
diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm
index 7279be0c43..401aa8b60a 100644
--- a/guix/scripts/system.scm
+++ b/guix/scripts/system.scm
@@ -211,6 +211,19 @@ the ownership of '~a' may be incorrect!~%")
       (lambda ()
         (environ env)))))
 
+(define-syntax-rule (save-load-path-excursion body ...)
+  "Save the current values of '%load-path' and '%load-compiled-path', run
+BODY..., and restore them."
+  (let ((path %load-path)
+        (cpath %load-compiled-path))
+    (dynamic-wind
+      (const #t)
+      (lambda ()
+        body ...)
+      (lambda ()
+        (set! %load-path path)
+        (set! %load-compiled-path cpath)))))
+
 (define-syntax-rule (warn-on-system-error body ...)
   (catch 'system-error
     (lambda ()
@@ -273,6 +286,9 @@ bring the system down."
            (info (_ "loading new services:~{ ~a~}...~%") to-load-names)
            (mlet %store-monad ((files (mapm %store-monad shepherd-service-file
                                             to-load)))
+             ;; Here we assume that FILES are exactly those that were computed
+             ;; as part of the derivation that built OS, which is normally the
+             ;; case.
              (load-services (map derivation->output-path files))
 
              (for-each start-service
@@ -299,7 +315,12 @@ it atomically, and then run OS's activation script."
        ;; Tell 'activate-current-system' what the new system is.
        (setenv "GUIX_NEW_SYSTEM" system)
 
-       (primitive-load (derivation->output-path script)))
+       ;; The activation script may modify '%load-path' & co., so protect
+       ;; against that.  This is necessary to ensure that
+       ;; 'upgrade-shepherd-services' gets to see the right modules when it
+       ;; computes derivations with (gexp->derivation #:modules …).
+       (save-load-path-excursion
+        (primitive-load (derivation->output-path script))))
 
       ;; Finally, try to update system services.
       (upgrade-shepherd-services os))))
diff --git a/guix/store.scm b/guix/store.scm
index 8123407816..3d6cff4c21 100644
--- a/guix/store.scm
+++ b/guix/store.scm
@@ -582,7 +582,12 @@ encoding conversion errors."
     (operation (name args ...) docstring return ...)))
 
 (define-operation (valid-path? (string path))
-  "Return #t when PATH is a valid store path."
+  "Return #t when PATH designates a valid store item and #f otherwise (an
+invalid item may exist on disk but still be invalid, for instance because it
+is the result of an aborted or failed build.)
+
+A '&nix-protocol-error' condition is raised if PATH is not prefixed by the
+store directory (/gnu/store)."
   boolean)
 
 (define-operation (query-path-hash (store-path path))
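Review bot: The new docstring names `/gnu/store` literally although the store location is configurable (publish.scm in this same diff reads it from `%store-directory`), so the sentence is only accurate for a default build; suggest `store directory (%store-directory, /gnu/store by default)`. The parenthetical `(an invalid item may exist on disk but still be invalid, ...)` repeats "invalid" and would read more clearly as `(an item may exist on disk and yet be invalid, for instance because it is the result of an aborted or failed build.)`.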
diff --git a/tests/publish.scm b/tests/publish.scm
index 0b92390900..6c710fe0a7 100644
--- a/tests/publish.scm
+++ b/tests/publish.scm
@@ -112,6 +112,14 @@ References: ~a~%"
        (call-with-input-string nar (cut restore-file <> temp)))
      (call-with-input-file temp read-string))))
 
+(test-equal "/nar/invalid"
+  404
+  (begin
+    (call-with-output-file (string-append (%store-prefix) "/invalid")
+      (lambda (port)
+        (display "This file is not a valid store item." port)))
+    (response-code (http-get (publish-uri (string-append "/nar/invalid"))))))
+
 (test-end "publish")