Diffstat (limited to 'gnu/packages/patches')
17 files changed, 537 insertions, 52 deletions
diff --git a/gnu/packages/patches/hubbub-sort-entities.patch b/gnu/packages/patches/hubbub-sort-entities.patch
new file mode 100644
index 0000000000..012e3c3022
--- /dev/null
+++ b/gnu/packages/patches/hubbub-sort-entities.patch
@@ -0,0 +1,13 @@
+Traverse the entities hash's keys in sorted order to ensure reproducibility.
+
+--- libhubbub-0.3.3/build/make-entities.pl
++++ libhubbub-0.3.3/build/make-entities.pl
+@@ -86,7 +86,7 @@
+
+ my $trie;
+
+-foreach my $key (keys %entities) {
++foreach my $key (sort keys %entities) {
+ $trie = insert_node($trie, $key, $entities{$key});
+ }
+
diff --git a/gnu/packages/patches/netsurf-about.patch b/gnu/packages/patches/netsurf-about.patch
deleted file mode 100644
index 1fb8eae824..0000000000
--- a/gnu/packages/patches/netsurf-about.patch
+++ /dev/null
@@ -1,26 +0,0 @@
---- netsurf-all-3.5/netsurf/gtk/about.c
-+++ netsurf-all-3.5/netsurf/gtk/about.c
-@@ -79,11 +79,11 @@
- switch (response_id) {
-
- case ABOUT_RESPONSE_ID_LICENCE:
-- about_open("about:credits");
-+ about_open("about:licence");
- break;
-
- case ABOUT_RESPONSE_ID_CREDITS:
-- about_open("about:licence");
-+ about_open("about:credits");
- break;
- }
-
---- netsurf-all-3.5/netsurf/desktop/version.c
-+++ netsurf-all-3.5/netsurf/desktop/version.c
-@@ -20,6 +20,6 @@
-
- #include "desktop/version.h"
-
--const char * const netsurf_version = "3.5 (6th April 1016)";
-+const char * const netsurf_version = "3.5 (6th April 2016)";
- const int netsurf_version_major = 3;
- const int netsurf_version_minor = 5;
diff --git a/gnu/packages/patches/netsurf-longer-test-timeout.patch b/gnu/packages/patches/netsurf-longer-test-timeout.patch
new file mode 100644
index 0000000000..4dd5a8539f
--- /dev/null
+++ b/gnu/packages/patches/netsurf-longer-test-timeout.patch
@@ -0,0 +1,20 @@
+Increase the timeout on dictionary tests to accommodate slower machines.
+
+--- netsurf-3.6/test/hashtable.c
++++ netsurf-3.6/test/hashtable.c
+@@ -286,6 +286,7 @@
+ tcase_add_checked_fixture(tc_dict_s,
+ dicts_hashtable_create,
+ dict_hashtable_teardown);
++ tcase_set_timeout(tc_dict_s, 30);
+
+ tcase_add_test(tc_dict_s, hashtable_dict_test);
+
+@@ -297,6 +298,7 @@
+ tcase_add_checked_fixture(tc_dict_l,
+ dictl_hashtable_create,
+ dict_hashtable_teardown);
++ tcase_set_timeout(tc_dict_l, 30);
+
+ tcase_add_test(tc_dict_l, hashtable_dict_test);
+
diff --git a/gnu/packages/patches/netsurf-system-utf8proc.patch b/gnu/packages/patches/netsurf-system-utf8proc.patch
new file mode 100644
index 0000000000..254bf52c93
--- /dev/null
+++ b/gnu/packages/patches/netsurf-system-utf8proc.patch
@@ -0,0 +1,64 @@ +Use upstream utf8proc package, as suggested in +http://source.netsurf-browser.org/libutf8proc.git/commit/?id=770e329cceaf0620c7b482589a9b17ed1d19c16d + +Work around upstream's lack of a pkg-config file and update API. + +--- netsurf-3.6/Makefile ++++ netsurf-3.6/Makefile +@@ -527,10 +527,9 @@ + $(eval $(call pkg_config_find_and_add,libcss,CSS)) + $(eval $(call pkg_config_find_and_add,libdom,DOM)) + $(eval $(call pkg_config_find_and_add,libnsutils,nsutils)) +-$(eval $(call pkg_config_find_and_add,libutf8proc,utf8proc)) + + # Common libraries without pkg-config support +-LDFLAGS += -lz ++LDFLAGS += -lz -lutf8proc + + # Optional libraries with pkgconfig + +--- netsurf-3.6/utils/idna.c ++++ netsurf-3.6/utils/idna.c +@@ -26,7 +26,7 @@ + #include <stdint.h> + #include <stdlib.h> + #include <string.h> +-#include <libutf8proc/utf8proc.h> ++#include <utf8proc.h> + + #include "utils/errors.h" + #include "utils/idna.h" +@@ -250,7 +250,7 @@ + return NSERROR_NOMEM; + } + +- nfc_size = utf8proc_normalise(nfc_label, nfc_size, ++ nfc_size = utf8proc_normalize_utf32(nfc_label, nfc_size, + UTF8PROC_STABLE | UTF8PROC_COMPOSE); + if (nfc_size < 0) { + return NSERROR_NOMEM; +@@ -565,7 +565,7 @@ + } + + /* Perform NFC normalisation */ +- ucs4_len = utf8proc_normalise(ucs4, u_ucs4_len, ++ ucs4_len = utf8proc_normalize_utf32(ucs4, u_ucs4_len, + UTF8PROC_STABLE | UTF8PROC_COMPOSE); + if (ucs4_len < 0) { + free(ucs4); +--- netsurf-3.6/test/Makefile ++++ netsurf-3.6/test/Makefile +@@ -112,11 +112,11 @@ + -D_XOPEN_SOURCE=600 \ + -Itest -Iinclude -Icontent/handlers -Ifrontends -I. -I.. 
\ + -Dnsgtk \ +- $(shell pkg-config --cflags libcurl libparserutils libwapcaplet libdom libnsutils libutf8proc libidn) \ ++ $(shell pkg-config --cflags libcurl libparserutils libwapcaplet libdom libnsutils libidn) \ + $(LIB_CFLAGS) \ + $(COV_CFLAGS) + +-TESTLDFLAGS := $(shell pkg-config --libs libcurl libparserutils libwapcaplet libdom libnsutils libutf8proc libidn) -lz \ ++TESTLDFLAGS := $(shell pkg-config --libs libcurl libparserutils libwapcaplet libdom libnsutils libidn) -lz -lutf8proc \ + $(LIB_LDFLAGS)\ + $(COV_LDFLAGS) + diff --git a/gnu/packages/patches/netsurf-y2038-tests.patch b/gnu/packages/patches/netsurf-y2038-tests.patch new file mode 100644 index 0000000000..407a5277c8 --- /dev/null +++ b/gnu/packages/patches/netsurf-y2038-tests.patch @@ -0,0 +1,25 @@ +These two test cases fail for us on i686. + +See https://en.wikipedia.org/wiki/Year_2038_problem + +--- netsurf-3.6/test/time.c ++++ netsurf-3.6/test/time.c +@@ -77,18 +77,10 @@ + .expected = "Tue, 12 Jun 2001 12:12:12 GMT" + }, + { +- .test = "Thu, 16 Jul 2207 12:45:12 GMT", +- .expected = "Thu, 16 Jul 2207 12:45:12 GMT" +- }, +- { + .test = "Thu, 16 Aug 2007 19:45:12 GMT", + .expected = "Thu, 16 Aug 2007 19:45:12 GMT" + }, + { +- .test = "Tue, 16 Sep 3456 00:45:12 GMT", +- .expected = "Tue, 16 Sep 3456 00:45:12 GMT" +- }, +- { + .test = "Sun, 16 Oct 1988 19:45:59 GMT", + .expected = "Sun, 16 Oct 1988 19:45:59 GMT" + }, diff --git a/gnu/packages/patches/ntfs-3g-CVE-2017-0358.patch b/gnu/packages/patches/ntfs-3g-CVE-2017-0358.patch index 6edd676e38..83c9dbb3d4 100644 --- a/gnu/packages/patches/ntfs-3g-CVE-2017-0358.patch +++ b/gnu/packages/patches/ntfs-3g-CVE-2017-0358.patch 
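Review bot: The two post-2038 entries in netsurf-y2038-tests.patch are dropped for every architecture, while the patch header says they only fail on i686, so 64-bit builds lose the coverage that dates beyond 2038 round-trip correctly. If the package definition can apply this patch only on the affected systems, that keeps the cases where they pass; otherwise the header should say the removal is deliberately unconditional. The test array the entries belong to starts and ends outside the hunk.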
@@ -2,25 +2,26 @@ Fix CVE-2017-0358: http://seclists.org/oss-sec/2017/q1/259 This patch was copied from the above URL. -diff -ur ntfs-3g.old/src/lowntfs-3g.c ntfs-3g/src/lowntfs-3g.c ---- ntfs-3g.old/src/lowntfs-3g.c 2017-02-09 15:01:04.074331542 -0500 -+++ ntfs-3g/src/lowntfs-3g.c 2017-02-09 15:06:35.757580937 -0500 -@@ -3827,13 +3827,14 @@ - struct stat st; - pid_t pid; - const char *cmd = "/sbin/modprobe"; +diff --git a/src/lowntfs-3g.c b/src/lowntfs-3g.c +index 0bb38f9..c6d1dad 100644 +--- a/src/lowntfs-3g.c ++++ b/src/lowntfs-3g.c +@@ -3827,13 +3827,14 @@ static fuse_fstype load_fuse_module(void) + struct stat st; + pid_t pid; + const char *cmd = "/sbin/modprobe"; + char *env = (char*)NULL; - struct timespec req = { 0, 100000000 }; /* 100 msec */ - fuse_fstype fstype; - - if (!stat(cmd, &st) && !geteuid()) { - pid = fork(); - if (!pid) { + struct timespec req = { 0, 100000000 }; /* 100 msec */ + fuse_fstype fstype; + + if (!stat(cmd, &st) && !geteuid()) { + pid = fork(); + if (!pid) { - execl(cmd, cmd, "fuse", NULL); + execle(cmd, cmd, "fuse", NULL, &env); - _exit(1); - } else if (pid != -1) - waitpid(pid, NULL, 0); + _exit(1); + } else if (pid != -1) + waitpid(pid, NULL, 0); diff -ur ntfs-3g.old/src/ntfs-3g.c ntfs-3g/src/ntfs-3g.c --- ntfs-3g.old/src/ntfs-3g.c 2017-02-09 15:01:04.074331542 -0500 +++ ntfs-3g/src/ntfs-3g.c 2017-02-09 15:06:26.077252571 -0500 diff --git a/gnu/packages/patches/qemu-CVE-2017-5667.patch b/gnu/packages/patches/qemu-CVE-2017-5667.patch new file mode 100644 index 0000000000..5adea0d278 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-5667.patch 
@@ -0,0 +1,46 @@
+Fix CVE-2017-5667 (sdhci OOB access during multi block SDMA transfer):
+
+http://seclists.org/oss-sec/2017/q1/243
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5667
+
+Patch copied from upstream source repository:
+
+http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=42922105beb14c2fc58185ea022b9f72fb5465e9
+
+From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 7 Feb 2017 18:29:59 +0000
+Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
+
+While doing multi block SDMA transfer in routine
+'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
+index 'begin' and data length 's->data_count' could end up to be same.
+This could lead to an OOB access issue. Correct transfer data length
+to avoid it.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Jiang Xin <jiangxin1@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20170130064736.9236-1-ppandit@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/sd/sdhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 01fbf228be..5bd5ab6319 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+ boundary_count -= block_size - begin;
+ }
+ dma_memory_read(&address_space_memory, s->sdmasysad,
+- &s->fifo_buffer[begin], s->data_count);
++ &s->fifo_buffer[begin], s->data_count - begin);
+ s->sdmasysad += s->data_count - begin;
+ if (s->data_count == block_size) {
+ for (n = 0; n < block_size; n++) {
+--
+2.11.1
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5898.patch b/gnu/packages/patches/qemu-CVE-2017-5898.patch
new file mode 100644
index 0000000000..5a94bb1ae4
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5898.patch
@@ -0,0 +1,44 @@
+Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest):
+
+http://seclists.org/oss-sec/2017/q1/328
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5898
+
+Patch copied from upstream source repository:
+
+http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a
+
+From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 3 Feb 2017 00:52:28 +0530
+Subject: [PATCH] usb: ccid: check ccid apdu length
+
+CCID device emulator uses Application Protocol Data Units(APDU)
+to exchange command and responses to and from the host.
+The length in these units couldn't be greater than 65536. Add
+check to ensure the same. It'd also avoid potential integer
+overflow in emulated_apdu_from_guest.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20170202192228.10847-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/dev-smartcard-reader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
+index 89e11b68c4..1325ea1659 100644
+--- a/hw/usb/dev-smartcard-reader.c
++++ b/hw/usb/dev-smartcard-reader.c
+@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
+ DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
+ recv->hdr.bSeq, len);
+ ccid_add_pending_answer(s, (CCID_Header *)recv);
+- if (s->card) {
++ if (s->card && len <= BULK_OUT_DATA_SIZE) {
+ ccid_card_apdu_from_guest(s->card, recv->abData, len);
+ } else {
+ DPRINTF(s, D_WARN, "warning: discarded apdu\n");
+--
+2.11.1
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5931.patch b/gnu/packages/patches/qemu-CVE-2017-5931.patch
new file mode 100644
index 0000000000..08910e5fac
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5931.patch
@@ -0,0 +1,55 @@ +Fix CVE-2017-5931 (integer overflow in handling virtio-crypto requests): + +http://seclists.org/oss-sec/2017/q1/337 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931 + +Patch copied from upstream source repository: + +http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4 + +From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001 +From: Gonglei <arei.gonglei@huawei.com> +Date: Tue, 3 Jan 2017 14:50:03 +0800 +Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow + +Because the 'size_t' type is 4 bytes in 32-bit platform, which +is the same with 'int'. It's easy to make 'max_len' to zero when +integer overflow and then cause heap overflow if 'max_len' is zero. + +Using uint_64 instead of size_t to avoid the integer overflow. + +Cc: qemu-stable@nongnu.org +Reported-by: Li Qiang <liqiang6-s@360.cn> +Signed-off-by: Gonglei <arei.gonglei@huawei.com> +Tested-by: Li Qiang <liqiang6-s@360.cn> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Michael S. 
Tsirkin <mst@redhat.com> +--- + hw/virtio/virtio-crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c +index 2f2467e859..c23e1ad458 100644 +--- a/hw/virtio/virtio-crypto.c ++++ b/hw/virtio/virtio-crypto.c +@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, + uint32_t hash_start_src_offset = 0, len_to_hash = 0; + uint32_t cipher_start_src_offset = 0, len_to_cipher = 0; + +- size_t max_len, curr_size = 0; ++ uint64_t max_len, curr_size = 0; + size_t s; + + /* Plain cipher */ +@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, + return NULL; + } + +- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len; ++ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; + if (unlikely(max_len > vcrypto->conf.max_size)) { + virtio_error(vdev, "virtio-crypto too big length"); + return NULL; +-- +2.11.1 + diff --git a/gnu/packages/patches/screen-CVE-2017-5618.patch b/gnu/packages/patches/screen-CVE-2017-5618.patch new file mode 100644 index 0000000000..1b95e428c8 --- /dev/null +++ b/gnu/packages/patches/screen-CVE-2017-5618.patch 
@@ -0,0 +1,40 @@
+Fixes CVE-2017-5618 (privilege escalation via opening the logfile when
+screen is installed setuid root):
+
+https://savannah.gnu.org/bugs/?50142
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5618
+
+This patch reverts the upstream commit that introduced the bug:
+
+https://git.savannah.gnu.org/cgit/screen.git/commit/?id=5460f5d28c01a9a58e021eb1dffef2965e629d58
+
+From f55b0cc29a0ac2a1c54e8a5e886b7393edd4a76c Mon Sep 17 00:00:00 2001
+From: Leo Famulari <leo@famulari.name>
+Date: Sat, 11 Feb 2017 22:40:24 -0500
+Subject: [PATCH] Revert "adding permissions check for the logfile name"
+
+This reverts commit 5460f5d28c01a9a58e021eb1dffef2965e629d58.
+---
+ src/screen.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/src/screen.c b/src/screen.c
+index 64650e9..283c305 100644
+--- a/src/screen.c
++++ b/src/screen.c
+@@ -673,12 +673,6 @@ int main(int ac, char** av)
+ Panic(0, "-L: logfile name can not start with \"-\" symbol");
+ if (strlen(screenlogfile) > PATH_MAX)
+ Panic(0, "-L: logfile name too long. (max. %d char)", PATH_MAX);
+-
+- FILE *w_check;
+- if ((w_check = fopen(screenlogfile, "w")) == NULL)
+- Panic(0, "-L: logfile name access problem");
+- else
+- fclose(w_check);
+ }
+ nwin_options.Lflag = 1;
+ break;
+--
+2.11.1
+
diff --git a/gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch b/gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch
new file mode 100644
index 0000000000..3f357c4924
--- /dev/null
+++ b/gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch
@@ -0,0 +1,31 @@
+Patch copied from upstream source repository:
+
+https://github.com/shadow-maint/shadow/commit/67d2bb6e0a5ac124ce1f026dd5723217b1493194
+
+From 67d2bb6e0a5ac124ce1f026dd5723217b1493194 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Sun, 18 Sep 2016 21:31:18 -0500
+Subject: [PATCH] su.c: fix missing length argument to snprintf
+
+---
+ src/su.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index 0c50a9456afd..93ffd2fbe2b4 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -373,8 +373,8 @@ static void prepare_pam_close_session (void)
+ stderr);
+ (void) kill (-pid_child, caught);
+
+- snprintf (kill_msg, _(" ...killed.\n"));
+- snprintf (wait_msg, _(" ...waiting for child to terminate.\n"));
++ snprintf (kill_msg, 256, _(" ...killed.\n"));
++ snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n"));
+
+ (void) signal (SIGALRM, kill_child);
+ (void) alarm (2);
+--
+2.11.0.rc2
+
diff --git a/gnu/packages/patches/slurm-configure-remove-nonfree-contribs.patch b/gnu/packages/patches/slurm-configure-remove-nonfree-contribs.patch
index b63d5bb018..4092261f75 100644
--- a/gnu/packages/patches/slurm-configure-remove-nonfree-contribs.patch
+++ b/gnu/packages/patches/slurm-configure-remove-nonfree-contribs.patch
@@ -1,19 +1,19 @@
-From 53eda9102b969a4be2882cea4befee03591a7436 Mon Sep 17 00:00:00 2001
-From: Pjotr Prins <pjotr.public01@thebird.nl>
-Date: Fri, 12 Feb 2016 12:43:33 +0100
-Subject: [PATCH] Remove contribs
+From 49d83e24a8e66977056fc9920812265c16806500 Mon Sep 17 00:00:00 2001
+From: carolili <carolili@iki.fi>
+Date: Thu, 9 Feb 2017 19:24:49 +0000
+Subject: [PATCH] Removing contribs
 
 ---
- configure.ac | 20 --------------------
- 1 file changed, 20 deletions(-)
+ configure.ac | 22 ----------------------
+ 1 file changed, 22 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index fedf354..e010732 100644
+index 1cf1051..5d76b44 100644
 --- a/configure.ac
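Review bot: The two added snprintf calls hard-code 256 as the destination size; if kill_msg and wait_msg are fixed-size arrays declared above the hunk (their declarations are not visible here), `snprintf (kill_msg, sizeof (kill_msg), _(" ...killed.\n"));` and the matching `sizeof (wait_msg)` form keep the bound tied to the buffer instead of a literal that can drift from it. Since this file is copied verbatim from the upstream commit, carrying a local variant is only worthwhile if it is also proposed upstream; otherwise a header line noting that the 256 mirrors upstream is enough. prepare_pam_close_session starts and ends outside the hunk.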
+++ b/configure.ac -@@ -438,26 +438,6 @@ dnl All slurm Makefiles: +@@ -435,28 +435,6 @@ dnl All slurm Makefiles: + AC_CONFIG_FILES([Makefile - config.xml auxdir/Makefile - contribs/Makefile - contribs/cray/Makefile @@ -27,7 +27,9 @@ index fedf354..e010732 100644 - contribs/perlapi/libslurm/perl/Makefile.PL - contribs/perlapi/libslurmdb/Makefile - contribs/perlapi/libslurmdb/perl/Makefile.PL +- contribs/seff/Makefile - contribs/torque/Makefile +- contribs/openlava/Makefile - contribs/phpext/Makefile - contribs/phpext/slurm_php/config.m4 - contribs/sgather/Makefile @@ -39,5 +41,5 @@ index fedf354..e010732 100644 doc/man/Makefile doc/man/man1/Makefile -- -2.1.4 +2.11.0 diff --git a/gnu/packages/patches/spice-CVE-2016-9577.patch b/gnu/packages/patches/spice-CVE-2016-9577.patch new file mode 100644 index 0000000000..a2cb558cd3 --- /dev/null +++ b/gnu/packages/patches/spice-CVE-2016-9577.patch 
@@ -0,0 +1,33 @@
+Prevent buffer overflow when reading large messages.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1401603
+https://access.redhat.com/security/cve/CVE-2016-9577
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9577
+https://security-tracker.debian.org/tracker/CVE-2016-9577
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3
+
+From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 29 Nov 2016 16:46:56 +0000
+Subject: main-channel: Prevent overflow reading messages from client
+
+diff --git a/server/main_channel.c b/server/main_channel.c
+index 0ecc9df..1fc3915 100644
+--- a/server/main_channel.c
++++ b/server/main_channel.c
+@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
+
+ if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
+ return reds_get_agent_data_buffer(mcc, size);
++ } else if (size > sizeof(main_chan->recv_buf)) {
++ /* message too large, caller will log a message and close the connection */
++ return NULL;
+ } else {
+ return main_chan->recv_buf;
+ }
+--
+cgit v0.10.2
+
diff --git a/gnu/packages/patches/spice-CVE-2016-9578-1.patch b/gnu/packages/patches/spice-CVE-2016-9578-1.patch
new file mode 100644
index 0000000000..f86cdb4eb1
--- /dev/null
+++ b/gnu/packages/patches/spice-CVE-2016-9578-1.patch
@@ -0,0 +1,33 @@
+Prevent possible DoS during protocol handshake.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1399566
+https://access.redhat.com/security/cve/CVE-2016-9578
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9578
+https://security-tracker.debian.org/tracker/CVE-2016-9578
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a
+
+From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 13 Dec 2016 14:39:48 +0000
+Subject: Prevent possible DoS attempts during protocol handshake
+
+diff --git a/server/reds.c b/server/reds.c
+index f40b65c..86a33d5 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque)
+
+ reds->peer_minor_version = header->minor_version;
+
+- if (header->size < sizeof(SpiceLinkMess)) {
++ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
++ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+ spice_warning("bad size %u", header->size);
+ reds_link_free(link);
+--
+cgit v0.10.2
+
diff --git a/gnu/packages/patches/spice-CVE-2016-9578-2.patch b/gnu/packages/patches/spice-CVE-2016-9578-2.patch
new file mode 100644
index 0000000000..76f7ec7ffb
--- /dev/null
+++ b/gnu/packages/patches/spice-CVE-2016-9578-2.patch
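Review bot: The "Patch copied from upstream source repository" URL in spice-CVE-2016-9578-1.patch names commit f66dc643635518e53dfbe5262f814a64eec54e4a, but the embedded From line identifies commit 1c6517973095a67c8cb57f3550fc1298404ab556, and the companion spice-CVE-2016-9578-2.patch already uses the f66dc643 URL for the commit it embeds. This header presumably should read `https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=1c6517973095a67c8cb57f3550fc1298404ab556` so the reference matches the change it documents. A mismatched reference makes the patch hard to verify against upstream when it is refreshed.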
@@ -0,0 +1,38 @@
+Fixes a potential buffer overflow in the protocol handling.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1399566
+https://access.redhat.com/security/cve/CVE-2016-9578
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9578
+https://security-tracker.debian.org/tracker/CVE-2016-9578
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a
+
+From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 13 Dec 2016 14:40:10 +0000
+Subject: Prevent integer overflows in capability checks
+
+diff --git a/server/reds.c b/server/reds.c
+index 86a33d5..9150454 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
+ link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
+ link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
+
++ /* Prevent DoS. Currently we defined only 13 capabilities,
++ * I expect 1024 to be valid for quite a lot time */
++ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
++ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
++ reds_link_free(link);
++ return;
++ }
++
+ num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
+ caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
+
+--
+cgit v0.10.2
+
diff --git a/gnu/packages/patches/vdirsyncer-test-suite-slow-machines.patch b/gnu/packages/patches/vdirsyncer-test-suite-slow-machines.patch
new file mode 100644
index 0000000000..03093e8330
--- /dev/null
+++ b/gnu/packages/patches/vdirsyncer-test-suite-slow-machines.patch
@@ -0,0 +1,42 @@
+Fix test failures caused by some build machines running more slowly than
+expected, which manifest like this:
+
+------
+> raise FailedHealthCheck(message)
+E hypothesis.errors.FailedHealthCheck: Data generation is extremely slow: Only produced 4 valid examples in 1.08 seconds (1 invalid ones and 0 exceeded maximum size). Try decreasing size of the data you're generating (with e.g.average_size or max_leaves parameters).
+E See http://hypothesis.readthedocs.org/en/latest/healthchecks.html for more information about this. If you want to disable just this health check, add HealthCheck.too_slowto the suppress_health_check settings for this test.
+
+/gnu/store/b8d1r8bilvm3jkncgrpvmg3dni9cgcr1-python-hypothesis-3.1.0/lib/python3.5/site-packages/hypothesis/core.py:296: FailedHealthCheck
+------
+
+Patch copied from upstream source repository:
+
+https://github.com/pimutils/vdirsyncer/commit/10490a12f13f03495e0945eb9d45d7aed9ab0a6c
+
+From 10490a12f13f03495e0945eb9d45d7aed9ab0a6c Mon Sep 17 00:00:00 2001
+From: Markus Unterwaditzer <markus@unterwaditzer.net>
+Date: Sat, 18 Feb 2017 15:45:06 +0100
+Subject: [PATCH] Unconditionally disable HealthCheck.too_slow
+
+---
+ tests/conftest.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tests/conftest.py b/tests/conftest.py
+index e0a07d5..3afd7cd 100644
+--- a/tests/conftest.py
++++ b/tests/conftest.py
+@@ -26,10 +26,12 @@ def benchmark():
+ else:
+ del pytest_benchmark
+
++
++settings.suppress_health_check = [HealthCheck.too_slow]
++
+ settings.register_profile("ci", settings(
+ max_examples=1000,
+ verbosity=Verbosity.verbose,
+- suppress_health_check=[HealthCheck.too_slow]
+ ))
+ settings.register_profile("deterministic", settings(
+ derandomize=True,
diff --git a/gnu/packages/patches/vim-CVE-2017-5953.patch b/gnu/packages/patches/vim-CVE-2017-5953.patch
new file mode 100644
index 0000000000..7b66f1bf16
--- /dev/null
+++ b/gnu/packages/patches/vim-CVE-2017-5953.patch
@@ -0,0 +1,24 @@
+Fix CVE-2017-5953:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953
+https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY
+
+Patch adapted from upstream commit, correcting the transcription error
+in the bounds check:
+
+https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d
+
+diff --git a/src/spellfile.c b/src/spellfile.c
+index c7d87c6..8b1a3a6 100644
+--- a/src/spellfile.c
++++ b/src/spellfile.c
+@@ -1595,6 +1595,9 @@ spell_read_tree(
+ len = get4c(fd);
+ if (len < 0)
+ return SP_TRUNCERROR;
++ if (len >= 0x3fffffff)
++ /* Invalid length, multiply with sizeof(int) would overflow. */
++ return SP_FORMERROR;
+ if (len > 0)
+ {
+ /* Allocate the byte array. */
|
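Review bot: The header says the patch corrects a transcription error in the upstream bounds check but never records what the upstream constant was, so anyone refreshing this file by re-copying the upstream commit can silently reintroduce the error without noticing. Add a header line such as `The upstream commit compares against <UPSTREAM-CONSTANT>; 0x3fffffff is the intended bound, since len * sizeof(int) must stay below 2^32.` with the placeholder replaced by the value actually found in the referenced commit. The rationale belongs in the header rather than the C comment so the deviation from upstream is visible when the patch is refreshed. spell_read_tree starts and ends outside the hunk.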