Diffstat (limited to 'gnu/packages/patches')
28 files changed, 1759 insertions, 497 deletions
diff --git a/gnu/packages/patches/bazaar-CVE-2017-14176.patch b/gnu/packages/patches/bazaar-CVE-2017-14176.patch
new file mode 100644
index 0000000000..0e9083b97d
--- /dev/null
+++ b/gnu/packages/patches/bazaar-CVE-2017-14176.patch
@@ -0,0 +1,166 @@
+Fix CVE-2017-14176:
+
+https://bugs.launchpad.net/bzr/+bug/1710979
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176
+
+Patch copied from Debian's Bazaar package version bzr_2.7.0+bzr6619-7+deb9u1:
+
+https://alioth.debian.org/scm/loggerhead/pkg-bazaar/bzr/2.7/revision/4204
+
+Description: Prevent SSH command line options from being specified in bzr+ssh:// URLs
+Bug: https://bugs.launchpad.net/brz/+bug/1710979
+Bug-Debian: https://bugs.debian.org/874429
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14176
+Forwarded: no
+Author: Jelmer Vernooij <jelmer@jelmer.uk>
+Last-Update: 2017-11-26
+
+=== modified file 'bzrlib/tests/test_ssh_transport.py'
+--- old/bzrlib/tests/test_ssh_transport.py 2010-10-07 12:45:51 +0000
++++ new/bzrlib/tests/test_ssh_transport.py 2017-08-20 01:59:20 +0000
+@@ -22,6 +22,7 @@
+ SSHCorpSubprocessVendor,
+ LSHSubprocessVendor,
+ SSHVendorManager,
++ StrangeHostname,
+ )
+
+
+@@ -161,6 +162,19 @@
+
+ class SubprocessVendorsTests(TestCase):
+
++ def test_openssh_command_tricked(self):
++ vendor = OpenSSHSubprocessVendor()
++ self.assertEqual(
++ vendor._get_vendor_specific_argv(
++ "user", "-oProxyCommand=blah", 100, command=["bzr"]),
++ ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
++ "-oClearAllForwardings=yes",
++ "-oNoHostAuthenticationForLocalhost=yes",
++ "-p", "100",
++ "-l", "user",
++ "--",
++ "-oProxyCommand=blah", "bzr"])
++
+ def test_openssh_command_arguments(self):
+ vendor = OpenSSHSubprocessVendor()
+ self.assertEqual(
+@@ -171,6 +185,7 @@
+ "-oNoHostAuthenticationForLocalhost=yes",
+ "-p", "100",
+ "-l", "user",
++ "--",
+ "host", "bzr"]
+ )
+
+@@ -184,9 +199,16 @@
+ "-oNoHostAuthenticationForLocalhost=yes",
+ "-p", "100",
+ "-l", "user",
+- "-s", "host", "sftp"]
++ "-s", "--", "host", "sftp"]
+ )
+
++ def test_openssh_command_tricked(self):
++ vendor = SSHCorpSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+ def test_sshcorp_command_arguments(self):
+ vendor = SSHCorpSubprocessVendor()
+ self.assertEqual(
+@@ -209,6 +231,13 @@
+ "-s", "sftp", "host"]
+ )
+
++ def test_lsh_command_tricked(self):
++ vendor = LSHSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+ def test_lsh_command_arguments(self):
+ vendor = LSHSubprocessVendor()
+ self.assertEqual(
+@@ -231,6 +260,13 @@
+ "--subsystem", "sftp", "host"]
+ )
+
++ def test_plink_command_tricked(self):
++ vendor = PLinkSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+ def test_plink_command_arguments(self):
+ vendor = PLinkSubprocessVendor()
+ self.assertEqual(
+
+=== modified file 'bzrlib/transport/ssh.py'
+--- old/bzrlib/transport/ssh.py 2015-07-31 01:04:41 +0000
++++ new/bzrlib/transport/ssh.py 2017-08-20 01:59:20 +0000
+@@ -46,6 +46,10 @@
+ from paramiko.sftp_client import SFTPClient
+
+
++class StrangeHostname(errors.BzrError):
++ _fmt = "Refusing to connect to strange SSH hostname %(hostname)s"
++
++
+ SYSTEM_HOSTKEYS = {}
+ BZR_HOSTKEYS = {}
+
+@@ -360,6 +364,11 @@
+ # tests, but beware of using PIPE which may hang due to not being read.
+ _stderr_target = None
+
++ @staticmethod
++ def _check_hostname(arg):
++ if arg.startswith('-'):
++ raise StrangeHostname(hostname=arg)
++
+ def _connect(self, argv):
+ # Attempt to make a socketpair to use as stdin/stdout for the SSH
+ # subprocess. We prefer sockets to pipes because they support
+@@ -424,9 +433,9 @@
+ if username is not None:
+ args.extend(['-l', username])
+ if subsystem is not None:
+- args.extend(['-s', host, subsystem])
++ args.extend(['-s', '--', host, subsystem])
+ else:
+- args.extend([host] + command)
++ args.extend(['--', host] + command)
+ return args
+
+ register_ssh_vendor('openssh', OpenSSHSubprocessVendor())
+@@ -439,6 +448,7 @@
+
+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+ command=None):
++ self._check_hostname(host)
+ args = [self.executable_path, '-x']
+ if port is not None:
+ args.extend(['-p', str(port)])
+@@ -460,6 +470,7 @@
+
+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+ command=None):
++ self._check_hostname(host)
+ args = [self.executable_path]
+ if port is not None:
+ args.extend(['-p', str(port)])
+@@ -481,6 +492,7 @@
+
+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+ command=None):
++ self._check_hostname(host)
+ args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch']
+ if port is not None:
+ args.extend(['-P', str(port)])
+
diff --git a/gnu/packages/patches/clementine-use-openssl.patch b/gnu/packages/patches/clementine-use-openssl.patch
new file mode 100644
index 0000000000..1fbf3d2b8a
--- /dev/null
+++ b/gnu/packages/patches/clementine-use-openssl.patch
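Review bot: In the test_ssh_transport.py part of bazaar-CVE-2017-14176.patch, `test_openssh_command_tricked` is defined twice in `SubprocessVendorsTests`: first for `OpenSSHSubprocessVendor`, then again in inner hunk `@@ -184,9 +199,16 @@` for `SSHCorpSubprocessVendor`. Python keeps only the later definition in a class body, so the assertion that OpenSSH receives `--` ahead of a host of `-oProxyCommand=blah` never runs. Renaming the second one to `def test_sshcorp_command_tricked(self):` restores that coverage, which matters because OpenSSH is the one vendor here that relies on `--` instead of `_check_hostname`. The surrounding test class starts and ends outside the inner hunks.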
@@ -0,0 +1,67 @@ +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 4022c383b..3202b8b69 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -83,6 +83,7 @@ pkg_check_modules(LIBPULSE libpulse) + pkg_check_modules(LIBXML libxml-2.0) + pkg_check_modules(SPOTIFY libspotify>=12.1.45) + pkg_check_modules(TAGLIB REQUIRED taglib>=1.6) ++pkg_check_modules(OPENSSL REQUIRED openssl) + + if (WIN32) + find_package(ZLIB REQUIRED) +@@ -381,20 +382,6 @@ if(GMOCK_INCLUDE_DIRS) + endif(GTEST_INCLUDE_DIRS) + endif(GMOCK_INCLUDE_DIRS) + +-# Use the system's sha2 if it's available. +-find_path(SHA2_INCLUDE_DIRS sha2.h) +-find_library(SHA2_LIBRARIES sha2) +-if(SHA2_LIBRARIES AND SHA2_INCLUDE_DIRS) +- message(STATUS "Using system sha2 library") +- set(USE_SYSTEM_SHA2 ON) +-else() +- message(STATUS "Using builtin sha2 library") +- set(USE_SYSTEM_SHA2 OFF) +- add_subdirectory(3rdparty/sha2) +- set(SHA2_INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/sha2) +- set(SHA2_LIBRARIES sha2) +-endif() +- + # Use the system libmygpo-qt5 if a recent enough version was found + if(LIBMYGPO_QT5_FOUND) + set(MYGPOQT5_LIBRARIES ${LIBMYGPO_QT5_LIBRARIES}) +diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt +index 6e24c9726..104d044d9 100644 +--- a/src/CMakeLists.txt ++++ b/src/CMakeLists.txt +@@ -29,7 +29,6 @@ include_directories(${LIBPROJECTM_INCLUDE_DIRS}) + include_directories(${QTSINGLEAPPLICATION_INCLUDE_DIRS}) + include_directories(${QTIOCOMPRESSOR_INCLUDE_DIRS}) + include_directories(${QXT_INCLUDE_DIRS}) +-include_directories(${SHA2_INCLUDE_DIRS}) + include_directories(${CHROMAPRINT_INCLUDE_DIRS}) + include_directories(${MYGPOQT5_INCLUDE_DIRS}) + +@@ -1223,7 +1222,7 @@ target_link_libraries(clementine_lib + libclementine-common + libclementine-tagreader + libclementine-remote +- ${SHA2_LIBRARIES} ++ ${OPENSSL_LIBRARIES} + ${TAGLIB_LIBRARIES} + ${MYGPOQT5_LIBRARIES} + ${CHROMAPRINT_LIBRARIES} +diff --git a/src/core/utilities.cpp b/src/core/utilities.cpp +index ce76f22da..80bf623fb 100644 
+--- a/src/core/utilities.cpp ++++ b/src/core/utilities.cpp +@@ -52,7 +52,7 @@ + #include "config.h" + #include "timeconstants.h" + +-#include "sha2.h" ++#include <openssl/sha.h> + + #if defined(Q_OS_UNIX) + #include <sys/statvfs.h> diff --git a/gnu/packages/patches/dtc-32-bits-check.patch b/gnu/packages/patches/dtc-32-bits-check.patch new file mode 100644 index 0000000000..cf15be3404 --- /dev/null +++ b/gnu/packages/patches/dtc-32-bits-check.patch @@ -0,0 +1,134 @@ +This fixes tests on 32 bits platforms. Patch taken from upstream. + +commit f8872e29ce06d78d3db71b3ab26a7465fc8a9586 +Author: David Gibson <david@gibson.dropbear.id.au> +Date: Fri Oct 6 23:07:30 2017 +1100 + + tests: Avoid 64-bit arithmetic in assembler + + For testing we (ab)use the assembler to build us a sample dtb, independent + of the other tools (dtc and libfdt) that we're trying to test. In a few + places this uses 64-bit arithmetic to decompose 64-bit constants into + the individual bytes in the blob. + + Unfortunately, it seems that some builds of GNU as don't support >32 bit + arithmetic, though it's not entirely clear to me which do and which don't + (Fedora i386 does support 64-bit, Debian arm32 doesn't). + + Anyway, to be safe, this avoids 64-bit arithmetic in assembler at the cost + of some extra awkwardness because we have to define the values in 32-bit + halves. + + 
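Review bot: clementine-use-openssl.patch begins directly at `diff --git a/CMakeLists.txt`, with no header stating why the bundled sha2 is replaced or where the change comes from, unlike the other patches added in this commit. A short leading comment such as `Use the system OpenSSL for SHA-2 instead of the bundled 3rdparty/sha2 copy. Origin: <upstream commit or "local">` would let a later reader audit its provenance. Separately, src/CMakeLists.txt drops `include_directories(${SHA2_INCLUDE_DIRS})` without adding `include_directories(${OPENSSL_INCLUDE_DIRS})`, so `#include <openssl/sha.h>` resolves only when the headers are already on the default search path. The SHA call sites in utilities.cpp are outside the hunk, so whether they compile unchanged against OpenSSL cannot be confirmed from here.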
Signed-off-by: David Gibson <david@gibson.dropbear.id.au> + +diff --git a/tests/testdata.h b/tests/testdata.h +index 3588778..f6bbe1d 100644 +--- a/tests/testdata.h ++++ b/tests/testdata.h +@@ -4,15 +4,25 @@ + #define ASM_CONST_LL(x) (x##ULL) + #endif + +-#define TEST_ADDR_1 ASM_CONST_LL(0xdeadbeef00000000) +-#define TEST_SIZE_1 ASM_CONST_LL(0x100000) +-#define TEST_ADDR_2 ASM_CONST_LL(123456789) +-#define TEST_SIZE_2 ASM_CONST_LL(010000) ++#define TEST_ADDR_1H ASM_CONST_LL(0xdeadbeef) ++#define TEST_ADDR_1L ASM_CONST_LL(0x00000000) ++#define TEST_ADDR_1 ((TEST_ADDR_1H << 32) | TEST_ADDR_1L) ++#define TEST_SIZE_1H ASM_CONST_LL(0x00000000) ++#define TEST_SIZE_1L ASM_CONST_LL(0x00100000) ++#define TEST_SIZE_1 ((TEST_SIZE_1H << 32) | TEST_SIZE_1L) ++#define TEST_ADDR_2H ASM_CONST_LL(0) ++#define TEST_ADDR_2L ASM_CONST_LL(123456789) ++#define TEST_ADDR_2 ((TEST_ADDR_2H << 32) | TEST_ADDR_2L) ++#define TEST_SIZE_2H ASM_CONST_LL(0) ++#define TEST_SIZE_2L ASM_CONST_LL(010000) ++#define TEST_SIZE_2 ((TEST_SIZE_2H << 32) | TEST_SIZE_2L) + + #define TEST_VALUE_1 0xdeadbeef + #define TEST_VALUE_2 123456789 + +-#define TEST_VALUE64_1 ASM_CONST_LL(0xdeadbeef01abcdef) ++#define TEST_VALUE64_1H ASM_CONST_LL(0xdeadbeef) ++#define TEST_VALUE64_1L ASM_CONST_LL(0x01abcdef) ++#define TEST_VALUE64_1 ((TEST_VALUE64_1H << 32) | TEST_VALUE64_1L) + + #define PHANDLE_1 0x2000 + #define PHANDLE_2 0x2001 +diff --git a/tests/trees.S b/tests/trees.S +index 9854d1d..9859914 100644 +--- a/tests/trees.S ++++ b/tests/trees.S +@@ -7,16 +7,6 @@ + .byte ((val) >> 8) & 0xff ; \ + .byte (val) & 0xff ; + +-#define FDTQUAD(val) \ +- .byte ((val) >> 56) & 0xff ; \ +- .byte ((val) >> 48) & 0xff ; \ +- .byte ((val) >> 40) & 0xff ; \ +- .byte ((val) >> 32) & 0xff ; \ +- .byte ((val) >> 24) & 0xff ; \ +- .byte ((val) >> 16) & 0xff ; \ +- .byte ((val) >> 8) & 0xff ; \ +- .byte (val) & 0xff ; +- + #define TREE_HDR(tree) \ + .balign 8 ; \ + .globl _##tree ; \ +@@ -33,14 +23,16 @@ tree: \ + 
FDTLONG(tree##_strings_end - tree##_strings) ; \ + FDTLONG(tree##_struct_end - tree##_struct) ; + +-#define RSVMAP_ENTRY(addr, len) \ +- FDTQUAD(addr) ; \ +- FDTQUAD(len) ; \ ++#define RSVMAP_ENTRY(addrh, addrl, lenh, lenl) \ ++ FDTLONG(addrh) ; \ ++ FDTLONG(addrl) ; \ ++ FDTLONG(lenh) ; \ ++ FDTLONG(lenl) + + #define EMPTY_RSVMAP(tree) \ + .balign 8 ; \ + tree##_rsvmap: ; \ +- RSVMAP_ENTRY(0, 0) \ ++ RSVMAP_ENTRY(0, 0, 0, 0) \ + tree##_rsvmap_end: ; + + #define PROPHDR(tree, name, len) \ +@@ -52,9 +44,10 @@ tree##_rsvmap_end: ; + PROPHDR(tree, name, 4) \ + FDTLONG(val) ; + +-#define PROP_INT64(tree, name, val) \ ++#define PROP_INT64(tree, name, valh, vall) \ + PROPHDR(tree, name, 8) \ +- FDTQUAD(val) ; ++ FDTLONG(valh) ; \ ++ FDTLONG(vall) ; + + #define PROP_STR(tree, name, str) \ + PROPHDR(tree, name, 55f - 54f) \ +@@ -81,16 +74,16 @@ tree##_##name: ; \ + + .balign 8 + test_tree1_rsvmap: +- RSVMAP_ENTRY(TEST_ADDR_1, TEST_SIZE_1) +- RSVMAP_ENTRY(TEST_ADDR_2, TEST_SIZE_2) +- RSVMAP_ENTRY(0, 0) ++ RSVMAP_ENTRY(TEST_ADDR_1H, TEST_ADDR_1L, TEST_SIZE_1H, TEST_SIZE_1L) ++ RSVMAP_ENTRY(TEST_ADDR_2H, TEST_ADDR_2L, TEST_SIZE_2H, TEST_SIZE_2L) ++ RSVMAP_ENTRY(0, 0, 0, 0) + test_tree1_rsvmap_end: + + test_tree1_struct: + BEGIN_NODE("") + PROP_STR(test_tree1, compatible, "test_tree1") + PROP_INT(test_tree1, prop_int, TEST_VALUE_1) +- PROP_INT64(test_tree1, prop_int64, TEST_VALUE64_1) ++ PROP_INT64(test_tree1, prop_int64, TEST_VALUE64_1H, TEST_VALUE64_1L) + PROP_STR(test_tree1, prop_str, TEST_STRING_1) + PROP_INT(test_tree1, address_cells, 1) + PROP_INT(test_tree1, size_cells, 0) diff --git a/gnu/packages/patches/dtc-format-modifier.patch b/gnu/packages/patches/dtc-format-modifier.patch new file mode 100644 index 0000000000..c33d16857f --- /dev/null +++ b/gnu/packages/patches/dtc-format-modifier.patch 
@@ -0,0 +1,38 @@
+This fixes build on 32 bits platforms. This patch is taken from upstream.
+
+commit 497432fd2131967f349e69dc5d259072151cc4b4
+Author: Thierry Reding <treding@nvidia.com>
+Date: Wed Sep 27 15:04:09 2017 +0200
+
+ checks: Use proper format modifier for size_t
+
+ The size of size_t can vary between architectures, so using %ld isn't
+ going to work on 32-bit builds. Use the %zu modifier to make sure it is
+ always correct.
+
+ Signed-off-by: Thierry Reding <treding@nvidia.com>
+ Acked-by: Rob Herring <robh@kernel.org>
+ Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+
+diff --git a/checks.c b/checks.c
+index 902f2e3..08a3a29 100644
+--- a/checks.c
++++ b/checks.c
+@@ -972,7 +972,7 @@ static void check_property_phandle_args(struct check *c,
+ int cell, cellsize = 0;
+
+ if (prop->val.len % sizeof(cell_t)) {
+- FAIL(c, dti, "property '%s' size (%d) is invalid, expected multiple of %ld in node %s",
++ FAIL(c, dti, "property '%s' size (%d) is invalid, expected multiple of %zu in node %s",
+ prop->name, prop->val.len, sizeof(cell_t), node->fullpath);
+ return;
+ }
+@@ -1163,7 +1163,7 @@ static void check_interrupts_property(struct check *c,
+ return;
+
+ if (irq_prop->val.len % sizeof(cell_t))
+- FAIL(c, dti, "property '%s' size (%d) is invalid, expected multiple of %ld in node %s",
++ FAIL(c, dti, "property '%s' size (%d) is invalid, expected multiple of %zu in node %s",
+ irq_prop->name, irq_prop->val.len, sizeof(cell_t),
+ node->fullpath);
+
diff --git a/gnu/packages/patches/emacs-highlight-stages-add-gexp.patch b/gnu/packages/patches/emacs-highlight-stages-add-gexp.patch
new file mode 100644
index 0000000000..931355b4fe
--- /dev/null
+++ b/gnu/packages/patches/emacs-highlight-stages-add-gexp.patch
@@ -0,0 +1,26 @@
+Copyright © 2017 Oleg Pykhalov <go.wigust@gmail.com>
+Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
+
+This patch adds highlighting for (guix) G-Expressions.
+
+diff --git a/highlight-stages.el b/highlight-stages.el
+index 3094c3c..e11260e 100644
+--- a/highlight-stages.el
++++ b/highlight-stages.el
+@@ -237,14 +237,14 @@ non-nil, (match-string 0) must be the expression matched."
+
+ (defun highlight-stages-lisp-quote-matcher (&optional limit)
+ (when (highlight-stages--search-forward-regexp
+- "\\(?:`\\|\\(#?'\\)\\)\\|([\s\t\n]*\\(?:backquote\\|\\(quote\\)\\)[\s\t\n]+" limit)
++ "\\(?:`\\|\\(#?'\\)\\)\\|([\s\t\n]*\\(?:backquote\\|\\(quote\\)\\)[\s\t\n]+\\|\\(?:#~\\)\\|([\s\t\n]*\\(?:gexp\\)[\s\t\n]+" limit)
+ (prog1 (if (or (match-beginning 1) (match-beginning 2)) 'real t)
+ (set-match-data
+ (list (point)
+ (progn (ignore-errors (forward-sexp 1)) (point)))))))
+
+ (defun highlight-stages-lisp-escape-matcher (&optional limit)
+- (when (highlight-stages--search-forward-regexp ",@?\\|([\s\t\n]*\\\\,@?+[\s\t\n]+" limit)
++ (when (highlight-stages--search-forward-regexp ",@?\\|([\s\t\n]*\\\\,@?+[\s\t\n]+\\|\\(unquote\\)\\|\\(unquote-splicing\\)\\|\\(ungexp-native\\)\\|\\(ungexp-splicing\\)\\|\\(ungexp-native-splicing\\)\\|\\(ungexp\\)\\|#\\$" limit)
+ (set-match-data
+ (list (point)
+ (progn (ignore-errors (forward-sexp 1)) (point))))
diff --git a/gnu/packages/patches/exim-CVE-2017-1000369.patch b/gnu/packages/patches/exim-CVE-2017-1000369.patch
deleted file mode 100644
index a67a8afb0e..0000000000
--- a/gnu/packages/patches/exim-CVE-2017-1000369.patch
+++ /dev/null
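Review bot: In the new regexp of `highlight-stages-lisp-escape-matcher` (emacs-highlight-stages-add-gexp.patch), `\\(unquote\\)` is listed before `\\(unquote-splicing\\)` and `\\(ungexp-native\\)` before `\\(ungexp-native-splicing\\)`. Emacs regexp alternation takes the first alternative that matches, so the two `-splicing` variants look unreachable and point would stop in the middle of the symbol before `forward-sexp` runs. Listing the longer names first, `\\(unquote-splicing\\)\\|\\(unquote\\)` and `\\(ungexp-native-splicing\\)\\|\\(ungexp-native\\)`, avoids that. The bare-word alternatives also carry no `(` prefix or symbol boundary, so they can match inside longer identifiers or strings. `highlight-stages--search-forward-regexp` is defined outside the hunk, so confirm both points against its implementation.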
@@ -1,59 +0,0 @@ -Fix CVE-2017-1000369: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000369 -https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt - -Patch adapted from upstream source repository: - -https://git.exim.org/exim.git/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21 - -From 65e061b76867a9ea7aeeb535341b790b90ae6c21 Mon Sep 17 00:00:00 2001 -From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> -Date: Wed, 31 May 2017 23:08:56 +0200 -Subject: [PATCH] Cleanup (prevent repeated use of -p/-oMr to avoid mem leak) - ---- - doc/doc-docbook/spec.xfpt | 3 ++- - src/src/exim.c | 19 +++++++++++++++++-- - 2 files changed, 19 insertions(+), 3 deletions(-) - -diff --git a/src/src/exim.c b/src/src/exim.c -index 67583e58..88e11977 100644 ---- a/src/exim.c -+++ b/src/exim.c -@@ -3106,7 +3106,14 @@ for (i = 1; i < argc; i++) - - /* -oMr: Received protocol */ - -- else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i]; -+ else if (Ustrcmp(argrest, "Mr") == 0) -+ -+ if (received_protocol) -+ { -+ fprintf(stderr, "received_protocol is set already\n"); -+ exit(EXIT_FAILURE); -+ } -+ else received_protocol = argv[++i]; - - /* -oMs: Set sender host name */ - -@@ -3202,7 +3209,15 @@ for (i = 1; i < argc; i++) - - if (*argrest != 0) - { -- uschar *hn = Ustrchr(argrest, ':'); -+ uschar *hn; -+ -+ if (received_protocol) -+ { -+ fprintf(stderr, "received_protocol is set already\n"); -+ exit(EXIT_FAILURE); -+ } -+ -+ hn = Ustrchr(argrest, ':'); - if (hn == NULL) - { - received_protocol = argrest; --- -2.13.1 - diff --git a/gnu/packages/patches/gcc-6-source-date-epoch-1.patch b/gnu/packages/patches/gcc-6-source-date-epoch-1.patch new file mode 100644 index 0000000000..26f62bc9f1 --- /dev/null +++ b/gnu/packages/patches/gcc-6-source-date-epoch-1.patch 
@@ -0,0 +1,187 @@ +Make GCC respect SOURCE_DATE_EPOCH in __DATE__ and __TIME__ macros. + +Cherry-picked from upstream commit: + +https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=e3e8c48c4a494d9da741c1c8ea6c4c0b7c4ff934 + +diff --git a/gcc/c-family/c-common.c b/gcc/c-family/c-common.c +index 6cf8c610b4e..b5daea65ba7 100644 +--- a/gcc/c-family/c-common.c ++++ b/gcc/c-family/c-common.c +@@ -12750,4 +12750,37 @@ valid_array_size_p (location_t loc, tree type, tree name) + return true; + } + ++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic ++ timestamp to replace embedded current dates to get reproducible ++ results. Returns -1 if SOURCE_DATE_EPOCH is not defined. */ ++time_t ++get_source_date_epoch () ++{ ++ char *source_date_epoch; ++ long long epoch; ++ char *endptr; ++ ++ source_date_epoch = getenv ("SOURCE_DATE_EPOCH"); ++ if (!source_date_epoch) ++ return (time_t) -1; ++ ++ errno = 0; ++ epoch = strtoll (source_date_epoch, &endptr, 10); ++ if ((errno == ERANGE && (epoch == LLONG_MAX || epoch == LLONG_MIN)) ++ || (errno != 0 && epoch == 0)) ++ fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: " ++ "strtoll: %s\n", xstrerror(errno)); ++ if (endptr == source_date_epoch) ++ fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: " ++ "no digits were found: %s\n", endptr); ++ if (*endptr != '\0') ++ fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: " ++ "trailing garbage: %s\n", endptr); ++ if (epoch < 0) ++ fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: " ++ "value must be nonnegative: %lld \n", epoch); ++ ++ return (time_t) epoch; ++} ++ + #include "gt-c-family-c-common.h" +diff --git a/gcc/c-family/c-common.h b/gcc/c-family/c-common.h +index dd74d0dd62e..c6e0ed12b55 100644 +--- a/gcc/c-family/c-common.h ++++ b/gcc/c-family/c-common.h +@@ -1467,4 +1467,9 @@ extern bool reject_gcc_builtin (const_tree, location_t = UNKNOWN_LOCATION); + extern void 
warn_duplicated_cond_add_or_warn (location_t, tree, vec<tree> **); + extern bool valid_array_size_p (location_t, tree, tree); + ++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic ++ timestamp to replace embedded current dates to get reproducible ++ results. Returns -1 if SOURCE_DATE_EPOCH is not defined. */ ++extern time_t get_source_date_epoch (void); ++ + #endif /* ! GCC_C_COMMON_H */ +diff --git a/gcc/c-family/c-lex.c b/gcc/c-family/c-lex.c +index 96da4fc974e..bf1db6c0252 100644 +--- a/gcc/c-family/c-lex.c ++++ b/gcc/c-family/c-lex.c +@@ -385,6 +385,9 @@ c_lex_with_flags (tree *value, location_t *loc, unsigned char *cpp_flags, + enum cpp_ttype type; + unsigned char add_flags = 0; + enum overflow_type overflow = OT_NONE; ++ time_t source_date_epoch = get_source_date_epoch (); ++ ++ cpp_init_source_date_epoch (parse_in, source_date_epoch); + + timevar_push (TV_CPP); + retry: +diff --git a/gcc/doc/cppenv.texi b/gcc/doc/cppenv.texi +index 22c8cb37624..e958e93e97e 100644 +--- a/gcc/doc/cppenv.texi ++++ b/gcc/doc/cppenv.texi +@@ -79,4 +79,21 @@ main input file is omitted. + @ifclear cppmanual + @xref{Preprocessor Options}. + @end ifclear ++ ++@item SOURCE_DATE_EPOCH ++ ++If this variable is set, its value specifies a UNIX timestamp to be ++used in replacement of the current date and time in the @code{__DATE__} ++and @code{__TIME__} macros, so that the embedded timestamps become ++reproducible. ++ ++The value of @env{SOURCE_DATE_EPOCH} must be a UNIX timestamp, ++defined as the number of seconds (excluding leap seconds) since ++01 Jan 1970 00:00:00 represented in ASCII, identical to the output of ++@samp{@command{date +%s}}. ++ ++The value should be a known timestamp such as the last modification ++time of the source or package and it should be set by the build ++process. 
++ + @end vtable +diff --git a/libcpp/include/cpplib.h b/libcpp/include/cpplib.h +index 35b0375c09c..4998b3a8ab8 100644 +--- a/libcpp/include/cpplib.h ++++ b/libcpp/include/cpplib.h +@@ -784,6 +784,9 @@ extern void cpp_init_special_builtins (cpp_reader *); + /* Set up built-ins like __FILE__. */ + extern void cpp_init_builtins (cpp_reader *, int); + ++/* Initialize the source_date_epoch value. */ ++extern void cpp_init_source_date_epoch (cpp_reader *, time_t); ++ + /* This is called after options have been parsed, and partially + processed. */ + extern void cpp_post_options (cpp_reader *); +diff --git a/libcpp/init.c b/libcpp/init.c +index 4343075ba85..f5ff85b3bae 100644 +--- a/libcpp/init.c ++++ b/libcpp/init.c +@@ -533,8 +533,15 @@ cpp_init_builtins (cpp_reader *pfile, int hosted) + _cpp_define_builtin (pfile, "__OBJC__ 1"); + } + ++/* Initialize the source_date_epoch value. */ ++void ++cpp_init_source_date_epoch (cpp_reader *pfile, time_t source_date_epoch) ++{ ++ pfile->source_date_epoch = source_date_epoch; ++} ++ + /* Sanity-checks are dependent on command-line options, so it is +- called as a subroutine of cpp_read_main_file (). */ ++ called as a subroutine of cpp_read_main_file. */ + #if CHECKING_P + static void sanity_checks (cpp_reader *); + static void sanity_checks (cpp_reader *pfile) +diff --git a/libcpp/internal.h b/libcpp/internal.h +index 9ce870738cc..e3eb26b1f27 100644 +--- a/libcpp/internal.h ++++ b/libcpp/internal.h +@@ -502,6 +502,10 @@ struct cpp_reader + const unsigned char *date; + const unsigned char *time; + ++ /* Externally set timestamp to replace current date and time useful for ++ reproducibility. */ ++ time_t source_date_epoch; ++ + /* EOF token, and a token forcing paste avoidance. 
*/ + cpp_token avoid_paste; + cpp_token eof; +diff --git a/libcpp/macro.c b/libcpp/macro.c +index c2515534504..c2a83764660 100644 +--- a/libcpp/macro.c ++++ b/libcpp/macro.c +@@ -357,13 +357,20 @@ _cpp_builtin_macro_text (cpp_reader *pfile, cpp_hashnode *node, + time_t tt; + struct tm *tb = NULL; + +- /* (time_t) -1 is a legitimate value for "number of seconds +- since the Epoch", so we have to do a little dance to +- distinguish that from a genuine error. */ +- errno = 0; +- tt = time(NULL); +- if (tt != (time_t)-1 || errno == 0) +- tb = localtime (&tt); ++ /* Set a reproducible timestamp for __DATE__ and __TIME__ macro ++ usage if SOURCE_DATE_EPOCH is defined. */ ++ if (pfile->source_date_epoch != (time_t) -1) ++ tb = gmtime (&pfile->source_date_epoch); ++ else ++ { ++ /* (time_t) -1 is a legitimate value for "number of seconds ++ since the Epoch", so we have to do a little dance to ++ distinguish that from a genuine error. */ ++ errno = 0; ++ tt = time (NULL); ++ if (tt != (time_t)-1 || errno == 0) ++ tb = localtime (&tt); ++ } + + if (tb) + { +-- +2.14.1 + diff --git a/gnu/packages/patches/gcc-6-source-date-epoch-2.patch b/gnu/packages/patches/gcc-6-source-date-epoch-2.patch new file mode 100644 index 0000000000..cd5b09867f --- /dev/null +++ b/gnu/packages/patches/gcc-6-source-date-epoch-2.patch 
@@ -0,0 +1,346 @@ +Cherry-picked from upstream commit: + +https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=dfa5c0d3f3e23e4fdb14857a42de376d9ff8601c + +diff --git a/gcc/c-family/c-common.c b/gcc/c-family/c-common.c +index b5daea65ba7..a4539da15ce 100644 +--- a/gcc/c-family/c-common.c ++++ b/gcc/c-family/c-common.c +@@ -12753,8 +12753,9 @@ valid_array_size_p (location_t loc, tree type, tree name) + /* Read SOURCE_DATE_EPOCH from environment to have a deterministic + timestamp to replace embedded current dates to get reproducible + results. Returns -1 if SOURCE_DATE_EPOCH is not defined. */ ++ + time_t +-get_source_date_epoch () ++cb_get_source_date_epoch (cpp_reader *pfile ATTRIBUTE_UNUSED) + { + char *source_date_epoch; + long long epoch; +@@ -12766,19 +12767,14 @@ get_source_date_epoch () + + errno = 0; + epoch = strtoll (source_date_epoch, &endptr, 10); +- if ((errno == ERANGE && (epoch == LLONG_MAX || epoch == LLONG_MIN)) +- || (errno != 0 && epoch == 0)) +- fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: " +- "strtoll: %s\n", xstrerror(errno)); +- if (endptr == source_date_epoch) +- fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: " +- "no digits were found: %s\n", endptr); +- if (*endptr != '\0') +- fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: " +- "trailing garbage: %s\n", endptr); +- if (epoch < 0) +- fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: " +- "value must be nonnegative: %lld \n", epoch); ++ if (errno != 0 || endptr == source_date_epoch || *endptr != '\0' ++ || epoch < 0 || epoch > MAX_SOURCE_DATE_EPOCH) ++ { ++ error_at (input_location, "environment variable SOURCE_DATE_EPOCH must " ++ "expand to a non-negative integer less than or equal to %wd", ++ MAX_SOURCE_DATE_EPOCH); ++ return (time_t) -1; ++ } + + return (time_t) epoch; + } +diff --git a/gcc/c-family/c-common.h b/gcc/c-family/c-common.h +index c6e0ed12b55..44699f716e0 100644 +--- 
a/gcc/c-family/c-common.h ++++ b/gcc/c-family/c-common.h +@@ -1084,6 +1084,16 @@ extern vec<tree, va_gc> *make_tree_vector_copy (const vec<tree, va_gc> *); + c_register_builtin_type. */ + extern GTY(()) tree registered_builtin_types; + ++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic ++ timestamp to replace embedded current dates to get reproducible ++ results. Returns -1 if SOURCE_DATE_EPOCH is not defined. */ ++extern time_t cb_get_source_date_epoch (cpp_reader *pfile); ++ ++/* The value (as a unix timestamp) corresponds to date ++ "Dec 31 9999 23:59:59 UTC", which is the latest date that __DATE__ and ++ __TIME__ can store. */ ++#define MAX_SOURCE_DATE_EPOCH HOST_WIDE_INT_C (253402300799) ++ + /* In c-gimplify.c */ + extern void c_genericize (tree); + extern int c_gimplify_expr (tree *, gimple_seq *, gimple_seq *); +@@ -1467,9 +1477,4 @@ extern bool reject_gcc_builtin (const_tree, location_t = UNKNOWN_LOCATION); + extern void warn_duplicated_cond_add_or_warn (location_t, tree, vec<tree> **); + extern bool valid_array_size_p (location_t, tree, tree); + +-/* Read SOURCE_DATE_EPOCH from environment to have a deterministic +- timestamp to replace embedded current dates to get reproducible +- results. Returns -1 if SOURCE_DATE_EPOCH is not defined. */ +-extern time_t get_source_date_epoch (void); +- + #endif /* ! GCC_C_COMMON_H */ +diff --git a/gcc/c-family/c-lex.c b/gcc/c-family/c-lex.c +index bf1db6c0252..42a4135d339 100644 +--- a/gcc/c-family/c-lex.c ++++ b/gcc/c-family/c-lex.c +@@ -80,6 +80,7 @@ init_c_lex (void) + cb->valid_pch = c_common_valid_pch; + cb->read_pch = c_common_read_pch; + cb->has_attribute = c_common_has_attribute; ++ cb->get_source_date_epoch = cb_get_source_date_epoch; + + /* Set the debug callbacks if we can use them. 
*/ + if ((debug_info_level == DINFO_LEVEL_VERBOSE +@@ -385,9 +386,6 @@ c_lex_with_flags (tree *value, location_t *loc, unsigned char *cpp_flags, + enum cpp_ttype type; + unsigned char add_flags = 0; + enum overflow_type overflow = OT_NONE; +- time_t source_date_epoch = get_source_date_epoch (); +- +- cpp_init_source_date_epoch (parse_in, source_date_epoch); + + timevar_push (TV_CPP); + retry: +diff --git a/gcc/doc/cppenv.texi b/gcc/doc/cppenv.texi +index e958e93e97e..8cefd529aa3 100644 +--- a/gcc/doc/cppenv.texi ++++ b/gcc/doc/cppenv.texi +@@ -81,7 +81,6 @@ main input file is omitted. + @end ifclear + + @item SOURCE_DATE_EPOCH +- + If this variable is set, its value specifies a UNIX timestamp to be + used in replacement of the current date and time in the @code{__DATE__} + and @code{__TIME__} macros, so that the embedded timestamps become +@@ -89,8 +88,9 @@ reproducible. + + The value of @env{SOURCE_DATE_EPOCH} must be a UNIX timestamp, + defined as the number of seconds (excluding leap seconds) since +-01 Jan 1970 00:00:00 represented in ASCII, identical to the output of +-@samp{@command{date +%s}}. ++01 Jan 1970 00:00:00 represented in ASCII; identical to the output of ++@samp{@command{date +%s}} on GNU/Linux and other systems that support the ++@code{%s} extension in the @code{date} command. + + The value should be a known timestamp such as the last modification + time of the source or package and it should be set by the build +diff --git a/gcc/gcc.c b/gcc/gcc.c +index cfa074d4e43..f88596219bc 100644 +--- a/gcc/gcc.c ++++ b/gcc/gcc.c +@@ -3541,6 +3541,29 @@ save_switch (const char *opt, size_t n_args, const char *const *args, + n_switches++; + } + ++/* Set the SOURCE_DATE_EPOCH environment variable to the current time if it is ++ not set already. */ ++ ++static void ++set_source_date_epoch_envvar () ++{ ++ /* Array size is 21 = ceil(log_10(2^64)) + 1 to hold string representations ++ of 64 bit integers. 
*/ ++ char source_date_epoch[21]; ++ time_t tt; ++ ++ errno = 0; ++ tt = time (NULL); ++ if (tt < (time_t) 0 || errno != 0) ++ tt = (time_t) 0; ++ ++ snprintf (source_date_epoch, 21, "%llu", (unsigned long long) tt); ++ /* Using setenv instead of xputenv because we want the variable to remain ++ after finalizing so that it's still set in the second run when using ++ -fcompare-debug. */ ++ setenv ("SOURCE_DATE_EPOCH", source_date_epoch, 0); ++} ++ + /* Handle an option DECODED that is unknown to the option-processing + machinery. */ + +@@ -3840,6 +3863,7 @@ driver_handle_option (struct gcc_options *opts, + else + compare_debug_opt = arg; + save_switch (compare_debug_replacement_opt, 0, NULL, validated, true); ++ set_source_date_epoch_envvar (); + return true; + + case OPT_fdiagnostics_color_: +diff --git a/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c +new file mode 100644 +index 00000000000..f6aa1a360ff +--- /dev/null ++++ b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c +@@ -0,0 +1,11 @@ ++/* { dg-do run } */ ++/* { dg-set-compiler-env-var SOURCE_DATE_EPOCH "630333296" } */ ++ ++int ++main(void) ++{ ++ __builtin_printf ("%s %s\n", __DATE__, __TIME__); ++ return 0; ++} ++ ++/* { dg-output "^Dec 22 1989 12:34:56\n$" } */ +diff --git a/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c +new file mode 100644 +index 00000000000..ae18362ae87 +--- /dev/null ++++ b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c +@@ -0,0 +1,12 @@ ++/* { dg-do compile } */ ++/* { dg-set-compiler-env-var SOURCE_DATE_EPOCH "AAA" } */ ++ ++/* Make sure that SOURCE_DATE_EPOCH is only parsed once */ ++ ++int ++main(void) ++{ ++ __builtin_printf ("%s %s\n", __DATE__, __TIME__); /* { dg-error "SOURCE_DATE_EPOCH must expand" } */ ++ __builtin_printf ("%s %s\n", __DATE__, __TIME__); ++ return 0; ++} +diff --git a/gcc/testsuite/lib/gcc-dg.exp b/gcc/testsuite/lib/gcc-dg.exp +index 9dd909b0985..822d2fbb3b9 
100644 +--- a/gcc/testsuite/lib/gcc-dg.exp ++++ b/gcc/testsuite/lib/gcc-dg.exp +@@ -450,6 +450,38 @@ proc restore-target-env-var { } { + } + } + ++proc dg-set-compiler-env-var { args } { ++ global set_compiler_env_var ++ global saved_compiler_env_var ++ if { [llength $args] != 3 } { ++ error "dg-set-compiler-env-var: need two arguments" ++ return ++ } ++ set var [lindex $args 1] ++ set value [lindex $args 2] ++ if [info exists ::env($var)] { ++ lappend saved_compiler_env_var [list $var 1 $::env($var)] ++ } else { ++ lappend saved_compiler_env_var [list $var 0] ++ } ++ setenv $var $value ++ lappend set_compiler_env_var [list $var $value] ++} ++ ++proc restore-compiler-env-var { } { ++ global saved_compiler_env_var ++ for { set env_vari [llength $saved_compiler_env_var] } { ++ [incr env_vari -1] >= 0 } {} { ++ set env_var [lindex $saved_compiler_env_var $env_vari] ++ set var [lindex $env_var 0] ++ if [lindex $env_var 1] { ++ setenv $var [lindex $env_var 2] ++ } else { ++ unsetenv $var ++ } ++ } ++} ++ + # Utility routines. + + # +@@ -873,6 +905,11 @@ if { [info procs saved-dg-test] == [list] } { + if [info exists set_target_env_var] { + unset set_target_env_var + } ++ if [info exists set_compiler_env_var] { ++ restore-compiler-env-var ++ unset set_compiler_env_var ++ unset saved_compiler_env_var ++ } + if [info exists keep_saved_temps_suffixes] { + unset keep_saved_temps_suffixes + } +diff --git a/libcpp/include/cpplib.h b/libcpp/include/cpplib.h +index 4998b3a8ab8..9d70cc856ef 100644 +--- a/libcpp/include/cpplib.h ++++ b/libcpp/include/cpplib.h +@@ -594,6 +594,9 @@ struct cpp_callbacks + + /* Callback that can change a user builtin into normal macro. */ + bool (*user_builtin_macro) (cpp_reader *, cpp_hashnode *); ++ ++ /* Callback to parse SOURCE_DATE_EPOCH from environment. */ ++ time_t (*get_source_date_epoch) (cpp_reader *); + }; + + #ifdef VMS +@@ -784,9 +787,6 @@ extern void cpp_init_special_builtins (cpp_reader *); + /* Set up built-ins like __FILE__. 
*/ + extern void cpp_init_builtins (cpp_reader *, int); + +-/* Initialize the source_date_epoch value. */ +-extern void cpp_init_source_date_epoch (cpp_reader *, time_t); +- + /* This is called after options have been parsed, and partially + processed. */ + extern void cpp_post_options (cpp_reader *); +diff --git a/libcpp/init.c b/libcpp/init.c +index f5ff85b3bae..e78b3206def 100644 +--- a/libcpp/init.c ++++ b/libcpp/init.c +@@ -257,6 +257,9 @@ cpp_create_reader (enum c_lang lang, cpp_hash_table *table, + /* Do not force token locations by default. */ + pfile->forced_token_location_p = NULL; + ++ /* Initialize source_date_epoch to -2 (not yet set). */ ++ pfile->source_date_epoch = (time_t) -2; ++ + /* The expression parser stack. */ + _cpp_expand_op_stack (pfile); + +@@ -533,13 +536,6 @@ cpp_init_builtins (cpp_reader *pfile, int hosted) + _cpp_define_builtin (pfile, "__OBJC__ 1"); + } + +-/* Initialize the source_date_epoch value. */ +-void +-cpp_init_source_date_epoch (cpp_reader *pfile, time_t source_date_epoch) +-{ +- pfile->source_date_epoch = source_date_epoch; +-} +- + /* Sanity-checks are dependent on command-line options, so it is + called as a subroutine of cpp_read_main_file. */ + #if CHECKING_P +diff --git a/libcpp/internal.h b/libcpp/internal.h +index e3eb26b1f27..cea32ec73c6 100644 +--- a/libcpp/internal.h ++++ b/libcpp/internal.h +@@ -503,7 +503,8 @@ struct cpp_reader + const unsigned char *time; + + /* Externally set timestamp to replace current date and time useful for +- reproducibility. */ ++ reproducibility. It should be initialized to -2 (not yet set) and ++ set to -1 to disable it or to a non-negative value to enable it. */ + time_t source_date_epoch; + + /* EOF token, and a token forcing paste avoidance. 
*/ +diff --git a/libcpp/macro.c b/libcpp/macro.c +index c2a83764660..a3b8348a23f 100644 +--- a/libcpp/macro.c ++++ b/libcpp/macro.c +@@ -358,9 +358,13 @@ _cpp_builtin_macro_text (cpp_reader *pfile, cpp_hashnode *node, + struct tm *tb = NULL; + + /* Set a reproducible timestamp for __DATE__ and __TIME__ macro +- usage if SOURCE_DATE_EPOCH is defined. */ +- if (pfile->source_date_epoch != (time_t) -1) +- tb = gmtime (&pfile->source_date_epoch); ++ if SOURCE_DATE_EPOCH is defined. */ ++ if (pfile->source_date_epoch == (time_t) -2 ++ && pfile->cb.get_source_date_epoch != NULL) ++ pfile->source_date_epoch = pfile->cb.get_source_date_epoch (pfile); ++ ++ if (pfile->source_date_epoch >= (time_t) 0) ++ tb = gmtime (&pfile->source_date_epoch); + else + { + /* (time_t) -1 is a legitimate value for "number of seconds +-- +2.14.1 + diff --git a/gnu/packages/patches/glusterfs-use-PATH-instead-of-hardcodes.patch b/gnu/packages/patches/glusterfs-use-PATH-instead-of-hardcodes.patch new file mode 100644 index 0000000000..d05b4351b3 --- /dev/null +++ b/gnu/packages/patches/glusterfs-use-PATH-instead-of-hardcodes.patch 
@@ -0,0 +1,140 @@ +This patch was taken from Nixpkgs. + +From 616381bc25b0e90198683fb049f994e82d467d96 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niklas=20Hamb=C3=BCchen?= <mail@nh2.me> +Date: Sat, 13 May 2017 02:45:49 +0200 +Subject: [PATCH] Don't use hardcoded /sbin, /usr/bin etc. paths. Fixes + #1450546. + +Instead, rely on programs to be in PATH, as gluster already +does in many places across its code base. + +Change-Id: Id21152fe42f5b67205d8f1571b0656c4d5f74246 +--- + contrib/fuse-lib/mount-common.c | 8 ++++---- + xlators/mgmt/glusterd/src/glusterd-ganesha.c | 6 +++--- + xlators/mgmt/glusterd/src/glusterd-quota.c | 6 +++--- + xlators/mgmt/glusterd/src/glusterd-snapshot.c | 4 ++-- + xlators/mgmt/glusterd/src/glusterd-utils.c | 14 +------------- + 5 files changed, 13 insertions(+), 25 deletions(-) + +diff --git a/contrib/fuse-lib/mount-common.c b/contrib/fuse-lib/mount-common.c +index e9f80fe81..6380dd867 100644 +--- a/contrib/fuse-lib/mount-common.c ++++ b/contrib/fuse-lib/mount-common.c +@@ -255,16 +255,16 @@ fuse_mnt_umount (const char *progname, const char *abs_mnt, + exit (1); + } + #ifdef GF_LINUX_HOST_OS +- execl ("/bin/umount", "/bin/umount", "-i", rel_mnt, ++ execl ("umount", "umount", "-i", rel_mnt, + lazy ? 
"-l" : NULL, NULL); +- GFFUSE_LOGERR ("%s: failed to execute /bin/umount: %s", ++ GFFUSE_LOGERR ("%s: failed to execute umount: %s", + progname, strerror (errno)); + #elif __NetBSD__ + /* exitting the filesystem causes the umount */ + exit (0); + #else +- execl ("/sbin/umount", "/sbin/umount", "-f", rel_mnt, NULL); +- GFFUSE_LOGERR ("%s: failed to execute /sbin/umount: %s", ++ execl ("umount", "umount", "-f", rel_mnt, NULL); ++ GFFUSE_LOGERR ("%s: failed to execute umount: %s", + progname, strerror (errno)); + #endif /* GF_LINUX_HOST_OS */ + exit (1); +diff --git a/xlators/mgmt/glusterd/src/glusterd-quota.c b/xlators/mgmt/glusterd/src/glusterd-quota.c +index 0e6629cf0..fcb4738b7 100644 +--- a/xlators/mgmt/glusterd/src/glusterd-quota.c ++++ b/xlators/mgmt/glusterd/src/glusterd-quota.c +@@ -30,7 +30,7 @@ + + #ifndef _PATH_SETFATTR + # ifdef GF_LINUX_HOST_OS +-# define _PATH_SETFATTR "/usr/bin/setfattr" ++# define _PATH_SETFATTR "setfattr" + # endif + # ifdef __NetBSD__ + # define _PATH_SETFATTR "/usr/pkg/bin/setfattr" +@@ -335,7 +335,7 @@ _glusterd_quota_initiate_fs_crawl (glusterd_conf_t *priv, + + if (type == GF_QUOTA_OPTION_TYPE_ENABLE || + type == GF_QUOTA_OPTION_TYPE_ENABLE_OBJECTS) +- runner_add_args (&runner, "/usr/bin/find", ".", NULL); ++ runner_add_args (&runner, "find", ".", NULL); + + else if (type == GF_QUOTA_OPTION_TYPE_DISABLE) { + +@@ -351,7 +351,7 @@ _glusterd_quota_initiate_fs_crawl (glusterd_conf_t *priv, + VIRTUAL_QUOTA_XATTR_CLEANUP_KEY, "1", + "{}", "\\", ";", NULL); + #else +- runner_add_args (&runner, "/usr/bin/find", ".", ++ runner_add_args (&runner, "find", ".", + "-exec", _PATH_SETFATTR, "-n", + VIRTUAL_QUOTA_XATTR_CLEANUP_KEY, "-v", + "1", "{}", "\\", ";", NULL); +diff --git a/xlators/mgmt/glusterd/src/glusterd-snapshot.c b/xlators/mgmt/glusterd/src/glusterd-snapshot.c +index da0152366..f0d135350 100644 +--- a/xlators/mgmt/glusterd/src/glusterd-snapshot.c ++++ b/xlators/mgmt/glusterd/src/glusterd-snapshot.c +@@ -121,7 +121,7 @@ 
glusterd_build_snap_device_path (char *device, char *snapname, + } + + runinit (&runner); +- runner_add_args (&runner, "/sbin/lvs", "--noheadings", "-o", "vg_name", ++ runner_add_args (&runner, "lvs", "--noheadings", "-o", "vg_name", + device, NULL); + runner_redir (&runner, STDOUT_FILENO, RUN_PIPE); + snprintf (msg, sizeof (msg), "Get volume group for device %s", device); +@@ -1982,7 +1982,7 @@ glusterd_is_thinp_brick (char *device, uint32_t *op_errno) + + runinit (&runner); + +- runner_add_args (&runner, "/sbin/lvs", "--noheadings", "-o", "pool_lv", ++ runner_add_args (&runner, "lvs", "--noheadings", "-o", "pool_lv", + device, NULL); + runner_redir (&runner, STDOUT_FILENO, RUN_PIPE); + runner_log (&runner, this->name, GF_LOG_DEBUG, msg); +diff --git a/xlators/mgmt/glusterd/src/glusterd-utils.c b/xlators/mgmt/glusterd/src/glusterd-utils.c +index 51db13df0..6fa7b92f9 100644 +--- a/xlators/mgmt/glusterd/src/glusterd-utils.c ++++ b/xlators/mgmt/glusterd/src/glusterd-utils.c +@@ -6027,7 +6027,6 @@ static struct fs_info { + char *fs_tool_pattern; + char *fs_tool_pkg; + } glusterd_fs[] = { +- /* some linux have these in /usr/sbin/and others in /sbin/? 
*/ + { "xfs", "xfs_info", NULL, "isize=", "xfsprogs" }, + { "ext3", "tune2fs", "-l", "Inode size:", "e2fsprogs" }, + { "ext4", "tune2fs", "-l", "Inode size:", "e2fsprogs" }, +@@ -6048,7 +6047,6 @@ glusterd_add_inode_size_to_dict (dict_t *dict, int count) + char *trail = NULL; + runner_t runner = {0, }; + struct fs_info *fs = NULL; +- char fs_tool_name[256] = {0, }; + static dict_t *cached_fs = NULL; + + memset (key, 0, sizeof (key)); +@@ -6085,17 +6083,7 @@ glusterd_add_inode_size_to_dict (dict_t *dict, int count) + cur_word = "N/A"; + goto cached; + } +- +- snprintf (fs_tool_name, sizeof (fs_tool_name), +- "/usr/sbin/%s", fs->fs_tool_name); +- if (sys_access (fs_tool_name, R_OK|X_OK) == 0) +- runner_add_arg (&runner, fs_tool_name); +- else { +- snprintf (fs_tool_name, sizeof (fs_tool_name), +- "/sbin/%s", fs->fs_tool_name); +- if (sys_access (fs_tool_name, R_OK|X_OK) == 0) +- runner_add_arg (&runner, fs_tool_name); +- } ++ runner_add_arg (&runner, fs->fs_tool_name); + break; + } + } +-- +2.12.0 + diff --git a/gnu/packages/patches/guile-emacs-fix-configure.patch b/gnu/packages/patches/guile-emacs-fix-configure.patch new file mode 100644 index 0000000000..b1f7146d21 --- /dev/null +++ b/gnu/packages/patches/guile-emacs-fix-configure.patch 
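Review bot: The two rewritten `execl` calls in fuse_mnt_umount (contrib/fuse-lib/mount-common.c) pass the bare name `umount`, but `execl` does not search PATH, so the name is resolved relative to the current working directory and the call either fails or runs whatever file of that name is found there. The PATH-searching variant matches what the commit message describes: `execlp ("umount", "umount", "-i", rel_mnt, lazy ? "-l" : NULL, NULL);` and `execlp ("umount", "umount", "-f", rel_mnt, NULL);` in the `#else` branch. Whether the `runner_add_args`/`runner_add_arg` changes for `find`, `setfattr`, `lvs` and `fs->fs_tool_name` resolve through PATH depends on how the runner executes its argv, which is outside these hunks. If this code runs in a privileged daemon, PATH should be set to a fixed value at startup rather than inherited from the caller. The enclosing functions start and end outside the hunks.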
@@ -0,0 +1,211 @@ +Two patches here backporting fixes from Emacs master. + +Upstream status: emailed first patch to latest committer, Robin Templeton +<robin@igalia.com>, no response. + +From dfcb3b6ff318e47b84a28cfc43f50bec42fa3570 Mon Sep 17 00:00:00 2001 +From: Jan Nieuwenhuizen <janneke@gnu.org> +Date: Tue, 7 Nov 2017 18:48:03 +0100 +Subject: [PATCH 1/2] backport: Port jpeg configuration to Solaris 10 with Sun + C. + +* configure.ac: Check for jpeglib 6b by trying to link it, instead +of relying on cpp magic that has problems in practice. Check for +both jpeglib.h and jerror.h features. Remove special case for +mingw32, which should no longer be needed (and if it were needed, +should now be addressable by hotwiring emacs_cv_jpeglib). +Fixes: bug#20332 + + From fdf532b9c915ad9ba72155646d29d0f530fd72ec Mon Sep 17 00:00:00 2001 + 
From: Paul Eggert <address@hidden> + Date: Wed, 15 Apr 2015 18:30:01 -0700 + Subject: [PATCH] Port jpeg configuration to Solaris 10 with Sun C. + + * configure.ac: Check for jpeglib 6b by trying to link it, instead + of relying on cpp magic that has problems in practice. Check for + both jpeglib.h and jerror.h features. Remove special case for + mingw32, which should no longer be needed (and if it were needed, + should now be addressable by hotwiring emacs_cv_jpeglib). + Fixes: bug#20332 +--- + configure.ac | 72 ++++++++++++++++++++++++++++-------------------------------- + 1 file changed, 34 insertions(+), 38 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 2445db4886..36fa8eb390 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -3014,44 +3014,40 @@ AC_SUBST(LIBXPM) + ### mingw32 doesn't use -ljpeg, since it loads the library dynamically. + HAVE_JPEG=no + LIBJPEG= +-if test "${opsys}" = "mingw32"; then +- if test "${with_jpeg}" != "no"; then +- dnl Checking for jpeglib.h can lose because of a redefinition of +- dnl HAVE_STDLIB_H. +- AC_CHECK_HEADER(jerror.h, HAVE_JPEG=yes, HAVE_JPEG=no) +- fi +- AH_TEMPLATE(HAVE_JPEG, [Define to 1 if you have the jpeg library (-ljpeg).])dnl +- if test "${HAVE_JPEG}" = "yes"; then +- AC_DEFINE(HAVE_JPEG) +- AC_EGREP_CPP([version= *(6[2-9]|[7-9][0-9])], +- [#include <jpeglib.h> +- version=JPEG_LIB_VERSION +-], +- [AC_DEFINE(HAVE_JPEG)], +- [AC_MSG_WARN([libjpeg found, but not version 6b or later]) +- HAVE_JPEG=no]) +- fi +-elif test "${HAVE_X11}" = "yes" || test "${HAVE_W32}" = "yes"; then +- if test "${with_jpeg}" != "no"; then +- dnl Checking for jpeglib.h can lose because of a redefinition of +- dnl HAVE_STDLIB_H. 
+- AC_CHECK_HEADER(jerror.h, +- [AC_CHECK_LIB(jpeg, jpeg_destroy_compress, HAVE_JPEG=yes)]) +- fi +- +- AH_TEMPLATE(HAVE_JPEG, [Define to 1 if you have the jpeg library (-ljpeg).])dnl +- if test "${HAVE_JPEG}" = "yes"; then +- AC_DEFINE(HAVE_JPEG) +- AC_EGREP_CPP([version= *(6[2-9]|[7-9][0-9])], +- [#include <jpeglib.h> +- version=JPEG_LIB_VERSION +-], +- [AC_DEFINE(HAVE_JPEG)], +- [AC_MSG_WARN([libjpeg found, but not version 6b or later]) +- HAVE_JPEG=no]) +- fi +- if test "${HAVE_JPEG}" = "yes"; then +- LIBJPEG=-ljpeg ++if test "${with_jpeg}" != "no"; then ++ AC_CACHE_CHECK([for jpeglib 6b or later], ++ [emacs_cv_jpeglib], ++ [OLD_LIBS=$LIBS ++ for emacs_cv_jpeglib in yes -ljpeg no; do ++ case $emacs_cv_jpeglib in ++ yes) ;; ++ no) break;; ++ *) LIBS="$LIBS $emacs_cv_jpeglib";; ++ esac ++ AC_LINK_IFELSE( ++ [AC_LANG_PROGRAM( ++ [[#undef HAVE_STDLIB_H /* Avoid config.h/jpeglib.h collision. */ ++ #include <stdio.h> /* jpeglib.h needs FILE and size_t. */ ++ #include <jpeglib.h> ++ #include <jerror.h> ++ char verify[JPEG_LIB_VERSION < 62 ? -1 : 1]; ++ struct jpeg_decompress_struct cinfo; ++ ]], ++ [[ ++ jpeg_create_decompress (&cinfo); ++ WARNMS (&cinfo, JWRN_JPEG_EOF); ++ jpeg_destroy_decompress (&cinfo); ++ ]])], ++ [emacs_link_ok=yes], ++ [emacs_link_ok=no]) ++ LIBS=$OLD_LIBS ++ test $emacs_link_ok = yes && break ++ done]) ++ if test "$emacs_cv_jpeglib" != no; then ++ HAVE_JPEG=yes ++ AC_DEFINE([HAVE_JPEG], 1, ++ [Define to 1 if you have the jpeg library (typically -ljpeg).]) ++ test "$emacs_cv_jpeglib" != yes && LIBJPEG=$emacs_cv_jpeglib + fi + fi + AC_SUBST(LIBJPEG) +-- +Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org +Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com + +From f761b92d520b72954be28ad66eb82d1a96c785fb Mon Sep 17 00:00:00 2001 +From: Jan Nieuwenhuizen <janneke@gnu.org> +Date: Wed, 8 Nov 2017 14:05:43 +0100 +Subject: [PATCH 2/2] backport fix for #24065: calloc loop when compiling with + -O2. 
+ +This patch fixes + + EMACSLOADPATH= '../src/bootstrap-emacs' -batch --no-site-file --no-site-lisp -l autoload \ + --eval "(setq generate-autoload-cookie \";;;###cal-autoload\")" \ + --eval "(setq generated-autoload-file (expand-file-name + (unmsys--file-name + \"../../git-checkout/lisp/calendar/cal-loaddefs.el\")))" \ + -f batch-update-autoloads ../../git-checkout/lisp/calendar + make[2]: *** [Makefile:466: ../../git-checkout/lisp/calendar/cal-loaddefs.el] Segmentation fault + +in gdb seen as + + in calloc (nmemb=<error reading variable: DWARF-2 expression error:Loop detected (257).>, size=size@entry=1) at gmalloc.c:1510 + +I did not find malloc-fixing commits from emacs master to cleanly +cherry-pick, so this patch replaces the relevant part in configure +(emacs 53da55b8cc45e76b836ebaadd23f46e92d25abce). + +* configure.ac: backport system_malloc/hybrid_malloc detection. +--- + configure.ac | 29 ++++++++++++++++++++++++++++- + 1 file changed, 28 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 36fa8eb390..3cc1794f37 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1966,7 +1966,25 @@ case "$opsys" in + darwin|mingw32|sol2-10) system_malloc=yes ;; + esac + ++hybrid_malloc= ++system_malloc=yes ++ ++test "$CANNOT_DUMP" = yes || ++case "$opsys" in ++ ## darwin ld insists on the use of malloc routines in the System framework. 
++ darwin | mingw32 | nacl | sol2-10) ;; ++ cygwin) hybrid_malloc=yes ++ system_malloc= ;; ++ *) test "$ac_cv_func_sbrk" = yes && system_malloc=$emacs_cv_sanitize_address;; ++esac ++ ++if test "${system_malloc}" != yes && test "${doug_lea_malloc}" != yes \ ++ && test "${UNEXEC_OBJ}" = unexelf.o; then ++ hybrid_malloc=yes ++fi ++ + GMALLOC_OBJ= ++HYBRID_MALLOC= + if test "${system_malloc}" = "yes"; then + AC_DEFINE([SYSTEM_MALLOC], 1, + [Define to 1 to use the system memory allocator, even if it is not +@@ -1975,6 +1993,14 @@ if test "${system_malloc}" = "yes"; then + GNU_MALLOC_reason=" + (The GNU allocators don't work with this system configuration.)" + VMLIMIT_OBJ= ++elif test "$hybrid_malloc" = yes; then ++ AC_DEFINE(HYBRID_MALLOC, 1, ++ [Define to use gmalloc before dumping and the system malloc after.]) ++ HYBRID_MALLOC=1 ++ GNU_MALLOC=no ++ GNU_MALLOC_reason=" (only before dumping)" ++ GMALLOC_OBJ=gmalloc.o ++ VMLIMIT_OBJ= + else + test "$doug_lea_malloc" != "yes" && GMALLOC_OBJ=gmalloc.o + VMLIMIT_OBJ=vm-limit.o +@@ -1993,10 +2019,11 @@ else + of the main data segment.]) + fi + fi ++AC_SUBST([HYBRID_MALLOC]) + AC_SUBST(GMALLOC_OBJ) + AC_SUBST(VMLIMIT_OBJ) + +-if test "$doug_lea_malloc" = "yes" ; then ++if test "$doug_lea_malloc" = "yes" && test "$hybrid_malloc" != yes; then + if test "$GNU_MALLOC" = yes ; then + GNU_MALLOC_reason=" + (Using Doug Lea's new malloc from the GNU C Library.)" +-- +Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org +Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com + diff --git a/gnu/packages/patches/higan-remove-march-native-flag.patch b/gnu/packages/patches/higan-remove-march-native-flag.patch index 8f4a36dc35..30d4cdd061 100644 --- a/gnu/packages/patches/higan-remove-march-native-flag.patch +++ b/gnu/packages/patches/higan-remove-march-native-flag.patch @@ -2,12 +2,11 @@ Remove -march=native from build flags. --- a/higan/GNUmakefile 
+++ b/higan/GNUmakefile -@@ -32,7 +32,7 @@ ifeq ($(platform),windows) - else ifeq ($(platform),macosx) - flags += -march=native - else ifneq ($(filter $(platform),linux bsd),) -- flags += -march=native -fopenmp -+ flags += -fopenmp +@@ -26,7 +26,6 @@ + flags += -fopenmp link += -fopenmp - link += -Wl,-export-dynamic - link += -lX11 -lXext + ifeq ($(binary),application) +- flags += -march=native + link += -Wl,-export-dynamic + link += -lX11 -lXext + else ifeq ($(binary),library) diff --git a/gnu/packages/patches/libmygpo-qt-fix-jsoncreatortest.patch b/gnu/packages/patches/libmygpo-qt-fix-jsoncreatortest.patch new file mode 100644 index 0000000000..c457d592cc --- /dev/null +++ b/gnu/packages/patches/libmygpo-qt-fix-jsoncreatortest.patch 
@@ -0,0 +1,41 @@ +From ebe2323727f8d646590245b0bf06dbc92b5808d6 Mon Sep 17 00:00:00 2001 +From: Golubev Alexander <fatzer2@gmail.com> +Date: Tue, 20 Sep 2016 15:33:30 +0400 +Subject: [PATCH] JsonCreatorTest failed due to extra space + +JsonCreatorTest failed with next message: +``` +********* Start testing of mygpo::JsonCreatorTest ********* +Config: Using QTest library 4.8.6, Qt 4.8.6 +PASS : mygpo::JsonCreatorTest::initTestCase() +PASS : mygpo::JsonCreatorTest::testAddRemoveSubsToJSON() +PASS : mygpo::JsonCreatorTest::testSaveSettingsToJSON() +FAIL! : mygpo::JsonCreatorTest::testEpisodeActionListToJSON() Compared values are not the same + Actual (outString2): [{"action":"download","device":"device1","episode":"http://episode.url","podcast":"http://podcast.url","timestamp":"1998-01-01T00:01:02"},{"action":"delete","device":"device3","episode":"http://episode2.url","podcast":"http://podcast2.url","timestamp":"1920-01-01T12:01:02"},{"action":"new","device":"foodev","episode":"http://www.podtrac.com","podcast":"http://leo.am","timestamp":"1998-01-01T00:01:02"},{"action":"play","device":"foodev","episode":"http://www.podtrac.com","podcast":"http://leo.am","timestamp":"1920-01-01T12:01:02"},{"action":"play","device":"foodev","episode":"http://www.podtrac.com","podcast":"http://leo.am","position":123,"started":10,"timestamp":"1998-01-01T00:01:02","total":321},{"action":"play","device":"foodev","episode":"http://www.podtrac.com","podcast":"http://leo.am","position":10,"timestamp":"1998-01-01T00:01:02"}] + Expected (expected2): [{"action":"download","device":"device1","episode":"http://episode.url","podcast":"http: + Loc: [/var/tmp/portage/media-libs/libmygpo-qt-1.0.9-r1/work/libmygpo-qt-1.0.9/tests/JsonCreatorTest.cpp(138)] +PASS : mygpo::JsonCreatorTest::testRenameDeviceStringToJSON() +PASS : mygpo::JsonCreatorTest::testDeviceSynchronizationListsToJSON() +PASS : mygpo::JsonCreatorTest::cleanupTestCase() +Totals: 6 passed, 1 failed, 0 skipped +********* Finished testing 
of mygpo::JsonCreatorTest ********* +``` + +This was caused by extra space in the expected string. +--- + tests/JsonCreatorTest.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/JsonCreatorTest.cpp b/tests/JsonCreatorTest.cpp +index b15b006..feb03d5 100644 +--- a/tests/JsonCreatorTest.cpp ++++ b/tests/JsonCreatorTest.cpp +@@ -133,7 +133,7 @@ void JsonCreatorTest::testEpisodeActionListToJSON() + + output = JsonCreator::episodeActionListToJSON(episodeActions); + QString outString2 = QString::fromLatin1( output ).replace( QLatin1String(" "), QLatin1String("") ); +- QString expected2( QLatin1String( "[{\"action\":\"download\",\"device\":\"device1\",\"episode\":\"http://episode.url\",\"podcast\":\"http://podcast.url\",\"timestamp\":\"1998-01-01T00:01:02\"},{\"action\":\"delete\",\"device\":\"device3\",\"episode\":\"http://episode2.url\",\"podcast\":\"http://podcast2.url\",\"timestamp\":\"1920-01-01T12:01:02\"},{\"action\":\"new\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"timestamp\":\"1998-01-01T00:01:02\"},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"timestamp\":\"1920-01-01T12:01:02\" },{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"position\":123,\"started\":10,\"timestamp\":\"1998-01-01T00:01:02\",\"total\":321},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"position\":10,\"timestamp\":\"1998-01-01T00:01:02\"}]" ) ); ++ QString expected2( QLatin1String( 
"[{\"action\":\"download\",\"device\":\"device1\",\"episode\":\"http://episode.url\",\"podcast\":\"http://podcast.url\",\"timestamp\":\"1998-01-01T00:01:02\"},{\"action\":\"delete\",\"device\":\"device3\",\"episode\":\"http://episode2.url\",\"podcast\":\"http://podcast2.url\",\"timestamp\":\"1920-01-01T12:01:02\"},{\"action\":\"new\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"timestamp\":\"1998-01-01T00:01:02\"},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"timestamp\":\"1920-01-01T12:01:02\"},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"position\":123,\"started\":10,\"timestamp\":\"1998-01-01T00:01:02\",\"total\":321},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"position\":10,\"timestamp\":\"1998-01-01T00:01:02\"}]" ) ); + + QCOMPARE(outString2, expected2 ); + } diff --git a/gnu/packages/patches/libtorrent-rasterbar-boost-compat.patch b/gnu/packages/patches/libtorrent-rasterbar-boost-compat.patch deleted file mode 100644 index 85bea76efe..0000000000 --- a/gnu/packages/patches/libtorrent-rasterbar-boost-compat.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -Fix compatibility with Boost 1.63. - -Patch copied from upstream source repository: - -https://github.com/arvidn/libtorrent/commit/6d2d736cecce0af274dd651dd1f562716b625d92 - -From 6d2d736cecce0af274dd651dd1f562716b625d92 Mon Sep 17 00:00:00 2001 -From: arvidn <arvid@cs.umu.se> -Date: Sun, 12 Mar 2017 13:03:26 -0400 -Subject: [PATCH] fix test_ssl.cpp build with newer versions of boost - ---- - test/test_ssl.cpp | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/test/test_ssl.cpp b/test/test_ssl.cpp -index 01c5bc7..2903332 100644 ---- a/test/test_ssl.cpp -+++ b/test/test_ssl.cpp -@@ -51,7 +51,6 @@ POSSIBILITY OF SUCH DAMAGE. - #include <boost/asio/connect.hpp> - - #ifdef TORRENT_USE_OPENSSL --#include <boost/asio/ssl/error.hpp> // for asio::error::get_ssl_category() - #include <boost/asio/ssl.hpp> - - #include "libtorrent/aux_/disable_warnings_pop.hpp" diff --git a/gnu/packages/patches/libvirt-CVE-2017-1000256.patch b/gnu/packages/patches/libvirt-CVE-2017-1000256.patch deleted file mode 100644 index d577e1eb50..0000000000 --- a/gnu/packages/patches/libvirt-CVE-2017-1000256.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -Fix CVE-2017-1000256: - -https://security.libvirt.org/2017/0002.html -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000256 - -Patch copied from upstream source repository: - -https://libvirt.org/git/?p=libvirt.git;a=commit;h=dc6c41798d1eb5c52c75365ffa22f7672709dfa7 - -From dc6c41798d1eb5c52c75365ffa22f7672709dfa7 Mon Sep 17 00:00:00 2001 -From: Daniel P. Berrange <berrange@redhat.com> -Date: Thu, 5 Oct 2017 17:54:28 +0100 -Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate - -The default_tls_x509_verify (and related) parameters in qemu.conf -control whether the QEMU TLS servers request & verify certificates -from clients. This works as a simple access control system for -servers by requiring the CA to issue certs to permitted clients. -This use of client certificates is disabled by default, since it -requires extra work to issue client certificates. - -Unfortunately the code was using this configuration parameter when -setting up both TLS clients and servers in QEMU. The result was that -TLS clients for character devices and disk devices had verification -turned off, meaning they would ignore errors while validating the -server certificate. - -This allows for trivial MITM attacks between client and server, -as any certificate returned by the attacker will be accepted by -the client. - -This is assigned CVE-2017-1000256 / LSN-2017-0002 - -Reviewed-by: Eric Blake <eblake@redhat.com> -Signed-off-by: Daniel P. 
Berrange <berrange@redhat.com> -(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157) ---- - src/qemu/qemu_command.c | 2 +- - .../qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +- - ...xml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c -index 9a27987..ae78cd1 100644 ---- a/src/qemu/qemu_command.c -+++ b/src/qemu/qemu_command.c -@@ -718,7 +718,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, - if (virJSONValueObjectCreate(propsret, - "s:dir", path, - "s:endpoint", (isListen ? "server": "client"), -- "b:verify-peer", verifypeer, -+ "b:verify-peer", (isListen ? verifypeer : true), - NULL) < 0) - goto cleanup; - -diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args -index 5aff773..ab5f7e2 100644 ---- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args -+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args -@@ -26,7 +26,7 @@ server,nowait \ - localport=1111 \ - -device isa-serial,chardev=charserial0,id=serial0 \ - -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ --endpoint=client,verify-peer=no \ -+endpoint=client,verify-peer=yes \ - -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ - tls-creds=objcharserial1_tls0 \ - -device isa-serial,chardev=charserial1,id=serial1 \ -diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args -index 91f1fe0..2567abb 100644 ---- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args -+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args -@@ -31,7 +31,7 @@ localport=1111 \ - data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ - 
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ - -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ --endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \ -+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \ - -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ - tls-creds=objcharserial1_tls0 \ - -device isa-serial,chardev=charserial1,id=serial1 \ --- -1.7.1 - diff --git a/gnu/packages/patches/node-test-http2-server-rst-stream.patch b/gnu/packages/patches/node-test-http2-server-rst-stream.patch new file mode 100644 index 0000000000..c2f85010b1 --- /dev/null +++ b/gnu/packages/patches/node-test-http2-server-rst-stream.patch 
@@ -0,0 +1,131 @@ +From a41cc020fd6e40b358103425edfa50e6a10fc973 Mon Sep 17 00:00:00 2001 +From: Anatoli Papirovski <apapirovski@mac.com> +Date: Thu, 2 Nov 2017 12:46:31 -0400 +Subject: [PATCH] test: fix flaky test-http2-server-rst-stream.js + +PR-URL: https://github.com/nodejs/node/pull/16690 +Fixes: https://github.com/nodejs/node/issues/16688 +Reviewed-By: James M Snell <jasnell@gmail.com> +Reviewed-By: Matteo Collina <matteo.collina@gmail.com> +--- + test/parallel/test-http2-server-rst-stream.js | 93 ++++++++++----------------- + 1 file changed, 35 insertions(+), 58 deletions(-) + +diff --git a/test/parallel/test-http2-server-rst-stream.js b/test/parallel/test-http2-server-rst-stream.js +index b92217dc99..dd38efb42f 100644 +--- a/test/parallel/test-http2-server-rst-stream.js ++++ b/test/parallel/test-http2-server-rst-stream.js +@@ -5,11 +5,9 @@ if (!common.hasCrypto) + common.skip('missing crypto'); + const assert = require('assert'); + const http2 = require('http2'); ++const Countdown = require('../common/countdown'); + + const { +- HTTP2_HEADER_METHOD, +- HTTP2_HEADER_PATH, +- HTTP2_METHOD_POST, + NGHTTP2_CANCEL, + NGHTTP2_NO_ERROR, + NGHTTP2_PROTOCOL_ERROR, +@@ -17,63 +15,42 @@ const { + NGHTTP2_INTERNAL_ERROR + } = http2.constants; + +-const errCheck = common.expectsError({ code: 'ERR_HTTP2_STREAM_ERROR' }, 6); ++const tests = [ ++ ['rstStream', NGHTTP2_NO_ERROR, false], ++ ['rstWithNoError', NGHTTP2_NO_ERROR, false], ++ ['rstWithProtocolError', NGHTTP2_PROTOCOL_ERROR, true], ++ ['rstWithCancel', NGHTTP2_CANCEL, false], ++ ['rstWithRefuse', NGHTTP2_REFUSED_STREAM, true], ++ ['rstWithInternalError', NGHTTP2_INTERNAL_ERROR, true] ++]; ++ ++const server = http2.createServer(); ++server.on('stream', (stream, headers) => { ++ const method = headers['rstmethod']; ++ stream[method](); ++}); ++ ++server.listen(0, common.mustCall(() => { ++ const client = http2.connect(`http://localhost:${server.address().port}`); ++ ++ const countdown = new Countdown(tests.length, 
common.mustCall(() => { ++ client.destroy(); ++ server.close(); ++ })); + +-function checkRstCode(rstMethod, expectRstCode) { +- const server = http2.createServer(); +- server.on('stream', (stream, headers, flags) => { +- stream.respond({ +- 'content-type': 'text/html', +- ':status': 200 ++ tests.forEach((test) => { ++ const req = client.request({ ++ ':method': 'POST', ++ rstmethod: test[0] + }); +- stream.write('test'); +- if (rstMethod === 'rstStream') +- stream[rstMethod](expectRstCode); +- else +- stream[rstMethod](); +- +- if (expectRstCode !== NGHTTP2_NO_ERROR && +- expectRstCode !== NGHTTP2_CANCEL) { +- stream.on('error', common.mustCall(errCheck)); +- } else { +- stream.on('error', common.mustNotCall()); +- } +- }); +- +- server.listen(0, common.mustCall(() => { +- const port = server.address().port; +- const client = http2.connect(`http://localhost:${port}`); +- +- const headers = { +- [HTTP2_HEADER_PATH]: '/', +- [HTTP2_HEADER_METHOD]: HTTP2_METHOD_POST +- }; +- const req = client.request(headers); +- +- req.setEncoding('utf8'); +- req.on('streamClosed', common.mustCall((actualRstCode) => { +- assert.strictEqual( +- expectRstCode, actualRstCode, `${rstMethod} is not match rstCode`); +- server.close(); +- client.destroy(); ++ req.on('streamClosed', common.mustCall((code) => { ++ assert.strictEqual(code, test[1]); ++ countdown.dec(); + })); +- req.on('data', common.mustCall()); + req.on('aborted', common.mustCall()); +- req.on('end', common.mustCall()); +- +- if (expectRstCode !== NGHTTP2_NO_ERROR && +- expectRstCode !== NGHTTP2_CANCEL) { +- req.on('error', common.mustCall(errCheck)); +- } else { ++ if (test[2]) ++ req.on('error', common.mustCall()); ++ else + req.on('error', common.mustNotCall()); +- } +- +- })); +-} +- +-checkRstCode('rstStream', NGHTTP2_NO_ERROR); +-checkRstCode('rstWithNoError', NGHTTP2_NO_ERROR); +-checkRstCode('rstWithProtocolError', NGHTTP2_PROTOCOL_ERROR); +-checkRstCode('rstWithCancel', NGHTTP2_CANCEL); 
+-checkRstCode('rstWithRefuse', NGHTTP2_REFUSED_STREAM);
+-checkRstCode('rstWithInternalError', NGHTTP2_INTERNAL_ERROR);
++ });
++}));
+--
+2.15.0
+
diff --git a/gnu/packages/patches/optipng-CVE-2017-1000229.patch b/gnu/packages/patches/optipng-CVE-2017-1000229.patch
new file mode 100644
index 0000000000..2cb3b2f21c
--- /dev/null
+++ b/gnu/packages/patches/optipng-CVE-2017-1000229.patch
@@ -0,0 +1,22 @@
+Fix CVE-2017-1000229:
+
+https://security-tracker.debian.org/tracker/CVE-2017-1000229
+https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000229.html
+https://nvd.nist.gov/vuln/detail/CVE-2017-1000229
+
+Patch copied from upstream bug tracker:
+https://sourceforge.net/p/optipng/bugs/65/
+
+diff --git a/src/minitiff/tiffread.c b/src/minitiff/tiffread.c
+index b4910ec..5f9b376 100644
+--- a/src/minitiff/tiffread.c
++++ b/src/minitiff/tiffread.c
+@@ -350,6 +350,8 @@ minitiff_read_info(struct minitiff_info *tiff_ptr, FILE *fp)
+ count = tiff_ptr->strip_offsets_count;
+ if (count == 0 || count > tiff_ptr->height)
+ goto err_invalid;
++ if (count > (size_t)-1 / sizeof(long))
++ goto err_memory;
+ tiff_ptr->strip_offsets = (long *)malloc(count * sizeof(long));
+ if (tiff_ptr->strip_offsets == NULL)
+ goto err_memory;
diff --git a/gnu/packages/patches/pcmanfm-CVE-2017-8934.patch b/gnu/packages/patches/pcmanfm-CVE-2017-8934.patch
new file mode 100644
index 0000000000..489d22c83b
--- /dev/null
+++ b/gnu/packages/patches/pcmanfm-CVE-2017-8934.patch
@@ -0,0 +1,56 @@
+From bc8c3d871e9ecc67c47ff002b68cf049793faf08 Mon Sep 17 00:00:00 2001
+From: Andriy Grytsenko <andrej@rep.kiev.ua>
+Date: Sun, 14 May 2017 21:35:40 +0300
+Subject: [PATCH] Fix potential access violation, use runtime user dir instead
+ of tmp dir.
+
+---
+ NEWS | 4 ++++
+ src/single-inst.c | 7 ++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index 8c2049a..876f7f3 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,3 +1,7 @@
++* Fixed potential access violation, use runtime user dir instead of tmp dir
++ for single instance socket.
++
++
+ Changes on 1.2.5 since 1.2.4:
+
+ * Removed options to Cut, Remove and Rename from context menu on mounted
+diff --git a/src/single-inst.c b/src/single-inst.c
+index 62c37b3..aaf84ab 100644
+--- a/src/single-inst.c
++++ b/src/single-inst.c
+@@ -2,7 +2,7 @@
+ * single-inst.c: simple IPC mechanism for single instance app
+ *
+ * Copyright 2010 Hong Jen Yee (PCMan) <pcman.tw@gmail.com>
+- * Copyright 2012 Andriy Grytsenko (LStranger) <andrej@rep.kiev.ua>
++ * Copyright 2012-2017 Andriy Grytsenko (LStranger) <andrej@rep.kiev.ua>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -404,11 +404,16 @@ static void get_socket_name(SingleInstData* data, char* buf, int len)
+ }
+ else
+ dpynum = 0;
++#if GLIB_CHECK_VERSION(2, 28, 0)
++ g_snprintf(buf, len, "%s/%s-socket-%s-%d", g_get_user_runtime_dir(),
++ data->prog_name, host ? host : "", dpynum);
++#else
+ g_snprintf(buf, len, "%s/.%s-socket-%s-%d-%s",
+ g_get_tmp_dir(),
+ data->prog_name,
+ host ? host : "",
+ dpynum,
+ g_get_user_name());
++#endif
+ }
+
+--
+2.1.4
+
diff --git a/gnu/packages/patches/perl-text-markdown-discount-use-system-markdown.patch b/gnu/packages/patches/perl-text-markdown-discount-unbundle.patch
index e0df632a04..e0df632a04 100644
--- a/gnu/packages/patches/perl-text-markdown-discount-use-system-markdown.patch
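Review bot: The `#else` branch kept for GLib older than 2.28 in `get_socket_name` still builds the socket path under `g_get_tmp_dir()`, so a build against such a GLib keeps the shared-temp-dir socket that this change moves away from. A comment on that branch would make the gap explicit, for example `/* GLib < 2.28: no runtime dir API, socket stays in the shared tmp dir */`. Separately, `g_get_user_runtime_dir()` is documented to fall back to the user cache directory when `XDG_RUNTIME_DIR` is unset, so in such sessions the protection depends on that directory's permissions. `get_socket_name` starts outside the hunk.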
+++ b/gnu/packages/patches/perl-text-markdown-discount-unbundle.patch
diff --git a/gnu/packages/patches/procmail-CVE-2017-16844.patch b/gnu/packages/patches/procmail-CVE-2017-16844.patch
new file mode 100644
index 0000000000..b96540c8cd
--- /dev/null
+++ b/gnu/packages/patches/procmail-CVE-2017-16844.patch
@@ -0,0 +1,25 @@
+Fix CVE-2017-16844:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16844
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511
+
+Patch copied from Debian procmail package 3.22-26:
+
+http://http.debian.net/debian/pool/main/p/procmail/procmail_3.22-26.debian.tar.xz
+
+From: Santiago Vila <sanvila@debian.org>
+Subject: Fix heap-based buffer overflow in loadbuf()
+Bug-Debian: http://bugs.debian.org/876511
+X-Debian-version: 3.22-26
+
+--- a/src/formisc.c
++++ b/src/formisc.c
+@@ -103,7 +103,7 @@
+ }
+ /* append to buf */
+ void loadbuf(text,len)const char*const text;const size_t len;
+-{ if(buffilled+len>buflen) /* buf can't hold the text */
++{ while(buffilled+len>buflen) /* buf can't hold the text */
+ buf=realloc(buf,buflen+=Bsize);
+ tmemmove(buf+buffilled,text,len);buffilled+=len;
+ }
diff --git a/gnu/packages/patches/qemu-CVE-2017-15118.patch b/gnu/packages/patches/qemu-CVE-2017-15118.patch
new file mode 100644
index 0000000000..d427317be9
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-15118.patch
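Review bot: `loadbuf` in the procmail patch still assigns the result of `realloc` straight to `buf` without testing it, so an allocation failure inside the new `while` loop loses the old block and the following `tmemmove` writes through a bad pointer. The loop also reallocates once per `Bsize` step; growing the size first with `while(buffilled+len>buflen) buflen+=Bsize;` and then doing one `realloc` whose return value is checked before the copy is cheaper and leaves a single result to test. `buffilled+len` can itself wrap for a very large `len`, which would skip the loop entirely; whether callers can pass such a length is not visible here.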
@@ -0,0 +1,58 @@
+Fix CVE-2017-15118:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15118
+https://bugzilla.redhat.com/show_bug.cgi?id=1516922
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=51ae4f8455c9e32c54770c4ebc25bf86a8128183
+
+From 51ae4f8455c9e32c54770c4ebc25bf86a8128183 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 22 Nov 2017 15:07:22 -0600
+Subject: [PATCH] nbd/server: CVE-2017-15118 Stack smash on large export name
+
+Introduced in commit f37708f6b8 (2.10). The NBD spec says a client
+can request export names up to 4096 bytes in length, even though
+they should not expect success on names longer than 256. However,
+qemu hard-codes the limit of 256, and fails to filter out a client
+that probes for a longer name; the result is a stack smash that can
+potentially give an attacker arbitrary control over the qemu
+process.
+
+The smash can be easily demonstrated with this client:
+$ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)
+
+If the qemu NBD server binary (whether the standalone qemu-nbd, or
+the builtin server of QMP nbd-server-start) was compiled with
+-fstack-protector-strong, the ability to exploit the stack smash
+into arbitrary execution is a lot more difficult (but still
+theoretically possible to a determined attacker, perhaps in
+combination with other CVEs). Still, crashing a running qemu (and
+losing the VM) is bad enough, even if the attacker did not obtain
+full execution control.
+
+CC: qemu-stable@nongnu.org
+Signed-off-by: Eric Blake <eblake@redhat.com>
+---
+ nbd/server.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/nbd/server.c b/nbd/server.c
+index a81801e3bc..92c0fdd03b 100644
+--- a/nbd/server.c
++++ b/nbd/server.c
+@@ -386,6 +386,10 @@ static int nbd_negotiate_handle_info(NBDClient *client, uint32_t length,
+ msg = "name length is incorrect";
+ goto invalid;
+ }
++ if (namelen >= sizeof(name)) {
++ msg = "name too long for qemu";
++ goto invalid;
++ }
+ if (nbd_read(client->ioc, name, namelen, errp) < 0) {
+ return -EIO;
+ }
+--
+2.15.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-15119.patch b/gnu/packages/patches/qemu-CVE-2017-15119.patch
new file mode 100644
index 0000000000..6265ecf8d6
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-15119.patch
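Review bot: The new bound in `nbd_negotiate_handle_info` uses `>=` rather than `>`, and nothing in the hunk says why; presumably `name` is NUL-terminated at `name[namelen]` after the read, so one byte has to stay free. A comment such as `/* >= so that the terminating NUL still fits in name[] */` above the check would keep a later cleanup from relaxing it to `>`, once confirmed against the rest of the function, which starts and ends outside the hunk. The check also depends on `name` being an array: if it ever becomes a pointer, `sizeof(name)` silently becomes the pointer size.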
@@ -0,0 +1,68 @@
+Fix CVE-2017-15119:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15119
+https://bugzilla.redhat.com/show_bug.cgi?id=1516925
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=fdad35ef6c5839d50dfc14073364ac893afebc30
+
+From fdad35ef6c5839d50dfc14073364ac893afebc30 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 22 Nov 2017 16:25:16 -0600
+Subject: [PATCH] nbd/server: CVE-2017-15119 Reject options larger than 32M
+
+The NBD spec gives us permission to abruptly disconnect on clients
+that send outrageously large option requests, rather than having
+to spend the time reading to the end of the option. No real
+option request requires that much data anyways; and meanwhile, we
+already have the practice of abruptly dropping the connection on
+any client that sends NBD_CMD_WRITE with a payload larger than 32M.
+
+For comparison, nbdkit drops the connection on any request with
+more than 4096 bytes; however, that limit is probably too low
+(as the NBD spec states an export name can theoretically be up
+to 4096 bytes, which means a valid NBD_OPT_INFO could be even
+longer) - even if qemu doesn't permit exports longer than 256
+bytes.
+
+It could be argued that a malicious client trying to get us to
+read nearly 4G of data on a bad request is a form of denial of
+service. In particular, if the server requires TLS, but a client
+that does not know the TLS credentials sends any option (other
+than NBD_OPT_STARTTLS or NBD_OPT_EXPORT_NAME) with a stated
+payload of nearly 4G, then the server was keeping the connection
+alive trying to read all the payload, tying up resources that it
+would rather be spending on a client that can get past the TLS
+handshake. Hence, this warranted a CVE.
+
+Present since at least 2.5 when handling known options, and made
+worse in 2.6 when fixing support for NBD_FLAG_C_FIXED_NEWSTYLE
+to handle unknown options.
+
+CC: qemu-stable@nongnu.org
+Signed-off-by: Eric Blake <eblake@redhat.com>
+---
+ nbd/server.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nbd/server.c b/nbd/server.c
+index 7d6801b427..a81801e3bc 100644
+--- a/nbd/server.c
++++ b/nbd/server.c
+@@ -673,6 +673,12 @@ static int nbd_negotiate_options(NBDClient *client, uint16_t myflags,
+ }
+ length = be32_to_cpu(length);
+
++ if (length > NBD_MAX_BUFFER_SIZE) {
++ error_setg(errp, "len (%" PRIu32" ) is larger than max len (%u)",
++ length, NBD_MAX_BUFFER_SIZE);
++ return -EINVAL;
++ }
++
+ trace_nbd_negotiate_options_check_option(option,
+ nbd_opt_lookup(option));
+ if (client->tlscreds &&
+--
+2.15.0
+
diff --git a/gnu/packages/patches/shepherd-close-fds.patch b/gnu/packages/patches/shepherd-close-fds.patch
new file mode 100644
index 0000000000..2078b15265
--- /dev/null
+++ b/gnu/packages/patches/shepherd-close-fds.patch
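Review bot: The format string in the new `error_setg` call has a stray space, `PRIu32" )"`, so the message prints as `len (N ) is larger than max len (M)`. It should read `"len (%" PRIu32 ") is larger than max len (%u)"`. The `%u` conversion also assumes that `NBD_MAX_BUFFER_SIZE` expands to an unsigned int, which is not visible in this hunk. `nbd_negotiate_options` starts and ends outside the hunk.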
@@ -0,0 +1,36 @@
+commit 3e346a2a84b099766ea8a3a4a4549f6172483062
+Author: Ludovic Courtès <ludo@gnu.org>
+Date: Sun Dec 3 22:30:03 2017 +0100
+
+ service: In 'exec-command', close open ports before 'execl'.
+
+ This gets rid of annoying "Bad file descriptor" warnings from shepherd.
+
+ * modules/shepherd/service.scm (exec-command): In 'loop', invoke
+ 'close-port' and the ports returned by (fdes->ports i).
+
+diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm
+index b2d8bc5..0ad28a0 100644
+--- a/modules/shepherd/service.scm
++++ b/modules/shepherd/service.scm
+@@ -1,5 +1,5 @@
+ ;; service.scm -- Representation of services.
+-;; Copyright (C) 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
++;; Copyright (C) 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+ ;; Copyright (C) 2002, 2003 Wolfgang Järling <wolfgang@pro-linux.de>
+ ;; Copyright (C) 2014 Alex Sassmannshausen <alex.sassmannshausen@gmail.com>
+ ;; Copyright (C) 2016 Alex Kost <alezost@gmail.com>
+@@ -744,6 +744,14 @@ false."
+
+ (let loop ((i 3))
+ (when (< i max-fd)
++ ;; First try to close any ports associated with file descriptor I.
++ ;; Otherwise the finalization thread might get around to closing
++ ;; those ports eventually, which will raise an EBADF exception (on
++ ;; 2.2), leading to messages like "error in the finalization
++ ;; thread: Bad file descriptor".
++ (for-each (lambda (port)
++ (catch-system-error (close-port port)))
++ (fdes->ports i))
+ (catch-system-error (close-fdes i))
+ (loop (+ i 1)))))
diff --git a/gnu/packages/patches/spice-CVE-2016-9577.patch b/gnu/packages/patches/spice-CVE-2016-9577.patch
deleted file mode 100644
index a2cb558cd3..0000000000
--- a/gnu/packages/patches/spice-CVE-2016-9577.patch
+++ /dev/null
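Review bot: Once the added `for-each` has closed the ports for descriptor `i`, the following `(catch-system-error (close-fdes i))` presumably fails with EBADF for that descriptor and relies on `catch-system-error` to swallow it; the new comment explains the finalizer warning but not this interaction. I would extend it with `;; 'close-fdes' below then fails harmlessly for descriptors closed here.` Note also that `fdes->ports` is now called once for every descriptor from 3 up to `max-fd`; if that lookup walks the whole port table, the cost before exec grows with both numbers, which may matter where the descriptor limit is large. The enclosing procedure starts outside the hunk.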
@@ -1,33 +0,0 @@ -Prevent buffer overflow when reading large messages. - -https://bugzilla.redhat.com/show_bug.cgi?id=1401603 -https://access.redhat.com/security/cve/CVE-2016-9577 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9577 -https://security-tracker.debian.org/tracker/CVE-2016-9577 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 - -From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <fziglio@redhat.com> -Date: Tue, 29 Nov 2016 16:46:56 +0000 -Subject: main-channel: Prevent overflow reading messages from client - -diff --git a/server/main_channel.c b/server/main_channel.c -index 0ecc9df..1fc3915 100644 ---- a/server/main_channel.c -+++ b/server/main_channel.c -@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc, - - if (type == SPICE_MSGC_MAIN_AGENT_DATA) { - return reds_get_agent_data_buffer(mcc, size); -+ } else if (size > sizeof(main_chan->recv_buf)) { -+ /* message too large, caller will log a message and close the connection */ -+ return NULL; - } else { - return main_chan->recv_buf; - } --- -cgit v0.10.2 - diff --git a/gnu/packages/patches/spice-CVE-2016-9578-1.patch b/gnu/packages/patches/spice-CVE-2016-9578-1.patch deleted file mode 100644 index f86cdb4eb1..0000000000 --- a/gnu/packages/patches/spice-CVE-2016-9578-1.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -Prevent possible DoS during protocol handshake. - -https://bugzilla.redhat.com/show_bug.cgi?id=1399566 -https://access.redhat.com/security/cve/CVE-2016-9578 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9578 -https://security-tracker.debian.org/tracker/CVE-2016-9578 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a - -From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <fziglio@redhat.com> -Date: Tue, 13 Dec 2016 14:39:48 +0000 -Subject: Prevent possible DoS attempts during protocol handshake - -diff --git a/server/reds.c b/server/reds.c -index f40b65c..86a33d5 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque) - - reds->peer_minor_version = header->minor_version; - -- if (header->size < sizeof(SpiceLinkMess)) { -+ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */ -+ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) { - reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); - spice_warning("bad size %u", header->size); - reds_link_free(link); --- -cgit v0.10.2 - diff --git a/gnu/packages/patches/spice-CVE-2016-9578-2.patch b/gnu/packages/patches/spice-CVE-2016-9578-2.patch deleted file mode 100644 index 76f7ec7ffb..0000000000 --- a/gnu/packages/patches/spice-CVE-2016-9578-2.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -Fixes a potential buffer overflow in the protocol handling. - -https://bugzilla.redhat.com/show_bug.cgi?id=1399566 -https://access.redhat.com/security/cve/CVE-2016-9578 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9578 -https://security-tracker.debian.org/tracker/CVE-2016-9578 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a - -From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <fziglio@redhat.com> -Date: Tue, 13 Dec 2016 14:40:10 +0000 -Subject: Prevent integer overflows in capability checks - -diff --git a/server/reds.c b/server/reds.c -index 86a33d5..9150454 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque) - link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps); - link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps); - -+ /* Prevent DoS. Currently we defined only 13 capabilities, -+ * I expect 1024 to be valid for quite a lot time */ -+ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) { -+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); -+ reds_link_free(link); -+ return; -+ } -+ - num_caps = link_mess->num_common_caps + link_mess->num_channel_caps; - caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset); - --- -cgit v0.10.2 - diff --git a/gnu/packages/patches/spice-CVE-2017-7506.patch b/gnu/packages/patches/spice-CVE-2017-7506.patch deleted file mode 100644 index 37d8f02831..0000000000 --- a/gnu/packages/patches/spice-CVE-2017-7506.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -Fix CVE-2017-7506: - -https://bugzilla.redhat.com/show_bug.cgi?id=1452606 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7506 - -Patches copied from Debian spice package version -'spice_0.12.8-2.1+deb9u1.debian.tar.xz': -http://security.debian.org/debian-security/pool/updates/main/s/spice/spice_0.12.8-2.1+deb9u1.debian.tar.xz - -The patches had to be adapted to apply to the latest spice tarball, and -are based on these upstream commits: - -https://cgit.freedesktop.org/spice/spice/commit/?id=111ab38611cef5012f1565a65fa2d8a8a05cce37 -https://cgit.freedesktop.org/spice/spice/commit/?id=571cec91e71c2aae0d5f439ea2d8439d0c3d75eb -https://cgit.freedesktop.org/spice/spice/commit/?id=fbbcdad773e2791cfb988f4748faa41943551ca6 - -From 257f69d619fed407493156c8a7b952abc8a51314 Mon Sep 17 00:00:00 2001 -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [spice-server 1/3] reds: Disconnect when receiving overly big - ClientMonitorsConfig - -Total message size received from the client was unlimited. There is -a 2kiB size check on individual agent messages, but the MonitorsConfig -message can be split in multiple chunks, and the size of the -non-chunked MonitorsConfig message was never checked. This could easily -lead to memory exhaustion on the host. 
- ---- - server/reds.c | 25 +++++++++++++++++++++++-- - 1 file changed, 23 insertions(+), 2 deletions(-) - -diff --git a/server/reds.c b/server/reds.c -index f439a3668..7be85fdfc 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -993,19 +993,34 @@ static void reds_client_monitors_config_cleanup(void) - static void reds_on_main_agent_monitors_config( - MainChannelClient *mcc, void *message, size_t size) - { -+ const unsigned int MAX_MONITORS = 256; -+ const unsigned int MAX_MONITOR_CONFIG_SIZE = -+ sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig); -+ - VDAgentMessage *msg_header; - VDAgentMonitorsConfig *monitors_config; - RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; - -+ // limit size of message sent by the client as this can cause a DoS through -+ // memory exhaustion, or potentially some integer overflows -+ if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) { -+ goto overflow; -+ } - cmc->buffer_size += size; - cmc->buffer = realloc(cmc->buffer, cmc->buffer_size); - spice_assert(cmc->buffer); - cmc->mcc = mcc; - memcpy(cmc->buffer + cmc->buffer_pos, message, size); - cmc->buffer_pos += size; -+ if (sizeof(VDAgentMessage) > cmc->buffer_size) { -+ spice_debug("not enough data yet. %d", cmc->buffer_size); -+ return; -+ } - msg_header = (VDAgentMessage *)cmc->buffer; -- if (sizeof(VDAgentMessage) > cmc->buffer_size || -- msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { -+ if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) { -+ goto overflow; -+ } -+ if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { - spice_debug("not enough data yet. 
%d", cmc->buffer_size); - return; - } -@@ -1013,6 +1028,12 @@ static void reds_on_main_agent_monitors_config( - spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); - red_dispatcher_client_monitors_config(monitors_config); - reds_client_monitors_config_cleanup(); -+ return; -+ -+overflow: -+ spice_warning("received invalid MonitorsConfig request from client, disconnecting"); -+ red_channel_client_disconnect(main_channel_client_get_base(mcc)); -+ reds_client_monitors_config_cleanup(); - } - - void reds_on_main_agent_data(MainChannelClient *mcc, void *message, size_t size) --- -2.13.0 -From ff2b4ef70181087d5abd50bad76d026ec5088a93 Mon Sep 17 00:00:00 2001 -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [spice-server 2/3] reds: Avoid integer overflows handling monitor - configuration - -Avoid VDAgentMessage::size integer overflows. - ---- - server/reds.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/server/reds.c b/server/reds.c -index 7be85fdfc..e1c8c1086 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -1024,6 +1024,9 @@ static void reds_on_main_agent_monitors_config( - spice_debug("not enough data yet. %d", cmc->buffer_size); - return; - } -+ if (msg_header->size < sizeof(VDAgentMonitorsConfig)) { -+ goto overflow; -+ } - monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); - spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); - red_dispatcher_client_monitors_config(monitors_config); --- -2.13.0 -From 8cc3d7df2792751939cc832f4110c57e2addfca5 Mon Sep 17 00:00:00 2001 -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [spice-server 3/3] reds: Avoid buffer overflows handling monitor - configuration - -It was also possible for a malicious client to set -VDAgentMonitorsConfig::num_of_monitors to a number larger -than the actual size of VDAgentMOnitorsConfig::monitors. -This would lead to buffer overflows, which could allow the guest to -read part of the host memory. 
This might cause write overflows in the -host as well, but controlling the content of such buffers seems -complicated. - ---- - server/reds.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/server/reds.c b/server/reds.c -index e1c8c1086..3a42c3755 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -1000,6 +1000,7 @@ static void reds_on_main_agent_monitors_config( - VDAgentMessage *msg_header; - VDAgentMonitorsConfig *monitors_config; - RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; -+ uint32_t max_monitors; - - // limit size of message sent by the client as this can cause a DoS through - // memory exhaustion, or potentially some integer overflows -@@ -1028,6 +1029,12 @@ static void reds_on_main_agent_monitors_config( - goto overflow; - } - monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); -+ // limit the monitor number to avoid buffer overflows -+ max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) / -+ sizeof(VDAgentMonConfig); -+ if (monitors_config->num_of_monitors > max_monitors) { -+ goto overflow; -+ } - spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); - red_dispatcher_client_monitors_config(monitors_config); - reds_client_monitors_config_cleanup(); --- -2.13.0 diff --git a/gnu/packages/patches/supertuxkart-angelscript-ftbfs.patch b/gnu/packages/patches/supertuxkart-angelscript-ftbfs.patch deleted file mode 100644 index db3c56861b..0000000000 --- a/gnu/packages/patches/supertuxkart-angelscript-ftbfs.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -https://github.com/supertuxkart/stk-code/commit/5e05f1178ce6bc5f3a653b55ab3dc6d016196341.patch - -From 5e05f1178ce6bc5f3a653b55ab3dc6d016196341 Mon Sep 17 00:00:00 2001 -From: Deve <deveee@gmail.com> -Date: Mon, 3 Oct 2016 23:26:09 +0200 -Subject: [PATCH] Fixed compiler error on Linux with non-x86 64bit platforms, - e.g. arm64, mips, and s390x architectures - -This modification is already applied in upstream angelscript repository: -https://sourceforge.net/p/angelscript/code/2353/ - -Thanks to Adrian Bunk and Andreas Jonsson ---- - lib/angelscript/projects/cmake/CMakeLists.txt | 1 + - lib/angelscript/source/as_config.h | 2 +- - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/lib/angelscript/projects/cmake/CMakeLists.txt b/lib/angelscript/projects/cmake/CMakeLists.txt -index e93971315e..755d8378c3 100644 ---- a/lib/angelscript/projects/cmake/CMakeLists.txt -+++ b/lib/angelscript/projects/cmake/CMakeLists.txt -@@ -67,6 +67,7 @@ set(ANGELSCRIPT_SOURCE - ../../source/as_builder.cpp - ../../source/as_bytecode.cpp - ../../source/as_callfunc.cpp -+ ../../source/as_callfunc_mips.cpp - ../../source/as_callfunc_x86.cpp - ../../source/as_callfunc_x64_gcc.cpp - ../../source/as_callfunc_x64_msvc.cpp -diff --git a/lib/angelscript/source/as_config.h b/lib/angelscript/source/as_config.h -index cb05bffbd5..5bb5b8e800 100644 ---- a/lib/angelscript/source/as_config.h -+++ b/lib/angelscript/source/as_config.h -@@ -844,7 +844,7 @@ - #define THISCALL_PASS_OBJECT_POINTER_ON_THE_STACK - #define AS_X86 - #undef AS_NO_THISCALL_FUNCTOR_METHOD -- #elif defined(__LP64__) && !defined(__arm64__) -+ #elif defined(__x86_64__) - #define AS_X64_GCC - #undef AS_NO_THISCALL_FUNCTOR_METHOD - #define HAS_128_BIT_PRIMITIVES diff --git a/gnu/packages/patches/vpnc-script.patch b/gnu/packages/patches/vpnc-script.patch deleted file mode 100644 index a0d9481952..0000000000 --- a/gnu/packages/patches/vpnc-script.patch +++ /dev/null 
@@ -1,15 +0,0 @@ -This patch adapts the vpnc script to newer kernel versions, see - https://lkml.org/lkml/2011/3/24/645 - -diff -u a/vpnc-script.in b/vpnc-script.in ---- a/vpnc-script.in 2013-03-03 13:55:16.000000000 +0100 -+++ b/vpnc-script.in 2013-03-03 13:56:11.000000000 +0100 -@@ -116,7 +116,7 @@ - - if [ -n "$IPROUTE" ]; then - fix_ip_get_output () { -- sed 's/cache//;s/metric \?[0-9]\+ [0-9]\+//g;s/hoplimit [0-9]\+//g' -+ sed 's/cache//;s/metric \?[0-9]\+ [0-9]\+//g;s/hoplimit [0-9]\+//g;s/ipid 0x....//g' - } - - set_vpngateway_route() { |