Diffstat (limited to 'gnu/packages')
-rw-r--r--gnu/packages/admin.scm9
-rw-r--r--gnu/packages/attr.scm2
-rw-r--r--gnu/packages/autotools.scm37
-rw-r--r--gnu/packages/avahi.scm4
-rw-r--r--gnu/packages/backup.scm9
-rw-r--r--gnu/packages/base.scm93
-rw-r--r--gnu/packages/bash.scm63
-rw-r--r--gnu/packages/bdw-gc.scm36
-rw-r--r--gnu/packages/bootstrap.scm1
-rw-r--r--gnu/packages/commencement.scm56
-rw-r--r--gnu/packages/compression.scm34
-rw-r--r--gnu/packages/cross-base.scm2
-rw-r--r--gnu/packages/cups.scm8
-rw-r--r--gnu/packages/curl.scm20
-rw-r--r--gnu/packages/cyrus-sasl.scm9
-rw-r--r--gnu/packages/databases.scm45
-rw-r--r--gnu/packages/ed.scm9
-rw-r--r--gnu/packages/flex.scm61
-rw-r--r--gnu/packages/fontutils.scm6
-rw-r--r--gnu/packages/gawk.scm2
-rw-r--r--gnu/packages/gcc.scm39
-rw-r--r--gnu/packages/gd.scm46
-rw-r--r--gnu/packages/ghostscript.scm19
-rw-r--r--gnu/packages/glib.scm4
-rw-r--r--gnu/packages/gnupg.scm8
-rw-r--r--gnu/packages/gperf.scm4
-rw-r--r--gnu/packages/guile.scm18
-rw-r--r--gnu/packages/icu4c.scm25
-rw-r--r--gnu/packages/image.scm93
-rw-r--r--gnu/packages/kde-frameworks.scm12
-rw-r--r--gnu/packages/kerberos.scm6
-rw-r--r--gnu/packages/libevent.scm6
-rw-r--r--gnu/packages/libunistring.scm11
-rw-r--r--gnu/packages/linux.scm32
-rw-r--r--gnu/packages/m4.scm8
-rw-r--r--gnu/packages/make-bootstrap.scm18
-rw-r--r--gnu/packages/multiprecision.scm8
-rw-r--r--gnu/packages/ncurses.scm23
-rw-r--r--gnu/packages/nettle.scm6
-rw-r--r--gnu/packages/patches/coreutils-fix-cross-compilation.patch15
-rw-r--r--gnu/packages/patches/flex-CVE-2016-6354.patch30
-rw-r--r--gnu/packages/patches/gcc-5-source-date-epoch-1.patch190
-rw-r--r--gnu/packages/patches/gcc-5-source-date-epoch-2.patch353
-rw-r--r--gnu/packages/patches/gcc-libiberty-printf-decl.patch28
-rw-r--r--gnu/packages/patches/gd-CVE-2016-7568.patch44
-rw-r--r--gnu/packages/patches/gd-CVE-2016-8670.patch38
-rw-r--r--gnu/packages/patches/glibc-bootstrap-system.patch24
-rw-r--r--gnu/packages/patches/guile-repl-server-test.patch48
-rw-r--r--gnu/packages/patches/lcms-CVE-2016-10165.patch (renamed from gnu/packages/patches/lcms-fix-out-of-bounds-read.patch)4
-rw-r--r--gnu/packages/patches/libarchive-7zip-heap-overflow.patch77
-rw-r--r--gnu/packages/patches/libarchive-fix-filesystem-attacks.patch445
-rw-r--r--gnu/packages/patches/libarchive-fix-symlink-check.patch60
-rw-r--r--gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch44
-rw-r--r--gnu/packages/patches/libevent-2.0-CVE-2016-10195.patch (renamed from gnu/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch)5
-rw-r--r--gnu/packages/patches/libevent-2.0-CVE-2016-10196.patch (renamed from gnu/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch)5
-rw-r--r--gnu/packages/patches/libevent-2.0-CVE-2016-10197.patch (renamed from gnu/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch)5
-rw-r--r--gnu/packages/patches/libpng-CVE-2016-10087.patch37
-rw-r--r--gnu/packages/patches/pcre-CVE-2016-3191.patch151
-rw-r--r--gnu/packages/patches/sed-hurd-path-max.patch34
-rw-r--r--gnu/packages/patches/tar-CVE-2016-6321.patch51
-rw-r--r--gnu/packages/pcre.scm5
-rw-r--r--gnu/packages/pdf.scm17
-rw-r--r--gnu/packages/php.scm2
-rw-r--r--gnu/packages/pkg-config.scm6
-rw-r--r--gnu/packages/python.scm1
-rw-r--r--gnu/packages/shells.scm13
-rw-r--r--gnu/packages/ssh.scm4
-rw-r--r--gnu/packages/tcl.scm8
-rw-r--r--gnu/packages/tls.scm31
-rw-r--r--gnu/packages/version-control.scm2
-rw-r--r--gnu/packages/xml.scm25
-rw-r--r--gnu/packages/xorg.scm8
72 files changed, 1111 insertions, 1591 deletions
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index b2207a1205..baadbe5c60 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -112,20 +112,23 @@ usual file attributes can be checked for inconsistencies.")
 (define-public progress
   (package
     (name "progress")
-    (version "0.13")
+    (version "0.13.1")
     (source (origin
       (method url-fetch)
       (uri (string-append "https://github.com/Xfennec/"
                           name "/archive/v" version ".tar.gz"))
       (sha256
-       (base32 "133iar4vq5vlklydb4cyazjy6slmpbndrws474mg738bd8avc30n"))
+       (base32 "199rk6608q9m6l0fbjm0xl2w1c5krf8245dqnksdp4rqp7l9ak06"))
       (file-name (string-append name "-" version ".tar.gz"))))
     (build-system gnu-build-system)
+    (native-inputs
+     `(("pkg-config" ,pkg-config)
+       ("which" ,which)))
     (inputs
      `(("ncurses" ,ncurses)))
     (arguments
      `(#:tests? #f ; There is no test suite.
-       #:make-flags (list "CC=gcc" "LDFLAGS+=-lncurses"
+       #:make-flags (list "CC=gcc"
                           (string-append "PREFIX=" (assoc-ref %outputs "out")))
        #:phases
        (modify-phases %standard-phases
diff --git a/gnu/packages/attr.scm b/gnu/packages/attr.scm
index 907a568bdd..4dbe09ceca 100644
--- a/gnu/packages/attr.scm
+++ b/gnu/packages/attr.scm
@@ -54,7 +54,7 @@
              ;; Use the right shell.
              (substitute* "test/run"
                (("/bin/sh")
-                (which "bash")))
+                (which "sh")))
 
              ;; When building natively, run the tests.
              (unless target
diff --git a/gnu/packages/autotools.scm b/gnu/packages/autotools.scm
index 72492e70eb..442c87c1f1 100644
--- a/gnu/packages/autotools.scm
+++ b/gnu/packages/autotools.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2014 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016 David Thompson <davet@gnu.org>
+;;; Copyright © 2017 ng0 <ng0@libertad.pw>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -26,6 +27,7 @@
   #:use-module (gnu packages)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages m4)
+  #:use-module (gnu packages man)
   #:use-module (gnu packages bash)
   #:use-module (guix utils)
   #:use-module (guix packages)
@@ -300,6 +302,7 @@ Makefile, simplifying the entire process for the developer.")
     (propagated-inputs `(("m4" ,m4)))
     (native-inputs `(("m4" ,m4)
                      ("perl" ,perl)
+                     ("help2man" ,help2man) ;because we modify ltmain.sh
                      ("automake" ,automake)      ;some tests rely on 'aclocal'
                      ("autoconf" ,(autoconf-wrapper)))) ;others on 'autom4te'
 
@@ -313,21 +316,27 @@ Makefile, simplifying the entire process for the developer.")
                                       (or (%current-target-system)
                                           (%current-system))))
 
-       #:phases (alist-cons-before
-                 'check 'pre-check
-                 (lambda* (#:key inputs #:allow-other-keys)
-                   ;; Run the test suite in parallel, if possible.
-                   (setenv "TESTSUITEFLAGS"
-                           (string-append
-                            "-j"
-                            (number->string (parallel-job-count))))
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'check 'pre-check
+           (lambda* (#:key inputs #:allow-other-keys)
+             ;; Run the test suite in parallel, if possible.
+             (setenv "TESTSUITEFLAGS"
+                     (string-append
+                      "-j"
+                      (number->string (parallel-job-count))))
+           ;; Patch references to /bin/sh.
+           (let ((bash (assoc-ref inputs "bash")))
+             (substitute* "tests/testsuite"
+               (("/bin/sh")
+                (string-append bash "/bin/sh")))
+             #t)))
+         (add-after 'patch-source-shebangs 'restore-ltmain-shebang
+           (lambda* (#:key inputs #:allow-other-keys)
+             (substitute* "build-aux/ltmain.in"
+               (("^#!.*/bin/sh$") "#!/bin/sh"))
+             #t)))))
 
-                   ;; Path references to /bin/sh.
-                   (let ((bash (assoc-ref inputs "bash")))
-                     (substitute* "tests/testsuite"
-                       (("/bin/sh")
-                        (string-append bash "/bin/bash")))))
-                 %standard-phases)))
     (synopsis "Generic shared library support tools")
     (description
      "GNU Libtool helps in the creation and use of shared libraries, by
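Review bot: In the new `pre-check` phase the `;; Patch references to /bin/sh.` comment and the `let` under it are indented two columns shallower than the `setenv` call, so they read as siblings of the `lambda*` although the parentheses keep them inside its body; re-indenting them to the `setenv` column would match the real structure. The `restore-ltmain-shebang` phase binds `inputs` but never uses it, so `(lambda _` would do. That phase also carries no comment saying why the shebang in `build-aux/ltmain.in` is put back to `#!/bin/sh`; a one-line comment such as `;; Keep a generic shebang in the ltmain.sh template so it does not refer to a store item.` would help, if that is the intent.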
diff --git a/gnu/packages/avahi.scm b/gnu/packages/avahi.scm
index 5740ab2ff8..73e63ab0dc 100644
--- a/gnu/packages/avahi.scm
+++ b/gnu/packages/avahi.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -25,6 +25,7 @@
   #:use-module (gnu packages)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages libdaemon)
+  #:use-module (gnu packages linux)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages glib)
   #:use-module (gnu packages xml))
@@ -59,6 +60,7 @@
        ("glib" ,glib)
        ("dbus" ,dbus)
        ("gdbm" ,gdbm)
+       ("libcap" ,libcap)            ;to enable chroot support in avahi-daemon
        ("libdaemon" ,libdaemon)))
     (native-inputs
      `(("intltool" ,intltool)
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index ae4e4b20ea..c2dfc0fbbd 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -181,20 +181,15 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
-    (version "3.2.1")
+    (version "3.2.2")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "http://libarchive.org/downloads/libarchive-"
                            version ".tar.gz"))
-       (patches (search-patches
-                  "libarchive-7zip-heap-overflow.patch"
-                  "libarchive-fix-symlink-check.patch"
-                  "libarchive-fix-filesystem-attacks.patch"
-                  "libarchive-safe_fprintf-buffer-overflow.patch"))
        (sha256
         (base32
-         "1lngng84k1kkljl74q0cdqc3s82vn2kimfm02dgm4d6m7x71mvkj"))))
+         "03q6y428rg723c9fj1vidzjw46w1vf8z0h95lkvz1l9jw571j739"))))
     (build-system gnu-build-system)
     ;; TODO: Add -L/path/to/nettle in libarchive.pc.
     (inputs
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index c75e038289..8be9c88abb 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
@@ -78,14 +78,14 @@ command-line arguments, multiple languages, and so on.")
 (define-public grep
   (package
    (name "grep")
-   (version "2.25")
+   (version "3.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/grep/grep-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0c38b67cnwchwzv4wq2gpz6smkhdxrac2hhssv8f0l04qnx867p2"))
+              "1dcasjp3a578nrvzrcn38mpizb8w1q6mvfzhjmcqqgkf0nsivj72"))
             (patches (search-patches "grep-timing-sensitive-test.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))             ;some of the tests require it
@@ -118,30 +118,36 @@ including, for example, recursive directory searching.")
 (define-public sed
   (package
    (name "sed")
-   (version "4.2.2")
+   (version "4.4")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/sed/sed-" version
-                                ".tar.bz2"))
+                                ".tar.xz"))
             (sha256
              (base32
-              "1myvrmh99jsvk7v3d7crm0gcrq51hmmm1r2kjyyci152in1x2j7h"))
-            (patches (search-patches "sed-hurd-path-max.patch"))))
+              "0fv88bcnraixc8jvpacvxshi30p5x9m7yb8ns1hfv07hmb2ypmnb"))))
    (build-system gnu-build-system)
    (synopsis "Stream editor")
    (arguments
-    (if (%current-target-system)
-        '()
-        `(#:phases (alist-cons-before
-                    'patch-source-shebangs 'patch-test-suite
-                    (lambda* (#:key inputs #:allow-other-keys)
-                      (let ((bash (assoc-ref inputs "bash")))
-                        (patch-makefile-SHELL "testsuite/Makefile.tests")
-                        (substitute* '("testsuite/bsd.sh"
-                                       "testsuite/bug-regex9.c")
-                          (("/bin/sh")
-                           (string-append bash "/bin/bash")))))
-                    %standard-phases))))
+    `(#:phases
+      (modify-phases %standard-phases
+        (add-after 'unpack 'dont-rebuild-sed.1
+          (lambda _
+            ;; Make sure we do not attempt to rebuild 'doc/sed.1', which does
+            ;; not work when cross-compiling because we cannot run 'sed'.
+            ;; This is fixed upstream as commit a0a25e3.
+            (substitute* "Makefile.in"
+              (("^doc/sed\\.1:.*")
+               "doc/sed.1:\n"))
+            #t))
+        (add-before 'patch-source-shebangs 'patch-test-suite
+          (lambda* (#:key inputs #:allow-other-keys)
+            (patch-makefile-SHELL "testsuite/Makefile.tests")
+            (substitute* '("testsuite/bsd.sh"
+                           "testsuite/bug-regex9.c")
+              (("/bin/sh")
+               (which "sh")))
+            #t)))))
    (description
     "Sed is a non-interactive, text stream editor.  It receives a text
 input from a file or from standard input and it then applies a series of text
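Review bot: The rewritten `patch-test-suite` phase still declares `(lambda* (#:key inputs #:allow-other-keys)` but no longer reads `inputs`, because the shell is now looked up with `(which "sh")`; `(lambda _` would match the `dont-rebuild-sed.1` phase above it. With the `%current-target-system` guard removed the phase also runs in cross builds, and `which` returns `#f` when no `sh` is on `PATH`, which `substitute*` cannot use as a replacement string. The comment in `dont-rebuild-sed.1` cites upstream commit a0a25e3; adding `;; TODO: Remove this phase when updating past 4.4.` would flag it for deletion at the next upgrade.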
@@ -149,7 +155,7 @@ editing commands to the stream and prints its output to standard output.  It
 is often used for substituting text patterns in a stream.  The GNU
 implementation offers several extensions over the standard utility.")
    (license gpl3+)
-   (home-page "http://www.gnu.org/software/sed/")))
+   (home-page "https://www.gnu.org/software/sed/")))
 
 (define-public tar
   (package
@@ -162,7 +168,8 @@ implementation offers several extensions over the standard utility.")
             (sha256
              (base32
               "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0"))
-            (patches (search-patches "tar-skip-unreliable-tests.patch"))))
+            (patches (search-patches "tar-CVE-2016-6321.patch"
+                                     "tar-skip-unreliable-tests.patch"))))
    (build-system gnu-build-system)
    ;; Note: test suite requires ~1GiB of disk space.
    (arguments
@@ -277,14 +284,15 @@ used to apply commands with arbitrarily long arguments.")
 (define-public coreutils
   (package
    (name "coreutils")
-   (version "8.25")
+   (version "8.26")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/coreutils/coreutils-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "11yfrnb94xzmvi4lhclkcmkqsbhww64wf234ya1aacjvg82prrii"))))
+              "13lspazc7xkviy93qz7ks9jv4sldvgmwpq36ghrbrqpq93br8phm"))
+            (patches (search-patches "coreutils-fix-cross-compilation.patch"))))
    (build-system gnu-build-system)
    (inputs `(("acl"  ,acl)                        ; TODO: add SELinux
              ("gmp"  ,gmp)                        ;bignums in 'expr', yay!
@@ -305,6 +313,7 @@ used to apply commands with arbitrarily long arguments.")
    (outputs '("out" "debug"))
    (arguments
     `(#:parallel-build? #f            ; help2man may be called too early
+      #:parallel-tests? #f            ; race condition fixed after 8.26
       #:phases (alist-cons-before
                 'build 'patch-shell-references
                 (lambda* (#:key inputs #:allow-other-keys)
@@ -362,7 +371,7 @@ functionality beyond that which is outlined in the POSIX standard.")
             (let ((bash (assoc-ref inputs "bash")))
               (substitute* "job.c"
                 (("default_shell =.*$")
-                 (format #f "default_shell = \"~a/bin/bash\";\n"
+                 (format #f "default_shell = \"~a/bin/sh\";\n"
                          bash)))))))))
    (synopsis "Remake files automatically")
    (description
@@ -501,14 +510,14 @@ store.")
 (define-public glibc/linux
   (package
    (name "glibc")
-   (version "2.24")
+   (version "2.25")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/glibc/glibc-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))
+              "1813dzkgw6v8q8q1m4v96yfis7vjqc9pslqib6j9mrwh6fxxjyq6"))
             (snippet
              ;; Disable 'ldconfig' and /etc/ld.so.cache.  The latter is
              ;; required on LFS distros to avoid loading the distro's libc.so
@@ -619,14 +628,14 @@ store.")
                       ;; Same for `popen'.
                       (substitute* "libio/iopopen.c"
                         (("/bin/sh")
-                         (string-append bash "/bin/bash")))
+                         (string-append bash "/bin/sh")))
 
                       ;; Same for the shell used by the 'exec' functions for
                       ;; scripts that lack a shebang.
                       (substitute* (find-files "." "^paths\\.h$")
                         (("#define[[:blank:]]+_PATH_BSHELL[[:blank:]].*$")
                          (string-append "#define _PATH_BSHELL \""
-                                        bash "/bin/bash\"\n")))
+                                        bash "/bin/sh\"\n")))
 
                       ;; Nscd uses __DATE__ and __TIME__ to create a string to
                       ;; make sure the client and server come from the same
@@ -715,7 +724,21 @@ with the Linux kernel.")
              ;; Use the right 'pwd'.
              (substitute* "configure"
                (("/bin/pwd") "pwd")))
-          ,original-phases)))
+           (alist-replace
+            'build
+            (lambda _
+              ;; Force mach/hurd/libpthread subdirs to build first in order to avoid
+              ;; linking errors.
+              ;; See <https://lists.gnu.org/archive/html/bug-hurd/2016-11/msg00045.html>
+              (let ((-j (list "-j" (number->string (parallel-job-count)))))
+                (let-syntax ((make (syntax-rules ()
+                                     ((_ target)
+                                      (zero? (apply system* "make" target -j))))))
+                  (and (make "mach/subdir_lib")
+                       (make "hurd/subdir_lib")
+                       (make "libpthread/subdir_lib")
+                       (zero? (apply system* "make" -j))))))
+            ,original-phases))))
         ((#:configure-flags original-configure-flags)
         `(append (list "--host=i586-pc-gnu"
 
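Review bot: The replacement `build` phase is written as `(lambda _ ...)` and invokes `make` with only `-j N`, so any `#:make-flags` and a `#:parallel-build? #f` setting given to the package are ignored here, unlike in the standard phase it replaces. Accepting the keys, for example `(lambda* (#:key (make-flags '()) #:allow-other-keys)` with `(zero? (apply system* "make" target (append -j make-flags)))`, would keep the sub-directory ordering without dropping them. The enclosing phases expression starts above this hunk, so whether this package sets either argument is not visible from here.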
@@ -750,6 +773,18 @@ GLIBC/HURD for a Hurd host"
 ;; Below are old libc versions, which we use mostly to build locale data in
 ;; the old format (which the new libc cannot cope with.)
 
+(define-public glibc-2.24
+  (package
+    (inherit glibc)
+    (version "2.24")
+    (source (origin
+              (inherit (package-source glibc))
+              (uri (string-append "mirror://gnu/glibc/glibc-"
+                                  version ".tar.xz"))
+              (sha256
+               (base32
+                "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))))))
+
 (define-public glibc-2.23
   (package
     (inherit glibc)
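Review bot: `glibc-2.24` inherits its whole origin from `(package-source glibc)` and overrides only `uri` and `sha256`, so the snippet and any patch list attached to the 2.25 origin are applied to the 2.24 tarball as well. If one of those patches is specific to 2.25, this variant fails at the patch step, and it will silently pick up every future patch added to `glibc`. Giving the origin its own `patches` field would make the variant independent of that; the patch list of `glibc` is outside this hunk, so this needs checking against the full file.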
diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index c121fd84d6..8d453bdaa1 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -1,7 +1,8 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2015, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -57,7 +58,19 @@
 (define %patch-series-4.4
   ;; This is the current patches series for 4.4, generated using
   ;; 'download-patches' below.
-  (patch-series))
+  (patch-series
+   (1 "03vzy7qwjdd5qvl3ydg99naazas2qmyd0yhnrflgjbbm64axja1y")
+   (2 "0lrwq6vyqism3yqv9s7kzaf3dsl4q5w9r5svcqz279qp7qca083h")
+   (3 "1chqww2rj6g42b8s60q5zlzy0jzp684jkpsbrbfy1vzxja8mmpsi")
+   (4 "1cy8abf96hkrjhw921ndr0shlcnc52bg45rn6xri4v5clhq0l25d")
+   (5 "0a8515kyk4zsgmvlqvlganjfr7pq0j6kzpr4d6xx02kpbdr4n7i2")
+   (6 "1f24wgqngmj2mrj9yibwvc2zvlmn5xi53mnw777g3l40c4m2x3ka")
+   (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y") ;CVE-2017-5932
+   (8 "1firw915mjm03hbbw9a70ch3cpgrgnvqjpllgdnn6csr8q04f546")
+   (9 "0g1l56kvw61rpw7dqa9fcl9llkl693h73g631hrhxlm030ddssqb")
+   (10 "01lfhrkdsdkdz8ypzapr614ras23x7ckjnr60aa5bzkaqprccrc4")
+   (11 "038p7mhnq9m65g505hi3827jkf9f35nd1cy00w8mwafpyxp44mnx")
+   (12 "0gh6lbb1rwpk44pvbamm6vzdfi50xnwkqd9v7s8cjwk3pz973hps")))
 
 (define (download-patches store count)
   "Download COUNT Bash patches into store.  Return a list of
@@ -98,7 +111,6 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
          (version "4.4"))
     (package
      (name "bash")
-     (replacement bash/fixed)
      (source (origin
               (method url-fetch)
               (uri (string-append
@@ -163,6 +175,13 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
                 (rename-file (string-append out "/lib/pkgconfig")
                              (string-append include
                                             "/lib/pkgconfig"))
+
+                ;; Don't capture the absolute file name of 'install' to avoid
+                ;; retaining a dependency on Coreutils.
+                (substitute* (string-append (lib include)
+                                            "/Makefile.inc")
+                  (("^INSTALL =.*")
+                   "INSTALL = install -c\n"))
                 #t))))))
 
      (native-search-paths
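Review bot: `substitute*` changes nothing when `^INSTALL =.*` matches no line, so if the installed `Makefile.inc` ever changes shape the Coreutils reference comes back without any build failure. Nothing in this hunk verifies the result; failing the phase when the file still names a store path after the substitution, or declaring Coreutils a disallowed reference for this package, would make such a regression visible. The phase this code belongs to starts above the hunk.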
@@ -185,7 +204,6 @@ without modification.")
   ;; A stripped-down Bash for non-interactive use.
   (package (inherit bash)
     (name "bash-minimal")
-    (replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
     (inputs '())                                ; no readline, no curses
 
     ;; No "include" output because there's no support for loadable modules.
@@ -241,43 +259,6 @@ without modification.")
                    (delete-file-recursively (string-append out "/share"))
                    #t))))))))))
 
-(define* (url-fetch/reset-patch-level url hash-algo hash
-                                      #:optional name
-                                      #:key (system (%current-system)) guile)
-  "Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
-can apply to a patch-level 0 Bash."
-  (mlet* %store-monad ((name -> (or name (basename url)))
-                       (patch (url-fetch url hash-algo hash
-                                         (string-append name ".orig")
-                                         #:system system
-                                         #:guile guile)))
-    (gexp->derivation name
-                      (with-imported-modules '((guix build utils))
-                        #~(begin
-                            (use-modules (guix build utils))
-                            (copy-file #$patch #$output)
-                            (substitute* #$output
-                              (("PATCHLEVEL [0-6]+")
-                               "PATCHLEVEL 0"))))
-                      #:guile-for-build guile
-                      #:system system)))
-
-(define bash/fixed                        ;CVE-2017-5932 (RCE with completion)
-  (package
-    (inherit bash)
-    (version "4.4.A")                             ;4.4.0 + patch #7
-    (replacement #f)
-    (source
-     (origin
-       (inherit (package-source bash))
-       (patches (cons (origin
-                        (method url-fetch/reset-patch-level)
-                        (uri (patch-url 7))
-                        (sha256
-                         (base32
-                          "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
-                      (origin-patches (package-source bash))))))))
-
 (define-public bash-completion
   (package
     (name "bash-completion")
diff --git a/gnu/packages/bdw-gc.scm b/gnu/packages/bdw-gc.scm
index 992a11bac0..b9732374d7 100644
--- a/gnu/packages/bdw-gc.scm
+++ b/gnu/packages/bdw-gc.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -24,24 +25,23 @@
   #:use-module (guix build-system gnu)
   #:use-module (gnu packages pkg-config))
 
-(define-public libgc-7.2
+(define-public libgc
   (package
    (name "libgc")
-   (version "7.2f")
+   (version "7.6.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "http://www.hboehm.info/gc/gc_source/gc-"
                                 version ".tar.gz"))
             (sha256
              (base32
-              "119x7p1cqw40mpwj80xfq879l9m1dkc7vbc1f3bz3kvkf8bf6p16"))))
+              "143x7g0d0k6250ai6m2x3l4y352mzizi4wbgrmahxscv2aqjhjm1"))))
    (build-system gnu-build-system)
    (arguments
-    ;; Make it so that we don't rely on /proc.  This is especially useful in
-    ;; an initrd run before /proc is mounted.
-    '(#:configure-flags '("CPPFLAGS=-DUSE_LIBC_PRIVATES"
-                          ;; Install gc_cpp.h et al.
+    '(#:configure-flags '(;; Install gc_cpp.h et al.
                           "--enable-cplusplus")))
+   (native-inputs `(("pkg-config" ,pkg-config)))
+   (inputs `(("libatomic-ops" ,libatomic-ops)))
    (outputs '("out" "debug"))
    (synopsis "The Boehm-Demers-Weiser conservative garbage collector
 for C and C++")
@@ -67,7 +67,7 @@ C or C++ programs, though that is not its primary goal.")
 (define-public libatomic-ops
   (package
     (name "libatomic-ops")
-    (version "7.4.2")
+    (version "7.4.4")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -75,7 +75,7 @@ C or C++ programs, though that is not its primary goal.")
                     version ".tar.gz"))
               (sha256
                (base32
-                "1pdm0h1y7bgkczr8byg20r6bq15m5072cqm5pny4f9crc9gn3yh4"))))
+                "13vg5fqwil17zpf4hj4h8rh3blzmym693lkdjgvwpgni1mh0l8dz"))))
     (build-system gnu-build-system)
     (outputs '("out" "debug"))
     (synopsis "Accessing hardware atomic memory update operations")
@@ -88,21 +88,3 @@ lock-free code, experiment with thread programming paradigms, etc.")
 
     ;; Some source files are X11-style, others are GPLv2+.
     (license gpl2+)))
-
-(define-public libgc
-  (package (inherit libgc-7.2)
-    (version "7.4.2")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "http://www.hboehm.info/gc/gc_source/gc-"
-                                  version ".tar.gz"))
-              (sha256
-               (base32
-                "18mg28rr6kwr5clc65k4l4hkyy4kd16amx831sjf8q2lqkbhlck3"))))
-
-    ;; New dependencies.
-    (native-inputs `(("pkg-config" ,pkg-config)))
-    (inputs `(("libatomic-ops" ,libatomic-ops)))
-
-    ;; 'USE_LIBC_PRIVATES' is now the default.
-    (arguments '(#:configure-flags '("--enable-cplusplus")))))
diff --git a/gnu/packages/bootstrap.scm b/gnu/packages/bootstrap.scm
index c8d94c8303..3be6e1246c 100644
--- a/gnu/packages/bootstrap.scm
+++ b/gnu/packages/bootstrap.scm
@@ -167,6 +167,7 @@ successful, or false to signal an error."
         ((string=? system "i586-gnu") "/lib/ld.so.1")
         ((string=? system "i686-gnu") "/lib/ld.so.1")
         ((string=? system "aarch64-linux") "/lib/ld-linux-aarch64.so.1")
+        ((string=? system "powerpc-linux") "/lib/ld.so.1")
 
         ;; XXX: This one is used bare-bones, without a libc, so add a case
         ;; here just so we can keep going.
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 7df1d3fca9..675852fb57 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
@@ -172,6 +172,26 @@
                     ,cf)))))
      (inputs %boot0-inputs))))
 
+(define libstdc++-boot0
+  ;; GCC's libcc1 is always built as a shared library (the top-level
+  ;; 'Makefile.def' forcefully adds --enable-shared) and thus needs to refer
+  ;; to libstdc++.so.  We cannot build libstdc++-5.3 because it relies on
+  ;; C++14 features missing in our bootstrap compiler.
+  (let ((lib (package-with-bootstrap-guile (make-libstdc++ gcc-4.9))))
+    (package
+      (inherit lib)
+      (name "libstdc++-boot0")
+      (arguments
+       `(#:guile ,%bootstrap-guile
+         #:implicit-inputs? #f
+
+         ;; XXX: libstdc++.so NEEDs ld.so for some reason.
+         #:validate-runpath? #f
+
+         ,@(package-arguments lib)))
+      (inputs %boot0-inputs)
+      (native-inputs '()))))
+
 (define gcc-boot0
   (package-with-bootstrap-guile
    (package (inherit gcc)
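Review bot: `#:validate-runpath? #f` switches the RUNPATH check off for the whole `libstdc++-boot0` output, and the `XXX` comment above it only says that libstdc++.so needs ld.so "for some reason". Recording the actual validate-runpath error message, or a bug reference, in that comment would let a later reader tell when the flag can be dropped. The leading comment also names `libstdc++-5.3` literally while the code pins `gcc-4.9`, so it will go stale at the next GCC update unless it is worded without the version.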
@@ -257,6 +277,9 @@
                ("mpc-source" ,(package-source mpc))
                ("binutils-cross" ,binutils-boot0)
 
+               ;; The libstdc++ that libcc1 links against.
+               ("libstdc++" ,libstdc++-boot0)
+
                ;; Call it differently so that the builder can check whether
                ;; the "libc" input is #f.
                ("libc-native" ,@(assoc-ref %boot0-inputs "libc"))
@@ -424,14 +447,8 @@ the bootstrap environment."
 (define ld-wrapper-boot0
   ;; We need this so binaries on Hurd will have libmachuser and libhurduser
   ;; in their RUNPATH, otherwise validate-runpath will fail.
-  ;;
-  ;; XXX: Work around <http://bugs.gnu.org/24832> by fixing the name and
-  ;; triplet on GNU/Linux.  For GNU/Hurd, use the right triplet.
-  (make-ld-wrapper (string-append "ld-wrapper-" "x86_64-guix-linux-gnu")
-                   #:target (lambda (system)
-                              (if (string-suffix? "-linux" system)
-                                  "x86_64-guix-linux-gnu"
-                                  (boot-triplet system)))
+  (make-ld-wrapper "ld-wrapper-boot0"
+                   #:target boot-triplet
                    #:binutils binutils-boot0
                    #:guile %bootstrap-guile
                    #:bash (car (assoc-ref %boot0-inputs "bash"))))
@@ -783,12 +800,17 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
 (define bash-final
   ;; Link with `-static-libgcc' to make sure we don't retain a reference
   ;; to the bootstrap GCC.
-  ;; FIXME: This depends on 'bootstrap-binaries' via Makefile.in.
-  (package-with-bootstrap-guile
-   (package-with-explicit-inputs (static-libgcc-package bash)
-                                 %boot3-inputs
-                                 (current-source-location)
-                                 #:guile %bootstrap-guile)))
+  (let ((bash (package
+                (inherit bash)
+                (arguments
+                 `(#:disallowed-references
+                   ,(assoc-ref %boot3-inputs "coreutils&co")
+                   ,@(package-arguments bash))))))
+    (package-with-bootstrap-guile
+     (package-with-explicit-inputs (static-libgcc-package bash)
+                                   %boot3-inputs
+                                   (current-source-location)
+                                   #:guile %bootstrap-guile))))
 
 (define %boot4-inputs
   ;; Now use the final Bash.
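Review bot: The new `#:disallowed-references` entry in `bash-final` has no comment saying what it guards against, and the hunk deletes the FIXME that recorded the dependency on 'bootstrap-binaries' via Makefile.in. A line such as `;; Fail the build if a reference to the "coreutils&co" bootstrap input is retained.` above the `arguments` field would keep that reasoning next to the check. The `let` also rebinds `bash`, so `(inherit bash)` and `(package-arguments bash)` refer to the imported package while `(static-libgcc-package bash)` refers to the new one. A distinct local name would make that easier to follow.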
@@ -987,10 +1009,10 @@ and binaries, plus debugging symbols in the 'debug' output), and Binutils.")
   (gcc-toolchain gcc-4.8))
 
 (define-public gcc-toolchain-4.9
-  (gcc-toolchain gcc-final))
+  (gcc-toolchain gcc-4.9))
 
 (define-public gcc-toolchain-5
-  (gcc-toolchain gcc-5))
+  (gcc-toolchain gcc-final))
 
 (define-public gcc-toolchain-6
   (gcc-toolchain gcc-6))
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 9897883184..81e95c70e5 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -55,7 +55,7 @@
 (define-public zlib
   (package
     (name "zlib")
-    (version "1.2.8")
+    (version "1.2.11")
     (source
      (origin
       (method url-fetch)
@@ -65,24 +65,24 @@
                                 version "/zlib-" version ".tar.gz")))
       (sha256
        (base32
-        "039agw5rqvqny92cpkrfn243x2gd4xn13hs3xi6isk55d2vqqr9n"))))
+        "18dighcs333gsvajvvgqp8l4cx7h1x7yx9gd5xacnk80spyykrf3"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:phases (alist-replace
-                 'configure
-                 (lambda* (#:key outputs #:allow-other-keys)
-                   ;; Zlib's home-made `configure' fails when passed
-                   ;; extra flags like `--enable-fast-install', so we need to
-                   ;; invoke it with just what it understand.
-                   (let ((out (assoc-ref outputs "out")))
-                     ;; 'configure' doesn't understand '--host'.
-                     ,@(if (%current-target-system)
-                           `((setenv "CHOST" ,(%current-target-system)))
-                           '())
-                     (zero?
-                      (system* "./configure"
-                               (string-append "--prefix=" out)))))
-                 %standard-phases)))
+     `(#:phases
+       (modify-phases %standard-phases
+         (replace 'configure
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; Zlib's home-made `configure' fails when passed
+             ;; extra flags like `--enable-fast-install', so we need to
+             ;; invoke it with just what it understand.
+             (let ((out (assoc-ref outputs "out")))
+               ;; 'configure' doesn't understand '--host'.
+               ,@(if (%current-target-system)
+                     `((setenv "CHOST" ,(%current-target-system)))
+                     '())
+               (zero?
+                (system* "./configure"
+                         (string-append "--prefix=" out)))))))))
     (home-page "http://zlib.net/")
     (synopsis "Compression library")
     (description
diff --git a/gnu/packages/cross-base.scm b/gnu/packages/cross-base.scm
index a3dfb8f477..47e0958193 100644
--- a/gnu/packages/cross-base.scm
+++ b/gnu/packages/cross-base.scm
@@ -281,7 +281,7 @@ GCC that does not target a libc; otherwise, target that libc."
               (setenv "ARCH" ,(system->linux-architecture target))
               (format #t "`ARCH' set to `~a' (cross compiling)~%" (getenv "ARCH"))
 
-              (and (zero? (system* "make" "defconfig"))
+              (and (zero? (system* "make" ,(system->defconfig target)))
                    (zero? (system* "make" "mrproper" "headers_check"))))
             ,phases))))
       (native-inputs `(("cross-gcc" ,xgcc)
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index 39ab41c192..94f8e91f17 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -52,7 +52,6 @@
 (define-public cups-filters
   (package
     (name "cups-filters")
-    (replacement cups-filters/fixed)
     (version "1.13.1")
     (source(origin
               (method url-fetch)
@@ -135,13 +134,6 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
                    license:lgpl2.0+
                    license:expat))))
 
-(define mupdf/fixed-instead-of-mupdf
-  (package-input-rewriting `((,mupdf . ,(@@ (gnu packages pdf) mupdf/fixed)))))
-
-;;; Fix CVE-2016-10132 and CVE-2016-10133. See mupdf/fixed for more information.
-(define cups-filters/fixed
-  (mupdf/fixed-instead-of-mupdf cups-filters))
-
 ;; CUPS on non-MacOS systems requires cups-filters.  Since cups-filters also
 ;; depends on CUPS libraries and binaries, cups-minimal has been added to
 ;; satisfy this dependency.
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 7329d870de..ec982ef65b 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Tomáš Čech <sleep_walker@suse.cz>
 ;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -40,15 +40,14 @@
 (define-public curl
   (package
    (name "curl")
-   (replacement curl-7.52.1)
-   (version "7.50.3")
+   (version "7.52.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://curl.haxx.se/download/curl-"
                                 version ".tar.lzma"))
             (sha256
              (base32
-              "1spmk0345hq0sgpwxs8d410268lmg3wf1x9v23hxff7wxki5fm4c"))))
+              "0r937wplchjxifxqqcjxd9rzp6l9rqqdfjn41x1y4djrh95nsa24"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -120,16 +119,3 @@ tunneling, and so on.")
    (license (license:non-copyleft "file://COPYING"
                                   "See COPYING in the distribution."))
    (home-page "https://curl.haxx.se/")))
-
-(define curl-7.52.1
-  (package
-    (inherit curl)
-    (source
-      (let ((version "7.52.1"))
-        (origin
-          (method url-fetch)
-          (uri (string-append "https://curl.haxx.se/download/curl-"
-                              version ".tar.lzma"))
-          (sha256
-           (base32
-            "0r937wplchjxifxqqcjxd9rzp6l9rqqdfjn41x1y4djrh95nsa24")))))))
diff --git a/gnu/packages/cyrus-sasl.scm b/gnu/packages/cyrus-sasl.scm
index 62bd718ab9..b48505e5f3 100644
--- a/gnu/packages/cyrus-sasl.scm
+++ b/gnu/packages/cyrus-sasl.scm
@@ -31,7 +31,6 @@
 (define-public cyrus-sasl
   (package
    (name "cyrus-sasl")
-   (replacement cyrus-sasl/fixed)
    (version "2.1.26")
    (source (origin
             (method url-fetch)
@@ -41,6 +40,7 @@
                        (string-append
                         "ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-"
                         version ".tar.gz")))
+            (patches (search-patches "cyrus-sasl-CVE-2013-4122.patch"))
             (sha256 (base32
                      "1hvvbcsg21nlncbgs0cgn3iwlnb3vannzwsp6rwvnn9ba4v53g4g"))))
    (build-system gnu-build-system)
@@ -66,10 +66,3 @@ server writers.")
    (license (license:non-copyleft "file://COPYING"
                                   "See COPYING in the distribution."))
    (home-page "http://cyrusimap.web.cmu.edu")))
-
-(define cyrus-sasl/fixed
-  (package
-    (inherit cyrus-sasl)
-    (source (origin
-              (inherit (package-source cyrus-sasl))
-              (patches (search-patches "cyrus-sasl-CVE-2013-4122.patch"))))))
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index fd8baa1531..93776c366c 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -665,12 +665,9 @@ for example from a shell script.")
 (define-public sqlite
   (package
    (name "sqlite")
-   (version "3.14.1")
+   (version "3.17.0")
    (source (origin
             (method url-fetch)
-            ;; TODO: Download from sqlite.org once this bug :
-            ;; http://lists.gnu.org/archive/html/bug-guile/2013-01/msg00027.html
-            ;; has been fixed.
             (uri (let ((numeric-version
                         (match (string-split version #\.)
                           ((first-digit other-digits ...)
@@ -680,23 +677,11 @@ for example from a shell script.")
                                             (map (cut string-pad <> 2 #\0)
                                                  other-digits))
                                            6 #\0))))))
-                   (list
-                    (string-append
-                     "https://fossies.org/linux/misc/sqlite-autoconf-"
-                     numeric-version ".tar.gz")
-                    (string-append
-                     "http://distfiles.gentoo.org/distfiles/"
-                     "/sqlite-autoconf-" numeric-version ".tar.gz"))
-
-                   ;; XXX: As of 2015-09-08, SourceForge is squatting the URL
-                   ;; below, returning 200 and showing an advertising page.
-                   ;; (string-append
-                   ;;  "mirror://sourceforge/sqlite.mirror/SQLite%20" version
-                   ;;  "/sqlite-autoconf-" numeric-version ".tar.gz")
-                   ))
+                   (string-append "https://sqlite.org/2017/sqlite-autoconf-"
+                                  numeric-version ".tar.gz")))
             (sha256
              (base32
-              "19j73j44akqgc6m82wm98yvnmm3mfzmfqr8mp3n7n080d53q4wdw"))))
+              "0k472gq0p706jq4529p60znvw02hdf172qxgbdv59q0n7anqbr54"))))
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (arguments
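Review bot: The download path now embeds the release year as a literal, `"https://sqlite.org/2017/sqlite-autoconf-"`, while the rest of the URI is derived from `version`. A later version bump that crosses a year boundary will therefore point at a wrong URL unless both are edited together. A comment above the `string-append`, for example `;; The year in the path must match the release year of VERSION.`, would flag that. The hunk also replaces the two-mirror list with a single origin; the `sha256` still pins the content, so this affects availability rather than integrity.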
@@ -707,7 +692,7 @@ for example from a shell script.")
       (list (string-append "CFLAGS=-O2 -DSQLITE_SECURE_DELETE "
                            "-DSQLITE_ENABLE_UNLOCK_NOTIFY "
                            "-DSQLITE_ENABLE_DBSTAT_VTAB"))))
-   (home-page "http://www.sqlite.org/")
+   (home-page "https://www.sqlite.org/")
    (synopsis "The SQLite database management system")
    (description
     "SQLite is a software library that implements a self-contained, serverless,
@@ -716,26 +701,6 @@ widely deployed SQL database engine in the world.  The source code for SQLite
 is in the public domain.")
    (license license:public-domain)))
 
-(define-public sqlite-3.15.1
-  (package (inherit sqlite)
-           (version "3.15.1")
-           (source (origin
-                     (method url-fetch)
-                     (uri (let ((numeric-version
-                                 (match (string-split version #\.)
-                                   ((first-digit other-digits ...)
-                                    (string-append first-digit
-                                                   (string-pad-right
-                                                    (string-concatenate
-                                                     (map (cut string-pad <> 2 #\0)
-                                                          other-digits))
-                                                    6 #\0))))))
-                            (string-append "https://sqlite.org/2016/sqlite-autoconf-"
-                                           numeric-version ".tar.gz")))
-                     (sha256
-                      (base32
-                       "1ig2d9jzzixiifmgqsl6kjcvy17jwxby3s24gfnc5qvyd6vqkyjx"))))))
-
 (define-public tdb
   (package
     (name "tdb")
diff --git a/gnu/packages/ed.scm b/gnu/packages/ed.scm
index 3668aac19a..5014229952 100644
--- a/gnu/packages/ed.scm
+++ b/gnu/packages/ed.scm
@@ -28,14 +28,14 @@
 (define-public ed
   (package
     (name "ed")
-    (version "1.13")
+    (version "1.14.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/ed/ed-"
                                  version ".tar.lz"))
              (sha256
               (base32
-               "1ly7i1iw02vbcd0zrx084z577ngxnarffmkm45dg6vndad5carnd"))))
+               "0ajm69pma7gigddlrq2qi4dsllz9vhm8gqwpkcdagdd2yaw7xfgz"))))
     (build-system gnu-build-system)
     (native-inputs `(("lzip" ,lzip)))
     (arguments
@@ -45,8 +45,9 @@
          (add-before 'patch-source-shebangs 'patch-test-suite
                      (lambda _
                        (substitute* "testsuite/check.sh"
-                         (("/bin/sh") (which "sh"))))))))
-    (home-page "http://www.gnu.org/software/ed/")
+                         (("/bin/sh") (which "sh")))
+                       #t)))))
+    (home-page "https://www.gnu.org/software/ed/")
     (synopsis "Line-oriented text editor")
     (description
      "Ed is a line-oriented text editor: rather than offering an overview of
diff --git a/gnu/packages/flex.scm b/gnu/packages/flex.scm
index c1f74d65ad..d9abbfa4e2 100644
--- a/gnu/packages/flex.scm
+++ b/gnu/packages/flex.scm
@@ -24,6 +24,7 @@
   #:use-module (guix build-system gnu)
   #:use-module (gnu packages)
   #:use-module (gnu packages m4)
+  #:use-module (gnu packages man)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages indent)
   #:use-module (srfi srfi-1))
@@ -31,29 +32,32 @@
 (define-public flex
   (package
     (name "flex")
-    (version "2.6.0")
+    (version "2.6.2")
     (source (origin
-             (method url-fetch)
-             (uri (string-append "mirror://sourceforge/flex/flex-"
-                                 version ".tar.bz2"))
-             (patches (search-patches "flex-CVE-2016-6354.patch"))
-             (sha256
-              (base32
-               "1sdqx63yadindzafrq1w31ajblf9gl1c301g068s20s7bbpi3ri4"))))
+              (method url-fetch)
+              (uri (string-append
+                    "https://github.com/westes/flex"
+                    "/releases/download/v" version "/"
+                    "flex-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1jdjghh1qjq3z7snphshcak6p07gch2n4215vjvrkism25x460cs"))))
     (build-system gnu-build-system)
     (inputs
      (let ((bison-for-tests
             ;; Work around an incompatibility with Bison 3.0:
             ;; <http://lists.gnu.org/archive/html/bug-bison/2013-09/msg00014.html>.
-            (package (inherit bison)
+            (package
+              (inherit bison)
               (version "2.7.1")
               (source (origin
-                       (method url-fetch)
-                       (uri (string-append "mirror://gnu/bison/bison-"
-                                           version ".tar.xz"))
-                       (sha256
-                        (base32
-                         "1yx7isx67sdmyijvihgyra1f59fwdz7sqriginvavfj5yb5ss2dl"))))
+                        (method url-fetch)
+                        (uri (string-append
+                              "mirror://gnu/bison/"
+                              "bison-" version ".tar.xz"))
+                        (sha256
+                         (base32
+                          "1yx7isx67sdmyijvihgyra1f59fwdz7sqriginvavfj5yb5ss2dl"))))
 
               ;; Unlike Bison 3.0, this version did not need Flex for its
               ;; tests, so it allows us to break the cycle.
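Review bot: `flex-CVE-2016-6354.patch` is dropped from `patches` in the same change that bumps `version` to 2.6.2, and nothing in the hunk records that the fix is part of the new release. The removed `flex-2.6.1` variant in the last hunk of this file also carried no patch, which suggests the fix is upstream, but that is an inference. If confirmed, a short comment such as `;; CVE-2016-6354 is fixed upstream in this release.` would show a later reader that the patch was retired deliberately. The `inputs` field continues past the end of this hunk.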
@@ -61,9 +65,11 @@
        `(("bison" ,bison-for-tests)
          ("indent" ,indent))))
     ;; m4 is not present in PATH when cross-building
-    (native-inputs `(("m4" ,m4)))
+    (native-inputs
+     `(("help2man" ,help2man)
+       ("m4" ,m4)))
     (propagated-inputs `(("m4" ,m4)))
-    (home-page "http://flex.sourceforge.net/")
+    (home-page "https://github.com/westes/flex")
     (synopsis "Fast lexical analyser generator")
     (description
      "Flex is a tool for generating scanners.  A scanner, sometimes
@@ -78,23 +84,4 @@ is run, it analyzes its input for occurrences of text matching the
 regular expressions for each rule.  Whenever it finds a match, it
 executes the corresponding C code.")
     (license (non-copyleft "file://COPYING"
-                        "See COPYING in the distribution."))))
-
-(define-public flex-2.6.1
-  ;; The kservice and solid packages use flex.  extra-cmake-modules
-  ;; forces C89 for all C files for compatibility with windows.
-  ;; Flex 2.6.0 generates a lexer containing a single line comment.  Single
-  ;; line comments are part of the C99 standard, so the lexer won't compile
-  ;; if C89 is used.
-  (package
-    (inherit flex)
-    (version "2.6.1")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append
-                    "https://github.com/westes/flex"
-                    "/releases/download/v" version "/"
-                    "flex-" version ".tar.gz"))
-              (sha256
-               (base32
-                "0fy14c35yz2m1n1m4f02by3501fn0cca37zn7jp8lpp4b3kgjhrw"))))))
+                           "See COPYING in the distribution."))))
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index 60cff2e330..1ffb427529 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -46,13 +46,13 @@
 (define-public freetype
   (package
    (name "freetype")
-   (version "2.6.3")
+   (version "2.7")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://savannah/freetype/freetype-"
                                 version ".tar.bz2"))
             (sha256 (base32
-                     "18k3b026762lmyrxfil5xv8qwnvj7hc12gz9bjqzbb12lmx707ip"))))
+                     "0j3xgzn6pchgg1nm294vhx7cdicb7x3x8kwnlcm7v1alnzsm396n"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
@@ -69,7 +69,7 @@ It supports both bitmap and scalable formats, including TrueType, OpenType,
 Type1, CID, CFF, Windows FON/FNT, X11 PCF, and others.  It supports high-speed
 anti-aliased glyph bitmap generation with 256 gray levels.")
    (license license:freetype)           ; some files have other licenses
-   (home-page "http://www.freetype.org/")))
+   (home-page "https://www.freetype.org/")))
 
 (define-public ttfautohint
   (package
diff --git a/gnu/packages/gawk.scm b/gnu/packages/gawk.scm
index 86f01335a8..280e3d3cff 100644
--- a/gnu/packages/gawk.scm
+++ b/gnu/packages/gawk.scm
@@ -47,7 +47,7 @@
                      (let ((bash (assoc-ref inputs "bash")))
                        (substitute* "io.c"
                          (("/bin/sh")
-                          (string-append bash "/bin/bash")))
+                          (string-append bash "/bin/sh")))
 
                        ;; When cross-compiling, remove dependencies on the
                        ;; `check-for-shared-lib-support' target, which tries
diff --git a/gnu/packages/gcc.scm b/gnu/packages/gcc.scm
index cfd33f85ab..075642ebd1 100644
--- a/gnu/packages/gcc.scm
+++ b/gnu/packages/gcc.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2014, 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016 Carlos Sánchez de La Lama <csanchezdll@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -204,17 +205,18 @@ where the OS part is overloaded to denote a specific ABI---into GCC
                 (for-each
                  (lambda (x)
                    (substitute* (find-files "gcc/config"
-                                            "^linux(64|-elf|-eabi)?\\.h$")
-                     (("(#define GLIBC_DYNAMIC_LINKER.*)\\\\\n$" _ line)
+                                            "^(linux|gnu|sysv4)(64|-elf|-eabi)?\\.h$")
+                     (("(#define (GLIBC|GNU_USER)_DYNAMIC_LINKER.*)\\\\\n$" _ line)
                       line)))
                  '(1 2 3))
 
                 ;; Fix the dynamic linker's file name.
                 (substitute* (find-files "gcc/config"
-                                         "^(linux|gnu)(64|-elf|-eabi)?\\.h$")
-                  (("#define GLIBC_DYNAMIC_LINKER([^ ]*).*$" _ suffix)
-                   (format #f "#define GLIBC_DYNAMIC_LINKER~a \"~a\"~%"
-                           suffix
+                                         "^(linux|gnu|sysv4)(64|-elf|-eabi)?\\.h$")
+                  (("#define (GLIBC|GNU_USER)_DYNAMIC_LINKER([^ ]*).*$"
+                    _ gnu-user suffix)
+                   (format #f "#define ~a_DYNAMIC_LINKER~a \"~a\"~%"
+                           gnu-user suffix
                            (string-append libc ,(glibc-dynamic-linker)))))
 
                 ;; Tell where to find libstdc++, libc, and `?crt*.o', except
@@ -240,7 +242,21 @@ where the OS part is overloaded to denote a specific ABI---into GCC
                    (format #f "#define STANDARD_STARTFILE_PREFIX_1 \"~a/lib\"
 #define STANDARD_STARTFILE_PREFIX_2 \"\"
 ~a"
-                           libc line))))
+                           libc line)))
+
+              ;; The rs6000 (a.k.a. powerpc) config in GCC does not use
+              ;; GNU_USER_* defines.  Do the above for this case.
+              (substitute*
+                  "gcc/config/rs6000/sysv4.h"
+                (("#define LIB_LINUX_SPEC (.*)$" _ suffix)
+                 (format #f "#define LIB_LINUX_SPEC \
+\"-L~a/lib %{!static:-rpath=~a/lib %{!static-libgcc:-rpath=~a/lib -lgcc_s}} \" ~a"
+                         libc libc libdir suffix))
+                (("#define	STARTFILE_LINUX_SPEC.*$" line)
+                 (format #f "#define STANDARD_STARTFILE_PREFIX_1 \"~a/lib\"
+#define STANDARD_STARTFILE_PREFIX_2 \"\"
+~a"
+                         libc line))))
 
               ;; Don't retain a dependency on the build-time sed.
               (substitute* "fixincludes/fixincl.x"
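Review bot: The `STARTFILE_LINUX_SPEC` pattern in the new rs6000 block appears to rely on a literal tab between `#define` and the macro name. If an editor converts that tab or upstream changes the spacing, `substitute*` matches nothing and the start-file prefix is left unpatched with no build error. Writing it as `(("#define[[:blank:]]+STARTFILE_LINUX_SPEC.*$" line)` makes the whitespace explicit and tolerant. The single space in `"#define LIB_LINUX_SPEC (.*)$"` has the same fragility. The enclosing phase begins before this hunk, and `libc` and `libdir` are bound outside it.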
@@ -358,8 +374,11 @@ Go.  It also includes runtime support libraries for these languages.")
               (sha256
                (base32
                 "0fihlcy5hnksdxk0sn6bvgnyq8gfrgs8m794b1jxwd1dxinzg3b0"))
-              (patches (search-patches "gcc-strmov-store-file-names.patch"
-                                       "gcc-5.0-libvtv-runpath.patch"))))))
+              (patches (search-patches "gcc-arm-bug-71399.patch"
+                                       "gcc-strmov-store-file-names.patch"
+                                       "gcc-5.0-libvtv-runpath.patch"
+                                       "gcc-5-source-date-epoch-1.patch"
+                                       "gcc-5-source-date-epoch-2.patch"))))))
 
 (define-public gcc-6
   (package
@@ -377,7 +396,7 @@ Go.  It also includes runtime support libraries for these languages.")
 
 ;; Note: When changing the default gcc version, update
 ;;       the gcc-toolchain-* definitions accordingly.
-(define-public gcc gcc-4.9)
+(define-public gcc gcc-5)
 
 (define-public (make-libstdc++ gcc)
   "Return a libstdc++ package based on GCC.  The primary use case is when
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index 713f7ae91e..1c2be119b1 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -36,12 +36,11 @@
 (define-public gd
   (package
     (name "gd")
-    (replacement gd-2.2.4)
 
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
-    (version "2.2.3")
+    (version "2.2.4")
 
     (source (origin
              (method url-fetch)
@@ -50,12 +49,21 @@
                    version "/libgd-" version ".tar.xz"))
              (sha256
               (base32
-               "0g3xz8jpz1pl2zzmssglrpa9nxiaa7rmcmvgpbrjz8k9cyynqsvl"))
-             (patches (search-patches "gd-CVE-2016-7568.patch"
-                                      "gd-CVE-2016-8670.patch"
-                                      "gd-fix-gd2-read-test.patch"
+               "1rp4v7n1dq38b92kl7gkvpvqqkw7nvdfnz6d5kip5klkxfki6zqk"))
+             (patches (search-patches "gd-fix-gd2-read-test.patch"
                                       "gd-fix-tests-on-i686.patch"))))
     (build-system gnu-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         ;; This test is known to fail on i686-linux:
+         ;; https://github.com/libgd/libgd/issues/359
+         ;; TODO Replace this substitution with an upstream bug fix.
+         (add-after 'unpack 'disable-failing-test
+           (lambda _
+             (substitute* "tests/gdimagegrayscale/basic.c"
+               (("return gdNumFailures\\(\\)")
+                 "return 0")))))))
     (native-inputs
      `(("pkg-config" ,pkg-config)))
     (inputs
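Review bot: The new `disable-failing-test` phase ends on the `substitute*` form, so its return value is whatever `substitute*` yields. The `ed.scm` hunk in this same change appends an explicit `#t` to an equivalent phase, and this one should match by adding `#t` as the last form of the `lambda`. The substitution also makes `tests/gdimagegrayscale/basic.c` return 0 on every architecture, although the comment says the failure is specific to i686-linux, so a regression in that test would go unnoticed elsewhere. The existing TODO covers removing it, but applying the substitution only on the affected system would narrow the gap until then.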
@@ -78,32 +86,6 @@ most common applications of GD involve website development.")
                            "See COPYING file in the distribution."))
     (properties '((cpe-name . "libgd")))))
 
-(define gd-2.2.4
-  (package
-    (inherit gd)
-    (version "2.2.4")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (string-append "https://github.com/libgd/libgd/releases/download/"
-                            "gd-" version "/libgd-" version ".tar.xz"))
-        (patches (search-patches "gd-fix-gd2-read-test.patch"
-                                 "gd-fix-tests-on-i686.patch"))
-        (sha256
-         (base32
-          "1rp4v7n1dq38b92kl7gkvpvqqkw7nvdfnz6d5kip5klkxfki6zqk"))))
-    (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         ;; This test is known to fail on i686-linux:
-         ;; https://github.com/libgd/libgd/issues/359
-         ;; TODO Replace this substitution with an upstream bug fix.
-         (add-after 'unpack 'disable-failing-test
-           (lambda _
-             (substitute* "tests/gdimagegrayscale/basic.c"
-               (("return gdNumFailures\\(\\)")
-                 "return 0")))))))))
-
 (define-public perl-gd
   (package
     (name "perl-gd")
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index a00448a8c6..826a2fc374 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2013, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -39,14 +40,14 @@
 (define-public lcms
   (package
    (name "lcms")
-   (replacement lcms/fixed)
-   (version "2.6")
+   (version "2.8")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://sourceforge/lcms/lcms/" version
                                 "/lcms2-" version ".tar.gz"))
+            (patches (search-patches "lcms-CVE-2016-10165.patch"))
             (sha256 (base32
-                     "1c8lgq8gfs3nyplvbx9k8wzfj6r2bqi3f611vb1m8z3476454wji"))))
+                     "08pvl289g0mbznzx5l6ibhaldsgx41kwvdn2c974ga9fkli2pl36"))))
    (build-system gnu-build-system)
    (inputs `(("libjpeg-8" ,libjpeg-8)
              ("libtiff" ,libtiff)
@@ -59,14 +60,6 @@ Consortium standard (ICC), approved as ISO 15076-1.")
    (license license:x11)
    (home-page "http://www.littlecms.com/")))
 
-(define lcms/fixed
-  (package
-    (inherit lcms)
-    (source
-      (origin
-        (inherit (package-source lcms))
-        (patches (search-patches "lcms-fix-out-of-bounds-read.patch"))))))
-
 (define-public libpaper
   (package
    (name "libpaper")
@@ -177,9 +170,9 @@ printing, and psresize, for adjusting page sizes.")
         (add-after 'configure 'patch-config-files
                    (lambda _
                      (substitute* "base/all-arch.mak"
-                       (("/bin/sh") (which "bash")))
+                       (("/bin/sh") (which "sh")))
                      (substitute* "base/unixhead.mak"
-                       (("/bin/sh") (which "bash")))))
+                       (("/bin/sh") (which "sh")))))
         (add-after 'configure 'remove-doc-reference
                    (lambda _
                      ;; Don't retain a reference to the 'doc' output in 'gs'.
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 9dd46d60b1..1a794db253 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -67,7 +67,7 @@
 (define dbus
   (package
     (name "dbus")
-    (version "1.10.14")
+    (version "1.10.16")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -75,7 +75,7 @@
                     version ".tar.gz"))
               (sha256
                (base32
-                "10x0wvv2ly4lyyfd42k4xw0ar5qdbi9cksw3l5fcwf1y6mq8y8r3"))
+                "121kqkjsd3vgf8vca8364xl44qa5086h7qy5zs5f1l78ldpbmc57"))
               (patches (search-patches "dbus-helper-search-path.patch"))))
     (build-system gnu-build-system)
     (arguments
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index befd29961c..2be26447a3 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -58,7 +58,7 @@
 (define-public libgpg-error
   (package
     (name "libgpg-error")
-    (version "1.24")
+    (version "1.25")
     (source
      (origin
       (method url-fetch)
@@ -66,7 +66,7 @@
                           version ".tar.bz2"))
       (sha256
        (base32
-        "0h75sf1ngr750c3fjfn4583q7wz40qm63jhg8vjfdrbx936f2s4j"))))
+        "031jc5196fdcxn2g61i1pdabvdbxxcdi4j7jbaq3hfs38dcgfa7n"))))
     (build-system gnu-build-system)
     (home-page "https://gnupg.org")
     (synopsis "Library of error values for GnuPG components")
@@ -82,14 +82,14 @@ Daemon and possibly more in the future.")
 (define-public libgcrypt
   (package
     (name "libgcrypt")
-    (version "1.7.3")
+    (version "1.7.6")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0wbh6fq5zi9wg2xcfvfpwh7dv52jihivx1vm4h91c2kx0w8n3b6x"))))
+               "1g05prhgqw4ryd0w433q8nhds0h93kf47hfjagi2r7dghkpaysk2"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("libgpg-error-host" ,libgpg-error)))
diff --git a/gnu/packages/gperf.scm b/gnu/packages/gperf.scm
index 9d9aaba3ce..5e55f8d86f 100644
--- a/gnu/packages/gperf.scm
+++ b/gnu/packages/gperf.scm
@@ -25,7 +25,7 @@
 (define-public gperf
   (package
     (name "gperf")
-    (version "3.0.4")
+    (version "3.1")
     (source
      (origin
       (method url-fetch)
@@ -33,7 +33,7 @@
                           version ".tar.gz"))
       (sha256
        (base32
-        "0gnnm8iqcl52m8iha3sxrzrl9mcyhg7lfrhhqgdn4zj00ji14wbn"))))
+        "1qispg6i508rq8pkajh26cznwimbnj06wq9sd85vg95v8nwld1aq"))))
     (build-system gnu-build-system)
     (arguments '(#:parallel-tests? #f))
     (home-page "http://www.gnu.org/software/gperf/")
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 54f2ed27b6..0b12f3e1f8 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -136,15 +136,14 @@ without requiring the source code to be rewritten.")
 (define-public guile-2.0
   (package
    (name "guile")
-   (version "2.0.12")
-   (replacement guile-2.0.13)                 ;CVE-2016-8606 and CVE-2016-8605
+   (version "2.0.14")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/guile/guile-" version
                                 ".tar.xz"))
             (sha256
              (base32
-              "1sdpjq0jf1h65w29q0zprj4x6kdp5jskkvbnlwphy9lvdxrqg0fy"))))
+              "10lxc6l5alf3lzbs3ihnbfy6dfcrsyf8667wa57f26vf4mk2ai78"))))
    (build-system gnu-build-system)
    (native-inputs `(("pkgconfig" ,pkg-config)))
    (inputs `(("libffi" ,libffi)
@@ -217,19 +216,6 @@ without requiring the source code to be rewritten.")
     (properties '((hidden? . #t)))          ;people should install 'guile-2.0'
     (replacement #f)))
 
-(define guile-2.0.13
-  (package
-    (inherit guile-2.0)
-    (version "2.0.13")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/guile/guile-" version
-                                  ".tar.xz"))
-              (sha256
-               (base32
-                "12yqkr974y91ylgw6jnmci2v90i90s7h9vxa4zk0sai8vjnz4i1p"))
-              (patches (search-patches "guile-repl-server-test.patch"))))))
-
 (define-public guile-next
   (package (inherit guile-2.0)
     (name "guile-next")
diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm
index 13723bf585..d842f03b4e 100644
--- a/gnu/packages/icu4c.scm
+++ b/gnu/packages/icu4c.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015, 2016 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -28,20 +29,17 @@
 (define-public icu4c
   (package
    (name "icu4c")
-   (version "55.1")
+   (version "58.2")
    (source (origin
             (method url-fetch)
             (uri (string-append
-                  "mirror://sourceforge/icu/ICU4C/"
+                  "http://download.icu-project.org/files/icu4c/"
                   version
                   "/icu4c-"
                   (string-map (lambda (x) (if (char=? x #\.) #\_ x)) version)
                   "-src.tgz"))
             (sha256
-             (base32 "0ys5f5spizg45qlaa31j2lhgry0jka2gfha527n4ndfxxz5j4sz1"))
-            (patches (search-patches "icu4c-CVE-2014-6585.patch"
-                                     "icu4c-CVE-2015-1270.patch"
-                                     "icu4c-CVE-2015-4760.patch"))))
+             (base32 "036shcb3f8bm1lynhlsb4kpjm9s9c2vdiir01vg216rs2l8482ib"))))
    (build-system gnu-build-system)
    (inputs
     `(("perl" ,perl)))
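Review bot: The new source URI in this hunk is plain `http://download.icu-project.org/files/icu4c/`, replacing the `mirror://sourceforge` scheme. The `sha256` below still pins the tarball, so a tampered download fails the build rather than being used, but the fetch itself is unauthenticated. If the host serves the same path over TLS, `"https://download.icu-project.org/files/icu4c/"` would be preferable. The hunk also drops the three `icu4c-CVE-*` patches, presumably because 58.2 contains those fixes, though nothing here records that this was checked.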
@@ -55,18 +53,9 @@
               '("--with-data-packaging=archive")
               '()))
       #:phases
-      (alist-cons-after
-       'unpack 'chdir-to-source
-       (lambda _ (chdir "source"))
-       (alist-cons-before
-        'configure 'patch-configure
-        (lambda _
-          ;; patch out two occurrences of /bin/sh from configure script
-          ;; that might have disappeared in a release later than 54.1
-          (substitute* "configure"
-            (("`/bin/sh")
-             (string-append "`" (which "bash")))))
-        %standard-phases))))
+      (modify-phases %standard-phases
+        (add-after 'unpack 'chdir-to-source
+          (lambda _ (chdir "source") #t)))))
    (synopsis "International Components for Unicode")
    (description
     "ICU is a set of C/C++ and Java libraries providing Unicode and
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 54b7dd6e22..cbdc1b39dc 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -65,19 +65,19 @@
 (define-public libpng
   (package
    (name "libpng")
-   (replacement libpng/fixed)
-   (version "1.6.25")
+   (version "1.6.28")
    (source (origin
             (method url-fetch)
-
-            ;; Note: upstream removes older tarballs.
             (uri (list (string-append "mirror://sourceforge/libpng/libpng16/"
                                       version "/libpng-" version ".tar.xz")
                        (string-append
                         "ftp://ftp.simplesystems.org/pub/libpng/png/src"
-                        "/libpng15/libpng-" version ".tar.xz")))
+                        "/libpng16/libpng-" version ".tar.xz")
+                       (string-append
+                        "ftp://ftp.simplesystems.org/pub/libpng/png/src/history"
+                        "/libpng16/libpng-" version ".tar.xz")))
             (sha256
-             (base32 "04c8inn745hw25wz2dc5vll5n5d2gsndj01i4srwzgz8861qvzh9"))))
+             (base32 "0ylgyx93hnk38haqrh8prd3ax5ngzwvjqw5cxw7p9nxmwsfyrlyq"))))
    (build-system gnu-build-system)
 
    ;; libpng.la says "-lz", so propagate it.
@@ -90,27 +90,20 @@ library.  It supports almost all PNG features and is extensible.")
    (license license:zlib)
    (home-page "http://www.libpng.org/pub/png/libpng.html")))
 
-(define libpng/fixed
-  (package
-    (inherit libpng)
-    (source
-      (origin
-        (inherit (package-source libpng))
-        (patches (search-patches "libpng-CVE-2016-10087.patch"))))))
-
 (define-public libpng-1.2
   (package
     (inherit libpng)
-    (replacement #f)
     (version "1.2.57")
     (source
      (origin
        (method url-fetch)
-       ;; Note: upstream removes older tarballs.
        (uri (list (string-append "mirror://sourceforge/libpng/libpng12/"
                                  version "/libpng-" version ".tar.xz")
                   (string-append
                    "ftp://ftp.simplesystems.org/pub/libpng/png/src"
+                   "/libpng12/libpng-" version ".tar.xz")
+                  (string-append
+                   "ftp://ftp.simplesystems.org/pub/libpng/png/src/history"
                    "/libpng12/libpng-" version ".tar.xz")))
        (sha256
         (base32 "1n2lrzjkm5jhfg2bs10q398lkwbbx742fi27zgdgx0x23zhj0ihg"))))))
@@ -259,12 +252,27 @@ extracting icontainer icon files.")
 (define-public libtiff
   (package
    (name "libtiff")
-   (replacement libtiff/fixed)
    (version "4.0.7")
    (source (origin
             (method url-fetch)
             (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
                                 version ".tar.gz"))
+            (patches (search-patches "libtiff-heap-overflow-tiffcp.patch"
+                                     "libtiff-null-dereference.patch"
+                                     "libtiff-heap-overflow-tif-dirread.patch"
+                                     "libtiff-heap-overflow-pixarlog-luv.patch"
+                                     "libtiff-divide-by-zero.patch"
+                                     "libtiff-divide-by-zero-ojpeg.patch"
+                                     "libtiff-tiffcp-underflow.patch"
+                                     "libtiff-invalid-read.patch"
+                                     "libtiff-CVE-2016-10092.patch"
+                                     "libtiff-heap-overflow-tiffcrop.patch"
+                                     "libtiff-divide-by-zero-tiffcrop.patch"
+                                     "libtiff-CVE-2016-10093.patch"
+                                     "libtiff-divide-by-zero-tiffcp.patch"
+                                     "libtiff-assertion-failure.patch"
+                                     "libtiff-CVE-2016-10094.patch"
+                                     "libtiff-CVE-2017-5225.patch"))
             (sha256
              (base32
               "06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
@@ -292,29 +300,6 @@ collection of tools for doing simple manipulations of TIFF images.")
                                   "See COPYRIGHT in the distribution."))
    (home-page "http://www.simplesystems.org/libtiff/")))
 
-(define libtiff/fixed
-  (package
-    (inherit libtiff)
-    (source
-      (origin
-        (inherit (package-source libtiff))
-        (patches (search-patches "libtiff-heap-overflow-tiffcp.patch"
-                                 "libtiff-null-dereference.patch"
-                                 "libtiff-heap-overflow-tif-dirread.patch"
-                                 "libtiff-heap-overflow-pixarlog-luv.patch"
-                                 "libtiff-divide-by-zero.patch"
-                                 "libtiff-divide-by-zero-ojpeg.patch"
-                                 "libtiff-tiffcp-underflow.patch"
-                                 "libtiff-invalid-read.patch"
-                                 "libtiff-CVE-2016-10092.patch"
-                                 "libtiff-heap-overflow-tiffcrop.patch"
-                                 "libtiff-divide-by-zero-tiffcrop.patch"
-                                 "libtiff-CVE-2016-10093.patch"
-                                 "libtiff-divide-by-zero-tiffcp.patch"
-                                 "libtiff-assertion-failure.patch"
-                                 "libtiff-CVE-2016-10094.patch"
-                                 "libtiff-CVE-2017-5225.patch"))))))
-
 (define-public libwmf
   (package
     (name "libwmf")
@@ -446,8 +431,7 @@ work.")
 (define-public openjpeg
   (package
     (name "openjpeg")
-    (replacement openjpeg-2.1.2)
-    (version "2.1.1")
+    (version "2.1.2")
     (source
       (origin
         (method url-fetch)
@@ -457,9 +441,11 @@ work.")
         (file-name (string-append name "-" version ".tar.gz"))
         (sha256
          (base32
-          "1anv0rjkbxw9kx91wvlfpb3dhppibda6kb1papny46bjzi3pzhl2"))
+          "19yz4g0c45sm8y1z01j9djsrl1mkz3pmw7fykc6hkvrqymp7prsc"))
         (patches (search-patches "openjpeg-CVE-2016-5157.patch"
-                                 "openjpeg-CVE-2016-7163.patch"))))
+                                 "openjpeg-CVE-2016-7163.patch"
+                                 "openjpeg-CVE-2016-9850-CVE-2016-9851.patch"
+                                 "openjpeg-CVE-2016-9572-CVE-2016-9573.patch"))))
     (build-system cmake-build-system)
     (arguments
       ;; Trying to run `$ make check' results in a no rule fault.
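Review bot: The merged `patches` list applies `openjpeg-CVE-2016-5157.patch` and `openjpeg-CVE-2016-7163.patch` to the 2.1.2 tarball, whereas the `openjpeg-2.1.2` graft removed in the next hunk applied only the CVE-2016-9850/9851 and CVE-2016-9572/9573 patches to the same hash. One of the two definitions is off: either the older fixes are already in 2.1.2 and the patches are redundant here (and may not apply cleanly), or the graft was shipping without them. This is worth confirming against the 2.1.2 sources; if they are upstream, the list should shrink to `(search-patches "openjpeg-CVE-2016-9850-CVE-2016-9851.patch" "openjpeg-CVE-2016-9572-CVE-2016-9573.patch")`. The package definition continues outside this hunk.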
@@ -483,28 +469,9 @@ error-resilience, a Java-viewer for j2k-images, ...")
     (home-page "https://github.com/uclouvain/openjpeg")
     (license license:bsd-2)))
 
-(define openjpeg-2.1.2
-  (package
-    (inherit openjpeg)
-    (name "openjpeg")
-    (version "2.1.2")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (string-append "https://github.com/uclouvain/openjpeg/archive/v"
-                            version ".tar.gz"))
-        (file-name (string-append name "-" version ".tar.gz"))
-        (sha256
-         (base32
-          "19yz4g0c45sm8y1z01j9djsrl1mkz3pmw7fykc6hkvrqymp7prsc"))
-        (patches
-          (search-patches "openjpeg-CVE-2016-9850-CVE-2016-9851.patch"
-                          "openjpeg-CVE-2016-9572-CVE-2016-9573.patch"))))))
-
 (define-public openjpeg-1
   (package (inherit openjpeg)
     (name "openjpeg")
-    (replacement #f)
     (version "1.5.2")
     (source
      (origin
diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
index 36c2851567..86a5853366 100644
--- a/gnu/packages/kde-frameworks.scm
+++ b/gnu/packages/kde-frameworks.scm
@@ -1117,11 +1117,7 @@ which are used in DBus communication.")
     (native-inputs
      `(("bison" ,bison)
        ("extra-cmake-modules" ,extra-cmake-modules)
-       ;; extra-cmake-modules forces C89 for all C files for compatibility with
-       ;; Windows.  Flex 2.6.0 generates a lexer containing a single line
-       ;; comment.  Single line comments are part of the C99 standard, so the
-       ;; lexer won't compile if C89 is used.
-       ("flex" ,flex-2.6.1)
+       ("flex" ,flex)
        ("qttools" ,qttools)))
     (inputs
      `(("qtbase" ,qtbase)
@@ -2535,11 +2531,7 @@ typed.")
     (native-inputs
      `(("bison" ,bison)
        ("extra-cmake-modules" ,extra-cmake-modules)
-       ;; extra-cmake-modules forces C89 for all C files for compatibility with
-       ;; Windows.  Flex 2.6.0 generates a lexer containing a single line
-       ;; comment.  Single line comments are part of the C99 standard, so the
-       ;; lexer won't compile if C89 is used.
-       ("flex" ,flex-2.6.1)))
+       ("flex" ,flex)))
     (inputs
      `(("kcrash" ,kcrash)
        ("kdbusaddons" ,kdbusaddons)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index b6d25f4a23..9f042bd707 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -42,7 +42,7 @@
 (define-public mit-krb5
   (package
     (name "mit-krb5")
-    (version "1.14.3")
+    (version "1.14.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "http://web.mit.edu/kerberos/dist/krb5/"
@@ -50,7 +50,7 @@
                                   "/krb5-" version ".tar.gz"))
               (sha256
                (base32
-                "1jgjiyh1sp72lkxvk437lz5hzcibvw99jc4ihzfz03fg43aj0ind"))))
+                "158bgq9xcg5ljgzia1880ak7m9g6vf2r009rzdqif5n9h111m9h3"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("bison" ,bison)
@@ -78,7 +78,7 @@
              (let ((perl (assoc-ref inputs "perl")))
                (substitute* "plugins/kdb/db2/libdb2/test/run.test"
                  (("/bin/cat") (string-append perl "/bin/perl"))
-                 (("D/bin/sh") (string-append "D" (which "bash")))
+                 (("D/bin/sh") (string-append "D" (which "sh")))
                  (("bindir=/bin/.") (string-append "bindir=" perl "/bin"))))
 
              ;; avoid service names since /etc/services is unavailable
diff --git a/gnu/packages/libevent.scm b/gnu/packages/libevent.scm
index e552a4ee38..bc830f6215 100644
--- a/gnu/packages/libevent.scm
+++ b/gnu/packages/libevent.scm
@@ -80,9 +80,9 @@ loop.")
             "18qz9qfwrkakmazdlwxvjmw8p76g70n3faikwvdwznns1agw9hki"))
           (patches (search-patches
                     "libevent-dns-tests.patch"
-                    "libevent-2.0-evdns-fix-remote-stack-overread.patch"
-                    "libevent-2.0-evutil-fix-buffer-overflow.patch"
-                    "libevent-2.0-evdns-fix-searching-empty-hostnames.patch"))))))
+                    "libevent-2.0-CVE-2016-10195.patch"
+                    "libevent-2.0-CVE-2016-10196.patch"
+                    "libevent-2.0-CVE-2016-10197.patch"))))))
 
 (define-public libev
   (package
diff --git a/gnu/packages/libunistring.scm b/gnu/packages/libunistring.scm
index a9779d4ffd..212bec4b49 100644
--- a/gnu/packages/libunistring.scm
+++ b/gnu/packages/libunistring.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -28,15 +29,15 @@
 (define-public libunistring
   (package
    (name "libunistring")
-   (version "0.9.6")
+   (version "0.9.7")
    (source (origin
             (method url-fetch)
             (uri (string-append
                   "mirror://gnu/libunistring/libunistring-"
-                  version ".tar.gz"))
+                  version ".tar.xz"))
             (sha256
              (base32
-              "0ixxmgpgh2v8ifm6hbwsjxl023myk3dfnj7wnvmqjivza31fw9cn"))))
+              "15z76qrmrvkc3c6hfq2lzzqysgd21s682f2smycfab5g598n8drf"))))
    (propagated-inputs (libiconv-if-needed))
    (build-system gnu-build-system)
    (arguments
@@ -49,5 +50,5 @@
     "GNU libunistring is a library providing functions to manipulate
 Unicode strings and for manipulating C strings according to the Unicode
 standard.")
-   (home-page "http://www.gnu.org/software/libunistring/")
-   (license lgpl3+)))
+   (home-page "https://www.gnu.org/software/libunistring/")
+   (license (list lgpl3+ gpl2))))
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index cdeb8e92c7..f9b8810b06 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Federico Beffa <beffa@fbengineering.ch>
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
-;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Christopher Allan Webber <cwebber@dustycloud.org>
 ;;; Copyright © 2016, 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2016 Alex Kost <alezost@gmail.com>
@@ -17,6 +17,7 @@
 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2016 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2016 Rene Saavedra <rennes@openmailbox.org>
+;;; Copyright © 2016 Carlos Sánchez de La Lama <csanchezdll@gmail.com>
 ;;; Copyright © 2016 ng0 <ng0@libertad.pw>
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 José Miguel Sánchez García <jmi2k@openmailbox.com>
@@ -108,6 +109,13 @@
           ((string-prefix? "aarch64" arch) "arm64")
           (else arch))))
 
+(define-public (system->defconfig system)
+  "Some systems (notably powerpc-linux) require a special target for kernel
+defconfig.  Return the appropiate make target if applicable, otherwise return
+\"defconfig\"."
+  (cond ((string-prefix? "powerpc-" system) "pmac32_defconfig")
+        (else "defconfig")))
+
 (define (linux-libre-urls version)
   "Return a list of URLs for Linux-Libre VERSION."
   (list (string-append
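Review bot: The docstring of `system->defconfig` misspells "appropriate" as `appropiate`. Separately, the `cond` tests only the `"powerpc-"` prefix, so every other system string, including any other PowerPC variant, falls through to `"defconfig"`. If that is intended, a short comment on the `else` branch such as `;; every other system uses the generic target` would make it explicit; whether other PowerPC triplets need their own target is not visible here.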
@@ -127,13 +135,13 @@
 (define-public linux-libre-headers
   (package
     (name "linux-libre-headers")
-    (version "4.4.18")
+    (version "4.4.47")
     (source (origin
              (method url-fetch)
              (uri (linux-libre-urls version))
              (sha256
               (base32
-               "0k8k17in7dkjd9d8zg3i8l1ax466dba6bxw28flxizzyq8znljps"))))
+               "00zdq7swhvzbbnnhzizq6m34q5k4fycpcp215bmkbxh1ic76v7bs"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)))
     (arguments
@@ -147,11 +155,13 @@
            (lambda _
              (let ((arch ,(system->linux-architecture
                           (or (%current-target-system)
-                              (%current-system)))))
+                              (%current-system))))
+                   (defconfig ,(system->defconfig
+                                (or (%current-target-system)
+                                    (%current-system)))))
                (setenv "ARCH" arch)
                (format #t "`ARCH' set to `~a'~%" (getenv "ARCH"))
-
-               (and (zero? (system* "make" "defconfig"))
+               (and (zero? (system* "make" defconfig))
                     (zero? (system* "make" "mrproper" "headers_check"))))))
          (replace 'install
            (lambda* (#:key outputs #:allow-other-keys)
@@ -465,7 +475,7 @@ providing the system administrator with some help in common tasks.")
 (define-public util-linux
   (package
     (name "util-linux")
-    (version "2.28.1")
+    (version "2.29.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://kernel.org/linux/utils/"
@@ -473,7 +483,7 @@ providing the system administrator with some help in common tasks.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "03xnaw3c7pavxvvh1vnimcr44hlhhf25whawiyv8dxsflfj4xkiy"))
+                "0kzmhb2swiqk402jp0y2jsx53l42d7z4xz3bzbn2zv1lp400dr0c"))
               (patches (search-patches "util-linux-tests.patch"))
               (modules '((guix build utils)))
               (snippet
@@ -489,7 +499,7 @@ providing the system administrator with some help in common tasks.")
                "static"))      ; >2 MiB of static .a libraries
     (arguments
      `(#:configure-flags (list "--disable-use-tty-group"
-
+                               "--enable-fs-paths-default=/run/current-system/profile/sbin"
                                ;; Install completions where our
                                ;; bash-completion package expects them.
                                (string-append "--with-bashcompletiondir="
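Review bot: The added `"--enable-fs-paths-default=/run/current-system/profile/sbin"` flag has no comment, and it replaces rather than extends the directories where util-linux looks for filesystem helpers (`mount.TYPE`, `fsck.TYPE`). Those helpers are run by privileged tools, so the flag should state that the directory is expected to be root-controlled, e.g. `;; Look up mount.* and fsck.* helpers in the system profile; this path must only be modifiable by root.` On a system where that directory does not exist, helper lookup would presumably find nothing; if that case matters, the comment should mention it. The `arguments` form continues outside the hunk.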
@@ -1176,7 +1186,7 @@ advanced aspects of IP configuration (iptunnel, ipmaddr).")
 (define-public libcap
   (package
     (name "libcap")
-    (version "2.24")
+    (version "2.25")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -1184,7 +1194,7 @@ advanced aspects of IP configuration (iptunnel, ipmaddr).")
                    "libcap2/libcap-" version ".tar.xz"))
              (sha256
               (base32
-               "0rbc9qbqs5bp9am9s9g83wxj5k4ixps2agy9dxr1v1fwg27mdr6f"))))
+               "0qjiqc5pknaal57453nxcbz3mn1r4hkyywam41wfcglq3v2qlg39"))))
     (build-system gnu-build-system)
     (arguments '(#:phases
                  (modify-phases %standard-phases
diff --git a/gnu/packages/m4.scm b/gnu/packages/m4.scm
index d1ba928768..3ee8142e7a 100644
--- a/gnu/packages/m4.scm
+++ b/gnu/packages/m4.scm
@@ -26,14 +26,14 @@
 (define-public m4
   (package
    (name "m4")
-   (version "1.4.17")
+   (version "1.4.18")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/m4/m4-"
-                                version ".tar.bz2"))
+                                version ".tar.xz"))
             (sha256
              (base32
-              "0w0da1chh12mczxa5lnwzjk9czi3dq6gnnndbpa6w4rj76b1yklf"))))
+              "01sfjd5a4waqw83bibvmn522g69qfqvwig9i2qlgy154l1nfihgj"))))
    (build-system gnu-build-system)
    (arguments
     `(;; Explicitly disable tests when cross-compiling, otherwise 'make check'
@@ -50,7 +50,7 @@
                     (substitute* (find-files "tests"
                                              "posix_spawn")
                       (("/bin/sh")
-                       (format #f "~a/bin/bash" bash)))))
+                       (format #f "~a/bin/sh" bash)))))
                 %standard-phases)))
    (synopsis "Macro processor")
    (description
diff --git a/gnu/packages/make-bootstrap.scm b/gnu/packages/make-bootstrap.scm
index e5c614cee7..5cc2ac51d9 100644
--- a/gnu/packages/make-bootstrap.scm
+++ b/gnu/packages/make-bootstrap.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -206,7 +207,17 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                ("patch" ,patch)
                ("coreutils" ,coreutils)
                ("sed" ,sed)
-               ("grep" ,grep)
+               ;; We don't want to retain a reference to /gnu/store in the
+               ;; bootstrap versions of egrep/fgrep, so we remove the custom
+               ;; phase added since grep@2.25. The effect is 'egrep' and
+               ;; 'fgrep' look for 'grep' in $PATH.
+               ("grep" ,(package
+                          (inherit grep)
+                          (arguments
+                            (substitute-keyword-arguments (package-arguments grep)
+                              ((#:phases phases)
+                               `(modify-phases ,phases
+                                  (delete 'fix-egrep-and-fgrep)))))))
                ("gawk" ,gawk)))
       ("bash" ,static-bash))))
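Review bot: `(delete 'fix-egrep-and-fgrep)` depends on the phase name used in the `grep` package, and as far as I know `modify-phases` treats deleting a missing phase as a no-op. If the phase is renamed or removed in `grep`, the bootstrap `egrep`/`fgrep` would silently regain the `/gnu/store` reference that the comment sets out to avoid. Consider extending the comment with `;; Keep this phase name in sync with the 'grep' package.`, or checking the built scripts for store references during the bootstrap build. The enclosing definition begins outside this hunk.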
 
@@ -416,8 +427,9 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                  ;; the 'pre-configure phase of our main gcc package, because
                  ;; that shared library is not present in this static gcc.  See
                  ;; <https://lists.gnu.org/archive/html/guix-devel/2015-01/msg00008.html>.
-                 (substitute* (find-files "gcc/config"
-                                          "^gnu-user.*\\.h$")
+                 (substitute* (cons "gcc/config/rs6000/sysv4.h"
+                                    (find-files "gcc/config"
+                                                "^gnu-user.*\\.h$"))
                    ((" -lgcc_s}}") "}}")))
                ,phases)))))
      (native-inputs
diff --git a/gnu/packages/multiprecision.scm b/gnu/packages/multiprecision.scm
index 36e35ca00c..b6d2d7f4af 100644
--- a/gnu/packages/multiprecision.scm
+++ b/gnu/packages/multiprecision.scm
@@ -32,7 +32,7 @@
 (define-public gmp
   (package
    (name "gmp")
-   (version "6.1.1")
+   (version "6.1.2")
    (source (origin
             (method url-fetch)
             (uri
@@ -40,7 +40,7 @@
                             version ".tar.xz"))
             (sha256
              (base32
-              "0cg84n482gcvl0s4xq4wgwsk4r0x0m8dnzpizwqdd2j8vw2rqvnk"))
+              "04hrwahdxyqdik559604r7wrj9ffklwvipgfxgj4ys4skbl6bdc7"))
             (patches (search-patches "gmp-faulty-test.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("m4" ,m4)))
@@ -87,13 +87,13 @@ cryptography and computational algebra.")
 (define-public mpfr
   (package
    (name "mpfr")
-   (version "3.1.4")
+   (version "3.1.5")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/mpfr/mpfr-" version
                                 ".tar.xz"))
             (sha256 (base32
-                     "1x8pcnpn1vxfzfsr0js07rwhwyq27fmdzcfjpzi5773ldnqi653n"))))
+                     "1g32l2fg8f62lcyzzh88y3fsh6rk539qc6ahhdgvx7wpnf1dwpq1"))))
    (build-system gnu-build-system)
    (outputs '("out" "debug"))
    (propagated-inputs `(("gmp" ,gmp)))            ; <mpfr.h> refers to <gmp.h>
diff --git a/gnu/packages/ncurses.scm b/gnu/packages/ncurses.scm
index 6949e1e03f..d725a71c0d 100644
--- a/gnu/packages/ncurses.scm
+++ b/gnu/packages/ncurses.scm
@@ -30,6 +30,7 @@
   #:use-module (guix build-system perl)
   #:use-module (gnu packages)
   #:use-module (gnu packages perl)
+  #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages swig)
   #:use-module (guix utils))
 
@@ -87,7 +88,7 @@
                (let ((out (assoc-ref outputs "out")))
                  ;; When building a wide-character (Unicode) build, create backward
                  ;; compatibility links from the the "normal" libraries to the
-                 ;; wide-character libraries (e.g. libncurses.so to libncursesw.so).
+                 ;; wide-character ones (e.g. libncurses.so to libncursesw.so).
                  ,@(if (target-mingw?)
                        '( ;; TODO: create .la files to link to the .dll?
                          (with-directory-excursion (string-append out "/bin")
@@ -116,7 +117,11 @@
                                        (define lib.so.x
                                          (string-append "lib" lib ".so.6"))
                                        (define lib.so
-                                         (string-append "lib" lib ".so")))
+                                         (string-append "lib" lib ".so"))
+                                       (define packagew.pc
+                                         (string-append lib "w.pc"))
+                                       (define package.pc
+                                         (string-append lib ".pc")))
                                      '())
 
                                (when (file-exists? libw.a)
@@ -127,7 +132,12 @@
                                          (false-if-exception (delete-file lib.so))
                                          (call-with-output-file lib.so
                                            (lambda (p)
-                                             (format p "INPUT (-l~aw)~%" lib))))
+                                             (format p "INPUT (-l~aw)~%" lib)))
+                                         (with-directory-excursion "pkgconfig"
+                                           (format #t "creating symlink for `~a'~%"
+                                                   package.pc)
+                                           (when (file-exists? packagew.pc)
+                                             (symlink packagew.pc package.pc))))
                                        '())))
                              '("curses" "ncurses" "form" "panel" "menu")))))))
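Review bot: In the added `with-directory-excursion "pkgconfig"` block, the `creating symlink` message is printed before the `file-exists?` test, so the build log reports a symlink even when none is made. The `symlink` call is also unguarded against an existing `package.pc`, unlike `lib.so`, which is removed with `false-if-exception` a few lines earlier. Moving the `format` inside the `when` and adding `(false-if-exception (delete-file package.pc))` before `(symlink packagew.pc package.pc)` would make the two cases consistent. The surrounding phase begins and ends outside this hunk.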
        `(#:configure-flags
@@ -135,6 +145,11 @@
            'quasiquote
            `(("--with-shared" "--without-debug" "--enable-widec"
               
+              "--enable-pc-files"
+              ,(list 'unquote '(string-append "--with-pkg-config-libdir="
+                                              (assoc-ref %outputs "out")
+                                              "/lib/pkgconfig"))
+
               ;; By default headers land in an `ncursesw' subdir, which is not
               ;; what users expect.
               ,(list 'unquote '(string-append "--includedir=" (assoc-ref %outputs "out")
@@ -157,6 +172,8 @@
                     (add-after 'unpack 'remove-unneeded-shebang
                       ,remove-shebang-phase)))))
     (self-native-input? #t)           ; for `tic'
+     (native-inputs
+      `(("pkg-config" ,pkg-config)))
     (native-search-paths
      (list (search-path-specification
             (variable "TERMINFO_DIRS")
diff --git a/gnu/packages/nettle.scm b/gnu/packages/nettle.scm
index d1203dfe75..e4e0eedc05 100644
--- a/gnu/packages/nettle.scm
+++ b/gnu/packages/nettle.scm
@@ -47,7 +47,7 @@
     (outputs '("out" "debug"))
     (native-inputs `(("m4" ,m4)))
     (propagated-inputs `(("gmp" ,gmp)))
-    (home-page "http://www.lysator.liu.se/~nisse/nettle/")
+    (home-page "https://www.lysator.liu.se/~nisse/nettle/")
     (synopsis "C library for low-level cryptographic functionality")
     (description
      "GNU Nettle is a low-level cryptographic library.  It is designed to
@@ -60,14 +60,14 @@ themselves.")
   ;; This version is not API-compatible with version 2.  In particular, lsh
   ;; cannot use it yet.  So keep it separate.
   (package (inherit nettle-2)
-    (version "3.2")
+    (version "3.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/nettle/nettle-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "15wxhk52yc62rx0pddmry66hqm6z5brrrkx4npd3wh9nybg86hpa"))))
+                "07mif3af077763vc35s1x8vzhzlgqcgxh67c1xr13jnhslkjd526"))))
     (arguments
      (substitute-keyword-arguments (package-arguments nettle-2)
        ((#:configure-flags flags)
diff --git a/gnu/packages/patches/coreutils-fix-cross-compilation.patch b/gnu/packages/patches/coreutils-fix-cross-compilation.patch
new file mode 100644
index 0000000000..3f0d35c33e
--- /dev/null
+++ b/gnu/packages/patches/coreutils-fix-cross-compilation.patch
@@ -0,0 +1,15 @@
+Coreutils fails to cross compile for other platforms because cu_install_program
+is not being evaluated properly. This patch fixes it.
+See <https://lists.gnu.org/archive/html/coreutils/2017-01/msg00039.html>
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -5023,7 +5023,7 @@ pr = progs-readme
+ @CROSS_COMPILING_FALSE@cu_install_program = src/ginstall
+ 
+ # Use the just-built 'ginstall', when not cross-compiling.
+-@CROSS_COMPILING_TRUE@cu_install_program = @INSTALL_PROGRAM@
++@CROSS_COMPILING_TRUE@cu_install_program := @INSTALL@
+ info_TEXINFOS = doc/coreutils.texi
+ doc_coreutils_TEXINFOS = \
+   doc/perm.texi \
+
diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/patches/flex-CVE-2016-6354.patch
deleted file mode 100644
index 1f3cb028d4..0000000000
--- a/gnu/packages/patches/flex-CVE-2016-6354.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
-https://security-tracker.debian.org/tracker/CVE-2016-6354
-
-Patch copied from upstream source repository:
-https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
-
-From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001
-From: Will Estes <westes575@gmail.com>
-Date: Sat, 27 Feb 2016 11:56:05 -0500
-Subject: [PATCH] Fixed incorrect integer type
-
----
- src/flex.skl | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/flex.skl b/src/flex.skl
-index 36a526a..64f853d 100644
---- a/src/flex.skl
-+++ b/src/flex.skl
-@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer()
- 
- 	else
- 		{
--			yy_size_t num_to_read =
-+			int num_to_read =
- 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
- 
- 		while ( num_to_read <= 0 )
diff --git a/gnu/packages/patches/gcc-5-source-date-epoch-1.patch b/gnu/packages/patches/gcc-5-source-date-epoch-1.patch
new file mode 100644
index 0000000000..8c94a026b3
--- /dev/null
+++ b/gnu/packages/patches/gcc-5-source-date-epoch-1.patch
@@ -0,0 +1,190 @@
+Make GCC respect SOURCE_DATE_EPOCH in __DATE__ and __TIME__ macros.
+
+Patch adapted from upstream source repository:
+
+https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=e3e8c48c4a494d9da741c1c8ea6c4c0b7c4ff934
+
+From e3e8c48c4a494d9da741c1c8ea6c4c0b7c4ff934 Mon Sep 17 00:00:00 2001
+From: doko <doko@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 28 Apr 2016 09:12:05 +0000
+Subject: [PATCH] gcc/c-family/ChangeLog:
+
+diff --git a/gcc/c-family/c-common.c b/gcc/c-family/c-common.c
+index 1bf5d080034..6f0898a38d7 100644
+--- a/gcc/c-family/c-common.c
++++ b/gcc/c-family/c-common.c
+@@ -12318,4 +12318,37 @@ pointer_to_zero_sized_aggr_p (tree t)
+   return (TYPE_SIZE (t) && integer_zerop (TYPE_SIZE (t)));
+ }
+ 
++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
++   timestamp to replace embedded current dates to get reproducible
++   results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
++time_t
++get_source_date_epoch ()
++{
++  char *source_date_epoch;
++  long long epoch;
++  char *endptr;
++
++  source_date_epoch = getenv ("SOURCE_DATE_EPOCH");
++  if (!source_date_epoch)
++    return (time_t) -1;
++
++  errno = 0;
++  epoch = strtoll (source_date_epoch, &endptr, 10);
++  if ((errno == ERANGE && (epoch == LLONG_MAX || epoch == LLONG_MIN))
++      || (errno != 0 && epoch == 0))
++    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++		 "strtoll: %s\n", xstrerror(errno));
++  if (endptr == source_date_epoch)
++    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++		 "no digits were found: %s\n", endptr);
++  if (*endptr != '\0')
++    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++		 "trailing garbage: %s\n", endptr);
++  if (epoch < 0)
++    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++		 "value must be nonnegative: %lld \n", epoch);
++
++  return (time_t) epoch;
++}
++
+ #include "gt-c-family-c-common.h"
+diff --git a/gcc/c-family/c-common.h b/gcc/c-family/c-common.h
+index fdb227f85c3..ba0a5d7df50 100644
+--- a/gcc/c-family/c-common.h
++++ b/gcc/c-family/c-common.h
+@@ -1437,4 +1437,10 @@ extern bool contains_cilk_spawn_stmt (tree);
+ extern tree cilk_for_number_of_iterations (tree);
+ extern bool check_no_cilk (tree, const char *, const char *,
+ 		           location_t loc = UNKNOWN_LOCATION);
++
++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
++   timestamp to replace embedded current dates to get reproducible
++   results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
++extern time_t get_source_date_epoch (void);
++
+ #endif /* ! GCC_C_COMMON_H */
+diff --git a/gcc/c-family/c-lex.c b/gcc/c-family/c-lex.c
+index bb55be8063e..e68471b9d2b 100644
+--- a/gcc/c-family/c-lex.c
++++ b/gcc/c-family/c-lex.c
+@@ -402,6 +402,9 @@ c_lex_with_flags (tree *value, location_t *loc, unsigned char *cpp_flags,
+   enum cpp_ttype type;
+   unsigned char add_flags = 0;
+   enum overflow_type overflow = OT_NONE;
++  time_t source_date_epoch = get_source_date_epoch ();
++
++  cpp_init_source_date_epoch (parse_in, source_date_epoch);
+ 
+   timevar_push (TV_CPP);
+  retry:
+diff --git a/gcc/doc/cppenv.texi b/gcc/doc/cppenv.texi
+index 100811dc637..3b5317beb53 100644
+--- a/gcc/doc/cppenv.texi
++++ b/gcc/doc/cppenv.texi
+@@ -79,4 +79,21 @@ main input file is omitted.
+ @ifclear cppmanual
+ @xref{Preprocessor Options}.
+ @end ifclear
++
++@item SOURCE_DATE_EPOCH
++
++If this variable is set, its value specifies a UNIX timestamp to be
++used in replacement of the current date and time in the @code{__DATE__}
++and @code{__TIME__} macros, so that the embedded timestamps become
++reproducible.
++
++The value of @env{SOURCE_DATE_EPOCH} must be a UNIX timestamp,
++defined as the number of seconds (excluding leap seconds) since
++01 Jan 1970 00:00:00 represented in ASCII, identical to the output of
++@samp{@command{date +%s}}.
++
++The value should be a known timestamp such as the last modification
++time of the source or package and it should be set by the build
++process.
++
+ @end vtable
+diff --git a/libcpp/include/cpplib.h b/libcpp/include/cpplib.h
+index 1b731d1a3ad..7a5481219be 100644
+--- a/libcpp/include/cpplib.h
++++ b/libcpp/include/cpplib.h
+@@ -775,6 +775,9 @@ extern void cpp_init_special_builtins (cpp_reader *);
+ /* Set up built-ins like __FILE__.  */
+ extern void cpp_init_builtins (cpp_reader *, int);
+ 
++/* Initialize the source_date_epoch value.  */
++extern void cpp_init_source_date_epoch (cpp_reader *, time_t);
++
+ /* This is called after options have been parsed, and partially
+    processed.  */
+ extern void cpp_post_options (cpp_reader *);
+diff --git a/libcpp/init.c b/libcpp/init.c
+index 45a4d13ffa3..a8d00f4628b 100644
+--- a/libcpp/init.c
++++ b/libcpp/init.c
+@@ -530,6 +530,13 @@ cpp_init_builtins (cpp_reader *pfile, int hosted)
+     _cpp_define_builtin (pfile, "__OBJC__ 1");
+ }
+ 
++/* Initialize the source_date_epoch value.  */
++void
++cpp_init_source_date_epoch (cpp_reader *pfile, time_t source_date_epoch)
++{
++  pfile->source_date_epoch = source_date_epoch; 
++}
++
+ /* Sanity-checks are dependent on command-line options, so it is
+    called as a subroutine of cpp_read_main_file ().  */
+ #if ENABLE_CHECKING
+diff --git a/libcpp/internal.h b/libcpp/internal.h
+index c2d08168945..8507eba1747 100644
+--- a/libcpp/internal.h
++++ b/libcpp/internal.h
+@@ -502,6 +502,10 @@ struct cpp_reader
+   const unsigned char *date;
+   const unsigned char *time;
+ 
++  /* Externally set timestamp to replace current date and time useful for
++     reproducibility.  */
++  time_t source_date_epoch;
++
+   /* EOF token, and a token forcing paste avoidance.  */
+   cpp_token avoid_paste;
+   cpp_token eof;
+diff --git a/libcpp/macro.c b/libcpp/macro.c
+index eb32a6f8c98..3f3b278e97d 100644
+--- a/libcpp/macro.c
++++ b/libcpp/macro.c
+@@ -350,13 +350,20 @@ _cpp_builtin_macro_text (cpp_reader *pfile, cpp_hashnode *node)
+ 	  time_t tt;
+ 	  struct tm *tb = NULL;
+ 
+-	  /* (time_t) -1 is a legitimate value for "number of seconds
+-	     since the Epoch", so we have to do a little dance to
+-	     distinguish that from a genuine error.  */
+-	  errno = 0;
+-	  tt = time(NULL);
+-	  if (tt != (time_t)-1 || errno == 0)
+-	    tb = localtime (&tt);
++	  /* Set a reproducible timestamp for __DATE__ and __TIME__ macro
++	     usage if SOURCE_DATE_EPOCH is defined.  */
++	  if (pfile->source_date_epoch != (time_t) -1)
++	     tb = gmtime (&pfile->source_date_epoch);
++	  else
++	    {
++	      /* (time_t) -1 is a legitimate value for "number of seconds
++		 since the Epoch", so we have to do a little dance to
++		 distinguish that from a genuine error.  */
++	      errno = 0;
++	      tt = time (NULL);
++	      if (tt != (time_t)-1 || errno == 0)
++		tb = localtime (&tt);
++	    }
+ 
+ 	  if (tb)
+ 	    {
+-- 
+2.11.0
+
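Review bot: The header of this patch file does not say that it is only safe when gcc-5-source-date-epoch-2.patch is applied after it. As written here, `get_source_date_epoch` rejects only negative values, so any larger value that `strtoll` accepts is handed to `gmtime` in libcpp/macro.c, and the environment lookup runs on every call to `c_lex_with_flags`. The upper bound (`MAX_SOURCE_DATE_EPOCH`, which the second patch describes as the latest date `__DATE__` and `__TIME__` can store) and the parse-once callback arrive only in that second patch. I would add a header line such as `Must be applied together with gcc-5-source-date-epoch-2.patch, which bounds the value and parses it once.` so the file is not reused on its own.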
diff --git a/gnu/packages/patches/gcc-5-source-date-epoch-2.patch b/gnu/packages/patches/gcc-5-source-date-epoch-2.patch
new file mode 100644
index 0000000000..ed2580679a
--- /dev/null
+++ b/gnu/packages/patches/gcc-5-source-date-epoch-2.patch
@@ -0,0 +1,353 @@
+Continuation of the SOURCE_DATE_EPOCH patch.
+
+Patch adapted from upstream source repository:
+
+https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=dfa5c0d3f3e23e4fdb14857a42de376d9ff8601c
+
+From dfa5c0d3f3e23e4fdb14857a42de376d9ff8601c Mon Sep 17 00:00:00 2001
+From: doko <doko@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Wed, 1 Jun 2016 16:42:41 +0000
+Subject: [PATCH] gcc/c-family/ChangeLog:
+
+diff --git a/gcc/c-family/c-common.c b/gcc/c-family/c-common.c
+index 6f0898a38d7..efbc78ef218 100644
+--- a/gcc/c-family/c-common.c
++++ b/gcc/c-family/c-common.c
+@@ -12321,8 +12321,9 @@ pointer_to_zero_sized_aggr_p (tree t)
+ /* Read SOURCE_DATE_EPOCH from environment to have a deterministic
+    timestamp to replace embedded current dates to get reproducible
+    results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
++
+ time_t
+-get_source_date_epoch ()
++cb_get_source_date_epoch (cpp_reader *pfile ATTRIBUTE_UNUSED)
+ {
+   char *source_date_epoch;
+   long long epoch;
+@@ -12334,19 +12335,14 @@ get_source_date_epoch ()
+ 
+   errno = 0;
+   epoch = strtoll (source_date_epoch, &endptr, 10);
+-  if ((errno == ERANGE && (epoch == LLONG_MAX || epoch == LLONG_MIN))
+-      || (errno != 0 && epoch == 0))
+-    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+-		 "strtoll: %s\n", xstrerror(errno));
+-  if (endptr == source_date_epoch)
+-    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+-		 "no digits were found: %s\n", endptr);
+-  if (*endptr != '\0')
+-    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+-		 "trailing garbage: %s\n", endptr);
+-  if (epoch < 0)
+-    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+-		 "value must be nonnegative: %lld \n", epoch);
++  if (errno != 0 || endptr == source_date_epoch || *endptr != '\0'
++      || epoch < 0 || epoch > MAX_SOURCE_DATE_EPOCH)
++    {
++      error_at (input_location, "environment variable SOURCE_DATE_EPOCH must "
++	        "expand to a non-negative integer less than or equal to %wd",
++		MAX_SOURCE_DATE_EPOCH);
++      return (time_t) -1;
++    }
+ 
+   return (time_t) epoch;
+ }
+diff --git a/gcc/c-family/c-common.h b/gcc/c-family/c-common.h
+index ba0a5d7df50..977ae9df5ea 100644
+--- a/gcc/c-family/c-common.h
++++ b/gcc/c-family/c-common.h
+@@ -1063,6 +1063,16 @@ extern vec<tree, va_gc> *make_tree_vector_copy (const vec<tree, va_gc> *);
+    c_register_builtin_type.  */
+ extern GTY(()) tree registered_builtin_types;
+ 
++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
++   timestamp to replace embedded current dates to get reproducible
++   results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
++extern time_t cb_get_source_date_epoch (cpp_reader *pfile);
++
++/* The value (as a unix timestamp) corresponds to date
++   "Dec 31 9999 23:59:59 UTC", which is the latest date that __DATE__ and
++   __TIME__ can store.  */
++#define MAX_SOURCE_DATE_EPOCH HOST_WIDE_INT_C (253402300799)
++
+ /* In c-gimplify.c  */
+ extern void c_genericize (tree);
+ extern int c_gimplify_expr (tree *, gimple_seq *, gimple_seq *);
+@@ -1438,9 +1448,4 @@ extern tree cilk_for_number_of_iterations (tree);
+ extern bool check_no_cilk (tree, const char *, const char *,
+ 		           location_t loc = UNKNOWN_LOCATION);
+ 
+-/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
+-   timestamp to replace embedded current dates to get reproducible
+-   results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
+-extern time_t get_source_date_epoch (void);
+-
+ #endif /* ! GCC_C_COMMON_H */
+diff --git a/gcc/c-family/c-lex.c b/gcc/c-family/c-lex.c
+index e68471b9d2b..3f78073f640 100644
+--- a/gcc/c-family/c-lex.c
++++ b/gcc/c-family/c-lex.c
+@@ -97,6 +97,7 @@ init_c_lex (void)
+   cb->valid_pch = c_common_valid_pch;
+   cb->read_pch = c_common_read_pch;
+   cb->has_attribute = c_common_has_attribute;
++  cb->get_source_date_epoch = cb_get_source_date_epoch;
+ 
+   /* Set the debug callbacks if we can use them.  */
+   if ((debug_info_level == DINFO_LEVEL_VERBOSE
+@@ -402,9 +403,6 @@ c_lex_with_flags (tree *value, location_t *loc, unsigned char *cpp_flags,
+   enum cpp_ttype type;
+   unsigned char add_flags = 0;
+   enum overflow_type overflow = OT_NONE;
+-  time_t source_date_epoch = get_source_date_epoch ();
+-
+-  cpp_init_source_date_epoch (parse_in, source_date_epoch);
+ 
+   timevar_push (TV_CPP);
+  retry:
+diff --git a/gcc/doc/cppenv.texi b/gcc/doc/cppenv.texi
+index 3b5317beb53..7b4cf6adc11 100644
+--- a/gcc/doc/cppenv.texi
++++ b/gcc/doc/cppenv.texi
+@@ -81,7 +81,6 @@ main input file is omitted.
+ @end ifclear
+ 
+ @item SOURCE_DATE_EPOCH
+-
+ If this variable is set, its value specifies a UNIX timestamp to be
+ used in replacement of the current date and time in the @code{__DATE__}
+ and @code{__TIME__} macros, so that the embedded timestamps become
+@@ -89,8 +88,9 @@ reproducible.
+ 
+ The value of @env{SOURCE_DATE_EPOCH} must be a UNIX timestamp,
+ defined as the number of seconds (excluding leap seconds) since
+-01 Jan 1970 00:00:00 represented in ASCII, identical to the output of
+-@samp{@command{date +%s}}.
++01 Jan 1970 00:00:00 represented in ASCII; identical to the output of
++@samp{@command{date +%s}} on GNU/Linux and other systems that support the
++@code{%s} extension in the @code{date} command.
+ 
+ The value should be a known timestamp such as the last modification
+ time of the source or package and it should be set by the build
+diff --git a/gcc/gcc.c b/gcc/gcc.c
+index d956c36b151..2709f295734 100644
+--- a/gcc/gcc.c
++++ b/gcc/gcc.c
+@@ -3328,6 +3328,29 @@ save_switch (const char *opt, size_t n_args, const char *const *args,
+   n_switches++;
+ }
+ 
++/* Set the SOURCE_DATE_EPOCH environment variable to the current time if it is
++   not set already.  */
++
++static void
++set_source_date_epoch_envvar ()
++{
++  /* Array size is 21 = ceil(log_10(2^64)) + 1 to hold string representations
++     of 64 bit integers.  */
++  char source_date_epoch[21];
++  time_t tt;
++
++  errno = 0;
++  tt = time (NULL);
++  if (tt < (time_t) 0 || errno != 0)
++    tt = (time_t) 0;
++
++  snprintf (source_date_epoch, 21, "%llu", (unsigned long long) tt);
++  /* Using setenv instead of xputenv because we want the variable to remain
++     after finalizing so that it's still set in the second run when using
++     -fcompare-debug.  */
++  setenv ("SOURCE_DATE_EPOCH", source_date_epoch, 0);
++}
++
+ /* Handle an option DECODED that is unknown to the option-processing
+    machinery.  */
+ 
+@@ -3628,6 +3651,7 @@ driver_handle_option (struct gcc_options *opts,
+       else
+ 	compare_debug_opt = arg;
+       save_switch (compare_debug_replacement_opt, 0, NULL, validated, true);
++      set_source_date_epoch_envvar ();
+       return true;
+ 
+     case OPT_fdiagnostics_color_:
+diff --git a/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c
+new file mode 100644
+index 00000000000..f6aa1a360ff
+--- /dev/null
++++ b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c
+@@ -0,0 +1,11 @@
++/* { dg-do run } */
++/* { dg-set-compiler-env-var SOURCE_DATE_EPOCH "630333296" } */
++
++int
++main(void)
++{
++  __builtin_printf ("%s %s\n", __DATE__, __TIME__);
++  return 0;
++}
++
++/* { dg-output "^Dec 22 1989 12:34:56\n$" } */
+diff --git a/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c
+new file mode 100644
+index 00000000000..ae18362ae87
+--- /dev/null
++++ b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c
+@@ -0,0 +1,12 @@
++/* { dg-do compile } */
++/* { dg-set-compiler-env-var SOURCE_DATE_EPOCH "AAA" } */
++
++/* Make sure that SOURCE_DATE_EPOCH is only parsed once */
++
++int
++main(void)
++{
++  __builtin_printf ("%s %s\n", __DATE__, __TIME__); /* { dg-error "SOURCE_DATE_EPOCH must expand" } */
++  __builtin_printf ("%s %s\n", __DATE__, __TIME__);
++  return 0;
++}
+diff --git a/gcc/testsuite/lib/gcc-dg.exp b/gcc/testsuite/lib/gcc-dg.exp
+index 4fa433d9954..7656b2254a1 100644
+--- a/gcc/testsuite/lib/gcc-dg.exp
++++ b/gcc/testsuite/lib/gcc-dg.exp
+@@ -324,6 +324,38 @@ proc restore-target-env-var { } {
+     }
+ }
+ 
++proc dg-set-compiler-env-var { args } {
++    global set_compiler_env_var
++    global saved_compiler_env_var
++    if { [llength $args] != 3 } {
++	error "dg-set-compiler-env-var: need two arguments"
++	return
++    }
++    set var [lindex $args 1]
++    set value [lindex $args 2]
++    if [info exists ::env($var)] {
++      lappend saved_compiler_env_var [list $var 1 $::env($var)]
++    } else {
++      lappend saved_compiler_env_var [list $var 0]
++    }
++    setenv $var $value
++    lappend set_compiler_env_var [list $var $value]
++}
++
++proc restore-compiler-env-var { } {
++    global saved_compiler_env_var
++    for { set env_vari [llength $saved_compiler_env_var] } {
++          [incr env_vari -1] >= 0 } {} {
++	set env_var [lindex $saved_compiler_env_var $env_vari]
++	set var [lindex $env_var 0]
++	if [lindex $env_var 1] {
++	    setenv $var [lindex $env_var 2]
++	} else {
++	    unsetenv $var
++	}
++    }
++}
++
+ # Utility routines.
+ 
+ #
+@@ -785,6 +817,11 @@ if { [info procs saved-dg-test] == [list] } {
+ 	if [info exists set_target_env_var] {
+ 	    unset set_target_env_var
+ 	}
++	if [info exists set_compiler_env_var] {
++	    restore-compiler-env-var
++	    unset set_compiler_env_var
++	    unset saved_compiler_env_var
++	}
+ 	unset_timeout_vars
+ 	if [info exists compiler_conditional_xfail_data] {
+ 	    unset compiler_conditional_xfail_data
+diff --git a/libcpp/include/cpplib.h b/libcpp/include/cpplib.h
+index 7a5481219be..867aeebc39f 100644
+--- a/libcpp/include/cpplib.h
++++ b/libcpp/include/cpplib.h
+@@ -585,6 +585,9 @@ struct cpp_callbacks
+ 
+   /* Callback that can change a user builtin into normal macro.  */
+   bool (*user_builtin_macro) (cpp_reader *, cpp_hashnode *);
++
++  /* Callback to parse SOURCE_DATE_EPOCH from environment.  */
++  time_t (*get_source_date_epoch) (cpp_reader *);
+ };
+ 
+ #ifdef VMS
+@@ -775,9 +778,6 @@ extern void cpp_init_special_builtins (cpp_reader *);
+ /* Set up built-ins like __FILE__.  */
+ extern void cpp_init_builtins (cpp_reader *, int);
+ 
+-/* Initialize the source_date_epoch value.  */
+-extern void cpp_init_source_date_epoch (cpp_reader *, time_t);
+-
+ /* This is called after options have been parsed, and partially
+    processed.  */
+ extern void cpp_post_options (cpp_reader *);
+diff --git a/libcpp/init.c b/libcpp/init.c
+index a8d00f4628b..61c9bbbf945 100644
+--- a/libcpp/init.c
++++ b/libcpp/init.c
+@@ -254,6 +254,9 @@ cpp_create_reader (enum c_lang lang, cpp_hash_table *table,
+   /* Do not force token locations by default.  */
+   pfile->forced_token_location_p = NULL;
+ 
++  /* Initialize source_date_epoch to -2 (not yet set).  */
++  pfile->source_date_epoch = (time_t) -2;
++
+   /* The expression parser stack.  */
+   _cpp_expand_op_stack (pfile);
+ 
+@@ -530,13 +533,6 @@ cpp_init_builtins (cpp_reader *pfile, int hosted)
+     _cpp_define_builtin (pfile, "__OBJC__ 1");
+ }
+ 
+-/* Initialize the source_date_epoch value.  */
+-void
+-cpp_init_source_date_epoch (cpp_reader *pfile, time_t source_date_epoch)
+-{
+-  pfile->source_date_epoch = source_date_epoch; 
+-}
+-
+ /* Sanity-checks are dependent on command-line options, so it is
+    called as a subroutine of cpp_read_main_file ().  */
+ #if ENABLE_CHECKING
+diff --git a/libcpp/internal.h b/libcpp/internal.h
+index 8507eba1747..226ae328e76 100644
+--- a/libcpp/internal.h
++++ b/libcpp/internal.h
+@@ -503,7 +503,8 @@ struct cpp_reader
+   const unsigned char *time;
+ 
+   /* Externally set timestamp to replace current date and time useful for
+-     reproducibility.  */
++     reproducibility.  It should be initialized to -2 (not yet set) and
++     set to -1 to disable it or to a non-negative value to enable it.  */
+   time_t source_date_epoch;
+ 
+   /* EOF token, and a token forcing paste avoidance.  */
+diff --git a/libcpp/macro.c b/libcpp/macro.c
+index 3f3b278e97d..756c7c6e0c6 100644
+--- a/libcpp/macro.c
++++ b/libcpp/macro.c
+@@ -351,9 +351,13 @@ _cpp_builtin_macro_text (cpp_reader *pfile, cpp_hashnode *node)
+ 	  struct tm *tb = NULL;
+ 
+ 	  /* Set a reproducible timestamp for __DATE__ and __TIME__ macro
+-	     usage if SOURCE_DATE_EPOCH is defined.  */
+-	  if (pfile->source_date_epoch != (time_t) -1)
+-	     tb = gmtime (&pfile->source_date_epoch);
++	     if SOURCE_DATE_EPOCH is defined.  */
++	  if (pfile->source_date_epoch == (time_t) -2
++	      && pfile->cb.get_source_date_epoch != NULL)
++	    pfile->source_date_epoch = pfile->cb.get_source_date_epoch (pfile);
++
++	  if (pfile->source_date_epoch >= (time_t) 0)
++	    tb = gmtime (&pfile->source_date_epoch);
+ 	  else
+ 	    {
+ 	      /* (time_t) -1 is a legitimate value for "number of seconds
+-- 
+2.11.0
+
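Review bot: In `cb_get_source_date_epoch` the range check is made on `long long epoch`, but the function then returns `(time_t) epoch`. On a host where `time_t` is narrower than `long long` (presumably the 32-bit targets), a value that passed the check can change in the cast and come out negative, or equal to the -1/-2 sentinels that libcpp/macro.c reads as "disabled" and "not yet set". The compiler would then fall back to the current time, or embed a different date, without any diagnostic, which defeats the reproducibility the patch is for. Extending the condition with `|| (long long) (time_t) epoch != epoch` would route such values into the existing `error_at` branch. Since the patch is adapted from upstream, the cast is presumably there as well and worth reporting upstream.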
diff --git a/gnu/packages/patches/gcc-libiberty-printf-decl.patch b/gnu/packages/patches/gcc-libiberty-printf-decl.patch
new file mode 100644
index 0000000000..a612c9e00e
--- /dev/null
+++ b/gnu/packages/patches/gcc-libiberty-printf-decl.patch
@@ -0,0 +1,28 @@
+This patch makes the exeception specifier of libiberty's 'asprintf'
+and 'vasprintf' declarations match those of glibc to work around the
+problem described at <https://gcc.gnu.org/ml/gcc-help/2016-04/msg00039.html>.
+
+The problem in part stems from the fact that libiberty is configured
+without _GNU_SOURCE (thus, it sets HAVE_DECL_ASPRINTF to 0), whereas libcc1
+is configured and built with _GNU_SOURCE, hence the conflicting declarations.
+
+--- gcc-5.3.0/include/libiberty.h	2016-04-23 22:45:46.262709079 +0200
++++ gcc-5.3.0/include/libiberty.h	2016-04-23 22:45:37.110635439 +0200
+@@ -625,7 +625,7 @@ extern int pwait (int, int *, int);
+ /* Like sprintf but provides a pointer to malloc'd storage, which must
+    be freed by the caller.  */
+ 
+-extern int asprintf (char **, const char *, ...) ATTRIBUTE_PRINTF_2;
++extern int asprintf (char **, const char *, ...) __THROWNL ATTRIBUTE_PRINTF_2;
+ #endif
+ 
+ /* Like asprintf but allocates memory without fail. This works like
+@@ -637,7 +637,7 @@ extern char *xasprintf (const char *, ..
+ /* Like vsprintf but provides a pointer to malloc'd storage, which
+    must be freed by the caller.  */
+ 
+-extern int vasprintf (char **, const char *, va_list) ATTRIBUTE_PRINTF(2,0);
++extern int vasprintf (char **, const char *, va_list) __THROWNL ATTRIBUTE_PRINTF(2,0);
+ #endif
+ 
+ /* Like vasprintf but allocates memory without fail. This works like
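Review bot: Both changed declarations in include/libiberty.h now use `__THROWNL` unconditionally, and nothing in these hunks defines it. The macro comes from glibc's headers, so a build against a C library that lacks it stops on an unknown identifier whenever the surrounding guard selects these declarations (only the guard's `#endif` is visible here). A fallback ahead of the declarations would keep the workaround harmless in that case: `#ifndef __THROWNL`, `# define __THROWNL`, `#endif`.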
diff --git a/gnu/packages/patches/gd-CVE-2016-7568.patch b/gnu/packages/patches/gd-CVE-2016-7568.patch
deleted file mode 100644
index 6a1a63296c..0000000000
--- a/gnu/packages/patches/gd-CVE-2016-7568.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Fix CVE-2016-7568 (integer overflow in gdImageWebpCtx()):
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7568
-
-Patch copied from upstream source repository:
-
-https://github.com/libgd/libgd/commit/2806adfdc27a94d333199345394d7c302952b95f
-
-From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001
-From: trylab <trylab@users.noreply.github.com>
-Date: Tue, 6 Sep 2016 18:35:32 +0800
-Subject: [PATCH] Fix integer overflow in gdImageWebpCtx
-
-Integer overflow can be happened in expression gdImageSX(im) * 4 *
-gdImageSY(im). It could lead to heap buffer overflow in the following
-code. This issue has been reported to the PHP Bug Tracking System. The
-proof-of-concept file will be supplied some days later. This issue was
-discovered by Ke Liu of Tencent's Xuanwu LAB.
----
- src/gd_webp.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/gd_webp.c b/src/gd_webp.c
-index 8eb4dee..9886399 100644
---- a/src/gd_webp.c
-+++ b/src/gd_webp.c
-@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
- 		quality = 80;
- 	}
- 
-+	if (overflow2(gdImageSX(im), 4)) {
-+		return;
-+	}
-+
-+	if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
-+		return;
-+	}
-+
- 	argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
- 	if (!argb) {
- 		return;
--- 
-2.10.0
-
diff --git a/gnu/packages/patches/gd-CVE-2016-8670.patch b/gnu/packages/patches/gd-CVE-2016-8670.patch
deleted file mode 100644
index 39ee99ac31..0000000000
--- a/gnu/packages/patches/gd-CVE-2016-8670.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Fix CVE-2016-8670 (buffer overflow in dynamicGetbuf()):
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8670
-http://seclists.org/oss-sec/2016/q4/138
-
-Patch copied from upstream source repository:
-
-https://github.com/libgd/libgd/commit/53110871935244816bbb9d131da0bccff734bfe9
-
-From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Wed, 12 Oct 2016 11:15:32 +0200
-Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
-
-We make sure to never pass a negative `rlen` as size to memcpy(). See
-also <https://bugs.php.net/bug.php?id=73280>.
-
-Patch provided by Emmanuel Law.
----
- src/gd_io_dp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
-index 135eda3..228bfa5 100644
---- a/src/gd_io_dp.c
-+++ b/src/gd_io_dp.c
-@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
- 	if(remain >= len) {
- 		rlen = len;
- 	} else {
--		if(remain == 0) {
-+		if(remain <= 0) {
- 			/* 2.0.34: EOF is incorrect. We use 0 for
- 			 * errors and EOF, just like fileGetbuf,
- 			 * which is a simple fread() wrapper.
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/glibc-bootstrap-system.patch b/gnu/packages/patches/glibc-bootstrap-system.patch
index 7208cce3f4..6d09efed2c 100644
--- a/gnu/packages/patches/glibc-bootstrap-system.patch
+++ b/gnu/packages/patches/glibc-bootstrap-system.patch
@@ -3,6 +3,10 @@ and popen(3) need to be tweaked to use the right shell.  For the bootstrap
 glibc, we just use whatever `sh' can be found in $PATH.  The final glibc
 instead uses the hard-coded absolute file name of `bash'.
 
+The second part that touches fcntl-linux.h reverts a change from glibc-2.25
+which would require the statically compiled glibc used in bootstrapping to
+depend on the linux kernel headers.
+
 --- a/sysdeps/posix/system.c
 +++ b/sysdeps/posix/system.c
 @@ -134,7 +134,7 @@ do_system (const char *line)
@@ -26,3 +30,23 @@ instead uses the hard-coded absolute file name of `bash'.
        _IO__exit (127);
      }
    _IO_close (child_end);
+
+--- a/sysdeps/unix/sysv/linux/bits/fcntl-linux.h
++++ b/sysdeps/unix/sysv/linux/bits/fcntl-linux.h
+@@ -318,7 +318,15 @@ struct f_owner_ex
+ 
+  
+ /* Flags for fallocate.  */
++# define FALLOC_FL_KEEP_SIZE           1 /* Don't extend size of file
++                                            even if offset + len is
++                                            greater than file size.  */
++# define FALLOC_FL_PUNCH_HOLE          2 /* Create a hole in the file.  */
++# define FALLOC_FL_COLLAPSE_RANGE      8 /* Remove a range of a file
++                                            without leaving a
++                                            hole.  */
++# define FALLOC_FL_ZERO_RANGE          16 /* Convert a range of a
++                                             file to zeros.  */
+-# include <linux/falloc.h>
+ 
+  
+ /* File handle structure.  */
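Review bot: The four `FALLOC_FL_*` values are now hard-coded copies of kernel constants, and nothing in the added lines says they must be kept in step with `<linux/falloc.h>`. Flags the kernel header defines beyond these four (for example `FALLOC_FL_INSERT_RANGE`) are no longer visible through `<fcntl.h>`, so code that tests for them with `#ifdef` silently loses that path. I would put a comment above the block, `/* Copied from <linux/falloc.h>; keep in sync when glibc is updated.  */`. Whether this patch is also applied to the final glibc is not visible here; if it is, consider limiting the revert to the bootstrap build.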
diff --git a/gnu/packages/patches/guile-repl-server-test.patch b/gnu/packages/patches/guile-repl-server-test.patch
deleted file mode 100644
index 81e724ecc4..0000000000
--- a/gnu/packages/patches/guile-repl-server-test.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-commit 8d6209ea56241bb1890c142539927c9ef3fb5a13
-Author: Ludovic Courtès <ludo@gnu.org>
-Date:   Fri Nov 4 22:44:32 2016 +0100
-
-    tests: Throw 'unresolved when the REPL server is too slow.
-
-commit 2fbde7f02adb8c6585e9baf6e293ee49cd23d4c4
-Author: Ludovic Courtès <ludo@gnu.org>
-Date:   Fri Nov 4 22:45:51 2016 +0100
-
-    tests: Avoid race condition in REPL server test.
-
-index ca389ba..4b5ec0c 100644
---- a/test-suite/tests/00-repl-server.test
-+++ b/test-suite/tests/00-repl-server.test
-@@ -61,10 +61,11 @@ socket connected to that server."
-                (lambda ()
-                  (connect client-socket sockaddr))
-                (lambda args
--                 (when (and (memv (system-error-errno args)
--                                  (list ENOENT ECONNREFUSED))
--                            (< tries 3))
--                   (sleep 1)
-+                 (when (memv (system-error-errno args)
-+                             (list ENOENT ECONNREFUSED))
-+                   (when (> tries 30)
-+                     (throw 'unresolved))
-+                   (usleep 100)
-                    (loop (+ tries 1))))))
- 
-            (proc client-socket))
-@@ -104,8 +105,14 @@ reached."
-       "scheme@(repl-server)> $1 = 42\n"
-     (with-repl-server socket
-       (read-until-prompt socket %last-line-before-prompt)
--      (display "(+ 40 2)\n(quit)\n" socket)
--      (read-string socket)))
-+
-+      ;; Wait until 'repl-reader' in boot-9 has written the prompt.
-+      ;; Otherwise, if we write too quickly, 'repl-reader' checks for
-+      ;; 'char-ready?' and doesn't print the prompt.
-+      (match (select (list socket) '() (list socket) 3)
-+        (((_) () ())
-+         (display "(+ 40 2)\n(quit)\n" socket)
-+         (read-string socket)))))
- 
-   (pass-if "HTTP inter-protocol attack"           ;CVE-2016-8606
-     (with-repl-server socket
diff --git a/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch b/gnu/packages/patches/lcms-CVE-2016-10165.patch
index d9f7ac6a36..fa4d75c9ee 100644
--- a/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch
+++ b/gnu/packages/patches/lcms-CVE-2016-10165.patch
@@ -1,7 +1,9 @@
-Fix an out-of-bounds heap read in Type_MLU_Read():
+Fix CVE-2016-10165, an out-of-bounds heap read in Type_MLU_Read():
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10165
 http://seclists.org/oss-sec/2016/q3/288
 https://bugzilla.redhat.com/show_bug.cgi?id=1367357
+https://security-tracker.debian.org/tracker/CVE-2016-10165
 
 Patch copied from upstream source repository:
 
diff --git a/gnu/packages/patches/libarchive-7zip-heap-overflow.patch b/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
deleted file mode 100644
index bef628f0a8..0000000000
--- a/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-Fix buffer overflow reading 7Zip files:
-
-https://github.com/libarchive/libarchive/issues/761
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/7f17c791dcfd8c0416e2cd2485b19410e47ef126
-
-From 7f17c791dcfd8c0416e2cd2485b19410e47ef126 Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 18 Sep 2016 18:14:58 -0700
-Subject: [PATCH] Issue 761:  Heap overflow reading corrupted 7Zip files
-
-The sample file that demonstrated this had multiple 'EmptyStream'
-attributes.  The first one ended up being used to calculate
-certain statistics, then was overwritten by the second which
-was incompatible with those statistics.
-
-The fix here is to reject any header with multiple EmptyStream
-attributes.  While here, also reject headers with multiple
-EmptyFile, AntiFile, Name, or Attributes markers.
----
- libarchive/archive_read_support_format_7zip.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
-index 1dfe52b..c0a536c 100644
---- a/libarchive/archive_read_support_format_7zip.c
-+++ b/libarchive/archive_read_support_format_7zip.c
-@@ -2431,6 +2431,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 
- 		switch (type) {
- 		case kEmptyStream:
-+			if (h->emptyStreamBools != NULL)
-+				return (-1);
- 			h->emptyStreamBools = calloc((size_t)zip->numFiles,
- 			    sizeof(*h->emptyStreamBools));
- 			if (h->emptyStreamBools == NULL)
-@@ -2451,6 +2453,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 					return (-1);
- 				break;
- 			}
-+			if (h->emptyFileBools != NULL)
-+				return (-1);
- 			h->emptyFileBools = calloc(empty_streams,
- 			    sizeof(*h->emptyFileBools));
- 			if (h->emptyFileBools == NULL)
-@@ -2465,6 +2469,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 					return (-1);
- 				break;
- 			}
-+			if (h->antiBools != NULL)
-+				return (-1);
- 			h->antiBools = calloc(empty_streams,
- 			    sizeof(*h->antiBools));
- 			if (h->antiBools == NULL)
-@@ -2491,6 +2497,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 			if ((ll & 1) || ll < zip->numFiles * 4)
- 				return (-1);
- 
-+			if (zip->entry_names != NULL)
-+				return (-1);
- 			zip->entry_names = malloc(ll);
- 			if (zip->entry_names == NULL)
- 				return (-1);
-@@ -2543,6 +2551,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 			if ((p = header_bytes(a, 2)) == NULL)
- 				return (-1);
- 			allAreDefined = *p;
-+			if (h->attrBools != NULL)
-+				return (-1);
- 			h->attrBools = calloc((size_t)zip->numFiles,
- 			    sizeof(*h->attrBools));
- 			if (h->attrBools == NULL)
--- 
-2.10.0
-
diff --git a/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch b/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
deleted file mode 100644
index bce63d5e4e..0000000000
--- a/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
+++ /dev/null
@@ -1,445 +0,0 @@
-This patch fixes two bugs that allow attackers to overwrite or change
-the permissions of arbitrary files:
-
-https://github.com/libarchive/libarchive/issues/745
-https://github.com/libarchive/libarchive/issues/746
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9
-
-From dfd6b54ce33960e420fb206d8872fb759b577ad9 Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 11 Sep 2016 13:21:57 -0700
-Subject: [PATCH] Fixes for Issue #745 and Issue #746 from Doran Moppert.
-
----
- libarchive/archive_write_disk_posix.c | 294 ++++++++++++++++++++++++++--------
- 1 file changed, 227 insertions(+), 67 deletions(-)
-
-diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
-index 8f0421e..abe1a86 100644
---- a/libarchive/archive_write_disk_posix.c
-+++ b/libarchive/archive_write_disk_posix.c
-@@ -326,12 +326,14 @@ struct archive_write_disk {
- 
- #define HFS_BLOCKS(s)	((s) >> 12)
- 
-+static int	check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
- static int	check_symlinks(struct archive_write_disk *);
- static int	create_filesystem_object(struct archive_write_disk *);
- static struct fixup_entry *current_fixup(struct archive_write_disk *, const char *pathname);
- #if defined(HAVE_FCHDIR) && defined(PATH_MAX)
- static void	edit_deep_directories(struct archive_write_disk *ad);
- #endif
-+static int	cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
- static int	cleanup_pathname(struct archive_write_disk *);
- static int	create_dir(struct archive_write_disk *, char *);
- static int	create_parent_dir(struct archive_write_disk *, char *);
-@@ -2014,6 +2016,10 @@ create_filesystem_object(struct archive_write_disk *a)
- 	const char *linkname;
- 	mode_t final_mode, mode;
- 	int r;
-+	/* these for check_symlinks_fsobj */
-+	char *linkname_copy;	/* non-const copy of linkname */
-+	struct archive_string error_string;
-+	int error_number;
- 
- 	/* We identify hard/symlinks according to the link names. */
- 	/* Since link(2) and symlink(2) don't handle modes, we're done here. */
-@@ -2022,6 +2028,27 @@ create_filesystem_object(struct archive_write_disk *a)
- #if !HAVE_LINK
- 		return (EPERM);
- #else
-+		archive_string_init(&error_string);
-+		linkname_copy = strdup(linkname);
-+		if (linkname_copy == NULL) {
-+		    return (EPERM);
-+		}
-+		/* TODO: consider using the cleaned-up path as the link target? */
-+		r = cleanup_pathname_fsobj(linkname_copy, &error_number, &error_string, a->flags);
-+		if (r != ARCHIVE_OK) {
-+			archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+			free(linkname_copy);
-+			/* EPERM is more appropriate than error_number for our callers */
-+			return (EPERM);
-+		}
-+		r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags);
-+		if (r != ARCHIVE_OK) {
-+			archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+			free(linkname_copy);
-+			/* EPERM is more appropriate than error_number for our callers */
-+			return (EPERM);
-+		}
-+		free(linkname_copy);
- 		r = link(linkname, a->name) ? errno : 0;
- 		/*
- 		 * New cpio and pax formats allow hardlink entries
-@@ -2362,115 +2389,228 @@ current_fixup(struct archive_write_disk *a, const char *pathname)
-  * recent paths.
-  */
- /* TODO: Extend this to support symlinks on Windows Vista and later. */
-+
-+/*
-+ * Checks the given path to see if any elements along it are symlinks.  Returns
-+ * ARCHIVE_OK if there are none, otherwise puts an error in errmsg.
-+ */
- static int
--check_symlinks(struct archive_write_disk *a)
-+check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags)
- {
- #if !defined(HAVE_LSTAT)
- 	/* Platform doesn't have lstat, so we can't look for symlinks. */
- 	(void)a; /* UNUSED */
-+	(void)path; /* UNUSED */
-+	(void)error_number; /* UNUSED */
-+	(void)error_string; /* UNUSED */
-+	(void)flags; /* UNUSED */
- 	return (ARCHIVE_OK);
- #else
--	char *pn;
-+	int res = ARCHIVE_OK;
-+	char *tail;
-+	char *head;
-+	int last;
- 	char c;
- 	int r;
- 	struct stat st;
-+	int restore_pwd;
-+
-+	/* Nothing to do here if name is empty */
-+	if(path[0] == '\0')
-+	    return (ARCHIVE_OK);
- 
- 	/*
- 	 * Guard against symlink tricks.  Reject any archive entry whose
- 	 * destination would be altered by a symlink.
-+	 *
-+	 * Walk the filename in chunks separated by '/'.  For each segment:
-+	 *  - if it doesn't exist, continue
-+	 *  - if it's symlink, abort or remove it
-+	 *  - if it's a directory and it's not the last chunk, cd into it
-+	 * As we go:
-+	 *  head points to the current (relative) path
-+	 *  tail points to the temporary \0 terminating the segment we're currently examining
-+	 *  c holds what used to be in *tail
-+	 *  last is 1 if this is the last tail
- 	 */
--	/* Whatever we checked last time doesn't need to be re-checked. */
--	pn = a->name;
--	if (archive_strlen(&(a->path_safe)) > 0) {
--		char *p = a->path_safe.s;
--		while ((*pn != '\0') && (*p == *pn))
--			++p, ++pn;
--	}
-+	restore_pwd = open(".", O_RDONLY | O_BINARY | O_CLOEXEC);
-+	__archive_ensure_cloexec_flag(restore_pwd);
-+	if (restore_pwd < 0)
-+		return (ARCHIVE_FATAL);
-+	head = path;
-+	tail = path;
-+	last = 0;
-+	/* TODO: reintroduce a safe cache here? */
- 	/* Skip the root directory if the path is absolute. */
--	if(pn == a->name && pn[0] == '/')
--		++pn;
--	c = pn[0];
--	/* Keep going until we've checked the entire name. */
--	while (pn[0] != '\0' && (pn[0] != '/' || pn[1] != '\0')) {
-+	if(tail == path && tail[0] == '/')
-+		++tail;
-+	/* Keep going until we've checked the entire name.
-+	 * head, tail, path all alias the same string, which is
-+	 * temporarily zeroed at tail, so be careful restoring the
-+	 * stashed (c=tail[0]) for error messages.
-+	 * Exiting the loop with break is okay; continue is not.
-+	 */
-+	while (!last) {
-+		/* Skip the separator we just consumed, plus any adjacent ones */
-+		while (*tail == '/')
-+		    ++tail;
- 		/* Skip the next path element. */
--		while (*pn != '\0' && *pn != '/')
--			++pn;
--		c = pn[0];
--		pn[0] = '\0';
-+		while (*tail != '\0' && *tail != '/')
-+			++tail;
-+		/* is this the last path component? */
-+		last = (tail[0] == '\0') || (tail[0] == '/' && tail[1] == '\0');
-+		/* temporarily truncate the string here */
-+		c = tail[0];
-+		tail[0] = '\0';
- 		/* Check that we haven't hit a symlink. */
--		r = lstat(a->name, &st);
-+		r = lstat(head, &st);
- 		if (r != 0) {
-+			tail[0] = c;
- 			/* We've hit a dir that doesn't exist; stop now. */
- 			if (errno == ENOENT) {
- 				break;
- 			} else {
--				/* Note: This effectively disables deep directory
-+				/* Treat any other error as fatal - best to be paranoid here
-+				 * Note: This effectively disables deep directory
- 				 * support when security checks are enabled.
- 				 * Otherwise, very long pathnames that trigger
- 				 * an error here could evade the sandbox.
- 				 * TODO: We could do better, but it would probably
- 				 * require merging the symlink checks with the
- 				 * deep-directory editing. */
--				return (ARCHIVE_FAILED);
-+				if (error_number) *error_number = errno;
-+				if (error_string)
-+					archive_string_sprintf(error_string,
-+							"Could not stat %s",
-+							path);
-+				res = ARCHIVE_FAILED;
-+				break;
-+			}
-+		} else if (S_ISDIR(st.st_mode)) {
-+			if (!last) {
-+				if (chdir(head) != 0) {
-+					tail[0] = c;
-+					if (error_number) *error_number = errno;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Could not chdir %s",
-+								path);
-+					res = (ARCHIVE_FATAL);
-+					break;
-+				}
-+				/* Our view is now from inside this dir: */
-+				head = tail + 1;
- 			}
- 		} else if (S_ISLNK(st.st_mode)) {
--			if (c == '\0') {
-+			if (last) {
- 				/*
- 				 * Last element is symlink; remove it
- 				 * so we can overwrite it with the
- 				 * item being extracted.
- 				 */
--				if (unlink(a->name)) {
--					archive_set_error(&a->archive, errno,
--					    "Could not remove symlink %s",
--					    a->name);
--					pn[0] = c;
--					return (ARCHIVE_FAILED);
-+				if (unlink(head)) {
-+					tail[0] = c;
-+					if (error_number) *error_number = errno;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Could not remove symlink %s",
-+								path);
-+					res = ARCHIVE_FAILED;
-+					break;
- 				}
--				a->pst = NULL;
- 				/*
- 				 * Even if we did remove it, a warning
- 				 * is in order.  The warning is silly,
- 				 * though, if we're just replacing one
- 				 * symlink with another symlink.
- 				 */
--				if (!S_ISLNK(a->mode)) {
--					archive_set_error(&a->archive, 0,
--					    "Removing symlink %s",
--					    a->name);
-+				tail[0] = c;
-+				/* FIXME:  not sure how important this is to restore
-+				if (!S_ISLNK(path)) {
-+					if (error_number) *error_number = 0;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Removing symlink %s",
-+								path);
- 				}
-+				*/
- 				/* Symlink gone.  No more problem! */
--				pn[0] = c;
--				return (0);
--			} else if (a->flags & ARCHIVE_EXTRACT_UNLINK) {
-+				res = ARCHIVE_OK;
-+				break;
-+			} else if (flags & ARCHIVE_EXTRACT_UNLINK) {
- 				/* User asked us to remove problems. */
--				if (unlink(a->name) != 0) {
--					archive_set_error(&a->archive, 0,
--					    "Cannot remove intervening symlink %s",
--					    a->name);
--					pn[0] = c;
--					return (ARCHIVE_FAILED);
-+				if (unlink(head) != 0) {
-+					tail[0] = c;
-+					if (error_number) *error_number = 0;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Cannot remove intervening symlink %s",
-+								path);
-+					res = ARCHIVE_FAILED;
-+					break;
- 				}
--				a->pst = NULL;
-+				tail[0] = c;
- 			} else {
--				archive_set_error(&a->archive, 0,
--				    "Cannot extract through symlink %s",
--				    a->name);
--				pn[0] = c;
--				return (ARCHIVE_FAILED);
-+				tail[0] = c;
-+				if (error_number) *error_number = 0;
-+				if (error_string)
-+					archive_string_sprintf(error_string,
-+							"Cannot extract through symlink %s",
-+							path);
-+				res = ARCHIVE_FAILED;
-+				break;
- 			}
- 		}
--		pn[0] = c;
--		if (pn[0] != '\0')
--			pn++; /* Advance to the next segment. */
-+		/* be sure to always maintain this */
-+		tail[0] = c;
-+		if (tail[0] != '\0')
-+			tail++; /* Advance to the next segment. */
- 	}
--	pn[0] = c;
--	/* We've checked and/or cleaned the whole path, so remember it. */
--	archive_strcpy(&a->path_safe, a->name);
--	return (ARCHIVE_OK);
-+	/* Catches loop exits via break */
-+	tail[0] = c;
-+#ifdef HAVE_FCHDIR
-+	/* If we changed directory above, restore it here. */
-+	if (restore_pwd >= 0) {
-+		r = fchdir(restore_pwd);
-+		if (r != 0) {
-+			if(error_number) *error_number = errno;
-+			if(error_string)
-+				archive_string_sprintf(error_string,
-+						"chdir() failure");
-+		}
-+		close(restore_pwd);
-+		restore_pwd = -1;
-+		if (r != 0) {
-+			res = (ARCHIVE_FATAL);
-+		}
-+	}
-+#endif
-+	/* TODO: reintroduce a safe cache here? */
-+	return res;
- #endif
- }
- 
-+/*
-+ * Check a->name for symlinks, returning ARCHIVE_OK if its clean, otherwise
-+ * calls archive_set_error and returns ARCHIVE_{FATAL,FAILED}
-+ */
-+static int
-+check_symlinks(struct archive_write_disk *a)
-+{
-+	struct archive_string error_string;
-+	int error_number;
-+	int rc;
-+	archive_string_init(&error_string);
-+	rc = check_symlinks_fsobj(a->name, &error_number, &error_string, a->flags);
-+	if (rc != ARCHIVE_OK) {
-+		archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+	}
-+	archive_string_free(&error_string);
-+	a->pst = NULL;	/* to be safe */
-+	return rc;
-+}
-+
-+
- #if defined(__CYGWIN__)
- /*
-  * 1. Convert a path separator from '\' to '/' .
-@@ -2544,15 +2684,17 @@ cleanup_pathname_win(struct archive_write_disk *a)
-  * is set) if the path is absolute.
-  */
- static int
--cleanup_pathname(struct archive_write_disk *a)
-+cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags)
- {
- 	char *dest, *src;
- 	char separator = '\0';
- 
--	dest = src = a->name;
-+	dest = src = path;
- 	if (*src == '\0') {
--		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
--		    "Invalid empty pathname");
-+		if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+		if (error_string)
-+		    archive_string_sprintf(error_string,
-+			    "Invalid empty pathname");
- 		return (ARCHIVE_FAILED);
- 	}
- 
-@@ -2561,9 +2703,11 @@ cleanup_pathname(struct archive_write_disk *a)
- #endif
- 	/* Skip leading '/'. */
- 	if (*src == '/') {
--		if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
--			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
--			                  "Path is absolute");
-+		if (flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
-+			if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+			if (error_string)
-+			    archive_string_sprintf(error_string,
-+				    "Path is absolute");
- 			return (ARCHIVE_FAILED);
- 		}
- 
-@@ -2590,10 +2734,11 @@ cleanup_pathname(struct archive_write_disk *a)
- 			} else if (src[1] == '.') {
- 				if (src[2] == '/' || src[2] == '\0') {
- 					/* Conditionally warn about '..' */
--					if (a->flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) {
--						archive_set_error(&a->archive,
--						    ARCHIVE_ERRNO_MISC,
--						    "Path contains '..'");
-+					if (flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) {
-+						if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+						if (error_string)
-+						    archive_string_sprintf(error_string,
-+							    "Path contains '..'");
- 						return (ARCHIVE_FAILED);
- 					}
- 				}
-@@ -2624,7 +2769,7 @@ cleanup_pathname(struct archive_write_disk *a)
- 	 * We've just copied zero or more path elements, not including the
- 	 * final '/'.
- 	 */
--	if (dest == a->name) {
-+	if (dest == path) {
- 		/*
- 		 * Nothing got copied.  The path must have been something
- 		 * like '.' or '/' or './' or '/././././/./'.
-@@ -2639,6 +2784,21 @@ cleanup_pathname(struct archive_write_disk *a)
- 	return (ARCHIVE_OK);
- }
- 
-+static int
-+cleanup_pathname(struct archive_write_disk *a)
-+{
-+	struct archive_string error_string;
-+	int error_number;
-+	int rc;
-+	archive_string_init(&error_string);
-+	rc = cleanup_pathname_fsobj(a->name, &error_number, &error_string, a->flags);
-+	if (rc != ARCHIVE_OK) {
-+		archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+	}
-+	archive_string_free(&error_string);
-+	return rc;
-+}
-+
- /*
-  * Create the parent directory of the specified path, assuming path
-  * is already in mutable storage.
diff --git a/gnu/packages/patches/libarchive-fix-symlink-check.patch b/gnu/packages/patches/libarchive-fix-symlink-check.patch
deleted file mode 100644
index f042c31a84..0000000000
--- a/gnu/packages/patches/libarchive-fix-symlink-check.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-Make sure to check for symlinks even if the pathname is very long:
-
-https://github.com/libarchive/libarchive/issues/744
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/1fa9c7bf90f0862036a99896b0501c381584451a
-
-From 1fa9c7bf90f0862036a99896b0501c381584451a Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 21 Aug 2016 17:11:45 -0700
-Subject: [PATCH] Issue #744 (part of Issue #743): Enforce sandbox with very
- long pathnames
-
-Because check_symlinks is handled separately from the deep-directory
-support, very long pathnames cause problems.  Previously, the code
-ignored most failures to lstat() a path component.  In particular,
-this led to check_symlinks always passing for very long paths, which
-in turn provides a way to evade the symlink checks in the sandboxing
-code.
-
-We now fail on unrecognized lstat() failures, which plugs this
-hole at the cost of disabling deep directory support when the
-user requests sandboxing.
-
-TODO:  This probably cannot be completely fixed without
-entirely reimplementing the deep directory support to
-integrate the symlink checks.  I want to reimplement the
-deep directory hanlding someday anyway; openat() and
-related system calls now provide a much cleaner way to
-handle deep directories than the chdir approach used by this
-code.
----
- libarchive/archive_write_disk_posix.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
-index 39ee3b6..8f0421e 100644
---- a/libarchive/archive_write_disk_posix.c
-+++ b/libarchive/archive_write_disk_posix.c
-@@ -2401,8 +2401,18 @@ check_symlinks(struct archive_write_disk *a)
- 		r = lstat(a->name, &st);
- 		if (r != 0) {
- 			/* We've hit a dir that doesn't exist; stop now. */
--			if (errno == ENOENT)
-+			if (errno == ENOENT) {
- 				break;
-+			} else {
-+				/* Note: This effectively disables deep directory
-+				 * support when security checks are enabled.
-+				 * Otherwise, very long pathnames that trigger
-+				 * an error here could evade the sandbox.
-+				 * TODO: We could do better, but it would probably
-+				 * require merging the symlink checks with the
-+				 * deep-directory editing. */
-+				return (ARCHIVE_FAILED);
-+			}
- 		} else if (S_ISLNK(st.st_mode)) {
- 			if (c == '\0') {
- 				/*
diff --git a/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch b/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch
deleted file mode 100644
index 0e70ac90ce..0000000000
--- a/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Fixes this buffer overflow:
-https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
-
-Patch copied from upstream source repository:
-https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
-
-From e37b620fe8f14535d737e89a4dcabaed4517bf1a Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 21 Aug 2016 10:51:43 -0700
-Subject: [PATCH] Issue #767:  Buffer overflow printing a filename
-
-The safe_fprintf function attempts to ensure clean output for an
-arbitrary sequence of bytes by doing a trial conversion of the
-multibyte characters to wide characters -- if the resulting wide
-character is printable then we pass through the corresponding bytes
-unaltered, otherwise, we convert them to C-style ASCII escapes.
-
-The stack trace in Issue #767 suggest that the 20-byte buffer
-was getting overflowed trying to format a non-printable multibyte
-character.  This should only happen if there is a valid multibyte
-character of more than 5 bytes that was unprintable.  (Each byte
-would get expanded to a four-charcter octal-style escape of the form
-"\123" resulting in >20 characters for the >5 byte multibyte character.)
-
-I've not been able to reproduce this, but have expanded the conversion
-buffer to 128 bytes on the belief that no multibyte character set
-has a single character of more than 32 bytes.
----
- tar/util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tar/util.c b/tar/util.c
-index 9ff22f2..2b4aebe 100644
---- a/tar/util.c
-+++ b/tar/util.c
-@@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...)
- 		}
- 
- 		/* If our output buffer is full, dump it and keep going. */
--		if (i > (sizeof(outbuff) - 20)) {
-+		if (i > (sizeof(outbuff) - 128)) {
- 			outbuff[i] = '\0';
- 			fprintf(f, "%s", outbuff);
- 			i = 0;
diff --git a/gnu/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch b/gnu/packages/patches/libevent-2.0-CVE-2016-10195.patch
index f1907d53e2..bffe2c454c 100644
--- a/gnu/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch
+++ b/gnu/packages/patches/libevent-2.0-CVE-2016-10195.patch
@@ -1,7 +1,6 @@
-Fix buffer overread in libevents DNS code.
-
-Upstream bug report:
+Fix CVE-2016-10195 (buffer overread in libevent's DNS code):
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10195
 https://github.com/libevent/libevent/issues/317
 
 Patch copied from upstream source repository:
diff --git a/gnu/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch b/gnu/packages/patches/libevent-2.0-CVE-2016-10196.patch
index 4d16a4b917..03f96e938b 100644
--- a/gnu/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch
+++ b/gnu/packages/patches/libevent-2.0-CVE-2016-10196.patch
@@ -1,7 +1,6 @@
-Fix buffer overflow in evutil.
-
-Upstream bug report:
+Fix CVE-2016-10196 (buffer overflow in evutil):
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10196
 https://github.com/libevent/libevent/issues/318
 
 Patch copied from upstream source repository:
diff --git a/gnu/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch b/gnu/packages/patches/libevent-2.0-CVE-2016-10197.patch
index c4ad0a1a4a..c62a328627 100644
--- a/gnu/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch
+++ b/gnu/packages/patches/libevent-2.0-CVE-2016-10197.patch
@@ -1,7 +1,6 @@
-Fix OOB read on empty hostnames in evdns.
-
-Upstream bug report:
+Fix CVE-2016-10197 (out of bounds read on empty hostnames in evdns):
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10197
 https://github.com/libevent/libevent/issues/332
 
 Patch copied from upstream source repository:
diff --git a/gnu/packages/patches/libpng-CVE-2016-10087.patch b/gnu/packages/patches/libpng-CVE-2016-10087.patch
deleted file mode 100644
index 8093b3e448..0000000000
--- a/gnu/packages/patches/libpng-CVE-2016-10087.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Fix CVE-2016-10087, a null pointer dereference in png_set_text_2():
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087
-http://seclists.org/oss-sec/2016/q4/777
-
-Patch adapted from upstream source repository:
-
-https://sourceforge.net/p/libpng/code/ci/812768d7a9c973452222d454634496b25ed415eb/
-
-From 812768d7a9c973452222d454634496b25ed415eb Mon Sep 17 00:00:00 2001
-From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
-Date: Thu, 29 Dec 2016 07:51:33 -0600
-Subject: [PATCH] [libpng16] Fixed a potential null pointer dereference in
- png_set_text_2()
-
-(bug report and patch by Patrick Keshishian).
----
- ANNOUNCE | 2 ++
- CHANGES  | 2 ++
- png.c    | 1 +
- 3 files changed, 5 insertions(+)
-
-diff --git a/png.c b/png.c
-index 8afc28fc2..2e05de159 100644
---- a/png.c
-+++ b/png.c
-@@ -477,6 +477,7 @@ png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
-          png_free(png_ptr, info_ptr->text);
-          info_ptr->text = NULL;
-          info_ptr->num_text = 0;
-+         info_ptr->max_text = 0;
-       }
-    }
- #endif
--- 
-2.11.0
-
diff --git a/gnu/packages/patches/pcre-CVE-2016-3191.patch b/gnu/packages/patches/pcre-CVE-2016-3191.patch
deleted file mode 100644
index 89cce2a36f..0000000000
--- a/gnu/packages/patches/pcre-CVE-2016-3191.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-Fix for CVE-2016-3191.
-See <https://bugzilla.redhat.com/show_bug.cgi?id=1311503>.
-This is svn r1631 at <svn://vcs.exim.org/pcre/code>.
-
-Index: trunk/testdata/testoutput11-16
-===================================================================
---- trunk/testdata/testoutput11-16	(revision 1630)
-+++ trunk/testdata/testoutput11-16	(revision 1631)
-@@ -765,4 +765,7 @@
-  25     End
- ------------------------------------------------------------------
- 
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: regular expression is too complicated at offset 490
-+
- /-- End of testinput11 --/
-Index: trunk/testdata/testinput11
-===================================================================
---- trunk/testdata/testinput11	(revision 1630)
-+++ trunk/testdata/testinput11	(revision 1631)
-@@ -138,4 +138,6 @@
- 
- /.((?2)(?R)\1)()/B
- 
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+
- /-- End of testinput11 --/
-Index: trunk/testdata/testoutput11-8
-===================================================================
---- trunk/testdata/testoutput11-8	(revision 1630)
-+++ trunk/testdata/testoutput11-8	(revision 1631)
-@@ -765,4 +765,7 @@
-  38     End
- ------------------------------------------------------------------
- 
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: missing ) at offset 509
-+
- /-- End of testinput11 --/
-Index: trunk/testdata/testoutput11-32
-===================================================================
---- trunk/testdata/testoutput11-32	(revision 1630)
-+++ trunk/testdata/testoutput11-32	(revision 1631)
-@@ -765,4 +765,7 @@
-  25     End
- ------------------------------------------------------------------
- 
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: missing ) at offset 509
-+
- /-- End of testinput11 --/
-Index: trunk/pcre_internal.h
-===================================================================
---- trunk/pcre_internal.h	(revision 1630)
-+++ trunk/pcre_internal.h	(revision 1631)
-@@ -7,7 +7,7 @@
- and semantics are as close as possible to those of the Perl 5 language.
- 
-                        Written by Philip Hazel
--           Copyright (c) 1997-2014 University of Cambridge
-+           Copyright (c) 1997-2016 University of Cambridge
- 
- -----------------------------------------------------------------------------
- Redistribution and use in source and binary forms, with or without
-@@ -2289,7 +2289,7 @@
-        ERR50, ERR51, ERR52, ERR53, ERR54, ERR55, ERR56, ERR57, ERR58, ERR59,
-        ERR60, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69,
-        ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR78, ERR79,
--       ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERRCOUNT };
-+       ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERR87, ERRCOUNT };
- 
- /* JIT compiling modes. The function list is indexed by them. */
- 
-Index: trunk/pcre_compile.c
-===================================================================
---- trunk/pcre_compile.c	(revision 1630)
-+++ trunk/pcre_compile.c	(revision 1631)
-@@ -6,7 +6,7 @@
- and semantics are as close as possible to those of the Perl 5 language.
- 
-                        Written by Philip Hazel
--           Copyright (c) 1997-2014 University of Cambridge
-+           Copyright (c) 1997-2016 University of Cambridge
- 
- -----------------------------------------------------------------------------
- Redistribution and use in source and binary forms, with or without
-@@ -560,6 +560,7 @@
-   /* 85 */
-   "parentheses are too deeply nested (stack check)\0"
-   "digits missing in \\x{} or \\o{}\0"
-+  "regular expression is too complicated\0"
-   ;
- 
- /* Table to identify digits and hex digits. This is used when compiling
-@@ -4591,7 +4592,8 @@
-     if (code > cd->start_workspace + cd->workspace_size -
-         WORK_SIZE_SAFETY_MARGIN)                       /* Check for overrun */
-       {
--      *errorcodeptr = ERR52;
-+      *errorcodeptr = (code >= cd->start_workspace + cd->workspace_size)?
-+        ERR52 : ERR87;
-       goto FAILED;
-       }
- 
-@@ -6626,8 +6628,21 @@
-             cd->had_accept = TRUE;
-             for (oc = cd->open_caps; oc != NULL; oc = oc->next)
-               {
--              *code++ = OP_CLOSE;
--              PUT2INC(code, 0, oc->number);
-+              if (lengthptr != NULL)
-+                {
-+#ifdef COMPILE_PCRE8
-+                *lengthptr += 1 + IMM2_SIZE;
-+#elif defined COMPILE_PCRE16
-+                *lengthptr += 2 + IMM2_SIZE;
-+#elif defined COMPILE_PCRE32
-+                *lengthptr += 4 + IMM2_SIZE;
-+#endif
-+                }
-+              else
-+                {
-+                *code++ = OP_CLOSE;
-+                PUT2INC(code, 0, oc->number);
-+                }
-               }
-             setverb = *code++ =
-               (cd->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT;
-Index: trunk/pcreposix.c
-===================================================================
---- trunk/pcreposix.c	(revision 1630)
-+++ trunk/pcreposix.c	(revision 1631)
-@@ -6,7 +6,7 @@
- and semantics are as close as possible to those of the Perl 5 language.
- 
-                        Written by Philip Hazel
--           Copyright (c) 1997-2014 University of Cambridge
-+           Copyright (c) 1997-2016 University of Cambridge
- 
- -----------------------------------------------------------------------------
- Redistribution and use in source and binary forms, with or without
-@@ -173,7 +173,8 @@
-   REG_BADPAT,  /* group name must start with a non-digit */
-   /* 85 */
-   REG_BADPAT,  /* parentheses too deeply nested (stack check) */
--  REG_BADPAT   /* missing digits in \x{} or \o{} */
-+  REG_BADPAT,  /* missing digits in \x{} or \o{} */
-+  REG_BADPAT   /* pattern too complicated */
- };
- 
- /* Table of texts corresponding to POSIX error codes */
diff --git a/gnu/packages/patches/sed-hurd-path-max.patch b/gnu/packages/patches/sed-hurd-path-max.patch
deleted file mode 100644
index 5226cba4cb..0000000000
--- a/gnu/packages/patches/sed-hurd-path-max.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-7bb8d35d0330161a5af5341471d0c183a067e8c2
-Author: Jose E. Marchesi <jemarch@gnu.org>
-Date:   Sun Oct 6 14:43:38 2013 +0200
-
-    Set PATH_MAX to some constant in case it is not defined in system
-    headers.
-    
-    2013-10-06  Jose E. Marchesi  <jemarch@gnu.org>
-    
-    	* basicdefs.h (PATH_MAX): Defined to some constant in case it is
-    	not defined by system headers.
-    	* sed/utils.c: Do not include pathmax.h anymore.
-    	* bootstrap.conf (gnulib_modules): Do not use the gnulib module
-    	pathmax.
-
-diff --git a/basicdefs.h b/basicdefs.h
-index 0d28a97..09f5beb 100644
---- a/basicdefs.h
-+++ b/basicdefs.h
-@@ -40,6 +41,13 @@ typedef unsigned long countT;
- #define obstack_chunk_alloc  ck_malloc
- #define obstack_chunk_free   free
- 
-+/* MAX_PATH is not defined in some platforms, most notably GNU/Hurd.
-+   In that case we define it here to some constant.  Note however that
-+   this relies in the fact that sed does reallocation if a buffer
-+   needs to be larger than PATH_MAX.  */
-+#ifndef PATH_MAX
-+# define PATH_MAX 200
-+#endif
- 
- /* handle misdesigned <ctype.h> macros (snarfed from lib/regex.c) */
- /* Jim Meyering writes:
- 
diff --git a/gnu/packages/patches/tar-CVE-2016-6321.patch b/gnu/packages/patches/tar-CVE-2016-6321.patch
new file mode 100644
index 0000000000..b79be9bc94
--- /dev/null
+++ b/gnu/packages/patches/tar-CVE-2016-6321.patch
@@ -0,0 +1,51 @@
+Fix CVE-2016-6321:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
+https://security-tracker.debian.org/tracker/CVE-2016-6321
+
+Patch adapted from upstream source repository (the changes to 'NEWS'
+don't apply to the Tar 1.29 release tarball).
+
+http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
+
+From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
+Date: Sat, 29 Oct 2016 21:04:40 -0700
+Subject: [PATCH] When extracting, skip ".." members
+
+* NEWS: Document this.
+* src/extract.c (extract_archive): Skip members whose names
+contain "..".
+---
+ NEWS          | 8 +++++++-
+ src/extract.c | 8 ++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/extract.c b/src/extract.c
+index f982433..7904148 100644
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+ {
+   char typeflag;
+   tar_extractor_t fun;
++  bool skip_dotdot_name;
+ 
+   fatal_exit_hook = extract_finish;
+ 
+   set_next_block_after (current_header);
+ 
++  skip_dotdot_name = (!absolute_names_option
++		      && contains_dot_dot (current_stat_info.orig_file_name));
++  if (skip_dotdot_name)
++    ERROR ((0, 0, _("%s: Member name contains '..'"),
++	    quotearg_colon (current_stat_info.orig_file_name)));
++
+   if (!current_stat_info.file_name[0]
++      || skip_dotdot_name
+       || (interactive_option
+ 	  && !confirm ("extract", current_stat_info.file_name)))
+     {
+-- 
+2.11.0
+
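Review bot: The guard added to extract_archive is conditional on `!absolute_names_option`, so when that option is set, members whose names contain '..' are still extracted, and the patch's header text does not mention this limit. A header sentence such as `Members whose names contain ".." are skipped unless absolute names were requested.` would tell packagers what the fix covers. The embedded diffstat still lists NEWS and "2 files changed" although only the src/extract.c hunk is carried; the introductory paragraph explains why, so that can stay. extract_archive continues past the end of the embedded hunk.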
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index fe9157af12..9ca950b967 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -31,7 +31,7 @@
 (define-public pcre
   (package
    (name "pcre")
-   (version "8.38")
+   (version "8.40")
    (source (origin
             (method url-fetch)
             (uri (list
@@ -42,8 +42,7 @@
                                  version "/pcre-" version ".tar.bz2")))
             (sha256
              (base32
-              "1pvra19ljkr5ky35y2iywjnsckrs9ch2anrf5b0dc91hw8v2vq5r"))
-            (patches (list (search-patch "pcre-CVE-2016-3191.patch")))))
+              "1x7lpjn7jhk0n3sdvggxrlrhab8kkfjwl7qix0ypw9nlx8lpmqh0"))))
    (build-system gnu-build-system)
    (outputs '("out"           ;library & headers
               "bin"           ;depends on Readline (adds 20MiB to the closure)
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 2ea48e5999..d449b72eef 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -481,7 +481,6 @@ extracting content or merging files.")
 (define-public mupdf
   (package
     (name "mupdf")
-    (replacement mupdf/fixed)
     (version "1.10a")
     (source
       (origin
@@ -491,7 +490,9 @@ extracting content or merging files.")
         (sha256
          (base32
           "0dm8wcs8i29aibzkqkrn8kcnk4q0kd1v66pg48h5c3qqp4v1zk5a"))
-        (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"))
+        (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
+                                 "mupdf-mujs-CVE-2016-10132.patch"
+                                 "mupdf-mujs-CVE-2016-10133.patch"))
         (modules '((guix build utils)))
         (snippet
             ;; Delete all the bundled libraries except for mujs, which is
@@ -540,18 +541,6 @@ line tools for batch rendering (pdfdraw), rewriting files (pdfclean),
 and examining the file structure (pdfshow).")
     (license license:agpl3+)))
 
-(define mupdf/fixed
-  (package
-    (inherit mupdf)
-    (source
-      (origin
-        (inherit (package-source mupdf))
-        (patches
-          (append
-            (origin-patches (package-source mupdf))
-            (search-patches "mupdf-mujs-CVE-2016-10132.patch"
-                            "mupdf-mujs-CVE-2016-10133.patch")))))))
-
 (define-public qpdf
   (package
    (name "qpdf")
diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm
index a84ff43d77..16b098517a 100644
--- a/gnu/packages/php.scm
+++ b/gnu/packages/php.scm
@@ -309,7 +309,7 @@
        ("pcre" ,pcre)
        ("postgresql" ,postgresql)
        ("readline" ,readline)
-       ("sqlite" ,sqlite-3.15.1)
+       ("sqlite" ,sqlite)
        ("tidy" ,tidy)
        ("zip" ,zip)
        ("zlib" ,zlib)))
diff --git a/gnu/packages/pkg-config.scm b/gnu/packages/pkg-config.scm
index d7cc454e03..01069d27a5 100644
--- a/gnu/packages/pkg-config.scm
+++ b/gnu/packages/pkg-config.scm
@@ -30,7 +30,7 @@
 (define-public %pkg-config
   (package
    (name "pkg-config")
-   (version "0.29")
+   (version "0.29.1")
    (source (origin
             (method url-fetch)
             (uri (list
@@ -46,14 +46,14 @@
                    version ".tar.gz")))
             (sha256
              (base32
-              "0sq09a39wj4cxf8l2jvkq067g08ywfma4v6nhprnf351s82pfl68"))))
+              "00dh1jn8rbppmgbhhgqhmbh3c58b0gccy39rsjdlcma50sg3rd5y"))))
    (build-system gnu-build-system)
    (arguments `(#:configure-flags '("--with-internal-glib")))
    (native-search-paths
     (list (search-path-specification
            (variable "PKG_CONFIG_PATH")
            (files '("lib/pkgconfig" "lib64/pkgconfig" "share/pkgconfig")))))
-   (home-page "http://www.freedesktop.org/wiki/Software/pkg-config")
+   (home-page "https://www.freedesktop.org/wiki/Software/pkg-config")
    (license gpl2+)
    (synopsis "Helper tool used when compiling applications and libraries")
    (description
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 432298472a..684c7fbbe7 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -169,6 +169,7 @@
        (list "--enable-shared"                    ;allow embedding
              "--with-system-ffi"                  ;build ctypes
              "--with-ensurepip=install"           ;install pip and setuptools
+             "--enable-unicode=ucs4"
              (string-append "LDFLAGS=-Wl,-rpath="
                             (assoc-ref %outputs "out") "/lib"))
 
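Review bot: `"--enable-unicode=ucs4"` is the only entry in this flag list without a trailing comment saying why it is there, while the neighbouring flags each carry one. Something like `"--enable-unicode=ucs4"              ;4-byte Unicode strings` would keep the list self-explanatory. If a Python 3 variant inherits these configure flags (not visible in this hunk), its configure script may not recognise the option, so it is worth confirming where the flag is meant to apply. The enclosing argument list starts and ends outside the hunk.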
diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm
index 5aada54340..cc3968f9bf 100644
--- a/gnu/packages/shells.scm
+++ b/gnu/packages/shells.scm
@@ -218,7 +218,6 @@ written by Paul Haahr and Byron Rakitzis.")
 (define-public tcsh
   (package
     (name "tcsh")
-    (replacement tcsh/fixed)
     (version "6.18.01")
     (source (origin
               (method url-fetch)
@@ -231,7 +230,8 @@ written by Paul Haahr and Byron Rakitzis.")
                (base32
                 "1a4z9kwgx1iqqzvv64si34m60gj34p7lp6rrcrb59s7ka5wa476q"))
               (patches (search-patches "tcsh-fix-autotest.patch"
-                                       "tcsh-do-not-define-BSDWAIT.patch"))
+                                       "tcsh-do-not-define-BSDWAIT.patch"
+                                       "tcsh-fix-out-of-bounds-read.patch"))
               (patch-flags '("-p0"))))
     (build-system gnu-build-system)
     (inputs
@@ -276,15 +276,6 @@ command-line editor, programmable word completion, spelling correction, a
 history mechanism, job control and a C-like syntax.")
     (license bsd-4)))
 
-(define tcsh/fixed
-  (package
-    (inherit tcsh)
-    (name "tcsh")
-    (source (origin
-              (inherit (package-source tcsh))
-              (patches (cons (search-patch "tcsh-fix-out-of-bounds-read.patch")
-                             (origin-patches (package-source tcsh))))))))
-
 (define-public zsh
   (package
     (name "zsh")
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 9d1d9cc0a9..c48e3e6f90 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -85,7 +85,7 @@ remote applications.")
 (define-public libssh2
   (package
    (name "libssh2")
-   (version "1.7.0")
+   (version "1.8.0")
    (source (origin
             (method url-fetch)
             (uri (string-append
@@ -93,7 +93,7 @@ remote applications.")
                    version ".tar.gz"))
             (sha256
              (base32
-              "116mh112w48vv9k3f15ggp5kxw5sj4b88dzb5j69llsh7ba1ymp4"))))
+              "1m3n8spv79qhjq4yi0wgly5s5rc8783jb1pyra9bkx1md0plxwrr"))))
    (build-system gnu-build-system)
    ;; The installed libssh2.pc file does not include paths to libgcrypt and
    ;; zlib libraries, so we need to propagate the inputs.
diff --git a/gnu/packages/tcl.scm b/gnu/packages/tcl.scm
index 4cd94299df..f9a23c3230 100644
--- a/gnu/packages/tcl.scm
+++ b/gnu/packages/tcl.scm
@@ -37,14 +37,14 @@
 (define-public tcl
   (package
     (name "tcl")
-    (version "8.6.4")
+    (version "8.6.6")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/tcl/Tcl/"
                                   version "/tcl" version "-src.tar.gz"))
               (sha256
                (base32
-                "13cwa4bc85ylf5gfj9vk182lvgy60qni3f7gbxghq78wk16djvly"))
+                "01zypqhy57wvh1ikk28bg733sk5kf4q568pq9v6fvcz4h6bl0rd2"))
               (patches (search-patches "tcl-mkindex-deterministic.patch"))))
     (build-system gnu-build-system)
     (arguments
@@ -135,14 +135,14 @@ X11 GUIs.")
 (define-public tk
   (package
     (name "tk")
-    (version "8.6.4")
+    (version "8.6.6")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/tcl/Tcl/"
                                  version "/tk" version "-src.tar.gz"))
              (sha256
               (base32
-               "1h96vp15zl5xz0d4qp6wjyrchqmrmdm3q5k22wkw9jaxbvw9vy88"))
+               "17diivcfcwdhp4v5zi6j9nkxncccjqkivhp363c4wx5lf4d3fb6n"))
              (patches (search-patches "tk-find-library.patch"))))
     (build-system gnu-build-system)
     (arguments
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index c24c8e7387..2fbcabd8fa 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -140,8 +140,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
-    (version "3.5.4")
-    (replacement gnutls-3.5.8)
+    (version "3.5.8")
     (source (origin
              (method url-fetch)
              (uri
@@ -152,7 +151,7 @@ living in the same process.")
                              "/gnutls-" version ".tar.xz"))
              (sha256
               (base32
-               "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f"))))
+               "1zyl2z63s68hx1dpxqx0lykmlf3rwrzlrf44sq3h7dvjmr1z55qf"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
@@ -195,8 +194,7 @@ living in the same process.")
        ("pkg-config" ,pkg-config)
        ("which" ,which)))
     (inputs
-     `(("guile" ,guile-2.0)
-       ("perl" ,perl)))
+     `(("guile" ,guile-2.0)))
     (propagated-inputs
      ;; These are all in the 'Requires.private' field of gnutls.pc.
      `(("libtasn1" ,libtasn1)
@@ -214,32 +212,18 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
-(define gnutls-3.5.8                              ;fixes GNUTLS-SA-2017-{1,2}
-  (package
-    (inherit gnutls)
-    (version "3.5.8")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnupg/gnutls/v"
-                                  (version-major+minor version)
-                                  "/gnutls-" version ".tar.xz"))
-              (sha256
-               (base32
-                "1zyl2z63s68hx1dpxqx0lykmlf3rwrzlrf44sq3h7dvjmr1z55qf"))))
-    (replacement #f)))
-
 (define-public gnutls/guile-2.2
   ;; GnuTLS for Guile 2.2.  This is supported by GnuTLS >= 3.5.5.
   (package
-    (inherit gnutls-3.5.8)
+    (inherit gnutls)
     (name "guile2.2-gnutls")
     (arguments
      ;; Remove '--with-guile-site-dir=…/2.0'.
-     (substitute-keyword-arguments (package-arguments gnutls-3.5.8)
+     (substitute-keyword-arguments (package-arguments gnutls)
        ((#:configure-flags flags)
         `(cdr ,flags))))
     (inputs `(("guile" ,guile-next)
-              ,@(alist-delete "guile" (package-inputs gnutls-3.5.8))))))
+              ,@(alist-delete "guile" (package-inputs gnutls))))))
 
 (define-public openssl
   (package
@@ -325,7 +309,6 @@ required structures.")
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
-              (mkdir-p slib)
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
@@ -352,7 +335,7 @@ required structures.")
            (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
              (substitute* (find-files "test" ".*")
                (("/bin/sh")
-                (string-append bash "/bin/bash"))
+                (string-append bash "/bin/sh"))
                (("/bin/rm")
                 "rm"))
              #t)))
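Review bot: The replacement text `(string-append bash "/bin/sh")` now depends on the "bash" input installing a `bin/sh` entry, which this hunk cannot show. If that input ever lacks it, the rewritten test scripts would name an interpreter that does not exist. A short comment above the clause, e.g. `;; The "bash" input is expected to provide bin/sh.`, would record the assumption next to the code that relies on it. The surrounding phase begins before the hunk.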
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 5c371b0ba0..9cbd492208 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -288,10 +288,10 @@ as well as the classic centralized workflow.")
    (native-search-paths
     ;; For HTTPS access, Git needs a single-file certificate bundle, specified
     ;; with $GIT_SSL_CAINFO.
-    ;; FIXME: This variable designates a single file; it is not a search path.
     (list (search-path-specification
            (variable "GIT_SSL_CAINFO")
            (file-type 'regular)
+           (separator #f)                         ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))
           (search-path-specification
            (variable "GIT_EXEC_PATH")
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index b91471690f..7636fafd6a 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -8,7 +8,7 @@
 ;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2015 Raimon Grau <raimonster@gmail.com>
 ;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org>
-;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
@@ -74,12 +74,13 @@ things the parser might find in the XML document (like start tags).")
 (define-public libxml2
   (package
     (name "libxml2")
-    (replacement libxml2/fixed)
     (version "2.9.4")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
                                  version ".tar.gz"))
+             (patches (search-patches "libxml2-CVE-2016-4658.patch"
+                                      "libxml2-CVE-2016-5131.patch"))
              (sha256
               (base32
                "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz"))))
@@ -102,19 +103,9 @@ things the parser might find in the XML document (like start tags).")
 project (but it is usable outside of the Gnome platform).")
     (license license:x11)))
 
-(define libxml2/fixed
-  (package
-    (inherit libxml2)
-    (source
-      (origin
-        (inherit (package-source libxml2))
-        (patches (search-patches "libxml2-CVE-2016-4658.patch"
-                                 "libxml2-CVE-2016-5131.patch"))))))
-
 (define-public python-libxml2
   (package (inherit libxml2)
     (name "python-libxml2")
-    (replacement #f)
     (build-system python-build-system)
     (arguments
      `(;; XXX: Tests are specified in 'Makefile.am', but not in 'setup.py'.
@@ -144,12 +135,12 @@ project (but it is usable outside of the Gnome platform).")
 (define-public libxslt
   (package
     (name "libxslt")
-    (replacement libxslt/fixed)
     (version "1.1.29")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxslt/libxslt-"
                                  version ".tar.gz"))
+             (patches (search-patches "libxslt-CVE-2016-4738.patch"))
              (sha256
               (base32
                "1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm"))
@@ -166,14 +157,6 @@ project (but it is usable outside of the Gnome platform).")
 based on libxml for XML parsing, tree manipulation and XPath support.")
     (license license:x11)))
 
-(define libxslt/fixed
-  (package
-    (inherit libxslt)
-    (name "libxslt")
-    (source (origin
-              (inherit (package-source libxslt))
-              (patches (search-patches "libxslt-CVE-2016-4738.patch"))))))
-
 (define-public perl-graph-readwrite
   (package
     (name "perl-graph-readwrite")
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 911621a93c..53c13aeff7 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -3729,7 +3729,7 @@ extension to the X11 protocol.  It includes:
 (define-public xkeyboard-config
   (package
     (name "xkeyboard-config")
-    (version "2.18")
+    (version "2.19")
     (source
       (origin
         (method url-fetch)
@@ -3739,7 +3739,7 @@ extension to the X11 protocol.  It includes:
               ".tar.bz2"))
         (sha256
           (base32
-            "1l6x2w357ja8vm94ns79s7yj9a5dlr01r9dxrjvzwncadiyr27f4"))))
+            "09sqyi430bbg13pp8j0j60p9p9xn2lpqx38xw1lyv77bp63d3pw3"))))
     (build-system gnu-build-system)
     (inputs
       `(("gettext" ,gettext-minimal)
@@ -4649,7 +4649,7 @@ script around the mkfontscale program.")
 (define-public xproto
   (package
     (name "xproto")
-    (version "7.0.29")
+    (version "7.0.31")
     (source
       (origin
         (method url-fetch)
@@ -4659,7 +4659,7 @@ script around the mkfontscale program.")
                ".tar.bz2"))
         (sha256
           (base32
-            "12lzpa9mrzkyrhrphzpi1014np3328qg7mdq08wj6wyaj9q4f6kc"))))
+            "0ivpxz0rx2a7nahkpkhfgymz7j0pwzaqvyqpdgw9afmxl1yp9yf6"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("util-macros" ,util-macros))) ; to get util-macros in (almost?) all package inputs