Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/akonadi-paths.patch | 53 | ||||
-rw-r--r-- | gnu/packages/patches/bluez-CVE-2020-0556.patch | 180 | ||||
-rw-r--r-- | gnu/packages/patches/calibre-msgpack-compat.patch | 18 | ||||
-rw-r--r-- | gnu/packages/patches/calibre-remove-test-bs4.patch | 34 | ||||
-rw-r--r-- | gnu/packages/patches/kdepim-runtime-Fix-missing-link-libraries.patch | 42 | ||||
-rw-r--r-- | gnu/packages/patches/kinit-kdeinit-extra_libs.patch | 10 | ||||
-rw-r--r-- | gnu/packages/patches/libdrm-realpath-virtio.patch | 42 | ||||
-rw-r--r-- | gnu/packages/patches/libdrm-symbol-check.patch | 215 | ||||
-rw-r--r-- | gnu/packages/patches/nss-CVE-2020-12399.patch | 138 | ||||
-rw-r--r-- | gnu/packages/patches/pyqt-unbundled-qt.patch | 19 | ||||
-rw-r--r-- | gnu/packages/patches/qtbase-QTBUG-81715.patch | 40 | ||||
-rw-r--r-- | gnu/packages/patches/qtbase-use-TZDIR.patch | 4 |
12 files changed, 75 insertions, 720 deletions
diff --git a/gnu/packages/patches/akonadi-paths.patch b/gnu/packages/patches/akonadi-paths.patch
index da250ee9e8..ac08ec5448 100644
--- a/gnu/packages/patches/akonadi-paths.patch
+++ b/gnu/packages/patches/akonadi-paths.patch
@@ -1,31 +1,31 @@ This is based on the respectve patch from NixPkgs, but with the parts pinning mysql and postgresql executables removed. The our package definition on why. - -Index: akonadi-19.08.0/src/akonadicontrol/agentmanager.cpp -=================================================================== ---- akonadi-19.08.0.orig/src/akonadicontrol/agentmanager.cpp -+++ akonadi-19.08.0/src/akonadicontrol/agentmanager.cpp -@@ -78,12 +78,12 @@ AgentManager::AgentManager(bool verbose, - mStorageController = new Akonadi::ProcessControl; - mStorageController->setShutdownTimeout(15 * 1000); // the server needs more time for shutdown if we are using an internal mysqld - connect(mStorageController, &Akonadi::ProcessControl::unableToStart, this, &AgentManager::serverFailure); -- mStorageController->start(QStringLiteral("akonadiserver"), serviceArgs, Akonadi::ProcessControl::RestartOnCrash); -+ mStorageController->start(QLatin1String(NIX_OUT "/bin/akonadiserver"), serviceArgs, Akonadi::ProcessControl::RestartOnCrash); +diff --git a/src/akonadicontrol/agentmanager.cpp b/src/akonadicontrol/agentmanager.cpp +--- a/src/akonadicontrol/agentmanager.cpp ++++ b/src/akonadicontrol/agentmanager.cpp +@@ -61,7 +61,7 @@ public: + []() { + QCoreApplication::instance()->exit(255); + }); +- start(QStringLiteral("akonadiserver"), args, RestartOnCrash); ++ start(QLatin1String(NIX_OUT "/bin/akonadiserver"), args, RestartOnCrash); + } - if (mAgentServerEnabled) { - mAgentServer = new Akonadi::ProcessControl; - connect(mAgentServer, &Akonadi::ProcessControl::unableToStart, this, &AgentManager::agentServerFailure); -- mAgentServer->start(QStringLiteral("akonadi_agent_server"), serviceArgs, Akonadi::ProcessControl::RestartOnCrash); -+ mAgentServer->start(QLatin1String(NIX_OUT "/bin/akonadi_agent_server"), serviceArgs, Akonadi::ProcessControl::RestartOnCrash); + ~StorageProcessControl() override +@@ -84,7 +84,7 @@ public: + []() { + qCCritical(AKONADICONTROL_LOG) << "Failed to start AgentServer!"; + 
}); +- start(QStringLiteral("akonadi_agent_server"), args, RestartOnCrash); ++ start(QLatin1String(NIX_OUT "/bin/akonadi_agent_server"), args, RestartOnCrash); } - } -Index: akonadi-19.08.0/src/akonadicontrol/agentprocessinstance.cpp -=================================================================== ---- akonadi-19.08.0.orig/src/akonadicontrol/agentprocessinstance.cpp -+++ akonadi-19.08.0/src/akonadicontrol/agentprocessinstance.cpp -@@ -62,7 +62,7 @@ bool AgentProcessInstance::start(const A + ~AgentServerProcessControl() override +diff --git a/src/akonadicontrol/agentprocessinstance.cpp b/src/akonadicontrol/agentprocessinstance.cpp +--- a/src/akonadicontrol/agentprocessinstance.cpp ++++ b/src/akonadicontrol/agentprocessinstance.cpp +@@ -62,7 +62,7 @@ bool AgentProcessInstance::start(const AgentType &agentInfo) } else { Q_ASSERT(agentInfo.launchMethod == AgentType::Launcher); const QStringList arguments = QStringList() << executable << identifier(); @@ -34,11 +34,10 @@ Index: akonadi-19.08.0/src/akonadicontrol/agentprocessinstance.cpp mController->start(agentLauncherExec, arguments); } return true; -Index: akonadi-19.08.0/src/server/storage/dbconfigmysql.cpp -=================================================================== ---- akonadi-19.08.0.orig/src/server/storage/dbconfigmysql.cpp -+++ akonadi-19.08.0/src/server/storage/dbconfigmysql.cpp -@@ -209,7 +193,7 @@ bool DbConfigMysql::startInternalServer( +diff --git a/src/server/storage/dbconfigmysql.cpp b/src/server/storage/dbconfigmysql.cpp +--- a/src/server/storage/dbconfigmysql.cpp ++++ b/src/server/storage/dbconfigmysql.cpp +@@ -209,7 +209,7 @@ bool DbConfigMysql::startInternalServer() #endif // generate config file diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch deleted file mode 100644 index 7c34459a3a..0000000000 --- a/gnu/packages/patches/bluez-CVE-2020-0556.patch +++ /dev/null 
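Review bot: The explanatory header kept as context at the top of akonadi-paths.patch does not say why the mysql/postgresql pinning was dropped: "respectve" is misspelled and "The our package definition on why." is not a sentence. Since the file is being refreshed anyway, the header could read `This is based on the respective patch from NixPkgs, but with the parts pinning mysql and postgresql executables removed. See our package definition for why.` (assuming "See" is what was meant). The rewritten `start(QLatin1String(NIX_OUT "/bin/akonadiserver"), ...)` and `start(QLatin1String(NIX_OUT "/bin/akonadi_agent_server"), ...)` lines also depend on `NIX_OUT` being defined at build time, and nothing in the visible patch defines it, so a one-line note in the header naming where it is set would help the next person rebasing this.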
@@ -1,180 +0,0 @@ -Fix CVE-2020-0556: - -https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/ -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556 - -Patches copied from upstream source repository: - -https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 -https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 - -From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001 -From: Alain Michaud <alainm@chromium.org> -Date: Tue, 10 Mar 2020 02:35:18 +0000 -Subject: [PATCH] HID accepts bonded device connections only. - -This change adds a configuration for platforms to choose a more secure -posture for the HID profile. While some older mice are known to not -support pairing or encryption, some platform may choose a more secure -posture by requiring the device to be bonded and require the -connection to be encrypted when bonding is required. 
- -Reference: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html ---- - profiles/input/device.c | 23 ++++++++++++++++++++++- - profiles/input/device.h | 1 + - profiles/input/input.conf | 8 ++++++++ - profiles/input/manager.c | 13 ++++++++++++- - 4 files changed, 43 insertions(+), 2 deletions(-) - -diff --git a/profiles/input/device.c b/profiles/input/device.c -index 2cb3811c8..d89da2d7c 100644 ---- a/profiles/input/device.c -+++ b/profiles/input/device.c -@@ -92,6 +92,7 @@ struct input_device { - - static int idle_timeout = 0; - static bool uhid_enabled = false; -+static bool classic_bonded_only = false; - - void input_set_idle_timeout(int timeout) - { -@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) - uhid_enabled = state; - } - -+void input_set_classic_bonded_only(bool state) -+{ -+ classic_bonded_only = state; -+} -+ - static void input_device_enter_reconnect_mode(struct input_device *idev); - static int connection_disconnect(struct input_device *idev, uint32_t flags); - -@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) - if (device_name_known(idev->device)) - device_get_name(idev->device, req->name, sizeof(req->name)); - -+ /* Make sure the device is bonded if required */ -+ if (classic_bonded_only && !device_is_bonded(idev->device, -+ btd_device_get_bdaddr_type(idev->device))) { -+ error("Rejected connection from !bonded device %s", dst_addr); -+ goto cleanup; -+ } -+ - /* Encryption is mandatory for keyboards */ -- if (req->subclass & 0x40) { -+ /* Some platforms may choose to require encryption for all devices */ -+ /* Note that this only matters for pre 2.1 devices as otherwise the */ -+ /* device is encrypted by default by the lower layers */ -+ if (classic_bonded_only || req->subclass & 0x40) { - if (!bt_io_set(idev->intr_io, &gerr, - BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, - BT_IO_OPT_INVALID)) { -@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct 
input_device *idev) - DBG("path=%s reconnect_mode=%s", idev->path, - reconnect_mode_to_string(idev->reconnect_mode)); - -+ /* Make sure the device is bonded if required */ -+ if (classic_bonded_only && !device_is_bonded(idev->device, -+ btd_device_get_bdaddr_type(idev->device))) -+ return; -+ - /* Only attempt an auto-reconnect when the device is required to - * accept reconnections from the host. - */ -diff --git a/profiles/input/device.h b/profiles/input/device.h -index 51a9aee18..3044db673 100644 ---- a/profiles/input/device.h -+++ b/profiles/input/device.h -@@ -29,6 +29,7 @@ struct input_conn; - - void input_set_idle_timeout(int timeout); - void input_enable_userspace_hid(bool state); -+void input_set_classic_bonded_only(bool state); - - int input_device_register(struct btd_service *service); - void input_device_unregister(struct btd_service *service); -diff --git a/profiles/input/input.conf b/profiles/input/input.conf -index 3e1d65aae..166aff4a4 100644 ---- a/profiles/input/input.conf -+++ b/profiles/input/input.conf -@@ -11,3 +11,11 @@ - # Enable HID protocol handling in userspace input profile - # Defaults to false (HIDP handled in HIDP kernel module) - #UserspaceHID=true -+ -+# Limit HID connections to bonded devices -+# The HID Profile does not specify that devices must be bonded, however some -+# platforms may want to make sure that input connections only come from bonded -+# device connections. Several older mice have been known for not supporting -+# pairing/encryption. -+# Defaults to false to maximize device compatibility. 
-+#ClassicBondedOnly=true -diff --git a/profiles/input/manager.c b/profiles/input/manager.c -index 1d31b0652..5cd27b839 100644 ---- a/profiles/input/manager.c -+++ b/profiles/input/manager.c -@@ -96,7 +96,7 @@ static int input_init(void) - config = load_config_file(CONFIGDIR "/input.conf"); - if (config) { - int idle_timeout; -- gboolean uhid_enabled; -+ gboolean uhid_enabled, classic_bonded_only; - - idle_timeout = g_key_file_get_integer(config, "General", - "IdleTimeout", &err); -@@ -114,6 +114,17 @@ static int input_init(void) - input_enable_userspace_hid(uhid_enabled); - } else - g_clear_error(&err); -+ -+ classic_bonded_only = g_key_file_get_boolean(config, "General", -+ "ClassicBondedOnly", &err); -+ -+ if (!err) { -+ DBG("input.conf: ClassicBondedOnly=%s", -+ classic_bonded_only ? "true" : "false"); -+ input_set_classic_bonded_only(classic_bonded_only); -+ } else -+ g_clear_error(&err); -+ - } - - btd_profile_register(&input_profile); --- -2.25.1 - -From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001 -From: Alain Michaud <alainm@chromium.org> -Date: Tue, 10 Mar 2020 02:35:16 +0000 -Subject: [PATCH] HOGP must only accept data from bonded devices. - -HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. - -Reference: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm ---- - profiles/input/hog.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/profiles/input/hog.c b/profiles/input/hog.c -index 83c017dcb..dfac68921 100644 ---- a/profiles/input/hog.c -+++ b/profiles/input/hog.c -@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) - return -EINVAL; - } - -+ /* HOGP 1.0 Section 6.1 requires bonding */ -+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) -+ return -ECONNREFUSED; -+ - /* TODO: Replace GAttrib with bt_gatt_client */ - bt_hog_attach(dev->hog, attrib); - --- -2.25.1 - 
diff --git a/gnu/packages/patches/calibre-msgpack-compat.patch b/gnu/packages/patches/calibre-msgpack-compat.patch deleted file mode 100644 index 9920103bea..0000000000 --- a/gnu/packages/patches/calibre-msgpack-compat.patch +++ /dev/null @@ -1,18 +0,0 @@ -Fix deserialization with msgpack 1.0. - -Patch copied from upstream source repository: -https://github.com/kovidgoyal/calibre/commit/0ff41ac64994ec11b7859fc004c94d08769e3af3 - -diff --git a/src/calibre/utils/serialize.py b/src/calibre/utils/serialize.py -index f5d560c468..c35ae53849 100644 ---- a/src/calibre/utils/serialize.py -+++ b/src/calibre/utils/serialize.py -@@ -110,7 +110,7 @@ def msgpack_decoder(code, data): - def msgpack_loads(dump, use_list=True): - # use_list controls whether msgpack arrays are unpacked as lists or tuples - import msgpack -- return msgpack.unpackb(dump, ext_hook=msgpack_decoder, raw=False, use_list=use_list) -+ return msgpack.unpackb(dump, ext_hook=msgpack_decoder, raw=False, use_list=use_list, strict_map_key=False) - - - def json_loads(data): diff --git a/gnu/packages/patches/calibre-remove-test-bs4.patch b/gnu/packages/patches/calibre-remove-test-bs4.patch deleted file mode 100644 index 77dd45d329..0000000000 --- a/gnu/packages/patches/calibre-remove-test-bs4.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -In my efforts to fix all Calibre tests, this test would always complain about -backports.functools_lru_cache not existing even after I packaged and added -python2-soupsieve as an input and confirmed it was in the -PYTHONPATH. Currently Calibre does not actually use it for anything other than -testing it's there, so I assume they will start using it in future Calibre -versions. - -From 2738dd42caebe55326c76922a12ba8740bdb22e7 Mon Sep 17 00:00:00 2001 -From: Brendan Tildesley <mail@brendan.scot> -Date: Sat, 27 Apr 2019 00:42:39 +1000 -Subject: [PATCH] Remove test_bs4 - ---- - src/calibre/test_build.py | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/src/calibre/test_build.py b/src/calibre/test_build.py -index 73f1172e8c..07bdffd3e5 100644 ---- a/src/calibre/test_build.py -+++ b/src/calibre/test_build.py -@@ -73,10 +73,6 @@ class BuildTest(unittest.TestCase): - from html5_parser import parse - parse('<p>xxx') - -- def test_bs4(self): -- import soupsieve, bs4 -- del soupsieve, bs4 -- - def test_zeroconf(self): - if ispy3: - import zeroconf as z, ifaddr --- -2.21.0 - diff --git a/gnu/packages/patches/kdepim-runtime-Fix-missing-link-libraries.patch b/gnu/packages/patches/kdepim-runtime-Fix-missing-link-libraries.patch deleted file mode 100644 index 13345c0038..0000000000 --- a/gnu/packages/patches/kdepim-runtime-Fix-missing-link-libraries.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From b84c4ba97cecf7304e99cafdd8a9c5866ce27050 Mon Sep 17 00:00:00 2001 -From: Hartmut Goebel <h.goebel@crazy-compilers.com> -Date: Tue, 21 Jan 2020 23:33:50 +0100 -Subject: [PATCH] Fix missing link libraries. - -See <https://phabricator.kde.org/D26819> - -These are only actually missing if the libraries reside in different -prefixes, as it is the case in Guix or Nix. ---- - resources/ews/test/CMakeLists.txt | 1 + - resources/facebook/CMakeLists.txt | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/resources/ews/test/CMakeLists.txt b/resources/ews/test/CMakeLists.txt -index b20eddcb8..6355eb994 100644 ---- a/resources/ews/test/CMakeLists.txt -+++ b/resources/ews/test/CMakeLists.txt -@@ -35,6 +35,7 @@ qt5_add_resources(isolatestestcommon_RSRCS isolatedtestcommon.qrc) - add_library(isolatedtestcommon STATIC ${isolatestestcommon_SRCS}) - target_link_libraries(isolatedtestcommon - KF5::AkonadiCore -+ KF5::AkonadiMime - Qt5::Core - Qt5::Network - Qt5::Test -diff --git a/resources/facebook/CMakeLists.txt b/resources/facebook/CMakeLists.txt -index bdd5eeaa7..27a9c83c1 100644 ---- a/resources/facebook/CMakeLists.txt -+++ b/resources/facebook/CMakeLists.txt -@@ -21,7 +21,8 @@ add_library(facebookresourcelib STATIC ${fbresource_SRCS}) - - target_link_libraries(facebookresourcelib - KF5::KIOWidgets -+ KF5::AkonadiCore - KF5::IconThemes - KF5::I18n - KF5::ConfigGui - KF5::CalendarCore --- -2.21.1 - diff --git a/gnu/packages/patches/kinit-kdeinit-extra_libs.patch b/gnu/packages/patches/kinit-kdeinit-extra_libs.patch index c3c4ce1161..1271f3df7d 100644 --- a/gnu/packages/patches/kinit-kdeinit-extra_libs.patch +++ b/gnu/packages/patches/kinit-kdeinit-extra_libs.patch 
@@ -42,12 +42,12 @@ pkgs/development/libraries/kde-frameworks/kinit/kdeinit-extra_libs.patch extern "C" { static void secondary_child_handler(int) -@@ -1689,7 +1693,7 @@ +@@ -1673,7 +1673,7 @@ + #if defined(Q_OS_UNIX) && !defined(Q_OS_OSX) if (!d.suicide && qEnvironmentVariableIsEmpty("KDE_IS_PRELINKED")) { - const int extrasCount = sizeof(extra_libs) / sizeof(extra_libs[0]); - for (int i = 0; i < extrasCount; i++) { -- const QString extra = findSharedLib(QString::fromLatin1(extra_libs[i])); -+ const QString extra = QString::fromLatin1(extra_libs[i]); + for (const char *extra_lib : extra_libs) { +- const QString extra = findSharedLib(QString::fromLatin1(extra_lib)); ++ const QString extra = QString::fromLatin1(extra_lib); if (!extra.isEmpty()) { QLibrary l(extra); l.setLoadHints(QLibrary::ExportExternalSymbolsHint); diff --git a/gnu/packages/patches/libdrm-realpath-virtio.patch b/gnu/packages/patches/libdrm-realpath-virtio.patch new file mode 100644 index 0000000000..b7d85160b4 --- /dev/null +++ b/gnu/packages/patches/libdrm-realpath-virtio.patch 
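Review bot: With `findSharedLib()` removed, `const QString extra = QString::fromLatin1(extra_lib);` passes each entry to `QLibrary` unchanged, so the following `if (!extra.isEmpty())` guard only rejects an empty string and no longer filters out libraries that could not be located. This is safe only if every `extra_libs` entry is an absolute path. That array is defined outside this hunk; if an entry were a bare name, resolution would presumably fall back to the loader's default search path. A comment on the new line would record the assumption, for example `// extra_libs entries are absolute store paths, so no search-path lookup is wanted`. The loop body continues past the end of the hunk, so how a failed load is handled cannot be checked from here.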
@@ -0,0 +1,42 @@ +Only check for for relative path on virtio devices. Otherwise it could +break driver loading in some circumstances, notably the IceCat sandbox. + +https://gitlab.freedesktop.org/mesa/drm/-/issues/39 + +Taken from upstream: +https://gitlab.freedesktop.org/mesa/drm/-/commit/57df07572ce45a1b60bae6fb89770388d3abd6dd + +diff --git a/xf86drm.c b/xf86drm.c +--- a/xf86drm.c ++++ b/xf86drm.c +@@ -3103,15 +3103,18 @@ static int drmParseSubsystemType(int maj, int min) + int subsystem_type; + + snprintf(path, sizeof(path), "/sys/dev/char/%d:%d/device", maj, min); +- if (!realpath(path, real_path)) +- return -errno; +- snprintf(path, sizeof(path), "%s", real_path); + + subsystem_type = get_subsystem_type(path); ++ /* Try to get the parent (underlying) device type */ + if (subsystem_type == DRM_BUS_VIRTIO) { ++ /* Assume virtio-pci on error */ ++ if (!realpath(path, real_path)) ++ return DRM_BUS_VIRTIO; + strncat(path, "/..", PATH_MAX); + subsystem_type = get_subsystem_type(path); +- } ++ if (subsystem_type < 0) ++ return DRM_BUS_VIRTIO; ++ } + return subsystem_type; + #elif defined(__OpenBSD__) || defined(__DragonFly__) || defined(__FreeBSD__) + return DRM_BUS_PCI; +@@ -3920,6 +3923,7 @@ process_device(drmDevicePtr *device, const char *d_name, + + switch (subsystem_type) { + case DRM_BUS_PCI: ++ case DRM_BUS_VIRTIO: + return drmProcessPciDevice(device, node, node_type, maj, min, + fetch_deviceinfo, flags); + case DRM_BUS_USB: diff --git a/gnu/packages/patches/libdrm-symbol-check.patch b/gnu/packages/patches/libdrm-symbol-check.patch deleted file mode 100644 index 0a77763a4f..0000000000 --- a/gnu/packages/patches/libdrm-symbol-check.patch +++ /dev/null 
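Review bot: `strncat(path, "/..", PATH_MAX);` in drmParseSubsystemType uses the buffer's nominal size as the bound, but strncat's third argument limits the number of bytes appended, not the resulting length, so it does not protect `path` from being overrun. As far as the hunk shows the string is short, since it comes from the preceding `snprintf(path, sizeof(path), "/sys/dev/char/%d:%d/device", maj, min)`, so this looks latent rather than reachable. The bound should still be the remaining space: `strncat(path, "/..", sizeof(path) - strlen(path) - 1);`. After this change `real_path` serves only as a success check for `realpath()`, and the parent lookup runs on the unresolved `path`, which deserves a short comment. The declaration of `path` lies outside the hunk and the line is carried over unchanged from upstream, so the fix would need to go upstream as well.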
@@ -1,215 +0,0 @@ -Augment the list of expected symbols to fix the symbol-check tests on -mips64el-linux, armhf-linux and aarch64-linux. - ---- libdrm-2.4.65/freedreno/freedreno-symbol-check.orig 2015-09-04 11:07:40.000000000 -0400 -+++ libdrm-2.4.65/freedreno/freedreno-symbol-check 2015-10-18 23:57:15.288416229 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. -+# The following symbols (past the first 12) are taken from the public headers. - # A list of the latter should be available Makefile.sources/LIBDRM_FREEDRENO_H_FILES - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_freedreno.so} | awk '{print $3}'| while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - fd_bo_cpu_fini - fd_bo_cpu_prep - fd_bo_del ---- libdrm-2.4.65/nouveau/nouveau-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 -+++ libdrm-2.4.65/nouveau/nouveau-symbol-check 2015-10-18 23:55:26.078327118 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. -+# The following symbols (past the first 12) are taken from the public headers. - # A list of the latter should be available Makefile.sources/LIBDRM_NOUVEAU_H_FILES - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_nouveau.so} | awk '{print $3}'| while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - nouveau_bo_map - nouveau_bo_name_get - nouveau_bo_name_ref ---- libdrm-2.4.65/libkms/kms-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 -+++ libdrm-2.4.65/libkms/kms-symbol-check 2015-10-18 23:46:10.683869471 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. 
-+# The following symbols (past the first 12) are taken from the public headers. - # A list of the latter should be available Makefile.sources/LIBKMS_H_FILES - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libkms.so} | awk '{print $3}'| while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - kms_bo_create - kms_bo_destroy - kms_bo_get_prop ---- libdrm-2.4.65/intel/intel-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 -+++ libdrm-2.4.65/intel/intel-symbol-check 2015-10-18 23:55:53.309558508 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. -+# The following symbols (past the first 12) are taken from the public headers. - # A list of the latter should be available Makefile.sources/LIBDRM_INTEL_H_FILES - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_intel.so} | awk '{print $3}' | while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - drm_intel_bo_alloc - drm_intel_bo_alloc_for_render - drm_intel_bo_alloc_tiled ---- libdrm-2.4.65/amdgpu/amdgpu-symbol-check.orig 2015-08-17 10:08:11.000000000 -0400 -+++ libdrm-2.4.65/amdgpu/amdgpu-symbol-check 2015-10-18 23:56:10.606917723 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. -+# The following symbols (past the first 12) are taken from the public headers. 
- # A list of the latter should be available Makefile.am/libdrm_amdgpuinclude_HEADERS - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_amdgpu.so} | awk '{print $3}' | while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - amdgpu_bo_alloc - amdgpu_bo_cpu_map - amdgpu_bo_cpu_unmap ---- libdrm-2.4.65/exynos/exynos-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 -+++ libdrm-2.4.65/exynos/exynos-symbol-check 2015-10-18 23:56:32.025486153 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. -+# The following symbols (past the first 12) are taken from the public headers. - # A list of the latter should be available Makefile.am/libdrm_exynos*_HEADERS - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_exynos.so} | awk '{print $3}'| while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - exynos_bo_create - exynos_bo_destroy - exynos_bo_from_name ---- libdrm-2.4.65/omap/omap-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 -+++ libdrm-2.4.65/omap/omap-symbol-check 2015-10-18 23:56:44.834438626 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. -+# The following symbols (past the first 12) are taken from the public headers. 
- # A list of the latter should be available Makefile.am/libdrm_omap*HEADERS - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_omap.so} | awk '{print $3}'| while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - omap_bo_cpu_fini - omap_bo_cpu_prep - omap_bo_del ---- libdrm-2.4.65/tegra/tegra-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 -+++ libdrm-2.4.65/tegra/tegra-symbol-check 2015-10-18 23:57:00.756759698 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first nine) are taken from tegra.h. -+# The following symbols (past the first 12) are taken from tegra.h. - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_tegra.so} | awk '{print $3}'| while read func; do - ( grep -q "^$func$" || echo $func ) <<EOF -@@ -9,6 +9,9 @@ - __bss_start - __end__ - _bss_end__ -+_fbss -+_fdata -+_ftext - _edata - _end - _fini ---- libdrm-2.4.65/radeon/radeon-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 -+++ libdrm-2.4.65/radeon/radeon-symbol-check 2015-10-18 23:57:00.756759698 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. -+# The following symbols (past the first 12) are taken from the public headers. - # A list of the latter should be available Makefile.sources/LIBDRM_RADEON_H_FILES - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_tegra.so} | awk '{print $3}'| while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - radeon_bo_debug - radeon_bo_get_handle - radeon_bo_get_src_domain diff --git a/gnu/packages/patches/nss-CVE-2020-12399.patch b/gnu/packages/patches/nss-CVE-2020-12399.patch deleted file mode 100644 index 0d91b655e2..0000000000 --- a/gnu/packages/patches/nss-CVE-2020-12399.patch +++ /dev/null 
@@ -1,138 +0,0 @@ -Fix CVE-2020-12399 (Timing attack on DSA signature generation: NSS has -shown timing differences when performing DSA signatures, which was -exploitable and could eventually leak private keys.) - -Copied from upstream: -<https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e> -but with "nss/" inserted into the file name to patch. - -# HG changeset patch -# User Robert Relyea <rrelyea@redhat.com> -# Date 1589907685 0 -# Node ID daa823a4a29bcef0fec33a379ec83857429aea2e -# Parent d2cfb4ccdf167e5ea06d2bb5bc39c50f789929c8 -Bug 1631576 - Force a fixed length for DSA exponentiation r=pereida,bbrumley - -Differential Revision: https://phabricator.services.mozilla.com/D72011 - -diff --git a/nss/lib/freebl/dsa.c b/nss/lib/freebl/dsa.c ---- a/nss/lib/freebl/dsa.c -+++ b/nss/lib/freebl/dsa.c -@@ -308,23 +308,24 @@ DSA_NewKeyFromSeed(const PQGParams *para - SECItem seedItem; - seedItem.data = (unsigned char *)seed; - seedItem.len = PQG_GetLength(¶ms->subPrime); - return dsa_NewKeyExtended(params, &seedItem, privKey); - } - - static SECStatus - dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest, -- const unsigned char *kb) -+ const unsigned char *kbytes) - { - mp_int p, q, g; /* PQG parameters */ - mp_int x, k; /* private key & pseudo-random integer */ - mp_int r, s; /* tuple (r, s) is signature) */ - mp_int t; /* holding tmp values */ - mp_int ar; /* holding blinding values */ -+ mp_digit fuzz; /* blinding multiplier for q */ - mp_err err = MP_OKAY; - SECStatus rv = SECSuccess; - unsigned int dsa_subprime_len, dsa_signature_len, offset; - SECItem localDigest; - unsigned char localDigestData[DSA_MAX_SUBPRIME_LEN]; - SECItem t2 = { siBuffer, NULL, 0 }; - - /* FIPS-compliance dictates that digest is a SHA hash. 
*/ -@@ -368,31 +369,46 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt - CHECK_MPI_OK(mp_init(&q)); - CHECK_MPI_OK(mp_init(&g)); - CHECK_MPI_OK(mp_init(&x)); - CHECK_MPI_OK(mp_init(&k)); - CHECK_MPI_OK(mp_init(&r)); - CHECK_MPI_OK(mp_init(&s)); - CHECK_MPI_OK(mp_init(&t)); - CHECK_MPI_OK(mp_init(&ar)); -+ - /* - ** Convert stored PQG and private key into MPI integers. - */ - SECITEM_TO_MPINT(key->params.prime, &p); - SECITEM_TO_MPINT(key->params.subPrime, &q); - SECITEM_TO_MPINT(key->params.base, &g); - SECITEM_TO_MPINT(key->privateValue, &x); -- OCTETS_TO_MPINT(kb, &k, dsa_subprime_len); -+ OCTETS_TO_MPINT(kbytes, &k, dsa_subprime_len); -+ -+ /* k blinding create a single value that has the high bit set in -+ * the mp_digit*/ -+ if (RNG_GenerateGlobalRandomBytes(&fuzz, sizeof(mp_digit)) != SECSuccess) { -+ PORT_SetError(SEC_ERROR_NEED_RANDOM); -+ rv = SECFailure; -+ goto cleanup; -+ } -+ fuzz |= 1ULL << ((sizeof(mp_digit) * PR_BITS_PER_BYTE - 1)); - /* - ** FIPS 186-1, Section 5, Step 1 - ** - ** r = (g**k mod p) mod q - */ -- CHECK_MPI_OK(mp_exptmod(&g, &k, &p, &r)); /* r = g**k mod p */ -- CHECK_MPI_OK(mp_mod(&r, &q, &r)); /* r = r mod q */ -+ CHECK_MPI_OK(mp_mul_d(&q, fuzz, &t)); /* t = q*fuzz */ -+ CHECK_MPI_OK(mp_add(&k, &t, &t)); /* t = k+q*fuzz */ -+ /* length of t is now fixed, bits in k have been blinded */ -+ CHECK_MPI_OK(mp_exptmod(&g, &t, &p, &r)); /* r = g**t mod p */ -+ /* r is now g**(k+q*fuzz) == g**k mod p */ -+ CHECK_MPI_OK(mp_mod(&r, &q, &r)); /* r = r mod q */ -+ - /* - ** FIPS 186-1, Section 5, Step 2 - ** - ** s = (k**-1 * (HASH(M) + x*r)) mod q - */ - if (DSA_NewRandom(NULL, &key->params.subPrime, &t2) != SECSuccess) { - PORT_SetError(SEC_ERROR_NEED_RANDOM); - rv = SECFailure; -@@ -406,25 +422,34 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt - goto cleanup; - } - SECITEM_TO_MPINT(t2, &ar); /* ar <-$ Zq */ - SECITEM_FreeItem(&t2, PR_FALSE); - - /* Using mp_invmod on k directly would leak bits from k. 
*/ - CHECK_MPI_OK(mp_mul(&k, &ar, &k)); /* k = k * ar */ - CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */ -- CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */ -+ /* k is now k*t*ar */ -+ CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */ -+ /* k is now (k*t*ar)**-1 */ - CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */ -- SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */ -+ /* k is now (k*ar)**-1 */ -+ SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */ - /* To avoid leaking secret bits here the addition is blinded. */ -- CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */ -- CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */ -+ CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */ -+ /* x is now x*ar */ -+ CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */ -+ /* x is now x*r*ar */ - CHECK_MPI_OK(mp_mulmod(&s, &ar, &q, &t)); /* t = s * ar mod q */ -- CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */ -- CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */ -+ /* t is now hash(M)*ar */ -+ CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */ -+ /* s is now (HASH(M)+x*r)*ar */ -+ CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */ -+ /* s is now (HASH(M)+x*r)*ar*(k*ar)**-1 = (k**-1)*(HASH(M)+x*r) */ -+ - /* - ** verify r != 0 and s != 0 - ** mentioned as optional in FIPS 186-1. - */ - if (mp_cmp_z(&r) == 0 || mp_cmp_z(&s) == 0) { - PORT_SetError(SEC_ERROR_NEED_RANDOM); - rv = SECFailure; - goto cleanup; - diff --git a/gnu/packages/patches/pyqt-unbundled-qt.patch b/gnu/packages/patches/pyqt-unbundled-qt.patch deleted file mode 100644 index 5c91ed031c..0000000000 --- a/gnu/packages/patches/pyqt-unbundled-qt.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -Remove test for bundled Qt which breaks dependent applications. This has -been fixed in 5.13. - -Taken from Arch Linux: -https://git.archlinux.org/svntogit/packages.git/tree/trunk/python2-pyqt5-crash-fix.patch?h=packages/pyqt5&id=3e56e11d1fd7b1eac8242ce64c58db2bd9acba20 - -diff -ur PyQt5_gpl-5.12.3/qpy/QtCore/qpycore_post_init.cpp.in PyQt5_gpl-5.12.3b/qpy/QtCore/qpycore_post_init.cpp.in ---- PyQt5_gpl-5.12.3/qpy/QtCore/qpycore_post_init.cpp.in 2019-06-25 14:41:02.000000000 +0200 -+++ PyQt5_gpl-5.12.3b/qpy/QtCore/qpycore_post_init.cpp.in 2019-07-01 17:06:34.882644535 +0200 -@@ -151,8 +151,4 @@ - // initialised first (at least for Windows) and this is the only way to - // guarantee things are done in the right order. - PyQtSlotProxy::mutex = new QMutex(QMutex::Recursive); -- -- // Load the embedded qt.conf file if there is a bundled copy of Qt. -- if (!qpycore_qt_conf()) -- Py_FatalError("PyQt5.QtCore: Unable to embed qt.conf"); - } - diff --git a/gnu/packages/patches/qtbase-QTBUG-81715.patch b/gnu/packages/patches/qtbase-QTBUG-81715.patch deleted file mode 100644 index 70b83b97d2..0000000000 --- a/gnu/packages/patches/qtbase-QTBUG-81715.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 8a3fde00bf53d99e9e4853e8ab97b0e1bcf74915 Mon Sep 17 00:00:00 2001 -From: Joerg Bornemann <joerg.bornemann@qt.io> -Date: Wed, 29 Jan 2020 11:06:35 +0100 -Subject: [PATCH] Fix qt5_make_output_file macro for paths containing dots - -Commit 89bd5a7e broke CMake projects that use dots in their build -paths, because the used regular expression matches the directory part -of the path as well. - -The regex wants to achieve the same as get_filename_component(... -NAME_WLE) which is available since CMake 3.14. Re-implement the -NAME_WLE functionality for older CMake versions by using multiple -get_filename_component calls. - -Fixes: QTBUG-81715 -Task-number: QTBUG-80295 -Change-Id: I2ef053300948f6e1b2c0c5eafac35105f193d4e6 -Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io> ---- - -diff --git a/src/corelib/Qt5CoreMacros.cmake b/src/corelib/Qt5CoreMacros.cmake -index 7735e51..b3da640 100644 ---- a/src/corelib/Qt5CoreMacros.cmake -+++ b/src/corelib/Qt5CoreMacros.cmake -@@ -59,7 +59,14 @@ - set(_outfile "${CMAKE_CURRENT_BINARY_DIR}/${rel}") - string(REPLACE ".." "__" _outfile ${_outfile}) - get_filename_component(outpath ${_outfile} PATH) -- string(REGEX REPLACE "\\.[^.]*$" "" _outfile ${_outfile}) -+ if(CMAKE_VERSION VERSION_LESS "3.14") -+ get_filename_component(_outfile_ext ${_outfile} EXT) -+ get_filename_component(_outfile_ext ${_outfile_ext} NAME_WE) -+ get_filename_component(_outfile ${_outfile} NAME_WE) -+ string(APPEND _outfile ${_outfile_ext}) -+ else() -+ get_filename_component(_outfile ${_outfile} NAME_WLE) -+ endif() - file(MAKE_DIRECTORY ${outpath}) - set(${outfile} ${outpath}/${prefix}${_outfile}.${ext}) - endmacro() diff --git a/gnu/packages/patches/qtbase-use-TZDIR.patch b/gnu/packages/patches/qtbase-use-TZDIR.patch index 11c737d844..b6c377b133 100644 --- a/gnu/packages/patches/qtbase-use-TZDIR.patch +++ b/gnu/packages/patches/qtbase-use-TZDIR.patch 
@@ -4,8 +4,8 @@ important to be able to update it fast. Based on a patch fron NixOS. =================================================================== ---- qtbase-opensource-src-5.9.4.orig/src/corelib/tools/qtimezoneprivate_tz.cpp -+++ qtbase-opensource-src-5.9.4/src/corelib/tools/qtimezoneprivate_tz.cpp +--- qtbase-opensource-src-5.14.2.orig/src/corelib/time/qtimezoneprivate_tz.cpp ++++ qtbase-opensource-src-5.15.2/src/corelib/time/qtimezoneprivate_tz.cpp @@ -70,7 +70,11 @@ // Parse zone.tab table, assume lists all installed zones, if not will need to read directories static QTzTimeZoneHash loadTzTimeZones() |