Diffstat (limited to 'gnu/packages')
-rw-r--r-- | gnu/packages/curl.scm | 63 | ||||
-rw-r--r-- | gnu/packages/fontutils.scm | 73 | ||||
-rw-r--r-- | gnu/packages/ghostscript.scm | 4 | ||||
-rw-r--r-- | gnu/packages/glib.scm | 40 | ||||
-rw-r--r-- | gnu/packages/gnuzilla.scm | 4 | ||||
-rw-r--r-- | gnu/packages/gtk.scm | 13 | ||||
-rw-r--r-- | gnu/packages/image.scm | 17 | ||||
-rw-r--r-- | gnu/packages/node.scm | 22 | ||||
-rw-r--r-- | gnu/packages/openldap.scm | 49 | ||||
-rw-r--r-- | gnu/packages/package-management.scm | 2 | ||||
-rw-r--r-- | gnu/packages/patches/ghostscript-CVE-2020-15900.patch | 36 | ||||
-rw-r--r-- | gnu/packages/patches/ghostscript-freetype-compat.patch | 35 | ||||
-rw-r--r-- | gnu/packages/patches/libssh2-CVE-2019-17498.patch | 126 | ||||
-rw-r--r-- | gnu/packages/patches/python-CVE-2020-26116.patch | 47 | ||||
-rw-r--r-- | gnu/packages/python.scm | 1 | ||||
-rw-r--r-- | gnu/packages/ssh.scm | 5 | ||||
-rw-r--r-- | gnu/packages/tls.scm | 76 | ||||
-rw-r--r-- | gnu/packages/vpn.scm | 4 | ||||
-rw-r--r-- | gnu/packages/web.scm | 32 | ||||
-rw-r--r-- | gnu/packages/xorg.scm | 20 |
20 files changed, 357 insertions, 312 deletions
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 33a2188d70..a09210bf04 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -2,7 +2,7 @@ ;;; Copyright © 2013, 2014, 2015 Andreas Enge <andreas@enge.fr> ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2015 Tomáš Čech <sleep_walker@suse.cz> -;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2015, 2020 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2016, 2017, 2019 Leo Famulari <leo@famulari.name> ;;; Copyright © 2017, 2019, 2020 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il> @@ -53,16 +53,15 @@ (define-public curl (package (name "curl") - (version "7.69.1") - (replacement curl-7.74.0) + (version "7.74.0") (source (origin - (method url-fetch) - (uri (string-append "https://curl.haxx.se/download/curl-" - version ".tar.xz")) - (sha256 - (base32 - "0kwxh76iq9fblk7iyv4f75bmcmasarp2bcm1mm07wyvzd7kdbiq3")) - (patches (search-patches "curl-use-ssl-cert-env.patch")))) + (method url-fetch) + (uri (string-append "https://curl.haxx.se/download/curl-" + version ".tar.xz")) + (sha256 + (base32 + "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr")) + (patches (search-patches "curl-use-ssl-cert-env.patch")))) (build-system gnu-build-system) (outputs '("out" "doc")) ;1.2 MiB of man3 pages @@ -126,25 +125,6 @@ (substitute* "tests/runtests.pl" (("/bin/sh") (which "sh"))) - ;; XXX FIXME: Test #1510 seems to work on some machines and not - ;; others, possibly based on the kernel version. It works on Guix System - ;; on x86_64 with linux-libre-4.1, but fails on Hydra for both i686 - ;; and x86_64 with the following error: - ;; - ;; test 1510...[HTTP GET connection cache limit (CURLOPT_MAXCONNECTS)] - ;; - ;; 1510: output (log/stderr1510) FAILED: - ;; --- log/check-expected 2015-06-27 07:45:53.166720834 +0000 - ;; +++ log/check-generated 2015-06-27 07:45:53.166720834 +0000 - ;; 
@@ -1,5 +1,5 @@ - ;; * Connection #0 to host server1.example.com left intact[LF] - ;; * Connection #1 to host server2.example.com left intact[LF] - ;; * Connection #2 to host server3.example.com left intact[LF] - ;; -* Closing connection 0[LF] - ;; +* Closing connection 1[LF] - ;; * Connection #3 to host server4.example.com left intact[LF] - (delete-file "tests/data/test1510") - ;; The top-level "make check" does "make -C tests quiet-test", which ;; is too quiet. Use the "test" target instead, which is more ;; verbose. @@ -171,31 +151,6 @@ tunneling, and so on.") (name "curl-minimal") (inputs (alist-delete "openldap" (package-inputs curl)))))) -;; Replacement package to fix multiple security vulnerabilities. -(define curl-7.74.0 - (package - (inherit curl) - (version "7.74.0") - (source (origin - (inherit (package-source curl)) - (uri (string-append "https://curl.haxx.se/download/curl-" - version ".tar.xz")) - (sha256 - (base32 - "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr")))) - (arguments - (substitute-keyword-arguments (package-arguments curl) - ((#:phases phases) - `(modify-phases ,phases - (replace 'check - (lambda _ - ;; Test 1510 is now disabled upstream, and the test runner - ;; complains that it can not disable a non-existing test. - ;; Thus, override the phase to not delete the test. - (substitute* "tests/runtests.pl" - (("/bin/sh") (which "sh"))) - (invoke "make" "-C" "tests" "test"))))))))) - (define-public kurly (package (name "kurly") diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm index ed2e960938..0181536c37 100644 --- a/gnu/packages/fontutils.scm +++ b/gnu/packages/fontutils.scm 
@@ -8,7 +8,7 @@ ;;; Copyright © 2017 Nikita <nikita@n0.is> ;;; Copyright © 2017, 2018, 2020 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net> -;;; Copyright © 2018, 2019 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2019, 2020 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2020 Roel Janssen <roel@gnu.org> ;;; Copyright © 2020 Nicolas Goaziou <mail@nicolasgoaziou.fr> @@ -73,14 +73,14 @@ (define-public freetype (package (name "freetype") - (version "2.10.1") - (replacement freetype/fixed) - (source (origin - (method url-fetch) - (uri (string-append "mirror://savannah/freetype/freetype-" - version ".tar.xz")) - (sha256 (base32 - "0vx2dg1jh5kq34dd6ifpjywkpapp8a7p1bvyq9yq5zi1i94gmnqn")))) + (version "2.10.4") + (source + (origin + (method url-fetch) + (uri (string-append "mirror://savannah/freetype/freetype-" + version ".tar.xz")) + (sha256 + (base32 "112pyy215chg7f7fmp2l9374chhhpihbh8wgpj5nj6avj3c59a46")))) (build-system gnu-build-system) (arguments ;; The use of "freetype-config" is deprecated, but other packages still @@ -103,19 +103,6 @@ anti-aliased glyph bitmap generation with 256 gray levels.") (license license:freetype) ; some files have other licenses (home-page "https://www.freetype.org/"))) -(define freetype/fixed - ;; Security fix for CVE-2020-15999. - (package - (inherit freetype) - (version "2.10.4") - (source - (origin - (method url-fetch) - (uri (string-append "mirror://savannah/freetype/freetype-" - version ".tar.xz")) - (sha256 - (base32 "112pyy215chg7f7fmp2l9374chhhpihbh8wgpj5nj6avj3c59a46")))))) - (define-public ttfautohint (package (name "ttfautohint") 
@@ -331,12 +318,6 @@ Font Format (WOFF).") (define-public fontconfig (package (name "fontconfig") - - ;; This replacement is not security-related, but works around the fact - ;; that gs-fonts are not recognized by newer versions of Pango, causing - ;; many applications to fail to find fonts otherwise. - (replacement fontconfig/font-dejavu) - (version "2.13.1") (source (origin (method url-fetch) @@ -351,16 +332,19 @@ Font Format (WOFF).") (propagated-inputs `(("expat" ,expat) ("freetype" ,freetype) ("libuuid" ,util-linux "lib"))) - (inputs `(("gs-fonts" ,gs-fonts))) + (inputs + ;; We use to use 'gs-fonts' but they are not recognized by newer versions + ;; of Pango, causing many applications to fail to find fonts otherwise. + `(("font-dejavu" ,font-dejavu))) (native-inputs `(("gperf" ,gperf) ("pkg-config" ,pkg-config))) (arguments `(#:configure-flags (list "--with-cache-dir=/var/cache/fontconfig" - ;; register gs-fonts as default fonts + ;; register the default fonts (string-append "--with-default-fonts=" - (assoc-ref %build-inputs "gs-fonts") + (assoc-ref %build-inputs "font-dejavu") "/share/fonts") ;; Register fonts from user and system profiles. @@ -393,13 +377,6 @@ high quality, anti-aliased and subpixel rendered text on a display.") "See COPYING in the distribution.")) (home-page "https://www.freedesktop.org/wiki/Software/fontconfig"))) -(define fontconfig/font-dejavu - (package - (inherit fontconfig) - (inputs - ;; XXX: Reuse the name to avoid having to override the configure flags. - `(("gs-fonts" ,font-dejavu))))) - (define-public t1lib (package (name "t1lib") 
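Review bot: The comment added to the `inputs` field of fontconfig has a typo: `;; We use to use 'gs-fonts' but they are not recognized by newer versions` should read `;; We used to use 'gs-fonts' but they are not recognized by newer versions`. The rest of the hunk, which folds the font-dejavu choice into the base package and points `--with-default-fonts=` at `font-dejavu`, is consistent with the removal of `fontconfig/font-dejavu` in the following hunk.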
@@ -575,16 +552,15 @@ using the above tables.") (define-public libspiro (package (name "libspiro") - (version "20190731") - (replacement libspiro-20200505) + (version "20200505") (source (origin (method url-fetch) (uri (string-append "https://github.com/fontforge/libspiro/releases" - "/download/" version "/libspiro-" version ".tar.gz")) + "/download/" version "/libspiro-dist-" version ".tar.gz")) (sha256 (base32 - "0m63x97b7aciviijprvy85gm03p2jsgslxn323zl9zn7qz6d3ir4")))) + "0j8fmyj4wz6mqk17dqs6f8jx0i52n68gv5px17qbrjnbilg9mih6")))) (build-system gnu-build-system) (arguments '(#:configure-flags '("--disable-static"))) @@ -595,19 +571,6 @@ smooth contours with constant curvature at the spline joins.") (license license:gpl2+) (home-page "http://libspiro.sourceforge.net/"))) -(define libspiro-20200505 - (package - (inherit libspiro) - (version "20200505") - (source - (origin - (method url-fetch) - (uri (string-append "https://github.com/fontforge/libspiro/releases" - "/download/" version "/libspiro-dist-" version ".tar.gz")) - (sha256 - (base32 - "0j8fmyj4wz6mqk17dqs6f8jx0i52n68gv5px17qbrjnbilg9mih6")))))) - (define-public libuninameslist (package (name "libuninameslist") diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm index 4d56f05cf2..03a516dc52 100644 --- a/gnu/packages/ghostscript.scm +++ b/gnu/packages/ghostscript.scm @@ -170,7 +170,9 @@ printing, and psresize, for adjusting page sizes.") (sha256 (base32 "0z1w42y2jmcpl2m1l3z0sfii6zmvzcwcgzn6bydklia6ig7jli2p")) - (patches (search-patches "ghostscript-no-header-creationdate.patch" + (patches (search-patches "ghostscript-freetype-compat.patch" + "ghostscript-CVE-2020-15900.patch" + "ghostscript-no-header-creationdate.patch" "ghostscript-no-header-id.patch" "ghostscript-no-header-uuid.patch")) (modules '((guix build utils))) diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm index 431111f811..9cc2b1b69e 100644 --- a/gnu/packages/glib.scm +++ b/gnu/packages/glib.scm 
@@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013, 2014, 2015, 2016, 2019 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2013, 2014, 2015, 2016, 2019, 2020 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr> ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org> ;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org> @@ -91,7 +91,6 @@ (package (name "dbus") (version "1.12.16") - (replacement dbus/fixed) (source (origin (method url-fetch) (uri (string-append @@ -100,7 +99,8 @@ (sha256 (base32 "107ckxaff1cv4q6kmfdi2fb1nlsv03312a7kf6lb4biglhpjv8jl")) - (patches (search-patches "dbus-helper-search-path.patch")))) + (patches (search-patches "dbus-CVE-2020-12049.patch" + "dbus-helper-search-path.patch")))) (build-system gnu-build-system) (arguments '(#:configure-flags @@ -168,20 +168,10 @@ or through unencrypted TCP/IP suitable for use behind a firewall with shared NFS home directories.") (license license:gpl2+))) ; or Academic Free License 2.1 -;; Replacement package to fix CVE-2020-12049. -(define dbus/fixed - (package - (inherit dbus) - (source (origin - (inherit (package-source dbus)) - (patches (append (search-patches "dbus-CVE-2020-12049.patch") - (origin-patches (package-source dbus)))))))) - (define glib (package (name "glib") (version "2.62.6") - (replacement glib-with-gio-patch) (source (origin (method url-fetch) (uri (string-append "mirror://gnome/sources/" @@ -190,7 +180,8 @@ shared NFS home directories.") (sha256 (base32 "174bsmbmcvaw69ff9g60q5sx0fn23rkhqcwqz17h5s7sprps4kqh")) - (patches (search-patches "glib-tests-timer.patch")) + (patches (search-patches "glib-appinfo-watch.patch" + "glib-tests-timer.patch")) (modules '((guix build utils))) (snippet '(begin 
@@ -236,6 +227,17 @@ shared NFS home directories.") (("gio-launch-desktop") (string-append out "/libexec/gio-launch-desktop"))) #t))) + ;; TODO: Remove the conditional in the next core-updates cycle. + ;; Needed to build glib on slower ARM nodes. + ,@(if (string-prefix? "arm" (%current-system)) + `((add-after 'unpack 'increase-test-timeout + (lambda _ + (substitute* "meson.build" + (("test_timeout = 60") + "test_timeout = 90") + (("test_timeout_slow = 120") + "test_timeout_slow = 180"))))) + '()) (add-before 'build 'pre-build (lambda* (#:key inputs outputs #:allow-other-keys) ;; For tests/gdatetime.c. @@ -388,16 +390,6 @@ dynamic loading, and an object system.") (home-page "https://developer.gnome.org/glib/") (license license:lgpl2.1+))) -(define glib-with-gio-patch - ;; GLib with a fix for <https://bugs.gnu.org/35594>. - ;; TODO: Fold into 'glib' above in the next rebuild cycle. - (package - (inherit glib) - (source (origin - (inherit (package-source glib)) - (patches (cons (search-patch "glib-appinfo-watch.patch") - (origin-patches (package-source glib)))))))) - (define-public glib-with-documentation ;; glib's doc must be built in a separate package since it requires gtk-doc, ;; which in turn depends on glib. diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 0c432f5dc1..98b77a9515 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -935,7 +935,7 @@ from forcing GEXP-PROMISE." ("llvm" ,llvm) ("clang" ,clang) ("perl" ,perl) - ("node" ,node-10.22) + ("node" ,node) ("python" ,python) ("python-2" ,python-2) ("python2-pysqlite" ,python2-pysqlite) @@ -1604,7 +1604,7 @@ standards of the IceCat project.") ("clang" ,clang) ("llvm" ,llvm) ("nasm" ,nasm) - ("node" ,node-10.22) + ("node" ,node) ("perl" ,perl) ("pkg-config" ,pkg-config) ("python" ,python) diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 3c930722b5..b4472a5e98 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm 
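Review bot: The added test-timeout bump in glib is keyed on `(string-prefix? "arm" (%current-system))`, which matches "armhf-linux" but not "aarch64-linux"; if the "slower ARM nodes" named in the TODO comment include aarch64 build machines, the longer timeouts will not apply there — the hunk does not say which systems are meant, so this is an inference. If both are intended, `,@(if (or (string-prefix? "arm" (%current-system)) (string-prefix? "aarch64" (%current-system)))` covers both while leaving other systems untouched. The enclosing `modify-phases` form starts and ends outside the hunk.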
@@ -357,7 +357,18 @@ used throughout the world.") (base32 "17bwb7dgbncrfsmchlib03k9n3xaalirb39g3yb43gg8cg6p8aqx")))) (build-system gnu-build-system) - (arguments '()))) + (arguments + '(#:phases (modify-phases %standard-phases + (add-after 'configure 'disable-layout-test + (lambda _ + ;; This test requires that fontconfig uses bitmap fonts + ;; such as "gs-fonts"; however providing such a package + ;; alone is not enough, as the requirement comes from + ;; deeper in the font stack. Since this version of Pango + ;; is only used for librsvg, simply disable the test. + (substitute* "tests/Makefile" + (("test-layout\\$\\(EXEEXT\\)") "")) + #t))))))) (define-public pangox-compat (package diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 979b069415..dac1d654f6 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -1613,15 +1613,14 @@ is hereby granted.")))) (define-public libjpeg-turbo (package (name "libjpeg-turbo") - (version "2.0.4") - (replacement libjpeg-turbo/fixed) + (version "2.0.5") (source (origin (method url-fetch) (uri (string-append "mirror://sourceforge/libjpeg-turbo/" version "/libjpeg-turbo-" version ".tar.gz")) (sha256 (base32 - "01ill8bgjyk582wipx7sh7gj2nidylpbzvwhx0wkcm6mxx3qbp9k")))) + "0pbv6pc97kbj7ib31qcwi7lnmm9xg5y3b11aasmkhfjvf7rgdy0n")))) (build-system cmake-build-system) (native-inputs `(("nasm" ,nasm))) @@ -1671,18 +1670,6 @@ and decompress to 32-bit and big-endian pixel buffers (RGBX, XBGR, etc.).") license:ijg ;the libjpeg library and associated tools license:zlib)))) ;the libjpeg-turbo SIMD extensions -(define libjpeg-turbo/fixed - (package - (inherit libjpeg-turbo) - (version "2.0.5") - (source (origin - (method url-fetch) - (uri (string-append "mirror://sourceforge/libjpeg-turbo/" - version "/libjpeg-turbo-" version ".tar.gz")) - (sha256 - (base32 - "0pbv6pc97kbj7ib31qcwi7lnmm9xg5y3b11aasmkhfjvf7rgdy0n")))))) - (define-deprecated libjpeg libjpeg-turbo) (export libjpeg) 
diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm index f04e39bbd5..66ef4f0905 100644 --- a/gnu/packages/node.scm +++ b/gnu/packages/node.scm @@ -48,14 +48,14 @@ (define-public node (package (name "node") - (version "10.20.0") + (version "10.22.1") (source (origin (method url-fetch) (uri (string-append "https://nodejs.org/dist/v" version "/node-v" version ".tar.xz")) (sha256 (base32 - "0cvjwnl0wkcsyw3kannbdv01s235wrnp11n2s6swzjx95gpichfi")) + "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl")) (modules '((guix build utils))) (snippet `(begin @@ -201,24 +201,6 @@ devices.") (properties '((max-silent-time . 7200) ;2h, needed on ARM (timeout . 21600))))) ;6h -;; TODO: Make this the default node on core-updates. This cannot be done on -;; master since this version of node requires a newer nghttp2 library at link -;; time. -(define-public node-10.22 - (package - (inherit node) - (version "10.22.1") - (source (origin - (inherit (package-source node)) - (uri (string-append "https://nodejs.org/dist/v" version - "/node-v" version ".tar.xz")) - (sha256 - (base32 - "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl")))) - (inputs - (alist-replace "nghttp2" (list nghttp2-1.41 "lib") - (package-inputs node))))) - (define-public libnode (package (inherit node) diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm index 6e863388d8..fb917882e7 100644 --- a/gnu/packages/openldap.scm +++ b/gnu/packages/openldap.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013, 2014, 2015, 2019 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2013, 2014, 2015, 2019, 2020 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr> ;;; Copyright © 2016 Leo Famulari <leo@famulari.name> ;;; Copyright © 2017, 2018, 2019 Ricardo Wurmus <rekado@elephly.net> 
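Review bot: Removing `node-10.22` drops a `define-public` binding, so any out-of-tree channel that referenced it will fail with an unbound variable even though the in-tree users in gnuzilla.scm are updated; the same applies to `gnutls/fixed` in the tls.scm hunk further down, which package-management.scm, vpn.scm and gnutls-dane are switched away from in this commit. The deprecation idiom is already visible in the image.scm hunk (`(define-deprecated libjpeg libjpeg-turbo)` followed by `(export libjpeg)`), so a one-cycle alias such as `(define-deprecated node-10.22 node)` with `(export node-10.22)`, and likewise `(define-deprecated gnutls/fixed gnutls)`, would keep those names resolvable with a warning. The removed comment states that node 10.22.1 needs a newer nghttp2 at link time, and the base `node` now takes the default `nghttp2`, which the web.scm hunk bumps to 1.41.0 in this same commit; the two hunks appear to depend on landing together, which is worth stating explicitly since nothing in the node hunk itself records it.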
@@ -61,25 +61,23 @@ (define-public openldap (package (name "openldap") - (replacement openldap-2.4.50) - (version "2.4.49") + (version "2.4.50") (source (origin - (method url-fetch) - - ;; See <http://www.openldap.org/software/download/> for a list of - ;; mirrors. - (uri (list (string-append - "ftp://mirror.switch.ch/mirror/OpenLDAP/" - "openldap-release/openldap-" version ".tgz") - (string-append - "https://www.openldap.org/software/download/OpenLDAP/" - "openldap-release/openldap-" version ".tgz") - (string-append - "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/" - "openldap-release/openldap-" version ".tgz"))) - (sha256 - (base32 - "0vp524rsngdcykf6ki7vprsyg7gj8z7hszg8xwxz50219fa1gcg3")))) + (method url-fetch) + ;; See <http://www.openldap.org/software/download/> for a list of + ;; mirrors. + (uri (list (string-append + "ftp://mirror.switch.ch/mirror/OpenLDAP/" + "openldap-release/openldap-" version ".tgz") + (string-append + "https://www.openldap.org/software/download/OpenLDAP/" + "openldap-release/openldap-" version ".tgz") + (string-append + "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/" + "openldap-release/openldap-" version ".tgz"))) + (sha256 + (base32 + "1f46nlfwmys110j36sifm7ah8m8f3s10c3vaiikmmigmifapvdaw")))) (build-system gnu-build-system) (inputs `(("bdb" ,bdb-5.3) ("cyrus-sasl" ,cyrus-sasl) @@ -127,19 +125,6 @@ (license openldap2.8) (home-page "https://www.openldap.org/"))) -(define openldap-2.4.50 - (package - (inherit openldap) - (version "2.4.50") - (source (origin - (method url-fetch) - (uri (string-append "https://www.openldap.org/software/download/" - "OpenLDAP/openldap-release/openldap-" version - ".tgz")) - (sha256 - (base32 - "1f46nlfwmys110j36sifm7ah8m8f3s10c3vaiikmmigmifapvdaw")))))) - (define-public nss-pam-ldapd (package (name "nss-pam-ldapd") diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm index df217c801f..801d74627b 100644 --- a/gnu/packages/package-management.scm +++ b/gnu/packages/package-management.scm 
@@ -405,7 +405,7 @@ $(prefix)/etc/init.d\n"))) ("glibc-utf8-locales" ,glibc-utf8-locales))) (propagated-inputs - `(("gnutls" ,(if (%current-target-system) gnutls/fixed gnutls)) + `(("gnutls" ,gnutls) ;; Avahi requires "glib" which doesn't cross-compile yet. ,@(if (%current-target-system) '() diff --git a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch new file mode 100644 index 0000000000..b6658d7c7f --- /dev/null +++ b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch @@ -0,0 +1,36 @@ +Fix CVE-2020-15900. + +https://cve.circl.lu/cve/CVE-2020-15900 +https://artifex.com/security-advisories/CVE-2020-15900 + +Taken from upstream: +https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b + +diff --git a/psi/zstring.c b/psi/zstring.c +--- a/psi/zstring.c ++++ b/psi/zstring.c +@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward) + return 0; + found: + op->tas.type_attrs = op1->tas.type_attrs; +- op->value.bytes = ptr; +- r_set_size(op, size); ++ op->value.bytes = ptr; /* match */ ++ op->tas.rsize = size; /* match */ + push(2); +- op[-1] = *op1; +- r_set_size(op - 1, ptr - op[-1].value.bytes); +- op1->value.bytes = ptr + size; +- r_set_size(op1, count + (!forward ? (size - 1) : 0)); ++ op[-1] = *op1; /* pre */ ++ op[-3].value.bytes = ptr + size; /* post */ ++ if (forward) { ++ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */ ++ op[-3].tas.rsize = count; /* post */ ++ } else { ++ op[-1].tas.rsize = count; /* pre */ ++ op[-3].tas.rsize -= count + size; /* post */ ++ } + make_true(op); + return 0; + } diff --git a/gnu/packages/patches/ghostscript-freetype-compat.patch b/gnu/packages/patches/ghostscript-freetype-compat.patch new file mode 100644 index 0000000000..cc225b5ad6 --- /dev/null +++ b/gnu/packages/patches/ghostscript-freetype-compat.patch 
@@ -0,0 +1,35 @@ +Fix build with FreeType 2.10.3 and newer. + +Taken from upstream: +https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b9db7115fbe9623f989bfb47bbade + +diff --git a/base/fapi_ft.c b/base/fapi_ft.c +--- a/base/fapi_ft.c ++++ b/base/fapi_ft.c +@@ -125,7 +125,7 @@ static void + delete_inc_int_info(gs_fapi_server * a_server, + FT_IncrementalRec * a_inc_int_info); + +-FT_CALLBACK_DEF(void *) ++static void * + FF_alloc(FT_Memory memory, long size) + { + gs_memory_t *mem = (gs_memory_t *) memory->user; +@@ -133,7 +133,7 @@ FF_alloc(FT_Memory memory, long size) + return (gs_malloc(mem, size, 1, "FF_alloc")); + } + +-FT_CALLBACK_DEF(void *) ++static void * + FF_realloc(FT_Memory memory, long cur_size, long new_size, void *block) + { + gs_memory_t *mem = (gs_memory_t *) memory->user; +@@ -153,7 +153,7 @@ FT_CALLBACK_DEF(void *) + return (tmp); + } + +-FT_CALLBACK_DEF(void) ++static void + FF_free(FT_Memory memory, void *block) + { + gs_memory_t *mem = (gs_memory_t *) memory->user; diff --git a/gnu/packages/patches/libssh2-CVE-2019-17498.patch b/gnu/packages/patches/libssh2-CVE-2019-17498.patch new file mode 100644 index 0000000000..6f69e562e2 --- /dev/null +++ b/gnu/packages/patches/libssh2-CVE-2019-17498.patch 
@@ -0,0 +1,126 @@ +https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c.patch + +From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001 +From: Will Cosgrove <will@panic.com> +Date: Fri, 30 Aug 2019 09:57:38 -0700 +Subject: [PATCH] packet.c: improve message parsing (#402) + +* packet.c: improve parsing of packets + +file: packet.c + +notes: +Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST. +--- + src/packet.c | 68 ++++++++++++++++++++++------------------------------ + 1 file changed, 29 insertions(+), 39 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index 38ab62944..2e01bfc5d 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + size_t datalen, int macstate) + { + int rc = 0; +- char *message = NULL; +- char *language = NULL; ++ unsigned char *message = NULL; ++ unsigned char *language = NULL; + size_t message_len = 0; + size_t language_len = 0; + LIBSSH2_CHANNEL *channelp = NULL; +@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + + case SSH_MSG_DISCONNECT: + if(datalen >= 5) { +- size_t reason = _libssh2_ntohu32(data + 1); ++ uint32_t reason = 0; ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr++; /* advance past type */ + +- if(datalen >= 9) { +- message_len = _libssh2_ntohu32(data + 5); ++ _libssh2_get_u32(&buf, &reason); ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + +- if(message_len < datalen-13) { +- /* 9 = packet_type(1) + reason(4) + message_len(4) */ +- message = (char *) data + 9; +- +- language_len = +- _libssh2_ntohu32(data + 9 + message_len); +- language = (char *) data + 9 + message_len + 4; +- +- if(language_len > (datalen-13-message_len)) { +- /* bad 
input, clear info */ +- language = message = NULL; +- language_len = message_len = 0; +- } +- } +- else +- /* bad size, clear it */ +- message_len = 0; +- } + if(session->ssh_msg_disconnect) { +- LIBSSH2_DISCONNECT(session, reason, message, +- message_len, language, language_len); ++ LIBSSH2_DISCONNECT(session, reason, (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } ++ + _libssh2_debug(session, LIBSSH2_TRACE_TRANS, + "Disconnect(%d): %s(%s)", reason, + message, language); +@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + int always_display = data[1]; + + if(datalen >= 6) { +- message_len = _libssh2_ntohu32(data + 2); +- +- if(message_len <= (datalen - 10)) { +- /* 6 = packet_type(1) + display(1) + message_len(4) */ +- message = (char *) data + 6; +- language_len = _libssh2_ntohu32(data + 6 + +- message_len); +- +- if(language_len <= (datalen - 10 - message_len)) +- language = (char *) data + 10 + message_len; +- } ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr += 2; /* advance past type & always display */ ++ ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + } + + if(session->ssh_msg_debug) { +- LIBSSH2_DEBUG(session, always_display, message, +- message_len, language, language_len); ++ LIBSSH2_DEBUG(session, always_display, ++ (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } + } ++ + /* + * _libssh2_debug will actually truncate this for us so + * that it's not an inordinate about of data +@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + uint32_t len = 0; + unsigned char want_reply = 0; + len = _libssh2_ntohu32(data + 1); +- if(datalen >= (6 + len)) { ++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) { + want_reply = data[5 + len]; + _libssh2_debug(session, + 
LIBSSH2_TRACE_CONN, diff --git a/gnu/packages/patches/python-CVE-2020-26116.patch b/gnu/packages/patches/python-CVE-2020-26116.patch new file mode 100644 index 0000000000..dc0571e964 --- /dev/null +++ b/gnu/packages/patches/python-CVE-2020-26116.patch @@ -0,0 +1,47 @@ +Fix CVE-2020-26116: + +https://cve.circl.lu/cve/CVE-2020-26116 +https://bugs.python.org/issue39603 + +Taken from upstream (sans test and NEWS update): +https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf + +diff --git a/Lib/http/client.py b/Lib/http/client.py +--- a/Lib/http/client.py ++++ b/Lib/http/client.py +@@ -147,6 +147,10 @@ + # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") + # We are more lenient for assumed real world compatibility purposes. + ++# These characters are not allowed within HTTP method names ++# to prevent http header injection. ++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') ++ + # We always set the Content-Length header for these methods because some + # servers will otherwise respond with a 411 + _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} +@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False, + else: + raise CannotSendRequest(self.__state) + ++ self._validate_method(method) ++ + # Save the method for use later in the response phase + self._method = method + +@@ -1177,6 +1183,15 @@ def _encode_request(self, request): + # ASCII also helps prevent CVE-2019-9740. + return request.encode('ascii') + ++ def _validate_method(self, method): ++ """Validate a method name for putrequest.""" ++ # prevent http header injection ++ match = _contains_disallowed_method_pchar_re.search(method) ++ if match: ++ raise ValueError( ++ f"method can't contain control characters. {method!r} " ++ f"(found at least {match.group()!r})") ++ + def _validate_path(self, url): + """Validate a url for putrequest.""" + # Prevent CVE-2019-9740. 
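Review bot: The header of the new libssh2-CVE-2019-17498.patch consists only of the upstream commit URL, whereas the other patch files added by this commit (ghostscript-CVE-2020-15900.patch, python-CVE-2020-26116.patch) open with a `Fix CVE-…` line followed by a `Taken from upstream:` pointer. For consistency, and so that a grep of the patches directory shows what each patch addresses, prepend `Fix CVE-2019-17498.` and `Taken from upstream:` above the existing URL line. The C hunks themselves carry the upstream commit's `From`/`Subject` trailer and appear unmodified, so no change to the patch body is suggested.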
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index fa9bf10e07..27e9b70432 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -370,6 +370,7 @@ data types.") (uri (string-append "https://www.python.org/ftp/python/" version "/Python-" version ".tar.xz")) (patches (search-patches + "python-CVE-2020-26116.patch" "python-3-fix-tests.patch" "python-3.8-fix-tests.patch" "python-3-deterministic-build-info.patch" diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 146177f7f3..0f2434d7c5 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -2,7 +2,7 @@ ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr> ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org> -;;; Copyright © 2015, 2016, 2018, 2019 Efraim Flashner <efraim@flashner.co.il> +;;; Copyright © 2015, 2016, 2018, 2019, 2020 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2016, 2019 Leo Famulari <leo@famulari.name> ;;; Copyright © 2016 Nicolas Goaziou <mail@nicolasgoaziou.fr> ;;; Copyright © 2016 Christopher Allan Webber <cwebber@dustycloud.org> @@ -165,7 +165,8 @@ applications.") version ".tar.gz")) (sha256 (base32 - "1zfsz9nldakfz61d2j70pk29zlmj7w2vv46s9l3x2prhcgaqpyym")))) + "1zfsz9nldakfz61d2j70pk29zlmj7w2vv46s9l3x2prhcgaqpyym")) + (patches (search-patches "libssh2-CVE-2019-17498.patch")))) (build-system gnu-build-system) ;; The installed libssh2.pc file does not include paths to libgcrypt and ;; zlib libraries, so we need to propagate the inputs. diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index ab2a1f8628..0724d4d5be 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm 
@@ -164,21 +164,19 @@ living in the same process.") (define-public gnutls (package (name "gnutls") - ;; XXX Unversion openconnect's "gnutls" input when ungrafting. - (replacement gnutls/fixed) - (version "3.6.12") + (version "3.6.15") (source (origin - (method url-fetch) - (uri + (method url-fetch) ;; Note: Releases are no longer on ftp.gnu.org since the ;; schism (after version 3.1.5). - (string-append "mirror://gnupg/gnutls/v" - (version-major+minor version) - "/gnutls-" version ".tar.xz")) - (patches (search-patches "gnutls-skip-trust-store-test.patch")) - (sha256 - (base32 - "0jvca1qahn9lrwv6f5kfs95icirc15b2a8x9fzczyj996ipg3b5z")))) + (uri (string-append "mirror://gnupg/gnutls/v" + (version-major+minor version) + "/gnutls-" version ".tar.xz")) + (patches (search-patches "gnutls-skip-trust-store-test.patch" + "gnutls-cross.patch")) + (sha256 + (base32 + "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f")))) (build-system gnu-build-system) (arguments `(#:tests? ,(not (or (%current-target-system) @@ -228,7 +226,11 @@ living in the same process.") "debug" "doc")) ;4.1 MiB of man pages (native-inputs - `(,@(if (hurd-target?) '() + `(,@(if (%current-target-system) ;for cross-build + `(("guile" ,guile-3.0)) ;to create .go files + '()) + ,@(if (hurd-target?) + '() `(("net-tools" ,net-tools))) ("pkg-config" ,pkg-config) ("which" ,which) 
@@ -254,27 +256,6 @@ required structures.") (properties '((ftp-server . "ftp.gnutls.org") (ftp-directory . "/gcrypt/gnutls"))))) -;; Replacement package to fix multiple security vulnerabilities. -(define-public gnutls/fixed - (package - (inherit gnutls) - (version "3.6.15") - (source (origin - (method url-fetch) - (uri (string-append "mirror://gnupg/gnutls/v" - (version-major+minor version) - "/gnutls-" version ".tar.xz")) - (patches (search-patches "gnutls-skip-trust-store-test.patch" - "gnutls-cross.patch")) - (sha256 - (base32 - "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f")))) - (native-inputs - `(,@(if (%current-target-system) ;for cross-build - `(("guile" ,guile-3.0)) ;to create .go files - '()) - ,@(package-native-inputs gnutls))))) - (define-public gnutls/guile-2.0 ;; GnuTLS for Guile 2.0. (package/inherit gnutls @@ -287,7 +268,7 @@ required structures.") ;; Authentication of Named Entities. This is required for GNS functionality ;; by GNUnet and gnURL. This is done in an extra package definition ;; to have the choice between GnuTLS with Dane and without Dane. - (package/inherit gnutls/fixed + (package/inherit gnutls (name "gnutls-dane") (inputs `(("unbound" ,unbound) ,@(package-inputs gnutls))))) @@ -306,8 +287,7 @@ required structures.") (define-public openssl (package (name "openssl") - (version "1.1.1f") - (replacement openssl-1.1.1i) + (version "1.1.1i") (source (origin (method url-fetch) (uri (list (string-append "https://www.openssl.org/source/openssl-" 
@@ -317,10 +297,10 @@ required structures.") (string-append "ftp://ftp.openssl.org/source/old/" (string-trim-right version char-set:letter) "/openssl-" version ".tar.gz"))) + (patches (search-patches "openssl-1.1-c-rehash-in.patch")) (sha256 (base32 - "0d9zv9srjqivs8nn099fpbjv1wyhfcb8lzy491dpmfngdvz6nv0q")) - (patches (search-patches "openssl-1.1-c-rehash-in.patch")))) + "0hjj1phcwkz69lx1lrvr9grhpl4y529mwqycqc1hdla1zqsnmgp8")))) (build-system gnu-build-system) (outputs '("out" "doc" ;6.8 MiB of man3 pages and full HTML documentation @@ -439,24 +419,6 @@ required structures.") (license license:openssl) (home-page "https://www.openssl.org/"))) -(define openssl-1.1.1i - (package - (inherit openssl) - (version "1.1.1i") - (source (origin - (method url-fetch) - (uri (list (string-append "https://www.openssl.org/source/openssl-" - version ".tar.gz") - (string-append "ftp://ftp.openssl.org/source/" - "openssl-" version ".tar.gz") - (string-append "ftp://ftp.openssl.org/source/old/" - (string-trim-right version char-set:letter) - "/openssl-" version ".tar.gz"))) - (patches (search-patches "openssl-1.1-c-rehash-in.patch")) - (sha256 - (base32 - "0hjj1phcwkz69lx1lrvr9grhpl4y529mwqycqc1hdla1zqsnmgp8")))))) - (define-public openssl-1.0 (package (inherit openssl) diff --git a/gnu/packages/vpn.scm b/gnu/packages/vpn.scm index c1f0b65e84..525d1ddb3f 100644 --- a/gnu/packages/vpn.scm +++ b/gnu/packages/vpn.scm @@ -264,9 +264,7 @@ the user specifically asks to proxy, so the @dfn{VPN} interface no longer (build-system gnu-build-system) (propagated-inputs `(("libxml2" ,libxml2) - ;; XXX ‘DTLS is insecure in GnuTLS v3.6.3 through v3.6.12.’ - ;; See <https://gitlab.com/gnutls/gnutls/-/issues/960>. - ("gnutls" ,gnutls/fixed) + ("gnutls" ,gnutls) ("zlib" ,zlib))) (inputs `(("lz4" ,lz4) diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index bd1e7eccaa..5851251c6d 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm 
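Review bot: The rationale for pinning openconnect's GnuTLS is lost with the new `("gnutls" ,gnutls)` line in vpn.scm: the removed comment recorded that DTLS was insecure in GnuTLS 3.6.3 through 3.6.12 and pointed at gnutls issue 960. The unversioned input is correct now that the default `gnutls` is 3.6.15 (tls.scm, earlier in this diff), but a future graft or downgrade of `gnutls` would silently reintroduce that DTLS weakness for VPN users with nothing in this file to flag it. I would keep a one-line pointer above the input: `;; openconnect's DTLS needs GnuTLS > 3.6.12; see <https://gitlab.com/gnutls/gnutls/-/issues/960>.` The propagated-inputs form is complete within the hunk.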
@@ -900,7 +900,6 @@ data.") (define-public json-c (package - (replacement json-c/fixed) (name "json-c") (version "0.14") (source (origin @@ -910,7 +909,8 @@ data.") version ".tar.gz")) (sha256 (base32 - "0w381krr99q5a2rypx4g437fa7gzgl82i64sgnrs6g5jr44dwxxk")))) + "0w381krr99q5a2rypx4g437fa7gzgl82i64sgnrs6g5jr44dwxxk")) + (patches (search-patches "json-c-CVE-2020-12762.patch")))) (build-system cmake-build-system) (home-page "https://github.com/json-c/json-c/wiki") (synopsis "JSON implementation in C") @@ -921,15 +921,6 @@ parse JSON-formatted strings back into the C representation of JSON objects. It aims to conform to RFC 7159.") (license license:x11))) -(define json-c/fixed - (package - (inherit json-c) - (name "json-c") - (version "0.14") - (source (origin - (inherit (package-source json-c)) - (patches (search-patches "json-c-CVE-2020-12762.patch")))))) - ;; TODO: Remove these old versions when all dependents have been updated. (define-public json-c-0.13 (package @@ -7447,8 +7438,7 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.") (define-public nghttp2 (package (name "nghttp2") - (version "1.40.0") - (replacement nghttp2-1.41) + (version "1.41.0") (source (origin (method url-fetch) @@ -7457,7 +7447,7 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.") "nghttp2-" version ".tar.xz")) (sha256 (base32 - "0wwhwv7cvi1vxpdjwvg0kpa4jzhszclpnwrwfcw728zz53a47z09")))) + "1hk77vngjmvvzb5y1gi1aqwf6qywrc7yak08zvzb7x81qs6mphmb")))) (build-system gnu-build-system) (outputs (list "out" "lib")) ; only libnghttp2 
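Review bot: The CVE-2020-12762 patch is now carried only by the `json-c` 0.14 origin, while `json-c-0.13`, kept just below for older dependents (its definition lies outside this hunk), is not touched by this diff; if its source is a separate `origin` rather than one inheriting `(package-source json-c)`, it keeps shipping without the fix once the `json-c/fixed` replacement is dropped. Worth confirming that the 0.13 definition either inherits the patched source or gets its own `(patches (search-patches "json-c-CVE-2020-12762.patch"))` (the patch may need a separate check that it applies to that tree). A brief comment on the new `patches` line saying the fix is now applied directly instead of via a graft, e.g. `;; Applied directly (previously a graft); see the patch header for the CVE details.`, would make the ungraft visible to the next person touching this package.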
@@ -7531,20 +7521,6 @@ compressed JSON header blocks. @end itemize\n") (license license:expat))) -(define-public nghttp2-1.41 ;fixes CVE-2020-11080 - (package - (inherit nghttp2) - (version "1.41.0") - (source - (origin - (method url-fetch) - (uri (string-append "https://github.com/nghttp2/nghttp2/" - "releases/download/v" version "/" - "nghttp2-" version ".tar.xz")) - (sha256 - (base32 - "1hk77vngjmvvzb5y1gi1aqwf6qywrc7yak08zvzb7x81qs6mphmb")))))) - (define-public hpcguix-web (let ((commit "9de63562b06b4aef3a3afe5ecb18d3c91e57ee74") (revision "5")) diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm index 3a26acc802..cd3a7d3765 100644 --- a/gnu/packages/xorg.scm +++ b/gnu/packages/xorg.scm @@ -2,7 +2,7 @@ ;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr> ;;; Copyright © 2014, 2015, 2017, 2018, 2020 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2014, 2015 Eric Bavier <bavier@member.fsf.org> -;;; Copyright © 2015, 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2015 Eric Dvorsak <eric@dvorsak.fr> ;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org> ;;; Copyright © 2015 Cyrill Schenkel <cyrill.schenkel@gmail.com> @@ -5473,8 +5473,7 @@ draggable titlebars and borders.") (define-public libx11 (package (name "libx11") - (version "1.6.9") - (replacement libx11/fixed) + (version "1.6.10") (source (origin (method url-fetch) @@ -5484,7 +5483,7 @@ draggable titlebars and borders.") ".tar.bz2")) (sha256 (base32 - "1ldyn9c6pyx54sxzaw120n3q42rqi7b503aqmyjky6fn038fiiww")))) + "09k2pqmqbn2m1bpgl7jfxyqxaaxsnzbnp2bp8ycmqldqi5ln4j5g")))) (build-system gnu-build-system) (outputs '("out" "doc")) ;8 MiB of man pages + XML 
@@ -5512,19 +5511,6 @@ draggable titlebars and borders.") (description "Xorg Core X11 protocol client library.") (license license:x11))) -(define libx11/fixed ; Fixes CVE-2020-14344 - (package - (inherit libx11) - (version "1.6.A") - (source - (origin - (method url-fetch) - (uri (string-append - "mirror://xorg/individual/lib/libX11-1.6.10.tar.bz2")) - (sha256 - (base32 - "09k2pqmqbn2m1bpgl7jfxyqxaaxsnzbnp2bp8ycmqldqi5ln4j5g")))))) - ;; packages of height 5 in the propagated-inputs tree (define-public libxcursor |