diff options
Diffstat (limited to 'gnu/packages/patches')
46 files changed, 2843 insertions, 255 deletions
diff --git a/gnu/packages/patches/bluez-tests.patch b/gnu/packages/patches/bluez-tests.patch new file mode 100644 index 0000000000..608ded9be2 --- /dev/null +++ b/gnu/packages/patches/bluez-tests.patch @@ -0,0 +1,25 @@ +From 484ad8c9263bb524051a999ce19a994960e69572 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= <iyzsong@gmail.com> +Date: Fri, 23 Oct 2015 20:48:57 +0800 +Subject: [PATCH] unit/test-gobex-header: Fix duplicate test names + +--- + unit/test-gobex-header.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/unit/test-gobex-header.c b/unit/test-gobex-header.c +index 6f49312..8705892 100644 +--- a/unit/test-gobex-header.c ++++ b/unit/test-gobex-header.c +@@ -554,7 +554,7 @@ int main(int argc, char *argv[]) + test_header_encode_name_umlaut); + g_test_add_func("/gobex/test_header_encode_body", + test_header_encode_body); +- g_test_add_func("/gobex/test_header_encode_connid", ++ g_test_add_func("/gobex/test_header_encode_actionid", + test_header_encode_actionid); + g_test_add_func("/gobex/test_header_encode_apparam", + test_header_encode_apparam); +-- +2.5.0 + diff --git a/gnu/packages/patches/byobu-writable-status.patch b/gnu/packages/patches/byobu-writable-status.patch new file mode 100644 index 0000000000..2858280273 --- /dev/null +++ b/gnu/packages/patches/byobu-writable-status.patch @@ -0,0 +1,13 @@ +Skeleton status files are installed read-only. When copying to the config dir +upon initialization, make sure they end up writable. + +--- byobu-5.98/usr/bin/byobu-janitor.in ++++ byobu-5.98/usr/bin/byobu-janitor.in +@@ -82,6 +82,7 @@ + if [ ! -r "$BYOBU_CONFIG_DIR/$f" ]; then + # Copy from skeleton, if possible + cp -f "$BYOBU_PREFIX/share/$PKG/status/$f" "$BYOBU_CONFIG_DIR/$f" ++ chmod +w "$BYOBU_CONFIG_DIR/$f" + # Enable ec2_cost, if we're in ec2 and seeding a new setup + if metadata_available; then + $BYOBU_SED_INLINE -e "s/#ec2_cost/ec2_cost/g" "$($BYOBU_READLINK -f $BYOBU_CONFIG_DIR/$f)" diff --git a/gnu/packages/patches/dbus-helper-search-path.patch b/gnu/packages/patches/dbus-helper-search-path.patch new file mode 100644 index 0000000000..30c142312b --- /dev/null +++ b/gnu/packages/patches/dbus-helper-search-path.patch @@ -0,0 +1,18 @@ +The setuid helper of D-Bus is responsible for "service activation". +It looks for '.service' files in fixed locations, but the default locations +make no sense (see below), so replace them with /etc/dbus-1/system-services. + +--- dbus-1.10.0/dbus/dbus-sysdeps-util-unix.c 2015-10-22 00:07:03.829251854 +0200 ++++ dbus-1.10.0/dbus/dbus-sysdeps-util-unix.c 2015-10-22 00:07:14.893445175 +0200 +@@ -1410,10 +1410,7 @@ _dbus_get_standard_system_servicedirs (D + * be available. + */ + static const char standard_search_path[] = +- "/usr/local/share:" +- "/usr/share:" +- DBUS_DATADIR ":" +- "/lib"; ++ "/etc"; + DBusString servicedir_path; + + _dbus_string_init_const (&servicedir_path, standard_search_path); diff --git a/gnu/packages/patches/dbus-localstatedir.patch b/gnu/packages/patches/dbus-localstatedir.patch deleted file mode 100644 index 61bed91b5c..0000000000 --- a/gnu/packages/patches/dbus-localstatedir.patch +++ /dev/null @@ -1,30 +0,0 @@ -Do not try to create $localstatedir and $sysconfdir since we cannot do this -when they are /var and /etc. - ---- dbus-1.6.4/bus/Makefile.in 2013-09-11 16:15:13.000000000 +0200 -+++ dbus-1.6.4/bus/Makefile.in 2013-09-11 16:15:15.000000000 +0200 -@@ -1510,9 +1510,6 @@ clean-local: - /bin/rm *.bb *.bbg *.da *.gcov || true - - install-data-hook: -- $(mkinstalldirs) $(DESTDIR)$(localstatedir)/run/dbus -- $(mkinstalldirs) $(DESTDIR)$(configdir)/system.d -- $(mkinstalldirs) $(DESTDIR)$(configdir)/session.d - $(mkinstalldirs) $(DESTDIR)$(datadir)/dbus-1/services - $(mkinstalldirs) $(DESTDIR)$(datadir)/dbus-1/system-services - # Install dbus.socket as default implementation of a D-Bus stack. - ---- dbus-1.6.4/tools/Makefile.in 2013-09-11 16:10:31.000000000 +0200 -+++ dbus-1.6.4/tools/Makefile.in 2013-09-11 16:10:32.000000000 +0200 -@@ -757,11 +757,6 @@ uninstall-am: uninstall-binPROGRAMS - - - # create the /var/lib/dbus directory for dbus-uuidgen --install-data-local: -- $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/dbus -- --installcheck-local: -- test -d $(DESTDIR)$(localstatedir)/lib/dbus - - # Tell versions [3.59,3.63) of GNU make to not export all variables. - # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/gnu/packages/patches/devil-fix-libpng.patch b/gnu/packages/patches/devil-fix-libpng.patch new file mode 100644 index 0000000000..a8e90333a3 --- /dev/null +++ b/gnu/packages/patches/devil-fix-libpng.patch @@ -0,0 +1,36 @@ +From 724194d7a9a91221a564579f64bdd6f0abd64219 Mon Sep 17 00:00:00 2001 +From: Noah Mayr <max96at@gmail.com> +Date: Sun, 1 Mar 2015 10:10:56 +0100 +Subject: [PATCH] Fixed deprecated libpng API usage. + +--- + src-IL/src/il_icon.c | 2 +- + src-IL/src/il_png.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src-IL/src/il_icon.c b/src-IL/src/il_icon.c +index 2ccb1a3..fd9475d 100644 +--- a/src-IL/src/il_icon.c ++++ b/src-IL/src/il_icon.c +@@ -525,7 +525,7 @@ ILboolean ico_readpng_get_image(ICOIMAGE *Icon, ILdouble display_exponent) + + // Expand low-bit-depth grayscale images to 8 bits + if (ico_color_type == PNG_COLOR_TYPE_GRAY && bit_depth < 8) { +- png_set_gray_1_2_4_to_8(ico_png_ptr); ++ png_set_expand_gray_1_2_4_to_8(ico_png_ptr); + } + + // Expand RGB images with transparency to full alpha channels +diff --git a/src-IL/src/il_png.c b/src-IL/src/il_png.c +index da9517d..2866508 100644 +--- a/src-IL/src/il_png.c ++++ b/src-IL/src/il_png.c +@@ -277,7 +277,7 @@ ILboolean readpng_get_image(ILdouble display_exponent) + + // Expand low-bit-depth grayscale images to 8 bits + if (png_color_type == PNG_COLOR_TYPE_GRAY && bit_depth < 8) { +- png_set_gray_1_2_4_to_8(png_ptr); ++ png_set_expand_gray_1_2_4_to_8(png_ptr); + } + + // Expand RGB images with transparency to full alpha channels diff --git a/gnu/packages/patches/dico-libtool-deterministic.patch b/gnu/packages/patches/dico-libtool-deterministic.patch new file mode 100644 index 0000000000..957fc79786 --- /dev/null +++ b/gnu/packages/patches/dico-libtool-deterministic.patch @@ -0,0 +1,15 @@ +Dico 2.2 uses an old Libtool (2.2.7a) that did not sort the output +of 'find', thereby leading to non-deterministic file name ordering +in the arguments passed to 'ar rcu' for libdico.a & co. + +--- dico-2.2/build-aux/ltmain.sh 1970-01-01 01:00:00.000000000 +0100 ++++ dico-2.2/build-aux/ltmain.sh 2015-11-25 09:39:30.826169050 +0100 +@@ -2926,7 +2926,7 @@ func_extract_archives () + func_extract_an_archive "$my_xdir" "$my_xabs" + ;; + esac +- my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP` ++ my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP` + done + + func_extract_archives_result="$my_oldobjs" diff --git a/gnu/packages/patches/eudev-rules-directory.patch b/gnu/packages/patches/eudev-rules-directory.patch index 9173e22f76..54fc01c6d5 100644 --- a/gnu/packages/patches/eudev-rules-directory.patch +++ b/gnu/packages/patches/eudev-rules-directory.patch @@ -4,9 +4,9 @@ The old udev 182 supported $UDEV_CONFIG_FILE, which in turn allowed the search path to be customized, but eudev no longer has this, hence this hack. ---- eudev-1.9/src/udev/udev-rules.c 2014-09-13 10:21:59.615980259 +0200 -+++ eudev-1.9/src/udev/udev-rules.c 2014-09-13 10:24:13.839976335 +0200 -@@ -46,15 +46,11 @@ +--- eudev-3.1.5/src/udev/udev-rules.c 2015-10-13 06:22:14.000000000 +0800 ++++ eudev-3.1.5/src/udev/udev-rules.c 2015-10-16 20:45:38.491934336 +0800 +@@ -47,15 +47,11 @@ }; }; @@ -14,23 +14,23 @@ this hack. +static const char* rules_dirs[] = { UDEV_CONF_DIR "/rules.d", UDEV_RULES_DIR, -- "/run/udev/rules.d", +- UDEV_ROOT_RUN "/udev/rules.d", UDEV_LIBEXEC_DIR "/rules.d", -#ifdef HAVE_SPLIT_USR - "/lib/udev/rules.d", - "/usr/lib/udev/rules.d", -#endif -+ NULL, /* placeholder for $EUDEV_RULES_DIRECTORY */ ++ NULL, /* placeholder for $EUDEV_RULES_DIRECTORY */ NULL}; struct udev_rules { -@@ -1637,6 +1633,9 @@ +@@ -1704,6 +1700,9 @@ udev_rules_check_timestamp(rules); -+ /* Allow the user to specify an additional rules directory. */ -+ rules_dirs[3] = getenv("EUDEV_RULES_DIRECTORY"); ++ /* Allow the user to specify an additional rules directory. */ ++ rules_dirs[3] = getenv("EUDEV_RULES_DIRECTORY"); + r = conf_files_list_strv(&files, ".rules", NULL, rules_dirs); if (r < 0) { - log_error("failed to enumerate rules files: %s", strerror(-r)); + log_error_errno(r, "failed to enumerate rules files: %m"); diff --git a/gnu/packages/patches/evilwm-lost-focus-bug.patch b/gnu/packages/patches/evilwm-lost-focus-bug.patch new file mode 100644 index 0000000000..af24af8fe9 --- /dev/null +++ b/gnu/packages/patches/evilwm-lost-focus-bug.patch @@ -0,0 +1,18 @@ +evilwm may sometimes lose focus after closing a window. This means that +evilwm stops responding to keyboard shortcuts, and if no other window is open +which the mouse can be moved over to regain focus evilwm becomes unusable and +has to be restarted. + +Patch derived from discussion at +https://wiki.archlinux.org/index.php/Evilwm#Lost_focus_bug_fix + +--- evilwm-1.1.1/client.c ++++ evilwm-1.1.1/client.c +@@ -172,6 +172,7 @@ + * _NET_WM_STATE) */ + if (c->remove) { + LOG_DEBUG("setting WithdrawnState\n"); ++ XSetInputFocus(dpy, PointerRoot, RevertToPointerRoot, CurrentTime); + set_wm_state(c, WithdrawnState); + ewmh_withdraw_client(c); + } else { diff --git a/gnu/packages/patches/glib-tests-desktop.patch b/gnu/packages/patches/glib-tests-desktop.patch index 61f48607f7..642234ebbc 100644 --- a/gnu/packages/patches/glib-tests-desktop.patch +++ b/gnu/packages/patches/glib-tests-desktop.patch @@ -56,11 +56,12 @@ database, the `update-desktop-database' program, which we don't provide. ----------------------------- The hunk below removes tests that depend on `gdbus-testserver.py', -because that script depends on python-gobject. +because that script depends on python-gobject. The second hunk +disables a test that expects /etc/machine-id in the build environment. ---- glib-2.39.1/gio/tests/Makefile.in 2014-01-20 00:18:16.000000000 +0100 -+++ glib-2.39.1/gio/tests/Makefile.in 2014-01-20 00:18:47.000000000 +0100 -@@ -171,20 +171,13 @@ check_PROGRAMS = $(am__EXEEXT_14) +--- glib-2.46.0/gio/tests/Makefile.in 2015-10-14 14:11:00.928809504 +0200 ++++ glib-2.46.0/gio/tests/Makefile.in 2015-10-14 14:12:13.157291092 +0200 +@@ -186,20 +186,13 @@ check_PROGRAMS = $(am__EXEEXT_16) @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ gdbus-auth \ @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ gdbus-bz627724 \ @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ gdbus-close-pending \ @@ -79,7 +80,16 @@ because that script depends on python-gobject. @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ gdbus-test-codegen-old \ -@HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ gdbus-threading \ @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ gmenumodel \ + @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ gnotification \ @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ $(NULL) +@@ -321,8 +314,7 @@ libresourceplugin_la_LINK = $(LIBTOOL) $ + am__EXEEXT_1 = + @OS_UNIX_TRUE@am__EXEEXT_2 = contenttype$(EXEEXT) file$(EXEEXT) \ + @OS_UNIX_TRUE@ gdbus-peer-object-manager$(EXEEXT) \ +-@OS_UNIX_TRUE@ gdbus-unix-addresses$(EXEEXT) \ + @OS_UNIX_TRUE@ live-g-file$(EXEEXT) socket-address$(EXEEXT) \ + @OS_UNIX_TRUE@ stream-rw_all$(EXEEXT) unix-fd$(EXEEXT) \ + @OS_UNIX_TRUE@ unix-streams$(EXEEXT) $(am__EXEEXT_1) \ The test below depends on the availability /etc/passwd to dbus-daemon. diff --git a/gnu/packages/patches/gsl-poly-test-fix-pt1.patch b/gnu/packages/patches/gsl-poly-test-fix-pt1.patch deleted file mode 100644 index 3d1ed4243c..0000000000 --- a/gnu/packages/patches/gsl-poly-test-fix-pt1.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 9cc12d0377dd634b1b97954d076b715f982853b7 Mon Sep 17 00:00:00 2001 -From: Patrick Alken <alken@colorado.edu> -Date: Fri, 4 Apr 2014 13:36:16 -0600 -Subject: [PATCH] bug fix in sorting of complex numbers (bug #39055) - ---- - poly/test.c | 49 ++++++++++++++++++++++++++++++------------------- - 1 file changed, 30 insertions(+), 19 deletions(-) - -diff --git a/poly/test.c b/poly/test.c -index 9c147f6..d090802 100644 ---- a/poly/test.c -+++ b/poly/test.c -@@ -25,11 +25,21 @@ - #include <gsl/gsl_poly.h> - #include <gsl/gsl_heapsort.h> - -+/* sort by Re(z) then by Im(z) */ - static int - cmp_cplx(const double *a, const double *b) - { -- double t = (a[0] * a[0] + a[1] * a[1]) - (b[0] * b[0] + b[1] * b[1]); -- return t < 0.0 ? -1 : t > 0.0 ? 1 : 0; -+ double r = a[0] - b[0]; -+ -+ if (r == 0.0) -+ { -+ double t = a[1] - b[1]; -+ return t < 0.0 ? -1 : t > 0.0 ? 1 : 0; -+ } -+ else if (r < 0.0) -+ return -1; -+ else -+ return 1; - } - - int -@@ -534,25 +544,26 @@ main (void) - Problem reported by Munagala Ramanath (bug #39055) - */ - -- double a[16] = { 32, -48, -8, 28, -8, 16, -16, 12, -16, 6, 10, -17, 10, 2, -4, 1 }; -+ double a[16] = { 32, -48, -8, 28, -8, 16, -16, 12, -+ -16, 6, 10, -17, 10, 2, -4, 1 }; - double z[16*2]; - -- double expected[16*20] = { -- 1.0000000000000000, 0.00000000000000000, -- 1.0000000000000000, 0.00000000000000000, -- -1.0000000000000000, 0.00000000000000000, -- -0.65893856175240950, 0.83459757287426684, -- -0.65893856175240950, -0.83459757287426684, -- -0.070891117403341281, -1.1359249087587791, -- -0.070891117403341281, 1.1359249087587791, -- 1.1142366961812986, -0.48083981203389980, -- 1.1142366961812986, 0.48083981203389980, -- -1.3066982484920768, 0.00000000000000000, -- 0.57284747839410854, 1.1987808988289705, -- 0.57284747839410854, -1.1987808988289705, -- -1.6078107423472359, 0.00000000000000000, -- 2.0000000000000000, 0.00000000000000000, -- 2.0000000000000000, 0.00000000000000000 }; -+ double expected[16*2] = { -+ -1.6078107423472359, 0.00000000000000000, -+ -1.3066982484920768, 0.00000000000000000, -+ -1.0000000000000000, 0.00000000000000000, -+ -0.65893856175240950, -0.83459757287426684, -+ -0.65893856175240950, 0.83459757287426684, -+ -0.070891117403341281, -1.1359249087587791, -+ -0.070891117403341281, 1.1359249087587791, -+ 0.57284747839410854, -1.1987808988289705, -+ 0.57284747839410854, 1.1987808988289705, -+ 1.0000000000000000, 0.00000000000000000, -+ 1.0000000000000000, 0.00000000000000000, -+ 1.1142366961812986, -0.48083981203389980, -+ 1.1142366961812986, 0.48083981203389980, -+ 2.0000000000000000, 0.00000000000000000, -+ 2.0000000000000000, 0.00000000000000000 }; - - int i; - --- -2.4.3 - diff --git a/gnu/packages/patches/gsl-poly-test-fix-pt2.patch b/gnu/packages/patches/gsl-poly-test-fix-pt2.patch deleted file mode 100644 index 0e6fcf1a53..0000000000 --- a/gnu/packages/patches/gsl-poly-test-fix-pt2.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 0466df8660a7b6ddf2e082a1ec38bc6ea25a3c5c Mon Sep 17 00:00:00 2001 -From: Patrick Alken <alken@colorado.edu> -Date: Mon, 7 Apr 2014 10:59:58 -0600 -Subject: [PATCH] change error test for 15th degree polynomial (bug #39055) - ---- - poly/test.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/poly/test.c b/poly/test.c -index d090802..f6a7e3f 100644 ---- a/poly/test.c -+++ b/poly/test.c -@@ -579,8 +579,8 @@ main (void) - - for (i = 0; i<15; i++) - { -- gsl_test_abs (z[2*i], expected[2*i], 1e-7, "z%d.real, 15th-order polynomial", i); -- gsl_test_abs (z[2*i+1], expected[2*i+1], 1e-7, "z%d.imag, 15th-order polynomial", i); -+ gsl_test_rel (z[2*i], expected[2*i], 1e-7, "z%d.real, 15th-order polynomial", i); -+ gsl_test_rel (z[2*i+1], expected[2*i+1], 1e-7, "z%d.imag, 15th-order polynomial", i); - } - } - --- -2.4.3 - diff --git a/gnu/packages/patches/hwloc-gather-topology-lstopo.patch b/gnu/packages/patches/hwloc-gather-topology-lstopo.patch deleted file mode 100644 index 06f47aecaa..0000000000 --- a/gnu/packages/patches/hwloc-gather-topology-lstopo.patch +++ /dev/null @@ -1,13 +0,0 @@ -Derived from upstream commit 0a32f719c. - ---- hwloc-1.10.1/tests/linux/Makefile.in 2015-01-26 03:37:52.000000000 -0600 -+++ hwloc-1.10.1/tests/linux/Makefile.in 2015-06-15 11:21:49.824842511 -0500 -@@ -1633,7 +1633,7 @@ - - - install-exec-hook: -- $(SED) -e 's/HWLOC_top_builddir\/utils/bindir/' -e '/HWLOC_top_builddir/d' $(DESTDIR)$(bindir)/hwloc-gather-topology > $(DESTDIR)$(bindir)/hwloc-gather-topology.tmp && mv -f $(DESTDIR)$(bindir)/hwloc-gather-topology.tmp $(DESTDIR)$(bindir)/hwloc-gather-topology -+ $(SED) -e 's/HWLOC_top_builddir\/utils\/lstopo/bindir/' -e '/HWLOC_top_builddir/d' $(DESTDIR)$(bindir)/hwloc-gather-topology > $(DESTDIR)$(bindir)/hwloc-gather-topology.tmp && mv -f $(DESTDIR)$(bindir)/hwloc-gather-topology.tmp $(DESTDIR)$(bindir)/hwloc-gather-topology - chmod +x $(DESTDIR)$(bindir)/hwloc-gather-topology - - # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/gnu/packages/patches/jasper-CVE-2008-3522.patch b/gnu/packages/patches/jasper-CVE-2008-3522.patch new file mode 100644 index 0000000000..10cfec99a5 --- /dev/null +++ b/gnu/packages/patches/jasper-CVE-2008-3522.patch @@ -0,0 +1,14 @@ +Fix CVE-2008-3522 (buffer overflow in 'jas_stream_printf'). +Patch from <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3522>. + +--- jasper-1.900.1/src/libjasper/base/jas_stream.c 2008-09-08 14:56:01.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/base/jas_stream.c 2008-09-08 14:58:16.000000000 +0200 +@@ -553,7 +553,7 @@ int jas_stream_printf(jas_stream_t *stre + int ret; + + va_start(ap, fmt); +- ret = vsprintf(buf, fmt, ap); ++ ret = vsnprintf(buf, sizeof buf, fmt, ap); + jas_stream_puts(stream, buf); + va_end(ap); + return ret; diff --git a/gnu/packages/patches/libdrm-symbol-check.patch b/gnu/packages/patches/libdrm-symbol-check.patch new file mode 100644 index 0000000000..676024beb4 --- /dev/null +++ b/gnu/packages/patches/libdrm-symbol-check.patch @@ -0,0 +1,195 @@ +Augment the list of expected symbols to fix the symbol-check tests on +mips64el-linux and armhf-linux. + +--- libdrm-2.4.65/freedreno/freedreno-symbol-check.orig 2015-09-04 11:07:40.000000000 -0400 ++++ libdrm-2.4.65/freedreno/freedreno-symbol-check 2015-10-18 23:57:15.288416229 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. + # A list of the latter should be available Makefile.sources/LIBDRM_FREEDRENO_H_FILES + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_freedreno.so} | awk '{print $3}'| while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + fd_bo_cpu_fini + fd_bo_cpu_prep + fd_bo_del +--- libdrm-2.4.65/nouveau/nouveau-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 ++++ libdrm-2.4.65/nouveau/nouveau-symbol-check 2015-10-18 23:55:26.078327118 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. + # A list of the latter should be available Makefile.sources/LIBDRM_NOUVEAU_H_FILES + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_nouveau.so} | awk '{print $3}'| while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + nouveau_bo_map + nouveau_bo_name_get + nouveau_bo_name_ref +--- libdrm-2.4.65/libkms/kms-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 ++++ libdrm-2.4.65/libkms/kms-symbol-check 2015-10-18 23:46:10.683869471 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. + # A list of the latter should be available Makefile.sources/LIBKMS_H_FILES + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libkms.so} | awk '{print $3}'| while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + kms_bo_create + kms_bo_destroy + kms_bo_get_prop +--- libdrm-2.4.65/intel/intel-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 ++++ libdrm-2.4.65/intel/intel-symbol-check 2015-10-18 23:55:53.309558508 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. + # A list of the latter should be available Makefile.sources/LIBDRM_INTEL_H_FILES + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_intel.so} | awk '{print $3}' | while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + drm_intel_bo_alloc + drm_intel_bo_alloc_for_render + drm_intel_bo_alloc_tiled +--- libdrm-2.4.65/amdgpu/amdgpu-symbol-check.orig 2015-08-17 10:08:11.000000000 -0400 ++++ libdrm-2.4.65/amdgpu/amdgpu-symbol-check 2015-10-18 23:56:10.606917723 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. + # A list of the latter should be available Makefile.am/libdrm_amdgpuinclude_HEADERS + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_amdgpu.so} | awk '{print $3}' | while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + amdgpu_bo_alloc + amdgpu_bo_cpu_map + amdgpu_bo_cpu_unmap +--- libdrm-2.4.65/exynos/exynos-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 ++++ libdrm-2.4.65/exynos/exynos-symbol-check 2015-10-18 23:56:32.025486153 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. + # A list of the latter should be available Makefile.am/libdrm_exynos*_HEADERS + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_exynos.so} | awk '{print $3}'| while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + exynos_bo_create + exynos_bo_destroy + exynos_bo_from_name +--- libdrm-2.4.65/omap/omap-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 ++++ libdrm-2.4.65/omap/omap-symbol-check 2015-10-18 23:56:44.834438626 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. + # A list of the latter should be available Makefile.am/libdrm_omap*HEADERS + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_omap.so} | awk '{print $3}'| while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + omap_bo_cpu_fini + omap_bo_cpu_prep + omap_bo_del +--- libdrm-2.4.65/tegra/tegra-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 ++++ libdrm-2.4.65/tegra/tegra-symbol-check 2015-10-18 23:57:00.756759698 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. + # A list of the latter should be available Makefile.sources/LIBDRM_FREEDRENO_H_FILES + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_tegra.so} | awk '{print $3}'| while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + drm_tegra_bo_get_flags + drm_tegra_bo_get_handle + drm_tegra_bo_get_tiling diff --git a/gnu/packages/patches/librsvg-tests.patch b/gnu/packages/patches/librsvg-tests.patch new file mode 100644 index 0000000000..dc5b94e185 --- /dev/null +++ b/gnu/packages/patches/librsvg-tests.patch @@ -0,0 +1,27 @@ +From e06fc71a57156123e4e50a39957100a651ab632b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= <iyzsong@gmail.com> +Date: Sat, 17 Oct 2015 10:20:33 +0800 +Subject: [PATCH] tests/styles: Don't duplicate test names. + +--- + tests/styles.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/styles.c b/tests/styles.c +index d09b1f2..a938835 100644 +--- a/tests/styles.c ++++ b/tests/styles.c +@@ -97,8 +97,8 @@ static const FixtureData fixtures[] = + {"/styles/selectors/2 or more selectors (stroke)", "592207", "styles/bug592207.svg", "#target", "stroke", .expected.color = 0xff0000ff}, + {"/styles/svg-element-style", "615701", "styles/svg-class.svg", "#svg", "fill", .expected.color = 0xff0000ff}, + {"/styles/presentation attribute in svg element", "620693", "styles/bug620693.svg", "#svg", "stroke", .expected.color = 0xffff0000}, +- {"/styles/!important", "379629", "styles/bug379629.svg", "#base_shadow", "stroke", .expected.color = 0xffffc0cb /* pink */}, +- {"/styles/!important", "379629", "styles/bug379629.svg", "#base_shadow", "stroke-width", .expected.length = {POINTS_LENGTH(5.), 'i'}}, ++ {"/styles/!important/1", "379629", "styles/bug379629.svg", "#base_shadow", "stroke", .expected.color = 0xffffc0cb /* pink */}, ++ {"/styles/!important/2", "379629", "styles/bug379629.svg", "#base_shadow", "stroke-width", .expected.length = {POINTS_LENGTH(5.), 'i'}}, + {"/styles/!important/class", "614606", "styles/bug614606.svg", "#path6306", "fill", .expected.color = 0xffff0000 /* red */ }, + {"/styles/!important/element", "614606", "styles/bug614606.svg", "#path6308", "fill", .expected.color = 0xff000000}, + {"/styles/!important/#id prior than class", NULL, "styles/important.svg", "#red", "fill", .expected.color = 0xffff0000 }, +-- +2.5.0 + diff --git a/gnu/packages/patches/libsndfile-CVE-2014-9496.patch b/gnu/packages/patches/libsndfile-CVE-2014-9496.patch new file mode 100644 index 0000000000..87d42955fb --- /dev/null +++ b/gnu/packages/patches/libsndfile-CVE-2014-9496.patch @@ -0,0 +1,55 @@ +Copied from Fedora. + +http://pkgs.fedoraproject.org/cgit/libsndfile.git/plain/libsndfile-1.0.25-cve2014_9496.patch + +diff -up libsndfile-1.0.25/src/sd2.c.cve2014_9496 libsndfile-1.0.25/src/sd2.c +--- libsndfile-1.0.25/src/sd2.c.cve2014_9496 2011-01-19 11:10:36.000000000 +0100 ++++ libsndfile-1.0.25/src/sd2.c 2015-01-13 17:00:35.920285526 +0100 +@@ -395,6 +395,21 @@ read_marker (const unsigned char * data, + return 0x666 ; + } /* read_marker */ + ++static inline int ++read_rsrc_marker (const SD2_RSRC *prsrc, int offset) ++{ const unsigned char * data = prsrc->rsrc_data ; ++ ++ if (offset < 0 || offset + 3 >= prsrc->rsrc_len) ++ return 0 ; ++ ++ if (CPU_IS_BIG_ENDIAN) ++ return (((uint32_t) data [offset]) << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ; ++ if (CPU_IS_LITTLE_ENDIAN) ++ return data [offset] + (data [offset + 1] << 8) + (data [offset + 2] << 16) + (((uint32_t) data [offset + 3]) << 24) ; ++ ++ return 0 ; ++} /* read_rsrc_marker */ ++ + static void + read_str (const unsigned char * data, int offset, char * buffer, int buffer_len) + { int k ; +@@ -496,6 +511,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) + + rsrc.type_offset = rsrc.map_offset + 30 ; + ++ if (rsrc.map_offset + 28 > rsrc.rsrc_len) ++ { psf_log_printf (psf, "Bad map offset.\n") ; ++ goto parse_rsrc_fork_cleanup ; ++ } ; ++ + rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ; + if (rsrc.type_count < 1) + { psf_log_printf (psf, "Bad type count.\n") ; +@@ -512,7 +532,12 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf) + + rsrc.str_index = -1 ; + for (k = 0 ; k < rsrc.type_count ; k ++) +- { marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ; ++ { if (rsrc.type_offset + k * 8 > rsrc.rsrc_len) ++ { psf_log_printf (psf, "Bad rsrc marker.\n") ; ++ goto parse_rsrc_fork_cleanup ; ++ } ; ++ ++ marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ; + + if (marker == STR_MARKER) + { rsrc.str_index = k ; diff --git a/gnu/packages/patches/libsndfile-CVE-2015-7805.patch b/gnu/packages/patches/libsndfile-CVE-2015-7805.patch new file mode 100644 index 0000000000..d617f81e5c --- /dev/null +++ b/gnu/packages/patches/libsndfile-CVE-2015-7805.patch @@ -0,0 +1,95 @@ +Slightly modified to apply cleanly to libsndfile-1.0.25. + +From d2a87385c1ca1d72918e9a2875d24f202a5093e8 Mon Sep 17 00:00:00 2001 +From: Erik de Castro Lopo <erikd@mega-nerd.com> +Date: Sat, 7 Feb 2015 15:45:10 +1100 +Subject: [PATCH] src/common.c : Fix a header parsing bug. + +When the file header is bigger that SF_HEADER_LEN, the code would seek +instead of reading causing file parse errors. + +The current header parsing and writing code *badly* needs a re-write. +--- + src/common.c | 27 +++++++++++---------------- + 1 file changed, 11 insertions(+), 16 deletions(-) + +diff --git a/src/common.c b/src/common.c +index dd4edb7..c6b88cc 100644 +--- a/src/common.c ++++ b/src/common.c +@@ -1,5 +1,5 @@ + /* +-** Copyright (C) 1999-2011 Erik de Castro Lopo <erikd@mega-nerd.com> ++** Copyright (C) 1999-2015 Erik de Castro Lopo <erikd@mega-nerd.com> + ** + ** This program is free software; you can redistribute it and/or modify + ** it under the terms of the GNU Lesser General Public License as published by +@@ -800,21 +800,16 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes) + { int count = 0 ; + + if (psf->headindex >= SIGNED_SIZEOF (psf->header)) +- { memset (ptr, 0, SIGNED_SIZEOF (psf->header) - psf->headindex) ; +- +- /* This is the best that we can do. */ +- psf_fseek (psf, bytes, SEEK_CUR) ; +- return bytes ; +- } ; ++ return psf_fread (ptr, 1, bytes, psf) ; + + if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header)) + { int most ; + + most = SIGNED_SIZEOF (psf->header) - psf->headindex ; + psf_fread (psf->header + psf->headend, 1, most, psf) ; +- memset ((char *) ptr + most, 0, bytes - most) ; +- +- psf_fseek (psf, bytes - most, SEEK_CUR) ; ++ memcpy (ptr, psf->header + psf->headend, most) ; ++ psf->headend = psf->headindex += most ; ++ psf_fread ((char *) ptr + most, bytes - most, 1, psf) ; + return bytes ; + } ; + +@@ -822,7 +817,7 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes) + { count = psf_fread (psf->header + psf->headend, 1, bytes - (psf->headend - psf->headindex), psf) ; + if (count != bytes - (int) (psf->headend - psf->headindex)) + { psf_log_printf (psf, "Error : psf_fread returned short count.\n") ; +- return 0 ; ++ return count ; + } ; + psf->headend += count ; + } ; +@@ -836,7 +831,6 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes) + static void + header_seek (SF_PRIVATE *psf, sf_count_t position, int whence) + { +- + switch (whence) + { case SEEK_SET : + if (position > SIGNED_SIZEOF (psf->header)) +@@ -885,8 +879,7 @@ header_seek (SF_PRIVATE *psf, sf_count_t position, int whence) + + static int + header_gets (SF_PRIVATE *psf, char *ptr, int bufsize) +-{ +- int k ; ++{ int k ; + + for (k = 0 ; k < bufsize - 1 ; k++) + { if (psf->headindex < psf->headend) +@@ -1073,8 +1066,10 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) + case 'j' : + /* Get the seek position first. */ + count = va_arg (argptr, size_t) ; +- header_seek (psf, count, SEEK_CUR) ; +- byte_count += count ; ++ if (count) ++ { header_seek (psf, count, SEEK_CUR) ; ++ byte_count += count ; ++ } ; + break ; + + default : +-- +2.6.3 + diff --git a/gnu/packages/patches/libxslt-CVE-2015-7995.patch b/gnu/packages/patches/libxslt-CVE-2015-7995.patch new file mode 100644 index 0000000000..f291d5b387 --- /dev/null +++ b/gnu/packages/patches/libxslt-CVE-2015-7995.patch @@ -0,0 +1,29 @@ +From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Thu, 29 Oct 2015 19:33:23 +0800 +Subject: [PATCH] Fix for type confusion in preprocessing attributes + +CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10 +We need to check that the parent node is an element before dereferencing +its namespace +--- + libxslt/preproc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libxslt/preproc.c b/libxslt/preproc.c +index 0eb80a0..7f69325 100644 +--- a/libxslt/preproc.c ++++ b/libxslt/preproc.c +@@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) { + } else if (IS_XSLT_NAME(inst, "attribute")) { + xmlNodePtr parent = inst->parent; + +- if ((parent == NULL) || (parent->ns == NULL) || ++ if ((parent == NULL) || ++ (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) || + ((parent->ns != inst->ns) && + (!xmlStrEqual(parent->ns->href, inst->ns->href))) || + (!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) { +-- +2.6.3 + diff --git a/gnu/packages/patches/lua52-liblua-so.patch b/gnu/packages/patches/lua52-liblua-so.patch new file mode 100644 index 0000000000..2e6b39ae79 --- /dev/null +++ b/gnu/packages/patches/lua52-liblua-so.patch @@ -0,0 +1,78 @@ +From 7a1b4e0829124976878ca2765a8e546667a92ceb Mon Sep 17 00:00:00 2001 +From: Leo Famulari <leo@famulari.name> +Date: Fri, 30 Oct 2015 19:11:31 -0400 +Subject: [PATCH] apply existing non-executable library patch and install + libraries as executable + +--- + Makefile | 6 +++--- + src/Makefile | 8 +++++++- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/Makefile b/Makefile +index 1aea8e6..bfcfed9 100644 +--- a/Makefile ++++ b/Makefile +@@ -44,7 +44,7 @@ INTERPRETER= lua + COMPILER= luac + TO_BIN= $(INTERPRETER) $(COMPILER) + TO_INC= lua.h luaconf.h lualib.h lauxlib.h lua.hpp +-TO_LIB= liblua.a ++TO_LIB= liblua.a liblua.so liblua.so.${V} + TO_PC= lua-$(V).pc + TO_MAN= lua.1 luac.1 + +@@ -56,7 +56,7 @@ R= $V.3 + all: $(PLAT) + + $(PLATS): +- cd src && $(MAKE) $@ ++ cd src && $(MAKE) $@ V=$(V) R=$(R) + + clean: + cd src && $(MAKE) $@ +@@ -69,7 +69,7 @@ install: dummy $(TO_PC) + cd src && $(MKDIR) $(INSTALL_BIN) $(INSTALL_INC) $(INSTALL_LIB) $(INSTALL_PC) $(INSTALL_MAN) $(INSTALL_LMOD) $(INSTALL_CMOD) + cd src && $(INSTALL_EXEC) $(TO_BIN) $(INSTALL_BIN) + cd src && $(INSTALL_DATA) $(TO_INC) $(INSTALL_INC) +- cd src && $(INSTALL_DATA) $(TO_LIB) $(INSTALL_LIB) ++ cd src && $(INSTALL_EXEC) $(TO_LIB) $(INSTALL_LIB) + cd src && $(INSTALL_DATA) ../$(TO_PC) $(INSTALL_PC) + cd doc && $(INSTALL_DATA) $(TO_MAN) $(INSTALL_MAN) + +diff --git a/src/Makefile b/src/Makefile +index 7b4b2b7..c86476e 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -29,6 +29,7 @@ MYOBJS= + PLATS= aix ansi bsd freebsd generic linux macosx mingw posix solaris + + LUA_A= liblua.a ++LUA_SO= liblua.so + CORE_O= lapi.o lcode.o lctype.o ldebug.o ldo.o ldump.o lfunc.o lgc.o llex.o \ + lmem.o lobject.o lopcodes.o lparser.o lstate.o lstring.o ltable.o \ + ltm.o lundump.o lvm.o lzio.o +@@ -43,7 +44,7 @@ LUAC_T= luac + LUAC_O= luac.o + + ALL_O= $(BASE_O) $(LUA_O) $(LUAC_O) +-ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T) ++ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T) $(LUA_SO) + ALL_A= $(LUA_A) + + # Targets start here. +@@ -55,6 +56,11 @@ o: $(ALL_O) + + a: $(ALL_A) + ++$(LUA_SO): $(CORE_O) $(LIB_O) ++ $(CC) -shared -ldl -Wl,-soname,$(LUA_SO).$(V) -o $@.$(R) $? -lm $(MYLDFLAGS) ++ ln -sf $(LUA_SO).$(R) $(LUA_SO).$(V) ++ ln -sf $(LUA_SO).$(R) $(LUA_SO) ++ + $(LUA_A): $(BASE_O) + $(AR) $@ $(BASE_O) + $(RANLIB) $@ +-- +2.6.1 + diff --git a/gnu/packages/patches/matplotlib-setupext-tk.patch b/gnu/packages/patches/matplotlib-setupext-tk.patch new file mode 100644 index 0000000000..37c3d686e0 --- /dev/null +++ b/gnu/packages/patches/matplotlib-setupext-tk.patch @@ -0,0 +1,34 @@ +Use 'pkg-config' instead of heuristics to find 'tk' flags. + +--- matplotlib-1.4.3/setupext.py.orig 2015-12-01 14:21:19.554417453 +0100 ++++ matplotlib-1.4.3/setupext.py 2015-12-02 10:39:47.282363530 +0100 +@@ -1457,7 +1457,7 @@ + p = subprocess.Popen( + '. %s ; eval echo ${%s}' % (file, varname), + shell=True, +- executable="/bin/sh", ++ executable="sh", + stdout=subprocess.PIPE) + result = p.communicate()[0] + return result.decode('ascii') +@@ -1601,8 +1601,19 @@ + # of distros. + + # Query Tcl/Tk system for library paths and version string ++ def getoutput(s): ++ ret = os.popen(s).read().strip() ++ return ret + try: +- tcl_lib_dir, tk_lib_dir, tk_ver = self.query_tcltk() ++ pkg_config_libs = getoutput('pkg-config --libs-only-L tk').split() ++ # drop '-L' part of strings ++ pkg_config_libs = [s[2:] for s in pkg_config_libs] ++ pkg_config_ver = getoutput('pkg-config --modversion tk') ++ tk_ver = re.match(r"(\d+.\d+)[\d.]*", pkg_config_ver).group(1) ++ tcl_lib_dir = next(s for s in pkg_config_libs ++ if re.match(r".*-tcl-.*", s)) + '/tcl' + tk_ver ++ tk_lib_dir = next(s for s in pkg_config_libs ++ if re.match(r".*-tk-.*", s)) + '/tk' + tk_ver + except: + tk_ver = '' + result = self.hardcoded_tcl_config() diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch new file mode 100644 index 0000000000..0f5603e228 --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch @@ -0,0 +1,569 @@ +Copied from Debian. + +From b813d5811432faed844a2dfd3daecde914978f2c Mon Sep 17 00:00:00 2001 +From: Nicolas Williams <nico@twosigma.com> +Date: Mon, 14 Sep 2015 12:27:52 -0400 +Subject: Fix SPNEGO context aliasing bugs [CVE-2015-2695] + +The SPNEGO mechanism currently replaces its context handle with the +mechanism context handle upon establishment, under the assumption that +most GSS functions are only called after context establishment. This +assumption is incorrect, and can lead to aliasing violations for some +programs. Maintain the SPNEGO context structure after context +establishment and refer to it in all GSS methods. Add initiate and +opened flags to the SPNEGO context structure for use in +gss_inquire_context() prior to context establishment. + +CVE-2015-2695: + +In MIT krb5 1.5 and later, applications which call +gss_inquire_context() on a partially-established SPNEGO context can +cause the GSS-API library to read from a pointer using the wrong type, +generally causing a process crash. This bug may go unnoticed, because +the most common SPNEGO authentication scenario establishes the context +after just one call to gss_accept_sec_context(). Java server +applications using the native JGSS provider are vulnerable to this +bug. A carefully crafted SPNEGO packet might allow the +gss_inquire_context() call to succeed with attacker-determined +results, but applications should not make access control decisions +based on gss_inquire_context() results prior to context establishment. + + CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C + +[ghudson@mit.edu: several bugfixes, style changes, and edge-case +behavior changes; commit message and CVE description] + +ticket: 8244 +target_version: 1.14 +tags: pullup + +(cherry picked from commit b51b33f2bc5d1497ddf5bd107f791c101695000d) +Patch-Category: upstream +--- + src/lib/gssapi/spnego/gssapiP_spnego.h | 2 + + src/lib/gssapi/spnego/spnego_mech.c | 254 ++++++++++++++++++++++++--------- + 2 files changed, 192 insertions(+), 64 deletions(-) + +diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h +index bc23f56..8e05736 100644 +--- a/src/lib/gssapi/spnego/gssapiP_spnego.h ++++ b/src/lib/gssapi/spnego/gssapiP_spnego.h +@@ -102,6 +102,8 @@ typedef struct { + int firstpass; + int mech_complete; + int nego_done; ++ int initiate; ++ int opened; + OM_uint32 ctx_flags; + gss_name_t internal_name; + gss_OID actual_mech; +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index 6e39c37..a1072b0 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -104,7 +104,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t, + gss_cred_usage_t, gss_OID_set *); + static void release_spnego_ctx(spnego_gss_ctx_id_t *); + static void check_spnego_options(spnego_gss_ctx_id_t); +-static spnego_gss_ctx_id_t create_spnego_ctx(void); ++static spnego_gss_ctx_id_t create_spnego_ctx(int); + static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf); + static int put_input_token(unsigned char **, gss_buffer_t, unsigned int); + static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int); +@@ -442,7 +442,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx) + } + + static spnego_gss_ctx_id_t +-create_spnego_ctx(void) ++create_spnego_ctx(int initiate) + { + spnego_gss_ctx_id_t spnego_ctx = NULL; + spnego_ctx = (spnego_gss_ctx_id_t) +@@ -465,6 +465,8 @@ create_spnego_ctx(void) + spnego_ctx->mic_rcvd = 0; + spnego_ctx->mech_complete = 0; + spnego_ctx->nego_done = 0; ++ spnego_ctx->opened = 0; ++ spnego_ctx->initiate = initiate; + spnego_ctx->internal_name = GSS_C_NO_NAME; + spnego_ctx->actual_mech = GSS_C_NO_OID; + +@@ -630,7 +632,7 @@ init_ctx_new(OM_uint32 *minor_status, + OM_uint32 ret; + spnego_gss_ctx_id_t sc = NULL; + +- sc = create_spnego_ctx(); ++ sc = create_spnego_ctx(1); + if (sc == NULL) + return GSS_S_FAILURE; + +@@ -647,10 +649,7 @@ init_ctx_new(OM_uint32 *minor_status, + ret = GSS_S_FAILURE; + goto cleanup; + } +- /* +- * The actual context is not yet determined, set the output +- * context handle to refer to the spnego context itself. +- */ ++ + sc->ctx_handle = GSS_C_NO_CONTEXT; + *ctx = (gss_ctx_id_t)sc; + sc = NULL; +@@ -1091,16 +1090,11 @@ cleanup: + } + gss_release_buffer(&tmpmin, &mechtok_out); + if (ret == GSS_S_COMPLETE) { +- /* +- * Now, switch the output context to refer to the +- * negotiated mechanism's context. +- */ +- *context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle; ++ spnego_ctx->opened = 1; + if (actual_mech != NULL) + *actual_mech = spnego_ctx->actual_mech; + if (ret_flags != NULL) + *ret_flags = spnego_ctx->ctx_flags; +- release_spnego_ctx(&spnego_ctx); + } else if (ret != GSS_S_CONTINUE_NEEDED) { + if (spnego_ctx != NULL) { + gss_delete_sec_context(&tmpmin, +@@ -1344,7 +1338,7 @@ acc_ctx_hints(OM_uint32 *minor_status, + if (ret != GSS_S_COMPLETE) + goto cleanup; + +- sc = create_spnego_ctx(); ++ sc = create_spnego_ctx(0); + if (sc == NULL) { + ret = GSS_S_FAILURE; + goto cleanup; +@@ -1426,7 +1420,7 @@ acc_ctx_new(OM_uint32 *minor_status, + gss_release_buffer(&tmpmin, &sc->DER_mechTypes); + assert(mech_wanted != GSS_C_NO_OID); + } else +- sc = create_spnego_ctx(); ++ sc = create_spnego_ctx(0); + if (sc == NULL) { + ret = GSS_S_FAILURE; + *return_token = NO_TOKEN_SEND; +@@ -1809,13 +1803,12 @@ cleanup: + ret = GSS_S_FAILURE; + } + if (ret == GSS_S_COMPLETE) { +- *context_handle = (gss_ctx_id_t)sc->ctx_handle; ++ sc->opened = 1; + if (sc->internal_name != GSS_C_NO_NAME && + src_name != NULL) { + *src_name = sc->internal_name; + sc->internal_name = GSS_C_NO_NAME; + } +- release_spnego_ctx(&sc); + } else if (ret != GSS_S_CONTINUE_NEEDED) { + if (sc != NULL) { + gss_delete_sec_context(&tmpmin, &sc->ctx_handle, +@@ -2128,8 +2121,13 @@ spnego_gss_unwrap( + gss_qop_t *qop_state) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_unwrap(minor_status, +- context_handle, ++ sc->ctx_handle, + input_message_buffer, + output_message_buffer, + conf_state, +@@ -2149,8 +2147,13 @@ spnego_gss_wrap( + gss_buffer_t output_message_buffer) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_req_flag, + qop_req, + input_message_buffer, +@@ -2167,8 +2170,14 @@ spnego_gss_process_context_token( + const gss_buffer_t token_buffer) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ /* SPNEGO doesn't have its own context tokens. */ ++ if (!sc->opened) ++ return (GSS_S_DEFECTIVE_TOKEN); ++ + ret = gss_process_context_token(minor_status, +- context_handle, ++ sc->ctx_handle, + token_buffer); + + return (ret); +@@ -2192,19 +2201,9 @@ spnego_gss_delete_sec_context( + if (*ctx == NULL) + return (GSS_S_COMPLETE); + +- /* +- * If this is still an SPNEGO mech, release it locally. +- */ +- if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) { +- (void) gss_delete_sec_context(minor_status, +- &(*ctx)->ctx_handle, +- output_token); +- (void) release_spnego_ctx(ctx); +- } else { +- ret = gss_delete_sec_context(minor_status, +- context_handle, +- output_token); +- } ++ (void) gss_delete_sec_context(minor_status, &(*ctx)->ctx_handle, ++ output_token); ++ (void) release_spnego_ctx(ctx); + + return (ret); + } +@@ -2216,8 +2215,13 @@ spnego_gss_context_time( + OM_uint32 *time_rec) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_context_time(minor_status, +- context_handle, ++ sc->ctx_handle, + time_rec); + return (ret); + } +@@ -2229,9 +2233,20 @@ spnego_gss_export_sec_context( + gss_buffer_t interprocess_token) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = *(spnego_gss_ctx_id_t *)context_handle; ++ ++ /* We don't currently support exporting partially established ++ * contexts. */ ++ if (!sc->opened) ++ return GSS_S_UNAVAILABLE; ++ + ret = gss_export_sec_context(minor_status, +- context_handle, ++ &sc->ctx_handle, + interprocess_token); ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) { ++ release_spnego_ctx(&sc); ++ *context_handle = GSS_C_NO_CONTEXT; ++ } + return (ret); + } + +@@ -2241,11 +2256,12 @@ spnego_gss_import_sec_context( + const gss_buffer_t interprocess_token, + gss_ctx_id_t *context_handle) + { +- OM_uint32 ret; +- ret = gss_import_sec_context(minor_status, +- interprocess_token, +- context_handle); +- return (ret); ++ /* ++ * Until we implement partial context exports, there are no SPNEGO ++ * exported context tokens, only tokens for underlying mechs. So just ++ * return an error for now. ++ */ ++ return GSS_S_UNAVAILABLE; + } + #endif /* LEAN_CLIENT */ + +@@ -2262,16 +2278,48 @@ spnego_gss_inquire_context( + int *opened) + { + OM_uint32 ret = GSS_S_COMPLETE; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (src_name != NULL) ++ *src_name = GSS_C_NO_NAME; ++ if (targ_name != NULL) ++ *targ_name = GSS_C_NO_NAME; ++ if (lifetime_rec != NULL) ++ *lifetime_rec = 0; ++ if (mech_type != NULL) ++ *mech_type = (gss_OID)gss_mech_spnego; ++ if (ctx_flags != NULL) ++ *ctx_flags = 0; ++ if (locally_initiated != NULL) ++ *locally_initiated = sc->initiate; ++ if (opened != NULL) ++ *opened = sc->opened; ++ ++ if (sc->ctx_handle != GSS_C_NO_CONTEXT) { ++ ret = gss_inquire_context(minor_status, sc->ctx_handle, ++ src_name, targ_name, lifetime_rec, ++ mech_type, ctx_flags, NULL, NULL); ++ } + +- ret = gss_inquire_context(minor_status, +- context_handle, +- src_name, +- targ_name, +- lifetime_rec, +- mech_type, +- ctx_flags, +- locally_initiated, +- opened); ++ if (!sc->opened) { ++ /* ++ * We are still doing SPNEGO negotiation, so report SPNEGO as ++ * the OID. After negotiation is complete we will report the ++ * underlying mechanism OID. ++ */ ++ if (mech_type != NULL) ++ *mech_type = (gss_OID)gss_mech_spnego; ++ ++ /* ++ * Remove flags we don't support with partially-established ++ * contexts. (Change this to keep GSS_C_TRANS_FLAG if we add ++ * support for exporting partial SPNEGO contexts.) ++ */ ++ if (ctx_flags != NULL) { ++ *ctx_flags &= ~GSS_C_PROT_READY_FLAG; ++ *ctx_flags &= ~GSS_C_TRANS_FLAG; ++ } ++ } + + return (ret); + } +@@ -2286,8 +2334,13 @@ spnego_gss_wrap_size_limit( + OM_uint32 *max_input_size) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap_size_limit(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_req_flag, + qop_req, + req_output_size, +@@ -2304,8 +2357,13 @@ spnego_gss_get_mic( + gss_buffer_t message_token) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_get_mic(minor_status, +- context_handle, ++ sc->ctx_handle, + qop_req, + message_buffer, + message_token); +@@ -2321,8 +2379,13 @@ spnego_gss_verify_mic( + gss_qop_t *qop_state) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_verify_mic(minor_status, +- context_handle, ++ sc->ctx_handle, + msg_buffer, + token_buffer, + qop_state); +@@ -2337,8 +2400,14 @@ spnego_gss_inquire_sec_context_by_oid( + gss_buffer_set_t *data_set) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ /* There are no SPNEGO-specific OIDs for this function. */ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_UNAVAILABLE); ++ + ret = gss_inquire_sec_context_by_oid(minor_status, +- context_handle, ++ sc->ctx_handle, + desired_object, + data_set); + return (ret); +@@ -2407,8 +2476,15 @@ spnego_gss_set_sec_context_option( + const gss_buffer_t value) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)*context_handle; ++ ++ /* There are no SPNEGO-specific OIDs for this function, and we cannot ++ * construct an empty SPNEGO context with it. */ ++ if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_UNAVAILABLE); ++ + ret = gss_set_sec_context_option(minor_status, +- context_handle, ++ &sc->ctx_handle, + desired_object, + value); + return (ret); +@@ -2425,8 +2501,13 @@ spnego_gss_wrap_aead(OM_uint32 *minor_status, + gss_buffer_t output_message_buffer) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap_aead(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_req_flag, + qop_req, + input_assoc_buffer, +@@ -2447,8 +2528,13 @@ spnego_gss_unwrap_aead(OM_uint32 *minor_status, + gss_qop_t *qop_state) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_unwrap_aead(minor_status, +- context_handle, ++ sc->ctx_handle, + input_message_buffer, + input_assoc_buffer, + output_payload_buffer, +@@ -2467,8 +2553,13 @@ spnego_gss_wrap_iov(OM_uint32 *minor_status, + int iov_count) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap_iov(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_req_flag, + qop_req, + conf_state, +@@ -2486,8 +2577,13 @@ spnego_gss_unwrap_iov(OM_uint32 *minor_status, + int iov_count) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_unwrap_iov(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_state, + qop_state, + iov, +@@ -2505,8 +2601,13 @@ spnego_gss_wrap_iov_length(OM_uint32 *minor_status, + int iov_count) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap_iov_length(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_req_flag, + qop_req, + conf_state, +@@ -2523,8 +2624,13 @@ spnego_gss_complete_auth_token( + gss_buffer_t input_message_buffer) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_UNAVAILABLE); ++ + ret = gss_complete_auth_token(minor_status, +- context_handle, ++ sc->ctx_handle, + input_message_buffer); + return (ret); + } +@@ -2776,8 +2882,13 @@ spnego_gss_pseudo_random(OM_uint32 *minor_status, + gss_buffer_t prf_out) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_pseudo_random(minor_status, +- context, ++ sc->ctx_handle, + prf_key, + prf_in, + desired_output_len, +@@ -2918,7 +3029,12 @@ spnego_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_qop_t qop_req, gss_iov_buffer_desc *iov, + int iov_count) + { +- return gss_get_mic_iov(minor_status, context_handle, qop_req, iov, ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ ++ return gss_get_mic_iov(minor_status, sc->ctx_handle, qop_req, iov, + iov_count); + } + +@@ -2927,7 +3043,12 @@ spnego_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_qop_t *qop_state, gss_iov_buffer_desc *iov, + int iov_count) + { +- return gss_verify_mic_iov(minor_status, context_handle, qop_state, iov, ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ ++ return gss_verify_mic_iov(minor_status, sc->ctx_handle, qop_state, iov, + iov_count); + } + +@@ -2936,7 +3057,12 @@ spnego_gss_get_mic_iov_length(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, gss_qop_t qop_req, + gss_iov_buffer_desc *iov, int iov_count) + { +- return gss_get_mic_iov_length(minor_status, context_handle, qop_req, iov, ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ ++ return gss_get_mic_iov_length(minor_status, sc->ctx_handle, qop_req, iov, + iov_count); + } + diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch new file mode 100644 index 0000000000..aa9fcfa0dd --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch @@ -0,0 +1,65 @@ +Copied from Debian. + +From 18c512ebdcc5cacc777e9dbcc6817f83c301ad93 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Wed, 4 Nov 2015 21:29:10 -0500 +Subject: Fix SPNEGO context import + +The patches for CVE-2015-2695 did not implement a SPNEGO +gss_import_sec_context() function, under the erroneous belief than an +exported SPNEGO context would be tagged with the underlying context +mechanism. Implement it now to allow SPNEGO contexts to be +successfully exported and imported after establishment. + +ticket: 8273 +(cherry picked from commit fbb565f913c52eba9bea82f1694aba7a8c90e93d) + +Patch-Category: upstream +--- + src/lib/gssapi/spnego/spnego_mech.c | 33 +++++++++++++++++++++++++++------ + 1 file changed, 27 insertions(+), 6 deletions(-) + +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index a1072b0..02284a1 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -2256,12 +2256,33 @@ spnego_gss_import_sec_context( + const gss_buffer_t interprocess_token, + gss_ctx_id_t *context_handle) + { +- /* +- * Until we implement partial context exports, there are no SPNEGO +- * exported context tokens, only tokens for underlying mechs. So just +- * return an error for now. +- */ +- return GSS_S_UNAVAILABLE; ++ OM_uint32 ret, tmpmin; ++ gss_ctx_id_t mctx; ++ spnego_gss_ctx_id_t sc; ++ int initiate, opened; ++ ++ ret = gss_import_sec_context(minor_status, interprocess_token, &mctx); ++ if (ret != GSS_S_COMPLETE) ++ return ret; ++ ++ ret = gss_inquire_context(&tmpmin, mctx, NULL, NULL, NULL, NULL, NULL, ++ &initiate, &opened); ++ if (ret != GSS_S_COMPLETE || !opened) { ++ /* We don't currently support importing partially established ++ * contexts. */ ++ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER); ++ return GSS_S_FAILURE; ++ } ++ ++ sc = create_spnego_ctx(initiate); ++ if (sc == NULL) { ++ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER); ++ return GSS_S_FAILURE; ++ } ++ sc->ctx_handle = mctx; ++ sc->opened = 1; ++ *context_handle = (gss_ctx_id_t)sc; ++ return GSS_S_COMPLETE; + } + #endif /* LEAN_CLIENT */ + diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2696.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2696.patch new file mode 100644 index 0000000000..7b4b1d71ab --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-2696.patch @@ -0,0 +1,736 @@ +Copied from Debian. + +From ebea85358bc72ec20c53130d83acb93f95853b76 Mon Sep 17 00:00:00 2001 +From: Nicolas Williams <nico@twosigma.com> +Date: Mon, 14 Sep 2015 12:28:36 -0400 +Subject: Fix IAKERB context aliasing bugs [CVE-2015-2696] + +The IAKERB mechanism currently replaces its context handle with the +krb5 mechanism handle upon establishment, under the assumption that +most GSS functions are only called after context establishment. This +assumption is incorrect, and can lead to aliasing violations for some +programs. Maintain the IAKERB context structure after context +establishment and add new IAKERB entry points to refer to it with that +type. Add initiate and established flags to the IAKERB context +structure for use in gss_inquire_context() prior to context +establishment. + +CVE-2015-2696: + +In MIT krb5 1.9 and later, applications which call +gss_inquire_context() on a partially-established IAKERB context can +cause the GSS-API library to read from a pointer using the wrong type, +generally causing a process crash. Java server applications using the +native JGSS provider are vulnerable to this bug. A carefully crafted +IAKERB packet might allow the gss_inquire_context() call to succeed +with attacker-determined results, but applications should not make +access control decisions based on gss_inquire_context() results prior +to context establishment. + + CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C + +[ghudson@mit.edu: several bugfixes, style changes, and edge-case +behavior changes; commit message and CVE description] + +ticket: 8244 +target_version: 1.14 +tags: pullup + +(cherry picked from commit e04f0283516e80d2f93366e0d479d13c9b5c8c2a) +Patch-Category: upstream +--- + src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++ + src/lib/gssapi/krb5/gssapi_krb5.c | 105 +++++++++-- + src/lib/gssapi/krb5/iakerb.c | 351 +++++++++++++++++++++++++++++++++---- + 3 files changed, 529 insertions(+), 41 deletions(-) + +diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h +index a0e8625..05dc321 100644 +--- a/src/lib/gssapi/krb5/gssapiP_krb5.h ++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h +@@ -620,6 +620,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext + ); + #endif /* LEAN_CLIENT */ + ++OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid ++(OM_uint32*, /* minor_status */ ++ const gss_ctx_id_t, ++ /* context_handle */ ++ const gss_OID, /* desired_object */ ++ gss_buffer_set_t* /* data_set */ ++); ++ ++OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option ++(OM_uint32*, /* minor_status */ ++ gss_ctx_id_t*, /* context_handle */ ++ const gss_OID, /* desired_object */ ++ const gss_buffer_t/* value */ ++); ++ + OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token + (OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ +@@ -1301,6 +1316,105 @@ OM_uint32 KRB5_CALLCONV + krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token, + gss_cred_id_t *cred_handle); + ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_process_context_token(OM_uint32 *minor_status, ++ const gss_ctx_id_t context_handle, ++ const gss_buffer_t token_buffer); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ OM_uint32 *time_rec); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_inquire_context(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, gss_name_t *src_name, ++ gss_name_t *targ_name, OM_uint32 *lifetime_rec, ++ gss_OID *mech_type, OM_uint32 *ctx_flags, ++ int *locally_initiated, int *opened); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t qop_req, gss_buffer_t message_buffer, ++ gss_buffer_t message_token); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t qop_req, gss_iov_buffer_desc *iov, ++ int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, gss_qop_t qop_req, ++ gss_iov_buffer_desc *iov, int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t msg_buffer, gss_buffer_t token_buffer, ++ gss_qop_t *qop_state); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t *qop_state, gss_iov_buffer_desc *iov, ++ int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, ++ gss_buffer_t input_message_buffer, int *conf_state, ++ gss_buffer_t output_message_buffer); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, int *conf_state, ++ gss_iov_buffer_desc *iov, int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_iov_length(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, int conf_req_flag, ++ gss_qop_t qop_req, int *conf_state, ++ gss_iov_buffer_desc *iov, int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t input_message_buffer, ++ gss_buffer_t output_message_buffer, int *conf_state, ++ gss_qop_t *qop_state); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int *conf_state, gss_qop_t *qop_state, ++ gss_iov_buffer_desc *iov, int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_size_limit(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, int conf_req_flag, ++ gss_qop_t qop_req, OM_uint32 req_output_size, ++ OM_uint32 *max_input_size); ++ ++#ifndef LEAN_CLIENT ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_export_sec_context(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ gss_buffer_t interprocess_token); ++#endif /* LEAN_CLIENT */ ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status, ++ const gss_ctx_id_t context_handle, ++ const gss_OID desired_object, ++ gss_buffer_set_t *data_set); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_set_sec_context_option(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ const gss_OID desired_object, ++ const gss_buffer_t value); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int prf_key, const gss_buffer_t prf_in, ++ ssize_t desired_output_len, gss_buffer_t prf_out); ++ + /* Magic string to identify exported krb5 GSS credentials. Increment this if + * the format changes. */ + #define CRED_EXPORT_MAGIC "K5C1" +diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c +index 77b7fff..9a23656 100644 +--- a/src/lib/gssapi/krb5/gssapi_krb5.c ++++ b/src/lib/gssapi/krb5/gssapi_krb5.c +@@ -345,7 +345,7 @@ static struct { + } + }; + +-static OM_uint32 KRB5_CALLCONV ++OM_uint32 KRB5_CALLCONV + krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, +@@ -459,7 +459,7 @@ static struct { + }; + #endif + +-static OM_uint32 KRB5_CALLCONV ++OM_uint32 KRB5_CALLCONV + krb5_gss_set_sec_context_option (OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + const gss_OID desired_object, +@@ -904,20 +904,103 @@ static struct gss_config krb5_mechanism = { + krb5_gss_get_mic_iov_length, + }; + ++/* Functions which use security contexts or acquire creds are IAKERB-specific; ++ * other functions can borrow from the krb5 mech. */ ++static struct gss_config iakerb_mechanism = { ++ { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID }, ++ NULL, ++ iakerb_gss_acquire_cred, ++ krb5_gss_release_cred, ++ iakerb_gss_init_sec_context, ++#ifdef LEAN_CLIENT ++ NULL, ++#else ++ iakerb_gss_accept_sec_context, ++#endif ++ iakerb_gss_process_context_token, ++ iakerb_gss_delete_sec_context, ++ iakerb_gss_context_time, ++ iakerb_gss_get_mic, ++ iakerb_gss_verify_mic, ++#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE) ++ NULL, ++#else ++ iakerb_gss_wrap, ++#endif ++#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE) ++ NULL, ++#else ++ iakerb_gss_unwrap, ++#endif ++ krb5_gss_display_status, ++ krb5_gss_indicate_mechs, ++ krb5_gss_compare_name, ++ krb5_gss_display_name, ++ krb5_gss_import_name, ++ krb5_gss_release_name, ++ krb5_gss_inquire_cred, ++ NULL, /* add_cred */ ++#ifdef LEAN_CLIENT ++ NULL, ++ NULL, ++#else ++ iakerb_gss_export_sec_context, ++ NULL, ++#endif ++ krb5_gss_inquire_cred_by_mech, ++ krb5_gss_inquire_names_for_mech, ++ iakerb_gss_inquire_context, ++ krb5_gss_internal_release_oid, ++ iakerb_gss_wrap_size_limit, ++ krb5_gss_localname, ++ krb5_gss_authorize_localname, ++ krb5_gss_export_name, ++ krb5_gss_duplicate_name, ++ krb5_gss_store_cred, ++ iakerb_gss_inquire_sec_context_by_oid, ++ krb5_gss_inquire_cred_by_oid, ++ iakerb_gss_set_sec_context_option, ++ krb5_gssspi_set_cred_option, ++ krb5_gssspi_mech_invoke, ++ NULL, /* wrap_aead */ ++ NULL, /* unwrap_aead */ ++ iakerb_gss_wrap_iov, ++ iakerb_gss_unwrap_iov, ++ iakerb_gss_wrap_iov_length, ++ NULL, /* complete_auth_token */ ++ NULL, /* acquire_cred_impersonate_name */ ++ NULL, /* add_cred_impersonate_name */ ++ NULL, /* display_name_ext */ ++ krb5_gss_inquire_name, ++ krb5_gss_get_name_attribute, ++ krb5_gss_set_name_attribute, ++ krb5_gss_delete_name_attribute, ++ krb5_gss_export_name_composite, ++ krb5_gss_map_name_to_any, ++ krb5_gss_release_any_name_mapping, ++ iakerb_gss_pseudo_random, ++ NULL, /* set_neg_mechs */ ++ krb5_gss_inquire_saslname_for_mech, ++ krb5_gss_inquire_mech_for_saslname, ++ krb5_gss_inquire_attrs_for_mech, ++ krb5_gss_acquire_cred_from, ++ krb5_gss_store_cred_into, ++ iakerb_gss_acquire_cred_with_password, ++ krb5_gss_export_cred, ++ krb5_gss_import_cred, ++ NULL, /* import_sec_context_by_mech */ ++ NULL, /* import_name_by_mech */ ++ NULL, /* import_cred_by_mech */ ++ iakerb_gss_get_mic_iov, ++ iakerb_gss_verify_mic_iov, ++ iakerb_gss_get_mic_iov_length, ++}; ++ + #ifdef _GSS_STATIC_LINK + #include "mglueP.h" + static int gss_iakerbmechglue_init(void) + { + struct gss_mech_config mech_iakerb; +- struct gss_config iakerb_mechanism = krb5_mechanism; +- +- /* IAKERB mechanism mirrors krb5, but with different context SPIs */ +- iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context; +- iakerb_mechanism.gss_init_sec_context = iakerb_gss_init_sec_context; +- iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context; +- iakerb_mechanism.gss_acquire_cred = iakerb_gss_acquire_cred; +- iakerb_mechanism.gssspi_acquire_cred_with_password +- = iakerb_gss_acquire_cred_with_password; + + memset(&mech_iakerb, 0, sizeof(mech_iakerb)); + mech_iakerb.mech = &iakerb_mechanism; +diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c +index f30de32..4662bd9 100644 +--- a/src/lib/gssapi/krb5/iakerb.c ++++ b/src/lib/gssapi/krb5/iakerb.c +@@ -47,6 +47,8 @@ struct _iakerb_ctx_id_rec { + gss_ctx_id_t gssc; + krb5_data conv; /* conversation for checksumming */ + unsigned int count; /* number of round trips */ ++ int initiate; ++ int established; + krb5_get_init_creds_opt *gic_opts; + }; + +@@ -695,7 +697,7 @@ cleanup: + * Allocate and initialise an IAKERB context + */ + static krb5_error_code +-iakerb_alloc_context(iakerb_ctx_id_t *pctx) ++iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate) + { + iakerb_ctx_id_t ctx; + krb5_error_code code; +@@ -709,6 +711,8 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx) + ctx->magic = KG_IAKERB_CONTEXT; + ctx->state = IAKERB_AS_REQ; + ctx->count = 0; ++ ctx->initiate = initiate; ++ ctx->established = 0; + + code = krb5_gss_init_context(&ctx->k5c); + if (code != 0) +@@ -732,7 +736,7 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + gss_buffer_t output_token) + { +- OM_uint32 major_status = GSS_S_COMPLETE; ++ iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle; + + if (output_token != GSS_C_NO_BUFFER) { + output_token->length = 0; +@@ -740,23 +744,10 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status, + } + + *minor_status = 0; ++ *context_handle = GSS_C_NO_CONTEXT; ++ iakerb_release_context(iakerb_ctx); + +- if (*context_handle != GSS_C_NO_CONTEXT) { +- iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle; +- +- if (iakerb_ctx->magic == KG_IAKERB_CONTEXT) { +- iakerb_release_context(iakerb_ctx); +- *context_handle = GSS_C_NO_CONTEXT; +- } else { +- assert(iakerb_ctx->magic == KG_CONTEXT); +- +- major_status = krb5_gss_delete_sec_context(minor_status, +- context_handle, +- output_token); +- } +- } +- +- return major_status; ++ return GSS_S_COMPLETE; + } + + static krb5_boolean +@@ -802,7 +793,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status, + int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT); + + if (initialContextToken) { +- code = iakerb_alloc_context(&ctx); ++ code = iakerb_alloc_context(&ctx, 0); + if (code != 0) + goto cleanup; + +@@ -854,11 +845,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status, + time_rec, + delegated_cred_handle, + &exts); +- if (major_status == GSS_S_COMPLETE) { +- *context_handle = ctx->gssc; +- ctx->gssc = NULL; +- iakerb_release_context(ctx); +- } ++ if (major_status == GSS_S_COMPLETE) ++ ctx->established = 1; + if (mech_type != NULL) + *mech_type = (gss_OID)gss_mech_krb5; + } +@@ -897,7 +885,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, + int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT); + + if (initialContextToken) { +- code = iakerb_alloc_context(&ctx); ++ code = iakerb_alloc_context(&ctx, 1); + if (code != 0) { + *minor_status = code; + goto cleanup; +@@ -983,11 +971,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, + ret_flags, + time_rec, + &exts); +- if (major_status == GSS_S_COMPLETE) { +- *context_handle = ctx->gssc; +- ctx->gssc = GSS_C_NO_CONTEXT; +- iakerb_release_context(ctx); +- } ++ if (major_status == GSS_S_COMPLETE) ++ ctx->established = 1; + if (actual_mech_type != NULL) + *actual_mech_type = (gss_OID)gss_mech_krb5; + } else { +@@ -1010,3 +995,309 @@ cleanup: + + return major_status; + } ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t input_message_buffer, ++ gss_buffer_t output_message_buffer, int *conf_state, ++ gss_qop_t *qop_state) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_unwrap(minor_status, ctx->gssc, input_message_buffer, ++ output_message_buffer, conf_state, qop_state); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, ++ gss_buffer_t input_message_buffer, int *conf_state, ++ gss_buffer_t output_message_buffer) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_wrap(minor_status, ctx->gssc, conf_req_flag, qop_req, ++ input_message_buffer, conf_state, ++ output_message_buffer); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_process_context_token(OM_uint32 *minor_status, ++ const gss_ctx_id_t context_handle, ++ const gss_buffer_t token_buffer) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_DEFECTIVE_TOKEN; ++ ++ return krb5_gss_process_context_token(minor_status, ctx->gssc, ++ token_buffer); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ OM_uint32 *time_rec) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_context_time(minor_status, ctx->gssc, time_rec); ++} ++ ++#ifndef LEAN_CLIENT ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_export_sec_context(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ gss_buffer_t interprocess_token) ++{ ++ OM_uint32 maj; ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ /* We don't currently support exporting partially established contexts. */ ++ if (!ctx->established) ++ return GSS_S_UNAVAILABLE; ++ ++ maj = krb5_gss_export_sec_context(minor_status, &ctx->gssc, ++ interprocess_token); ++ if (ctx->gssc == GSS_C_NO_CONTEXT) { ++ iakerb_release_context(ctx); ++ *context_handle = GSS_C_NO_CONTEXT; ++ } ++ return maj; ++} ++ ++/* ++ * Until we implement partial context exports, there are no SPNEGO exported ++ * context tokens, only tokens for the underlying krb5 context. So we do not ++ * need to implement an iakerb_gss_import_sec_context() yet; it would be ++ * unreachable except via a manually constructed token. ++ */ ++ ++#endif /* LEAN_CLIENT */ ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_inquire_context(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, gss_name_t *src_name, ++ gss_name_t *targ_name, OM_uint32 *lifetime_rec, ++ gss_OID *mech_type, OM_uint32 *ctx_flags, ++ int *initiate, int *opened) ++{ ++ OM_uint32 ret; ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (src_name != NULL) ++ *src_name = GSS_C_NO_NAME; ++ if (targ_name != NULL) ++ *targ_name = GSS_C_NO_NAME; ++ if (lifetime_rec != NULL) ++ *lifetime_rec = 0; ++ if (mech_type != NULL) ++ *mech_type = (gss_OID)gss_mech_iakerb; ++ if (ctx_flags != NULL) ++ *ctx_flags = 0; ++ if (initiate != NULL) ++ *initiate = ctx->initiate; ++ if (opened != NULL) ++ *opened = ctx->established; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_COMPLETE; ++ ++ ret = krb5_gss_inquire_context(minor_status, ctx->gssc, src_name, ++ targ_name, lifetime_rec, mech_type, ++ ctx_flags, initiate, opened); ++ ++ if (!ctx->established) { ++ /* Report IAKERB as the mech OID until the context is established. */ ++ if (mech_type != NULL) ++ *mech_type = (gss_OID)gss_mech_iakerb; ++ ++ /* We don't support exporting partially-established contexts. */ ++ if (ctx_flags != NULL) ++ *ctx_flags &= ~GSS_C_TRANS_FLAG; ++ } ++ ++ return ret; ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_size_limit(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, int conf_req_flag, ++ gss_qop_t qop_req, OM_uint32 req_output_size, ++ OM_uint32 *max_input_size) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_wrap_size_limit(minor_status, ctx->gssc, conf_req_flag, ++ qop_req, req_output_size, max_input_size); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t qop_req, gss_buffer_t message_buffer, ++ gss_buffer_t message_token) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_get_mic(minor_status, ctx->gssc, qop_req, message_buffer, ++ message_token); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t msg_buffer, gss_buffer_t token_buffer, ++ gss_qop_t *qop_state) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_verify_mic(minor_status, ctx->gssc, msg_buffer, ++ token_buffer, qop_state); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status, ++ const gss_ctx_id_t context_handle, ++ const gss_OID desired_object, ++ gss_buffer_set_t *data_set) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_UNAVAILABLE; ++ ++ return krb5_gss_inquire_sec_context_by_oid(minor_status, ctx->gssc, ++ desired_object, data_set); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_set_sec_context_option(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ const gss_OID desired_object, ++ const gss_buffer_t value) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle; ++ ++ if (ctx == NULL || ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_UNAVAILABLE; ++ ++ return krb5_gss_set_sec_context_option(minor_status, &ctx->gssc, ++ desired_object, value); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, int *conf_state, ++ gss_iov_buffer_desc *iov, int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_wrap_iov(minor_status, ctx->gssc, conf_req_flag, qop_req, ++ conf_state, iov, iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int *conf_state, gss_qop_t *qop_state, ++ gss_iov_buffer_desc *iov, int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_unwrap_iov(minor_status, ctx->gssc, conf_state, qop_state, ++ iov, iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_iov_length(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, int conf_req_flag, ++ gss_qop_t qop_req, int *conf_state, ++ gss_iov_buffer_desc *iov, int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_wrap_iov_length(minor_status, ctx->gssc, conf_req_flag, ++ qop_req, conf_state, iov, iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int prf_key, const gss_buffer_t prf_in, ++ ssize_t desired_output_len, gss_buffer_t prf_out) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_pseudo_random(minor_status, ctx->gssc, prf_key, prf_in, ++ desired_output_len, prf_out); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t qop_req, gss_iov_buffer_desc *iov, ++ int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_get_mic_iov(minor_status, ctx->gssc, qop_req, iov, ++ iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t *qop_state, gss_iov_buffer_desc *iov, ++ int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_verify_mic_iov(minor_status, ctx->gssc, qop_state, iov, ++ iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, gss_qop_t qop_req, ++ gss_iov_buffer_desc *iov, int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_get_mic_iov_length(minor_status, ctx->gssc, qop_req, iov, ++ iov_count); ++} diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch new file mode 100644 index 0000000000..f65ce39623 --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch @@ -0,0 +1,55 @@ +Copied from Debian. + +From fcafb522a0509bfd6f4f6b57e4a1e93c0092eeb0 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Fri, 25 Sep 2015 12:51:47 -0400 +Subject: Fix build_principal memory bug [CVE-2015-2697] + +In build_principal_va(), use k5memdup0() instead of strdup() to make a +copy of the realm, to ensure that we allocate the correct number of +bytes and do not read past the end of the input string. This bug +affects krb5_build_principal(), krb5_build_principal_va(), and +krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not +affected. + +CVE-2015-2697: + +In MIT krb5 1.7 and later, an authenticated attacker may be able to +cause a KDC to crash using a TGS request with a large realm field +beginning with a null byte. If the KDC attempts to find a referral to +answer the request, it constructs a principal name for lookup using +krb5_build_principal() with the requested realm. Due to a bug in this +function, the null byte causes only one byte be allocated for the +realm field of the constructed principal, far less than its length. +Subsequent operations on the lookup principal may cause a read beyond +the end of the mapped memory region, causing the KDC process to crash. + +CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C + +ticket: 8252 (new) +target_version: 1.14 +tags: pullup + +(cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789) +Patch-Category: upstream +--- + src/lib/krb5/krb/bld_princ.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c +index ab6fed8..8604268 100644 +--- a/src/lib/krb5/krb/bld_princ.c ++++ b/src/lib/krb5/krb/bld_princ.c +@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ, + data = malloc(size * sizeof(krb5_data)); + if (!data) { retval = ENOMEM; } + +- if (!retval) { +- r = strdup(realm); +- if (!r) { retval = ENOMEM; } +- } ++ if (!retval) ++ r = k5memdup0(realm, rlen, &retval); + + while (!retval && (component = va_arg(ap, char *))) { + if (count == size) { diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch new file mode 100644 index 0000000000..67545e4c16 --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch @@ -0,0 +1,43 @@ +Copied from Debian. + +From 1a8bdc6d81dcd7dd8a4d42e8de6d2cacf1dd4408 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Tue, 27 Oct 2015 00:44:24 -0400 +Subject: Fix two IAKERB comments + +The comment explaining why there is no iakerb_gss_import_sec_context() +erroneously referenced SPNEGO instead of IAKERB (noticed by Ben +Kaduk). The comment above iakerb_gss_delete_sec_context() is out of +date after the last commit. + +(cherry picked from commit 92d6dd045dfc06cc03d20b327a6ee7a71e6bc24d) + +Patch-Category: upstream +--- + src/lib/gssapi/krb5/iakerb.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c +index 4662bd9..e25862d 100644 +--- a/src/lib/gssapi/krb5/iakerb.c ++++ b/src/lib/gssapi/krb5/iakerb.c +@@ -727,10 +727,6 @@ cleanup: + return code; + } + +-/* +- * Delete an IAKERB context. This can also accept Kerberos context +- * handles. The heuristic is similar to SPNEGO's delete_sec_context. +- */ + OM_uint32 KRB5_CALLCONV + iakerb_gss_delete_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, +@@ -1077,7 +1073,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status, + } + + /* +- * Until we implement partial context exports, there are no SPNEGO exported ++ * Until we implement partial context exports, there are no IAKERB exported + * context tokens, only tokens for the underlying krb5 context. So we do not + * need to implement an iakerb_gss_import_sec_context() yet; it would be + * unreachable except via a manually constructed token. diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch new file mode 100644 index 0000000000..8725cd4eed --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch @@ -0,0 +1,132 @@ +Copied from Debian. + +From 4b330d5be1f8048be4d079ac3cb38d60c0e99e69 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Wed, 4 Nov 2015 21:28:28 -0500 +Subject: Fix IAKERB context export/import [CVE-2015-2698] + +The patches for CVE-2015-2696 contained a regression in the newly +added IAKERB iakerb_gss_export_sec_context() function, which could +cause it to corrupt memory. Fix the regression by properly +dereferencing the context_handle pointer before casting it. + +Also, the patches did not implement an IAKERB gss_import_sec_context() +function, under the erroneous belief than an exported IAKERB context +would be tagged as a krb5 context. Implement it now to allow IAKERB +contexts to be successfully exported and imported after establishment. + +CVE-2015-2698: + +In any MIT krb5 release with the patches for CVE-2015-2696 applied, an +application which calls gss_export_sec_context() may experience memory +corruption if the context was established using the IAKERB mechanism. +Historically, some vulnerabilities of this nature can be translated +into remote code execution, though the necessary exploits must be +tailored to the individual application and are usually quite +complicated. + + CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C + +ticket: 8273 (new) +target_version: 1.14 +tags: pullup + +(cherry picked from commit d8b31c874c7d1039be7649362ef11c89f4e14c27) + +Patch-Category: upstream +--- + src/lib/gssapi/krb5/gssapiP_krb5.h | 5 +++++ + src/lib/gssapi/krb5/gssapi_krb5.c | 2 +- + src/lib/gssapi/krb5/iakerb.c | 42 +++++++++++++++++++++++++++++++------- + 3 files changed, 41 insertions(+), 8 deletions(-) + +diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h +index 05dc321..ac53662 100644 +--- a/src/lib/gssapi/krb5/gssapiP_krb5.h ++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h +@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV + iakerb_gss_export_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + gss_buffer_t interprocess_token); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_import_sec_context(OM_uint32 *minor_status, ++ const gss_buffer_t interprocess_token, ++ gss_ctx_id_t *context_handle); + #endif /* LEAN_CLIENT */ + + OM_uint32 KRB5_CALLCONV +diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c +index 9a23656..d7ba279 100644 +--- a/src/lib/gssapi/krb5/gssapi_krb5.c ++++ b/src/lib/gssapi/krb5/gssapi_krb5.c +@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = { + NULL, + #else + iakerb_gss_export_sec_context, +- NULL, ++ iakerb_gss_import_sec_context, + #endif + krb5_gss_inquire_cred_by_mech, + krb5_gss_inquire_names_for_mech, +diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c +index e25862d..32a341e 100644 +--- a/src/lib/gssapi/krb5/iakerb.c ++++ b/src/lib/gssapi/krb5/iakerb.c +@@ -1057,7 +1057,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status, + gss_buffer_t interprocess_token) + { + OM_uint32 maj; +- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle; + + /* We don't currently support exporting partially established contexts. */ + if (!ctx->established) +@@ -1072,13 +1072,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status, + return maj; + } + +-/* +- * Until we implement partial context exports, there are no IAKERB exported +- * context tokens, only tokens for the underlying krb5 context. So we do not +- * need to implement an iakerb_gss_import_sec_context() yet; it would be +- * unreachable except via a manually constructed token. +- */ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_import_sec_context(OM_uint32 *minor_status, ++ gss_buffer_t interprocess_token, ++ gss_ctx_id_t *context_handle) ++{ ++ OM_uint32 maj, tmpmin; ++ krb5_error_code code; ++ gss_ctx_id_t gssc; ++ krb5_gss_ctx_id_t kctx; ++ iakerb_ctx_id_t ctx; ++ ++ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc); ++ if (maj != GSS_S_COMPLETE) ++ return maj; ++ kctx = (krb5_gss_ctx_id_t)gssc; ++ ++ if (!kctx->established) { ++ /* We don't currently support importing partially established ++ * contexts. */ ++ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER); ++ return GSS_S_FAILURE; ++ } + ++ code = iakerb_alloc_context(&ctx, kctx->initiate); ++ if (code != 0) { ++ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER); ++ *minor_status = code; ++ return GSS_S_FAILURE; ++ } ++ ++ ctx->gssc = gssc; ++ ctx->established = 1; ++ *context_handle = (gss_ctx_id_t)ctx; ++ return GSS_S_COMPLETE; ++} + #endif /* LEAN_CLIENT */ + + OM_uint32 KRB5_CALLCONV diff --git a/gnu/packages/patches/mit-krb5-init-fix.patch b/gnu/packages/patches/mit-krb5-init-fix.patch deleted file mode 100644 index 13e49c2789..0000000000 --- a/gnu/packages/patches/mit-krb5-init-fix.patch +++ /dev/null @@ -1,18 +0,0 @@ -Fix the early context initialization code to avoid assuming that -arguments will be evaluated from right to left. - -Patch by Mark H Weaver <mhw@netris.org>. - ---- src/lib/krb5/krb/t_cc_config.c.orig 2012-12-17 21:47:05.000000000 -0500 -+++ src/lib/krb5/krb/t_cc_config.c 2013-10-29 18:19:16.547994590 -0400 -@@ -117,8 +117,8 @@ - int c; - unsigned int i; - -- bail_on_err(context, "Error initializing Kerberos library", -- krb5_init_context(&context)); -+ ret = krb5_init_context(&context); -+ bail_on_err(context, "Error initializing Kerberos library", ret); - bail_on_err(context, "Error getting location of default ccache", - krb5_cc_default(context, &ccache)); - server = NULL; diff --git a/gnu/packages/patches/mupen64plus-ui-console-notice.patch b/gnu/packages/patches/mupen64plus-ui-console-notice.patch new file mode 100644 index 0000000000..1d0b4c46bb --- /dev/null +++ b/gnu/packages/patches/mupen64plus-ui-console-notice.patch @@ -0,0 +1,34 @@ +Mupen64Plus supports a single data directory and a single plugin directory in +its configuration, yet we need data and plugin files from a variety of +packages. The best way to deal with this is to install all packages from +which data and plugin files are needed into one's profile, and point the +configuration there. Hence, the ui-console package provides propagated inputs +for packages with the most important data and plugin files, and this patch +provides the user instructions on what needs to be done in order to have +Mupen64Plus find the relevant data and plugins. + +--- a/src/plugin.c ++++ b/src/plugin.c +@@ -122,6 +122,22 @@ m64p_error PluginSearchLoad(m64p_handle ConfigUI) + { + const char *plugindir = (*ConfigGetParamString)(ConfigUI, "PluginDir"); + lib_filelist = osal_library_search(plugindir); ++ /* Guix specific */ ++ if (lib_filelist == NULL) ++ { ++ DebugMessage(M64MSG_ERROR, "No plugins found in PluginDir path: %s", plugindir); ++ DebugMessage(M64MSG_ERROR, ++ "\n\n" ++ "*********************************\n" ++ "*** Notice for GNU Guix users ***\n" ++ "*********************************\n" ++ "\n" ++ "You might want to edit your mupen64plus.cfg (in $XDG_CONFIG_HOME by default)\n" ++ "and set SharedDataPath to /path/to/my_guix_profile/share/mupen64plus and\n" ++ "PluginDir to /path/to/my_guix_profile/lib/mupen64plus so that data and plugins\n" ++ "are found.\n" ++ "\n"); ++ } + } + + /* if still no plugins found, search some common system folders */ diff --git a/gnu/packages/patches/preseq-1.0.2-install-to-PREFIX.patch b/gnu/packages/patches/preseq-1.0.2-install-to-PREFIX.patch deleted file mode 100644 index f8318ae0f5..0000000000 --- a/gnu/packages/patches/preseq-1.0.2-install-to-PREFIX.patch +++ /dev/null @@ -1,37 +0,0 @@ -This patch has been submitted upstream: https://github.com/smithlabcode/preseq/pull/15 - -From 65387b0d766e6c06a15cf8d8f9183d9a4ba644bb Mon Sep 17 00:00:00 2001 -From: Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> -Date: Thu, 25 Jun 2015 15:01:53 +0200 -Subject: [PATCH] Install to PREFIX - ---- - Makefile | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/Makefile b/Makefile -index 4d0367a..e334f2f 100644 ---- a/preseq-master/Makefile -+++ b/preseq-master/Makefile -@@ -22,6 +22,10 @@ ifndef ROOT - ROOT = $(shell pwd) - endif - -+ifndef PREFIX -+PREFIX = $(ROOT) -+endif -+ - ifndef SMITHLAB_CPP - SMITHLAB_CPP=$(ROOT)/smithlab_cpp/ - endif -@@ -91,8 +95,8 @@ endif - $(CXX) $(CXXFLAGS) -o $@ $^ $(INCLUDEARGS) $(LIBS) - - install: $(PROGS) -- @mkdir -p $(ROOT)/bin -- @install -m 755 $(PROGS) $(ROOT)/bin -+ @mkdir -p $(PREFIX)/bin -+ @install -m 755 $(PROGS) $(PREFIX)/bin - - clean: - @-rm -f $(PROGS) *.o *~ diff --git a/gnu/packages/patches/preseq-1.0.2-link-with-libbam.patch b/gnu/packages/patches/preseq-1.0.2-link-with-libbam.patch deleted file mode 100644 index 035a3b1fe4..0000000000 --- a/gnu/packages/patches/preseq-1.0.2-link-with-libbam.patch +++ /dev/null @@ -1,33 +0,0 @@ -This patch has been submitted upstream: https://github.com/smithlabcode/preseq/pull/15 - -From a937a54d56e8a6ff06237471e568154d1fa5f267 Mon Sep 17 00:00:00 2001 -From: Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> -Date: Thu, 25 Jun 2015 15:02:35 +0200 -Subject: [PATCH] Link with libbam.a if provided via LIBBAM - ---- - Makefile | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/Makefile b/Makefile -index e334f2f..de310e4 100644 ---- a/preseq-master/Makefile -+++ b/preseq-master/Makefile -@@ -83,10 +83,17 @@ $(PROGS): $(addprefix $(SMITHLAB_CPP)/, \ - preseq: continued_fraction.o load_data_for_complexity.o moment_sequence.o - - ifdef SAMTOOLS_DIR -+ifdef LIBBAM -+LIBS += -pthread -+bam2mr preseq: $(addprefix $(SMITHLAB_CPP)/, SAM.o) \ -+ $(LIBBAM) -+else - bam2mr preseq: $(addprefix $(SMITHLAB_CPP)/, SAM.o) \ - $(addprefix $(SAMTOOLS_DIR)/, sam.o bam.o bam_import.o bam_pileup.o \ - faidx.o bam_aux.o kstring.o knetfile.o sam_header.o razf.o bgzf.o) - endif -+endif # SAMTOOLS_DIR -+ - - %.o: %.cpp %.hpp - $(CXX) $(CXXFLAGS) -c -o $@ $< $(INCLUDEARGS) diff --git a/gnu/packages/patches/python-2-deterministic-build-info.patch b/gnu/packages/patches/python-2-deterministic-build-info.patch new file mode 100644 index 0000000000..25a079fe90 --- /dev/null +++ b/gnu/packages/patches/python-2-deterministic-build-info.patch @@ -0,0 +1,17 @@ +Always provide the same date and time in 'Py_GetBuildInfo'. +This is the information shown at the REPL and in 'sys.version'. +We cannot pass it in CPPFLAGS due to whitespace in the DATE string. + +--- a/Modules/getbuildinfo.c ++++ b/Modules/getbuildinfo.c +@@ -4,6 +4,10 @@ + #include <stdio.h> + #endif + ++/* Deterministic date and time. */ ++#define DATE "Jan 1 1970" ++#define TIME "00:00:01" ++ + #ifndef DATE + #ifdef __DATE__ + #define DATE __DATE__ diff --git a/gnu/packages/patches/python-2.7-source-date-epoch.patch b/gnu/packages/patches/python-2.7-source-date-epoch.patch new file mode 100644 index 0000000000..be1f8e010e --- /dev/null +++ b/gnu/packages/patches/python-2.7-source-date-epoch.patch @@ -0,0 +1,33 @@ +Honor the 'SOURCE_DATE_EPOCH' environment variable to allow for +determinitic builds. + +--- a/Lib/py_compile.py ++++ b/Lib/py_compile.py +@@ -105,7 +105,10 @@ def compile(file, cfile=None, dfile=None, doraise=False): + """ + with open(file, 'U') as f: + try: +- timestamp = long(os.fstat(f.fileno()).st_mtime) ++ if 'SOURCE_DATE_EPOCH' in os.environ: ++ timestamp = long(os.environ['SOURCE_DATE_EPOCH']) ++ else: ++ timestamp = long(os.fstat(f.fileno()).st_mtime) + except AttributeError: + timestamp = long(os.stat(file).st_mtime) + codestring = f.read() +diff --git a/Python/import.c b/Python/import.c +index e47ce63..7eecf9c 100644 +--- a/Python/import.c ++++ b/Python/import.c +@@ -945,6 +945,11 @@ write_compiled_module(PyCodeObject *co, char *cpathname, struct stat *srcstat, t + /* Now write the true mtime (as a 32-bit field) */ + fseek(fp, 4L, 0); + assert(mtime <= 0xFFFFFFFF); ++ if (Py_GETENV("SOURCE_DATE_EPOCH") != NULL) { ++ const char *epoch = Py_GETENV("SOURCE_DATE_EPOCH"); ++ mtime = atoi(epoch); ++ } ++ + PyMarshal_WriteLongToFile((long)mtime, fp, Py_MARSHAL_VERSION); + fflush(fp); + fclose(fp); diff --git a/gnu/packages/patches/python-3-deterministic-build-info.patch b/gnu/packages/patches/python-3-deterministic-build-info.patch new file mode 100644 index 0000000000..22c372a0cf --- /dev/null +++ b/gnu/packages/patches/python-3-deterministic-build-info.patch @@ -0,0 +1,17 @@ +Always provide the same date and time in 'Py_GetBuildInfo'. +This is the information shown at the REPL and in 'sys.version'. +We cannot pass it in CPPFLAGS due to whitespace in the DATE string. + +--- Modules/getbuildinfo.c ++++ Modules/getbuildinfo.c +@@ -4,6 +4,10 @@ + #include <stdio.h> + #endif + ++/* Deterministic date and time. */ ++#define DATE "Jan 1 1970" ++#define TIME "00:00:01" ++ + #ifndef DATE + #ifdef __DATE__ + #define DATE __DATE__ diff --git a/gnu/packages/patches/python-configobj-setuptools.patch b/gnu/packages/patches/python-configobj-setuptools.patch new file mode 100644 index 0000000000..3f207ffd74 --- /dev/null +++ b/gnu/packages/patches/python-configobj-setuptools.patch @@ -0,0 +1,30 @@ +From 16fbc38f13e435b4e3e1a37d706e64e05bad4691 Mon Sep 17 00:00:00 2001 +From: Leo Famulari <leo@famulari.name> +Date: Tue, 10 Nov 2015 23:09:24 -0500 +Subject: [PATCH] patch build to use setuptools + +--- + setup.py | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/setup.py b/setup.py +index c6d57a6..27bf260 100644 +--- a/setup.py ++++ b/setup.py +@@ -12,7 +12,12 @@ + # http://opensource.org/licenses/BSD-3-Clause + import os + import sys +-from distutils.core import setup ++ ++try: ++ from setuptools import setup ++except ImportError: ++ from distutils.core import setup ++ + # a simple import wouldn't work if we moved towards a package with __init__ + from _version import __version__ + +-- +2.6.2 + diff --git a/gnu/packages/patches/scribus-qobject.patch b/gnu/packages/patches/scribus-qobject.patch new file mode 100644 index 0000000000..91be932f1b --- /dev/null +++ b/gnu/packages/patches/scribus-qobject.patch @@ -0,0 +1,17 @@ +See upstream bug report: http://bugs.scribus.net/view.php?id=13102 + +scribus/sclayer.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/scribus/sclayer.cpp b/scribus/sclayer.cpp +index 502112b..4da7bd5 100644 +--- a/scribus/sclayer.cpp ++++ b/scribus/sclayer.cpp +@@ -9,6 +9,7 @@ for which a new license (GPL+exception) is in place. + + #include <QHash> //necessary to avoid msvc warnings induced by SCRIBUS_API on ScLayers + early instanciation of templates + #include <QVector> //necessary to avoid msvc warnings induced by SCRIBUS_API on ScLayers + early instanciation of templates ++#include <QObject> + #include <QtAlgorithms> + + ScLayer::ScLayer(void) diff --git a/gnu/packages/patches/synfig-build-fix.patch b/gnu/packages/patches/synfig-build-fix.patch new file mode 100644 index 0000000000..3f6168e0fb --- /dev/null +++ b/gnu/packages/patches/synfig-build-fix.patch @@ -0,0 +1,61 @@ +Allow Synfig to build in C++11 mode. + +Taken from here: +https://projects.archlinux.org/svntogit/community.git/plain/trunk/build-fix.patch?h=packages/synfig + +diff -wbBur synfig-1.0-RC5/src/modules/mod_libavcodec/mptr.cpp synfig-1.0-RC5.my/src/modules/mod_libavcodec/mptr.cpp +--- synfig-1.0-RC5/src/modules/mod_libavcodec/mptr.cpp 2015-03-28 13:15:00.000000000 +0300 ++++ synfig-1.0-RC5.my/src/modules/mod_libavcodec/mptr.cpp 2015-04-28 16:56:11.568749053 +0300 +@@ -56,8 +56,8 @@ + /* === M E T H O D S ======================================================= */ + + +-Importer_LibAVCodec::Importer_LibAVCodec(const char *file): +- filename(file) ++Importer_LibAVCodec::Importer_LibAVCodec(const synfig::FileSystem::Identifier &identifier): ++ Importer(identifier) + { + } + +diff -wbBur synfig-1.0-RC5/src/modules/mod_libavcodec/mptr.h synfig-1.0-RC5.my/src/modules/mod_libavcodec/mptr.h +--- synfig-1.0-RC5/src/modules/mod_libavcodec/mptr.h 2015-03-28 13:15:00.000000000 +0300 ++++ synfig-1.0-RC5.my/src/modules/mod_libavcodec/mptr.h 2015-04-28 16:55:18.699192946 +0300 +@@ -46,7 +46,7 @@ + synfig::String filename; + + public: +- Importer_LibAVCodec(const char *filename); ++ Importer_LibAVCodec(const synfig::FileSystem::Identifier &identifier); + ~Importer_LibAVCodec(); + + virtual bool get_frame(synfig::Surface &surface, const synfig::RendDesc &renddesc, synfig::Time time, synfig::ProgressCallback *callback); +diff -wbBur synfig-1.0-RC5/src/modules/mod_libavcodec/trgt_av.cpp synfig-1.0-RC5.my/src/modules/mod_libavcodec/trgt_av.cpp +--- synfig-1.0-RC5/src/modules/mod_libavcodec/trgt_av.cpp 2015-03-28 13:15:00.000000000 +0300 ++++ synfig-1.0-RC5.my/src/modules/mod_libavcodec/trgt_av.cpp 2015-04-28 16:46:54.720091106 +0300 +@@ -121,14 +121,14 @@ + picture = avcodec_alloc_frame(); + if (!picture) + return NULL; +- size = avpicture_get_size(pix_fmt, width, height); ++ size = avpicture_get_size((::PixelFormat)pix_fmt, width, height); + picture_buf = (uint8_t *)malloc(size); + if (!picture_buf) { + av_free(picture); + return NULL; + } + avpicture_fill((AVPicture *)picture, picture_buf, +- pix_fmt, width, height); ++ (::PixelFormat)pix_fmt, width, height); + return picture; + } + +diff -wbBur synfig-1.0.2/src/synfig/time.cpp synfig-1.0.2.my/src/synfig/time.cpp +--- synfig-1.0.2/src/synfig/time.cpp 2015-07-09 10:33:03.000000000 +0300 ++++ synfig-1.0.2.my/src/synfig/time.cpp 2015-10-12 13:54:58.382313903 +0300 +@@ -319,5 +319,5 @@ + bool + Time::is_valid()const + { +- return !isnan(value_); ++ return !::isnan(value_); + } diff --git a/gnu/packages/patches/tcl-mkindex-deterministic.patch b/gnu/packages/patches/tcl-mkindex-deterministic.patch new file mode 100644 index 0000000000..2fcef6a4f7 --- /dev/null +++ b/gnu/packages/patches/tcl-mkindex-deterministic.patch @@ -0,0 +1,29 @@ +This patch ensures that the 'tclIndex' files generated by 'auto_mkindex' +are sorted in a deterministic fashion. + +Fixes a non-determinism issue reported +at <https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00696.html>. + +--- tcl8.6.4/library/auto.tcl 2015-02-26 17:57:28.000000000 +0100 ++++ tcl8.6.4/library/auto.tcl 2015-11-13 23:18:34.964831717 +0100 +@@ -207,6 +207,9 @@ proc auto_mkindex {dir args} { + set args *.tcl + } + ++ # Keep file names sorted in a determistic order. ++ set args [lsort -ascii $args] ++ + auto_mkindex_parser::init + foreach file [glob -- {*}$args] { + try { +@@ -241,6 +244,10 @@ proc auto_mkindex_old {dir args} { + if {![llength $args]} { + set args *.tcl + } ++ ++ # Keep file names sorted in a determistic order. ++ set args [lsort -ascii $args] ++ + foreach file [glob -- {*}$args] { + set f "" + set error [catch { diff --git a/gnu/packages/patches/tinyxml-use-stl.patch b/gnu/packages/patches/tinyxml-use-stl.patch new file mode 100644 index 0000000000..5d8aa899a9 --- /dev/null +++ b/gnu/packages/patches/tinyxml-use-stl.patch @@ -0,0 +1,41 @@ +From a53b6ee4519a7657164610ac14a82c57b1273bf6 Mon Sep 17 00:00:00 2001 +From: David Thompson <dthompson2@worcester.edu> +Date: Mon, 23 Nov 2015 06:54:36 -0500 +Subject: [PATCH] Use STL. + +Software that uses the shared library, such as Kodi, assume that TinyXML was +compiled with STL activated. + +--- + tinyxml.h | 2 ++ + xmltest.cpp | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/tinyxml.h b/tinyxml.h +index a3589e5..6cbfc7d 100644 +--- a/tinyxml.h ++++ b/tinyxml.h +@@ -43,6 +43,8 @@ distribution. + #define DEBUG + #endif + ++#define TIXML_USE_STL 1 ++ + #ifdef TIXML_USE_STL + #include <string> + #include <iostream> +diff --git a/xmltest.cpp b/xmltest.cpp +index 663c157..057dbfe 100644 +--- a/xmltest.cpp ++++ b/xmltest.cpp +@@ -2,6 +2,7 @@ + Test program for TinyXML. + */ + ++#define TIXML_USE_STL 1 + + #ifdef TIXML_USE_STL + #include <iostream> +-- +2.5.0 + diff --git a/gnu/packages/patches/tk-find-library.patch b/gnu/packages/patches/tk-find-library.patch new file mode 100644 index 0000000000..70911bf0d2 --- /dev/null +++ b/gnu/packages/patches/tk-find-library.patch @@ -0,0 +1,29 @@ +This patch hard-codes the Tk library directory during package initialization. + +See <http://core.tcl.tk/tk/tktview/765642ffffffffffffff>. + +diff --git a/generic/tkWindow.c b/generic/tkWindow.c +index b5cbbab..96b5501 100644 +--- a/generic/tkWindow.c ++++ b/generic/tkWindow.c +@@ -988,6 +988,7 @@ TkCreateMainWindow( + + Tcl_SetVar2(interp, "tk_patchLevel", NULL, TK_PATCH_LEVEL, TCL_GLOBAL_ONLY); + Tcl_SetVar2(interp, "tk_version", NULL, TK_VERSION, TCL_GLOBAL_ONLY); ++ Tcl_SetVar2(interp, "tk_library", NULL, TK_LIBRARY, TCL_GLOBAL_ONLY); + + tsdPtr->numMainWindows++; + return tkwin; +diff --git a/unix/Makefile.in b/unix/Makefile.in +index f21fdbb..c61b0df 100644 +--- a/unix/Makefile.in ++++ b/unix/Makefile.in +@@ -1029,7 +1029,7 @@ tkVisual.o: $(GENERIC_DIR)/tkVisual.c + $(CC) -c $(CC_SWITCHES) $(GENERIC_DIR)/tkVisual.c + + tkWindow.o: $(GENERIC_DIR)/tkWindow.c +- $(CC) -c $(CC_SWITCHES) $(GENERIC_DIR)/tkWindow.c ++ $(CC) -c $(CC_SWITCHES) -DTK_LIBRARY=\"${TK_LIBRARY}\" $(GENERIC_DIR)/tkWindow.c + + tkButton.o: $(GENERIC_DIR)/tkButton.c + $(CC) -c $(CC_SWITCHES) $(GENERIC_DIR)/tkButton.c diff --git a/gnu/packages/patches/torsocks-dns-test.patch b/gnu/packages/patches/torsocks-dns-test.patch new file mode 100644 index 0000000000..ba70ba5933 --- /dev/null +++ b/gnu/packages/patches/torsocks-dns-test.patch @@ -0,0 +1,18 @@ +Skip DNS tests that rely on the ability to look up arbitary +host names. + +--- torsocks/tests/test_dns.c 2015-11-10 18:30:53.955941984 +0100 ++++ torsocks/tests/test_dns.c 2015-11-10 18:31:02.199941892 +0100 +@@ -134,11 +134,8 @@ static void test_getaddrinfo(const struc + int main(int argc, char **argv) + { + /* Libtap call for the number of tests planned. */ +- plan_tests(NUM_TESTS); ++ plan_tests(1); + +- test_getaddrinfo(&tor_check); +- test_gethostbyname(&tor_dir_auth1); +- test_gethostbyaddr(&tor_dir_auth2); + test_getaddrinfo(&tor_localhost); + + return 0; diff --git a/gnu/packages/patches/weechat-python.patch b/gnu/packages/patches/weechat-python.patch new file mode 100644 index 0000000000..8182636ecb --- /dev/null +++ b/gnu/packages/patches/weechat-python.patch @@ -0,0 +1,40 @@ +Get Python LDFLAGS from 'pkg-config'. + +The other approach is more complex and gets it wrong: it returns +"-L/path/to/python/lib/python-2.7.10/lib/python2.7/config -lpython -lwhatever"; +since that config/ sub-directory contains libpython2.7.a, we end up +statically linking Python in Weechat's python.so, which we do not want. + +--- weechat-1.3/configure.ac 2015-08-16 08:27:07.000000000 +0200 ++++ weechat-1.3/configure.ac 2015-11-29 18:18:52.975197048 +0100 +@@ -535,29 +535,7 @@ if test "x$enable_python" = "xyes" ; the + if test -r "$PYTHON_INCLUDE/Python.h"; then + PYTHON_CFLAGS="-I$PYTHON_INCLUDE" + AC_MSG_RESULT(found) +- PYTHON_LIB=`$PYTHON -c "import sys, distutils.sysconfig; sys.stdout.write(distutils.sysconfig.get_config_var('LIBPL'))"` +- PYTHON_LFLAGS="-lpython$PYTHON_VERSION "`$PYTHON -c "import sys, distutils.sysconfig; sys.stdout.write(distutils.sysconfig.get_config_var('LIBS')+' '+distutils.sysconfig.get_config_var('SYSLIBS')+' '+distutils.sysconfig.get_config_var('LINKFORSHARED'))"` +- AC_MSG_CHECKING(for Python library) +- if test -r "$PYTHON_LIB/libpython$PYTHON_VERSION.so"; then +- PYTHON_LFLAGS="-L$PYTHON_LIB $PYTHON_LFLAGS" +- AC_MSG_RESULT(found) +- elif test -r "$PYTHON_LIB/libpython$PYTHON_VERSION.a"; then +- PYTHON_LFLAGS="-L$PYTHON_LIB $PYTHON_LFLAGS" +- AC_MSG_RESULT(found) +- elif test -r "$PYTHON_LIB/libpython$PYTHON_VERSION.dll.a"; then +- PYTHON_LFLAGS="-L$PYTHON_LIB $PYTHON_LFLAGS" +- AC_MSG_RESULT(found) +- elif test -r "$PYTHON_SYSPREFIX/lib/libpython$PYTHON_VERSION.so"; then +- PYTHON_LFLAGS="-L$PYTHON_SYSPREFIX/lib/ $PYTHON_LFLAGS" +- AC_MSG_RESULT(found) +- else +- AC_MSG_WARN([ +-*** Python library couldn't be found on your system. +-*** Try to install it with your software package manager. +-*** WeeChat will be built without Python support.]) +- enable_python="no" +- not_found="$not_found python" +- fi ++ PYTHON_LFLAGS=`pkg-config python2 --libs` + else + AC_MSG_WARN([ + *** Python header files couldn't be found on your system. diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch new file mode 100644 index 0000000000..00e5b7c771 --- /dev/null +++ b/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch @@ -0,0 +1,32 @@ +From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sun, 25 Oct 2015 15:45:50 +0200 +Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no + PMF in use + +WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is +enabled. Verify that PMF is in use before using this field on station +side to avoid accepting unauthenticated key updates. (CVE-2015-5310) + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + wpa_supplicant/wnm_sta.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c +index 954de67..7d79499 100644 +--- a/wpa_supplicant/wnm_sta.c ++++ b/wpa_supplicant/wnm_sta.c +@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s, + end = ptr + key_len_total; + wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total); + ++ if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) { ++ wpa_msg(wpa_s, MSG_INFO, ++ "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled"); ++ return; ++ } ++ + while (ptr + 1 < end) { + if (ptr + 2 + ptr[1] > end) { + wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element " diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch new file mode 100644 index 0000000000..bfc4c74e95 --- /dev/null +++ b/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch @@ -0,0 +1,51 @@ +From bef802ece03f9ae9d52a21f0cf4f1bc2c5a1f8aa Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sun, 1 Nov 2015 18:24:16 +0200 +Subject: [PATCH] EAP-pwd server: Fix last fragment length validation + +All but the last fragment had their length checked against the remaining +room in the reassembly buffer. This allowed a suitably constructed last +fragment frame to try to add extra data that would go beyond the buffer. +The length validation code in wpabuf_put_data() prevents an actual +buffer write overflow from occurring, but this results in process +termination. (CVE-2015-5314) + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/eap_server/eap_server_pwd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c +index cb83ff7..9f787ab 100644 +--- a/src/eap_server/eap_server_pwd.c ++++ b/src/eap_server/eap_server_pwd.c +@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, + /* + * the first and all intermediate fragments have the M bit set + */ +- if (EAP_PWD_GET_MORE_BIT(lm_exch)) { ++ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) { + if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) { + wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow " + "attack detected! (%d+%d > %d)", +@@ -981,6 +981,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, + } + wpabuf_put_data(data->inbuf, pos, len); + data->in_frag_pos += len; ++ } ++ if (EAP_PWD_GET_MORE_BIT(lm_exch)) { + wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment", + (int) len); + return; +@@ -990,8 +992,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, + * buffering fragments so that's how we know it's the last) + */ + if (data->in_frag_pos) { +- wpabuf_put_data(data->inbuf, pos, len); +- data->in_frag_pos += len; + pos = wpabuf_head_u8(data->inbuf); + len = data->in_frag_pos; + wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes", +-- +1.9.1 + diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch new file mode 100644 index 0000000000..82c26398b6 --- /dev/null +++ b/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch @@ -0,0 +1,54 @@ +From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sun, 1 Nov 2015 18:18:17 +0200 +Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation + +All but the last fragment had their length checked against the remaining +room in the reassembly buffer. This allowed a suitably constructed last +fragment frame to try to add extra data that would go beyond the buffer. +The length validation code in wpabuf_put_data() prevents an actual +buffer write overflow from occurring, but this results in process +termination. (CVE-2015-5315) + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/eap_peer/eap_pwd.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c +index 1f78544..75ceef1 100644 +--- a/src/eap_peer/eap_pwd.c ++++ b/src/eap_peer/eap_pwd.c +@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, + /* + * buffer and ACK the fragment + */ +- if (EAP_PWD_GET_MORE_BIT(lm_exch)) { ++ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) { + data->in_frag_pos += len; + if (data->in_frag_pos > wpabuf_size(data->inbuf)) { + wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack " +@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, + return NULL; + } + wpabuf_put_data(data->inbuf, pos, len); +- ++ } ++ if (EAP_PWD_GET_MORE_BIT(lm_exch)) { + resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, + EAP_PWD_HDR_SIZE, + EAP_CODE_RESPONSE, eap_get_id(reqData)); +@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, + * we're buffering and this is the last fragment + */ + if (data->in_frag_pos) { +- wpabuf_put_data(data->inbuf, pos, len); + wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes", + (int) len); +- data->in_frag_pos += len; + pos = wpabuf_head_u8(data->inbuf); + len = data->in_frag_pos; + } +-- +1.9.1 + diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch new file mode 100644 index 0000000000..3088f6a6dc --- /dev/null +++ b/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch @@ -0,0 +1,34 @@ +From 95577884ca4fa76be91344ff7a8d5d1e6dc3da61 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sun, 1 Nov 2015 19:35:44 +0200 +Subject: [PATCH] EAP-pwd peer: Fix error path for unexpected Confirm message + +If the Confirm message is received from the server before the Identity +exchange has been completed, the group has not yet been determined and +data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange() +did not take this corner case into account and could end up +dereferencing a NULL pointer and terminating the process if invalid +message sequence is received. (CVE-2015-5316) + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/eap_peer/eap_pwd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c +index 75ceef1..892b590 100644 +--- a/src/eap_peer/eap_pwd.c ++++ b/src/eap_peer/eap_pwd.c +@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, + wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN); + + fin: +- bin_clear_free(cruft, BN_num_bytes(data->grp->prime)); ++ if (data->grp) ++ bin_clear_free(cruft, BN_num_bytes(data->grp->prime)); + BN_clear_free(x); + BN_clear_free(y); + if (data->outbuf == NULL) { +-- +1.9.1 + diff --git a/gnu/packages/patches/xfce4-session-fix-xflock4.patch b/gnu/packages/patches/xfce4-session-fix-xflock4.patch new file mode 100644 index 0000000000..74769e4257 --- /dev/null +++ b/gnu/packages/patches/xfce4-session-fix-xflock4.patch @@ -0,0 +1,31 @@ +From cbb9c769316b4d32956a2c78aa01a38b473f0cfc Mon Sep 17 00:00:00 2001 +From: David Thompson <dthompson2@worcester.edu> +Date: Fri, 30 Oct 2015 08:30:43 -0400 +Subject: [PATCH] xflock4: Do not override PATH with hardcoded value. + +The PATH "/bin:/usr/bin" may not be a valid search path on the user's +machine. The screen locking program may be in /usr/local/bin or +elsewhere. Distros that do not conform to the FHS, such as GuixSD and +NixOS, will not have their executables in either location. Thus, we +simply leave PATH alone. +--- + scripts/xflock4 | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/scripts/xflock4 b/scripts/xflock4 +index ec4d05d..e7981ac 100644 +--- a/scripts/xflock4 ++++ b/scripts/xflock4 +@@ -21,9 +21,6 @@ + # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + # + +-PATH=/bin:/usr/bin +-export PATH +- + # Lock by xscreensaver or gnome-screensaver, if a respective daemon is running + for lock_cmd in \ + "xscreensaver-command -lock" \ +-- +2.5.0 + |