diff options
Diffstat (limited to 'gnu/packages/patches')
54 files changed, 2283 insertions, 1366 deletions
diff --git a/gnu/packages/patches/bluez-CVE-2017-1000250.patch b/gnu/packages/patches/bluez-CVE-2017-1000250.patch new file mode 100644 index 0000000000..81f209d7b2 --- /dev/null +++ b/gnu/packages/patches/bluez-CVE-2017-1000250.patch @@ -0,0 +1,42 @@ +Description: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req +Origin: vendor +Bug-Debian: https://bugs.debian.org/875633 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1489446 +Bug-SuSE: https://bugzilla.suse.com/show_bug.cgi?id=1057342 +Forwarded: no +Author: Armis Security <security@armis.com> +Reviewed-by: Salvatore Bonaccorso <carnil@debian.org> +Last-Update: 2017-09-13 + +--- a/src/sdpd-request.c ++++ b/src/sdpd-request.c +@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_r + /* continuation State exists -> get from cache */ + sdp_buf_t *pCache = sdp_get_cached_rsp(cstate); + if (pCache) { +- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent); +- pResponse = pCache->data; +- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent); +- buf->data_size += sent; +- cstate->cStateValue.maxBytesSent += sent; +- if (cstate->cStateValue.maxBytesSent == pCache->data_size) +- cstate_size = sdp_set_cstate_pdu(buf, NULL); +- else +- cstate_size = sdp_set_cstate_pdu(buf, cstate); ++ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) { ++ status = SDP_INVALID_CSTATE; ++ SDPDBG("Got bad cstate with invalid size"); ++ } else { ++ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent); ++ pResponse = pCache->data; ++ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent); ++ buf->data_size += sent; ++ cstate->cStateValue.maxBytesSent += sent; ++ if (cstate->cStateValue.maxBytesSent == pCache->data_size) ++ cstate_size = sdp_set_cstate_pdu(buf, NULL); ++ else ++ cstate_size = sdp_set_cstate_pdu(buf, cstate); ++ } + } else { + status = SDP_INVALID_CSTATE; + SDPDBG("Non-null continuation state, but null cache buffer"); diff --git a/gnu/packages/patches/calibre-drop-unrar.patch b/gnu/packages/patches/calibre-drop-unrar.patch deleted file mode 100644 index adf977b183..0000000000 --- a/gnu/packages/patches/calibre-drop-unrar.patch +++ /dev/null @@ -1,49 +0,0 @@ -Recreated old debian patch on the latest calibre version - -From 6764e4c211e50d4f4633dbabfba7cbc3089c51dc Mon Sep 17 00:00:00 2001 -From: Brendan Tildesley <brendan.tildesley@openmailbox.org> -Date: Sat, 13 May 2017 21:12:12 +1000 -Subject: [PATCH] Remove unrar extension - ---- - setup/extensions.json | 11 ----------- - src/calibre/ebooks/metadata/archive.py | 2 +- - 2 files changed, 1 insertion(+), 12 deletions(-) - -diff --git a/setup/extensions.json b/setup/extensions.json -index 1f6d1fb5fd..127390450f 100644 ---- a/setup/extensions.json -+++ b/setup/extensions.json -@@ -211,16 +211,5 @@ - "sources": "calibre/devices/mtp/unix/devices.c calibre/devices/mtp/unix/libmtp.c", - "headers": "calibre/devices/mtp/unix/devices.h calibre/devices/mtp/unix/upstream/music-players.h calibre/devices/mtp/unix/upstream/device-flags.h", - "libraries": "mtp" -- }, -- { -- "name": "unrar", -- "sources": "unrar/rar.cpp unrar/strlist.cpp unrar/strfn.cpp unrar/pathfn.cpp unrar/savepos.cpp unrar/smallfn.cpp unrar/global.cpp unrar/file.cpp unrar/filefn.cpp unrar/filcreat.cpp unrar/archive.cpp unrar/arcread.cpp unrar/unicode.cpp unrar/system.cpp unrar/isnt.cpp unrar/crypt.cpp unrar/crc.cpp unrar/rawread.cpp unrar/encname.cpp unrar/resource.cpp unrar/match.cpp unrar/timefn.cpp unrar/rdwrfn.cpp unrar/consio.cpp unrar/options.cpp unrar/ulinks.cpp unrar/errhnd.cpp unrar/rarvm.cpp unrar/secpassword.cpp unrar/rijndael.cpp unrar/getbits.cpp unrar/sha1.cpp unrar/extinfo.cpp unrar/extract.cpp unrar/volume.cpp unrar/list.cpp unrar/find.cpp unrar/unpack.cpp unrar/cmddata.cpp unrar/filestr.cpp unrar/scantree.cpp calibre/utils/unrar.cpp", -- "inc_dirs": "unrar", -- "defines": "SILENT RARDLL UNRAR _FILE_OFFSET_BITS=64 _LARGEFILE_SOURCE", -- "windows_defines": "SILENT RARDLL UNRAR", -- "haiku_defines": "LITTLE_ENDIAN SILENT RARDLL UNRAR _FILE_OFFSET_BITS=64 _LARGEFILE_SOURCE _BSD_SOURCE", -- "haiku_libraries": "bsd", -- "optimize_level": 2, -- "windows_libraries": "User32 Advapi32 kernel32 Shell32" - } - ] -diff --git a/src/calibre/ebooks/metadata/archive.py b/src/calibre/ebooks/metadata/archive.py -index f5c0b7bed3..32257dcdae 100644 ---- a/src/calibre/ebooks/metadata/archive.py -+++ b/src/calibre/ebooks/metadata/archive.py -@@ -44,7 +44,7 @@ class ArchiveExtract(FileTypePlugin): - description = _('Extract common e-book formats from archive files ' - '(ZIP/RAR). Also try to autodetect if they are actually ' - 'CBZ/CBR files.') -- file_types = set(['zip', 'rar']) -+ file_types = set(['zip']) - supported_platforms = ['windows', 'osx', 'linux'] - on_import = True - --- -2.12.2 - diff --git a/gnu/packages/patches/csound-header-ordering.patch b/gnu/packages/patches/csound-header-ordering.patch deleted file mode 100644 index 3640d123dd..0000000000 --- a/gnu/packages/patches/csound-header-ordering.patch +++ /dev/null @@ -1,20 +0,0 @@ -Prevent compilation issues with boost-1.60.0. - -Reported upstream at https://github.com/csound/csound/issues/570 - ---- Csound6.05/Opcodes/chua/ChuaOscillator.cpp 2015-04-25 14:06:22.995646234 -0500 -+++ Csound6.05/Opcodes/chua/ChuaOscillator.cpp 2015-12-21 10:31:58.182362640 -0600 -@@ -117,11 +117,12 @@ - // d = sys_variables(12); - // gnor = a*(x.^3) + b*(x.^2) + c*x + d; - --#include <OpcodeBase.hpp> - #include <boost/numeric/ublas/vector.hpp> - using namespace boost::numeric; - #include <cmath> - -+#include <OpcodeBase.hpp> -+ - #undef CS_KSMPS - #define CS_KSMPS (opds.insdshead->ksmps) - diff --git a/gnu/packages/patches/e2fsprogs-32bit-quota-warnings.patch b/gnu/packages/patches/e2fsprogs-32bit-quota-warnings.patch deleted file mode 100644 index e7a96a2ac0..0000000000 --- a/gnu/packages/patches/e2fsprogs-32bit-quota-warnings.patch +++ /dev/null @@ -1,46 +0,0 @@ -Fix a test failure on 32-bit platforms. - -Patch copied from upstream source repository: - -https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=9e31a5696c4b699bf000a07b86601c1fb91c0493 - -diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c -index 00f3a40..931a839 100644 ---- a/lib/support/mkquota.c -+++ b/lib/support/mkquota.c -@@ -50,11 +50,13 @@ static void print_dquot(const char *desc, struct dquot *dq) - { - if (desc) - fprintf(stderr, "%s: ", desc); -- fprintf(stderr, "%u %ld:%ld:%ld %ld:%ld:%ld\n", -- dq->dq_id, dq->dq_dqb.dqb_curspace, -- dq->dq_dqb.dqb_bsoftlimit, dq->dq_dqb.dqb_bhardlimit, -- dq->dq_dqb.dqb_curinodes, -- dq->dq_dqb.dqb_isoftlimit, dq->dq_dqb.dqb_ihardlimit); -+ fprintf(stderr, "%u %lld:%lld:%lld %lld:%lld:%lld\n", -+ dq->dq_id, (long long) dq->dq_dqb.dqb_curspace, -+ (long long) dq->dq_dqb.dqb_bsoftlimit, -+ (long long) dq->dq_dqb.dqb_bhardlimit, -+ (long long) dq->dq_dqb.dqb_curinodes, -+ (long long) dq->dq_dqb.dqb_isoftlimit, -+ (long long) dq->dq_dqb.dqb_ihardlimit); - } - #else - static void print_dquot(const char *desc EXT2FS_ATTR((unused)), -@@ -524,11 +526,11 @@ static int scan_dquots_callback(struct dquot *dquot, void *cb_data) - dq->dq_dqb.dqb_curinodes != dquot->dq_dqb.dqb_curinodes) { - scan_data->usage_is_inconsistent = 1; - fprintf(stderr, "[QUOTA WARNING] Usage inconsistent for ID %u:" -- "actual (%ld, %ld) != expected (%ld, %ld)\n", -- dq->dq_id, dq->dq_dqb.dqb_curspace, -- dq->dq_dqb.dqb_curinodes, -- dquot->dq_dqb.dqb_curspace, -- dquot->dq_dqb.dqb_curinodes); -+ "actual (%lld, %lld) != expected (%lld, %lld)\n", -+ dq->dq_id, (long long) dq->dq_dqb.dqb_curspace, -+ (long long) dq->dq_dqb.dqb_curinodes, -+ (long long) dquot->dq_dqb.dqb_curspace, -+ (long long) dquot->dq_dqb.dqb_curinodes); - } - - if (scan_data->update_limits) { diff --git a/gnu/packages/patches/file-CVE-2017-1000249.patch b/gnu/packages/patches/file-CVE-2017-1000249.patch new file mode 100644 index 0000000000..505acf1592 --- /dev/null +++ b/gnu/packages/patches/file-CVE-2017-1000249.patch @@ -0,0 +1,27 @@ +https://github.com/file/file/commit/35c94dc6acc418f1ad7f6241a6680e5327495793.patch +http://openwall.com/lists/oss-security/2017/09/05/3 + +The patch is minorly modified to apply to file-5.30 + +From 35c94dc6acc418f1ad7f6241a6680e5327495793 Mon Sep 17 00:00:00 2001 +From: Christos Zoulas <christos@zoulas.com> +Date: Sun, 27 Aug 2017 07:55:02 +0000 +Subject: [PATCH] Fix always true condition (Thomas Jarosch) + +--- + src/readelf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/readelf.c b/src/readelf.c +index 81451827..5f425c97 100644 +--- a/src/readelf.c ++++ b/src/readelf.c +@@ -511,7 +511,7 @@ do_bid_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type, + size_t noff, size_t doff, int *flags) + { + if (namesz == 4 && strcmp((char *)&nbuf[noff], "GNU") == 0 && +- type == NT_GNU_BUILD_ID && (descsz >= 4 || descsz <= 20)) { ++ type == NT_GNU_BUILD_ID && (descsz >= 4 && descsz <= 20)) { + uint8_t desc[20]; + const char *btype; + uint32_t i; diff --git a/gnu/packages/patches/fontforge-svg-modtime.patch b/gnu/packages/patches/fontforge-svg-modtime.patch deleted file mode 100644 index fd960ae610..0000000000 --- a/gnu/packages/patches/fontforge-svg-modtime.patch +++ /dev/null @@ -1,35 +0,0 @@ -Propagate source font modification time to svg during conversion. Similar to -what upstream commit 95a470e941d9a20fbdaca51334e8b6b9d93cfae4 did for TTF -files. - -Submitted upstream at http://github.com/fontforge/fontforge/pull/2696 - ---- a/fontforge/svg.c -+++ b/fontforge/svg.c -@@ -27,7 +27,6 @@ - #include "fontforgevw.h" - #include <unistd.h> - #include <math.h> --#include <time.h> - #include <locale.h> - #include <utype.h> - #include <chardata.h> -@@ -62,7 +61,6 @@ static int svg_outfontheader(FILE *file, SplineFont *sf,int layer) { - BlueData bd; - char *hash, *hasv, ch; - int minu, maxu, i; -- time_t now; - const char *author = GetAuthor(); - - memset(&info,0,sizeof(info)); -@@ -78,9 +76,8 @@ static int svg_outfontheader(FILE *file, SplineFont *sf,int layer) { - fprintf( file, "\n-->\n" ); - } - fprintf( file, "<svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\">\n" ); -- time(&now); - fprintf( file, "<metadata>\nCreated by FontForge %d at %s", -- FONTFORGE_VERSIONDATE_RAW, ctime(&now) ); -+ FONTFORGE_VERSIONDATE_RAW, ctime((time_t*)&sf->modificationtime) ); - if ( author!=NULL ) - fprintf(file," By %s\n", author); - else diff --git a/gnu/packages/patches/foomatic-filters-CVE-2015-8327.patch b/gnu/packages/patches/foomatic-filters-CVE-2015-8327.patch new file mode 100644 index 0000000000..d9f0cc1212 --- /dev/null +++ b/gnu/packages/patches/foomatic-filters-CVE-2015-8327.patch @@ -0,0 +1,14 @@ +Fix for <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2015-8327>. + +--- a/util.c 2014-06-20 19:26:18 +0000 ++++ b/util.c 2015-10-30 15:45:03 +0000 +@@ -31,7 +31,7 @@ + #include <assert.h> + + +-const char* shellescapes = "|<>&!$\'\"#*?()[]{}"; ++const char* shellescapes = "|<>&!$\'\"`#*?()[]{}"; + + const char * temp_dir() + { + diff --git a/gnu/packages/patches/foomatic-filters-CVE-2015-8560.patch b/gnu/packages/patches/foomatic-filters-CVE-2015-8560.patch new file mode 100644 index 0000000000..d3c3024220 --- /dev/null +++ b/gnu/packages/patches/foomatic-filters-CVE-2015-8560.patch @@ -0,0 +1,13 @@ +Fix for <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2015-8560>. + +--- a/util.c 2015-10-30 15:45:03 +0000 ++++ b/util.c 2015-12-12 23:27:21 +0000 +@@ -31,7 +31,7 @@ + #include <assert.h> + + +-const char* shellescapes = "|<>&!$\'\"`#*?()[]{}"; ++const char* shellescapes = "|;<>&!$\'\"`#*?()[]{}"; + + const char * temp_dir() + { diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch b/gnu/packages/patches/gd-CVE-2017-7890.patch deleted file mode 100644 index 66034c5703..0000000000 --- a/gnu/packages/patches/gd-CVE-2017-7890.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001 -From: LEPILLER Julien <julien@lepiller.eu> -Date: Thu, 3 Aug 2017 17:04:17 +0200 -Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory. - -The stack allocated color map buffers were not zeroed before usage, and -so undefined palette indexes could cause information leakage. - -This is CVE-2017-7890. ---- - src/gd_gif_in.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c -index 008d1ec..c195448 100644 ---- a/src/gd_gif_in.c -+++ b/src/gd_gif_in.c -@@ -216,6 +216,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) - - gdImagePtr im = 0; - -+ memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE); -+ memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE); -+ - if(!ReadOK(fd, buf, 6)) { - return 0; - } --- -2.13.3 - diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch new file mode 100644 index 0000000000..dbcaea1343 --- /dev/null +++ b/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch @@ -0,0 +1,137 @@ +http://www.openwall.com/lists/oss-security/2017/09/01/6 + +CVE-2017-11403: +http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37 + +CVE-2017-14103: +http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f + +some changes were made to make the patch apply + +# HG changeset patch +# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com> +# Date 1503875721 14400 +# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2 +# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad +Attempt to fix Issue 440. + +diff -ru a/coders/png.c b/coders/png.c +--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500 ++++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400 +@@ -3106,7 +3106,9 @@ + if (length > PNG_MAX_UINT || count == 0) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(CorruptImageError,CorruptImage,image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ "chunk length (%lu) > PNG_MAX_UINT",length); ++ return ((Image*)NULL); + } + + chunk=(unsigned char *) NULL; +@@ -3117,13 +3119,16 @@ + if (chunk == (unsigned char *) NULL) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, +- image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " Could not allocate chunk memory"); ++ return ((Image*)NULL); + } + if (ReadBlob(image,length,chunk) < length) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(CorruptImageError,CorruptImage,image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " chunk reading was incomplete"); ++ return ((Image*)NULL); + } + p=chunk; + } +@@ -3198,7 +3203,7 @@ + jng_width, jng_height); + MagickFreeMemory(chunk); + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(CorruptImageError,ImproperImageHeader,image); ++ return ((Image *)NULL); + } + + /* Temporarily set width and height resources to match JHDR */ +@@ -3233,8 +3238,9 @@ + if (color_image == (Image *) NULL) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, +- image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not open color_image blob"); ++ return ((Image *)NULL); + } + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +@@ -3245,7 +3251,9 @@ + if (status == MagickFalse) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(CoderError,UnableToOpenBlob,color_image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not open color_image blob"); ++ return ((Image *)NULL); + } + + if (!image_info->ping && jng_color_type >= 12) +@@ -3255,17 +3263,18 @@ + if (alpha_image_info == (ImageInfo *) NULL) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(ResourceLimitError, +- MemoryAllocationFailed, image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not allocate alpha_image_info",length); ++ return ((Image *)NULL); + } + GetImageInfo(alpha_image_info); + alpha_image=AllocateImage(alpha_image_info); + if (alpha_image == (Image *) NULL) + { + DestroyJNGInfo(color_image_info,alpha_image_info); +- ThrowReaderException(ResourceLimitError, +- MemoryAllocationFailed, +- alpha_image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not allocate alpha_image"); ++ return ((Image *)NULL); + } + if (logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +@@ -3277,7 +3286,9 @@ + { + DestroyJNGInfo(color_image_info,alpha_image_info); + DestroyImage(alpha_image); +- ThrowReaderException(CoderError,UnableToOpenBlob,image); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " could not allocate alpha_image blob"); ++ return ((Image *)NULL); + } + if (jng_alpha_compression_method == 0) + { +@@ -3613,6 +3624,8 @@ + alpha_image = (Image *)NULL; + DestroyImageInfo(alpha_image_info); + alpha_image_info = (ImageInfo *)NULL; ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " Destroy the JNG image"); + DestroyImage(jng_image); + jng_image = (Image *)NULL; + } +@@ -5146,8 +5159,8 @@ + + if (image == (Image *) NULL) + { +- DestroyImageList(previous); + CloseBlob(previous); ++ DestroyImageList(previous); + MngInfoFreeStruct(mng_info,&have_mng_structure); + return((Image *) NULL); + } diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch new file mode 100644 index 0000000000..83478c13b3 --- /dev/null +++ b/gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch @@ -0,0 +1,195 @@ +http://openwall.com/lists/oss-security/2017/08/31/3 +http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/b037d79b6ccd + +some changes were made to make the patch apply + +# HG changeset patch +# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> +# Date 1503774853 18000 +# Node ID b037d79b6ccd0cfba7ba9ce09b454ed46d688036 +# Parent 198ea602ea7cc767dc3022bbcf887bcd4534158d +JNX: Fix DOS issues + +diff -r 198ea602ea7c -r b037d79b6ccd coders/jnx.c +--- a/coders/jnx.c Tue Aug 22 08:08:30 2017 -0500 ++++ b/coders/jnx.c Sat Aug 26 14:14:13 2017 -0500 +@@ -1,5 +1,5 @@ + /* +-% Copyright (C) 2012-2015 GraphicsMagick Group ++% Copyright (C) 2012-2017 GraphicsMagick Group + % + % This program is covered by multiple licenses, which are described in + % Copyright.txt. You should have received a copy of Copyright.txt with this +@@ -100,6 +100,7 @@ + + char img_label_str[MaxTextExtent]; + ++ + alloc_size = TileInfo->PicSize + 2; + + if (image->logging) +@@ -242,6 +243,9 @@ + total_tiles, + current_tile; + ++ magick_off_t ++ file_size; ++ + /* Open image file. */ + assert(image_info != (const ImageInfo *) NULL); + assert(image_info->signature == MagickSignature); +@@ -254,9 +258,8 @@ + if (status == False) + ThrowReaderException(FileOpenError, UnableToOpenFile, image); + +- memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo)); +- + /* Read JNX image header. */ ++ (void) memset(&JNXHeader, 0, sizeof(JNXHeader)); + JNXHeader.Version = ReadBlobLSBLong(image); + if (JNXHeader.Version > 4) + ThrowReaderException(CorruptImageError, ImproperImageHeader, image); +@@ -266,8 +269,6 @@ + JNXHeader.MapBounds.SouthWest.lat = ReadBlobLSBLong(image); + JNXHeader.MapBounds.SouthWest.lon = ReadBlobLSBLong(image); + JNXHeader.Levels = ReadBlobLSBLong(image); +- if (JNXHeader.Levels > 20) +- ThrowReaderException(CorruptImageError, ImproperImageHeader, image); + JNXHeader.Expiration = ReadBlobLSBLong(image); + JNXHeader.ProductID = ReadBlobLSBLong(image); + JNXHeader.CRC = ReadBlobLSBLong(image); +@@ -279,7 +280,41 @@ + if (EOFBlob(image)) + ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); + ++ file_size = GetBlobSize(image); ++ ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ "JNX Header:\n" ++ " Version: %u\n" ++ " DeviceSN: %u\n" ++ " MapBounds:\n" ++ " NorthEast: lat = %u, lon = %u\n" ++ " SouthWest: lat = %u, lon = %u\n" ++ " Levels: %u\n" ++ " Expiration: %u\n" ++ " ProductID: %u\n" ++ " CRC: %u\n" ++ " SigVersion: %u\n" ++ " SigOffset: %u\n" ++ " ZOrder: %u", ++ JNXHeader.Version, ++ JNXHeader.DeviceSN, ++ JNXHeader.MapBounds.NorthEast.lat, ++ JNXHeader.MapBounds.NorthEast.lon, ++ JNXHeader.MapBounds.SouthWest.lat, ++ JNXHeader.MapBounds.SouthWest.lon, ++ JNXHeader.Levels, ++ JNXHeader.Expiration, ++ JNXHeader.ProductID, ++ JNXHeader.CRC, ++ JNXHeader.SigVersion, ++ JNXHeader.SigOffset, ++ JNXHeader.ZOrder); ++ ++ if (JNXHeader.Levels > 20) ++ ThrowReaderException(CorruptImageError, ImproperImageHeader, image); ++ + /* Read JNX image level info. */ ++ memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo)); + total_tiles = 0; + current_tile = 0; + for (i = 0; i < JNXHeader.Levels; i++) +@@ -302,11 +337,23 @@ + { + JNXLevelInfo[i].Copyright = NULL; + } ++ ++ if (EOFBlob(image)) ++ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); ++ ++ if (image->logging) ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ "Level[%u] Info:" ++ " TileCount: %4u" ++ " TilesOffset: %6u" ++ " Scale: %04u", ++ i, ++ JNXLevelInfo[i].TileCount, ++ JNXLevelInfo[i].TilesOffset, ++ JNXLevelInfo[i].Scale ++ ); + } + +- if (EOFBlob(image)) +- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); +- + /* Get the current limit */ + SaveLimit = GetMagickResourceLimit(MapResource); + +@@ -316,11 +363,32 @@ + /* Read JNX image data. */ + for (i = 0; i < JNXHeader.Levels; i++) + { ++ /* ++ Validate TileCount against remaining file data ++ */ ++ const magick_off_t current_offset = TellBlob(image); ++ const size_t pos_list_entry_size = ++ sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + ++ sizeof(magick_uint32_t) + sizeof(magick_uint16_t) + sizeof(magick_uint16_t) + ++ sizeof(magick_uint32_t) + sizeof(magick_uint32_t); ++ const magick_off_t remaining = file_size-current_offset; ++ const size_t needed = MagickArraySize(pos_list_entry_size,JNXLevelInfo[i].TileCount); ++ ++ if ((needed == 0U) || (remaining <= 0) || (remaining < (magick_off_t) needed)) ++ { ++ (void) SetMagickResourceLimit(MapResource, SaveLimit); ++ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); ++ } ++ + PositionList = MagickAllocateArray(TJNXTileInfo *, + JNXLevelInfo[i].TileCount, + sizeof(TJNXTileInfo)); + if (PositionList == NULL) +- continue; ++ { ++ (void) SetMagickResourceLimit(MapResource, SaveLimit); ++ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, ++ image); ++ } + + (void) SeekBlob(image, JNXLevelInfo[i].TilesOffset, SEEK_SET); + for (j = 0; j < JNXLevelInfo[i].TileCount; j++) +@@ -333,12 +401,15 @@ + PositionList[j].PicHeight = ReadBlobLSBShort(image); + PositionList[j].PicSize = ReadBlobLSBLong(image); + PositionList[j].PicOffset = ReadBlobLSBLong(image); +- } + +- if (EOFBlob(image)) +- { +- MagickFreeMemory(PositionList); +- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); ++ if (EOFBlob(image) || ++ ((magick_off_t) PositionList[j].PicOffset + ++ PositionList[j].PicSize > file_size)) ++ { ++ (void) SetMagickResourceLimit(MapResource, SaveLimit); ++ MagickFreeMemory(PositionList); ++ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); ++ } + } + + for (j = 0; j < JNXLevelInfo[i].TileCount; j++) +@@ -351,6 +422,9 @@ + image = ExtractTileJPG(image, image_info, PositionList+j, exception); + (void) SetMonitorHandler(previous_handler); + ++ if (exception->severity >= ErrorException) ++ break; ++ + current_tile++; + if (QuantumTick(current_tile,total_tiles)) + if (!MagickMonitorFormatted(current_tile,total_tiles,exception, + diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch new file mode 100644 index 0000000000..e129fd58fc --- /dev/null +++ b/gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch @@ -0,0 +1,179 @@ +http://openwall.com/lists/oss-security/2017/08/31/1 +http://openwall.com/lists/oss-security/2017/08/31/2 +http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/233a720bfd5e + +some changes were made to make the patch apply + +# HG changeset patch +# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> +# Date 1503779175 18000 +# Node ID 233a720bfd5efd378f133a776507ed41230da617 +# Parent b037d79b6ccd0cfba7ba9ce09b454ed46d688036 +XBM: Fix DOS issues. + +diff -r b037d79b6ccd -r 233a720bfd5e coders/xbm.c +--- a/coders/xbm.c Sat Aug 26 14:14:13 2017 -0500 ++++ b/coders/xbm.c Sat Aug 26 15:26:15 2017 -0500 +@@ -1,5 +1,5 @@ + /* +-% Copyright (C) 2003 -2012 GraphicsMagick Group ++% Copyright (C) 2003-2017 GraphicsMagick Group + % Copyright (C) 2002 ImageMagick Studio + % Copyright 1991-1999 E. I. du Pont de Nemours and Company + % +@@ -121,13 +121,15 @@ + + static int XBMInteger(Image *image,short int *hex_digits) + { ++ unsigned int ++ flag; ++ + int + c, +- flag, + value; + + value=0; +- flag=0; ++ flag=0U; + for ( ; ; ) + { + c=ReadBlobByte(image); +@@ -158,18 +160,14 @@ + Image + *image; + +- int +- bit; +- +- long +- y; +- + register IndexPacket + *indexes; + +- register long ++ register size_t ++ bytes_per_line, + i, +- x; ++ x, ++ y; + + register PixelPacket + *q; +@@ -177,22 +175,24 @@ + register unsigned char + *p; + +- short int +- hex_digits[256]; +- + unsigned char + *data; + + unsigned int ++ bit, ++ byte, ++ padding, ++ version; ++ ++ int ++ value; ++ ++ short int ++ hex_digits[256]; ++ ++ MagickPassFail + status; + +- unsigned long +- byte, +- bytes_per_line, +- padding, +- value, +- version; +- + /* + Open image file. + */ +@@ -207,6 +207,8 @@ + /* + Read X bitmap header. + */ ++ (void) memset(buffer,0,sizeof(buffer)); ++ name[0]='\0'; + while (ReadBlobString(image,buffer) != (char *) NULL) + if (sscanf(buffer,"#define %s %lu",name,&image->columns) == 2) + if ((strlen(name) >= 6) && +@@ -278,6 +280,8 @@ + /* + Initialize hex values. + */ ++ for (i = 0; i < sizeof(hex_digits)/sizeof(hex_digits[0]); i++) ++ hex_digits[i]=(-1); + hex_digits['0']=0; + hex_digits['1']=1; + hex_digits['2']=2; +@@ -311,40 +315,50 @@ + */ + p=data; + if (version == 10) +- for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2)) ++ for (i=0; i < (bytes_per_line*image->rows); (i+=2)) + { + value=XBMInteger(image,hex_digits); ++ if (value < 0) ++ { ++ MagickFreeMemory(data); ++ ThrowReaderException(CorruptImageError,ImproperImageHeader,image); ++ } + *p++=(unsigned char) value; + if (!padding || ((i+2) % bytes_per_line)) + *p++=(unsigned char) (value >> 8); + } + else +- for (i=0; i < (long) (bytes_per_line*image->rows); i++) ++ for (i=0; i < (bytes_per_line*image->rows); i++) + { + value=XBMInteger(image,hex_digits); ++ if (value < 0) ++ { ++ MagickFreeMemory(data); ++ ThrowReaderException(CorruptImageError,ImproperImageHeader,image); ++ } + *p++=(unsigned char) value; + } + /* + Convert X bitmap image to pixel packets. + */ + p=data; +- for (y=0; y < (long) image->rows; y++) ++ for (y=0; y < image->rows; y++) + { + q=SetImagePixels(image,0,y,image->columns,1); + if (q == (PixelPacket *) NULL) + break; + indexes=AccessMutableIndexes(image); +- bit=0; +- byte=0; +- for (x=0; x < (long) image->columns; x++) ++ bit=0U; ++ byte=0U; ++ for (x=0; x < image->columns; x++) + { +- if (bit == 0) ++ if (bit == 0U) + byte=(*p++); + indexes[x]=byte & 0x01 ? 0x01 : 0x00; + bit++; +- byte>>=1; +- if (bit == 8) +- bit=0; ++ byte>>=1U; ++ if (bit == 8U) ++ bit=0U; + } + if (!SyncImagePixels(image)) + break; + diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch new file mode 100644 index 0000000000..46f6b032c7 --- /dev/null +++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch @@ -0,0 +1,80 @@ +http://openwall.com/lists/oss-security/2017/08/28/5 +http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d + +some changes were made to make the patch apply + +# HG changeset patch +# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> +# Date 1503268616 18000 +# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072 +# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3 +PNM: For binary formats, verify sufficient backing file data before memory request. + +diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c +--- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500 ++++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500 +@@ -569,7 +569,7 @@ + (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u", + image->colors); + } +- number_pixels=image->columns*image->rows; ++ number_pixels=MagickArraySize(image->columns,image->rows); + if (number_pixels == 0) + ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image); + if (image->storage_class == PseudoClass) +@@ -858,14 +858,14 @@ + if (1 == bits_per_sample) + { + /* PBM */ +- bytes_per_row=((image->columns+7) >> 3); ++ bytes_per_row=((image->columns+7U) >> 3); + import_options.grayscale_miniswhite=MagickTrue; + quantum_type=GrayQuantum; + } + else + { + /* PGM & XV_332 */ +- bytes_per_row=((bits_per_sample+7)/8)*image->columns; ++ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns); + if (XV_332_Format == format) + { + quantum_type=IndexQuantum; +@@ -878,7 +878,8 @@ + } + else + { +- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns; ++ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel), ++ image->columns); + if (3 == samples_per_pixel) + { + /* PPM */ +@@ -915,6 +916,28 @@ + is_monochrome=MagickFalse; + } + } ++ ++ /* Validate file size before allocating memory */ ++ if (BlobIsSeekable(image)) ++ { ++ const magick_off_t file_size = GetBlobSize(image); ++ const magick_off_t current_offset = TellBlob(image); ++ if ((file_size > 0) && ++ (current_offset > 0) && ++ (file_size > current_offset)) ++ { ++ const magick_off_t remaining = file_size-current_offset; ++ const magick_off_t needed = (magick_off_t) image->rows * ++ (magick_off_t) bytes_per_row; ++ if ((remaining < (magick_off_t) bytes_per_row) || ++ (remaining < needed)) ++ { ++ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile, ++ image->filename); ++ break; ++ } ++ } ++ } + + scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1); + if (scanline_set == (ThreadViewDataSet *) NULL) diff --git a/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch b/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch new file mode 100644 index 0000000000..1f55d90d38 --- /dev/null +++ b/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch @@ -0,0 +1,72 @@ +http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/493da54370aa +http://openwall.com/lists/oss-security/2017/09/06/4 + +some changes were made to make the patch apply + +# HG changeset patch +# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> +# Date 1503257388 18000 +# Node ID 493da54370aa42cb430c52a69eb75db0001a5589 +# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f +SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions. + +diff -r f87246749079 -r 493da54370aa coders/sun.c +--- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200 ++++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500 +@@ -498,6 +498,12 @@ + if (sun_info.depth < 8) + image->depth=sun_info.depth; + ++ if (image_info->ping) ++ { ++ CloseBlob(image); ++ return(image); ++ } ++ + /* + Compute bytes per line and bytes per image for an unencoded + image. +@@ -522,15 +528,37 @@ + if (bytes_per_image > sun_info.length) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); + +- if (image_info->ping) +- { +- CloseBlob(image); +- return(image); +- } + if (sun_info.type == RT_ENCODED) + sun_data_length=(size_t) sun_info.length; + else + sun_data_length=bytes_per_image; ++ ++ /* ++ Verify that data length claimed by header is supported by file size ++ */ ++ if (sun_info.type == RT_ENCODED) ++ { ++ if (sun_data_length < bytes_per_image/255U) ++ { ++ ThrowReaderException(CorruptImageError,ImproperImageHeader,image); ++ } ++ } ++ if (BlobIsSeekable(image)) ++ { ++ const magick_off_t file_size = GetBlobSize(image); ++ const magick_off_t current_offset = TellBlob(image); ++ if ((file_size > 0) && ++ (current_offset > 0) && ++ (file_size > current_offset)) ++ { ++ const magick_off_t remaining = file_size-current_offset; ++ if (remaining < (magick_off_t) sun_data_length) ++ { ++ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); ++ } ++ } ++ } ++ + sun_data=MagickAllocateMemory(unsigned char *,sun_data_length); + if (sun_data == (unsigned char *) NULL) + ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); + diff --git a/gnu/packages/patches/httpd-CVE-2017-9798.patch b/gnu/packages/patches/httpd-CVE-2017-9798.patch new file mode 100644 index 0000000000..8391a3db4a --- /dev/null +++ b/gnu/packages/patches/httpd-CVE-2017-9798.patch @@ -0,0 +1,22 @@ +Fixes "options bleed", aka. CVE-2017-9798: + + https://nvd.nist.gov/vuln/detail/CVE-2017-9798 + https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html + +From <https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch>. + +--- a/server/core.c 2017/08/16 16:50:29 1805223 ++++ b/server/core.c 2017/09/08 13:13:11 1807754 +@@ -2266,6 +2266,12 @@ + /* method has not been registered yet, but resource restriction + * is always checked before method handling, so register it. + */ ++ if (cmd->pool == cmd->temp_pool) { ++ /* In .htaccess, we can't globally register new methods. */ ++ return apr_psprintf(cmd->pool, "Could not register method '%s' " ++ "for %s from .htaccess configuration", ++ method, cmd->cmd->name); ++ } + methnum = ap_method_register(cmd->pool, + apr_pstrdup(cmd->pool, method)); + } diff --git a/gnu/packages/patches/libarchive-CVE-2017-14166.patch b/gnu/packages/patches/libarchive-CVE-2017-14166.patch new file mode 100644 index 0000000000..a122848440 --- /dev/null +++ b/gnu/packages/patches/libarchive-CVE-2017-14166.patch @@ -0,0 +1,45 @@ +Fix CVE-2017-14166: + +https://github.com/libarchive/libarchive/issues/935 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14166 + +Patch copied from upstream source repository: + +https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71 + +From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001 +From: Joerg Sonnenberger <joerg@bec.de> +Date: Tue, 5 Sep 2017 18:12:19 +0200 +Subject: [PATCH] Do something sensible for empty strings to make fuzzers + happy. + +--- + libarchive/archive_read_support_format_xar.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c +index 7a22beb9d..93eeacc5e 100644 +--- a/libarchive/archive_read_support_format_xar.c ++++ b/libarchive/archive_read_support_format_xar.c +@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt) + uint64_t l; + int digit; + ++ if (char_cnt == 0) ++ return (0); ++ + l = 0; + digit = *p - '0'; + while (digit >= 0 && digit < 10 && char_cnt-- > 0) { +@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt) + { + int64_t l; + int digit; +- ++ ++ if (char_cnt == 0) ++ return (0); ++ + l = 0; + while (char_cnt-- > 0) { + if (*p >= '0' && *p <= '7') diff --git a/gnu/packages/patches/libunwind-CVE-2015-3239.patch b/gnu/packages/patches/libunwind-CVE-2015-3239.patch deleted file mode 100644 index 3f11ac7337..0000000000 --- a/gnu/packages/patches/libunwind-CVE-2015-3239.patch +++ /dev/null @@ -1,17 +0,0 @@ -Copied from Fedora. - -https://bugzilla.redhat.com/show_bug.cgi?id=1232265 -http://pkgs.fedoraproject.org/cgit/libunwind.git/tree/libunwind-1.1-fix-CVE-2015-3239.patch - -diff -up libunwind-1.1/include/dwarf_i.h.CVE20153239 libunwind-1.1/include/dwarf_i.h ---- libunwind-1.1/include/dwarf_i.h.CVE20153239 2015-07-10 13:38:36.404996748 -0400 -+++ libunwind-1.1/include/dwarf_i.h 2015-07-10 13:39:25.050707613 -0400 -@@ -20,7 +20,7 @@ - extern const uint8_t dwarf_to_unw_regnum_map[DWARF_REGNUM_MAP_LENGTH]; - /* REG is evaluated multiple times; it better be side-effects free! */ - # define dwarf_to_unw_regnum(reg) \ -- (((reg) <= DWARF_REGNUM_MAP_LENGTH) ? dwarf_to_unw_regnum_map[reg] : 0) -+ (((reg) < DWARF_REGNUM_MAP_LENGTH) ? dwarf_to_unw_regnum_map[reg] : 0) - #endif - - #ifdef UNW_LOCAL_ONLY diff --git a/gnu/packages/patches/libxml2-CVE-2017-0663.patch b/gnu/packages/patches/libxml2-CVE-2017-0663.patch new file mode 100644 index 0000000000..b0277a2d23 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-0663.patch @@ -0,0 +1,53 @@ +Fix CVE-2017-0663: + +https://bugzilla.gnome.org/show_bug.cgi?id=780228 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663 +https://security-tracker.debian.org/tracker/CVE-2017-0663 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66 + +From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Tue, 6 Jun 2017 12:56:28 +0200 +Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace + +Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on +namespace declarations make no practical sense anyway. + +Fixes bug 780228. + +Found with libFuzzer and ASan. +--- + valid.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/valid.c b/valid.c +index 8075d3a0..c51ea290 100644 +--- a/valid.c ++++ b/valid.c +@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) { + } + } + ++ /* ++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions ++ * xmlAddID and xmlAddRef for namespace declarations, but it makes ++ * no practical sense to use ID types anyway. ++ */ ++#if 0 + /* Validity Constraint: ID uniqueness */ + if (attrDecl->atype == XML_ATTRIBUTE_ID) { + if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL) +@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) { + if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL) + ret = 0; + } ++#endif + + /* Validity Constraint: Notation Attributes */ + if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) { +-- +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-7375.patch b/gnu/packages/patches/libxml2-CVE-2017-7375.patch new file mode 100644 index 0000000000..32af1ff6ba --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-7375.patch @@ -0,0 +1,45 @@ +Fix CVE-2017-7375: + +https://bugzilla.gnome.org/show_bug.cgi?id=780691 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375 +https://security-tracker.debian.org/tracker/CVE-2017-7375 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e + +From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001 +From: Neel Mehta <nmehta@google.com> +Date: Fri, 7 Apr 2017 17:43:02 +0200 +Subject: [PATCH] Prevent unwanted external entity reference + +For https://bugzilla.gnome.org/show_bug.cgi?id=780691 + +* parser.c: add a specific check to avoid PE reference +--- + parser.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/parser.c b/parser.c +index 609a2703..c2c812de 100644 +--- a/parser.c ++++ b/parser.c +@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) + if (xmlPushInput(ctxt, input) < 0) + return; + } else { ++ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && ++ ((ctxt->options & XML_PARSE_NOENT) == 0) && ++ ((ctxt->options & XML_PARSE_DTDVALID) == 0) && ++ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) && ++ ((ctxt->options & XML_PARSE_DTDATTR) == 0) && ++ (ctxt->replaceEntities == 0) && ++ (ctxt->validate == 0)) ++ return; ++ + /* + * TODO !!! + * handle the extra spaces added before and after +-- +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-7376.patch b/gnu/packages/patches/libxml2-CVE-2017-7376.patch new file mode 100644 index 0000000000..5b9e45bd83 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-7376.patch @@ -0,0 +1,41 @@ +Fix CVE-2017-7376: + +https://bugzilla.gnome.org/show_bug.cgi?id=780690 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7376 +https://security-tracker.debian.org/tracker/CVE-2017-7376 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e + +From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 7 Apr 2017 17:13:28 +0200 +Subject: [PATCH] Increase buffer space for port in HTTP redirect support + +For https://bugzilla.gnome.org/show_bug.cgi?id=780690 + +nanohttp.c: the code wrongly assumed a short int port value. +--- + nanohttp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nanohttp.c b/nanohttp.c +index e109ad75..373425de 100644 +--- a/nanohttp.c ++++ b/nanohttp.c +@@ -1423,9 +1423,9 @@ retry: + if (ctxt->port != 80) { + /* reserve space for ':xxxxx', incl. potential proxy */ + if (proxy) +- blen += 12; ++ blen += 17; + else +- blen += 6; ++ blen += 11; + } + bp = (char*)xmlMallocAtomic(blen); + if ( bp == NULL ) { +-- +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch new file mode 100644 index 0000000000..0a0e6d34cf --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch @@ -0,0 +1,130 @@ +Fix CVE-2017-{9047,9048}: + +https://bugzilla.gnome.org/show_bug.cgi?id=781333 (not yet public) +https://bugzilla.gnome.org/show_bug.cgi?id=781701 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048 +http://www.openwall.com/lists/oss-security/2017/05/15/1 +https://security-tracker.debian.org/tracker/CVE-2017-9047 +https://security-tracker.debian.org/tracker/CVE-2017-9048 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74 + +From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sat, 3 Jun 2017 02:01:29 +0200 +Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +xmlSnprintfElementContent failed to correctly check the available +buffer space in two locations. + +Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048). + +Thanks to Marcel Böhme and Thuan Pham for the report. +--- + result/valid/781333.xml | 5 +++++ + result/valid/781333.xml.err | 3 +++ + result/valid/781333.xml.err.rdr | 6 ++++++ + test/valid/781333.xml | 4 ++++ + valid.c | 20 +++++++++++--------- + 5 files changed, 29 insertions(+), 9 deletions(-) + create mode 100644 result/valid/781333.xml + create mode 100644 result/valid/781333.xml.err + create mode 100644 result/valid/781333.xml.err.rdr + create mode 100644 test/valid/781333.xml + +diff --git a/result/valid/781333.xml b/result/valid/781333.xml +new file mode 100644 +index 00000000..45dc451d +--- /dev/null ++++ b/result/valid/781333.xml +@@ -0,0 +1,5 @@ ++<?xml version="1.0"?> ++<!DOCTYPE a [ ++<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)> ++]> ++<a/> +diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err +new file mode 100644 +index 00000000..b401b49a +--- /dev/null ++++ b/result/valid/781333.xml.err +@@ -0,0 +1,3 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++<a/> ++ ^ +diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr +new file mode 100644 +index 00000000..5ff56992 +--- /dev/null ++++ b/result/valid/781333.xml.err.rdr +@@ -0,0 +1,6 @@ ++./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got ++<a/> ++ ^ ++./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child ++ ++^ +diff --git a/test/valid/781333.xml b/test/valid/781333.xml +new file mode 100644 +index 00000000..b29e5a68 +--- /dev/null ++++ b/test/valid/781333.xml +@@ -0,0 +1,4 @@ ++<!DOCTYPE a [ ++ <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)> ++]> ++<a/> +diff --git a/valid.c b/valid.c +index 19f84b82..9b2df56a 100644 +--- a/valid.c ++++ b/valid.c +@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int + case XML_ELEMENT_CONTENT_PCDATA: + strcat(buf, "#PCDATA"); + break; +- case XML_ELEMENT_CONTENT_ELEMENT: ++ case XML_ELEMENT_CONTENT_ELEMENT: { ++ int qnameLen = xmlStrlen(content->name); ++ ++ if (content->prefix != NULL) ++ qnameLen += xmlStrlen(content->prefix) + 1; ++ if (size - len < qnameLen + 10) { ++ strcat(buf, " ..."); ++ return; ++ } + if (content->prefix != NULL) { +- if (size - len < xmlStrlen(content->prefix) + 10) { +- strcat(buf, " ..."); +- return; +- } + strcat(buf, (char *) content->prefix); + strcat(buf, ":"); + } +- if (size - len < xmlStrlen(content->name) + 10) { +- strcat(buf, " ..."); +- return; +- } + if (content->name != NULL) + strcat(buf, (char *) content->name); + break; ++ } + case XML_ELEMENT_CONTENT_SEQ: + if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || + (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) +@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int + xmlSnprintfElementContent(buf, size, content->c2, 0); + break; + } ++ if (size - strlen(buf) <= 2) return; + if (englob) + strcat(buf, ")"); + switch (content->ocur) { +-- +2.14.1 + diff --git a/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch new file mode 100644 index 0000000000..890e9c2284 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch @@ -0,0 +1,319 @@ +Fix CVE-2017-{9049,9050}: + +https://bugzilla.gnome.org/show_bug.cgi?id=781205 (not yet public) +https://bugzilla.gnome.org/show_bug.cgi?id=781361 (not yet public) +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050 +http://www.openwall.com/lists/oss-security/2017/05/15/1 +https://security-tracker.debian.org/tracker/CVE-2017-9049 +https://security-tracker.debian.org/tracker/CVE-2017-9050 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3 + +Changes to 'runtest.c' are removed since they introduce test failure +when applying to libxml2 2.9.4 release tarball. + +From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Mon, 5 Jun 2017 15:37:17 +0200 +Subject: [PATCH] Fix handling of parameter-entity references +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There were two bugs where parameter-entity references could lead to an +unexpected change of the input buffer in xmlParseNameComplex and +xmlDictLookup being called with an invalid pointer. + +Percent sign in DTD Names +========================= + +The NEXTL macro used to call xmlParserHandlePEReference. When parsing +"complex" names inside the DTD, this could result in entity expansion +which created a new input buffer. The fix is to simply remove the call +to xmlParserHandlePEReference from the NEXTL macro. This is safe because +no users of the macro require expansion of parameter entities. + +- xmlParseNameComplex +- xmlParseNCNameComplex +- xmlParseNmtoken + +The percent sign is not allowed in names, which are grammatical tokens. + +- xmlParseEntityValue + +Parameter-entity references in entity values are expanded but this +happens in a separate step in this function. + +- xmlParseSystemLiteral + +Parameter-entity references are ignored in the system literal. + +- xmlParseAttValueComplex +- xmlParseCharDataComplex +- xmlParseCommentComplex +- xmlParsePI +- xmlParseCDSect + +Parameter-entity references are ignored outside the DTD. + +- xmlLoadEntityContent + +This function is only called from xmlStringLenDecodeEntities and +entities are replaced in a separate step immediately after the function +call. + +This bug could also be triggered with an internal subset and double +entity expansion. + +This fixes bug 766956 initially reported by Wei Lei and independently by +Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone +involved. + +xmlParseNameComplex with XML_PARSE_OLD10 +======================================== + +When parsing Names inside an expanded parameter entity with the +XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the +GROW macro if the input buffer was exhausted. At the end of the +parameter entity's replacement text, this function would then call +xmlPopInput which invalidated the input buffer. + +There should be no need to invoke GROW in this situation because the +buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and, +at least for UTF-8, in xmlCurrentChar. This also matches the code path +executed when XML_PARSE_OLD10 is not set. + +This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050). +Thanks to Marcel Böhme and Thuan Pham for the report. + +Additional hardening +==================== + +A separate check was added in xmlParseNameComplex to validate the +buffer size. +--- + Makefile.am | 18 ++++++++++++++++++ + parser.c | 18 ++++++++++-------- + result/errors10/781205.xml | 0 + result/errors10/781205.xml.err | 21 +++++++++++++++++++++ + result/errors10/781361.xml | 0 + result/errors10/781361.xml.err | 13 +++++++++++++ + result/valid/766956.xml | 0 + result/valid/766956.xml.err | 9 +++++++++ + result/valid/766956.xml.err.rdr | 10 ++++++++++ + runtest.c | 3 +++ + test/errors10/781205.xml | 3 +++ + test/errors10/781361.xml | 3 +++ + test/valid/766956.xml | 2 ++ + test/valid/dtds/766956.dtd | 2 ++ + 14 files changed, 94 insertions(+), 8 deletions(-) + create mode 100644 result/errors10/781205.xml + create mode 100644 result/errors10/781205.xml.err + create mode 100644 result/errors10/781361.xml + create mode 100644 result/errors10/781361.xml.err + create mode 100644 result/valid/766956.xml + create mode 100644 result/valid/766956.xml.err + create mode 100644 result/valid/766956.xml.err.rdr + create mode 100644 test/errors10/781205.xml + create mode 100644 test/errors10/781361.xml + create mode 100644 test/valid/766956.xml + create mode 100644 test/valid/dtds/766956.dtd + +diff --git a/Makefile.am b/Makefile.am +index 6fc8ffa9..10e716a5 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT) + if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ + rm result.$$name error.$$name ; \ + fi ; fi ; done) ++ @echo "## Error cases regression tests (old 1.0)" ++ -@(for i in $(srcdir)/test/errors10/*.xml ; do \ ++ name=`basename $$i`; \ ++ if [ ! -d $$i ] ; then \ ++ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \ ++ echo New test file $$name ; \ ++ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \ ++ 2> $(srcdir)/result/errors10/$$name.err \ ++ > $(srcdir)/result/errors10/$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ else \ ++ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \ ++ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \ ++ diff $(srcdir)/result/errors10/$$name result.$$name ; \ ++ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \ ++ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \ ++ rm result.$$name error.$$name ; \ ++ fi ; fi ; done) + @echo "## Error cases stream regression tests" + -@(for i in $(srcdir)/test/errors/*.xml ; do \ + name=`basename $$i`; \ +diff --git a/parser.c b/parser.c +index df2efa55..a175ac4e 100644 +--- a/parser.c ++++ b/parser.c +@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { + ctxt->input->line++; ctxt->input->col = 1; \ + } else ctxt->input->col++; \ + ctxt->input->cur += l; \ +- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \ + } while (0) + + #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l) +@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + len += l; + NEXTL(l); + c = CUR_CHAR(l); +- if (c == 0) { +- count = 0; +- GROW; +- if (ctxt->instate == XML_PARSER_EOF) +- return(NULL); +- c = CUR_CHAR(l); +- } + } + } + if ((len > XML_MAX_NAME_LENGTH) && +@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } ++ if (ctxt->input->cur - ctxt->input->base < len) { ++ /* ++ * There were a couple of bugs where PERefs lead to to a change ++ * of the buffer. Check the buffer size to avoid passing an invalid ++ * pointer to xmlDictLookup. ++ */ ++ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, ++ "unexpected change of input buffer"); ++ return (NULL); ++ } + if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r')) + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len)); + return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); +diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err +new file mode 100644 +index 00000000..da15c3f7 +--- /dev/null ++++ b/result/errors10/781205.xml.err +@@ -0,0 +1,21 @@ ++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ %a; ++ ^ ++Entity: line 1: ++<:0000 ++^ ++Entity: line 1: parser error : DOCTYPE improperly terminated ++ %a; ++ ^ ++Entity: line 1: ++<:0000 ++^ ++namespace error : Failed to parse QName ':0000' ++ %a; ++ ^ ++<:0000 ++ ^ ++./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1 ++ ++^ +diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err +new file mode 100644 +index 00000000..655f41a2 +--- /dev/null ++++ b/result/errors10/781361.xml.err +@@ -0,0 +1,13 @@ ++./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected ++ ++^ ++./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ ++^ ++./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated ++ ++^ ++./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found ++ ++^ +diff --git a/result/valid/766956.xml b/result/valid/766956.xml +new file mode 100644 +index 00000000..e69de29b +diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err +new file mode 100644 +index 00000000..34b1dae6 +--- /dev/null ++++ b/result/valid/766956.xml.err +@@ -0,0 +1,9 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%ä%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent; ++ ^ ++Entity: line 1: ++value ++^ +diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr +new file mode 100644 +index 00000000..77603462 +--- /dev/null ++++ b/result/valid/766956.xml.err.rdr +@@ -0,0 +1,10 @@ ++test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';' ++%ä%ent; ++ ^ ++Entity: line 1: parser error : Content error in the external subset ++ %ent; ++ ^ ++Entity: line 1: ++value ++^ ++./test/valid/766956.xml : failed to parse +diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml +new file mode 100644 +index 00000000..d9e9e839 +--- /dev/null ++++ b/test/errors10/781205.xml +@@ -0,0 +1,3 @@ ++<!DOCTYPE D [ ++ <!ENTITY % a "<:0000"> ++ %a; +diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml +new file mode 100644 +index 00000000..67476bcb +--- /dev/null ++++ b/test/errors10/781361.xml +@@ -0,0 +1,3 @@ ++<!DOCTYPE doc [ ++ <!ENTITY % elem "<!ELEMENT e0000000000"> ++ %elem; +diff --git a/test/valid/766956.xml b/test/valid/766956.xml +new file mode 100644 +index 00000000..19a95a0e +--- /dev/null ++++ b/test/valid/766956.xml +@@ -0,0 +1,2 @@ ++<!DOCTYPE test SYSTEM "dtds/766956.dtd"> ++<test/> +diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd +new file mode 100644 +index 00000000..dddde68b +--- /dev/null ++++ b/test/valid/dtds/766956.dtd +@@ -0,0 +1,2 @@ ++<!ENTITY % ent "value"> ++%ä%ent; +-- +2.14.1 + diff --git a/gnu/packages/patches/libzip-CVE-2017-12858.patch b/gnu/packages/patches/libzip-CVE-2017-12858.patch deleted file mode 100644 index 8125173f95..0000000000 --- a/gnu/packages/patches/libzip-CVE-2017-12858.patch +++ /dev/null @@ -1,45 +0,0 @@ -Fix CVE-2017-12858: - -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12858 - -Patch copied from upstream source repository: - -https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796 - -From 2217022b7d1142738656d891e00b3d2d9179b796 Mon Sep 17 00:00:00 2001 -From: Thomas Klausner <tk@giga.or.at> -Date: Mon, 14 Aug 2017 10:55:44 +0200 -Subject: [PATCH] Fix double free(). - -Found by Brian 'geeknik' Carpenter using AFL. ---- - THANKS | 1 + - lib/zip_dirent.c | 3 --- - 2 files changed, 1 insertion(+), 3 deletions(-) - -diff --git a/THANKS b/THANKS -index be0cca9..a80ee1d 100644 ---- a/THANKS -+++ b/THANKS -@@ -12,6 +12,7 @@ BALATON Zoltan <balaton@eik.bme.hu> - Benjamin Gilbert <bgilbert@backtick.net> - Boaz Stolk <bstolk@aweta.nl> - Bogdan <bogiebog@gmail.com> -+Brian 'geeknik' Carpenter <geeknik@protonmail.ch> - Chris Nehren <cnehren+libzip@pobox.com> - Coverity <info@coverity.com> - Dane Springmeyer <dane.springmeyer@gmail.com> -diff --git a/lib/zip_dirent.c b/lib/zip_dirent.c -index a369900..e5a7cc9 100644 ---- a/lib/zip_dirent.c -+++ b/lib/zip_dirent.c -@@ -579,9 +579,6 @@ _zip_dirent_read(zip_dirent_t *zde, zip_source_t *src, zip_buffer_t *buffer, boo - } - - if (!_zip_dirent_process_winzip_aes(zde, error)) { -- if (!from_buffer) { -- _zip_buffer_free(buffer); -- } - return -1; - } - diff --git a/gnu/packages/patches/meson-for-build-rpath.patch b/gnu/packages/patches/meson-for-build-rpath.patch new file mode 100644 index 0000000000..4e20c9aed3 --- /dev/null +++ b/gnu/packages/patches/meson-for-build-rpath.patch @@ -0,0 +1,24 @@ +This patch removes a part of meson that clears the rpath upon installation. +This will only be applied to a special version of meson, used for the +meson-build-system. + +Patch by Peter Mikkelsen <petermikkelsen10@gmail.com> + +--- meson-0.42.0/mesonbuild/scripts/meson_install.py.orig 2017-09-09 01:49:39.147374148 +0200 ++++ meson-0.42.0/mesonbuild/scripts/meson_install.py 2017-09-09 01:51:01.209134717 +0200 +@@ -345,15 +345,6 @@ + print("Symlink creation does not work on this platform. " + "Skipping all symlinking.") + printed_symlink_error = True +- if is_elf_platform() and os.path.isfile(outname): +- try: +- e = depfixer.Elf(outname, False) +- e.fix_rpath(install_rpath) +- except SystemExit as e: +- if isinstance(e.code, int) and e.code == 0: +- pass +- else: +- raise + + def run(args): + global install_log_file diff --git a/gnu/packages/patches/metabat-fix-boost-issue.patch b/gnu/packages/patches/metabat-fix-boost-issue.patch deleted file mode 100644 index 3382d84d66..0000000000 --- a/gnu/packages/patches/metabat-fix-boost-issue.patch +++ /dev/null @@ -1,27 +0,0 @@ -This patch fixes the issue described at -https://bitbucket.org/berkeleylab/metabat/issues/28/compilation-fail-with-boost-164 - -diff --git a/src/metabat.h b/src/metabat.h -index 32ae94c..2292c04 100644 ---- a/src/metabat.h -+++ b/src/metabat.h -@@ -35,6 +35,7 @@ KSEQ_INIT(gzFile, gzread) - - #include <boost/program_options.hpp> - #include <boost/algorithm/string.hpp> -+#include <boost/serialization/array_wrapper.hpp> - #include <boost/numeric/ublas/matrix.hpp> - #include <boost/math/distributions.hpp> - #include <boost/serialization/serialization.hpp> -diff --git a/src/metabat2.h b/src/metabat2.h -index 60a9998..19fa815 100644 ---- a/src/metabat2.h -+++ b/src/metabat2.h -@@ -41,6 +41,7 @@ KSEQ_INIT(gzFile, gzread) - - #include <boost/program_options.hpp> - #include <boost/algorithm/string.hpp> -+#include <boost/serialization/array_wrapper.hpp> - #include <boost/numeric/ublas/matrix.hpp> - #include <boost/numeric/ublas/matrix_sparse.hpp> - #include <boost/numeric/ublas/matrix_proxy.hpp> diff --git a/gnu/packages/patches/metabat-remove-compilation-date.patch b/gnu/packages/patches/metabat-remove-compilation-date.patch deleted file mode 100644 index 7672205b22..0000000000 --- a/gnu/packages/patches/metabat-remove-compilation-date.patch +++ /dev/null @@ -1,16 +0,0 @@ -Remove the reference to the compilation date so that the build is -reproducible. - -diff --git a/src/metabat.cpp b/src/metabat.cpp -index 88e06de..c95cb1a 100644 ---- a/src/metabat.cpp -+++ b/src/metabat.cpp -@@ -49,7 +49,7 @@ int main(int ac, char* av[]) { - po::notify(vm); - - if (vm.count("help") || inFile.length() == 0 || outFile.length() == 0) { -- cerr << "\nMetaBAT: Metagenome Binning based on Abundance and Tetranucleotide frequency (version " << version << "; " << __DATE__ << " " << __TIME__ << ")" << endl; -+ cerr << "\nMetaBAT: Metagenome Binning based on Abundance and Tetranucleotide frequency (version " << version << "; unknown compilation date)" << endl; - cerr << "by Don Kang (ddkang@lbl.gov), Jeff Froula, Rob Egan, and Zhong Wang (zhongwang@lbl.gov) \n" << endl; - cerr << desc << endl << endl; - diff --git a/gnu/packages/patches/multiqc-fix-git-subprocess-error.patch b/gnu/packages/patches/multiqc-fix-git-subprocess-error.patch deleted file mode 100644 index 87be6142f4..0000000000 --- a/gnu/packages/patches/multiqc-fix-git-subprocess-error.patch +++ /dev/null @@ -1,16 +0,0 @@ -Without this patch, the incorrect exception is caught when 'git' is not in -PATH. See https://github.com/ewels/MultiQC/pull/377. - -diff --git a/multiqc/utils/config.py b/multiqc/utils/config.py -index 01fa554..4a11793 100755 ---- a/multiqc/utils/config.py -+++ b/multiqc/utils/config.py -@@ -28,7 +28,7 @@ try: - git_hash = subprocess.check_output(['git', 'rev-parse', 'HEAD'], stderr=subprocess.STDOUT) - git_hash_short = git_hash[:7] - version = '{} ({})'.format(version, git_hash_short) --except subprocess.CalledProcessError: -+except (subprocess.CalledProcessError, FileNotFoundError): - pass - os.chdir(cwd) - diff --git a/gnu/packages/patches/newsbeuter-CVE-2017-14500.patch b/gnu/packages/patches/newsbeuter-CVE-2017-14500.patch new file mode 100644 index 0000000000..449105e42a --- /dev/null +++ b/gnu/packages/patches/newsbeuter-CVE-2017-14500.patch @@ -0,0 +1,43 @@ +https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333.patch +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500 + +From 26f5a4350f3ab5507bb8727051c87bb04660f333 Mon Sep 17 00:00:00 2001 +From: Alexander Batischev <eual.jp@gmail.com> +Date: Sat, 16 Sep 2017 19:31:43 +0300 +Subject: [PATCH] Work around shell code in podcast names (#598) + +--- + src/pb_controller.cpp | 6 +++--- + src/queueloader.cpp | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/pb_controller.cpp b/src/pb_controller.cpp +index 09b5e897..213216cd 100644 +--- a/src/pb_controller.cpp ++++ b/src/pb_controller.cpp +@@ -306,9 +306,9 @@ void pb_controller::play_file(const std::string& file) { + if (player == "") + return; + cmdline.append(player); +- cmdline.append(" \""); +- cmdline.append(utils::replace_all(file,"\"", "\\\"")); +- cmdline.append("\""); ++ cmdline.append(" \'"); ++ cmdline.append(utils::replace_all(file,"'", "%27")); ++ cmdline.append("\'"); + stfl::reset(); + LOG(LOG_DEBUG, "pb_controller::play_file: running `%s'", cmdline.c_str()); + ::system(cmdline.c_str()); +diff --git a/src/queueloader.cpp b/src/queueloader.cpp +index c1dabdd8..ae725e04 100644 +--- a/src/queueloader.cpp ++++ b/src/queueloader.cpp +@@ -130,7 +130,7 @@ std::string queueloader::get_filename(const std::string& str) { + strftime(lbuf, sizeof(lbuf), "%Y-%b-%d-%H%M%S.unknown", localtime(&t)); + fn.append(lbuf); + } else { +- fn.append(base); ++ fn.append(utils::replace_all(base, "'", "%27")); + } + return fn; + } diff --git a/gnu/packages/patches/node-9077.patch b/gnu/packages/patches/node-9077.patch deleted file mode 100644 index 6b71d48c0e..0000000000 --- a/gnu/packages/patches/node-9077.patch +++ /dev/null @@ -1,31 +0,0 @@ -From fc164acbbb700fd50ab9c04b47fc1b2687e9c0f4 Mon Sep 17 00:00:00 2001 -From: "Bradley T. Hughes" <bradleythughes@fastmail.fm> -Date: Thu, 13 Oct 2016 07:38:38 +0000 -Subject: [PATCH] build: add -DZLIB_CONST when building with --shared-zlib - -Commit 782620f added the define only when building with the bundled -zlib. Using a shared zlib results in build breakage: - -../src/inspector_agent.cc:179:16: error: assigning to 'Bytef *' (aka 'unsigned char *') from incompatible type - 'const uint8_t *' (aka 'const unsigned char *') - strm.next_in = PROTOCOL_JSON + 3; - ^ ~~~~~~~~~~~~~~~~~ -1 error generated. ---- - node.gyp | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/node.gyp b/node.gyp -index 272dc98..667c260 100644 ---- a/node.gyp -+++ b/node.gyp -@@ -653,7 +653,8 @@ - [ 'node_shared_zlib=="false"', { - 'dependencies': [ - 'deps/zlib/zlib.gyp:zlib', -- ] -+ ]}, { -+ 'defines': [ 'ZLIB_CONST' ], - }], - [ 'node_shared_openssl=="false"', { - 'dependencies': [ diff --git a/gnu/packages/patches/ocaml-graph-honor-source-date-epoch.patch b/gnu/packages/patches/ocaml-graph-honor-source-date-epoch.patch new file mode 100644 index 0000000000..9f8713e3d3 --- /dev/null +++ b/gnu/packages/patches/ocaml-graph-honor-source-date-epoch.patch @@ -0,0 +1,34 @@ +From 354ef78aac0b887fae3c10b28eb2b0d83f66bdfe Mon Sep 17 00:00:00 2001 +From: Julien Lepiller <julien@lepiller.eu> +Date: Mon, 2 Jan 2017 17:05:24 +0100 +Subject: [PATCH] Honor SOURCE_DATE_EPOCH + +--- + Makefile.in | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/Makefile.in b/Makefile.in +index a32b4b8..ef4c174 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -113,11 +113,16 @@ graph.cmx: $(CMI) $(CMX) + $(OCAMLOPT) $(INCLUDES) -pack -o $@ $^ + + VERSION=1.8.7 ++ifdef SOURCE_DATE_EPOCH ++BUILD_DATE=$(shell date -u -d "@$(SOURCE_DATE_EPOCH)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" 2>/dev/null || date) ++else ++BUILD_DATE=$(shell date) ++endif + + src/version.ml: Makefile + rm -f $@ + echo "let version = \""$(VERSION)"\"" > $@ +- echo "let date = \""`date`"\"" >> $@ ++ echo "let date = \""$(BUILD_DATE)"\"" >> $@ + + # gtk2 graph editor + ################### +-- +2.11.0 + diff --git a/gnu/packages/patches/openfoam-4.1-cleanup.patch b/gnu/packages/patches/openfoam-4.1-cleanup.patch new file mode 100644 index 0000000000..37effa5c9c --- /dev/null +++ b/gnu/packages/patches/openfoam-4.1-cleanup.patch @@ -0,0 +1,243 @@ +# This patch removes all need for the ThirdParty files of OpenFOAM. + +# Derived from EasyBuild patch by Ward Poelmans <wpoely86@gmail.com>. +# Modified for GNU Guix by Paul Garlick <pgarlick@tourbillion-technology.com>. + +diff -ur OpenFOAM-4.x-version-4.1.org/applications/utilities/mesh/manipulation/setSet/Allwmake OpenFOAM-4.x-version-4.1/applications/utilities/mesh/manipulation/setSet/Allwmake +--- OpenFOAM-4.x-version-4.1.org/applications/utilities/mesh/manipulation/setSet/Allwmake ++++ OpenFOAM-4.x-version-4.1/applications/utilities/mesh/manipulation/setSet/Allwmake +@@ -9,7 +9,7 @@ + # + # use readline if available + # +-if [ -f /usr/include/readline/readline.h ] ++if true + then + echo "Found <readline/readline.h> -- enabling readline support." + export COMP_FLAGS="-DHAS_READLINE" +diff -ur OpenFOAM-4.x-version-4.1.org/etc/bashrc OpenFOAM-4.x-version-4.1/etc/bashrc +--- OpenFOAM-4.x-version-4.1.org/etc/bashrc ++++ OpenFOAM-4.x-version-4.1/etc/bashrc +@@ -43,8 +43,10 @@ + # Please set to the appropriate path if the default is not correct. + # + [ $BASH_SOURCE ] && \ +-export FOAM_INST_DIR=$(cd ${BASH_SOURCE%/*/*/*} && pwd -P) || \ ++export FOAM_INST_DIR=$(cd $(dirname $BASH_SOURCE)/../.. && pwd -P) || \ + export FOAM_INST_DIR=$HOME/$WM_PROJECT ++# For GNU Guix: set initially for build then re-set at runtime ++# + # export FOAM_INST_DIR=~$WM_PROJECT + # export FOAM_INST_DIR=/opt/$WM_PROJECT + # export FOAM_INST_DIR=/usr/local/$WM_PROJECT +diff -ur OpenFOAM-4.x-version-4.1.org/etc/config.sh/CGAL OpenFOAM-4.x-version-4.1/etc/config.sh/CGAL +--- OpenFOAM-4.x-version-4.1.org/etc/config.sh/CGAL ++++ OpenFOAM-4.x-version-4.1/etc/config.sh/CGAL +@@ -36,37 +36,7 @@ + # + #------------------------------------------------------------------------------ + +-boost_version=boost-system +-cgal_version=cgal-system +-#cgal_version=CGAL-4.8 +- +-if [ -z "$SOURCE_CGAL_VERSIONS_ONLY" ] +-then +- +- common_path=$WM_THIRD_PARTY_DIR/platforms/$WM_ARCH$WM_COMPILER +- +- export BOOST_ARCH_PATH=$common_path/$boost_version +- export CGAL_ARCH_PATH=$common_path/$cgal_version +- +- if [ "$FOAM_VERBOSE" -a "$PS1" ] +- then +- echo "Using CGAL and boost" 1>&2 +- echo " $cgal_version at $CGAL_ARCH_PATH" 1>&2 +- echo " $boost_version at $BOOST_ARCH_PATH" 1>&2 +- fi +- +- if [ -d "$CGAL_ARCH_PATH" -a "$cgal_version" != "cgal-system" ] +- then +- _foamAddLib $CGAL_ARCH_PATH/lib +- fi +- +- if [ -d "$BOOST_ARCH_PATH" -a "$boost_version" != "boost-system" ] +- then +- _foamAddLib $BOOST_ARCH_PATH/lib +- fi +- +- unset boost_version cgal_version common_path +- +-fi ++export CGAL_ARCH_PATH=$CGAL_ROOT ++export BOOST_ARCH_PATH=$BOOST_ROOT + + #------------------------------------------------------------------------------ +diff -ur OpenFOAM-4.x-version-4.1.org/etc/config.sh/gperftools OpenFOAM-4.x-version-4.1/etc/config.sh/gperftools +--- OpenFOAM-4.x-version-4.1.org/etc/config.sh/gperftools ++++ OpenFOAM-4.x-version-4.1/etc/config.sh/gperftools +@@ -29,13 +29,5 @@ + # + #------------------------------------------------------------------------------ + +-version=svn +-gperftools_install=$WM_THIRD_PARTY_DIR/platforms/$WM_ARCH$WM_COMPILER +- +-GPERFTOOLS_VERSION=gperftools-$version +-GPERFTOOLS_ARCH_PATH=$gperftools_install/$GPERFTOOLS_VERSION +- +-export PATH=$GPERFTOOLS_ARCH_PATH/bin:$PATH +-export LD_LIBRARY_PATH=$GPERFTOOLS_ARCH_PATH/lib:$LD_LIBRARY_PATH + + #------------------------------------------------------------------------------ +diff -ur OpenFOAM-4.x-version-4.1.org/etc/config.sh/metis OpenFOAM-4.x-version-4.1/etc/config.sh/metis +--- OpenFOAM-4.x-version-4.1.org/etc/config.sh/metis ++++ OpenFOAM-4.x-version-4.1/etc/config.sh/metis +@@ -34,7 +34,7 @@ + # + #------------------------------------------------------------------------------ + +-export METIS_VERSION=metis-5.1.0 +-export METIS_ARCH_PATH=$WM_THIRD_PARTY_DIR/platforms/$WM_ARCH$WM_COMPILER$WM_PRECISION_OPTION$WM_LABEL_OPTION/$METIS_VERSION ++export METIS_VERSION=metis-$METISVERSION ++export METIS_ARCH_PATH=$METIS_ROOT + + #------------------------------------------------------------------------------ +diff -ur OpenFOAM-4.x-version-4.1.org/etc/config.sh/scotch OpenFOAM-4.x-version-4.1/etc/config.sh/scotch +--- OpenFOAM-4.x-version-4.1.org/etc/config.sh/scotch ++++ OpenFOAM-4.x-version-4.1/etc/config.sh/scotch +@@ -37,7 +37,7 @@ + # + #------------------------------------------------------------------------------ + +-export SCOTCH_VERSION=scotch_6.0.3 +-export SCOTCH_ARCH_PATH=$WM_THIRD_PARTY_DIR/platforms/$WM_ARCH$WM_COMPILER$WM_PRECISION_OPTION$WM_LABEL_OPTION/$SCOTCH_VERSION ++export SCOTCH_VERSION=scotch_$SCOTCHVERSION ++export SCOTCH_ARCH_PATH=$SCOTCH_ROOT + + #------------------------------------------------------------------------------ +diff -ur OpenFOAM-4.x-version-4.1.org/etc/config.sh/settings OpenFOAM-4.x-version-4.1/etc/config.sh/settings +--- OpenFOAM-4.x-version-4.1.org/etc/config.sh/settings ++++ OpenFOAM-4.x-version-4.1/etc/config.sh/settings +@@ -279,6 +279,9 @@ + ;; + system) + # Use system compiler ++ # Use system GMP and MPFR packages ++ export GMP_ARCH_PATH=$GMP_ROOT ++ export MPFR_ARCH_PATH=$MPFR_ROOT + ;; + *) + echo "Warn: WM_COMPILER_TYPE='$WM_COMPILER_TYPE' is unsupported" 1>&2 +diff -ur OpenFOAM-4.x-version-4.1.org/src/parallel/decompose/ptscotchDecomp/Make/options OpenFOAM-4.x-version-4.1/src/parallel/decompose/ptscotchDecomp/Make/options +--- OpenFOAM-4.x-version-4.1.org/src/parallel/decompose/ptscotchDecomp/Make/options ++++ OpenFOAM-4.x-version-4.1/src/parallel/decompose/ptscotchDecomp/Make/options +@@ -5,8 +5,7 @@ + $(PFLAGS) $(PINC) \ + -I$(SCOTCH_ROOT)/include \ + -I$(SCOTCH_ARCH_PATH)/include/$(FOAM_MPI) \ +- -I/usr/include/scotch \ + -I../decompositionMethods/lnInclude + + LIB_LIBS = \ +- -L$(SCOTCH_ROOT)/lib -L$(FOAM_EXT_LIBBIN)/$(FOAM_MPI) -lptscotch -lptscotcherrexit -lscotch ${LINK_FLAGS} -lrt ++ -L$(SCOTCH_ROOT)/lib -L$(MPI_ARCH_PATH)/lib -lptscotch -lptscotcherrexit -lscotch ${LINK_FLAGS} -lrt +diff -ur OpenFOAM-4.x-version-4.1.org/src/parallel/decompose/scotchDecomp/Make/options OpenFOAM-4.x-version-4.1/src/parallel/decompose/scotchDecomp/Make/options +--- OpenFOAM-4.x-version-4.1.org/src/parallel/decompose/scotchDecomp/Make/options ++++ OpenFOAM-4.x-version-4.1/src/parallel/decompose/scotchDecomp/Make/options +@@ -9,8 +9,7 @@ + $(PFLAGS) $(PINC) \ + -I$(SCOTCH_ROOT)/include \ + -I$(SCOTCH_ARCH_PATH)/include \ +- -I/usr/include/scotch \ + -I../decompositionMethods/lnInclude + + LIB_LIBS = \ +- -L$(SCOTCH_ROOT)/lib -L$(FOAM_EXT_LIBBIN) -lscotch -lscotcherrexit -lrt ++ -L$(SCOTCH_ROOT)/lib -lscotch -lscotcherrexit -lrt +diff -ur OpenFOAM-4.x-version-4.1.org/wmake/makefiles/general OpenFOAM-4.x-version-4.1/wmake/makefiles/general +--- OpenFOAM-4.x-version-4.1.org/wmake/makefiles/general ++++ OpenFOAM-4.x-version-4.1/wmake/makefiles/general +@@ -33,7 +33,6 @@ + # The Makefile uses a POSIX shell + #------------------------------------------------------------------------------ + +-SHELL = /bin/sh + + + #------------------------------------------------------------------------------ +diff -ur OpenFOAM-4.x-version-4.1.org/wmake/wmake OpenFOAM-4.x-version-4.1/wmake/wmake +--- OpenFOAM-4.x-version-4.1.org/wmake/wmake ++++ OpenFOAM-4.x-version-4.1/wmake/wmake +@@ -163,7 +163,7 @@ + then + if [ "$WM_NCOMPPROCS" -gt 1 -a ! "$MAKEFLAGS" ] + then +- lockDir=$HOME/.$WM_PROJECT/.wmake ++ lockDir=$(cd $(dirname $BASH_SOURCE)/../.. && pwd -P)/.$WM_PROJECT/.wmake + + if [ -d $lockDir ] + then +diff -ur OpenFOAM-4.x-version-4.1.org/wmake/wmakeScheduler OpenFOAM-4.x-version-4.1/wmake/wmakeScheduler +--- OpenFOAM-4.x-version-4.1.org/wmake/wmakeScheduler ++++ OpenFOAM-4.x-version-4.1/wmake/wmakeScheduler +@@ -53,7 +53,7 @@ + # csh sets HOST, bash sets HOSTNAME + : ${HOST:=$HOSTNAME} + +-lockDir=$HOME/.$WM_PROJECT/.wmake ++lockDir=$(cd $(dirname $BASH_SOURCE)/../.. && pwd -P)/.$WM_PROJECT/.wmake + + # Fallback - 1 core on current host + : ${WM_HOSTS:=$HOST:1} +diff -ur OpenFOAM-4.x-version-4.1.org/wmake/wmakeSchedulerUptime OpenFOAM-4.x-version-4.1/wmake/wmakeSchedulerUptime +--- OpenFOAM-4.x-version-4.1.org/wmake/wmakeSchedulerUptime ++++ OpenFOAM-4.x-version-4.1/wmake/wmakeSchedulerUptime +@@ -53,7 +53,7 @@ + # csh sets HOST, bash sets HOSTNAME + : ${HOST:=$HOSTNAME} + +-lockDir=$HOME/.$WM_PROJECT/.wmake ++lockDir=$(cd $(dirname $BASH_SOURCE)/../.. && pwd -P)/.$WM_PROJECT/.wmake + # Fallback - 1 core on current host + : ${WM_HOSTS:=$HOST:1} + +diff -ur OpenFOAM-4.x-version-4.1.org/src/parallel/decompose/metisDecomp/metisDecomp.C OpenFOAM-4.x-version-4.1/src/parallel/decompose/metisDecomp/metisDecomp.C +--- OpenFOAM-4.x-version-4.1.org/src/parallel/decompose/metisDecomp/metisDecomp.C ++++ OpenFOAM-4.x-version-4.1/src/parallel/decompose/metisDecomp/metisDecomp.C +@@ -67,7 +67,7 @@ + + // Processor weights initialised with no size, only used if specified in + // a file +- Field<scalar> processorWeights; ++ Field<floatScalar> processorWeights; + + // Cell weights (so on the vertices of the dual) + List<label> cellWeights; +diff -ur OpenFOAM-4.x-version-4.1.org/wmake/rules/General/CGAL OpenFOAM-4.x-version-4.1/wmake/rules/General/CGAL +--- OpenFOAM-4.x-version-4.1.org/wmake/rules/General/CGAL ++++ OpenFOAM-4.x-version-4.1/wmake/rules/General/CGAL +@@ -6,9 +6,10 @@ + -I/usr/include + + CGAL_LIBS = \ +- -L$(MPFR_ARCH_PATH)/lib$(WM_COMPILER_LIB_ARCH) \ +- -L$(GMP_ARCH_PATH)/lib$(WM_COMPILER_LIB_ARCH) \ ++ -L$(MPFR_ARCH_PATH)/lib \ ++ -L$(GMP_ARCH_PATH)/lib \ + -L$(BOOST_ARCH_PATH)/lib \ + -L$(CGAL_ARCH_PATH)/lib \ + -lCGAL \ ++ -lgmp \ + -lmpfr +diff -ur OpenFOAM-4.x-version-4.1.org/wmake/rules/linux64Gcc/c++ OpenFOAM-4.x-version-4.1/wmake/rules/linux64Gcc/c++ +--- OpenFOAM-4.x-version-4.1.org/wmake/rules/linux64Gcc/c++ ++++ OpenFOAM-4.x-version-4.1/wmake/rules/linux64Gcc/c++ +@@ -20,5 +20,5 @@ + + LINK_LIBS = $(c++DBUG) + +-LINKLIBSO = $(CC) $(c++FLAGS) -shared -Xlinker --add-needed -Xlinker --no-as-needed +-LINKEXE = $(CC) $(c++FLAGS) -Xlinker --add-needed -Xlinker --no-as-needed ++LINKLIBSO = $(CC) $(c++FLAGS) $(LDFLAGS) -shared -Xlinker --add-needed -Xlinker --no-as-needed ++LINKEXE = $(CC) $(c++FLAGS) $(LDFLAGS) -Xlinker --add-needed -Xlinker --no-as-needed diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14040.patch b/gnu/packages/patches/openjpeg-CVE-2017-14040.patch new file mode 100644 index 0000000000..bd7473ba0d --- /dev/null +++ b/gnu/packages/patches/openjpeg-CVE-2017-14040.patch @@ -0,0 +1,83 @@ +http://openwall.com/lists/oss-security/2017/08/28/3 +https://github.com/uclouvain/openjpeg/commit/2cd30c2b06ce332dede81cccad8b334cde997281.patch + +From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Thu, 17 Aug 2017 11:47:40 +0200 +Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and + fixes unaligned load (#995) + +--- + src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------ + 1 file changed, 27 insertions(+), 12 deletions(-) + +diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c +index a4eb81f6a..73dfc8d5f 100644 +--- a/src/bin/jp2/convert.c ++++ b/src/bin/jp2/convert.c +@@ -580,13 +580,10 @@ struct tga_header { + }; + #endif /* INFORMATION_ONLY */ + +-static unsigned short get_ushort(const unsigned char *data) ++/* Returns a ushort from a little-endian serialized value */ ++static unsigned short get_tga_ushort(const unsigned char *data) + { +- unsigned short val = *(const unsigned short *)data; +-#ifdef OPJ_BIG_ENDIAN +- val = ((val & 0xffU) << 8) | (val >> 8); +-#endif +- return val; ++ return data[0] | (data[1] << 8); + } + + #define TGA_HEADER_SIZE 18 +@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel, + id_len = tga[0]; + /*cmap_type = tga[1];*/ + image_type = tga[2]; +- /*cmap_index = get_ushort(&tga[3]);*/ +- cmap_len = get_ushort(&tga[5]); ++ /*cmap_index = get_tga_ushort(&tga[3]);*/ ++ cmap_len = get_tga_ushort(&tga[5]); + cmap_entry_size = tga[7]; + + + #if 0 +- x_origin = get_ushort(&tga[8]); +- y_origin = get_ushort(&tga[10]); ++ x_origin = get_tga_ushort(&tga[8]); ++ y_origin = get_tga_ushort(&tga[10]); + #endif +- image_w = get_ushort(&tga[12]); +- image_h = get_ushort(&tga[14]); ++ image_w = get_tga_ushort(&tga[12]); ++ image_h = get_tga_ushort(&tga[14]); + pixel_depth = tga[16]; + image_desc = tga[17]; + +@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters) + color_space = OPJ_CLRSPC_SRGB; + } + ++ /* If the declared file size is > 10 MB, check that the file is big */ ++ /* enough to avoid excessive memory allocations */ ++ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) { ++ char ch; ++ OPJ_UINT64 expected_file_size = ++ (OPJ_UINT64)image_width * image_height * numcomps; ++ long curpos = ftell(f); ++ if (expected_file_size > (OPJ_UINT64)INT_MAX) { ++ expected_file_size = (OPJ_UINT64)INT_MAX; ++ } ++ fseek(f, (long)expected_file_size - 1, SEEK_SET); ++ if (fread(&ch, 1, 1, f) != 1) { ++ fclose(f); ++ return NULL; ++ } ++ fseek(f, curpos, SEEK_SET); ++ } ++ + subsampling_dx = parameters->subsampling_dx; + subsampling_dy = parameters->subsampling_dy; + diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14041.patch b/gnu/packages/patches/openjpeg-CVE-2017-14041.patch new file mode 100644 index 0000000000..6e3fccf3c0 --- /dev/null +++ b/gnu/packages/patches/openjpeg-CVE-2017-14041.patch @@ -0,0 +1,25 @@ +http://openwall.com/lists/oss-security/2017/08/28/4 +https://github.com/uclouvain/openjpeg/commit/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch + +From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Fri, 18 Aug 2017 13:39:20 +0200 +Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997) + +--- + src/bin/jp2/convert.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c +index 5459f7d44..e606c9be7 100644 +--- a/src/bin/jp2/convert.c ++++ b/src/bin/jp2/convert.c +@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters) + } + + fseek(f, 0, SEEK_SET); +- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1, ++ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1, + &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) { + fclose(f); + fprintf(stderr, diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14151.patch b/gnu/packages/patches/openjpeg-CVE-2017-14151.patch new file mode 100644 index 0000000000..4fcf6af6db --- /dev/null +++ b/gnu/packages/patches/openjpeg-CVE-2017-14151.patch @@ -0,0 +1,46 @@ +https://github.com/uclouvain/openjpeg/commit/afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch +http://openwall.com/lists/oss-security/2017/09/06/1 + +From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 14 Aug 2017 17:20:37 +0200 +Subject: [PATCH] Encoder: grow buffer size in + opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in + opj_mqc_flush (#982) + +--- + src/lib/openjp2/tcd.c | 7 +++++-- + tests/nonregression/test_suite.ctest.in | 2 ++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c +index 301c7213e..53cdcf64d 100644 +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t * + { + OPJ_UINT32 l_data_size; + +- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ +- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ ++ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ ++ /* TODO: is there a theoretical upper-bound for the compressed code */ ++ /* block size ? */ ++ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { +diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in +index aaf40d7d0..ffd964c2a 100644 +--- a/tests/nonregression/test_suite.ctest.in ++++ b/tests/nonregression/test_suite.ctest.in +@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban + # Same rate as Bretagne2_4.j2k + opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800 + ++opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1 ++ + # DECODER TEST SUITE + opj_decompress -i @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx + opj_decompress -i @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14152.patch b/gnu/packages/patches/openjpeg-CVE-2017-14152.patch new file mode 100644 index 0000000000..6c083be123 --- /dev/null +++ b/gnu/packages/patches/openjpeg-CVE-2017-14152.patch @@ -0,0 +1,38 @@ +https://github.com/uclouvain/openjpeg/commit/4241ae6fbbf1de9658764a80944dc8108f2b4154.patch +http://openwall.com/lists/oss-security/2017/09/06/2 + +From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 15 Aug 2017 11:55:58 +0200 +Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in + opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985) + +--- + src/lib/openjp2/j2k.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c +index a2521ebbc..54b490a8c 100644 +--- a/src/lib/openjp2/j2k.c ++++ b/src/lib/openjp2/j2k.c +@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters, + + /* Precincts */ + parameters->csty |= 0x01; +- parameters->res_spec = parameters->numresolution - 1; +- for (i = 0; i < parameters->res_spec; i++) { +- parameters->prcw_init[i] = 256; +- parameters->prch_init[i] = 256; ++ if (parameters->numresolution == 1) { ++ parameters->res_spec = 1; ++ parameters->prcw_init[0] = 128; ++ parameters->prch_init[0] = 128; ++ } else { ++ parameters->res_spec = parameters->numresolution - 1; ++ for (i = 0; i < parameters->res_spec; i++) { ++ parameters->prcw_init[i] = 256; ++ parameters->prch_init[i] = 256; ++ } + } + + /* The progression order shall be CPRL */ diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14164.patch b/gnu/packages/patches/openjpeg-CVE-2017-14164.patch new file mode 100644 index 0000000000..2bfc5a6a85 --- /dev/null +++ b/gnu/packages/patches/openjpeg-CVE-2017-14164.patch @@ -0,0 +1,89 @@ +https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a.patch +http://openwall.com/lists/oss-security/2017/09/06/3 + +From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Wed, 16 Aug 2017 17:09:10 +0200 +Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow + (#991) + +--- + src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c +index 54b490a8c..16915452e 100644 +--- a/src/lib/openjp2/j2k.c ++++ b/src/lib/openjp2/j2k.c +@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k, + * Writes the SOT marker (Start of tile-part) + * + * @param p_j2k J2K codec. +- * @param p_data FIXME DOC +- * @param p_data_written FIXME DOC ++ * @param p_data Output buffer ++ * @param p_total_data_size Output buffer size ++ * @param p_data_written Number of bytes written into stream + * @param p_stream the stream to write data to. + * @param p_manager the user event manager. + */ + static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k, + OPJ_BYTE * p_data, ++ OPJ_UINT32 p_total_data_size, + OPJ_UINT32 * p_data_written, + const opj_stream_private_t *p_stream, + opj_event_mgr_t * p_manager); +@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k, + + static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k, + OPJ_BYTE * p_data, ++ OPJ_UINT32 p_total_data_size, + OPJ_UINT32 * p_data_written, + const opj_stream_private_t *p_stream, + opj_event_mgr_t * p_manager +@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k, + OPJ_UNUSED(p_stream); + OPJ_UNUSED(p_manager); + ++ if (p_total_data_size < 12) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "Not enough bytes in output buffer to write SOT marker\n"); ++ return OPJ_FALSE; ++ } ++ + opj_write_bytes(p_data, J2K_MS_SOT, + 2); /* SOT */ + p_data += 2; +@@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k, + + l_current_nb_bytes_written = 0; + l_begin_data = p_data; +- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream, ++ if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size, ++ &l_current_nb_bytes_written, p_stream, + p_manager)) { + return OPJ_FALSE; + } +@@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k, + l_part_tile_size = 0; + l_begin_data = p_data; + +- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream, ++ if (! opj_j2k_write_sot(p_j2k, p_data, ++ p_total_data_size, ++ &l_current_nb_bytes_written, ++ p_stream, + p_manager)) { + return OPJ_FALSE; + } +@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k, + l_part_tile_size = 0; + l_begin_data = p_data; + +- if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream, ++ if (! opj_j2k_write_sot(p_j2k, p_data, ++ p_total_data_size, ++ &l_current_nb_bytes_written, p_stream, + p_manager)) { + return OPJ_FALSE; + } diff --git a/gnu/packages/patches/openocd-nrf52.patch b/gnu/packages/patches/openocd-nrf52.patch index 792575df78..0ec4348cb4 100644 --- a/gnu/packages/patches/openocd-nrf52.patch +++ b/gnu/packages/patches/openocd-nrf52.patch @@ -21,19 +21,19 @@ Signed-off-by: Michael Dietz <mjdietzx@gmail.com> --- diff --git a/src/flash/nor/Makefile.am b/src/flash/nor/Makefile.am -index c167e8f..b6a2be3 100644 +index 727e4f2..839667c 100644 --- a/src/flash/nor/Makefile.am +++ b/src/flash/nor/Makefile.am -@@ -37,6 +37,7 @@ NOR_DRIVERS = \ - niietcm4.c \ - non_cfi.c \ - nrf51.c \ -+ nrf52.c \ - numicro.c \ - ocl.c \ - pic32mx.c \ +@@ -36,6 +36,7 @@ NOR_DRIVERS = \ + %D%/niietcm4.c \ + %D%/non_cfi.c \ + %D%/nrf51.c \ ++ %D%/nrf52.c \ + %D%/numicro.c \ + %D%/ocl.c \ + %D%/pic32mx.c \ diff --git a/src/flash/nor/drivers.c b/src/flash/nor/drivers.c -index 56a5cb2..3e071bd 100644 +index 56a5cb2..071273e 100644 --- a/src/flash/nor/drivers.c +++ b/src/flash/nor/drivers.c @@ -48,6 +48,7 @@ extern struct flash_driver mdr_flash; @@ -48,7 +48,7 @@ index 56a5cb2..3e071bd 100644 &mrvlqspi_flash, &niietcm4_flash, &nrf51_flash, -+ &nrf52_flash, ++ &nrf52_flash, &numicro_flash, &ocl_flash, &pic32mx_flash, @@ -792,47 +792,31 @@ index 0000000..7f2bd35 + .protect_check = nrf52_protect_check, +}; diff --git a/tcl/target/nrf52.cfg b/tcl/target/nrf52.cfg -index c1cbf1a..a2567ff 100644 +index c1cbf1a..41a22ff 100644 --- a/tcl/target/nrf52.cfg +++ b/tcl/target/nrf52.cfg -@@ -5,15 +5,22 @@ - source [find target/swj-dp.tcl] +@@ -10,6 +10,13 @@ if { [info exists CHIPNAME] } { + set _CHIPNAME nrf52 + } - if { [info exists CHIPNAME] } { -- set _CHIPNAME $CHIPNAME -+ set _CHIPNAME $CHIPNAME - } else { -- set _CHIPNAME nrf52 -+ set _CHIPNAME nrf52 -+} -+ +# Work-area is a space in RAM used for flash programming, by default use 16kB. +if { [info exists WORKAREASIZE] } { -+ set _WORKAREASIZE $WORKAREASIZE ++ set _WORKAREASIZE $WORKAREASIZE +} else { -+ set _WORKAREASIZE 0x4000 - } - ++ set _WORKAREASIZE 0x4000 ++} ++ if { [info exists CPUTAPID] } { -- set _CPUTAPID $CPUTAPID -+ set _CPUTAPID $CPUTAPID + set _CPUTAPID $CPUTAPID } else { -- set _CPUTAPID 0x2ba01477 -+ set _CPUTAPID 0x2ba01477 - } - - swj_newdap $_CHIPNAME cpu -expected-id $_CPUTAPID -@@ -21,8 +28,15 @@ swj_newdap $_CHIPNAME cpu -expected-id $_CPUTAPID - set _TARGETNAME $_CHIPNAME.cpu +@@ -22,7 +29,15 @@ set _TARGETNAME $_CHIPNAME.cpu target create $_TARGETNAME cortex_m -chain-position $_TARGETNAME --adapter_khz 10000 + adapter_khz 10000 +$_TARGETNAME configure -work-area-phys 0x20000000 -work-area-size $_WORKAREASIZE -work-area-backup 0 --if { ![using_hla] } { -- cortex_m reset_config sysresetreq -+if {![using_hla]} { -+ cortex_m reset_config sysresetreq + if { ![using_hla] } { + cortex_m reset_config sysresetreq } + +flash bank $_CHIPNAME.flash nrf52 0x00000000 0 1 1 $_TARGETNAME diff --git a/gnu/packages/patches/perl-text-markdown-discount-use-system-markdown.patch b/gnu/packages/patches/perl-text-markdown-discount-use-system-markdown.patch new file mode 100644 index 0000000000..e0df632a04 --- /dev/null +++ b/gnu/packages/patches/perl-text-markdown-discount-use-system-markdown.patch @@ -0,0 +1,32 @@ +Description: Use the markdown library provided by the libmarkdown2 package. +Author: Alessandro Ghedini <al3xbio@gmail.com> +Origin: vendor +Forwarded: not-needed +Last-Update: 2012-01-01 + +--- a/Makefile.PL ++++ b/Makefile.PL +@@ -57,12 +57,6 @@ + + + +-sub MY::postamble { +- return sprintf(' +-$(MYEXTLIB): +- %s +-', qq{( cd $extdir; CC='cc -fPIC' sh configure.sh; make )\n}); +-} + + WriteMakefile( + NAME => 'Text::Markdown::Discount', +@@ -71,8 +65,6 @@ + ($] >= 5.005 ? + (ABSTRACT_FROM => 'lib/Text/Markdown/Discount.pm', + AUTHOR => 'Masayoshi Sekimura <sekimura@cpan.org>') : ()), +- LIBS => '-L' . $extdir, +- INC => '-I. -I' . $extdir, +- MYEXTLIB => $myextlib, +- clean => { FILES => $clean_files }, ++ LIBS => '-lmarkdown', ++ INC => '-I.', + ); diff --git a/gnu/packages/patches/python2-larch-coverage-4.0a6-compatibility.patch b/gnu/packages/patches/python2-larch-coverage-4.0a6-compatibility.patch new file mode 100644 index 0000000000..f1db5d7c3b --- /dev/null +++ b/gnu/packages/patches/python2-larch-coverage-4.0a6-compatibility.patch @@ -0,0 +1,29 @@ +From ca548da9ba78ddee90779051210e3e89185e4f7d Mon Sep 17 00:00:00 2001 +From: Michel Alexandre Salim <michel@michel-slm.name> +Date: Mon, 15 Feb 2016 23:03:42 +0700 +Subject: coverage-4.0a6 compatibility + +coverage 4.0a6 no longer generates .coverage file, so use -f when +deleting .coverage to ensure deletion does not fail. +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +(limited to 'Makefile') + +diff --git a/Makefile b/Makefile +index 7818f57..362c07f 100644 +--- a/Makefile ++++ b/Makefile +@@ -23,7 +23,7 @@ fsck-larch.1: fsck-larch.1.in fsck-larch + + check: + python -m CoverageTestRunner --ignore-missing-from=without-tests +- rm .coverage ++ rm -f .coverage + ./insert-remove-test tempdir 100 + rm -r tempdir larch.log + cmdtest tests +-- +cgit v1.1 + diff --git a/gnu/packages/patches/qemu-CVE-2017-10664.patch b/gnu/packages/patches/qemu-CVE-2017-10664.patch deleted file mode 100644 index 2b60de3dca..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-10664.patch +++ /dev/null @@ -1,27 +0,0 @@ -Fix CVE-2017-10664: - -https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.html -https://bugzilla.redhat.com/show_bug.cgi?id=1466190 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10664 -https://security-tracker.debian.org/tracker/CVE-2017-10664 - -Patch copied from upstream source repository: - -https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commitdiff;h=041e32b8d9d076980b4e35317c0339e57ab888f1 - -diff --git a/qemu-nbd.c b/qemu-nbd.c -index 9464a0461c..4dd3fd4732 100644 ---- a/qemu-nbd.c -+++ b/qemu-nbd.c -@@ -581,6 +581,10 @@ int main(int argc, char **argv) - sa_sigterm.sa_handler = termsig_handler; - sigaction(SIGTERM, &sa_sigterm, NULL); - -+#ifdef CONFIG_POSIX -+ signal(SIGPIPE, SIG_IGN); -+#endif -+ - module_call_init(MODULE_INIT_TRACE); - qcrypto_init(&error_fatal); - - diff --git a/gnu/packages/patches/qemu-CVE-2017-10806.patch b/gnu/packages/patches/qemu-CVE-2017-10806.patch deleted file mode 100644 index ebf782fe7b..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-10806.patch +++ /dev/null @@ -1,38 +0,0 @@ -Fix CVE-2017-10806: - -https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html -https://bugzilla.redhat.com/show_bug.cgi?id=1468496 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10806 -https://security-tracker.debian.org/tracker/CVE-2017-10806 - -Patch copied from upstream source repository: - -https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bd4a683505b27adc1ac809f71e918e58573d851d - -diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c -index b001a27f05..ad5ef783a6 100644 ---- a/hw/usb/redirect.c -+++ b/hw/usb/redirect.c -@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg) - static void usbredir_log_data(USBRedirDevice *dev, const char *desc, - const uint8_t *data, int len) - { -- int i, j, n; -- - if (dev->debug < usbredirparser_debug_data) { - return; - } -- -- for (i = 0; i < len; i += j) { -- char buf[128]; -- -- n = sprintf(buf, "%s", desc); -- for (j = 0; j < 8 && i + j < len; j++) { -- n += sprintf(buf + n, " %02X", data[i + j]); -- } -- error_report("%s", buf); -- } -+ qemu_hexdump((char *)data, stderr, desc, len); - } - - /* diff --git a/gnu/packages/patches/qemu-CVE-2017-10911.patch b/gnu/packages/patches/qemu-CVE-2017-10911.patch deleted file mode 100644 index 1dcb860a2d..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-10911.patch +++ /dev/null @@ -1,106 +0,0 @@ -Fix CVE-2017-10911: - -https://xenbits.xen.org/xsa/advisory-216.html -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911 -https://security-tracker.debian.org/tracker/CVE-2017-10911 - -Patch copied from Xen Security Advisory: - -https://xenbits.xen.org/xsa/xsa216-qemuu.patch - ---- a/hw/block/xen_blkif.h -+++ b/hw/block/xen_blkif.h -@@ -14,9 +14,6 @@ - struct blkif_common_request { - char dummy; - }; --struct blkif_common_response { -- char dummy; --}; - - /* i386 protocol version */ - #pragma pack(push, 4) -@@ -36,13 +33,7 @@ struct blkif_x86_32_request_discard { - blkif_sector_t sector_number; /* start sector idx on disk (r/w only) */ - uint64_t nr_sectors; /* # of contiguous sectors to discard */ - }; --struct blkif_x86_32_response { -- uint64_t id; /* copied from request */ -- uint8_t operation; /* copied from request */ -- int16_t status; /* BLKIF_RSP_??? */ --}; - typedef struct blkif_x86_32_request blkif_x86_32_request_t; --typedef struct blkif_x86_32_response blkif_x86_32_response_t; - #pragma pack(pop) - - /* x86_64 protocol version */ -@@ -62,20 +53,14 @@ struct blkif_x86_64_request_discard { - blkif_sector_t sector_number; /* start sector idx on disk (r/w only) */ - uint64_t nr_sectors; /* # of contiguous sectors to discard */ - }; --struct blkif_x86_64_response { -- uint64_t __attribute__((__aligned__(8))) id; -- uint8_t operation; /* copied from request */ -- int16_t status; /* BLKIF_RSP_??? */ --}; - typedef struct blkif_x86_64_request blkif_x86_64_request_t; --typedef struct blkif_x86_64_response blkif_x86_64_response_t; - - DEFINE_RING_TYPES(blkif_common, struct blkif_common_request, -- struct blkif_common_response); -+ struct blkif_response); - DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request, -- struct blkif_x86_32_response); -+ struct blkif_response QEMU_PACKED); - DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request, -- struct blkif_x86_64_response); -+ struct blkif_response); - - union blkif_back_rings { - blkif_back_ring_t native; ---- a/hw/block/xen_disk.c -+++ b/hw/block/xen_disk.c -@@ -769,31 +769,30 @@ static int blk_send_response_one(struct - struct XenBlkDev *blkdev = ioreq->blkdev; - int send_notify = 0; - int have_requests = 0; -- blkif_response_t resp; -- void *dst; -- -- resp.id = ioreq->req.id; -- resp.operation = ioreq->req.operation; -- resp.status = ioreq->status; -+ blkif_response_t *resp; - - /* Place on the response ring for the relevant domain. */ - switch (blkdev->protocol) { - case BLKIF_PROTOCOL_NATIVE: -- dst = RING_GET_RESPONSE(&blkdev->rings.native, blkdev->rings.native.rsp_prod_pvt); -+ resp = RING_GET_RESPONSE(&blkdev->rings.native, -+ blkdev->rings.native.rsp_prod_pvt); - break; - case BLKIF_PROTOCOL_X86_32: -- dst = RING_GET_RESPONSE(&blkdev->rings.x86_32_part, -- blkdev->rings.x86_32_part.rsp_prod_pvt); -+ resp = RING_GET_RESPONSE(&blkdev->rings.x86_32_part, -+ blkdev->rings.x86_32_part.rsp_prod_pvt); - break; - case BLKIF_PROTOCOL_X86_64: -- dst = RING_GET_RESPONSE(&blkdev->rings.x86_64_part, -- blkdev->rings.x86_64_part.rsp_prod_pvt); -+ resp = RING_GET_RESPONSE(&blkdev->rings.x86_64_part, -+ blkdev->rings.x86_64_part.rsp_prod_pvt); - break; - default: -- dst = NULL; - return 0; - } -- memcpy(dst, &resp, sizeof(resp)); -+ -+ resp->id = ioreq->req.id; -+ resp->operation = ioreq->req.operation; -+ resp->status = ioreq->status; -+ - blkdev->rings.common.rsp_prod_pvt++; - - RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blkdev->rings.common, send_notify); diff --git a/gnu/packages/patches/qemu-CVE-2017-11334.patch b/gnu/packages/patches/qemu-CVE-2017-11334.patch deleted file mode 100644 index cb68c803aa..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-11334.patch +++ /dev/null @@ -1,52 +0,0 @@ -Fix CVE-2017-11334: - -https://bugzilla.redhat.com/show_bug.cgi?id=1471638 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11334 - -Patch copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=04bf2526ce87f21b32c9acba1c5518708c243ad0 - -From 04bf2526ce87f21b32c9acba1c5518708c243ad0 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Wed, 12 Jul 2017 18:08:40 +0530 -Subject: [PATCH] exec: use qemu_ram_ptr_length to access guest ram - -When accessing guest's ram block during DMA operation, use -'qemu_ram_ptr_length' to get ram block pointer. It ensures -that DMA operation of given length is possible; And avoids -any OOB memory access situations. - -Reported-by: Alex <broscutamaker@gmail.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Message-Id: <20170712123840.29328-1-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - exec.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/exec.c b/exec.c -index a083ff89ad..ad103ce483 100644 ---- a/exec.c -+++ b/exec.c -@@ -2929,7 +2929,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr, - } - } else { - /* RAM case */ -- ptr = qemu_map_ram_ptr(mr->ram_block, addr1); -+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); - memcpy(ptr, buf, l); - invalidate_and_set_dirty(mr, addr1, l); - } -@@ -3020,7 +3020,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr, - } - } else { - /* RAM case */ -- ptr = qemu_map_ram_ptr(mr->ram_block, addr1); -+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); - memcpy(buf, ptr, l); - } - --- -2.13.3 - diff --git a/gnu/packages/patches/qemu-CVE-2017-11434.patch b/gnu/packages/patches/qemu-CVE-2017-11434.patch deleted file mode 100644 index 4da701a73d..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-11434.patch +++ /dev/null @@ -1,25 +0,0 @@ -Fix CVE-2017-11434: - -https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html -https://bugzilla.redhat.com/show_bug.cgi?id=1472611 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11434 -https://security-tracker.debian.org/tracker/CVE-2017-11434 - -Patch copied from upstream source repository: - -https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=413d463f43fbc4dd3a601e80a5724aa384a265a0 - -diff --git a/slirp/bootp.c b/slirp/bootp.c -index 5a4646c182..5dd1a415b5 100644 ---- a/slirp/bootp.c -+++ b/slirp/bootp.c -@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, - if (p >= p_end) - break; - len = *p++; -+ if (p + len > p_end) { -+ break; -+ } - DPRINTF("dhcp: tag=%d len=%d\n", tag, len); - - switch(tag) { diff --git a/gnu/packages/patches/qemu-CVE-2017-12809.patch b/gnu/packages/patches/qemu-CVE-2017-12809.patch deleted file mode 100644 index e40a14b4e0..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-12809.patch +++ /dev/null @@ -1,38 +0,0 @@ -http://openwall.com/lists/oss-security/2017/08/21/2 -https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg01850.html - -The block backend changed in a way that flushing empty CDROM drives now -crashes. Amend IDE to avoid doing so until the root problem can be -addressed for 2.11. - -Original patch by John Snow <address@hidden>. - -Reported-by: Kieron Shorrock <address@hidden> -Signed-off-by: Stefan Hajnoczi <address@hidden> ---- - hw/ide/core.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/hw/ide/core.c b/hw/ide/core.c -index 0b48b64d3a..bea39536b0 100644 ---- a/hw/ide/core.c -+++ b/hw/ide/core.c -@@ -1063,7 +1063,15 @@ static void ide_flush_cache(IDEState *s) - s->status |= BUSY_STAT; - ide_set_retry(s); - block_acct_start(blk_get_stats(s->blk), &s->acct, 0, BLOCK_ACCT_FLUSH); -- s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s); -+ -+ if (blk_bs(s->blk)) { -+ s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s); -+ } else { -+ /* XXX blk_aio_flush() crashes when blk_bs(blk) is NULL, remove this -+ * temporary workaround when blk_aio_*() functions handle NULL blk_bs. -+ */ -+ ide_flush_cb(s, 0); -+ } - } - - static void ide_cfata_metadata_inquiry(IDEState *s) --- -2.13.3 diff --git a/gnu/packages/patches/qemu-CVE-2017-13711.patch b/gnu/packages/patches/qemu-CVE-2017-13711.patch new file mode 100644 index 0000000000..4070115419 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-13711.patch @@ -0,0 +1,89 @@ +Fix CVE-2017-13711: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13711 + +Patch copied from upstream source repository: + +https://git.qemu.org/?p=qemu.git;a=commitdiff;h=1201d308519f1e915866d7583d5136d03cc1d384 + +From 1201d308519f1e915866d7583d5136d03cc1d384 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault <samuel.thibault@ens-lyon.org> +Date: Fri, 25 Aug 2017 01:35:53 +0200 +Subject: [PATCH] slirp: fix clearing ifq_so from pending packets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The if_fastq and if_batchq contain not only packets, but queues of packets +for the same socket. When sofree frees a socket, it thus has to clear ifq_so +from all the packets from the queues, not only the first. + +Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> +Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Cc: qemu-stable@nongnu.org +Signed-off-by: Peter Maydell <peter.maydell@linaro.org> +--- + slirp/socket.c | 39 +++++++++++++++++++++++---------------- + 1 file changed, 23 insertions(+), 16 deletions(-) + +diff --git a/slirp/socket.c b/slirp/socket.c +index ecec0295a9..cb7b5b608d 100644 +--- a/slirp/socket.c ++++ b/slirp/socket.c +@@ -59,6 +59,27 @@ socreate(Slirp *slirp) + return(so); + } + ++/* ++ * Remove references to so from the given message queue. ++ */ ++static void ++soqfree(struct socket *so, struct quehead *qh) ++{ ++ struct mbuf *ifq; ++ ++ for (ifq = (struct mbuf *) qh->qh_link; ++ (struct quehead *) ifq != qh; ++ ifq = ifq->ifq_next) { ++ if (ifq->ifq_so == so) { ++ struct mbuf *ifm; ++ ifq->ifq_so = NULL; ++ for (ifm = ifq->ifs_next; ifm != ifq; ifm = ifm->ifs_next) { ++ ifm->ifq_so = NULL; ++ } ++ } ++ } ++} ++ + /* + * remque and free a socket, clobber cache + */ +@@ -66,23 +87,9 @@ void + sofree(struct socket *so) + { + Slirp *slirp = so->slirp; +- struct mbuf *ifm; + +- for (ifm = (struct mbuf *) slirp->if_fastq.qh_link; +- (struct quehead *) ifm != &slirp->if_fastq; +- ifm = ifm->ifq_next) { +- if (ifm->ifq_so == so) { +- ifm->ifq_so = NULL; +- } +- } +- +- for (ifm = (struct mbuf *) slirp->if_batchq.qh_link; +- (struct quehead *) ifm != &slirp->if_batchq; +- ifm = ifm->ifq_next) { +- if (ifm->ifq_so == so) { +- ifm->ifq_so = NULL; +- } +- } ++ soqfree(so, &slirp->if_fastq); ++ soqfree(so, &slirp->if_batchq); + + if (so->so_emu==EMU_RSH && so->extra) { + sofree(so->extra); +-- +2.14.1 + diff --git a/gnu/packages/patches/qemu-CVE-2017-14167.patch b/gnu/packages/patches/qemu-CVE-2017-14167.patch new file mode 100644 index 0000000000..a6007ac082 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-14167.patch @@ -0,0 +1,69 @@ +Fix CVE-2017-14167: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14167 +http://seclists.org/oss-sec/2017/q3/407 + +Patch copied from upstream development mailing list: + +https://lists.nongnu.org/archive/html/qemu-devel/2017-09/msg01483.html + +From: Prasad J Pandit <address@hidden> + +While loading kernel via multiboot-v1 image, (flags & 0x00010000) +indicates that multiboot header contains valid addresses to load +the kernel image. These addresses are used to compute kernel +size and kernel text offset in the OS image. Validate these +address values to avoid an OOB access issue. + +This is CVE-2017-14167. + +Reported-by: Thomas Garnier <address@hidden> +Signed-off-by: Prasad J Pandit <address@hidden> +--- + hw/i386/multiboot.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +Update: add CVE-ID to the commit message. + +diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c +index 6001f4caa2..c7b70c91d5 100644 +--- a/hw/i386/multiboot.c ++++ b/hw/i386/multiboot.c +@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg, + uint32_t mh_header_addr = ldl_p(header+i+12); + uint32_t mh_load_end_addr = ldl_p(header+i+20); + uint32_t mh_bss_end_addr = ldl_p(header+i+24); ++ + mh_load_addr = ldl_p(header+i+16); ++ if (mh_header_addr < mh_load_addr) { ++ fprintf(stderr, "invalid mh_load_addr address\n"); ++ exit(1); ++ } ++ + uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr); + uint32_t mb_load_size = 0; + mh_entry_addr = ldl_p(header+i+28); + + if (mh_load_end_addr) { ++ if (mh_bss_end_addr < mh_load_addr) { ++ fprintf(stderr, "invalid mh_bss_end_addr address\n"); ++ exit(1); ++ } + mb_kernel_size = mh_bss_end_addr - mh_load_addr; ++ ++ if (mh_load_end_addr < mh_load_addr) { ++ fprintf(stderr, "invalid mh_load_end_addr address\n"); ++ exit(1); ++ } + mb_load_size = mh_load_end_addr - mh_load_addr; + } else { ++ if (kernel_file_size < mb_kernel_text_offset) { ++ fprintf(stderr, "invalid kernel_file_size\n"); ++ exit(1); ++ } + mb_kernel_size = kernel_file_size - mb_kernel_text_offset; + mb_load_size = mb_kernel_size; + } +-- +2.13.5 + diff --git a/gnu/packages/patches/qemu-CVE-2017-7493.patch b/gnu/packages/patches/qemu-CVE-2017-7493.patch deleted file mode 100644 index 67b26fad81..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-7493.patch +++ /dev/null @@ -1,182 +0,0 @@ -Fix CVE-2017-7493: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7493 - -Patch copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commit;h=7a95434e0ca8a037fd8aa1a2e2461f92585eb77b - -From 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b Mon Sep 17 00:00:00 2001 -From: Greg Kurz <groug@kaod.org> -Date: Fri, 5 May 2017 14:48:08 +0200 -Subject: [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493) - -When using the mapped-file security mode, we shouldn't let the client mess -with the metadata. The current code already tries to hide the metadata dir -from the client by skipping it in local_readdir(). But the client can still -access or modify it through several other operations. This can be used to -escalate privileges in the guest. - -Affected backend operations are: -- local_mknod() -- local_mkdir() -- local_open2() -- local_symlink() -- local_link() -- local_unlinkat() -- local_renameat() -- local_rename() -- local_name_to_path() - -Other operations are safe because they are only passed a fid path, which -is computed internally in local_name_to_path(). - -This patch converts all the functions listed above to fail and return -EINVAL when being passed the name of the metadata dir. This may look -like a poor choice for errno, but there's no such thing as an illegal -path name on Linux and I could not think of anything better. - -This fixes CVE-2017-7493. - -Reported-by: Leo Gaspard <leo@gaspard.io> -Signed-off-by: Greg Kurz <groug@kaod.org> -Reviewed-by: Eric Blake <eblake@redhat.com> ---- - hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 56 insertions(+), 2 deletions(-) - -diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c -index f3ebca4f7a..a2486566af 100644 ---- a/hw/9pfs/9p-local.c -+++ b/hw/9pfs/9p-local.c -@@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs) - return telldir(fs->dir.stream); - } - -+static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name) -+{ -+ return !strcmp(name, VIRTFS_META_DIR); -+} -+ - static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs) - { - struct dirent *entry; -@@ -465,8 +470,8 @@ again: - if (ctx->export_flags & V9FS_SM_MAPPED) { - entry->d_type = DT_UNKNOWN; - } else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { -- if (!strcmp(entry->d_name, VIRTFS_META_DIR)) { -- /* skp the meta data directory */ -+ if (local_is_mapped_file_metadata(ctx, entry->d_name)) { -+ /* skip the meta data directory */ - goto again; - } - entry->d_type = DT_UNKNOWN; -@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path, - int err = -1; - int dirfd; - -+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(fs_ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); - if (dirfd == -1) { - return -1; -@@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, - int err = -1; - int dirfd; - -+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(fs_ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); - if (dirfd == -1) { - return -1; -@@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, - int err = -1; - int dirfd; - -+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(fs_ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - /* - * Mark all the open to not follow symlinks - */ -@@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath, - int err = -1; - int dirfd; - -+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(fs_ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); - if (dirfd == -1) { - return -1; -@@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath, - int ret = -1; - int odirfd, ndirfd; - -+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - odirfd = local_opendir_nofollow(ctx, odirpath); - if (odirfd == -1) { - goto out; -@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path, - static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path, - const char *name, V9fsPath *target) - { -+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - if (dir_path) { - v9fs_path_sprintf(target, "%s/%s", dir_path->data, name); - } else if (strcmp(name, "/")) { -@@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir, - int ret; - int odirfd, ndirfd; - -+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ (local_is_mapped_file_metadata(ctx, old_name) || -+ local_is_mapped_file_metadata(ctx, new_name))) { -+ errno = EINVAL; -+ return -1; -+ } -+ - odirfd = local_opendir_nofollow(ctx, olddir->data); - if (odirfd == -1) { - return -1; -@@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir, - int ret; - int dirfd; - -+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && -+ local_is_mapped_file_metadata(ctx, name)) { -+ errno = EINVAL; -+ return -1; -+ } -+ - dirfd = local_opendir_nofollow(ctx, dir->data); - if (dirfd == -1) { - return -1; --- -2.13.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-8112.patch b/gnu/packages/patches/qemu-CVE-2017-8112.patch deleted file mode 100644 index 88b33aa2f0..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-8112.patch +++ /dev/null @@ -1,41 +0,0 @@ -Fix CVE-2017-8112: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8112 - -Patch copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=f68826989cd4d1217797251339579c57b3c0934e - -From f68826989cd4d1217797251339579c57b3c0934e Mon Sep 17 00:00:00 2001 -From: P J P <ppandit@redhat.com> -Date: Tue, 25 Apr 2017 18:36:23 +0530 -Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation - -A guest could set the message ring page count to zero, resulting in -infinite loop. Add check to avoid it. - -Reported-by: YY Z <bigbird475958471@gmail.com> -Signed-off-by: P J P <ppandit@redhat.com> -Message-Id: <20170425130623.3649-1-ppandit@redhat.com> -Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - hw/scsi/vmw_pvscsi.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index 75575461e2..4a106da856 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) - uint32_t len_log2; - uint32_t ring_size; - -- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { -+ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { - return -1; - } - ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE; --- -2.13.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-8309.patch b/gnu/packages/patches/qemu-CVE-2017-8309.patch deleted file mode 100644 index dc4b4006b7..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-8309.patch +++ /dev/null @@ -1,46 +0,0 @@ -Fix CVE-2017-8309: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8309 - -Patch copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3268a845f41253fb55852a8429c32b50f36f349a - -From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Fri, 28 Apr 2017 09:56:12 +0200 -Subject: [PATCH] audio: release capture buffers - -AUD_add_capture() allocates two buffers which are never released. -Add the missing calls to AUD_del_capture(). - -Impact: Allows vnc clients to exhaust host memory by repeatedly -starting and stopping audio capture. - -Fixes: CVE-2017-8309 -Cc: P J P <ppandit@redhat.com> -Cc: Huawei PSIRT <PSIRT@huawei.com> -Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> -Message-id: 20170428075612.9997-1-kraxel@redhat.com ---- - audio/audio.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/audio/audio.c b/audio/audio.c -index c8898d8422..beafed209b 100644 ---- a/audio/audio.c -+++ b/audio/audio.c -@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque) - sw = sw1; - } - QLIST_REMOVE (cap, entries); -+ g_free (cap->hw.mix_buf); -+ g_free (cap->buf); - g_free (cap); - } - return; --- -2.13.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-8379.patch b/gnu/packages/patches/qemu-CVE-2017-8379.patch deleted file mode 100644 index 200b133d3e..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-8379.patch +++ /dev/null @@ -1,98 +0,0 @@ -Fix CVE-2017-8379: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8379 - -Patch copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=fa18f36a461984eae50ab957e47ec78dae3c14fc - -From fa18f36a461984eae50ab957e47ec78dae3c14fc Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Fri, 28 Apr 2017 10:42:37 +0200 -Subject: [PATCH] input: limit kbd queue depth - -Apply a limit to the number of items we accept into the keyboard queue. - -Impact: Without this limit vnc clients can exhaust host memory by -sending keyboard events faster than qemu feeds them to the guest. - -Fixes: CVE-2017-8379 -Cc: P J P <ppandit@redhat.com> -Cc: Huawei PSIRT <PSIRT@huawei.com> -Reported-by: jiangxin1@huawei.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Message-id: 20170428084237.23960-1-kraxel@redhat.com ---- - ui/input.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/ui/input.c b/ui/input.c -index ed88cda6d6..fb1f404095 100644 ---- a/ui/input.c -+++ b/ui/input.c -@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue = - QTAILQ_HEAD_INITIALIZER(kbd_queue); - static QEMUTimer *kbd_timer; - static uint32_t kbd_default_delay_ms = 10; -+static uint32_t queue_count; -+static uint32_t queue_limit = 1024; - - QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev, - QemuInputHandler *handler) -@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque) - break; - } - QTAILQ_REMOVE(queue, item, node); -+ queue_count--; - g_free(item); - } - } -@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue, - item->delay_ms = delay_ms; - item->timer = timer; - QTAILQ_INSERT_TAIL(queue, item, node); -+ queue_count++; - - if (start_timer) { - timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) -@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue, - item->src = src; - item->evt = evt; - QTAILQ_INSERT_TAIL(queue, item, node); -+ queue_count++; - } - - static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) -@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) - - item->type = QEMU_INPUT_QUEUE_SYNC; - QTAILQ_INSERT_TAIL(queue, item, node); -+ queue_count++; - } - - void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt) -@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down) - qemu_input_event_send(src, evt); - qemu_input_event_sync(); - qapi_free_InputEvent(evt); -- } else { -+ } else if (queue_count < queue_limit) { - qemu_input_queue_event(&kbd_queue, src, evt); - qemu_input_queue_sync(&kbd_queue); - } -@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms) - kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process, - &kbd_queue); - } -- qemu_input_queue_delay(&kbd_queue, kbd_timer, -- delay_ms ? delay_ms : kbd_default_delay_ms); -+ if (queue_count < queue_limit) { -+ qemu_input_queue_delay(&kbd_queue, kbd_timer, -+ delay_ms ? delay_ms : kbd_default_delay_ms); -+ } - } - - InputEvent *qemu_input_event_new_btn(InputButton btn, bool down) --- -2.13.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-8380.patch b/gnu/packages/patches/qemu-CVE-2017-8380.patch deleted file mode 100644 index 65e49fc885..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-8380.patch +++ /dev/null @@ -1,53 +0,0 @@ -Fix CVE-2017-8380: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8380 - -Patch copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f - -From 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Mon, 24 Apr 2017 17:36:34 +0530 -Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write - -While reading magic sequence(MFI_SEQ) in megasas_mmio_write, -an off-by-one error could occur as 's->adp_reset' index is not -reset after reading the last sequence. - -Reported-by: YY Z <bigbird475958471@gmail.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Message-Id: <20170424120634.12268-1-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - hw/scsi/megasas.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 84b8caf901..804122ab05 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr, - case MFI_SEQ: - trace_megasas_mmio_writel("MFI_SEQ", val); - /* Magic sequence to start ADP reset */ -- if (adp_reset_seq[s->adp_reset] == val) { -- s->adp_reset++; -+ if (adp_reset_seq[s->adp_reset++] == val) { -+ if (s->adp_reset == 6) { -+ s->adp_reset = 0; -+ s->diag = MFI_DIAG_WRITE_ENABLE; -+ } - } else { - s->adp_reset = 0; - s->diag = 0; - } -- if (s->adp_reset == 6) { -- s->diag = MFI_DIAG_WRITE_ENABLE; -- } - break; - case MFI_DIAG: - trace_megasas_mmio_writel("MFI_DIAG", val); --- -2.13.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-9524.patch b/gnu/packages/patches/qemu-CVE-2017-9524.patch deleted file mode 100644 index 57160055e3..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-9524.patch +++ /dev/null @@ -1,287 +0,0 @@ -Fix CVE-2017-9524: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9524 -http://seclists.org/oss-sec/2017/q2/454 - -Patches copied from upstream source repository: - -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af -http://git.qemu.org/?p=qemu.git;a=commitdiff;h=0c9390d978cbf61e8f16c9f580fa96b305c43568 - -From df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af Mon Sep 17 00:00:00 2001 -From: Eric Blake <eblake@redhat.com> -Date: Fri, 26 May 2017 22:04:21 -0500 -Subject: [PATCH] nbd: Fully initialize client in case of failed negotiation - -If a non-NBD client connects to qemu-nbd, we would end up with -a SIGSEGV in nbd_client_put() because we were trying to -unregister the client's association to the export, even though -we skipped inserting the client into that list. Easy trigger -in two terminals: - -$ qemu-nbd -p 30001 --format=raw file -$ nmap 127.0.0.1 -p 30001 - -nmap claims that it thinks it connected to a pago-services1 -server (which probably means nmap could be updated to learn the -NBD protocol and give a more accurate diagnosis of the open -port - but that's not our problem), then terminates immediately, -so our call to nbd_negotiate() fails. The fix is to reorder -nbd_co_client_start() to ensure that all initialization occurs -before we ever try talking to a client in nbd_negotiate(), so -that the teardown sequence on negotiation failure doesn't fault -while dereferencing a half-initialized object. - -While debugging this, I also noticed that nbd_update_server_watch() -called by nbd_client_closed() was still adding a channel to accept -the next client, even when the state was no longer RUNNING. That -is fixed by making nbd_can_accept() pay attention to the current -state. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614 - -Signed-off-by: Eric Blake <eblake@redhat.com> -Message-Id: <20170527030421.28366-1-eblake@redhat.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - nbd/server.c | 8 +++----- - qemu-nbd.c | 2 +- - 2 files changed, 4 insertions(+), 6 deletions(-) - -diff --git a/nbd/server.c b/nbd/server.c -index ee59e5d234..49b55f6ede 100644 ---- a/nbd/server.c -+++ b/nbd/server.c -@@ -1358,16 +1358,14 @@ static coroutine_fn void nbd_co_client_start(void *opaque) - - if (exp) { - nbd_export_get(exp); -+ QTAILQ_INSERT_TAIL(&exp->clients, client, next); - } -+ qemu_co_mutex_init(&client->send_lock); -+ - if (nbd_negotiate(data)) { - client_close(client); - goto out; - } -- qemu_co_mutex_init(&client->send_lock); -- -- if (exp) { -- QTAILQ_INSERT_TAIL(&exp->clients, client, next); -- } - - nbd_client_receive_next_request(client); - -diff --git a/qemu-nbd.c b/qemu-nbd.c -index f60842fd86..651f85ecc1 100644 ---- a/qemu-nbd.c -+++ b/qemu-nbd.c -@@ -325,7 +325,7 @@ out: - - static int nbd_can_accept(void) - { -- return nb_fds < shared; -+ return state == RUNNING && nb_fds < shared; - } - - static void nbd_export_closed(NBDExport *exp) --- -2.13.1 - -From 0c9390d978cbf61e8f16c9f580fa96b305c43568 Mon Sep 17 00:00:00 2001 -From: Eric Blake <eblake@redhat.com> -Date: Thu, 8 Jun 2017 17:26:17 -0500 -Subject: [PATCH] nbd: Fix regression on resiliency to port scan - -Back in qemu 2.5, qemu-nbd was immune to port probes (a transient -server would not quit, regardless of how many probe connections -came and went, until a connection actually negotiated). But we -broke that in commit ee7d7aa when removing the return value to -nbd_client_new(), although that patch also introduced a bug causing -an assertion failure on a client that fails negotiation. We then -made it worse during refactoring in commit 1a6245a (a segfault -before we could even assert); the (masked) assertion was cleaned -up in d3780c2 (still in 2.6), and just recently we finally fixed -the segfault ("nbd: Fully intialize client in case of failed -negotiation"). But that still means that ever since we added -TLS support to qemu-nbd, we have been vulnerable to an ill-timed -port-scan being able to cause a denial of service by taking down -qemu-nbd before a real client has a chance to connect. - -Since negotiation is now handled asynchronously via coroutines, -we no longer have a synchronous point of return by re-adding a -return value to nbd_client_new(). So this patch instead wires -things up to pass the negotiation status through the close_fn -callback function. - -Simple test across two terminals: -$ qemu-nbd -f raw -p 30001 file -$ nmap 127.0.0.1 -p 30001 && \ - qemu-io -c 'r 0 512' -f raw nbd://localhost:30001 - -Note that this patch does not change what constitutes successful -negotiation (thus, a client must enter transmission phase before -that client can be considered as a reason to terminate the server -when the connection ends). Perhaps we may want to tweak things -in a later patch to also treat a client that uses NBD_OPT_ABORT -as being a 'successful' negotiation (the client correctly talked -the NBD protocol, and informed us it was not going to use our -export after all), but that's a discussion for another day. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614 - -Signed-off-by: Eric Blake <eblake@redhat.com> -Message-Id: <20170608222617.20376-1-eblake@redhat.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - blockdev-nbd.c | 6 +++++- - include/block/nbd.h | 2 +- - nbd/server.c | 24 +++++++++++++++--------- - qemu-nbd.c | 4 ++-- - 4 files changed, 23 insertions(+), 13 deletions(-) - -diff --git a/blockdev-nbd.c b/blockdev-nbd.c -index dd0860f4a6..28f551a7b0 100644 ---- a/blockdev-nbd.c -+++ b/blockdev-nbd.c -@@ -27,6 +27,10 @@ typedef struct NBDServerData { - - static NBDServerData *nbd_server; - -+static void nbd_blockdev_client_closed(NBDClient *client, bool ignored) -+{ -+ nbd_client_put(client); -+} - - static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition, - gpointer opaque) -@@ -46,7 +50,7 @@ static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition, - qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server"); - nbd_client_new(NULL, cioc, - nbd_server->tlscreds, NULL, -- nbd_client_put); -+ nbd_blockdev_client_closed); - object_unref(OBJECT(cioc)); - return TRUE; - } -diff --git a/include/block/nbd.h b/include/block/nbd.h -index 416257abca..8fa5ce51f3 100644 ---- a/include/block/nbd.h -+++ b/include/block/nbd.h -@@ -162,7 +162,7 @@ void nbd_client_new(NBDExport *exp, - QIOChannelSocket *sioc, - QCryptoTLSCreds *tlscreds, - const char *tlsaclname, -- void (*close)(NBDClient *)); -+ void (*close_fn)(NBDClient *, bool)); - void nbd_client_get(NBDClient *client); - void nbd_client_put(NBDClient *client); - -diff --git a/nbd/server.c b/nbd/server.c -index 49b55f6ede..f2b1aa47ce 100644 ---- a/nbd/server.c -+++ b/nbd/server.c -@@ -81,7 +81,7 @@ static QTAILQ_HEAD(, NBDExport) exports = QTAILQ_HEAD_INITIALIZER(exports); - - struct NBDClient { - int refcount; -- void (*close)(NBDClient *client); -+ void (*close_fn)(NBDClient *client, bool negotiated); - - bool no_zeroes; - NBDExport *exp; -@@ -778,7 +778,7 @@ void nbd_client_put(NBDClient *client) - } - } - --static void client_close(NBDClient *client) -+static void client_close(NBDClient *client, bool negotiated) - { - if (client->closing) { - return; -@@ -793,8 +793,8 @@ static void client_close(NBDClient *client) - NULL); - - /* Also tell the client, so that they release their reference. */ -- if (client->close) { -- client->close(client); -+ if (client->close_fn) { -+ client->close_fn(client, negotiated); - } - } - -@@ -975,7 +975,7 @@ void nbd_export_close(NBDExport *exp) - - nbd_export_get(exp); - QTAILQ_FOREACH_SAFE(client, &exp->clients, next, next) { -- client_close(client); -+ client_close(client, true); - } - nbd_export_set_name(exp, NULL); - nbd_export_set_description(exp, NULL); -@@ -1337,7 +1337,7 @@ done: - - out: - nbd_request_put(req); -- client_close(client); -+ client_close(client, true); - nbd_client_put(client); - } - -@@ -1363,7 +1363,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque) - qemu_co_mutex_init(&client->send_lock); - - if (nbd_negotiate(data)) { -- client_close(client); -+ client_close(client, false); - goto out; - } - -@@ -1373,11 +1373,17 @@ out: - g_free(data); - } - -+/* -+ * Create a new client listener on the given export @exp, using the -+ * given channel @sioc. Begin servicing it in a coroutine. When the -+ * connection closes, call @close_fn with an indication of whether the -+ * client completed negotiation. -+ */ - void nbd_client_new(NBDExport *exp, - QIOChannelSocket *sioc, - QCryptoTLSCreds *tlscreds, - const char *tlsaclname, -- void (*close_fn)(NBDClient *)) -+ void (*close_fn)(NBDClient *, bool)) - { - NBDClient *client; - NBDClientNewData *data = g_new(NBDClientNewData, 1); -@@ -1394,7 +1400,7 @@ void nbd_client_new(NBDExport *exp, - object_ref(OBJECT(client->sioc)); - client->ioc = QIO_CHANNEL(sioc); - object_ref(OBJECT(client->ioc)); -- client->close = close_fn; -+ client->close_fn = close_fn; - - data->client = client; - data->co = qemu_coroutine_create(nbd_co_client_start, data); -diff --git a/qemu-nbd.c b/qemu-nbd.c -index 651f85ecc1..9464a0461c 100644 ---- a/qemu-nbd.c -+++ b/qemu-nbd.c -@@ -336,10 +336,10 @@ static void nbd_export_closed(NBDExport *exp) - - static void nbd_update_server_watch(void); - --static void nbd_client_closed(NBDClient *client) -+static void nbd_client_closed(NBDClient *client, bool negotiated) - { - nb_fds--; -- if (nb_fds == 0 && !persistent && state == RUNNING) { -+ if (negotiated && nb_fds == 0 && !persistent && state == RUNNING) { - state = TERMINATE; - } - nbd_update_server_watch(); --- -2.13.1 - diff --git a/gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch b/gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch index 51d6c3e791..fd12ba4ce1 100644 --- a/gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch +++ b/gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch @@ -1,4 +1,4 @@ -This patch comes from Debian and was modified by Kei Kebreau <kei@openmailbox.org>. +This patch comes from Debian and was modified by Kei Kebreau <kkebreau@posteo.net>. Link: https://anonscm.debian.org/cgit/pkg-wmaker/wmfire.git/plain/debian/patches/gdk_updates.patch?h=debian/1.2.4-2&id=a272234fc5eecdbfc469adb12133196bc62f3059 Description: Update for newer versions of GDK. |