From 1e9f667708ba6fdc4b16fe6851bc0ea0b6306fad Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Mon, 8 Feb 2021 16:40:17 +0100 Subject: gnu: qpdfview: Fix qt-5.15 compatibility. * gnu/packages/pdf.scm (qpdfview)[source]: Add patch to include a missing header. * gnu/packages/patches/qpdfview-qt515-compat.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Signed-off-by: Leo Famulari --- gnu/local.mk | 1 + 1 file changed, 1 insertion(+) (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 7b6cd8e0ae..886c8531c9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1560,6 +1560,7 @@ dist_patch_DATA = \ %D%/packages/patches/pypy3-7.3.1-fix-tests.patch \ %D%/packages/patches/qemu-build-info-manual.patch \ %D%/packages/patches/qemu-glibc-2.27.patch \ + %D%/packages/patches/qpdfview-qt515-compat.patch \ %D%/packages/patches/qrcodegen-cpp-make-install.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qtbase-absolute-runpath.patch \ -- cgit 1.4.1 From d00380b0077b0df2a0b790bb115d07c1533b8863 Mon Sep 17 00:00:00 2001 From: Vincent Legoll Date: Sun, 7 Feb 2021 11:28:21 +0100 Subject: gnu: vorbis-tools: Update to 1.4.2. * gnu/packages/xiph.scm (vorbis-tools): Update to 1.4.2. (source): Remove obsolete patches. * gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch, gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch, gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. Signed-off-by: Leo Famulari --- gnu/local.mk | 3 - .../vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch | 83 ---------------------- .../patches/vorbis-tools-CVE-2014-9640.patch | 29 -------- .../patches/vorbis-tools-CVE-2015-6749.patch | 44 ------------ gnu/packages/xiph.scm | 8 +-- 5 files changed, 2 insertions(+), 165 deletions(-) delete mode 100644 gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch delete mode 100644 gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch delete mode 100644 gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 886c8531c9..8a31bfef64 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1712,9 +1712,6 @@ dist_patch_DATA = \ %D%/packages/patches/vinagre-newer-freerdp.patch \ %D%/packages/patches/vinagre-newer-rdp-parameters.patch \ %D%/packages/patches/virglrenderer-CVE-2017-6386.patch \ - %D%/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch \ - %D%/packages/patches/vorbis-tools-CVE-2014-9640.patch \ - %D%/packages/patches/vorbis-tools-CVE-2015-6749.patch \ %D%/packages/patches/vsearch-unbundle-cityhash.patch \ %D%/packages/patches/vte-CVE-2012-2738-pt1.patch \ %D%/packages/patches/vte-CVE-2012-2738-pt2.patch \ diff --git a/gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch b/gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch deleted file mode 100644 index 6e389dd59e..0000000000 --- a/gnu/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch +++ /dev/null @@ -1,83 +0,0 @@ -From: Petter Reinholdtsen -Date: Tue, 22 Sep 2015 15:14:06 +0200 -Subject: oggenc: validate count of channels in the header (CVE-2014-9638 & - CVE-2014-9639) - -Author: Kamil Dudka -Origin: http://lists.xiph.org/pipermail/vorbis-dev/2015-February/020423.html -Bug: https://trac.xiph.org/ticket/2136 -Bug: https://trac.xiph.org/ticket/2137 -Bug-Debian: https://bugs.debian.org/776086 -Forwarded: not-needed -Reviewed-By: Petter Reinholdtsen -Last-Update: 2015-09-22 ---- - oggenc/audio.c | 18 ++++++++++++++++-- - 1 file changed, 16 insertions(+), 2 deletions(-) - -diff --git a/oggenc/audio.c b/oggenc/audio.c -index 05e42b3..1b3f179 100644 ---- a/oggenc/audio.c -+++ b/oggenc/audio.c -@@ -13,6 +13,7 @@ - #include - #endif - -+#include - #include - #include - #include -@@ -251,6 +252,7 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen) - aiff_fmt format; - aifffile *aiff = malloc(sizeof(aifffile)); - int i; -+ long channels; - - if(buf[11]=='C') - aifc=1; -@@ -277,11 +279,16 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen) - return 0; - } - -- format.channels = READ_U16_BE(buffer); -+ format.channels = channels = READ_U16_BE(buffer); - format.totalframes = READ_U32_BE(buffer+2); - format.samplesize = READ_U16_BE(buffer+6); - format.rate = (int)read_IEEE80(buffer+8); - -+ if(channels <= 0L || SHRT_MAX < channels) -+ { -+ fprintf(stderr, _("Warning: Unsupported count of channels in AIFF header\n")); -+ return 0; -+ } - aiff->bigendian = 1; - - if(aifc) -@@ -412,6 +419,7 @@ int wav_open(FILE *in, oe_enc_opt *opt, unsigned char *oldbuf, int buflen) - wav_fmt format; - wavfile *wav = malloc(sizeof(wavfile)); - int i; -+ long channels; - - /* Ok. At this point, we know we have a WAV file. Now we have to detect - * whether we support the subtype, and we have to find the actual data -@@ -449,12 +457,18 @@ int wav_open(FILE *in, oe_enc_opt *opt, unsigned char *oldbuf, int buflen) - } - - format.format = READ_U16_LE(buf); -- format.channels = READ_U16_LE(buf+2); -+ format.channels = channels = READ_U16_LE(buf+2); - format.samplerate = READ_U32_LE(buf+4); - format.bytespersec = READ_U32_LE(buf+8); - format.align = READ_U16_LE(buf+12); - format.samplesize = READ_U16_LE(buf+14); - -+ if(channels <= 0L || SHRT_MAX < channels) -+ { -+ fprintf(stderr, _("Warning: Unsupported count of channels in WAV header\n")); -+ return 0; -+ } -+ - if(format.format == -2) /* WAVE_FORMAT_EXTENSIBLE */ - { - if(len<40) diff --git a/gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch b/gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch deleted file mode 100644 index 97d18e0db7..0000000000 --- a/gnu/packages/patches/vorbis-tools-CVE-2014-9640.patch +++ /dev/null @@ -1,29 +0,0 @@ -Index: vorbis-tools/oggenc/oggenc.c -=================================================================== ---- vorbis-tools/oggenc/oggenc.c (revision 19116) -+++ vorbis-tools/oggenc/oggenc.c (revision 19117) -@@ -98,4 +98,6 @@ - 0,0,0.f, - 0, 0, 0, 0, 0}; -+ input_format raw_format = {NULL, 0, raw_open, wav_close, "raw", -+ N_("RAW file reader")}; - - int i; -@@ -240,6 +242,4 @@ - if(opt.rawmode) - { -- input_format raw_format = {NULL, 0, raw_open, wav_close, "raw", -- N_("RAW file reader")}; - - enc_opts.rate=opt.raw_samplerate; -Index: vorbis-tools/oggenc/skeleton.h -=================================================================== ---- vorbis-tools/oggenc/skeleton.h (revision 19116) -+++ vorbis-tools/oggenc/skeleton.h (revision 19117) -@@ -42,5 +42,5 @@ - ogg_int64_t start_granule; /* start granule value */ - ogg_uint32_t preroll; /* preroll */ -- unsigned char granule_shift; // a 8-bit field /* 1 byte value holding the granule shift */ -+ unsigned char granule_shift; /* 1 byte value holding the granule shift */ - char *message_header_fields; /* holds all the message header fields */ - /* current total size of the message header fields, for realloc purpose, initially zero */ diff --git a/gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch b/gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch deleted file mode 100644 index bcddcbfd70..0000000000 --- a/gnu/packages/patches/vorbis-tools-CVE-2015-6749.patch +++ /dev/null @@ -1,44 +0,0 @@ -Upstream fix for CVE-2015-6749. -https://trac.xiph.org/ticket/2212 - -From 04815d3e1bfae3a6cdfb2c25358a5a72b61299f7 Mon Sep 17 00:00:00 2001 -From: Mark Harris -Date: Sun, 30 Aug 2015 05:54:46 -0700 -Subject: [PATCH] oggenc: Fix large alloca on bad AIFF input - -Fixes #2212 ---- - oggenc/audio.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/oggenc/audio.c b/oggenc/audio.c -index 477da8c..4921fb9 100644 ---- a/oggenc/audio.c -+++ b/oggenc/audio.c -@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] = - int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen) - { - int aifc; /* AIFC or AIFF? */ -- unsigned int len; -- unsigned char *buffer; -+ unsigned int len, readlen; -+ unsigned char buffer[22]; - unsigned char buf2[8]; - aiff_fmt format; - aifffile *aiff = malloc(sizeof(aifffile)); -@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen) - return 0; /* Weird common chunk */ - } - -- buffer = alloca(len); -- -- if(fread(buffer,1,len,in) < len) -+ readlen = len < sizeof(buffer) ? len : sizeof(buffer); -+ if(fread(buffer,1,readlen,in) < readlen || -+ (len > readlen && !seek_forward(in, len-readlen))) - { - fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n")); - return 0; --- -2.5.0 - diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm index 4a3f25e009..8ed0e518a7 100644 --- a/gnu/packages/xiph.scm +++ b/gnu/packages/xiph.scm @@ -312,18 +312,14 @@ Kate stream.") (define vorbis-tools (package (name "vorbis-tools") - (version "1.4.0") + (version "1.4.2") (source (origin (method url-fetch) (uri (string-append "https://downloads.xiph.org/releases/vorbis/" "vorbis-tools-" version ".tar.gz")) (sha256 (base32 - "1g12bnh5ah08v529y72kfdz5lhvy75iaz7f9jskyby23m9dkk2d3")) - (patches (search-patches - "vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch" - "vorbis-tools-CVE-2014-9640.patch" - "vorbis-tools-CVE-2015-6749.patch")))) + "1c7h4ivgfdyygz2hyh6nfibxlkz8kdk868a576qkkjgj5gn78xyv")))) (build-system gnu-build-system) (inputs `(("ao" ,ao) ("curl" ,curl) -- cgit 1.4.1 From 55050e54a987cd99b8477da1a4993e83adcca129 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 9 Feb 2021 22:59:51 +0100 Subject: gnu: inetutils: Update to 2.0. * gnu/packages/admin.scm (inetutils): Update to 2.0. [source](patches): Remove. * gnu/packages/patches/inetutils-hurd.patch: Remove. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. --- gnu/local.mk | 3 +- gnu/packages/admin.scm | 7 +- gnu/packages/patches/inetutils-hurd.patch | 583 ------------------------------ 3 files changed, 4 insertions(+), 589 deletions(-) delete mode 100644 gnu/packages/patches/inetutils-hurd.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 8a31bfef64..21250c2d7b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1,5 +1,5 @@ # GNU Guix --- Functional package management for GNU -# Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès +# Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès # Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Andreas Enge # Copyright © 2016 Mathieu Lirzin # Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Mark H Weaver @@ -1180,7 +1180,6 @@ dist_patch_DATA = \ %D%/packages/patches/id3lib-UTF16-writing-bug.patch \ %D%/packages/patches/idris-disable-test.patch \ %D%/packages/patches/ilmbase-fix-tests.patch \ - %D%/packages/patches/inetutils-hurd.patch \ %D%/packages/patches/inkscape-poppler-0.76.patch \ %D%/packages/patches/intel-xed-fix-nondeterminism.patch \ %D%/packages/patches/intltool-perl-compatibility.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index a6cf633baa..4bc08f83f0 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès +;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès ;;; Copyright © 2013 Cyril Roelandt ;;; Copyright © 2014, 2015, 2016, 2018, 2019, 2020 Mark H Weaver ;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2020 Eric Bavier @@ -612,15 +612,14 @@ re-executing them as necessary.") (define-public inetutils (package (name "inetutils") - (version "1.9.4") + (version "2.0") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/inetutils/inetutils-" version ".tar.gz")) - (patches (search-patches "inetutils-hurd.patch")) (sha256 (base32 - "05n65k4ixl85dc6rxc51b1b732gnmm8xnqi424dy9f1nz7ppb3xy")))) + "0j1nb69bhg29cm4xkqqjh2ln1zqcj2lnpm92v638lpwrs11dypxl")))) (build-system gnu-build-system) (arguments `(#:configure-flags '("--localstatedir=/var" diff --git a/gnu/packages/patches/inetutils-hurd.patch b/gnu/packages/patches/inetutils-hurd.patch deleted file mode 100644 index bd65c4feb1..0000000000 --- a/gnu/packages/patches/inetutils-hurd.patch +++ /dev/null @@ -1,583 +0,0 @@ -Support compiling on the Hurd. - -Taken from https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/tree/debian/patches/0002-ifconfig-Improve-the-support-for-GNU-Hurd.patch - -From 9a90d9b9119906df23cb2db1503cb0f099942dd9 Mon Sep 17 00:00:00 2001 -From: Mats Erik Andersson -Date: Sat, 18 Jul 2015 01:12:41 +0200 -Subject: [PATCH 02/35] ifconfig: Improve the support for GNU/Hurd. - -Use system specific code instead of generic code. -This provides abilities similar to other systems. ---- - ChangeLog | 17 +++ - ifconfig/system.c | 10 +- - ifconfig/system.h | 2 + - ifconfig/system/Makefile.am | 4 +- - ifconfig/system/generic.c | 14 +- - ifconfig/system/hurd.c | 292 ++++++++++++++++++++++++++++++++++++ - ifconfig/system/hurd.h | 50 ++++++ - 7 files changed, 381 insertions(+), 8 deletions(-) - create mode 100644 ifconfig/system/hurd.c - create mode 100644 ifconfig/system/hurd.h - -diff --git a/ifconfig/system.c b/ifconfig/system.c -index 30677e41..e108dc2e 100644 ---- a/ifconfig/system.c -+++ b/ifconfig/system.c -@@ -25,10 +25,12 @@ - # include "system/solaris.c" - #elif defined __QNX__ - # include "system/qnx.c" --# elif defined __DragonFly__ || defined __FreeBSD__ || \ -- defined __FreeBSD_kernel__ || \ -- defined __NetBSD__ || defined __OpenBSD__ --# include "system/bsd.c" -+#elif defined __DragonFly__ || defined __FreeBSD__ || \ -+ defined __FreeBSD_kernel__ || \ -+ defined __NetBSD__ || defined __OpenBSD__ -+# include "system/bsd.c" -+#elif defined __GNU__ -+# include "system/hurd.c" - #else - # include "system/generic.c" - #endif -diff --git a/ifconfig/system.h b/ifconfig/system.h -index 8521ad95..66878d3a 100644 ---- a/ifconfig/system.h -+++ b/ifconfig/system.h -@@ -97,6 +97,8 @@ extern struct if_nameindex* (*system_if_nameindex) (void); - defined __FreeBSD_kernel__ || \ - defined __NetBSD__ || defined __OpenBSD__ - # include "system/bsd.h" -+# elif defined __GNU__ -+# include "system/hurd.h" - # else - # include "system/generic.h" - # endif -diff --git a/ifconfig/system/Makefile.am b/ifconfig/system/Makefile.am -index 954c6774..62a9f1c4 100644 ---- a/ifconfig/system/Makefile.am -+++ b/ifconfig/system/Makefile.am -@@ -26,8 +26,10 @@ noinst_HEADERS = \ - linux.h \ - solaris.h \ - qnx.h \ -+ hurd.h \ - bsd.c \ - generic.c \ - linux.c \ - solaris.c \ -- qnx.c -+ qnx.c \ -+ hurd.c -diff --git a/ifconfig/system/generic.c b/ifconfig/system/generic.c -index 9a2bda55..20a78bde 100644 ---- a/ifconfig/system/generic.c -+++ b/ifconfig/system/generic.c -@@ -22,6 +22,8 @@ - #include - - #include "../ifconfig.h" -+ -+#include - - - /* Output format stuff. */ -@@ -36,19 +38,25 @@ const char *system_help; - struct argp_child system_argp_child; - - int --system_parse_opt (struct ifconfig **ifp, char option, char *optarg) -+system_parse_opt (struct ifconfig **ifp _GL_UNUSED_PARAMETER, -+ char option _GL_UNUSED_PARAMETER, -+ char *optarg _GL_UNUSED_PARAMETER) - { - return 0; - } - - int --system_parse_opt_rest (struct ifconfig **ifp, int argc, char *argv[]) -+system_parse_opt_rest (struct ifconfig **ifp _GL_UNUSED_PARAMETER, -+ int argc _GL_UNUSED_PARAMETER, -+ char *argv[] _GL_UNUSED_PARAMETER) - { - return 0; - } - - int --system_configure (int sfd, struct ifreq *ifr, struct system_ifconfig *ifs) -+system_configure (int sfd _GL_UNUSED_PARAMETER, -+ struct ifreq *ifr _GL_UNUSED_PARAMETER, -+ struct system_ifconfig *ifs _GL_UNUSED_PARAMETER) - { - return 0; - } -diff --git a/ifconfig/system/hurd.c b/ifconfig/system/hurd.c -new file mode 100644 -index 00000000..3bd19775 ---- /dev/null -+++ b/ifconfig/system/hurd.c -@@ -0,0 +1,292 @@ -+/* hurd.c -- Code for ifconfig specific to GNU/Hurd. -+ Copyright (C) 2015 Free Software Foundation, Inc. -+ -+ This file is part of GNU Inetutils. -+ -+ GNU Inetutils is free software: you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation, either version 3 of the License, or (at -+ your option) any later version. -+ -+ GNU Inetutils is distributed in the hope that it will be useful, but -+ WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see `http://www.gnu.org/licenses/'. */ -+ -+/* Mostly written by Marcus Brinkmann. -+ Adaptions to GNU/Hurd by Mats Erik Andersson. */ -+ -+#include -+ -+#include -+#include -+#include -+#include "../ifconfig.h" -+ -+#include -+ -+ -+/* Output format stuff. */ -+ -+const char *system_default_format = "gnu"; -+ -+ -+/* Argument parsing stuff. */ -+ -+const char *system_help = "NAME [ADDR]\ -+ [broadcast BRDADDR] [netmask MASK]\ -+ [mtu N] [up|down] [FLAGS]"; -+ -+struct argp_child system_argp_child; -+ -+int -+system_parse_opt (struct ifconfig **ifp _GL_UNUSED_PARAMETER, -+ char option _GL_UNUSED_PARAMETER, -+ char *optarg _GL_UNUSED_PARAMETER) -+{ -+ return 0; -+} -+ -+int -+system_parse_opt_rest (struct ifconfig **ifp, int argc, char *argv[]) -+{ -+ int i = 0, mask, rev; -+ enum { -+ EXPECT_NOTHING, -+ EXPECT_AF, -+ EXPECT_BROADCAST, -+ EXPECT_NETMASK, -+ EXPECT_METRIC, -+ EXPECT_MTU -+ } expect = EXPECT_AF; -+ -+ *ifp = parse_opt_new_ifs (argv[0]); -+ -+ while (++i < argc) -+ { -+ switch (expect) -+ { -+ case EXPECT_BROADCAST: -+ parse_opt_set_brdaddr (*ifp, argv[i]); -+ break; -+ -+ case EXPECT_NETMASK: -+ parse_opt_set_netmask (*ifp, argv[i]); -+ break; -+ -+ case EXPECT_MTU: -+ parse_opt_set_mtu (*ifp, argv[i]); -+ break; -+ -+ /* XXX: 2015-07-18, GNU/Hurd does not yet support -+ ioctl(SIOCSIFMETRIC), but we let the code -+ handle this standard ability anyway! -+ */ -+ case EXPECT_METRIC: -+ parse_opt_set_metric (*ifp, argv[i]); -+ break; -+ -+ case EXPECT_AF: -+ expect = EXPECT_NOTHING; -+ if (!strcmp (argv[i], "inet")) -+ continue; -+ else if (!strcmp (argv[i], "inet6")) -+ { -+ error (0, 0, "%s is not a supported address family", argv[i]); -+ return 0; -+ } -+ break; -+ -+ case EXPECT_NOTHING: -+ break; -+ } -+ -+ if (expect != EXPECT_NOTHING) -+ expect = EXPECT_NOTHING; -+ else if (!strcmp (argv[i], "broadcast")) -+ expect = EXPECT_BROADCAST; -+ else if (!strcmp (argv[i], "netmask")) -+ expect = EXPECT_NETMASK; -+ else if (!strcmp (argv[i], "metric")) -+ expect = EXPECT_METRIC; -+ else if (!strcmp (argv[i], "mtu")) -+ expect = EXPECT_MTU; -+ else if (!strcmp (argv[i], "up")) -+ parse_opt_set_flag (*ifp, IFF_UP | IFF_RUNNING, 0); -+ else if (!strcmp (argv[i], "down")) -+ parse_opt_set_flag (*ifp, IFF_UP, 1); -+ else if (((mask = if_nameztoflag (argv[i], &rev)) -+ & ~IU_IFF_CANTCHANGE) != 0) -+ parse_opt_set_flag (*ifp, mask, rev); -+ else -+ { -+ if (!((*ifp)->valid & IF_VALID_ADDR)) -+ parse_opt_set_address (*ifp, argv[i]); -+ else if (!((*ifp)->valid & IF_VALID_DSTADDR)) -+ parse_opt_set_dstaddr (*ifp, argv[i]); -+ } -+ } -+ -+ switch (expect) -+ { -+ case EXPECT_BROADCAST: -+ error (0, 0, "option `broadcast' requires an argument"); -+ break; -+ -+ case EXPECT_NETMASK: -+ error (0, 0, "option `netmask' requires an argument"); -+ break; -+ -+ case EXPECT_METRIC: -+ error (0, 0, "option `metric' requires an argument"); -+ break; -+ -+ case EXPECT_MTU: -+ error (0, 0, "option `mtu' requires an argument"); -+ break; -+ -+ case EXPECT_AF: -+ case EXPECT_NOTHING: -+ return 1; -+ } -+ -+ return 0; -+} -+ -+int -+system_configure (int sfd _GL_UNUSED_PARAMETER, -+ struct ifreq *ifr _GL_UNUSED_PARAMETER, -+ struct system_ifconfig *ifs _GL_UNUSED_PARAMETER) -+{ -+ return 0; -+} -+ -+struct if_nameindex* (*system_if_nameindex) (void) = if_nameindex; -+ -+static void -+print_hwaddr_ether (format_data_t form _GL_UNUSED_PARAMETER, -+ unsigned char *data) -+{ -+ *column += printf ("%02X:%02X:%02X:%02X:%02X:%02X", -+ data[0], data[1], data[2], data[3], data[4], data[5]); -+ had_output = 1; -+} -+ -+struct arphrd_symbol -+{ -+ const char *name; -+ const char *title; -+ int value; -+ void (*print_hwaddr) (format_data_t form, unsigned char *data); -+} arphrd_symbols[] = -+ { -+#ifdef ARPHRD_ETHER /* Ethernet 10/100Mbps. */ -+ { "ETHER", "Ethernet", ARPHRD_ETHER, print_hwaddr_ether}, -+#endif -+#ifdef ARPHRD_LOOPBACK /* Loopback device. */ -+ { "LOOPBACK", "Local Loopback", ARPHRD_LOOPBACK, NULL}, -+#endif -+ /* XXX: The image debian-hurd-20150424 returns the value 4 -+ instead of expected ARPHRD_LOOPBACK. This has been -+ discussed in the list debian-hurd, where I was asked -+ to resist the temptation of a work around! -+ */ -+ { NULL, NULL, 0, NULL} -+ }; -+ -+struct arphrd_symbol * -+arphrd_findvalue (int value) -+{ -+ struct arphrd_symbol *arp = arphrd_symbols; -+ while (arp->name != NULL) -+ { -+ if (arp->value == value) -+ break; -+ arp++; -+ } -+ if (arp->name) -+ return arp; -+ else -+ return NULL; -+} -+ -+void -+system_fh_hwaddr_query (format_data_t form, int argc, char *argv[]) -+{ -+#ifdef SIOCGIFHWADDR -+ struct arphrd_symbol *arp; -+ -+ if (ioctl (form->sfd, SIOCGIFHWADDR, form->ifr) < 0) -+ select_arg (form, argc, argv, 1); -+ -+ arp = arphrd_findvalue (form->ifr->ifr_hwaddr.sa_family); -+ select_arg (form, argc, argv, (arp && arp->print_hwaddr) ? 0 : 1); -+#else -+ select_arg (form, argc, argv, 1); -+#endif -+} -+ -+void -+system_fh_hwaddr (format_data_t form, int argc _GL_UNUSED_PARAMETER, -+ char *argv[] _GL_UNUSED_PARAMETER) -+{ -+#ifdef SIOCGIFHWADDR -+ if (ioctl (form->sfd, SIOCGIFHWADDR, form->ifr) < 0) -+ error (EXIT_FAILURE, errno, -+ "SIOCGIFHWADDR failed for interface `%s'", -+ form->ifr->ifr_name); -+ else -+ { -+ struct arphrd_symbol *arp; -+ -+ arp = arphrd_findvalue (form->ifr->ifr_hwaddr.sa_family); -+ if (arp && arp->print_hwaddr) -+ arp->print_hwaddr (form, -+ (unsigned char *) form->ifr->ifr_hwaddr.sa_data); -+ else -+ put_string (form, "(hwaddr unknown)"); -+ } -+#else -+ *column += printf ("(not available)"); -+ had_output = 1; -+#endif -+} -+ -+void -+system_fh_hwtype_query (format_data_t form, int argc, char *argv[]) -+{ -+#ifdef SIOCGIFHWADDR -+ if (ioctl (form->sfd, SIOCGIFHWADDR, form->ifr) >= 0) -+ select_arg (form, argc, argv, 0); -+ else -+#endif -+ select_arg (form, argc, argv, 1); -+} -+ -+void -+system_fh_hwtype (format_data_t form, int argc _GL_UNUSED_PARAMETER, -+ char *argv[] _GL_UNUSED_PARAMETER) -+{ -+#ifdef SIOCGIFHWADDR -+ if (ioctl (form->sfd, SIOCGIFHWADDR, form->ifr) < 0) -+ error (EXIT_FAILURE, errno, -+ "SIOCGIFHWADDR failed for interface `%s'", -+ form->ifr->ifr_name); -+ else -+ { -+ struct arphrd_symbol *arp; -+ -+ arp = arphrd_findvalue (form->ifr->ifr_hwaddr.sa_family); -+ if (arp) -+ put_string (form, arp->title); -+ else -+ put_string (form, "(hwtype unknown)"); -+ } -+#else -+ *column += printf ("(not available)"); -+ had_output = 1; -+#endif -+} -diff --git a/ifconfig/system/hurd.h b/ifconfig/system/hurd.h -new file mode 100644 -index 00000000..bab14565 ---- /dev/null -+++ b/ifconfig/system/hurd.h -@@ -0,0 +1,50 @@ -+/* -+ Copyright (C) 2015 Free Software Foundation, Inc. -+ -+ This file is part of GNU Inetutils. -+ -+ GNU Inetutils is free software: you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation, either version 3 of the License, or (at -+ your option) any later version. -+ -+ GNU Inetutils is distributed in the hope that it will be useful, but -+ WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see `http://www.gnu.org/licenses/'. */ -+ -+/* Written by Mats Erik Andersson. */ -+ -+#ifndef IFCONFIG_SYSTEM_HURD_H -+# define IFCONFIG_SYSTEM_HURD_H -+ -+# include "../printif.h" -+# include "../options.h" -+ -+ -+/* Option support. */ -+ -+struct system_ifconfig -+{ -+ int valid; -+}; -+ -+ -+/* Output format support. */ -+ -+# define SYSTEM_FORMAT_HANDLER \ -+ { "hurd", fh_nothing}, \ -+ { "hwaddr?", system_fh_hwaddr_query}, \ -+ { "hwaddr", system_fh_hwaddr}, \ -+ { "hwtype?", system_fh_hwtype_query}, \ -+ { "hwtype", system_fh_hwtype}, -+ -+void system_fh_hwaddr_query (format_data_t form, int argc, char *argv[]); -+void system_fh_hwaddr (format_data_t form, int argc, char *argv[]); -+void system_fh_hwtype_query (format_data_t form, int argc, char *argv[]); -+void system_fh_hwtype (format_data_t form, int argc, char *argv[]); -+ -+#endif /* !IFCONFIG_SYSTEM_HURD_H */ --- -2.23.0.rc1.170.gbd704faa3e - -From 589dab9c7d3119da82837dabae34c8a3d16cbe49 Mon Sep 17 00:00:00 2001 -From: Mats Erik Andersson -Date: Thu, 30 Jul 2015 01:06:42 +0200 -Subject: [PATCH 07/35] ifconfig: Hardware detection in GNU/Hurd. - -A work-around needed to distinguish hardware type. ---- - ChangeLog | 10 ++++++++++ - ifconfig/system/hurd.c | 19 ++++++++++++------- - 2 files changed, 22 insertions(+), 7 deletions(-) - -diff --git a/ifconfig/system/hurd.c b/ifconfig/system/hurd.c -index 3bd19775..b6261a00 100644 ---- a/ifconfig/system/hurd.c -+++ b/ifconfig/system/hurd.c -@@ -175,6 +175,16 @@ print_hwaddr_ether (format_data_t form _GL_UNUSED_PARAMETER, - had_output = 1; - } - -+/* GNU/Hurd and Mach are using a mixture of BSD definitions -+ * and GNU/Linux interface headers, which in this situation -+ * means that sa_family_t is an unsigned char, from BSD, while -+ * all ARPHRD_* come from GNU/Linux and are thus 16 bits wide. -+ * We must account for this. The following bitmask will -+ * adapt to any future change! -+ */ -+ -+#define _ARP_MASK ((sizeof (sa_family_t) == 1) ? 0xff : 0xffff) -+ - struct arphrd_symbol - { - const char *name; -@@ -184,16 +194,11 @@ struct arphrd_symbol - } arphrd_symbols[] = - { - #ifdef ARPHRD_ETHER /* Ethernet 10/100Mbps. */ -- { "ETHER", "Ethernet", ARPHRD_ETHER, print_hwaddr_ether}, -+ { "ETHER", "Ethernet", ARPHRD_ETHER & _ARP_MASK, print_hwaddr_ether}, - #endif - #ifdef ARPHRD_LOOPBACK /* Loopback device. */ -- { "LOOPBACK", "Local Loopback", ARPHRD_LOOPBACK, NULL}, -+ { "LOOPBACK", "Local Loopback", ARPHRD_LOOPBACK & _ARP_MASK, NULL}, - #endif -- /* XXX: The image debian-hurd-20150424 returns the value 4 -- instead of expected ARPHRD_LOOPBACK. This has been -- discussed in the list debian-hurd, where I was asked -- to resist the temptation of a work around! -- */ - { NULL, NULL, 0, NULL} - }; - --- -2.23.0.rc1.170.gbd704faa3e - -From d379784b4461d17b2536effd1b52bae21cd28a32 Mon Sep 17 00:00:00 2001 -From: Guillem Jover -Date: Fri, 16 Aug 2019 00:34:03 +0200 -Subject: [PATCH 35/35] telnet: Several ioctls have been disabled in the Hurd's - glibc - -But not the related option macros. inetutils uses those macros to decide -whether the ioctls are available, so it is FTBFS now. The Hurd's glibc -is being fixed, but we'll use this for now to get the builds going. ---- - telnet/sys_bsd.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/telnet/sys_bsd.c b/telnet/sys_bsd.c -index 662536ab..5eb35cb5 100644 ---- a/telnet/sys_bsd.c -+++ b/telnet/sys_bsd.c -@@ -63,6 +63,7 @@ - #include - #include - #include -+#include - #include - - #include "ring.h" -@@ -157,7 +158,7 @@ TerminalRead (char *buf, int n) - int - TerminalAutoFlush (void) - { --#if defined LNOFLSH -+#if defined TIOCLGET && defined LNOFLSH - int flush; - - ioctl (0, TIOCLGET, (char *) &flush); -@@ -260,7 +261,9 @@ TerminalSaveState (void) - ioctl (0, TIOCGETP, (char *) &ottyb); - ioctl (0, TIOCGETC, (char *) &otc); - ioctl (0, TIOCGLTC, (char *) &oltc); -+#ifdef TIOCLGET - ioctl (0, TIOCLGET, (char *) &olmode); -+#endif - - ntc = otc; - nltc = oltc; -@@ -755,7 +758,9 @@ TerminalNewMode (register int f) - #endif - } - #ifndef USE_TERMIO -+#ifdef TIOCLSET - ioctl (tin, TIOCLSET, (char *) &lmode); -+#endif - ioctl (tin, TIOCSLTC, (char *) <c); - ioctl (tin, TIOCSETC, (char *) &tc); - ioctl (tin, TIOCSETN, (char *) &sb); --- -2.23.0.rc1.170.gbd704faa3e - -- cgit 1.4.1 From 4590ee9bd0c3d1269724f6de8bdac70f20a61640 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Wed, 10 Feb 2021 00:17:22 +0100 Subject: Revert "gnu: inetutils: Update to 2.0." This reverts commit 55050e54a987cd99b8477da1a4993e83adcca129, which rebuilds xdg-utils and hence a good part of the world (1838 packages). Reported by mroh in #guix. --- gnu/local.mk | 3 +- gnu/packages/admin.scm | 7 +- gnu/packages/patches/inetutils-hurd.patch | 583 ++++++++++++++++++++++++++++++ 3 files changed, 589 insertions(+), 4 deletions(-) create mode 100644 gnu/packages/patches/inetutils-hurd.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 21250c2d7b..8a31bfef64 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1,5 +1,5 @@ # GNU Guix --- Functional package management for GNU -# Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès +# Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès # Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Andreas Enge # Copyright © 2016 Mathieu Lirzin # Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Mark H Weaver @@ -1180,6 +1180,7 @@ dist_patch_DATA = \ %D%/packages/patches/id3lib-UTF16-writing-bug.patch \ %D%/packages/patches/idris-disable-test.patch \ %D%/packages/patches/ilmbase-fix-tests.patch \ + %D%/packages/patches/inetutils-hurd.patch \ %D%/packages/patches/inkscape-poppler-0.76.patch \ %D%/packages/patches/intel-xed-fix-nondeterminism.patch \ %D%/packages/patches/intltool-perl-compatibility.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index 4bc08f83f0..a6cf633baa 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès +;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès ;;; Copyright © 2013 Cyril Roelandt ;;; Copyright © 2014, 2015, 2016, 2018, 2019, 2020 Mark H Weaver ;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2020 Eric Bavier @@ -612,14 +612,15 @@ re-executing them as necessary.") (define-public inetutils (package (name "inetutils") - (version "2.0") + (version "1.9.4") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/inetutils/inetutils-" version ".tar.gz")) + (patches (search-patches "inetutils-hurd.patch")) (sha256 (base32 - "0j1nb69bhg29cm4xkqqjh2ln1zqcj2lnpm92v638lpwrs11dypxl")))) + "05n65k4ixl85dc6rxc51b1b732gnmm8xnqi424dy9f1nz7ppb3xy")))) (build-system gnu-build-system) (arguments `(#:configure-flags '("--localstatedir=/var" diff --git a/gnu/packages/patches/inetutils-hurd.patch b/gnu/packages/patches/inetutils-hurd.patch new file mode 100644 index 0000000000..bd65c4feb1 --- /dev/null +++ b/gnu/packages/patches/inetutils-hurd.patch @@ -0,0 +1,583 @@ +Support compiling on the Hurd. + +Taken from https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/tree/debian/patches/0002-ifconfig-Improve-the-support-for-GNU-Hurd.patch + +From 9a90d9b9119906df23cb2db1503cb0f099942dd9 Mon Sep 17 00:00:00 2001 +From: Mats Erik Andersson +Date: Sat, 18 Jul 2015 01:12:41 +0200 +Subject: [PATCH 02/35] ifconfig: Improve the support for GNU/Hurd. + +Use system specific code instead of generic code. +This provides abilities similar to other systems. +--- + ChangeLog | 17 +++ + ifconfig/system.c | 10 +- + ifconfig/system.h | 2 + + ifconfig/system/Makefile.am | 4 +- + ifconfig/system/generic.c | 14 +- + ifconfig/system/hurd.c | 292 ++++++++++++++++++++++++++++++++++++ + ifconfig/system/hurd.h | 50 ++++++ + 7 files changed, 381 insertions(+), 8 deletions(-) + create mode 100644 ifconfig/system/hurd.c + create mode 100644 ifconfig/system/hurd.h + +diff --git a/ifconfig/system.c b/ifconfig/system.c +index 30677e41..e108dc2e 100644 +--- a/ifconfig/system.c ++++ b/ifconfig/system.c +@@ -25,10 +25,12 @@ + # include "system/solaris.c" + #elif defined __QNX__ + # include "system/qnx.c" +-# elif defined __DragonFly__ || defined __FreeBSD__ || \ +- defined __FreeBSD_kernel__ || \ +- defined __NetBSD__ || defined __OpenBSD__ +-# include "system/bsd.c" ++#elif defined __DragonFly__ || defined __FreeBSD__ || \ ++ defined __FreeBSD_kernel__ || \ ++ defined __NetBSD__ || defined __OpenBSD__ ++# include "system/bsd.c" ++#elif defined __GNU__ ++# include "system/hurd.c" + #else + # include "system/generic.c" + #endif +diff --git a/ifconfig/system.h b/ifconfig/system.h +index 8521ad95..66878d3a 100644 +--- a/ifconfig/system.h ++++ b/ifconfig/system.h +@@ -97,6 +97,8 @@ extern struct if_nameindex* (*system_if_nameindex) (void); + defined __FreeBSD_kernel__ || \ + defined __NetBSD__ || defined __OpenBSD__ + # include "system/bsd.h" ++# elif defined __GNU__ ++# include "system/hurd.h" + # else + # include "system/generic.h" + # endif +diff --git a/ifconfig/system/Makefile.am b/ifconfig/system/Makefile.am +index 954c6774..62a9f1c4 100644 +--- a/ifconfig/system/Makefile.am ++++ b/ifconfig/system/Makefile.am +@@ -26,8 +26,10 @@ noinst_HEADERS = \ + linux.h \ + solaris.h \ + qnx.h \ ++ hurd.h \ + bsd.c \ + generic.c \ + linux.c \ + solaris.c \ +- qnx.c ++ qnx.c \ ++ hurd.c +diff --git a/ifconfig/system/generic.c b/ifconfig/system/generic.c +index 9a2bda55..20a78bde 100644 +--- a/ifconfig/system/generic.c ++++ b/ifconfig/system/generic.c +@@ -22,6 +22,8 @@ + #include + + #include "../ifconfig.h" ++ ++#include + + + /* Output format stuff. */ +@@ -36,19 +38,25 @@ const char *system_help; + struct argp_child system_argp_child; + + int +-system_parse_opt (struct ifconfig **ifp, char option, char *optarg) ++system_parse_opt (struct ifconfig **ifp _GL_UNUSED_PARAMETER, ++ char option _GL_UNUSED_PARAMETER, ++ char *optarg _GL_UNUSED_PARAMETER) + { + return 0; + } + + int +-system_parse_opt_rest (struct ifconfig **ifp, int argc, char *argv[]) ++system_parse_opt_rest (struct ifconfig **ifp _GL_UNUSED_PARAMETER, ++ int argc _GL_UNUSED_PARAMETER, ++ char *argv[] _GL_UNUSED_PARAMETER) + { + return 0; + } + + int +-system_configure (int sfd, struct ifreq *ifr, struct system_ifconfig *ifs) ++system_configure (int sfd _GL_UNUSED_PARAMETER, ++ struct ifreq *ifr _GL_UNUSED_PARAMETER, ++ struct system_ifconfig *ifs _GL_UNUSED_PARAMETER) + { + return 0; + } +diff --git a/ifconfig/system/hurd.c b/ifconfig/system/hurd.c +new file mode 100644 +index 00000000..3bd19775 +--- /dev/null ++++ b/ifconfig/system/hurd.c +@@ -0,0 +1,292 @@ ++/* hurd.c -- Code for ifconfig specific to GNU/Hurd. ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ ++ This file is part of GNU Inetutils. ++ ++ GNU Inetutils is free software: you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation, either version 3 of the License, or (at ++ your option) any later version. ++ ++ GNU Inetutils is distributed in the hope that it will be useful, but ++ WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see `http://www.gnu.org/licenses/'. */ ++ ++/* Mostly written by Marcus Brinkmann. ++ Adaptions to GNU/Hurd by Mats Erik Andersson. */ ++ ++#include ++ ++#include ++#include ++#include ++#include "../ifconfig.h" ++ ++#include ++ ++ ++/* Output format stuff. */ ++ ++const char *system_default_format = "gnu"; ++ ++ ++/* Argument parsing stuff. */ ++ ++const char *system_help = "NAME [ADDR]\ ++ [broadcast BRDADDR] [netmask MASK]\ ++ [mtu N] [up|down] [FLAGS]"; ++ ++struct argp_child system_argp_child; ++ ++int ++system_parse_opt (struct ifconfig **ifp _GL_UNUSED_PARAMETER, ++ char option _GL_UNUSED_PARAMETER, ++ char *optarg _GL_UNUSED_PARAMETER) ++{ ++ return 0; ++} ++ ++int ++system_parse_opt_rest (struct ifconfig **ifp, int argc, char *argv[]) ++{ ++ int i = 0, mask, rev; ++ enum { ++ EXPECT_NOTHING, ++ EXPECT_AF, ++ EXPECT_BROADCAST, ++ EXPECT_NETMASK, ++ EXPECT_METRIC, ++ EXPECT_MTU ++ } expect = EXPECT_AF; ++ ++ *ifp = parse_opt_new_ifs (argv[0]); ++ ++ while (++i < argc) ++ { ++ switch (expect) ++ { ++ case EXPECT_BROADCAST: ++ parse_opt_set_brdaddr (*ifp, argv[i]); ++ break; ++ ++ case EXPECT_NETMASK: ++ parse_opt_set_netmask (*ifp, argv[i]); ++ break; ++ ++ case EXPECT_MTU: ++ parse_opt_set_mtu (*ifp, argv[i]); ++ break; ++ ++ /* XXX: 2015-07-18, GNU/Hurd does not yet support ++ ioctl(SIOCSIFMETRIC), but we let the code ++ handle this standard ability anyway! ++ */ ++ case EXPECT_METRIC: ++ parse_opt_set_metric (*ifp, argv[i]); ++ break; ++ ++ case EXPECT_AF: ++ expect = EXPECT_NOTHING; ++ if (!strcmp (argv[i], "inet")) ++ continue; ++ else if (!strcmp (argv[i], "inet6")) ++ { ++ error (0, 0, "%s is not a supported address family", argv[i]); ++ return 0; ++ } ++ break; ++ ++ case EXPECT_NOTHING: ++ break; ++ } ++ ++ if (expect != EXPECT_NOTHING) ++ expect = EXPECT_NOTHING; ++ else if (!strcmp (argv[i], "broadcast")) ++ expect = EXPECT_BROADCAST; ++ else if (!strcmp (argv[i], "netmask")) ++ expect = EXPECT_NETMASK; ++ else if (!strcmp (argv[i], "metric")) ++ expect = EXPECT_METRIC; ++ else if (!strcmp (argv[i], "mtu")) ++ expect = EXPECT_MTU; ++ else if (!strcmp (argv[i], "up")) ++ parse_opt_set_flag (*ifp, IFF_UP | IFF_RUNNING, 0); ++ else if (!strcmp (argv[i], "down")) ++ parse_opt_set_flag (*ifp, IFF_UP, 1); ++ else if (((mask = if_nameztoflag (argv[i], &rev)) ++ & ~IU_IFF_CANTCHANGE) != 0) ++ parse_opt_set_flag (*ifp, mask, rev); ++ else ++ { ++ if (!((*ifp)->valid & IF_VALID_ADDR)) ++ parse_opt_set_address (*ifp, argv[i]); ++ else if (!((*ifp)->valid & IF_VALID_DSTADDR)) ++ parse_opt_set_dstaddr (*ifp, argv[i]); ++ } ++ } ++ ++ switch (expect) ++ { ++ case EXPECT_BROADCAST: ++ error (0, 0, "option `broadcast' requires an argument"); ++ break; ++ ++ case EXPECT_NETMASK: ++ error (0, 0, "option `netmask' requires an argument"); ++ break; ++ ++ case EXPECT_METRIC: ++ error (0, 0, "option `metric' requires an argument"); ++ break; ++ ++ case EXPECT_MTU: ++ error (0, 0, "option `mtu' requires an argument"); ++ break; ++ ++ case EXPECT_AF: ++ case EXPECT_NOTHING: ++ return 1; ++ } ++ ++ return 0; ++} ++ ++int ++system_configure (int sfd _GL_UNUSED_PARAMETER, ++ struct ifreq *ifr _GL_UNUSED_PARAMETER, ++ struct system_ifconfig *ifs _GL_UNUSED_PARAMETER) ++{ ++ return 0; ++} ++ ++struct if_nameindex* (*system_if_nameindex) (void) = if_nameindex; ++ ++static void ++print_hwaddr_ether (format_data_t form _GL_UNUSED_PARAMETER, ++ unsigned char *data) ++{ ++ *column += printf ("%02X:%02X:%02X:%02X:%02X:%02X", ++ data[0], data[1], data[2], data[3], data[4], data[5]); ++ had_output = 1; ++} ++ ++struct arphrd_symbol ++{ ++ const char *name; ++ const char *title; ++ int value; ++ void (*print_hwaddr) (format_data_t form, unsigned char *data); ++} arphrd_symbols[] = ++ { ++#ifdef ARPHRD_ETHER /* Ethernet 10/100Mbps. */ ++ { "ETHER", "Ethernet", ARPHRD_ETHER, print_hwaddr_ether}, ++#endif ++#ifdef ARPHRD_LOOPBACK /* Loopback device. */ ++ { "LOOPBACK", "Local Loopback", ARPHRD_LOOPBACK, NULL}, ++#endif ++ /* XXX: The image debian-hurd-20150424 returns the value 4 ++ instead of expected ARPHRD_LOOPBACK. This has been ++ discussed in the list debian-hurd, where I was asked ++ to resist the temptation of a work around! ++ */ ++ { NULL, NULL, 0, NULL} ++ }; ++ ++struct arphrd_symbol * ++arphrd_findvalue (int value) ++{ ++ struct arphrd_symbol *arp = arphrd_symbols; ++ while (arp->name != NULL) ++ { ++ if (arp->value == value) ++ break; ++ arp++; ++ } ++ if (arp->name) ++ return arp; ++ else ++ return NULL; ++} ++ ++void ++system_fh_hwaddr_query (format_data_t form, int argc, char *argv[]) ++{ ++#ifdef SIOCGIFHWADDR ++ struct arphrd_symbol *arp; ++ ++ if (ioctl (form->sfd, SIOCGIFHWADDR, form->ifr) < 0) ++ select_arg (form, argc, argv, 1); ++ ++ arp = arphrd_findvalue (form->ifr->ifr_hwaddr.sa_family); ++ select_arg (form, argc, argv, (arp && arp->print_hwaddr) ? 0 : 1); ++#else ++ select_arg (form, argc, argv, 1); ++#endif ++} ++ ++void ++system_fh_hwaddr (format_data_t form, int argc _GL_UNUSED_PARAMETER, ++ char *argv[] _GL_UNUSED_PARAMETER) ++{ ++#ifdef SIOCGIFHWADDR ++ if (ioctl (form->sfd, SIOCGIFHWADDR, form->ifr) < 0) ++ error (EXIT_FAILURE, errno, ++ "SIOCGIFHWADDR failed for interface `%s'", ++ form->ifr->ifr_name); ++ else ++ { ++ struct arphrd_symbol *arp; ++ ++ arp = arphrd_findvalue (form->ifr->ifr_hwaddr.sa_family); ++ if (arp && arp->print_hwaddr) ++ arp->print_hwaddr (form, ++ (unsigned char *) form->ifr->ifr_hwaddr.sa_data); ++ else ++ put_string (form, "(hwaddr unknown)"); ++ } ++#else ++ *column += printf ("(not available)"); ++ had_output = 1; ++#endif ++} ++ ++void ++system_fh_hwtype_query (format_data_t form, int argc, char *argv[]) ++{ ++#ifdef SIOCGIFHWADDR ++ if (ioctl (form->sfd, SIOCGIFHWADDR, form->ifr) >= 0) ++ select_arg (form, argc, argv, 0); ++ else ++#endif ++ select_arg (form, argc, argv, 1); ++} ++ ++void ++system_fh_hwtype (format_data_t form, int argc _GL_UNUSED_PARAMETER, ++ char *argv[] _GL_UNUSED_PARAMETER) ++{ ++#ifdef SIOCGIFHWADDR ++ if (ioctl (form->sfd, SIOCGIFHWADDR, form->ifr) < 0) ++ error (EXIT_FAILURE, errno, ++ "SIOCGIFHWADDR failed for interface `%s'", ++ form->ifr->ifr_name); ++ else ++ { ++ struct arphrd_symbol *arp; ++ ++ arp = arphrd_findvalue (form->ifr->ifr_hwaddr.sa_family); ++ if (arp) ++ put_string (form, arp->title); ++ else ++ put_string (form, "(hwtype unknown)"); ++ } ++#else ++ *column += printf ("(not available)"); ++ had_output = 1; ++#endif ++} +diff --git a/ifconfig/system/hurd.h b/ifconfig/system/hurd.h +new file mode 100644 +index 00000000..bab14565 +--- /dev/null ++++ b/ifconfig/system/hurd.h +@@ -0,0 +1,50 @@ ++/* ++ Copyright (C) 2015 Free Software Foundation, Inc. ++ ++ This file is part of GNU Inetutils. ++ ++ GNU Inetutils is free software: you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation, either version 3 of the License, or (at ++ your option) any later version. ++ ++ GNU Inetutils is distributed in the hope that it will be useful, but ++ WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see `http://www.gnu.org/licenses/'. */ ++ ++/* Written by Mats Erik Andersson. */ ++ ++#ifndef IFCONFIG_SYSTEM_HURD_H ++# define IFCONFIG_SYSTEM_HURD_H ++ ++# include "../printif.h" ++# include "../options.h" ++ ++ ++/* Option support. */ ++ ++struct system_ifconfig ++{ ++ int valid; ++}; ++ ++ ++/* Output format support. */ ++ ++# define SYSTEM_FORMAT_HANDLER \ ++ { "hurd", fh_nothing}, \ ++ { "hwaddr?", system_fh_hwaddr_query}, \ ++ { "hwaddr", system_fh_hwaddr}, \ ++ { "hwtype?", system_fh_hwtype_query}, \ ++ { "hwtype", system_fh_hwtype}, ++ ++void system_fh_hwaddr_query (format_data_t form, int argc, char *argv[]); ++void system_fh_hwaddr (format_data_t form, int argc, char *argv[]); ++void system_fh_hwtype_query (format_data_t form, int argc, char *argv[]); ++void system_fh_hwtype (format_data_t form, int argc, char *argv[]); ++ ++#endif /* !IFCONFIG_SYSTEM_HURD_H */ +-- +2.23.0.rc1.170.gbd704faa3e + +From 589dab9c7d3119da82837dabae34c8a3d16cbe49 Mon Sep 17 00:00:00 2001 +From: Mats Erik Andersson +Date: Thu, 30 Jul 2015 01:06:42 +0200 +Subject: [PATCH 07/35] ifconfig: Hardware detection in GNU/Hurd. + +A work-around needed to distinguish hardware type. +--- + ChangeLog | 10 ++++++++++ + ifconfig/system/hurd.c | 19 ++++++++++++------- + 2 files changed, 22 insertions(+), 7 deletions(-) + +diff --git a/ifconfig/system/hurd.c b/ifconfig/system/hurd.c +index 3bd19775..b6261a00 100644 +--- a/ifconfig/system/hurd.c ++++ b/ifconfig/system/hurd.c +@@ -175,6 +175,16 @@ print_hwaddr_ether (format_data_t form _GL_UNUSED_PARAMETER, + had_output = 1; + } + ++/* GNU/Hurd and Mach are using a mixture of BSD definitions ++ * and GNU/Linux interface headers, which in this situation ++ * means that sa_family_t is an unsigned char, from BSD, while ++ * all ARPHRD_* come from GNU/Linux and are thus 16 bits wide. ++ * We must account for this. The following bitmask will ++ * adapt to any future change! ++ */ ++ ++#define _ARP_MASK ((sizeof (sa_family_t) == 1) ? 0xff : 0xffff) ++ + struct arphrd_symbol + { + const char *name; +@@ -184,16 +194,11 @@ struct arphrd_symbol + } arphrd_symbols[] = + { + #ifdef ARPHRD_ETHER /* Ethernet 10/100Mbps. */ +- { "ETHER", "Ethernet", ARPHRD_ETHER, print_hwaddr_ether}, ++ { "ETHER", "Ethernet", ARPHRD_ETHER & _ARP_MASK, print_hwaddr_ether}, + #endif + #ifdef ARPHRD_LOOPBACK /* Loopback device. */ +- { "LOOPBACK", "Local Loopback", ARPHRD_LOOPBACK, NULL}, ++ { "LOOPBACK", "Local Loopback", ARPHRD_LOOPBACK & _ARP_MASK, NULL}, + #endif +- /* XXX: The image debian-hurd-20150424 returns the value 4 +- instead of expected ARPHRD_LOOPBACK. This has been +- discussed in the list debian-hurd, where I was asked +- to resist the temptation of a work around! +- */ + { NULL, NULL, 0, NULL} + }; + +-- +2.23.0.rc1.170.gbd704faa3e + +From d379784b4461d17b2536effd1b52bae21cd28a32 Mon Sep 17 00:00:00 2001 +From: Guillem Jover +Date: Fri, 16 Aug 2019 00:34:03 +0200 +Subject: [PATCH 35/35] telnet: Several ioctls have been disabled in the Hurd's + glibc + +But not the related option macros. inetutils uses those macros to decide +whether the ioctls are available, so it is FTBFS now. The Hurd's glibc +is being fixed, but we'll use this for now to get the builds going. +--- + telnet/sys_bsd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/telnet/sys_bsd.c b/telnet/sys_bsd.c +index 662536ab..5eb35cb5 100644 +--- a/telnet/sys_bsd.c ++++ b/telnet/sys_bsd.c +@@ -63,6 +63,7 @@ + #include + #include + #include ++#include + #include + + #include "ring.h" +@@ -157,7 +158,7 @@ TerminalRead (char *buf, int n) + int + TerminalAutoFlush (void) + { +-#if defined LNOFLSH ++#if defined TIOCLGET && defined LNOFLSH + int flush; + + ioctl (0, TIOCLGET, (char *) &flush); +@@ -260,7 +261,9 @@ TerminalSaveState (void) + ioctl (0, TIOCGETP, (char *) &ottyb); + ioctl (0, TIOCGETC, (char *) &otc); + ioctl (0, TIOCGLTC, (char *) &oltc); ++#ifdef TIOCLGET + ioctl (0, TIOCLGET, (char *) &olmode); ++#endif + + ntc = otc; + nltc = oltc; +@@ -755,7 +758,9 @@ TerminalNewMode (register int f) + #endif + } + #ifndef USE_TERMIO ++#ifdef TIOCLSET + ioctl (tin, TIOCLSET, (char *) &lmode); ++#endif + ioctl (tin, TIOCSLTC, (char *) <c); + ioctl (tin, TIOCSETC, (char *) &tc); + ioctl (tin, TIOCSETN, (char *) &sb); +-- +2.23.0.rc1.170.gbd704faa3e + -- cgit 1.4.1 From f813750a4aa07797e0120babdd5efbe17f1d3911 Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian Date: Thu, 11 Feb 2021 18:57:38 -0800 Subject: gnu: diffoscope: Update to 166. * gnu/packages/diffoscope.scm (diffoscope): Update to 166. [source]: Add patch to use magic.open compatibility interface. * gnu/packages/patches/diffoscope-revert-to-magic-open.patch: New file. * gnu/local.mk [dist_patch_DATA]: New patch. --- gnu/local.mk | 1 + gnu/packages/diffoscope.scm | 6 +- .../patches/diffoscope-revert-to-magic-open.patch | 70 ++++++++++++++++++++++ 3 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/diffoscope-revert-to-magic-open.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 8a31bfef64..d098c04308 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -926,6 +926,7 @@ dist_patch_DATA = \ %D%/packages/patches/desmume-gcc6-fixes.patch \ %D%/packages/patches/desmume-gcc7-fixes.patch \ %D%/packages/patches/dfu-programmer-fix-libusb.patch \ + %D%/packages/patches/diffoscope-revert-to-magic-open.patch \ %D%/packages/patches/diffutils-gets-undeclared.patch \ %D%/packages/patches/dkimproxy-add-ipv6-support.patch \ %D%/packages/patches/docbook-xsl-nonrecursive-string-subst.patch \ diff --git a/gnu/packages/diffoscope.scm b/gnu/packages/diffoscope.scm index 7108c773ae..a31ac485c2 100644 --- a/gnu/packages/diffoscope.scm +++ b/gnu/packages/diffoscope.scm @@ -72,7 +72,7 @@ (define-public diffoscope (package (name "diffoscope") - (version "165") + (version "166") (source (origin (method git-fetch) (uri (git-reference @@ -81,7 +81,9 @@ (file-name (git-file-name name version)) (sha256 (base32 - "0chi8drkxdwk7mlfgljij0nihnxp9pi5ybhqaq8rc4l1zl6srirb")))) + "0vc4a38ii6b10af4c7cxfkvj4lk4ihx1xs4q5lshnkyg74gmm21b")) + (patches (search-patches + "diffoscope-revert-to-magic-open.patch")))) (build-system python-build-system) (arguments `(#:phases (modify-phases %standard-phases diff --git a/gnu/packages/patches/diffoscope-revert-to-magic-open.patch b/gnu/packages/patches/diffoscope-revert-to-magic-open.patch new file mode 100644 index 0000000000..d52b26ead5 --- /dev/null +++ b/gnu/packages/patches/diffoscope-revert-to-magic-open.patch @@ -0,0 +1,70 @@ +From b658c3a6819ccb9a104b13e973132c66f0965965 Mon Sep 17 00:00:00 2001 +From: Vagrant Cascadian +Date: Thu, 11 Feb 2021 17:28:21 -0800 +Subject: [PATCH] Revert "Prefer to use magic.Magic over the magic.open + compatibility interface. (Closes: reproducible-builds/diffoscope#236)" + +This reverts commit c72c30f29ea3760eb4c785644dc7cd4c26833740. +--- + diffoscope/comparators/utils/file.py | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/diffoscope/comparators/utils/file.py b/diffoscope/comparators/utils/file.py +index fb3b4316..32700f02 100644 +--- a/diffoscope/comparators/utils/file.py ++++ b/diffoscope/comparators/utils/file.py +@@ -65,37 +65,37 @@ def _run_tests(fold, tests): + + + class File(metaclass=abc.ABCMeta): +- if hasattr(magic, "Magic"): # use python-magic ++ if hasattr(magic, "open"): # use Magic-file-extensions from file + + @classmethod + def guess_file_type(cls, path): + if not hasattr(cls, "_mimedb"): +- cls._mimedb = magic.Magic() +- return maybe_decode(cls._mimedb.from_file(path)) ++ cls._mimedb = magic.open(magic.NONE) ++ cls._mimedb.load() ++ return cls._mimedb.file( ++ path.encode("utf-8", errors="surrogateescape") ++ ) + + @classmethod + def guess_encoding(cls, path): + if not hasattr(cls, "_mimedb_encoding"): +- cls._mimedb_encoding = magic.Magic(mime_encoding=True) +- return maybe_decode(cls._mimedb_encoding.from_file(path)) ++ cls._mimedb_encoding = magic.open(magic.MAGIC_MIME_ENCODING) ++ cls._mimedb_encoding.load() ++ return cls._mimedb_encoding.file(path) + +- else: # use Magic-file-extensions from file ++ else: # use python-magic + + @classmethod + def guess_file_type(cls, path): + if not hasattr(cls, "_mimedb"): +- cls._mimedb = magic.open(magic.NONE) +- cls._mimedb.load() +- return cls._mimedb.file( +- path.encode("utf-8", errors="surrogateescape") +- ) ++ cls._mimedb = magic.Magic() ++ return maybe_decode(cls._mimedb.from_file(path)) + + @classmethod + def guess_encoding(cls, path): + if not hasattr(cls, "_mimedb_encoding"): +- cls._mimedb_encoding = magic.open(magic.MAGIC_MIME_ENCODING) +- cls._mimedb_encoding.load() +- return cls._mimedb_encoding.file(path) ++ cls._mimedb_encoding = magic.Magic(mime_encoding=True) ++ return maybe_decode(cls._mimedb_encoding.from_file(path)) + + def __init__(self, container=None): + self._comments = [] +-- +2.30.0 + -- cgit 1.4.1 From db6b9d2f4bc59511904e8c1412d0257675c46095 Mon Sep 17 00:00:00 2001 From: Simon South Date: Sat, 5 Dec 2020 10:27:55 -0500 Subject: services: Add transmission-daemon service. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/services/file-sharing.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. * po/packages/POTFILES.in: Add it. * tests/services/file-sharing.scm: New file. * Makefile.am (SCM_TESTS): Add it. * doc/guix.texi (File-Sharing Services): New section. Signed-off-by: 宋文武 --- Makefile.am | 1 + doc/guix.texi | 799 +++++++++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + gnu/services/file-sharing.scm | 804 ++++++++++++++++++++++++++++++++++++++++ po/packages/POTFILES.in | 1 + tests/services/file-sharing.scm | 59 +++ 6 files changed, 1665 insertions(+) create mode 100644 gnu/services/file-sharing.scm create mode 100644 tests/services/file-sharing.scm (limited to 'gnu/local.mk') diff --git a/Makefile.am b/Makefile.am index 798808bde6..52537fb53d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -475,6 +475,7 @@ SCM_TESTS = \ tests/scripts.scm \ tests/search-paths.scm \ tests/services.scm \ + tests/services/file-sharing.scm \ tests/services/linux.scm \ tests/sets.scm \ tests/size.scm \ diff --git a/doc/guix.texi b/doc/guix.texi index 8944f5129d..aba8a6b575 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -14716,6 +14716,7 @@ declaration. * Mail Services:: IMAP, POP3, SMTP, and all that. * Messaging Services:: Messaging services. * Telephony Services:: Telephony services. +* File-Sharing Services:: File-sharing services. * Monitoring Services:: Monitoring services. * Kerberos Services:: Kerberos services. * LDAP Services:: LDAP services. @@ -22287,6 +22288,804 @@ If it is set your server will be linked by this host name instead. +@node File-Sharing Services +@subsection File-Sharing Services + +The @code{(gnu services file-sharing)} module provides services that +assist with transferring files over peer-to-peer file-sharing networks. + +@subsubheading Transmission Daemon Service + +@uref{https://transmissionbt.com/, Transmission} is a flexible +BitTorrent client that offers a variety of graphical and command-line +interfaces. A @code{transmission-daemon-service-type} service provides +Transmission's headless variant, @command{transmission-daemon}, as a +system service, allowing users to share files via BitTorrent even when +they are not logged in. + +@deffn {Scheme Variable} transmission-daemon-service-type +The service type for the Transmission Daemon BitTorrent client. Its +value must be a @code{transmission-daemon-configuration} object as in +this example: + +@lisp +(service transmission-daemon-service-type + (transmission-daemon-configuration + ;; Restrict access to the RPC ("control") interface + (rpc-authentication-required? #t) + (rpc-username "transmission") + (rpc-password + (transmission-password-hash + "transmission" ; desired password + "uKd1uMs9")) ; arbitrary salt value + + ;; Accept requests from this and other hosts on the + ;; local network + (rpc-whitelist-enabled? #t) + (rpc-whitelist '("::1" "127.0.0.1" "192.168.0.*")) + + ;; Limit bandwidth use during work hours + (alt-speed-down (* 1024 2)) ; 2 MB/s + (alt-speed-up 512) ; 512 kB/s + + (alt-speed-time-enabled? #t) + (alt-speed-time-day 'weekdays) + (alt-speed-time-begin + (+ (* 60 8) 30)) ; 8:30 am + (alt-speed-time-end + (+ (* 60 (+ 12 5)) 30)))) ; 5:30 pm +@end lisp +@end deffn + +Once the service is started, users can interact with the daemon through +its Web interface (at @code{http://localhost:9091/}) or by using the +@command{transmission-remote} command-line tool, available in the +@code{transmission} package. (Emacs users may want to also consider the +@code{emacs-transmission} package.) Both communicate with the daemon +through its remote procedure call (RPC) interface, which by default is +available to all users on the system; you may wish to change this by +assigning values to the @code{rpc-authentication-required?}, +@code{rpc-username} and @code{rpc-password} settings, as shown in the +example above and documented further below. + +The value for @code{rpc-password} must be a password hash of the type +generated and used by Transmission clients. This can be copied verbatim +from an existing @file{settings.json} file, if another Transmission +client is already being used. Otherwise, the +@code{transmission-password-hash} and @code{transmission-random-salt} +procedures provided by this module can be used to obtain a suitable hash +value. + +@deffn {Scheme Procedure} transmission-password-hash @var{password} @var{salt} +Returns a string containing the result of hashing @var{password} +together with @var{salt}, in the format recognized by Transmission +clients for their @code{rpc-password} configuration setting. + +@var{salt} must be an eight-character string. The +@code{transmission-random-salt} procedure can be used to generate a +suitable salt value at random. +@end deffn + +@deffn {Scheme Procedure} transmission-random-salt +Returns a string containing a random, eight-character salt value of the +type generated and used by Transmission clients, suitable for passing to +the @code{transmission-password-hash} procedure. +@end deffn + +These procedures are accessible from within a Guile REPL started with +the @command{guix repl} command (@pxref {Invoking guix repl}). This is +useful for obtaining a random salt value to provide as the second +parameter to `transmission-password-hash`, as in this example session: + +@example +$ guix repl +scheme@@(guix-user)> ,use (gnu services file-sharing) +scheme@@(guix-user)> (transmission-random-salt) +$1 = "uKd1uMs9" +@end example + +Alternatively, a complete password hash can generated in a single step: + +@example +scheme@@(guix-user)> (transmission-password-hash "transmission" +(transmission-random-salt)) +$2 = "@{c8bbc6d1740cd8dc819a6e25563b67812c1c19c9VtFPfdsX" +@end example + +The resulting string can be used as-is for the value of +@code{rpc-password}, allowing the password to be kept hidden even in the +operating-system configuration. + +Torrent files downloaded by the daemon are directly accessible only to +users in the ``transmission'' user group, who receive read-only access +to the directory specified by the @code{download-dir} configuration +setting (and also the directory specified by @code{incomplete-dir}, if +@code{incomplete-dir-enabled?} is @code{#t}). Downloaded files can be +moved to another directory or deleted altogether using +@command{transmission-remote} with its @code{--move} and +@code{--remove-and-delete} options. + +If the @code{watch-dir-enabled?} setting is set to @code{#t}, users in +the ``transmission'' group are able also to place @file{.torrent} files +in the directory specified by @code{watch-dir} to have the corresponding +torrents added by the daemon. (The @code{trash-original-torrent-files?} +setting controls whether the daemon deletes these files after processing +them.) + +Some of the daemon's configuration settings can be changed temporarily +by @command{transmission-remote} and similar tools. To undo these +changes, use the service's @code{reload} action to have the daemon +reload its settings from disk: + +@example +# herd reload transmission-daemon +@end example + +The full set of available configuration settings is defined by the +@code{transmission-daemon-configuration} data type. + +@deftp {Data Type} transmission-daemon-configuration +The data type representing configuration settings for Transmission +Daemon. These correspond directly to the settings recognized by +Transmission clients in their @file{settings.json} file. +@end deftp + +@c The following documentation was initially generated by +@c (generate-transmission-daemon-documentation) in (gnu services +@c file-sharing). Manually maintained documentation is better, so we +@c shouldn't hesitate to edit below as needed. However if the change +@c you want to make to this documentation can be done in an automated +@c way, it's probably easier to change (generate-documentation) than to +@c make it below and have to deal with the churn as Transmission Daemon +@c updates. + +@c %start of fragment + +Available @code{transmission-daemon-configuration} fields are: + +@deftypevr {@code{transmission-daemon-configuration} parameter} package transmission +The Transmission package to use. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer stop-wait-period +The period, in seconds, to wait when stopping the service for +@command{transmission-daemon} to exit before killing its process. This +allows the daemon time to complete its housekeeping and send a final +update to trackers as it shuts down. On slow hosts, or hosts with a +slow network connection, this value may need to be increased. + +Defaults to @samp{10}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} string download-dir +The directory to which torrent files are downloaded. + +Defaults to @samp{"/var/lib/transmission-daemon/downloads"}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean incomplete-dir-enabled? +If @code{#t}, files will be held in @code{incomplete-dir} while their +torrent is being downloaded, then moved to @code{download-dir} once the +torrent is complete. Otherwise, files for all torrents (including those +still being downloaded) will be placed in @code{download-dir}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string incomplete-dir +The directory in which files from incompletely downloaded torrents will +be held when @code{incomplete-dir-enabled?} is @code{#t}. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} umask umask +The file mode creation mask used for downloaded files. (See the +@command{umask} man page for more information.) + +Defaults to @samp{18}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean rename-partial-files? +When @code{#t}, ``.part'' is appended to the name of partially +downloaded files. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} preallocation-mode preallocation +The mode by which space should be preallocated for downloaded files, one +of @code{none}, @code{fast} (or @code{sparse}) and @code{full}. +Specifying @code{full} will minimize disk fragmentation at a cost to +file-creation speed. + +Defaults to @samp{fast}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean watch-dir-enabled? +If @code{#t}, the directory specified by @code{watch-dir} will be +watched for new @file{.torrent} files and the torrents they describe +added automatically (and the original files removed, if +@code{trash-original-torrent-files?} is @code{#t}). + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string watch-dir +The directory to be watched for @file{.torrent} files indicating new +torrents to be added, when @code{watch-dir-enabled} is @code{#t}. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean trash-original-torrent-files? +When @code{#t}, @file{.torrent} files will be deleted from the watch +directory once their torrent has been added (see +@code{watch-directory-enabled?}). + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean speed-limit-down-enabled? +When @code{#t}, the daemon's download speed will be limited to the rate +specified by @code{speed-limit-down}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer speed-limit-down +The default global-maximum download speed, in kilobytes per second. + +Defaults to @samp{100}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean speed-limit-up-enabled? +When @code{#t}, the daemon's upload speed will be limited to the rate +specified by @code{speed-limit-up}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer speed-limit-up +The default global-maximum upload speed, in kilobytes per second. + +Defaults to @samp{100}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean alt-speed-enabled? +When @code{#t}, the alternate speed limits @code{alt-speed-down} and +@code{alt-speed-up} are used (in place of @code{speed-limit-down} and +@code{speed-limit-up}, if they are enabled) to constrain the daemon's +bandwidth usage. This can be scheduled to occur automatically at +certain times during the week; see @code{alt-speed-time-enabled?}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-down +The alternate global-maximum download speed, in kilobytes per second. + +Defaults to @samp{50}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-up +The alternate global-maximum upload speed, in kilobytes per second. + +Defaults to @samp{50}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean alt-speed-time-enabled? +When @code{#t}, the alternate speed limits @code{alt-speed-down} and +@code{alt-speed-up} will be enabled automatically during the periods +specified by @code{alt-speed-time-day}, @code{alt-speed-time-begin} and +@code{alt-time-speed-end}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} day-list alt-speed-time-day +The days of the week on which the alternate-speed schedule should be +used, specified either as a list of days (@code{sunday}, @code{monday}, +and so on) or using one of the symbols @code{weekdays}, @code{weekends} +or @code{all}. + +Defaults to @samp{all}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-time-begin +The time of day at which to enable the alternate speed limits, expressed +as a number of minutes since midnight. + +Defaults to @samp{540}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-time-end +The time of day at which to disable the alternate speed limits, +expressed as a number of minutes since midnight. + +Defaults to @samp{1020}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} string bind-address-ipv4 +The IP address at which to listen for peer connections, or ``0.0.0.0'' +to listen at all available IP addresses. + +Defaults to @samp{"0.0.0.0"}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} string bind-address-ipv6 +The IPv6 address at which to listen for peer connections, or ``::'' to +listen at all available IPv6 addresses. + +Defaults to @samp{"::"}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean peer-port-random-on-start? +If @code{#t}, when the daemon starts it will select a port at random on +which to listen for peer connections, from the range specified +(inclusively) by @code{peer-port-random-low} and +@code{peer-port-random-high}. Otherwise, it listens on the port +specified by @code{peer-port}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} port-number peer-port-random-low +The lowest selectable port number when @code{peer-port-random-on-start?} +is @code{#t}. + +Defaults to @samp{49152}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} port-number peer-port-random-high +The highest selectable port number when @code{peer-port-random-on-start} +is @code{#t}. + +Defaults to @samp{65535}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} port-number peer-port +The port on which to listen for peer connections when +@code{peer-port-random-on-start?} is @code{#f}. + +Defaults to @samp{51413}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean port-forwarding-enabled? +If @code{#t}, the daemon will attempt to configure port-forwarding on an +upstream gateway automatically using @acronym{UPnP} and +@acronym{NAT-PMP}. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} encryption-mode encryption +The encryption preference for peer connections, one of +@code{prefer-unencrypted-connections}, +@code{prefer-encrypted-connections} or +@code{require-encrypted-connections}. + +Defaults to @samp{prefer-encrypted-connections}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string peer-congestion-algorithm +The TCP congestion-control algorithm to use for peer connections, +specified using a string recognized by the operating system in calls to +@code{setsockopt} (or set to @code{disabled}, in which case the +operating-system default is used). + +Note that on GNU/Linux systems, the kernel must be configured to allow +processes to use a congestion-control algorithm not in the default set; +otherwise, it will deny these requests with ``Operation not permitted''. +To see which algorithms are available on your system and which are +currently permitted for use, look at the contents of the files +@file{tcp_available_congestion_control} and +@file{tcp_allowed_congestion_control} in the @file{/proc/sys/net/ipv4} +directory. + +As an example, to have Transmission Daemon use +@uref{http://www-ece.rice.edu/networks/TCP-LP/,the TCP Low Priority +congestion-control algorithm}, you'll need to modify your kernel +configuration to build in support for the algorithm, then update your +operating-system configuration to allow its use by adding a +@code{sysctl-service-type} service (or updating the existing one's +configuration) with lines like the following: + +@lisp +(service sysctl-service-type + (sysctl-configuration + (settings + ("net.ipv4.tcp_allowed_congestion_control" . + "reno cubic lp")))) +@end lisp + +The Transmission Daemon configuration can then be updated with + +@lisp +(peer-congestion-algorithm "lp") +@end lisp + +and the system reconfigured to have the changes take effect. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} tcp-type-of-service peer-socket-tos +The type of service to request in outgoing @acronym{TCP} packets, one of +@code{default}, @code{low-cost}, @code{throughput}, @code{low-delay} and +@code{reliability}. + +Defaults to @samp{default}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer peer-limit-global +The global limit on the number of connected peers. + +Defaults to @samp{200}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer peer-limit-per-torrent +The per-torrent limit on the number of connected peers. + +Defaults to @samp{50}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer upload-slots-per-torrent +The maximum number of peers to which the daemon will upload data +simultaneously for each torrent. + +Defaults to @samp{14}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer peer-id-ttl-hours +The maximum lifespan, in hours, of the peer ID associated with each +public torrent before it is regenerated. + +Defaults to @samp{6}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean blocklist-enabled? +When @code{#t}, the daemon will ignore peers mentioned in the blocklist +it has most recently downloaded from @code{blocklist-url}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string blocklist-url +The URL of a peer blocklist (in @acronym{P2P}-plaintext or eMule +@file{.dat} format) to be periodically downloaded and applied when +@code{blocklist-enabled?} is @code{#t}. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean download-queue-enabled? +If @code{#t}, the daemon will be limited to downloading at most +@code{download-queue-size} non-stalled torrents simultaneously. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer download-queue-size +The size of the daemon's download queue, which limits the number of +non-stalled torrents it will download at any one time when +@code{download-queue-enabled?} is @code{#t}. + +Defaults to @samp{5}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean seed-queue-enabled? +If @code{#t}, the daemon will be limited to seeding at most +@code{seed-queue-size} non-stalled torrents simultaneously. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer seed-queue-size +The size of the daemon's seed queue, which limits the number of +non-stalled torrents it will seed at any one time when +@code{seed-queue-enabled?} is @code{#t}. + +Defaults to @samp{10}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean queue-stalled-enabled? +When @code{#t}, the daemon will consider torrents for which it has not +shared data in the past @code{queue-stalled-minutes} minutes to be +stalled and not count them against its @code{download-queue-size} and +@code{seed-queue-size} limits. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer queue-stalled-minutes +The maximum period, in minutes, a torrent may be idle before it is +considered to be stalled, when @code{queue-stalled-enabled?} is +@code{#t}. + +Defaults to @samp{30}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean ratio-limit-enabled? +When @code{#t}, a torrent being seeded will automatically be paused once +it reaches the ratio specified by @code{ratio-limit}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-rational ratio-limit +The ratio at which a torrent being seeded will be paused, when +@code{ratio-limit-enabled?} is @code{#t}. + +Defaults to @samp{2.0}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean idle-seeding-limit-enabled? +When @code{#t}, a torrent being seeded will automatically be paused once +it has been idle for @code{idle-seeding-limit} minutes. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer idle-seeding-limit +The maximum period, in minutes, a torrent being seeded may be idle +before it is paused, when @code{idle-seeding-limit-enabled?} is +@code{#t}. + +Defaults to @samp{30}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean dht-enabled? +Enable @uref{http://bittorrent.org/beps/bep_0005.html,the distributed +hash table (@acronym{DHT}) protocol}, which supports the use of +trackerless torrents. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean lpd-enabled? +Enable @uref{https://en.wikipedia.org/wiki/Local_Peer_Discovery,local +peer discovery} (@acronym{LPD}), which allows the discovery of peers on +the local network and may reduce the amount of data sent over the public +Internet. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean pex-enabled? +Enable @uref{https://en.wikipedia.org/wiki/Peer_exchange,peer exchange} +(@acronym{PEX}), which reduces the daemon's reliance on external +trackers and may improve its performance. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean utp-enabled? +Enable @uref{http://bittorrent.org/beps/bep_0029.html,the micro +transport protocol} (@acronym{uTP}), which aims to reduce the impact of +BitTorrent traffic on other users of the local network while maintaining +full utilization of the available bandwidth. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-enabled? +If @code{#t}, enable the remote procedure call (@acronym{RPC}) +interface, which allows remote control of the daemon via its Web +interface, the @command{transmission-remote} command-line client, and +similar tools. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} string rpc-bind-address +The IP address at which to listen for @acronym{RPC} connections, or +``0.0.0.0'' to listen at all available IP addresses. + +Defaults to @samp{"0.0.0.0"}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} port-number rpc-port +The port on which to listen for @acronym{RPC} connections. + +Defaults to @samp{9091}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} string rpc-url +The path prefix to use in the @acronym{RPC}-endpoint @acronym{URL}. + +Defaults to @samp{"/transmission/"}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-authentication-required? +When @code{#t}, clients must authenticate (see @code{rpc-username} and +@code{rpc-password}) when using the @acronym{RPC} interface. Note this +has the side effect of disabling host-name whitelisting (see +@code{rpc-host-whitelist-enabled?}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string rpc-username +The username required by clients to access the @acronym{RPC} interface +when @code{rpc-authentication-required?} is @code{#t}. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} maybe-transmission-password-hash rpc-password +The password required by clients to access the @acronym{RPC} interface +when @code{rpc-authentication-required?} is @code{#t}. This must be +specified using a password hash in the format recognized by Transmission +clients, either copied from an existing @file{settings.json} file or +generated using the @code{transmission-password-hash} procedure. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-whitelist-enabled? +When @code{#t}, @acronym{RPC} requests will be accepted only when they +originate from an address specified in @code{rpc-whitelist}. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} string-list rpc-whitelist +The list of IP and IPv6 addresses from which @acronym{RPC} requests will +be accepted when @code{rpc-whitelist-enabled?} is @code{#t}. Wildcards +may be specified using @samp{*}. + +Defaults to @samp{("127.0.0.1" "::1")}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-host-whitelist-enabled? +When @code{#t}, @acronym{RPC} requests will be accepted only when they +are addressed to a host named in @code{rpc-host-whitelist}. Note that +requests to ``localhost'' or ``localhost.'', or to a numeric address, +are always accepted regardless of these settings. + +Note also this functionality is disabled when +@code{rpc-authentication-required?} is @code{#t}. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} string-list rpc-host-whitelist +The list of host names recognized by the @acronym{RPC} server when +@code{rpc-host-whitelist-enabled?} is @code{#t}. + +Defaults to @samp{()}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} message-level message-level +The minimum severity level of messages to be logged (to +@file{/var/log/transmission.log}) by the daemon, one of @code{none} (no +logging), @code{error}, @code{info} and @code{debug}. + +Defaults to @samp{info}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean start-added-torrents? +When @code{#t}, torrents are started as soon as they are added; +otherwise, they are added in ``paused'' state. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean script-torrent-done-enabled? +When @code{#t}, the script specified by +@code{script-torrent-done-filename} will be invoked each time a torrent +completes. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} maybe-file-object script-torrent-done-filename +A file name or file-like object specifying a script to run each time a +torrent completes, when @code{script-torrent-done-enabled?} is +@code{#t}. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean scrape-paused-torrents-enabled? +When @code{#t}, the daemon will scrape trackers for a torrent even when +the torrent is paused. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer cache-size-mb +The amount of memory, in megabytes, to allocate for the daemon's +in-memory cache. A larger value may increase performance by reducing +the frequency of disk I/O. + +Defaults to @samp{4}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean prefetch-enabled? +When @code{#t}, the daemon will try to improve I/O performance by +hinting to the operating system which data is likely to be read next +from disk to satisfy requests from peers. + +Defaults to @samp{#t}. + +@end deftypevr + + +@c %end of fragment + + + @node Monitoring Services @subsection Monitoring Services diff --git a/gnu/local.mk b/gnu/local.mk index d098c04308..0625c6c5eb 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -605,6 +605,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/dns.scm \ %D%/services/docker.scm \ %D%/services/authentication.scm \ + %D%/services/file-sharing.scm \ %D%/services/games.scm \ %D%/services/ganeti.scm \ %D%/services/getmail.scm \ diff --git a/gnu/services/file-sharing.scm b/gnu/services/file-sharing.scm new file mode 100644 index 0000000000..72cd6478d6 --- /dev/null +++ b/gnu/services/file-sharing.scm @@ -0,0 +1,804 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2020 Simon South +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services file-sharing) + #:use-module (gcrypt base16) + #:use-module (gcrypt hash) + #:use-module (gcrypt random) + #:use-module (gnu services) + #:use-module (gnu services admin) + #:use-module (gnu services configuration) + #:use-module (gnu services shepherd) + #:use-module (gnu packages admin) + #:use-module (gnu packages bittorrent) + #:use-module (gnu packages gnupg) + #:use-module (gnu packages guile) + #:use-module (gnu system shadow) + #:use-module (guix diagnostics) + #:use-module (guix gexp) + #:use-module (guix i18n) + #:use-module (guix modules) + #:use-module (guix packages) + #:use-module (guix records) + #:use-module (ice-9 format) + #:use-module (ice-9 match) + #:use-module (rnrs bytevectors) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-34) + #:use-module (srfi srfi-35) + #:export (transmission-daemon-configuration + transmission-daemon-service-type + transmission-password-hash + transmission-random-salt)) + +;;; +;;; Transmission Daemon. +;;; + +(define %transmission-daemon-user "transmission") +(define %transmission-daemon-group "transmission") + +(define %transmission-daemon-configuration-directory + "/var/lib/transmission-daemon") +(define %transmission-daemon-log-file + "/var/log/transmission.log") + +(define %transmission-salt-length 8) + +(define (transmission-password-hash password salt) + "Returns a string containing the result of hashing @var{password} together +with @var{salt}, in the format recognized by Transmission clients for their +@code{rpc-password} configuration setting. + +@var{salt} must be an eight-character string. The +@code{transmission-random-salt} procedure can be used to generate a suitable +salt value at random." + (if (not (and (string? salt) + (eq? (string-length salt) %transmission-salt-length))) + (raise (formatted-message + (G_ "salt value must be a string of ~d characters") + %transmission-salt-length)) + (string-append "{" + (bytevector->base16-string + (sha1 (string->utf8 (string-append password salt)))) + salt))) + +(define (transmission-random-salt) + "Returns a string containing a random, eight-character salt value of the +type generated and used by Transmission clients, suitable for passing to the +@code{transmission-password-hash} procedure." + ;; This implementation matches a portion of Transmission's tr_ssha1 + ;; function. See libtransmission/crypto-utils.c in the Transmission source + ;; distribution. + (let ((salter (string-append "0123456789" + "abcdefghijklmnopqrstuvwxyz" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "./"))) + (list->string + (map (lambda (u8) + (string-ref salter (modulo u8 (string-length salter)))) + (bytevector->u8-list + (gen-random-bv %transmission-salt-length %gcry-strong-random)))))) + +(define (uglify-field-name field-name) + (string-delete #\? (symbol->string field-name))) + +(define (serialize-field field-name val) + ;; "Serialize" each configuration field as a G-expression containing a + ;; name-value pair, the collection of which will subsequently be serialized + ;; to disk as a JSON object. + #~(#$(uglify-field-name field-name) . #$val)) + +(define serialize-boolean serialize-field) +(define serialize-integer serialize-field) +(define serialize-rational serialize-field) + +(define serialize-string serialize-field) +(define-maybe string) +;; Override the definition of "serialize-maybe-string", as we need to output a +;; name-value pair for the JSON builder. +(set! serialize-maybe-string + (lambda (field-name val) + (serialize-string field-name + (if (and (symbol? val) + (eq? val 'disabled)) + "" + val)))) + +(define (string-list? val) + (and (list? val) + (and-map (lambda (x) + (and (string? x) + (not (string-index x #\,)))) + val))) +(define (serialize-string-list field-name val) + (serialize-field field-name (string-join val ","))) + +(define days + '((sunday . #b0000001) + (monday . #b0000010) + (tuesday . #b0000100) + (wednesday . #b0001000) + (thursday . #b0010000) + (friday . #b0100000) + (saturday . #b1000000))) +(define day-lists + (list (cons 'weekdays '(monday tuesday wednesday thursday friday)) + (cons 'weekends '(saturday sunday)) + (cons 'all (map car days)))) +(define (day-list? val) + (or (and (symbol? val) + (assq val day-lists)) + (and (list? val) + (and-map (lambda (x) + (and (symbol? x) + (assq x days))) + val)))) +(define (serialize-day-list field-name val) + (serialize-integer field-name + (reduce logior + #b0000000 + (map (lambda (day) + (assq-ref days day)) + (if (symbol? val) + (assq-ref day-lists val) + val))))) + +(define encryption-modes + '((prefer-unencrypted-connections . 0) + (prefer-encrypted-connections . 1) + (require-encrypted-connections . 2))) +(define (encryption-mode? val) + (and (symbol? val) + (assq val encryption-modes))) +(define (serialize-encryption-mode field-name val) + (serialize-integer field-name (assq-ref encryption-modes val))) + +(define serialize-file-like serialize-field) + +(define (file-object? val) + (or (string? val) + (file-like? val))) +(define (serialize-file-object field-name val) + (if (file-like? val) + (serialize-file-like field-name val) + (serialize-string field-name val))) +(define-maybe file-object) +(set! serialize-maybe-file-object + (lambda (field-name val) + (if (and (symbol? val) + (eq? val 'disabled)) + (serialize-string field-name "") + (serialize-file-object field-name val)))) + +(define (file-object-list? val) + (and (list? val) + (and-map file-object? val))) +(define serialize-file-object-list serialize-field) + +(define message-levels + '((none . 0) + (error . 1) + (info . 2) + (debug . 3))) +(define (message-level? val) + (and (symbol? val) + (assq val message-levels))) +(define (serialize-message-level field-name val) + (serialize-integer field-name (assq-ref message-levels val))) + +(define (non-negative-integer? val) + (and (integer? val) + (not (negative? val)))) +(define serialize-non-negative-integer serialize-integer) + +(define (non-negative-rational? val) + (and (rational? val) + (not (negative? val)))) +(define serialize-non-negative-rational serialize-rational) + +(define (port-number? val) + (and (integer? val) + (>= val 1) + (<= val 65535))) +(define serialize-port-number serialize-integer) + +(define preallocation-modes + '((none . 0) + (fast . 1) + (sparse . 1) + (full . 2))) +(define (preallocation-mode? val) + (and (symbol? val) + (assq val preallocation-modes))) +(define (serialize-preallocation-mode field-name val) + (serialize-integer field-name (assq-ref preallocation-modes val))) + +(define tcp-types-of-service + '((default . "default") + (low-cost . "lowcost") + (throughput . "throughput") + (low-delay . "lowdelay") + (reliability . "reliability"))) +(define (tcp-type-of-service? val) + (and (symbol? val) + (assq val tcp-types-of-service))) +(define (serialize-tcp-type-of-service field-name val) + (serialize-string field-name (assq-ref tcp-types-of-service val))) + +(define (transmission-password-hash? val) + (and (string? val) + (= (string-length val) 49) + (eqv? (string-ref val 0) #\{) + (string-every char-set:hex-digit val 1 41))) +(define serialize-transmission-password-hash serialize-string) +(define-maybe transmission-password-hash) +(set! serialize-maybe-transmission-password-hash serialize-maybe-string) + +(define (umask? val) + (and (integer? val) + (>= val #o000) + (<= val #o777))) +(define serialize-umask serialize-integer) ; must use decimal representation + +(define-configuration transmission-daemon-configuration + ;; Settings internal to this service definition. + (transmission + (package transmission) + "The Transmission package to use.") + (stop-wait-period + (non-negative-integer 10) + "The period, in seconds, to wait when stopping the service for +@command{transmission-daemon} to exit before killing its process. This allows +the daemon time to complete its housekeeping and send a final update to +trackers as it shuts down. On slow hosts, or hosts with a slow network +connection, this value may need to be increased.") + + ;; Files and directories. + (download-dir + (string (string-append %transmission-daemon-configuration-directory + "/downloads")) + "The directory to which torrent files are downloaded.") + (incomplete-dir-enabled? + (boolean #f) + "If @code{#t}, files will be held in @code{incomplete-dir} while their +torrent is being downloaded, then moved to @code{download-dir} once the +torrent is complete. Otherwise, files for all torrents (including those still +being downloaded) will be placed in @code{download-dir}.") + (incomplete-dir + (maybe-string 'disabled) + "The directory in which files from incompletely downloaded torrents will be +held when @code{incomplete-dir-enabled?} is @code{#t}.") + (umask + (umask #o022) + "The file mode creation mask used for downloaded files. (See the +@command{umask} man page for more information.)") + (rename-partial-files? + (boolean #t) + "When @code{#t}, ``.part'' is appended to the name of partially downloaded +files.") + (preallocation + (preallocation-mode 'fast) + "The mode by which space should be preallocated for downloaded files, one +of @code{none}, @code{fast} (or @code{sparse}) and @code{full}. Specifying +@code{full} will minimize disk fragmentation at a cost to file-creation +speed.") + (watch-dir-enabled? + (boolean #f) + "If @code{#t}, the directory specified by @code{watch-dir} will be watched +for new @file{.torrent} files and the torrents they describe added +automatically (and the original files removed, if +@code{trash-original-torrent-files?} is @code{#t}).") + (watch-dir + (maybe-string 'disabled) + "The directory to be watched for @file{.torrent} files indicating new +torrents to be added, when @code{watch-dir-enabled} is @code{#t}.") + (trash-original-torrent-files? + (boolean #f) + "When @code{#t}, @file{.torrent} files will be deleted from the watch +directory once their torrent has been added (see +@code{watch-directory-enabled?}).") + + ;; Bandwidth limits. + (speed-limit-down-enabled? + (boolean #f) + "When @code{#t}, the daemon's download speed will be limited to the rate +specified by @code{speed-limit-down}.") + (speed-limit-down + (non-negative-integer 100) + "The default global-maximum download speed, in kilobytes per second.") + (speed-limit-up-enabled? + (boolean #f) + "When @code{#t}, the daemon's upload speed will be limited to the rate +specified by @code{speed-limit-up}.") + (speed-limit-up + (non-negative-integer 100) + "The default global-maximum upload speed, in kilobytes per second.") + (alt-speed-enabled? + (boolean #f) + "When @code{#t}, the alternate speed limits @code{alt-speed-down} and +@code{alt-speed-up} are used (in place of @code{speed-limit-down} and +@code{speed-limit-up}, if they are enabled) to constrain the daemon's +bandwidth usage. This can be scheduled to occur automatically at certain +times during the week; see @code{alt-speed-time-enabled?}.") + (alt-speed-down + (non-negative-integer 50) + "The alternate global-maximum download speed, in kilobytes per second.") + (alt-speed-up + (non-negative-integer 50) + "The alternate global-maximum upload speed, in kilobytes per second.") + + ;; Bandwidth-limit scheduling. + (alt-speed-time-enabled? + (boolean #f) + "When @code{#t}, the alternate speed limits @code{alt-speed-down} and +@code{alt-speed-up} will be enabled automatically during the periods specified +by @code{alt-speed-time-day}, @code{alt-speed-time-begin} and +@code{alt-time-speed-end}.") + (alt-speed-time-day + (day-list 'all) + "The days of the week on which the alternate-speed schedule should be used, +specified either as a list of days (@code{sunday}, @code{monday}, and so on) +or using one of the symbols @code{weekdays}, @code{weekends} or @code{all}.") + (alt-speed-time-begin + (non-negative-integer 540) + "The time of day at which to enable the alternate speed limits, +expressed as a number of minutes since midnight.") + (alt-speed-time-end + (non-negative-integer 1020) + "The time of day at which to disable the alternate speed limits, +expressed as a number of minutes since midnight.") + + ;; Peer networking. + (bind-address-ipv4 + (string "0.0.0.0") + "The IP address at which to listen for peer connections, or ``0.0.0.0'' to +listen at all available IP addresses.") + (bind-address-ipv6 + (string "::") + "The IPv6 address at which to listen for peer connections, or ``::'' to +listen at all available IPv6 addresses.") + (peer-port-random-on-start? + (boolean #f) + "If @code{#t}, when the daemon starts it will select a port at random on +which to listen for peer connections, from the range specified (inclusively) +by @code{peer-port-random-low} and @code{peer-port-random-high}. Otherwise, +it listens on the port specified by @code{peer-port}.") + (peer-port-random-low + (port-number 49152) + "The lowest selectable port number when @code{peer-port-random-on-start?} +is @code{#t}.") + (peer-port-random-high + (port-number 65535) + "The highest selectable port number when @code{peer-port-random-on-start} +is @code{#t}.") + (peer-port + (port-number 51413) + "The port on which to listen for peer connections when +@code{peer-port-random-on-start?} is @code{#f}.") + (port-forwarding-enabled? + (boolean #t) + "If @code{#t}, the daemon will attempt to configure port-forwarding on an +upstream gateway automatically using @acronym{UPnP} and @acronym{NAT-PMP}.") + (encryption + (encryption-mode 'prefer-encrypted-connections) + "The encryption preference for peer connections, one of +@code{prefer-unencrypted-connections}, @code{prefer-encrypted-connections} or +@code{require-encrypted-connections}.") + (peer-congestion-algorithm + (maybe-string 'disabled) + "The TCP congestion-control algorithm to use for peer connections, +specified using a string recognized by the operating system in calls to +@code{setsockopt} (or set to @code{disabled}, in which case the +operating-system default is used). + +Note that on GNU/Linux systems, the kernel must be configured to allow +processes to use a congestion-control algorithm not in the default set; +otherwise, it will deny these requests with ``Operation not permitted''. To +see which algorithms are available on your system and which are currently +permitted for use, look at the contents of the files +@file{tcp_available_congestion_control} and +@file{tcp_allowed_congestion_control} in the @file{/proc/sys/net/ipv4} +directory. + +As an example, to have Transmission Daemon use +@uref{http://www-ece.rice.edu/networks/TCP-LP/, the TCP Low Priority +congestion-control algorithm}, you'll need to modify your kernel configuration +to build in support for the algorithm, then update your operating-system +configuration to allow its use by adding a @code{sysctl-service-type} +service (or updating the existing one's configuration) with lines like the +following: + +@lisp +(service sysctl-service-type + (sysctl-configuration + (settings + (\"net.ipv4.tcp_allowed_congestion_control\" . + \"reno cubic lp\")))) +@end lisp + +The Transmission Daemon configuration can then be updated with + +@lisp +(peer-congestion-algorithm \"lp\") +@end lisp + +and the system reconfigured to have the changes take effect.") + (peer-socket-tos + (tcp-type-of-service 'default) + "The type of service to request in outgoing @acronym{TCP} packets, +one of @code{default}, @code{low-cost}, @code{throughput}, @code{low-delay} +and @code{reliability}.") + (peer-limit-global + (non-negative-integer 200) + "The global limit on the number of connected peers.") + (peer-limit-per-torrent + (non-negative-integer 50) + "The per-torrent limit on the number of connected peers.") + (upload-slots-per-torrent + (non-negative-integer 14) + "The maximum number of peers to which the daemon will upload data +simultaneously for each torrent.") + (peer-id-ttl-hours + (non-negative-integer 6) + "The maximum lifespan, in hours, of the peer ID associated with each public +torrent before it is regenerated.") + + ;; Peer blocklists. + (blocklist-enabled? + (boolean #f) + "When @code{#t}, the daemon will ignore peers mentioned in the blocklist it +has most recently downloaded from @code{blocklist-url}.") + (blocklist-url + (maybe-string 'disabled) + "The URL of a peer blocklist (in @acronym{P2P}-plaintext or eMule +@file{.dat} format) to be periodically downloaded and applied when +@code{blocklist-enabled?} is @code{#t}.") + + ;; Queueing. + (download-queue-enabled? + (boolean #t) + "If @code{#t}, the daemon will be limited to downloading at most +@code{download-queue-size} non-stalled torrents simultaneously.") + (download-queue-size + (non-negative-integer 5) + "The size of the daemon's download queue, which limits the number of +non-stalled torrents it will download at any one time when +@code{download-queue-enabled?} is @code{#t}.") + (seed-queue-enabled? + (boolean #f) + "If @code{#t}, the daemon will be limited to seeding at most +@code{seed-queue-size} non-stalled torrents simultaneously.") + (seed-queue-size + (non-negative-integer 10) + "The size of the daemon's seed queue, which limits the number of +non-stalled torrents it will seed at any one time when +@code{seed-queue-enabled?} is @code{#t}.") + (queue-stalled-enabled? + (boolean #t) + "When @code{#t}, the daemon will consider torrents for which it has not +shared data in the past @code{queue-stalled-minutes} minutes to be stalled and +not count them against its @code{download-queue-size} and +@code{seed-queue-size} limits.") + (queue-stalled-minutes + (non-negative-integer 30) + "The maximum period, in minutes, a torrent may be idle before it is +considered to be stalled, when @code{queue-stalled-enabled?} is @code{#t}.") + + ;; Seeding limits. + (ratio-limit-enabled? + (boolean #f) + "When @code{#t}, a torrent being seeded will automatically be paused once +it reaches the ratio specified by @code{ratio-limit}.") + (ratio-limit + (non-negative-rational 2.0) + "The ratio at which a torrent being seeded will be paused, when +@code{ratio-limit-enabled?} is @code{#t}.") + (idle-seeding-limit-enabled? + (boolean #f) + "When @code{#t}, a torrent being seeded will automatically be paused once +it has been idle for @code{idle-seeding-limit} minutes.") + (idle-seeding-limit + (non-negative-integer 30) + "The maximum period, in minutes, a torrent being seeded may be idle before +it is paused, when @code{idle-seeding-limit-enabled?} is @code{#t}.") + + ;; BitTorrent extensions. + (dht-enabled? + (boolean #t) + "Enable @uref{http://bittorrent.org/beps/bep_0005.html, the distributed +hash table (@acronym{DHT}) protocol}, which supports the use of trackerless +torrents.") + (lpd-enabled? + (boolean #f) + "Enable @url{https://en.wikipedia.org/wiki/Local_Peer_Discovery, local peer +discovery} (@acronym{LPD}), which allows the discovery of peers on the local +network and may reduce the amount of data sent over the public Internet.") + (pex-enabled? + (boolean #t) + "Enable @url{https://en.wikipedia.org/wiki/Peer_exchange, peer +exchange} (@acronym{PEX}), which reduces the daemon's reliance on external +trackers and may improve its performance.") + (utp-enabled? + (boolean #t) + "Enable @url{http://bittorrent.org/beps/bep_0029.html, the micro transport +protocol} (@acronym{uTP}), which aims to reduce the impact of BitTorrent +traffic on other users of the local network while maintaining full utilization +of the available bandwidth.") + + ;; Remote procedure call (RPC) interface. + (rpc-enabled? + (boolean #t) + "If @code{#t}, enable the remote procedure call (@acronym{RPC}) interface, +which allows remote control of the daemon via its Web interface, the +@command{transmission-remote} command-line client, and similar tools.") + (rpc-bind-address + (string "0.0.0.0") + "The IP address at which to listen for @acronym{RPC} connections, or +``0.0.0.0'' to listen at all available IP addresses.") + (rpc-port + (port-number 9091) + "The port on which to listen for @acronym{RPC} connections.") + (rpc-url + (string "/transmission/") + "The path prefix to use in the @acronym{RPC}-endpoint @acronym{URL}.") + (rpc-authentication-required? + (boolean #f) + "When @code{#t}, clients must authenticate (see @code{rpc-username} and +@code{rpc-password}) when using the @acronym{RPC} interface. Note this has +the side effect of disabling host-name whitelisting (see +@code{rpc-host-whitelist-enabled?}.") + (rpc-username + (maybe-string 'disabled) + "The username required by clients to access the @acronym{RPC} interface +when @code{rpc-authentication-required?} is @code{#t}.") + (rpc-password + (maybe-transmission-password-hash 'disabled) + "The password required by clients to access the @acronym{RPC} interface +when @code{rpc-authentication-required?} is @code{#t}. This must be specified +using a password hash in the format recognized by Transmission clients, either +copied from an existing @file{settings.json} file or generated using the +@code{transmission-password-hash} procedure.") + (rpc-whitelist-enabled? + (boolean #t) + "When @code{#t}, @acronym{RPC} requests will be accepted only when they +originate from an address specified in @code{rpc-whitelist}.") + (rpc-whitelist + (string-list '("127.0.0.1" "::1")) + "The list of IP and IPv6 addresses from which @acronym{RPC} requests will +be accepted when @code{rpc-whitelist-enabled?} is @code{#t}. Wildcards may be +specified using @samp{*}.") + (rpc-host-whitelist-enabled? + (boolean #t) + "When @code{#t}, @acronym{RPC} requests will be accepted only when they are +addressed to a host named in @code{rpc-host-whitelist}. Note that requests to +``localhost'' or ``localhost.'', or to a numeric address, are always accepted +regardless of these settings. + +Note also this functionality is disabled when +@code{rpc-authentication-required?} is @code{#t}.") + (rpc-host-whitelist + (string-list '()) + "The list of host names recognized by the @acronym{RPC} server when +@code{rpc-host-whitelist-enabled?} is @code{#t}.") + + ;; Miscellaneous. + (message-level + (message-level 'info) + "The minimum severity level of messages to be logged (to +@file{/var/log/transmission.log}) by the daemon, one of @code{none} (no +logging), @code{error}, @code{info} and @code{debug}.") + (start-added-torrents? + (boolean #t) + "When @code{#t}, torrents are started as soon as they are added; otherwise, +they are added in ``paused'' state.") + (script-torrent-done-enabled? + (boolean #f) + "When @code{#t}, the script specified by +@code{script-torrent-done-filename} will be invoked each time a torrent +completes.") + (script-torrent-done-filename + (maybe-file-object 'disabled) + "A file name or file-like object specifying a script to run each time a +torrent completes, when @code{script-torrent-done-enabled?} is @code{#t}.") + (scrape-paused-torrents-enabled? + (boolean #t) + "When @code{#t}, the daemon will scrape trackers for a torrent even when +the torrent is paused.") + (cache-size-mb + (non-negative-integer 4) + "The amount of memory, in megabytes, to allocate for the daemon's in-memory +cache. A larger value may increase performance by reducing the frequency of +disk I/O.") + (prefetch-enabled? + (boolean #t) + "When @code{#t}, the daemon will try to improve I/O performance by hinting +to the operating system which data is likely to be read next from disk to +satisfy requests from peers.")) + +(define (transmission-daemon-shepherd-service config) + "Return a for Transmission Daemon with CONFIG." + (let ((transmission + (transmission-daemon-configuration-transmission config)) + (stop-wait-period + (transmission-daemon-configuration-stop-wait-period config))) + (list + (shepherd-service + (provision '(transmission-daemon transmission bittorrent)) + (requirement '(networking)) + (documentation "Share files using the BitTorrent protocol.") + (start #~(make-forkexec-constructor + '(#$(file-append transmission "/bin/transmission-daemon") + "--config-dir" + #$%transmission-daemon-configuration-directory + "--foreground") + #:user #$%transmission-daemon-user + #:group #$%transmission-daemon-group + #:directory #$%transmission-daemon-configuration-directory + #:log-file #$%transmission-daemon-log-file + #:environment-variables + '("CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt"))) + (stop #~(lambda (pid) + (kill pid SIGTERM) + + ;; Transmission Daemon normally needs some time to shut down, + ;; as it will complete some housekeeping and send a final + ;; update to trackers before it exits. + ;; + ;; Wait a reasonable period for it to stop before continuing. + ;; If we don't do this, restarting the service can fail as the + ;; new daemon process finds the old one still running and + ;; attached to the port used for peer connections. + (let wait-before-killing ((period #$stop-wait-period)) + (if (zero? (car (waitpid pid WNOHANG))) + (if (positive? period) + (begin + (sleep 1) + (wait-before-killing (- period 1))) + (begin + (format #t + #$(G_ "Wait period expired; killing \ +transmission-daemon (pid ~a).~%") + pid) + (display #$(G_ "(If you see this message \ +regularly, you may need to increase the value +of 'stop-wait-period' in the service configuration.)\n")) + (kill pid SIGKILL))))) + #f)) + (actions + (list + (shepherd-action + (name 'reload) + (documentation "Reload the settings file from disk.") + (procedure #~(lambda (pid) + (if pid + (begin + (kill pid SIGHUP) + (display #$(G_ "Service transmission-daemon has \ +been asked to reload its settings file."))) + (display #$(G_ "Service transmission-daemon is not \ +running.")))))))))))) + +(define %transmission-daemon-accounts + (list (user-group + (name %transmission-daemon-group) + (system? #t)) + (user-account + (name %transmission-daemon-user) + (group %transmission-daemon-group) + (comment "Transmission Daemon service account") + (home-directory %transmission-daemon-configuration-directory) + (shell (file-append shadow "/sbin/nologin")) + (system? #t)))) + +(define %transmission-daemon-log-rotations + (list (log-rotation + (files (list %transmission-daemon-log-file))))) + +(define (transmission-daemon-computed-settings-file config) + "Return a @code{computed-file} object that, when unquoted in a G-expression, +produces a Transmission settings file (@file{settings.json}) matching CONFIG." + (let ((settings + ;; "Serialize" the configuration settings as a list of G-expressions + ;; containing a name-value pair, which will ultimately be sorted and + ;; serialized to the settings file as a JSON object. + (map + (lambda (field) + ((configuration-field-serializer field) + (configuration-field-name field) + ((configuration-field-getter field) config))) + (filter + (lambda (field) + ;; Omit configuration fields that are used only internally by + ;; this service definition. + (not (memq (configuration-field-name field) + '(transmission stop-wait-period)))) + transmission-daemon-configuration-fields)))) + (computed-file + "settings.json" + (with-extensions (list guile-gcrypt guile-json-4) + (with-imported-modules (source-module-closure '((json builder))) + #~(begin + (use-modules (json builder)) + + (with-output-to-file #$output + (lambda () + (scm->json (sort-list '(#$@settings) + (lambda (x y) + (string<=? (car x) (car y)))) + #:pretty #t))))))))) + +(define (transmission-daemon-activation config) + "Return the Transmission Daemon activation GEXP for CONFIG." + (let ((config-dir %transmission-daemon-configuration-directory) + (incomplete-dir-enabled + (transmission-daemon-configuration-incomplete-dir-enabled? config)) + (incomplete-dir + (transmission-daemon-configuration-incomplete-dir config)) + (watch-dir-enabled + (transmission-daemon-configuration-watch-dir-enabled? config)) + (watch-dir + (transmission-daemon-configuration-watch-dir config))) + (with-imported-modules (source-module-closure '((guix build utils))) + #~(begin + (use-modules (guix build utils)) + + (let ((owner (getpwnam #$%transmission-daemon-user))) + (define (mkdir-p/perms directory perms) + (mkdir-p directory) + (chown directory (passwd:uid owner) (passwd:gid owner)) + (chmod directory perms)) + + ;; Create the directories Transmission Daemon is configured to use + ;; and assign them suitable permissions. + (for-each (lambda (directory-specification) + (apply mkdir-p/perms directory-specification)) + '(#$@(append + `((,config-dir #o750)) + (if incomplete-dir-enabled + `((,incomplete-dir #o750)) + '()) + (if watch-dir-enabled + `((,watch-dir #o770)) + '()))))) + + ;; Generate and activate the daemon's settings file, settings.json. + (activate-special-files + '((#$(string-append config-dir "/settings.json") + #$(transmission-daemon-computed-settings-file config)))))))) + +(define transmission-daemon-service-type + (service-type + (name 'transmission) + (extensions + (list (service-extension shepherd-root-service-type + transmission-daemon-shepherd-service) + (service-extension account-service-type + (const %transmission-daemon-accounts)) + (service-extension rottlog-service-type + (const %transmission-daemon-log-rotations)) + (service-extension activation-service-type + transmission-daemon-activation))) + (default-value (transmission-daemon-configuration)) + (description "Share files using the BitTorrent protocol."))) + +(define (generate-transmission-daemon-documentation) + (generate-documentation + `((transmission-daemon-configuration + ,transmission-daemon-configuration-fields)) + 'transmission-daemon-configuration)) diff --git a/po/packages/POTFILES.in b/po/packages/POTFILES.in index 9a178edfa6..398f9adfdf 100644 --- a/po/packages/POTFILES.in +++ b/po/packages/POTFILES.in @@ -59,5 +59,6 @@ gnu/packages/wordnet.scm gnu/packages/xiph.scm gnu/services/base.scm gnu/services/certbot.scm +gnu/services/file-sharing.scm gnu/services/networking.scm gnu/services/version-control.scm diff --git a/tests/services/file-sharing.scm b/tests/services/file-sharing.scm new file mode 100644 index 0000000000..27bec57325 --- /dev/null +++ b/tests/services/file-sharing.scm @@ -0,0 +1,59 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2020 Simon South +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (tests services file-sharing) + #:use-module (gnu services file-sharing) + #:use-module (srfi srfi-64)) + +;;; Tests for the (gnu services file-sharing) module. + +(test-begin "file-sharing") + + +;;; +;;; Transmission Daemon. +;;; + +(define %transmission-salt-length 8) + +(define (valid-transmission-salt? salt) + (and (string? salt) + (eqv? (string-length salt) %transmission-salt-length))) + +(test-assert "transmission-random-salt" + (valid-transmission-salt? (transmission-random-salt))) + +(test-equal "transmission-password-hash, typical values" + "{ef6fba106cdef3aac64d1410090cae353cbecde53ceVVQO2" + (transmission-password-hash "transmission" "3ceVVQO2")) + +(test-equal "transmission-password-hash, empty password" + "{820f816515d8969d058d07a1de018650619ee7ffCp.I5SWg" + (transmission-password-hash "" "Cp.I5SWg")) + +(test-error "transmission-password-hash, salt value too short" + (transmission-password-hash + "transmission" + (make-string (- %transmission-salt-length 1) #\a))) + +(test-error "transmission-password-hash, salt value too long" + (transmission-password-hash + "transmission" + (make-string (+ %transmission-salt-length 1) #\a))) + +(test-end "file-sharing") -- cgit 1.4.1 From d588cc8fa96e4a4bce56fac2ba3bbaaeaaed0047 Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian Date: Fri, 12 Feb 2021 15:53:45 -0800 Subject: gnu: diffoscope: Update to use python-magic. Fixes: https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/238 * gnu/packages/patches/diffoscope-revert-to-magic-open.patch: Remove file. * gnu/local.mk [dist_patch_DATA]: Update. * gnu/packages/diffoscope.scm (diffoscope)[source]: Remove patch. [inputs]: Remove python-file. --- gnu/local.mk | 1 - gnu/packages/diffoscope.scm | 5 +- .../patches/diffoscope-revert-to-magic-open.patch | 70 ---------------------- 3 files changed, 1 insertion(+), 75 deletions(-) delete mode 100644 gnu/packages/patches/diffoscope-revert-to-magic-open.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 0625c6c5eb..ad6e02116e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -927,7 +927,6 @@ dist_patch_DATA = \ %D%/packages/patches/desmume-gcc6-fixes.patch \ %D%/packages/patches/desmume-gcc7-fixes.patch \ %D%/packages/patches/dfu-programmer-fix-libusb.patch \ - %D%/packages/patches/diffoscope-revert-to-magic-open.patch \ %D%/packages/patches/diffutils-gets-undeclared.patch \ %D%/packages/patches/dkimproxy-add-ipv6-support.patch \ %D%/packages/patches/docbook-xsl-nonrecursive-string-subst.patch \ diff --git a/gnu/packages/diffoscope.scm b/gnu/packages/diffoscope.scm index a31ac485c2..feb0324db2 100644 --- a/gnu/packages/diffoscope.scm +++ b/gnu/packages/diffoscope.scm @@ -81,9 +81,7 @@ (file-name (git-file-name name version)) (sha256 (base32 - "0vc4a38ii6b10af4c7cxfkvj4lk4ihx1xs4q5lshnkyg74gmm21b")) - (patches (search-patches - "diffoscope-revert-to-magic-open.patch")))) + "0vc4a38ii6b10af4c7cxfkvj4lk4ihx1xs4q5lshnkyg74gmm21b")))) (build-system python-build-system) (arguments `(#:phases (modify-phases %standard-phases @@ -137,7 +135,6 @@ (install-file "doc/diffoscope.1" man) #t)))))) (inputs `(("rpm" ,rpm) ;for rpm-python - ("python-file" ,python-file) ("python-debian" ,python-debian) ("python-libarchive-c" ,python-libarchive-c) ("python-magic" ,python-magic) diff --git a/gnu/packages/patches/diffoscope-revert-to-magic-open.patch b/gnu/packages/patches/diffoscope-revert-to-magic-open.patch deleted file mode 100644 index d52b26ead5..0000000000 --- a/gnu/packages/patches/diffoscope-revert-to-magic-open.patch +++ /dev/null @@ -1,70 +0,0 @@ -From b658c3a6819ccb9a104b13e973132c66f0965965 Mon Sep 17 00:00:00 2001 -From: Vagrant Cascadian -Date: Thu, 11 Feb 2021 17:28:21 -0800 -Subject: [PATCH] Revert "Prefer to use magic.Magic over the magic.open - compatibility interface. (Closes: reproducible-builds/diffoscope#236)" - -This reverts commit c72c30f29ea3760eb4c785644dc7cd4c26833740. ---- - diffoscope/comparators/utils/file.py | 28 ++++++++++++++-------------- - 1 file changed, 14 insertions(+), 14 deletions(-) - -diff --git a/diffoscope/comparators/utils/file.py b/diffoscope/comparators/utils/file.py -index fb3b4316..32700f02 100644 ---- a/diffoscope/comparators/utils/file.py -+++ b/diffoscope/comparators/utils/file.py -@@ -65,37 +65,37 @@ def _run_tests(fold, tests): - - - class File(metaclass=abc.ABCMeta): -- if hasattr(magic, "Magic"): # use python-magic -+ if hasattr(magic, "open"): # use Magic-file-extensions from file - - @classmethod - def guess_file_type(cls, path): - if not hasattr(cls, "_mimedb"): -- cls._mimedb = magic.Magic() -- return maybe_decode(cls._mimedb.from_file(path)) -+ cls._mimedb = magic.open(magic.NONE) -+ cls._mimedb.load() -+ return cls._mimedb.file( -+ path.encode("utf-8", errors="surrogateescape") -+ ) - - @classmethod - def guess_encoding(cls, path): - if not hasattr(cls, "_mimedb_encoding"): -- cls._mimedb_encoding = magic.Magic(mime_encoding=True) -- return maybe_decode(cls._mimedb_encoding.from_file(path)) -+ cls._mimedb_encoding = magic.open(magic.MAGIC_MIME_ENCODING) -+ cls._mimedb_encoding.load() -+ return cls._mimedb_encoding.file(path) - -- else: # use Magic-file-extensions from file -+ else: # use python-magic - - @classmethod - def guess_file_type(cls, path): - if not hasattr(cls, "_mimedb"): -- cls._mimedb = magic.open(magic.NONE) -- cls._mimedb.load() -- return cls._mimedb.file( -- path.encode("utf-8", errors="surrogateescape") -- ) -+ cls._mimedb = magic.Magic() -+ return maybe_decode(cls._mimedb.from_file(path)) - - @classmethod - def guess_encoding(cls, path): - if not hasattr(cls, "_mimedb_encoding"): -- cls._mimedb_encoding = magic.open(magic.MAGIC_MIME_ENCODING) -- cls._mimedb_encoding.load() -- return cls._mimedb_encoding.file(path) -+ cls._mimedb_encoding = magic.Magic(mime_encoding=True) -+ return maybe_decode(cls._mimedb_encoding.from_file(path)) - - def __init__(self, container=None): - self._comments = [] --- -2.30.0 - -- cgit 1.4.1 From adae5d75b6029b5d034030cff24e1ba4d8b3144a Mon Sep 17 00:00:00 2001 From: Stefan Reichör Date: Fri, 12 Feb 2021 22:51:54 +0100 Subject: gnu: Add run. * gnu/packages/task-runners.scm (run): New variable. Signed-off-by: Nicolas Goaziou --- gnu/local.mk | 1 + gnu/packages/task-runners.scm | 49 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 gnu/packages/task-runners.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index ad6e02116e..250901f6d9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -533,6 +533,7 @@ GNU_SYSTEM_MODULES = \ %D%/packages/synergy.scm \ %D%/packages/syndication.scm \ %D%/packages/task-management.scm \ + %D%/packages/task-runners.scm \ %D%/packages/tbb.scm \ %D%/packages/tcl.scm \ %D%/packages/telegram.scm \ diff --git a/gnu/packages/task-runners.scm b/gnu/packages/task-runners.scm new file mode 100644 index 0000000000..49a07fa3bd --- /dev/null +++ b/gnu/packages/task-runners.scm @@ -0,0 +1,49 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2021 Stefan Reichör +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu packages task-runners) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix packages) + #:use-module (guix git-download) + #:use-module (gnu packages golang) + #:use-module (guix build-system go)) + +(define-public run + (package + (name "run") + (version "0.7.2") + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/TekWizely/run") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (sha256 + (base32 "17n11lqhywq4z62w2rakdq80v7mxf83rgln19vj4v4nxpwd2hjjw")))) + (build-system go-build-system) + (propagated-inputs + `(("go-github-com-tekwizely-go-parsing" ,go-github-com-tekwizely-go-parsing))) + (arguments + `(#:import-path "github.com/tekwizely/run")) + (synopsis "Easily manage and invoke small scripts and wrappers") + (description + "Run is a tool to easily manage and invoke small scripts and wrappers by +using a Runfile.") + (home-page "https://github.com/TekWizely/run") + (license license:expat))) -- cgit 1.4.1 From 301d1bacc1f33ed5f2f546488c3a1dbc66cc3f4f Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Wed, 17 Feb 2021 16:06:12 +0200 Subject: gnu: ruby-rubocop: Update to 1.10.0. * gnu/packages/ruby.scm (ruby-rubocop): Update to 1.10.0. [source]: Remove patch. [arguments]: Remove custom 'remove-problematic-tests, 'disable-bundler, 'replace-git-ls-files phases. Add custom 'check phase. [native-inputs]: Add ruby-memory-profiler, ruby-rake, ruby-rubocop-minimal, ruby-rubocop-performance-minimal, ruby-rubocop-rspec-minimal, ruby-simplecov, ruby-stackprof. Replace ruby-webmock-2 with ruby-webmock. (ruby-rubocop-minimal, ruby-rubocop-performance-minimal, ruby-rubocop-rspec-minimal): New variables. * gnu/packages/patches/ruby-rubocop-break-dependency-cycle.patch: Remove file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - .../ruby-rubocop-break-dependency-cycle.patch | 101 --------------------- gnu/packages/ruby.scm | 78 ++++++++++------ 3 files changed, 49 insertions(+), 131 deletions(-) delete mode 100644 gnu/packages/patches/ruby-rubocop-break-dependency-cycle.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 250901f6d9..c3398c62fd 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1597,7 +1597,6 @@ dist_patch_DATA = \ %D%/packages/patches/rnp-disable-ruby-rnp-tests.patch \ %D%/packages/patches/rnp-unbundle-googletest.patch \ %D%/packages/patches/ruby-rack-ignore-failing-test.patch \ - %D%/packages/patches/ruby-rubocop-break-dependency-cycle.patch\ %D%/packages/patches/ruby-sanitize-system-libxml.patch \ %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\ %D%/packages/patches/runc-CVE-2019-5736.patch \ diff --git a/gnu/packages/patches/ruby-rubocop-break-dependency-cycle.patch b/gnu/packages/patches/ruby-rubocop-break-dependency-cycle.patch deleted file mode 100644 index 035a98fa33..0000000000 --- a/gnu/packages/patches/ruby-rubocop-break-dependency-cycle.patch +++ /dev/null @@ -1,101 +0,0 @@ -From ff3f00b7f33332ebf1c3c05abc4a781684775b3c Mon Sep 17 00:00:00 2001 -From: Maxim Cournoyer -Date: Tue, 14 Jul 2020 11:50:12 -0400 -Subject: [PATCH] config: Drop rubocop-performance, rubocop-rspec requirements. - -This patch removes Rubocop extensions from Rubocop's closure to break -a dependency cycle with itself. - -* .rubocop.yml: Remove rubocop-performance and rubocop-rspec and their -corresponding directives. -* .rubocop_todo.yml: Likewise. ---- - .rubocop.yml | 15 --------------- - .rubocop_todo.yml | 44 -------------------------------------------- - 2 files changed, 59 deletions(-) - -diff --git a/.rubocop.yml b/.rubocop.yml -index 4f05d5be2..f12ef7c06 100644 ---- a/.rubocop.yml -+++ b/.rubocop.yml -@@ -3,8 +3,6 @@ - inherit_from: .rubocop_todo.yml - require: - - rubocop/cop/internal_affairs -- - rubocop-performance -- - rubocop-rspec - - AllCops: - NewCops: enable -@@ -106,16 +104,3 @@ Metrics/ClassLength: - Metrics/ModuleLength: - Exclude: - - 'spec/**/*.rb' -- --RSpec/FilePath: -- Exclude: -- - spec/rubocop/formatter/junit_formatter_spec.rb -- --RSpec/PredicateMatcher: -- EnforcedStyle: explicit -- --RSpec/MessageSpies: -- EnforcedStyle: receive -- --RSpec/NestedGroups: -- Max: 7 -diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml -index 3f72042d1..fa637cd42 100644 ---- a/.rubocop_todo.yml -+++ b/.rubocop_todo.yml -@@ -24,47 +24,3 @@ Metrics/MethodLength: - # Configuration parameters: CountComments. - Metrics/ModuleLength: - Max: 132 -- --# Offense count: 10 --RSpec/AnyInstance: -- Exclude: -- - 'spec/rubocop/cli_spec.rb' -- - 'spec/rubocop/cop/lint/duplicate_methods_spec.rb' -- - 'spec/rubocop/cop/team_spec.rb' -- - 'spec/rubocop/target_finder_spec.rb' -- --# Offense count: 981 --# Configuration parameters: Prefixes. --# Prefixes: when, with, without --RSpec/ContextWording: -- Enabled: false -- --# Offense count: 3810 --# Configuration parameters: Max. --RSpec/ExampleLength: -- Enabled: false -- --# Offense count: 38 --RSpec/ExpectOutput: -- Exclude: -- - 'spec/rubocop/cli/cli_auto_gen_config_spec.rb' -- - 'spec/rubocop/cli/cli_options_spec.rb' -- - 'spec/rubocop/config_spec.rb' -- - 'spec/rubocop/cop/cop_spec.rb' -- - 'spec/rubocop/formatter/disabled_config_formatter_spec.rb' -- - 'spec/rubocop/formatter/formatter_set_spec.rb' -- - 'spec/rubocop/options_spec.rb' -- - 'spec/rubocop/rake_task_spec.rb' -- - 'spec/rubocop/result_cache_spec.rb' -- - 'spec/rubocop/target_finder_spec.rb' -- --# Offense count: 434 --RSpec/MultipleExpectations: -- Max: 25 -- --# Offense count: 5 --RSpec/SubjectStub: -- Exclude: -- - 'spec/rubocop/config_spec.rb' -- - 'spec/rubocop/formatter/json_formatter_spec.rb' -- - 'spec/rubocop/formatter/progress_formatter_spec.rb' --- -2.27.0 - diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 58614a61ac..6c9583b3cf 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -1584,6 +1584,16 @@ enforcing & linting tool.") (home-page "https://github.com/rubocop-hq/rubocop-rspec") (license license:expat))) +(define-public ruby-rubocop-rspec-minimal + (hidden-package + (package + (inherit ruby-rubocop-rspec) + (arguments + (substitute-keyword-arguments (package-arguments ruby-rubocop-rspec) + ((#:tests? _ #f) #f))) + (propagated-inputs '()) + (native-inputs '())))) + (define-public ruby-rubocop-performance (package (name "ruby-rubocop-performance") @@ -1625,6 +1635,16 @@ for performance optimizations in Ruby code.") (home-page "https://docs.rubocop.org/rubocop-performance/") (license license:expat))) +(define-public ruby-rubocop-performance-minimal + (hidden-package + (package + (inherit ruby-rubocop-performance) + (arguments + (substitute-keyword-arguments (package-arguments ruby-rubocop-performance) + ((#:tests? _ #f) #f))) + (propagated-inputs '()) + (native-inputs '())))) + (define-public ruby-gimme (let ((revision "1") (commit "4e71f0236f1271871916dd403261d26533db34c0")) @@ -7270,7 +7290,7 @@ run.") (define-public ruby-rubocop (package (name "ruby-rubocop") - (version "0.88.0") + (version "1.10.0") (source (origin (method git-fetch) ;no tests in distributed gem @@ -7280,42 +7300,25 @@ run.") (file-name (git-file-name name version)) (sha256 (base32 - "1d06893jp8pd85fvgp5d16vqcf31bafi430v4f4y746ihyvhzz5r")) - (patches (search-patches "ruby-rubocop-break-dependency-cycle.patch")))) + "0wjw9vpzr4f3nf1zf010bag71w4hdi0haybdn7r5rlmw45pmim29")))) (build-system ruby-build-system) (arguments '(#:test-target "default" #:phases (modify-phases %standard-phases - (add-after 'unpack 'remove-problematic-tests - ;; These tests depend on Rubocop extensions, which cannot be - ;; included as they cause a dependency cycle with Rubocop itself. - (lambda _ - (delete-file "spec/rubocop/config_loader_spec.rb") - (substitute* "Gemfile" - ((".*'rubocop-performance'.*") "") - ((".*'rubocop-rspec'.*") "")) - ;; Prevent "Unnecessary disabling of RSpec/* (unknown cop)" - ;; errors. - (substitute* (find-files "spec/rubocop/cop/" "_spec\\.rb$") - (("# (rubocop:(enable|disable) RSpec.*)" _ what) - (string-append "# Disabled: " what))) - #t)) - (add-after 'unpack 'disable-bundler - (lambda _ - (substitute* "Rakefile" - (("Bundler\\.setup.*") "nil\n")) - #t)) - (replace 'replace-git-ls-files - (lambda _ - (substitute* "rubocop.gemspec" - (("`git ls-files(.*)`" _ files) - (format #f "`find ~a -type f| sort`" files))) - #t)) (add-before 'check 'set-home (lambda _ (setenv "HOME" (getcwd)) #t)) + ;; Rubocop depends on itself for tests, directly and indirectly. By + ;; regenerating the TODO list we test rubocop against itself and + ;; forgo adjusting the test suite to our environment each release. + (replace 'check + (lambda* (#:key tests? #:allow-other-keys) + (when tests? + (make-file-writable ".rubocop_todo.yml") + (invoke "./exe/rubocop" "--auto-gen-config")) + #t)) (add-before 'check 'make-adoc-files-writable (lambda _ (let ((adoc-files (find-files "docs/modules/ROOT/pages" @@ -7324,10 +7327,17 @@ run.") #t))))) (native-inputs `(("ruby-bump" ,ruby-bump) + ("ruby-memory-profiler" ,ruby-memory-profiler) ("ruby-pry" ,ruby-pry) + ("ruby-rake" ,ruby-rake) ("ruby-rspec" ,ruby-rspec) + ("ruby-rubocop-minimal" ,ruby-rubocop-minimal) + ("ruby-rubocop-performance-minimal" ,ruby-rubocop-performance-minimal) + ("ruby-rubocop-rspec-minimal" ,ruby-rubocop-rspec-minimal) + ("ruby-simplecov" ,ruby-simplecov) + ("ruby-stackprof" ,ruby-stackprof) ("ruby-test-queue" ,ruby-test-queue) - ("ruby-webmock" ,ruby-webmock-2) + ("ruby-webmock" ,ruby-webmock) ("ruby-yard" ,ruby-yard))) (propagated-inputs `(("ruby-parallel" ,ruby-parallel) @@ -7345,6 +7355,16 @@ the community-driven Ruby Style Guide.") (home-page "https://github.com/rubocop-hq/rubocop") (license license:expat))) +(define-public ruby-rubocop-minimal + (hidden-package + (package + (inherit ruby-rubocop) + (arguments + (substitute-keyword-arguments (package-arguments ruby-rubocop) + ((#:tests? _ #f) #f))) + (propagated-inputs '()) + (native-inputs '())))) + (define-public ruby-contest (package (name "ruby-contest") -- cgit 1.4.1 From f3318fefe42d773297267ad940a2ec5893c5c094 Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Fri, 19 Feb 2021 17:56:52 +0100 Subject: gnu: Add perl-math-matrixreal. * gnu/packages/perl-maths.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. --- gnu/local.mk | 1 + gnu/packages/perl-maths.scm | 48 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 gnu/packages/perl-maths.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index c3398c62fd..0dd5fc2a29 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -436,6 +436,7 @@ GNU_SYSTEM_MODULES = \ %D%/packages/perl.scm \ %D%/packages/perl-check.scm \ %D%/packages/perl-compression.scm \ + %D%/packages/perl-maths.scm \ %D%/packages/perl-web.scm \ %D%/packages/perl6.scm \ %D%/packages/photo.scm \ diff --git a/gnu/packages/perl-maths.scm b/gnu/packages/perl-maths.scm new file mode 100644 index 0000000000..e03458a9c0 --- /dev/null +++ b/gnu/packages/perl-maths.scm @@ -0,0 +1,48 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2021 Ricardo Wurmus +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu packages perl-maths) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix packages) + #:use-module (guix download) + #:use-module (guix build-system perl) + #:use-module (gnu packages perl) + #:use-module (gnu packages perl-check)) + +(define-public perl-math-matrixreal + (package + (name "perl-math-matrixreal") + (version "2.13") + (source (origin + (method url-fetch) + (uri (string-append + "mirror://cpan/authors/id/L/LE/LETO/Math-MatrixReal-" + version ".tar.gz")) + (sha256 + (base32 + "1cml5wqd99hm398gl8f147ccsck9v179l7a6vqjj4kfkdnja37sg")))) + (build-system perl-build-system) + (native-inputs + `(("perl-module-build" ,perl-module-build) + ("perl-test-most" ,perl-test-most))) + (home-page "https://metacpan.org/release/Math-MatrixReal") + (synopsis "Manipulate NxN matrices of real numbers") + (description "This package provides the @code{Math::MatrixReal} module. +It implements the data type \"matrix of real numbers\" (and consequently also +\"vector of real numbers\").") + (license license:perl-license))) -- cgit 1.4.1 From f08c7cb0c75e7d5305c82d6a4af68ddf74fb08b1 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 19 Feb 2021 17:45:05 -0500 Subject: gnu: Python 3.9: Fix CVE-2021-3177. * gnu/packages/patches/python-3.9-CVE-2021-3177.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/python.scm (python-3.9)[source]: Use it. --- gnu/local.mk | 1 + .../patches/python-3.9-CVE-2021-3177.patch | 194 +++++++++++++++++++++ gnu/packages/python.scm | 3 +- 3 files changed, 197 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/python-3.9-CVE-2021-3177.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 0dd5fc2a29..5588cda2e1 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1527,6 +1527,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-3-fix-tests.patch \ %D%/packages/patches/python-3.8-fix-tests.patch \ %D%/packages/patches/python-3.9-fix-tests.patch \ + %D%/packages/patches/python-3.9-CVE-2021-3177.patch \ %D%/packages/patches/python-CVE-2018-14647.patch \ %D%/packages/patches/python-CVE-2020-26116.patch \ %D%/packages/patches/python-aionotify-0.2.0-py3.8.patch \ diff --git a/gnu/packages/patches/python-3.9-CVE-2021-3177.patch b/gnu/packages/patches/python-3.9-CVE-2021-3177.patch new file mode 100644 index 0000000000..155f17deca --- /dev/null +++ b/gnu/packages/patches/python-3.9-CVE-2021-3177.patch @@ -0,0 +1,194 @@ +Fix CVE-2021-3177 for Python 3.9: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177 + +Patch copied from upstream source repository: + +https://github.com/python/cpython/commit/c347cbe694743cee120457aa6626712f7799a932 + +From c347cbe694743cee120457aa6626712f7799a932 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 18 Jan 2021 13:29:31 -0800 +Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode + formatting in ctypes param reprs. (GH-24247) + +(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) + +Co-authored-by: Benjamin Peterson + +Co-authored-by: Benjamin Peterson +--- + Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ + .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + + Modules/_ctypes/callproc.c | 51 +++++++------------ + 3 files changed, 64 insertions(+), 32 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst + +diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py +index e4c25fd880cef..531894fdec838 100644 +--- a/Lib/ctypes/test/test_parameters.py ++++ b/Lib/ctypes/test/test_parameters.py +@@ -201,6 +201,49 @@ def __dict__(self): + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') + ++ def test_parameter_repr(self): ++ from ctypes import ( ++ c_bool, ++ c_char, ++ c_wchar, ++ c_byte, ++ c_ubyte, ++ c_short, ++ c_ushort, ++ c_int, ++ c_uint, ++ c_long, ++ c_ulong, ++ c_longlong, ++ c_ulonglong, ++ c_float, ++ c_double, ++ c_longdouble, ++ c_char_p, ++ c_wchar_p, ++ c_void_p, ++ ) ++ self.assertRegex(repr(c_bool.from_param(True)), r"^$") ++ self.assertEqual(repr(c_char.from_param(97)), "") ++ self.assertRegex(repr(c_wchar.from_param('a')), r"^$") ++ self.assertEqual(repr(c_byte.from_param(98)), "") ++ self.assertEqual(repr(c_ubyte.from_param(98)), "") ++ self.assertEqual(repr(c_short.from_param(511)), "") ++ self.assertEqual(repr(c_ushort.from_param(511)), "") ++ self.assertRegex(repr(c_int.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_uint.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_long.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^$") ++ self.assertEqual(repr(c_float.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1e300)), "") ++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^$") ++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^$") ++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^$") ++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^$") ++ + ################################################################ + + if __name__ == '__main__': +diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +new file mode 100644 +index 0000000000000..7df65a156feab +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +@@ -0,0 +1,2 @@ ++Avoid static buffers when computing the repr of :class:`ctypes.c_double` and ++:class:`ctypes.c_longdouble` values. +diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c +index b0a36a30248f7..f2506de54498e 100644 +--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -489,58 +489,47 @@ is_literal_char(unsigned char c) + static PyObject * + PyCArg_repr(PyCArgObject *self) + { +- char buffer[256]; + switch(self->tag) { + case 'b': + case 'B': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.b); +- break; + case 'h': + case 'H': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.h); +- break; + case 'i': + case 'I': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.i); +- break; + case 'l': + case 'L': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.l); +- break; + + case 'q': + case 'Q': +- sprintf(buffer, +-#ifdef MS_WIN32 +- "", +-#else +- "", +-#endif ++ return PyUnicode_FromFormat("", + self->tag, self->value.q); +- break; + case 'd': +- sprintf(buffer, "", +- self->tag, self->value.d); +- break; +- case 'f': +- sprintf(buffer, "", +- self->tag, self->value.f); +- break; +- ++ case 'f': { ++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); ++ if (f == NULL) { ++ return NULL; ++ } ++ PyObject *result = PyUnicode_FromFormat("", self->tag, f); ++ Py_DECREF(f); ++ return result; ++ } + case 'c': + if (is_literal_char((unsigned char)self->value.c)) { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.c); + } + else { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, (unsigned char)self->value.c); + } +- break; + + /* Hm, are these 'z' and 'Z' codes useful at all? + Shouldn't they be replaced by the functionality of c_string +@@ -549,22 +538,20 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.p); + break; + + default: + if (is_literal_char((unsigned char)self->tag)) { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + (unsigned char)self->tag, (void *)self); + } + else { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + (unsigned char)self->tag, (void *)self); + } +- break; + } +- return PyUnicode_FromString(buffer); + } + + static PyMemberDef PyCArgType_members[] = { diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 27e9b70432..730c371fda 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -11,7 +11,7 @@ ;;; Copyright © 2015, 2016 Christopher Allan Webber ;;; Copyright © 2015 Eric Dvorsak ;;; Copyright © 2015, 2016 David Thompson -;;; Copyright © 2015, 2016, 2017 Leo Famulari +;;; Copyright © 2015, 2016, 2017, 2021 Leo Famulari ;;; Copyright © 2015, 2017 Ben Woodcroft ;;; Copyright © 2015, 2016 Erik Edrosa ;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Efraim Flashner @@ -531,6 +531,7 @@ data types.") version "/Python-" version ".tar.xz")) (patches (search-patches "python-3.9-fix-tests.patch" + "python-3.9-CVE-2021-3177.patch" "python-3-deterministic-build-info.patch" "python-3-search-paths.patch")) (sha256 -- cgit 1.4.1 From 51697aab42f3dea316b5b396ebd342b44b65193d Mon Sep 17 00:00:00 2001 From: Vincent Legoll Date: Fri, 19 Feb 2021 18:46:46 +0100 Subject: gnu: lrzip: Update to 0.640. * gnu/packages/compression.scm (lrzip): Update to 0.640. [source]: Remove obsolete patch 'lrzip-CVE-2017-8842.patch'. [inputs]: Add lz4. * gnu/packages/patches/lrzip-CVE-2017-8842.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. Signed-off-by: Leo Famulari --- gnu/local.mk | 1 - gnu/packages/compression.scm | 9 +++++---- gnu/packages/patches/lrzip-CVE-2017-8842.patch | 23 ----------------------- 3 files changed, 5 insertions(+), 28 deletions(-) delete mode 100644 gnu/packages/patches/lrzip-CVE-2017-8842.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 5588cda2e1..33da7b979a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1328,7 +1328,6 @@ dist_patch_DATA = \ %D%/packages/patches/llvm-9-fix-scev-miscompilation.patch \ %D%/packages/patches/lm-sensors-hwmon-attrs.patch \ %D%/packages/patches/lrcalc-includes.patch \ - %D%/packages/patches/lrzip-CVE-2017-8842.patch \ %D%/packages/patches/lsh-fix-x11-forwarding.patch \ %D%/packages/patches/lsof-fatal-test-failures.patch \ %D%/packages/patches/lua-CVE-2014-5461.patch \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 89107141ec..1db8b093a3 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -31,6 +31,7 @@ ;;; Copyright © 2020 Guillaume Le Vaillant ;;; Copyright © 2020 Léo Le Bouter ;;; Copyright © 2021 Antoine Côté +;;; Copyright © 2021 Vincent Legoll ;;; ;;; This file is part of GNU Guix. ;;; @@ -1109,16 +1110,15 @@ human-readable output.") (define-public lrzip (package (name "lrzip") - (version "0.631") + (version "0.640") (source (origin (method url-fetch) (uri (string-append - "http://ck.kolivas.org/apps/lrzip/lrzip-" version ".tar.bz2")) + "http://ck.kolivas.org/apps/lrzip/lrzip-" version ".tar.xz")) (sha256 (base32 - "0mb449vmmwpkalq732jdyginvql57nxyd31sszb108yps1lf448d")) - (patches (search-patches "lrzip-CVE-2017-8842.patch")))) + "175466drfpz8rsfr0pzfn5rqrj3wmcmcs3i2sfmw366w2kbjm4j9")))) (build-system gnu-build-system) (native-inputs `(;; nasm is only required when building for 32-bit x86 platforms @@ -1129,6 +1129,7 @@ human-readable output.") ("perl" ,perl))) (inputs `(("bzip2" ,bzip2) + ("lz4" ,lz4) ("lzo" ,lzo) ("zlib" ,zlib))) (home-page "http://ck.kolivas.org/apps/lrzip/") diff --git a/gnu/packages/patches/lrzip-CVE-2017-8842.patch b/gnu/packages/patches/lrzip-CVE-2017-8842.patch deleted file mode 100644 index 89b4f2f5d9..0000000000 --- a/gnu/packages/patches/lrzip-CVE-2017-8842.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 38386bd482c0a8102a79958cb3eddcb97a167ca3 Mon Sep 17 00:00:00 2001 -From: Con Kolivas -Date: Fri, 9 Mar 2018 17:39:40 +1100 -Subject: [PATCH] CVE-2017-8842 Fix divide-by-zero in bufRead::get - ---- - libzpaq/libzpaq.h | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/libzpaq/libzpaq.h b/libzpaq/libzpaq.h -index 93387da..cbe211d 100644 ---- a/libzpaq/libzpaq.h -+++ b/libzpaq/libzpaq.h -@@ -465,7 +465,8 @@ struct bufRead: public libzpaq::Reader { - - int get() { - if (progress && !(*s_len % 128)) { -- int pct = (total_len - *s_len) * 100 / total_len; -+ int pct = (total_len > 0) ? -+ (total_len - *s_len) * 100 / total_len : 100; - - if (pct / 10 != *last_pct / 10) { - int i; -- cgit 1.4.1 From ae1f36f2a8b78dfac9ee1aaf7d9aa9f0e7ce8e51 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Sun, 21 Feb 2021 10:44:15 +0200 Subject: gnu: screen: Patch CVE-2021-26937. * gnu/packages/screen.scm (screen)[source]: Add patch. * gnu/packages/patches/screen-CVE-2021-26937.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/patches/screen-CVE-2021-26937.patch | 66 ++++++++++++++++++++++++ gnu/packages/screen.scm | 5 +- 3 files changed, 70 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/screen-CVE-2021-26937.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 33da7b979a..8191c6917a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1619,6 +1619,7 @@ dist_patch_DATA = \ %D%/packages/patches/scheme48-tests.patch \ %D%/packages/patches/scotch-build-parallelism.patch \ %D%/packages/patches/scotch-integer-declarations.patch \ + %D%/packages/patches/screen-CVE-2021-26937.patch \ %D%/packages/patches/screen-hurd-path-max.patch \ %D%/packages/patches/sdl-libx11-1.6.patch \ %D%/packages/patches/seed-webkit.patch \ diff --git a/gnu/packages/patches/screen-CVE-2021-26937.patch b/gnu/packages/patches/screen-CVE-2021-26937.patch new file mode 100644 index 0000000000..d87a54a83f --- /dev/null +++ b/gnu/packages/patches/screen-CVE-2021-26937.patch @@ -0,0 +1,66 @@ +https://salsa.debian.org/debian/screen/-/raw/debian/4.8.0-5/debian/patches/99_CVE-2021-26937.patch + +Description: [CVE-2021-26937] Fix out of bounds array access +Author: Michael Schröder +Bug-Debian: https://bugs.debian.org/982435 +Bug: https://savannah.gnu.org/bugs/?60030 +Bug: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html +Bug-OSS-Security: https://www.openwall.com/lists/oss-security/2021/02/09/3 +Origin: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html + +--- a/encoding.c ++++ b/encoding.c +@@ -43,7 +43,7 @@ + # ifdef UTF8 + static int recode_char __P((int, int, int)); + static int recode_char_to_encoding __P((int, int)); +-static void comb_tofront __P((int, int)); ++static void comb_tofront __P((int)); + # ifdef DW_CHARS + static int recode_char_dw __P((int, int *, int, int)); + static int recode_char_dw_to_encoding __P((int, int *, int)); +@@ -1263,6 +1263,8 @@ + {0x30000, 0x3FFFD}, + }; + ++ if (c >= 0xdf00 && c <= 0xdfff) ++ return 1; /* dw combining sequence */ + return ((bisearch(c, wide, sizeof(wide) / sizeof(struct interval) - 1)) || + (cjkwidth && + bisearch(c, ambiguous, +@@ -1330,11 +1332,12 @@ + } + + static void +-comb_tofront(root, i) +-int root, i; ++comb_tofront(i) ++int i; + { + for (;;) + { ++ int root = i >= 0x700 ? 0x801 : 0x800; + debug1("bring to front: %x\n", i); + combchars[combchars[i]->prev]->next = combchars[i]->next; + combchars[combchars[i]->next]->prev = combchars[i]->prev; +@@ -1396,9 +1399,9 @@ + { + /* full, recycle old entry */ + if (c1 >= 0xd800 && c1 < 0xe000) +- comb_tofront(root, c1 - 0xd800); ++ comb_tofront(c1 - 0xd800); + i = combchars[root]->prev; +- if (c1 == i + 0xd800) ++ if (i == 0x800 || i == 0x801 || c1 == i + 0xd800) + { + /* completely full, can't recycle */ + debug("utf8_handle_comp: completely full!\n"); +@@ -1422,7 +1425,7 @@ + mc->font = (i >> 8) + 0xd8; + mc->fontx = 0; + debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800); +- comb_tofront(root, i); ++ comb_tofront(i); + } + + #else /* !UTF8 */ diff --git a/gnu/packages/screen.scm b/gnu/packages/screen.scm index 0491731e20..4426d9d562 100644 --- a/gnu/packages/screen.scm +++ b/gnu/packages/screen.scm @@ -2,7 +2,7 @@ ;;; Copyright © 2013 Cyril Roelandt ;;; Copyright © 2014 Mark H Weaver ;;; Copyright © 2015, 2017 Eric Bavier -;;; Copyright © 2016, 2017, 2019, 2020 Efraim Flashner +;;; Copyright © 2016, 2017, 2019, 2020, 2021 Efraim Flashner ;;; Copyright © 2016 Alex Griffin ;;; Copyright © 2017 Mathieu Othacehe ;;; Copyright © 2017, 2018, 2019, 2020 Tobias Geerinckx-Rice @@ -44,7 +44,8 @@ (method url-fetch) (uri (string-append "mirror://gnu/screen/screen-" version ".tar.gz")) - (patches (search-patches "screen-hurd-path-max.patch")) + (patches (search-patches "screen-hurd-path-max.patch" + "screen-CVE-2021-26937.patch")) (sha256 (base32 "18ascpjzsy70h6hk7wpg8zmzjwgdyrdr7c6z4pg5z4l9hhyv24bf")))) (build-system gnu-build-system) -- cgit 1.4.1 From 0c6f1b1a6d78f1a59c030378a25d0346333bd40b Mon Sep 17 00:00:00 2001 From: Nicolas Goaziou Date: Sun, 21 Feb 2021 10:35:43 +0100 Subject: gnu: exiv2-0.26: Remove variable. * gnu/packages/image.scm (exiv2-0.26): Remove variable. * gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch: * gnu/packages/patches/exiv2-CVE-2017-14860.patch: Remove files. * gnu/local.mk (dist_patch_DATA): Apply removal. --- gnu/local.mk | 2 - gnu/packages/image.scm | 28 --------- .../patches/exiv2-CVE-2017-14859-14862-14864.patch | 66 ---------------------- gnu/packages/patches/exiv2-CVE-2017-14860.patch | 48 ---------------- 4 files changed, 144 deletions(-) delete mode 100644 gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch delete mode 100644 gnu/packages/patches/exiv2-CVE-2017-14860.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 8191c6917a..95d5835fa4 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -972,8 +972,6 @@ dist_patch_DATA = \ %D%/packages/patches/evolution-data-server-locales.patch \ %D%/packages/patches/evolution-data-server-libical-compat.patch \ %D%/packages/patches/exercism-disable-self-update.patch \ - %D%/packages/patches/exiv2-CVE-2017-14860.patch \ - %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \ %D%/packages/patches/extempore-unbundle-external-dependencies.patch \ %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \ %D%/packages/patches/farstream-make.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 68221afff1..2d83313d9e 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -1352,34 +1352,6 @@ and XMP metadata of images in various formats.") ;; . (license license:gpl2+))) -(define-public exiv2-0.26 - (package - (inherit exiv2) - (version "0.26") - (source (origin - (method url-fetch) - (uri (list (string-append "https://www.exiv2.org/builds/exiv2-" - version "-trunk.tar.gz") - (string-append "https://www.exiv2.org/exiv2-" - version ".tar.gz") - (string-append "https://fossies.org/linux/misc/exiv2-" - version ".tar.gz"))) - (patches (search-patches "exiv2-CVE-2017-14860.patch" - "exiv2-CVE-2017-14859-14862-14864.patch")) - (sha256 - (base32 - "1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7")))) - (build-system gnu-build-system) - (arguments '(#:tests? #f)) ; no `check' target - (propagated-inputs - `(("expat" ,expat) - ("zlib" ,zlib))) - (native-inputs - `(("intltool" ,intltool))) - - ;; People should rely on the newer version, so don't expose it. - (properties `((hidden? . #t))))) - (define-public devil (package (name "devil") diff --git a/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch deleted file mode 100644 index 69e65aeb6b..0000000000 --- a/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch +++ /dev/null @@ -1,66 +0,0 @@ -Fix CVE-2017-14859, CVE-2017-14862 and CVE-2017-14864. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864 - -Copied from upstream: - -https://github.com/Exiv2/exiv2/commit/8a586c74bbe3fbca64e86e42a42282c73f427607 - -From 8a586c74bbe3fbca64e86e42a42282c73f427607 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= -Date: Sat, 7 Oct 2017 23:08:36 +0200 -Subject: [PATCH] Fix for CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859 - -The invalid memory dereference in -Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read() -is caused further up the call-stack, by -v->read(pData, size, byteOrder) in TiffReader::readTiffEntry() -passing an invalid pData pointer (pData points outside of the Tiff -file). pData can be set out of bounds in the (size > 4) branch where -baseOffset() and offset are added to pData_ without checking whether -the result is still in the file. As offset comes from an untrusted -source, an attacker can craft an arbitrarily large offset into the -file. - -This commit adds a check into the problematic branch, whether the -result of the addition would be out of bounds of the Tiff -file. Furthermore the whole operation is checked for possible -overflows. ---- - src/tiffvisitor.cpp | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp -index 4ab733d4..ef13542e 100644 ---- a/src/tiffvisitor.cpp -+++ b/src/tiffvisitor.cpp -@@ -47,6 +47,7 @@ EXIV2_RCSID("@(#) $Id$") - #include - #include - #include -+#include - - // ***************************************************************************** - namespace { -@@ -1517,7 +1518,19 @@ namespace Exiv2 { - size = 0; - } - if (size > 4) { -+ // setting pData to pData_ + baseOffset() + offset can result in pData pointing to invalid memory, -+ // as offset can be arbitrarily large -+ if ((static_cast(baseOffset()) > std::numeric_limits::max() - static_cast(offset)) -+ || (static_cast(baseOffset() + offset) > std::numeric_limits::max() - reinterpret_cast(pData_))) -+ { -+ throw Error(59); -+ } -+ if (pData_ + static_cast(baseOffset()) + static_cast(offset) > pLast_) { -+ throw Error(58); -+ } - pData = const_cast(pData_) + baseOffset() + offset; -+ -+ // check for size being invalid - if (size > static_cast(pLast_ - pData)) { - #ifndef SUPPRESS_WARNINGS - EXV_ERROR << "Upper boundary of data for " diff --git a/gnu/packages/patches/exiv2-CVE-2017-14860.patch b/gnu/packages/patches/exiv2-CVE-2017-14860.patch deleted file mode 100644 index 43e6076b71..0000000000 --- a/gnu/packages/patches/exiv2-CVE-2017-14860.patch +++ /dev/null @@ -1,48 +0,0 @@ -Fix CVE-2017-14860. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860 -https://nvd.nist.gov/vuln/detail/CVE-2017-14860 - -Copied from upstream: - -https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce - -From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= -Date: Fri, 6 Oct 2017 23:09:08 +0200 -Subject: [PATCH] Fix for CVE-2017-14860 - -A heap buffer overflow could occur in memcpy when icc.size_ is larger -than data.size_ - pad, as then memcpy would read out of bounds of data. - -This commit adds a sanity check to iccLength (= icc.size_): if it is -larger than data.size_ - pad (i.e. an overflow would be caused) an -exception is thrown. - -This fixes #71. ---- - src/jp2image.cpp | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/jp2image.cpp b/src/jp2image.cpp -index 747145cf..748d39b5 100644 ---- a/src/jp2image.cpp -+++ b/src/jp2image.cpp -@@ -269,10 +269,15 @@ namespace Exiv2 - std::cout << "Exiv2::Jp2Image::readMetadata: " - << "Color data found" << std::endl; - #endif -- long pad = 3 ; // 3 padding bytes 2 0 0 -+ const long pad = 3 ; // 3 padding bytes 2 0 0 - DataBuf data(subBox.length+8); - io_->read(data.pData_,data.size_); -- long iccLength = getULong(data.pData_+pad, bigEndian); -+ const long iccLength = getULong(data.pData_+pad, bigEndian); -+ // subtracting pad from data.size_ is safe: -+ // size_ is at least 8 and pad = 3 -+ if (iccLength > data.size_ - pad) { -+ throw Error(58); -+ } - DataBuf icc(iccLength); - ::memcpy(icc.pData_,data.pData_+pad,icc.size_); - #ifdef DEBUG -- cgit 1.4.1 From 4ac9db0d75edcacb3a0c98659620cfea3c1e1993 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Sun, 21 Feb 2021 21:15:05 +0100 Subject: image: Add rock64 support. * gnu/system/images/rock64.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Adjust accordingly. --- gnu/local.mk | 1 + gnu/system/images/rock64.scm | 64 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 gnu/system/images/rock64.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 95d5835fa4..b8bccc1b7c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -664,6 +664,7 @@ GNU_SYSTEM_MODULES = \ %D%/system/images/novena.scm \ %D%/system/images/pine64.scm \ %D%/system/images/pinebook-pro.scm \ + %D%/system/images/rock64.scm \ \ %D%/machine.scm \ \ diff --git a/gnu/system/images/rock64.scm b/gnu/system/images/rock64.scm new file mode 100644 index 0000000000..3f193e8528 --- /dev/null +++ b/gnu/system/images/rock64.scm @@ -0,0 +1,64 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2021 Marius Bakke +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu system images rock64) + #:use-module (gnu bootloader) + #:use-module (gnu bootloader u-boot) + #:use-module (gnu image) + #:use-module (gnu packages linux) + #:use-module (gnu services) + #:use-module (gnu services base) + #:use-module (gnu services networking) + #:use-module (gnu system) + #:use-module (gnu system file-systems) + #:use-module (gnu system image) + #:use-module (srfi srfi-26) + #:export (rock64-barebones-os + rock64-image-type + rock64-barebones-raw-image)) + +(define rock64-barebones-os + (operating-system + (host-name "jiehkkevarri") + (timezone "Europe/Oslo") + (locale "en_US.utf8") + (bootloader (bootloader-configuration + (bootloader u-boot-rock64-rk3328-bootloader) + (target "/dev/sda"))) + (initrd-modules '()) + (kernel linux-libre-arm64-generic) + (file-systems (cons (file-system + (device (file-system-label "my-root")) + (mount-point "/") + (type "ext4")) + %base-file-systems)) + (services (append (list (service dhcp-client-service-type)) + %base-services)))) + +(define rock64-image-type + (image-type + (name 'rock64-raw) + (constructor (cut image-with-os (arm64-disk-image (expt 2 24)) <>)))) + +(define rock64-barebones-raw-image + (image + (inherit + (os->image rock64-barebones-os #:type rock64-image-type)) + (name 'rock64-barebones-raw-image))) + +rock64-barebones-raw-image -- cgit 1.4.1 From ebd8e447e99c4847bc5cdb5738ac5413a7278ba2 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Tue, 23 Feb 2021 15:15:02 +0200 Subject: gnu: ruby-tzinfo-data: Update to 1.2021.1. * gnu/packages/ruby.scm (ruby-tzinfo-data): Update to 1.2021.1. [source]: Remove patch. [arguments]: Add custom 'patch-source, 'pre-check phases. [native-inputs]: Add IANA timezone data files. * gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch: Remove file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - .../ruby-tzinfo-data-ignore-broken-test.patch | 13 ----- gnu/packages/ruby.scm | 61 +++++++++++++++++++--- 3 files changed, 54 insertions(+), 21 deletions(-) delete mode 100644 gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index b8bccc1b7c..3591295f0c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1598,7 +1598,6 @@ dist_patch_DATA = \ %D%/packages/patches/rnp-unbundle-googletest.patch \ %D%/packages/patches/ruby-rack-ignore-failing-test.patch \ %D%/packages/patches/ruby-sanitize-system-libxml.patch \ - %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\ %D%/packages/patches/runc-CVE-2019-5736.patch \ %D%/packages/patches/rust-1.19-mrustc.patch \ %D%/packages/patches/rust-1.25-accept-more-detailed-gdb-lines.patch \ diff --git a/gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch b/gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch deleted file mode 100644 index 5d1f04b994..0000000000 --- a/gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/test/tc_definitions.rb b/test/tc_definitions.rb -index 7b20a3d..75b9798 100644 ---- a/test/tc_definitions.rb -+++ b/test/tc_definitions.rb -@@ -58,7 +58,7 @@ class TCDefinitions < Minitest::Test - identifier = $3.to_sym - is_dst = $4 == '1' - -- if utc && local -+ if utc && local && !line.match(/Sun Oct 25 01:59:59 2037 UT = Sun Oct 25 02:59:59 2037 WEST isdst=1 gmtoff=3600/) - tzi_local = zone.utc_to_local(utc) - tzi_period = zone.period_for_utc(utc) - tzi_identifier = tzi_period.zone_identifier diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index dc38171176..bd25bd5373 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -78,6 +78,7 @@ #:use-module (guix packages) #:use-module (guix download) #:use-module (guix git-download) + #:use-module (guix gexp) #:use-module (guix utils) #:use-module (guix build-system gnu) #:use-module (gnu packages xml) @@ -5817,7 +5818,7 @@ aware transformations between times in different time zones.") (define-public ruby-tzinfo-data (package (name "ruby-tzinfo-data") - (version "1.2017.3") + (version "1.2021.1") (source (origin (method git-fetch) @@ -5829,15 +5830,61 @@ aware transformations between times in different time zones.") (file-name (git-file-name name version)) (sha256 (base32 - "0v3phl5l3jrm6waxcszqmj2dkjhqawxfsxb6mss7vkp1hlckqcdp")) - ;; Remove the known test failure. - ;; https://github.com/tzinfo/tzinfo-data/issues/10 - ;; https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1587128 - (patches (search-patches - "ruby-tzinfo-data-ignore-broken-test.patch")))) + "0yzyr3rf8qaw6kxfc0gwpxsb7gl3rhfpx9g1c2z15vapyminhi60")))) (build-system ruby-build-system) + (arguments + `(#:phases + (modify-phases %standard-phases + (add-after 'unpack 'patch-source + (lambda* (#:key inputs #:allow-other-keys) + (substitute* "Rakefile" + (("https://data.iana.org/time-zones/releases") + (assoc-ref inputs "tzdata"))) + #t)) + (add-before 'check 'pre-check + (lambda _ + (setenv "HOME" (getcwd)) + (substitute* "Rakefile" + ;; Don't need gpg, and it may break after a time. + (("gpg ") "echo ") + ((" sh\\(\\\"make -C" text) + (string-append " sh(\"sed -i 's@/bin/sh@sh@' #{tzdb_combined_path}/Makefile \")\n" + " sh(\"sed -i 's@cc=@cc?=@' #{tzdb_combined_path}/Makefile \")\n" text))) + (setenv "cc" ,(cc-for-target)) + #t))))) (propagated-inputs `(("ruby-tzinfo" ,ruby-tzinfo))) + (native-inputs + `(("tzdata" + ,(file-union "tzdata-for-ruby-tzdata-info" + `(("tzdata2021a.tar.gz" + ,(origin + (method url-fetch) + (uri "https://data.iana.org/time-zones/releases/tzdata2021a.tar.gz") + (sha256 + (base32 + "022fn6gkmp7pamlgab04x0dm5hnyn2m2fcnyr3pvm36612xd5rrr")))) + ("tzdata2021a.tar.gz.asc" + ,(origin + (method url-fetch) + (uri "https://data.iana.org/time-zones/releases/tzdata2021a.tar.gz.asc") + (sha256 + (base32 + "0n7h2w8ji1lrxpk0d44wyfshlhr7c9jmwj6lqbxlyvqnfi3gbicx")))) + ("tzcode2021a.tar.gz" + ,(origin + (method url-fetch) + (uri "https://data.iana.org/time-zones/releases/tzcode2021a.tar.gz") + (sha256 + (base32 + "1l02b0jiwp3fl0xd6227i69d26rmx3yrnq0ssq9vvdmm4jhvyipb")))) + ("tzcode2021a.tar.gz.asc" + ,(origin + (method url-fetch) + (uri "https://data.iana.org/time-zones/releases/tzcode2021a.tar.gz.asc") + (sha256 + (base32 + "1qhlj4lr810s47s1lwcvv1sgvg2sflf98w4sbg1lc8wzv5qxxv7g"))))))))) (synopsis "Data from the IANA Time Zone database") (description "This library provides @code{TZInfo::Data}, which contains data from the -- cgit 1.4.1 From c2fdc528dde477c74a59954b925b69c12a3f208c Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Tue, 23 Feb 2021 15:29:13 +0200 Subject: gnu: ruby-rack: Update to 2.2.3. * gnu/packages/ruby.scm (ruby-rack): Update to 2.2.3. [source]: Remove patch. Add snippet. [arguments]: Adjust custom 'fix-tests phase. Remove 'make-files-writable phase. [native-inputs]: Remove ruby-minitest-sprint, which. Add ruby-minitest-global-expectations. [propagated-inputs]: Remove ruby-concurrent. * gnu/packages/patches/ruby-rack-ignore-failing-test.patch: Remove file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - .../patches/ruby-rack-ignore-failing-test.patch | 13 --------- gnu/packages/ruby.scm | 34 +++++++++------------- 3 files changed, 13 insertions(+), 35 deletions(-) delete mode 100644 gnu/packages/patches/ruby-rack-ignore-failing-test.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 3591295f0c..a9294047eb 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1596,7 +1596,6 @@ dist_patch_DATA = \ %D%/packages/patches/rnp-add-version.cmake.patch \ %D%/packages/patches/rnp-disable-ruby-rnp-tests.patch \ %D%/packages/patches/rnp-unbundle-googletest.patch \ - %D%/packages/patches/ruby-rack-ignore-failing-test.patch \ %D%/packages/patches/ruby-sanitize-system-libxml.patch \ %D%/packages/patches/runc-CVE-2019-5736.patch \ %D%/packages/patches/rust-1.19-mrustc.patch \ diff --git a/gnu/packages/patches/ruby-rack-ignore-failing-test.patch b/gnu/packages/patches/ruby-rack-ignore-failing-test.patch deleted file mode 100644 index f50d68c9c4..0000000000 --- a/gnu/packages/patches/ruby-rack-ignore-failing-test.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/test/spec_server.rb b/test/spec_server.rb -index a3690bc..16c9536 100644 ---- a/test/spec_server.rb -+++ b/test/spec_server.rb -@@ -161,7 +161,7 @@ describe Rack::Server do - it "check pid file presence and not owned process" do - pidfile = Tempfile.open('pidfile') { |f| f.write(1); break f }.path - server = Rack::Server.new(:pid => pidfile) -- server.send(:pidfile_process_status).must_equal :not_owned -+ #server.send(:pidfile_process_status).must_equal :not_owned - end - - it "not write pid file when it is created after check" do diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 1a86862ebd..8f3166ff31 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -45,7 +45,6 @@ (define-module (gnu packages ruby) #:use-module ((guix licenses) #:prefix license:) #:use-module (gnu packages) - #:use-module (gnu packages base) #:use-module (gnu packages bison) #:use-module (gnu packages c) #:use-module (gnu packages check) @@ -6890,21 +6889,25 @@ generates Ruby program.") (define-public ruby-rack (package (name "ruby-rack") - (version "2.0.6") + (version "2.2.3") (source (origin (method git-fetch) - ;; Download from GitHub so that the patch can be applied. + ;; Download from GitHub so that the snippet can be applied and tests run. (uri (git-reference (url "https://github.com/rack/rack") (commit version))) (file-name (git-file-name name version)) (sha256 (base32 - "1n7z4g1x6yxip096cdc04wq7yk7ywpinq28g2xjb46r4nlv5h0j6")) + "1qrm5z5v586738bnkr9188dvz0s25nryw6sgvx18jjlkizayw1g4")) ;; Ignore test which fails inside the build environment but works ;; outside. - (patches (search-patches "ruby-rack-ignore-failing-test.patch")))) + (modules '((guix build utils))) + (snippet + '(begin (substitute* "test/spec_files.rb" + (("res.body.must_equal expected_body") "")) + #t)))) (build-system ruby-build-system) (arguments '(#:phases @@ -6918,30 +6921,19 @@ generates Ruby program.") ;; "/gnu/store". (let ((size-diff (- (string-length (which "ruby")) (string-length "/usr/bin/env ruby")))) - (substitute* '("test/spec_file.rb") - (("193") - (number->string (+ 193 size-diff))) + (substitute* '("test/spec_files.rb") + (("208" bytes) + (number->string (+ (string->number bytes) size-diff))) (("bytes(.)22-33" all delimiter) (string-append "bytes" delimiter (number->string (+ 22 size-diff)) "-" (number->string (+ 33 size-diff)))))) - #t)) - (add-before 'reset-gzip-timestamps 'make-files-writable - (lambda* (#:key outputs #:allow-other-keys) - ;; Make sure .gz files are writable so that the - ;; 'reset-gzip-timestamps' phase can do its work. - (let ((out (assoc-ref outputs "out"))) - (for-each make-file-writable - (find-files out "\\.gz$")) - #t)))))) + #t))))) (native-inputs `(("ruby-minitest" ,ruby-minitest) - ("ruby-minitest-sprint" ,ruby-minitest-sprint) - ("which" ,which))) - (propagated-inputs - `(("ruby-concurrent" ,ruby-concurrent))) + ("ruby-minitest-global-expectations" ,ruby-minitest-global-expectations))) (synopsis "Unified web application interface for Ruby") (description "Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses, -- cgit 1.4.1 From 84e082e31706411e7f9c3189a83f8ed0b4016fe7 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 19 Feb 2021 18:09:57 -0500 Subject: gnu: Python: Fix CVE-2021-3177. * gnu/packages/patches/python-3.8-CVE-2021-3177.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/python.scm (python-3.8)[replacement]: New field. (python-3.8/fixed): New variable. --- gnu/local.mk | 1 + .../patches/python-3.8-CVE-2021-3177.patch | 194 +++++++++++++++++++++ gnu/packages/python.scm | 9 + 3 files changed, 204 insertions(+) create mode 100644 gnu/packages/patches/python-3.8-CVE-2021-3177.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index a9294047eb..ae5a65cfcf 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1524,6 +1524,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-3-search-paths.patch \ %D%/packages/patches/python-3-fix-tests.patch \ %D%/packages/patches/python-3.8-fix-tests.patch \ + %D%/packages/patches/python-3.8-CVE-2021-3177.patch \ %D%/packages/patches/python-3.9-fix-tests.patch \ %D%/packages/patches/python-3.9-CVE-2021-3177.patch \ %D%/packages/patches/python-CVE-2018-14647.patch \ diff --git a/gnu/packages/patches/python-3.8-CVE-2021-3177.patch b/gnu/packages/patches/python-3.8-CVE-2021-3177.patch new file mode 100644 index 0000000000..01f6b52865 --- /dev/null +++ b/gnu/packages/patches/python-3.8-CVE-2021-3177.patch @@ -0,0 +1,194 @@ +Fix CVE-2021-3177 for Python 3.8: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177 + +Patch copied from upstream source repository: + +https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f + +From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 18 Jan 2021 13:28:52 -0800 +Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode + formatting in ctypes param reprs. (GH-24248) + +(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) + +Co-authored-by: Benjamin Peterson + +Co-authored-by: Benjamin Peterson +--- + Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ + .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + + Modules/_ctypes/callproc.c | 51 +++++++------------ + 3 files changed, 64 insertions(+), 32 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst + +diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py +index e4c25fd880cef..531894fdec838 100644 +--- a/Lib/ctypes/test/test_parameters.py ++++ b/Lib/ctypes/test/test_parameters.py +@@ -201,6 +201,49 @@ def __dict__(self): + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') + ++ def test_parameter_repr(self): ++ from ctypes import ( ++ c_bool, ++ c_char, ++ c_wchar, ++ c_byte, ++ c_ubyte, ++ c_short, ++ c_ushort, ++ c_int, ++ c_uint, ++ c_long, ++ c_ulong, ++ c_longlong, ++ c_ulonglong, ++ c_float, ++ c_double, ++ c_longdouble, ++ c_char_p, ++ c_wchar_p, ++ c_void_p, ++ ) ++ self.assertRegex(repr(c_bool.from_param(True)), r"^$") ++ self.assertEqual(repr(c_char.from_param(97)), "") ++ self.assertRegex(repr(c_wchar.from_param('a')), r"^$") ++ self.assertEqual(repr(c_byte.from_param(98)), "") ++ self.assertEqual(repr(c_ubyte.from_param(98)), "") ++ self.assertEqual(repr(c_short.from_param(511)), "") ++ self.assertEqual(repr(c_ushort.from_param(511)), "") ++ self.assertRegex(repr(c_int.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_uint.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_long.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^$") ++ self.assertEqual(repr(c_float.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1e300)), "") ++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^$") ++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^$") ++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^$") ++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^$") ++ + ################################################################ + + if __name__ == '__main__': +#diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +#new file mode 100644 +#index 0000000000000..7df65a156feab +#--- /dev/null +#+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +#@@ -0,0 +1,2 @@ +#+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and +#+:class:`ctypes.c_longdouble` values. +diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c +index a9b8675cd951b..de75918d49f37 100644 +--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -484,58 +484,47 @@ is_literal_char(unsigned char c) + static PyObject * + PyCArg_repr(PyCArgObject *self) + { +- char buffer[256]; + switch(self->tag) { + case 'b': + case 'B': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.b); +- break; + case 'h': + case 'H': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.h); +- break; + case 'i': + case 'I': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.i); +- break; + case 'l': + case 'L': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.l); +- break; + + case 'q': + case 'Q': +- sprintf(buffer, +-#ifdef MS_WIN32 +- "", +-#else +- "", +-#endif ++ return PyUnicode_FromFormat("", + self->tag, self->value.q); +- break; + case 'd': +- sprintf(buffer, "", +- self->tag, self->value.d); +- break; +- case 'f': +- sprintf(buffer, "", +- self->tag, self->value.f); +- break; +- ++ case 'f': { ++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); ++ if (f == NULL) { ++ return NULL; ++ } ++ PyObject *result = PyUnicode_FromFormat("", self->tag, f); ++ Py_DECREF(f); ++ return result; ++ } + case 'c': + if (is_literal_char((unsigned char)self->value.c)) { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.c); + } + else { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, (unsigned char)self->value.c); + } +- break; + + /* Hm, are these 'z' and 'Z' codes useful at all? + Shouldn't they be replaced by the functionality of c_string +@@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.p); + break; + + default: + if (is_literal_char((unsigned char)self->tag)) { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + (unsigned char)self->tag, (void *)self); + } + else { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + (unsigned char)self->tag, (void *)self); + } +- break; + } +- return PyUnicode_FromString(buffer); + } + + static PyMemberDef PyCArgType_members[] = { diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 730c371fda..5c5be0d78c 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -364,6 +364,7 @@ data types.") (define-public python-3.8 (package (inherit python-2) (name "python") + (replacement python-3.8/fixed) (version "3.8.2") (source (origin (method url-fetch) @@ -521,6 +522,14 @@ data types.") (version-major+minor version) "/site-packages")))))))) +(define python-3.8/fixed + (package + (inherit python-3.8) + (source (origin + (inherit (package-source python-3.8)) + (patches (append (search-patches "python-3.8-CVE-2021-3177.patch") + (origin-patches (package-source python-3.8)))))))) + (define-public python-3.9 (package (inherit python-3.8) (name "python-next") -- cgit 1.4.1 From 66fa2d318a1e4da3679fa1c5a70cd3972dc0efbf Mon Sep 17 00:00:00 2001 From: Jelle Licht Date: Tue, 16 Feb 2021 23:28:58 +0100 Subject: gnu: http-parser: Update to 2.9.4-1.ec8b5ee [fixes CVE-2020-8287]. Fixes CVE-2020-8287. * gnu/packages/web.scm (http-parser): Update to 2.9.4-1.ec8b5ee. [source]: Add patch to mitigate CVE. * gnu/packages/patches/patches/http-parser-CVE-2020-8287.patch: New file. * gnu/local.mk [dist_patch_DATA]: New patch. --- gnu/local.mk | 1 + .../patches/http-parser-CVE-2020-8287.patch | 75 ++++++++++++ gnu/packages/web.scm | 136 +++++++++++---------- 3 files changed, 146 insertions(+), 66 deletions(-) create mode 100644 gnu/packages/patches/http-parser-CVE-2020-8287.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index ae5a65cfcf..ab0c1b0e97 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1164,6 +1164,7 @@ dist_patch_DATA = \ %D%/packages/patches/hdf-eos5-remove-gctp.patch \ %D%/packages/patches/hdf-eos5-fix-szip.patch \ %D%/packages/patches/hdf-eos5-fortrantests.patch \ + %D%/packages/patches/http-parser-CVE-2020-8287.patch \ %D%/packages/patches/http-parser-fix-assertion-on-armhf.patch \ %D%/packages/patches/hubbub-sort-entities.patch \ %D%/packages/patches/hurd-cross.patch \ diff --git a/gnu/packages/patches/http-parser-CVE-2020-8287.patch b/gnu/packages/patches/http-parser-CVE-2020-8287.patch new file mode 100644 index 0000000000..580f773099 --- /dev/null +++ b/gnu/packages/patches/http-parser-CVE-2020-8287.patch @@ -0,0 +1,75 @@ +From fc70ce08f5818a286fb5899a1bc3aff5965a745e Mon Sep 17 00:00:00 2001 +From: Fedor Indutny +Date: Wed, 18 Nov 2020 20:50:21 -0800 +Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding` + +Duplicate `Transfer-Encoding` header should be a treated as a single, +but with original header values concatenated with a comma separator. In +the light of this, even if the past `Transfer-Encoding` ended with +`chunked`, we should be not let the `F_CHUNKED` to leak into the next +header, because mere presence of another header indicates that `chunked` +is not the last transfer-encoding token. + +CVE-ID: CVE-2020-8287 +PR-URL: https://github.com/nodejs-private/node-private/pull/235 +Reviewed-By: Fedor Indutny +--- + http_parser.c | 7 +++++++ + test.c | 26 ++++++++++++++++++++++++++ + 2 files changed, 33 insertions(+) + +diff --git a/http_parser.c b/http_parser.c +index 9be003e7322..e9b2b9e83b9 100644 +--- a/http_parser.c ++++ b/http_parser.c +@@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser, + } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) { + parser->header_state = h_transfer_encoding; + parser->uses_transfer_encoding = 1; ++ ++ /* Multiple `Transfer-Encoding` headers should be treated as ++ * one, but with values separate by a comma. ++ * ++ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2 ++ */ ++ parser->flags &= ~F_CHUNKED; + } + break; + +diff --git a/test.c b/test.c +index 3f7c77b3494..2e5a9ebd678 100644 +--- a/test.c ++++ b/test.c +@@ -2154,6 +2154,32 @@ const struct message responses[] = + ,.body= "2\r\nOK\r\n0\r\n\r\n" + ,.num_chunks_complete= 0 + } ++#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30 ++, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding" ++ ,.type= HTTP_RESPONSE ++ ,.raw= "HTTP/1.1 200 OK\r\n" ++ "Transfer-Encoding: chunked\r\n" ++ "Transfer-Encoding: identity\r\n" ++ "\r\n" ++ "2\r\n" ++ "OK\r\n" ++ "0\r\n" ++ "\r\n" ++ ,.should_keep_alive= FALSE ++ ,.message_complete_on_eof= TRUE ++ ,.http_major= 1 ++ ,.http_minor= 1 ++ ,.status_code= 200 ++ ,.response_status= "OK" ++ ,.content_length= -1 ++ ,.num_headers= 2 ++ ,.headers= ++ { { "Transfer-Encoding", "chunked" } ++ , { "Transfer-Encoding", "identity" } ++ } ++ ,.body= "2\r\nOK\r\n0\r\n\r\n" ++ ,.num_chunks_complete= 0 ++ } + }; + + /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index e4ba0d5bf9..010e01debb 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -6162,78 +6162,82 @@ into your tests. It automatically starts up a HTTP server in a separate thread (license license:expat))) (define-public http-parser - (package - (name "http-parser") - (version "2.9.4") - (home-page "https://github.com/nodejs/http-parser") - (source - (origin - (method git-fetch) - (uri (git-reference (url home-page) - (commit (string-append "v" version)))) - (sha256 - (base32 "1vda4dp75pjf5fcph73sy0ifm3xrssrmf927qd1x8g3q46z0cv6c")) - (file-name (git-file-name name version)) - (patches - (list - (origin - ;; Treat an empty port (e.g. `http://hostname:/`) when parsing - ;; URLs as if no port were specified. This patch is applied - ;; to Fedora's http-parser and to libgit2's bundled version. - (method url-fetch) - (uri (string-append - "https://src.fedoraproject.org/rpms/http-parser/raw/" - "e89b4c4e2874c19079a5a1a2d2ccc61b551aa289/" - "f/0001-url-treat-empty-port-as-default.patch")) - (sha256 - (base32 - "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g"))))))) - (build-system gnu-build-system) - (arguments - `(#:test-target "test" - #:make-flags - (list (string-append "PREFIX=" - (assoc-ref %outputs "out")) - "library" - ,@(if (%current-target-system) - '() - '("CC=gcc"))) - #:phases - (modify-phases %standard-phases - ,@(match (%current-system) + (let ((commit "ec8b5ee63f0e51191ea43bb0c6eac7bfbff3141d") + (revision "1")) + (package + (name "http-parser") + (version (git-version "2.9.4" revision commit)) + (home-page "https://github.com/nodejs/http-parser") + (source + (origin + (method git-fetch) + (uri (git-reference (url home-page) + (commit commit))) + (sha256 + (base32 "0f297hrbx0kvy3qwgm9rhmbnjww6iljlcz9grsc9d4km1qj1071i")) + (file-name (git-file-name name version)) + (patches + (append + (search-patches "http-parser-CVE-2020-8287.patch") + (list + (origin + ;; Treat an empty port (e.g. `http://hostname:/`) when parsing + ;; URLs as if no port were specified. This patch is applied + ;; to Fedora's http-parser and to libgit2's bundled version. + (method url-fetch) + (uri (string-append + "https://src.fedoraproject.org/rpms/http-parser/raw/" + "e89b4c4e2874c19079a5a1a2d2ccc61b551aa289/" + "f/0001-url-treat-empty-port-as-default.patch")) + (sha256 + (base32 + "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g")))))))) + (build-system gnu-build-system) + (arguments + `(#:test-target "test" + #:make-flags + (list (string-append "PREFIX=" + (assoc-ref %outputs "out")) + "library" + ,@(if (%current-target-system) + '() + '("CC=gcc"))) + #:phases + (modify-phases %standard-phases + ,@(match (%current-system) + ("armhf-linux" + '((add-before 'check 'apply-assertion.patch + (lambda* (#:key inputs #:allow-other-keys) + (let ((patch (assoc-ref inputs "assertion.patch"))) + (invoke "patch" "-p1" "-i" patch) + #t))))) + (_ '())) + ,@(if (%current-target-system) + '((replace 'configure + (lambda* (#:key target #:allow-other-keys) + (substitute* (find-files "." "Makefile") + (("CC\\?=.*$") + (string-append "CC=" target "-gcc\n")) + (("AR\\?=.*$") + (string-append "AR=" target "-ar\n"))) + #t))) + '((delete 'configure)))))) + (native-inputs + `(,@(match (%current-system) ("armhf-linux" - '((add-before 'check 'apply-assertion.patch - (lambda* (#:key inputs #:allow-other-keys) - (let ((patch (assoc-ref inputs "assertion.patch"))) - (invoke "patch" "-p1" "-i" patch) - #t))))) - (_ '())) - ,@(if (%current-target-system) - '((replace 'configure - (lambda* (#:key target #:allow-other-keys) - (substitute* (find-files "." "Makefile") - (("CC\\?=.*$") - (string-append "CC=" target "-gcc\n")) - (("AR\\?=.*$") - (string-append "AR=" target "-ar\n"))) - #t))) - '((delete 'configure)))))) - (native-inputs - `(,@(match (%current-system) - ("armhf-linux" - ;; A fix for which in turn - ;; breaks i686-linux builds. - `(("assertion.patch" - ,@(search-patches "http-parser-fix-assertion-on-armhf.patch")))) - (_ '())))) - (synopsis "HTTP request/response parser for C") - (description "This is a parser for HTTP messages written in C. It parses + ;; A fix for which in turn + ;; breaks i686-linux builds. + `(("assertion.patch" + ,@(search-patches "http-parser-fix-assertion-on-armhf.patch")))) + (_ '())))) + (synopsis "HTTP request/response parser for C") + (description "This is a parser for HTTP messages written in C. It parses both requests and responses. The parser is designed to be used in high-performance HTTP applications. It does not make any syscalls nor allocations, it does not buffer data, it can be interrupted at anytime. Depending on your architecture, it only requires about 40 bytes of data per message stream (in a web server that is per connection).") - (license license:expat))) + (license license:expat)))) (define-public python-httpretty (package -- cgit 1.4.1 From b5586c666e13988ce7ec983907ffb06a564f1d4f Mon Sep 17 00:00:00 2001 From: Mathieu Othacehe Date: Wed, 24 Feb 2021 16:33:18 +0100 Subject: gnu: http-server: Fix build on i686-linux. * gnu/packages/patches/http-parser-fix-assertion-on-armhf.patch: Remove it. * gnu/local.mk (dist_patch_DATA): Update it. * gnu/packages/web.scm (http-parser)[source]: Remove a test assertion failing on i686-linux. [arguments]: Remove the "assertion.patch" that is merged upstream. [native-inputs]: Ditto. [synopsis]: Wrap it. --- gnu/local.mk | 1 - .../http-parser-fix-assertion-on-armhf.patch | 39 ---------------------- gnu/packages/web.scm | 30 ++++++----------- 3 files changed, 11 insertions(+), 59 deletions(-) delete mode 100644 gnu/packages/patches/http-parser-fix-assertion-on-armhf.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index ab0c1b0e97..8d46cda639 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1165,7 +1165,6 @@ dist_patch_DATA = \ %D%/packages/patches/hdf-eos5-fix-szip.patch \ %D%/packages/patches/hdf-eos5-fortrantests.patch \ %D%/packages/patches/http-parser-CVE-2020-8287.patch \ - %D%/packages/patches/http-parser-fix-assertion-on-armhf.patch \ %D%/packages/patches/hubbub-sort-entities.patch \ %D%/packages/patches/hurd-cross.patch \ %D%/packages/patches/hurd-xattr.patch \ diff --git a/gnu/packages/patches/http-parser-fix-assertion-on-armhf.patch b/gnu/packages/patches/http-parser-fix-assertion-on-armhf.patch deleted file mode 100644 index 79bd3e8dbc..0000000000 --- a/gnu/packages/patches/http-parser-fix-assertion-on-armhf.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Tobias Geerinckx-Rice -Date: Wed, 20 May 2020 19:17:13 +0200 -Subject: [PATCH] gnu: http-client: Fix assertion on armhf-linux. - -Copied verbatim from [0] to fix guix pull[1] on ARM systems. - -[0]: https://github.com/nodejs/http-parser/pull/510 -[1]: https://issues.guix.gnu.org/40604 - -From 0e5868aebb9eb92b078d27bb2774c2154dc167e2 Mon Sep 17 00:00:00 2001 -From: Ben Noordhuis -Date: Thu, 30 Apr 2020 11:22:50 +0200 -Subject: [PATCH] Fix sizeof(http_parser) assert - -The result should be 32 on both 32 bits and 64 bits architectures -because of struct padding. - -Fixes: https://github.com/nodejs/http-parser/issues/507 ---- - test.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/test.c b/test.c -index 7983424..f60a84f 100644 ---- a/test.c -+++ b/test.c -@@ -4220,8 +4220,11 @@ main (void) - patch = version & 255; - printf("http_parser v%u.%u.%u (0x%06lx)\n", major, minor, patch, version); - -+ /* Should be 32 on both 32 bits and 64 bits architectures because of -+ * struct padding, see https://github.com/nodejs/http-parser/issues/507. -+ */ - printf("sizeof(http_parser) = %u\n", (unsigned int)sizeof(http_parser)); -- assert(sizeof(http_parser) == 4 + 4 + 8 + 2 + 2 + 4 + sizeof(void *)); -+ assert(sizeof(http_parser) == 32); - - //// API - test_preserve_data(); diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index b3c0831ac4..e9a17f3b78 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -6191,7 +6191,15 @@ into your tests. It automatically starts up a HTTP server in a separate thread "f/0001-url-treat-empty-port-as-default.patch")) (sha256 (base32 - "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g")))))))) + "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g")))))) + (modules '((guix build utils))) + (snippet + '(begin + ;; This assertion fails when building for i686-linux. + (substitute* "test.c" + (("assert\\(sizeof\\(http_parser\\) == 32\\);") + "assert(1);")) + #t)))) (build-system gnu-build-system) (arguments `(#:test-target "test" @@ -6204,14 +6212,6 @@ into your tests. It automatically starts up a HTTP server in a separate thread '("CC=gcc"))) #:phases (modify-phases %standard-phases - ,@(match (%current-system) - ("armhf-linux" - '((add-before 'check 'apply-assertion.patch - (lambda* (#:key inputs #:allow-other-keys) - (let ((patch (assoc-ref inputs "assertion.patch"))) - (invoke "patch" "-p1" "-i" patch) - #t))))) - (_ '())) ,@(if (%current-target-system) '((replace 'configure (lambda* (#:key target #:allow-other-keys) @@ -6222,17 +6222,9 @@ into your tests. It automatically starts up a HTTP server in a separate thread (string-append "AR=" target "-ar\n"))) #t))) '((delete 'configure)))))) - (native-inputs - `(,@(match (%current-system) - ("armhf-linux" - ;; A fix for which in turn - ;; breaks i686-linux builds. - `(("assertion.patch" - ,@(search-patches "http-parser-fix-assertion-on-armhf.patch")))) - (_ '())))) (synopsis "HTTP request/response parser for C") - (description "This is a parser for HTTP messages written in C. It parses -both requests and responses. The parser is designed to be used in + (description "This is a parser for HTTP messages written in C. It +parses both requests and responses. The parser is designed to be used in high-performance HTTP applications. It does not make any syscalls nor allocations, it does not buffer data, it can be interrupted at anytime. Depending on your architecture, it only requires about 40 bytes of data per -- cgit 1.4.1 From 10b909a0249fd53d589890b357232db4165690f5 Mon Sep 17 00:00:00 2001 From: Greg Hogan Date: Wed, 24 Feb 2021 14:12:28 +0000 Subject: gnu: Python 3.9: Update to 3.9.2. * gnu/packages/python.scm (python-3.9): Update to 3.9.2. [source]: Remove obsolete patch. * gnu/packages/patches/python-3.9-CVE-2021-3177.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. Signed-off-by: Leo Famulari --- gnu/local.mk | 1 - .../patches/python-3.9-CVE-2021-3177.patch | 194 --------------------- gnu/packages/python.scm | 6 +- 3 files changed, 3 insertions(+), 198 deletions(-) delete mode 100644 gnu/packages/patches/python-3.9-CVE-2021-3177.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 8d46cda639..8d1465158a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1526,7 +1526,6 @@ dist_patch_DATA = \ %D%/packages/patches/python-3.8-fix-tests.patch \ %D%/packages/patches/python-3.8-CVE-2021-3177.patch \ %D%/packages/patches/python-3.9-fix-tests.patch \ - %D%/packages/patches/python-3.9-CVE-2021-3177.patch \ %D%/packages/patches/python-CVE-2018-14647.patch \ %D%/packages/patches/python-CVE-2020-26116.patch \ %D%/packages/patches/python-aionotify-0.2.0-py3.8.patch \ diff --git a/gnu/packages/patches/python-3.9-CVE-2021-3177.patch b/gnu/packages/patches/python-3.9-CVE-2021-3177.patch deleted file mode 100644 index 155f17deca..0000000000 --- a/gnu/packages/patches/python-3.9-CVE-2021-3177.patch +++ /dev/null @@ -1,194 +0,0 @@ -Fix CVE-2021-3177 for Python 3.9: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177 - -Patch copied from upstream source repository: - -https://github.com/python/cpython/commit/c347cbe694743cee120457aa6626712f7799a932 - -From c347cbe694743cee120457aa6626712f7799a932 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 18 Jan 2021 13:29:31 -0800 -Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode - formatting in ctypes param reprs. (GH-24247) - -(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) - -Co-authored-by: Benjamin Peterson - -Co-authored-by: Benjamin Peterson ---- - Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ - .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + - Modules/_ctypes/callproc.c | 51 +++++++------------ - 3 files changed, 64 insertions(+), 32 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst - -diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py -index e4c25fd880cef..531894fdec838 100644 ---- a/Lib/ctypes/test/test_parameters.py -+++ b/Lib/ctypes/test/test_parameters.py -@@ -201,6 +201,49 @@ def __dict__(self): - with self.assertRaises(ZeroDivisionError): - WorseStruct().__setstate__({}, b'foo') - -+ def test_parameter_repr(self): -+ from ctypes import ( -+ c_bool, -+ c_char, -+ c_wchar, -+ c_byte, -+ c_ubyte, -+ c_short, -+ c_ushort, -+ c_int, -+ c_uint, -+ c_long, -+ c_ulong, -+ c_longlong, -+ c_ulonglong, -+ c_float, -+ c_double, -+ c_longdouble, -+ c_char_p, -+ c_wchar_p, -+ c_void_p, -+ ) -+ self.assertRegex(repr(c_bool.from_param(True)), r"^$") -+ self.assertEqual(repr(c_char.from_param(97)), "") -+ self.assertRegex(repr(c_wchar.from_param('a')), r"^$") -+ self.assertEqual(repr(c_byte.from_param(98)), "") -+ self.assertEqual(repr(c_ubyte.from_param(98)), "") -+ self.assertEqual(repr(c_short.from_param(511)), "") -+ self.assertEqual(repr(c_ushort.from_param(511)), "") -+ self.assertRegex(repr(c_int.from_param(20000)), r"^$") -+ self.assertRegex(repr(c_uint.from_param(20000)), r"^$") -+ self.assertRegex(repr(c_long.from_param(20000)), r"^$") -+ self.assertRegex(repr(c_ulong.from_param(20000)), r"^$") -+ self.assertRegex(repr(c_longlong.from_param(20000)), r"^$") -+ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^$") -+ self.assertEqual(repr(c_float.from_param(1.5)), "") -+ self.assertEqual(repr(c_double.from_param(1.5)), "") -+ self.assertEqual(repr(c_double.from_param(1e300)), "") -+ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^$") -+ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^$") -+ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^$") -+ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^$") -+ - ################################################################ - - if __name__ == '__main__': -diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst -new file mode 100644 -index 0000000000000..7df65a156feab ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst -@@ -0,0 +1,2 @@ -+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and -+:class:`ctypes.c_longdouble` values. -diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c -index b0a36a30248f7..f2506de54498e 100644 ---- a/Modules/_ctypes/callproc.c -+++ b/Modules/_ctypes/callproc.c -@@ -489,58 +489,47 @@ is_literal_char(unsigned char c) - static PyObject * - PyCArg_repr(PyCArgObject *self) - { -- char buffer[256]; - switch(self->tag) { - case 'b': - case 'B': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.b); -- break; - case 'h': - case 'H': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.h); -- break; - case 'i': - case 'I': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.i); -- break; - case 'l': - case 'L': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.l); -- break; - - case 'q': - case 'Q': -- sprintf(buffer, --#ifdef MS_WIN32 -- "", --#else -- "", --#endif -+ return PyUnicode_FromFormat("", - self->tag, self->value.q); -- break; - case 'd': -- sprintf(buffer, "", -- self->tag, self->value.d); -- break; -- case 'f': -- sprintf(buffer, "", -- self->tag, self->value.f); -- break; -- -+ case 'f': { -+ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); -+ if (f == NULL) { -+ return NULL; -+ } -+ PyObject *result = PyUnicode_FromFormat("", self->tag, f); -+ Py_DECREF(f); -+ return result; -+ } - case 'c': - if (is_literal_char((unsigned char)self->value.c)) { -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.c); - } - else { -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, (unsigned char)self->value.c); - } -- break; - - /* Hm, are these 'z' and 'Z' codes useful at all? - Shouldn't they be replaced by the functionality of c_string -@@ -549,22 +538,20 @@ PyCArg_repr(PyCArgObject *self) - case 'z': - case 'Z': - case 'P': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.p); - break; - - default: - if (is_literal_char((unsigned char)self->tag)) { -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - (unsigned char)self->tag, (void *)self); - } - else { -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - (unsigned char)self->tag, (void *)self); - } -- break; - } -- return PyUnicode_FromString(buffer); - } - - static PyMemberDef PyCArgType_members[] = { diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 5c5be0d78c..9d97050c66 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -59,6 +59,7 @@ ;;; Copyright © 2018 Vagrant Cascadian ;;; Copyright © 2019 Tanguy Le Carrour ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen +;;; Copyright © 2021 Greg Hogan ;;; ;;; This file is part of GNU Guix. ;;; @@ -533,19 +534,18 @@ data types.") (define-public python-3.9 (package (inherit python-3.8) (name "python-next") - (version "3.9.1") + (version "3.9.2") (source (origin (method url-fetch) (uri (string-append "https://www.python.org/ftp/python/" version "/Python-" version ".tar.xz")) (patches (search-patches "python-3.9-fix-tests.patch" - "python-3.9-CVE-2021-3177.patch" "python-3-deterministic-build-info.patch" "python-3-search-paths.patch")) (sha256 (base32 - "1zq3k4ymify5ig739zyvx9s2ainvchxb1zpy139z74krr653y74r")) + "0z94vv5qhlwvcgc4sy9sdiqs0220s84wx3b62vslh5419z2k881w")) (modules '((guix build utils))) (snippet '(begin -- cgit 1.4.1 From 83a614b6c3dfebee653e656c62635e65faf9e15a Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Sun, 28 Feb 2021 03:03:39 +0100 Subject: gnu: wpa-supplicant, hostapd: Fix CVE-2021-27803. See . * gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/admin.scm (wpa-supplicant-minimal, hostapd): Apply it. --- gnu/local.mk | 1 + gnu/packages/admin.scm | 8 +++- .../patches/wpa-supplicant-CVE-2021-27803.patch | 50 ++++++++++++++++++++++ 3 files changed, 57 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 8d1465158a..f8ff065242 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1730,6 +1730,7 @@ dist_patch_DATA = \ %D%/packages/patches/wordnet-CVE-2008-2149.patch \ %D%/packages/patches/wordnet-CVE-2008-3908-pt1.patch \ %D%/packages/patches/wordnet-CVE-2008-3908-pt2.patch \ + %D%/packages/patches/wpa-supplicant-CVE-2021-27803.patch \ %D%/packages/patches/x265-arm-flags.patch \ %D%/packages/patches/xf86-video-ark-remove-mibstore.patch \ %D%/packages/patches/xf86-video-mach64-glibc-2.20.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index cf27eea084..2ca99774b8 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -1656,7 +1656,9 @@ features of sudo with a fraction of the codebase.") ;; Disable D-Bus to save ~14MiB on the closure size. (("^CONFIG_CTRL_IFACE_DBUS" line _) (string-append "#" line))) - #t)))) + #t)) + (patches + (search-patches "wpa-supplicant-CVE-2021-27803.patch")))) (build-system gnu-build-system) (arguments `(#:phases @@ -1820,7 +1822,9 @@ command.") ".tar.gz")) (sha256 (base32 - "1mrbvg4v7vm7mknf0n29mf88k3s4a4qj6r4d51wq8hmjj1m7s7c8")))) + "1mrbvg4v7vm7mknf0n29mf88k3s4a4qj6r4d51wq8hmjj1m7s7c8")) + (patches + (search-patches "wpa-supplicant-CVE-2021-27803.patch")))) (build-system gnu-build-system) (arguments `(#:phases diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch b/gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch new file mode 100644 index 0000000000..1942bb3d55 --- /dev/null +++ b/gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch @@ -0,0 +1,50 @@ +From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Tue, 8 Dec 2020 23:52:50 +0200 +Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request + +p2p_add_device() may remove the oldest entry if there is no room in the +peer table for a new peer. This would result in any pointer to that +removed entry becoming stale. A corner case with an invalid PD Request +frame could result in such a case ending up using (read+write) freed +memory. This could only by triggered when the peer table has reached its +maximum size and the PD Request frame is received from the P2P Device +Address of the oldest remaining entry and the frame has incorrect P2P +Device Address in the payload. + +Fix this by fetching the dev pointer again after having called +p2p_add_device() so that the stale pointer cannot be used. + +Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") +Signed-off-by: Jouni Malinen +--- + src/p2p/p2p_pd.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c +index 3994ec03f86b..05fd593494ef 100644 +--- a/src/p2p/p2p_pd.c ++++ b/src/p2p/p2p_pd.c +@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa, + goto out; + } + ++ dev = p2p_get_device(p2p, sa); + if (!dev) { +- dev = p2p_get_device(p2p, sa); +- if (!dev) { +- p2p_dbg(p2p, +- "Provision Discovery device not found " +- MACSTR, MAC2STR(sa)); +- goto out; +- } ++ p2p_dbg(p2p, ++ "Provision Discovery device not found " ++ MACSTR, MAC2STR(sa)); ++ goto out; + } + } else if (msg.wfd_subelems) { + wpabuf_free(dev->info.wfd_subelems); +-- +2.25.1 + -- cgit 1.4.1 From 9c30f26b8dca1be5b0cdaeea04a3484905cfd4f2 Mon Sep 17 00:00:00 2001 From: 宋文武 Date: Wed, 17 Feb 2021 19:50:33 +0800 Subject: gnu: retroarch: Update to 1.9.0. * gnu/packages/emulators.scm (retroarch): Update to 1.9.0. [source]: Remove 'retroarch-disable-online-updater.patch' and snippet. Add 'retroarch-LIBRETRO_DIRECTORY.patch'. [native-search-paths]: New field. * gnu/packages/patches/retroarch-disable-online-updater.patch: Remove file. * gnu/packages/patches/retroarch-LIBRETRO_DIRECTORY: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. --- gnu/local.mk | 2 +- gnu/packages/emulators.scm | 24 ++++++------- .../patches/retroarch-LIBRETRO_DIRECTORY.patch | 32 +++++++++++++++++ .../patches/retroarch-disable-online-updater.patch | 41 ---------------------- 4 files changed, 44 insertions(+), 55 deletions(-) create mode 100644 gnu/packages/patches/retroarch-LIBRETRO_DIRECTORY.patch delete mode 100644 gnu/packages/patches/retroarch-disable-online-updater.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index f8ff065242..76bb7ef1f0 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1592,7 +1592,7 @@ dist_patch_DATA = \ %D%/packages/patches/rtags-separate-rct.patch \ %D%/packages/patches/racket-store-checksum-override.patch \ %D%/packages/patches/remake-impure-dirs.patch \ - %D%/packages/patches/retroarch-disable-online-updater.patch \ + %D%/packages/patches/retroarch-LIBRETRO_DIRECTORY.patch \ %D%/packages/patches/rnp-add-version.cmake.patch \ %D%/packages/patches/rnp-disable-ruby-rnp-tests.patch \ %D%/packages/patches/rnp-unbundle-googletest.patch \ diff --git a/gnu/packages/emulators.scm b/gnu/packages/emulators.scm index 6c044e3397..dcbffa0a28 100644 --- a/gnu/packages/emulators.scm +++ b/gnu/packages/emulators.scm @@ -1273,7 +1273,7 @@ as RetroArch.") (define-public retroarch (package (name "retroarch") - (version "1.8.1") + (version "1.9.0") (source (origin (method git-fetch) @@ -1282,18 +1282,9 @@ as RetroArch.") (commit (string-append "v" version)))) (file-name (git-file-name name version)) (sha256 - (base32 "0y7rcpz7psf8k3agsrq277jdm651vbnn9xpqvmj2in1a786idya7")) + (base32 "1n0dcv85vqrdr79psnf009hi4r2mvsgsjbghrrc9pm5g7ywwwcvp")) (patches - (search-patches "retroarch-disable-online-updater.patch")) - (modules '((guix build utils))) - (snippet - '(begin - ;; Don't suggest using the Online Updater if available: it never - ;; is. This disables translation of this particular message. - (substitute* (find-files "menu/drivers" "\\.c$") - (("msg_hash_to_str\\(MSG_MISSING_ASSETS\\)") - "\"Warning: Missing assets, go get some\"")) - #t)))) + (search-patches "retroarch-LIBRETRO_DIRECTORY.patch")))) (build-system gnu-build-system) (arguments `(#:tests? #f ; no tests @@ -1328,7 +1319,9 @@ as RetroArch.") '("--enable-neon" "--enable-floathard") '()) (string-append "--prefix=" out) - (string-append "--global-config-dir=" etc) + ;; Non-free software are available through the core updater, + ;; disable it. See . + "--disable-update_cores" "--disable-builtinminiupnpc"))))))) (inputs `(("alsa-lib" ,alsa-lib) @@ -1354,6 +1347,11 @@ as RetroArch.") `(("pkg-config" ,pkg-config) ("wayland-protocols" ,wayland-protocols) ("which" ,which))) + (native-search-paths + (list (search-path-specification + (variable "LIBRETRO_DIRECTORY") + (separator #f) ; single entry + (files '("lib/libretro"))))) (home-page "https://www.libretro.com/") (synopsis "Reference frontend for the libretro API") (description diff --git a/gnu/packages/patches/retroarch-LIBRETRO_DIRECTORY.patch b/gnu/packages/patches/retroarch-LIBRETRO_DIRECTORY.patch new file mode 100644 index 0000000000..30515cbe48 --- /dev/null +++ b/gnu/packages/patches/retroarch-LIBRETRO_DIRECTORY.patch @@ -0,0 +1,32 @@ +From f308dc91660954ab88bb41868c0b9809592923e6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= +Date: Sat, 20 Feb 2021 20:37:39 +0800 +Subject: [PATCH] Allow set libretro_directory via environment variable + +--- + retroarch.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/retroarch.c b/retroarch.c +index 6a88c3108e..6807c12b5b 100644 +--- a/retroarch.c ++++ b/retroarch.c +@@ -36038,6 +36038,15 @@ static void retroarch_parse_input_and_config( + #endif + config_load(&p_rarch->g_extern); + ++ /* Override settings via environment variables */ ++ if (getenv("LIBRETRO_DIRECTORY")) { ++ settings_t *settings = p_rarch->configuration_settings; ++ retroarch_override_setting_set(RARCH_OVERRIDE_SETTING_LIBRETRO_DIRECTORY, NULL); ++ configuration_set_string(settings, ++ settings->paths.directory_libretro, ++ getenv("LIBRETRO_DIRECTORY")); ++ } ++ + /* Second pass: All other arguments override the config file */ + optind = 1; + +-- +2.30.0 + diff --git a/gnu/packages/patches/retroarch-disable-online-updater.patch b/gnu/packages/patches/retroarch-disable-online-updater.patch deleted file mode 100644 index ea74cc5409..0000000000 --- a/gnu/packages/patches/retroarch-disable-online-updater.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Tobias Geerinckx-Rice -Date: Fri, 29 Nov 2019 20:32:54 +0100 -Subject: [PATCH]: gnu: retroarch: Disable the on-line updater. - -This disables the entire ‘Online Updater’ sub-menu to address -. Perhaps that is more than is -necessary. - -diff -Naur a/menu/menu_displaylist.c b/menu/menu_displaylist.c ---- a/menu/menu_displaylist.c 1970-01-01 01:00:01.000000000 +0100 -+++ b/menu/menu_displaylist.c 2019-11-29 18:35:27.467948854 +0100 -@@ -8444,11 +8444,6 @@ - MENU_ENUM_LABEL_NETPLAY, - PARSE_ACTION, false) == 0) - count++; -- if (settings->bools.menu_show_online_updater) -- if (menu_displaylist_parse_settings_enum(info->list, -- MENU_ENUM_LABEL_ONLINE_UPDATER, -- PARSE_ACTION, false) == 0) -- count++; - if (menu_displaylist_parse_settings_enum(info->list, - MENU_ENUM_LABEL_SETTINGS, PARSE_ACTION, false) == 0) - count++; -diff -Naur retroarch.a/menu/menu_setting.c retroarch.c/menu/menu_setting.c ---- a/menu/menu_setting.c 1970-01-01 01:00:01.000000000 +0100 -+++ b/menu/menu_setting.c 2019-11-29 18:35:35.753957312 +0100 -@@ -7291,14 +7291,6 @@ - &group_info, - &subgroup_info, - parent_group); -- -- CONFIG_ACTION( -- list, list_info, -- MENU_ENUM_LABEL_ONLINE_UPDATER, -- MENU_ENUM_LABEL_VALUE_ONLINE_UPDATER, -- &group_info, -- &subgroup_info, -- parent_group); - #endif - - CONFIG_ACTION( -- cgit 1.4.1 From e05c0b334d55d1399303ce097f70eaa2ca3ad7df Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Sun, 28 Feb 2021 04:40:05 +0100 Subject: gnu: qemu: Fix CVE-2021-20203. * gnu/packages/patches/qemu-CVE-2021-20203.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/virtualization.scm (qemu): Apply it. --- gnu/local.mk | 1 + gnu/packages/patches/qemu-CVE-2021-20203.patch | 172 +++++++++++++++++++++++++ gnu/packages/virtualization.scm | 3 +- 3 files changed, 175 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/qemu-CVE-2021-20203.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 76bb7ef1f0..83753e6b4e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1561,6 +1561,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-waitress-fix-tests.patch \ %D%/packages/patches/pypy3-7.3.1-fix-tests.patch \ %D%/packages/patches/qemu-build-info-manual.patch \ + %D%/packages/patches/qemu-CVE-2021-20203.patch \ %D%/packages/patches/qemu-glibc-2.27.patch \ %D%/packages/patches/qpdfview-qt515-compat.patch \ %D%/packages/patches/qrcodegen-cpp-make-install.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2021-20203.patch b/gnu/packages/patches/qemu-CVE-2021-20203.patch new file mode 100644 index 0000000000..9d2ceaa649 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2021-20203.patch @@ -0,0 +1,172 @@ +From mboxrd@z Thu Jan 1 00:00:00 1970 +Return-Path: +X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on + aws-us-west-2-korg-lkml-1.web.codeaurora.org +X-Spam-Level: +X-Spam-Status: No, score=-10.8 required=3.0 tests=BAYES_00,DKIM_INVALID, + DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, + MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,UNWANTED_LANGUAGE_BODY, + URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 +Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) + by smtp.lore.kernel.org (Postfix) with ESMTP id 87556C433E0 + for ; Sat, 30 Jan 2021 13:20:40 +0000 (UTC) +Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) + (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) + (No client certificate requested) + by mail.kernel.org (Postfix) with ESMTPS id EF26964DE1 + for ; Sat, 30 Jan 2021 13:20:39 +0000 (UTC) +DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org EF26964DE1 +Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com +Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org +Received: from localhost ([::1]:42488 helo=lists1p.gnu.org) + by lists.gnu.org with esmtp (Exim 4.90_1) + (envelope-from ) + id 1l5qB3-0008CX-02 + for qemu-devel@archiver.kernel.org; Sat, 30 Jan 2021 08:20:37 -0500 +Received: from eggs.gnu.org ([2001:470:142:3::10]:45174) + by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) + (Exim 4.90_1) (envelope-from ) + id 1l5q9q-0007ld-1c + for qemu-devel@nongnu.org; Sat, 30 Jan 2021 08:19:22 -0500 +Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:42898) + by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) + (Exim 4.90_1) (envelope-from ) + id 1l5q9k-0007Ia-TV + for qemu-devel@nongnu.org; Sat, 30 Jan 2021 08:19:21 -0500 +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; + s=mimecast20190719; t=1612012753; + h=from:from:reply-to:subject:subject:date:date:message-id:message-id: + to:to:cc:cc:mime-version:mime-version:content-type:content-type: + content-transfer-encoding:content-transfer-encoding; + bh=7vu4z8M+bFjhFzEuAYsQG4i3APx7aMqv7tFxRRO5+8Q=; + b=egCsTdgVBnRlHnVN84HsSpNOUl/NkqEnGuv9rRdG2AZ1Fee5ZatpJm5zJ7YUW2HvzB4rtO + EaDIKaN1wzf/yHf0CsJ60TPGG3DqQSC/EsTSr2l/GNGq4prDYTXVrS3rXFu9ofByUVvzwU + q9Iy1X1Bh3S21m7jXY0AYx4Tu9Ikq9w= +Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com + [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id + us-mta-588-1JF7mzMfP1KpRpNKj4cAWQ-1; Sat, 30 Jan 2021 08:19:08 -0500 +X-MC-Unique: 1JF7mzMfP1KpRpNKj4cAWQ-1 +Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com + [10.5.11.22]) + (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) + (No client certificate requested) + by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8F0F439380; + Sat, 30 Jan 2021 13:19:07 +0000 (UTC) +Received: from localhost.localdomain (unknown [10.33.36.2]) + by smtp.corp.redhat.com (Postfix) with ESMTPS id 17D581002C11; + Sat, 30 Jan 2021 13:19:04 +0000 (UTC) +From: P J P +To: Dmitry Fleytman +Subject: [PATCH] net: vmxnet3: validate configuration values during activate + (CVE-2021-20203) +Date: Sat, 30 Jan 2021 18:46:52 +0530 +Message-Id: <20210130131652.954143-1-ppandit@redhat.com> +MIME-Version: 1.0 +X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 +Authentication-Results: relay.mimecast.com; + auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=ppandit@redhat.com +X-Mimecast-Spam-Score: 0 +X-Mimecast-Originator: redhat.com +Content-Transfer-Encoding: 8bit +Content-Type: text/plain; charset="US-ASCII" +Received-SPF: pass client-ip=63.128.21.124; envelope-from=ppandit@redhat.com; + helo=us-smtp-delivery-124.mimecast.com +X-Spam_score_int: -30 +X-Spam_score: -3.1 +X-Spam_bar: --- +X-Spam_report: (-3.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.255, + DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, + RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, + SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no +X-Spam_action: no action +X-BeenThere: qemu-devel@nongnu.org +X-Mailman-Version: 2.1.23 +Precedence: list +List-Id: +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +Cc: Gaoning Pan , QEMU Developers , + Prasad J Pandit +Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org +Sender: "Qemu-devel" + +Archived-At: +List-Archive: + +From: Prasad J Pandit + +While activating device in vmxnet3_acticate_device(), it does not +validate guest supplied configuration values against predefined +minimum - maximum limits. This may lead to integer overflow or +OOB access issues. Add checks to avoid it. + +Fixes: CVE-2021-20203 +Buglink: https://bugs.launchpad.net/qemu/+bug/1913873 +Reported-by: Gaoning Pan +Signed-off-by: Prasad J Pandit +--- + hw/net/vmxnet3.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index eff299f629..4a910ca971 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s) + vmxnet3_setup_rx_filtering(s); + /* Cache fields from shared memory */ + s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); ++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); + VMW_CFPRN("MTU is %u", s->mtu); + + s->max_rx_frags = +@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* Read rings memory locations for TX queues */ + pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); + size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); ++ if (size > VMXNET3_TX_RING_MAX_SIZE) { ++ size = VMXNET3_TX_RING_MAX_SIZE; ++ } + + vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, + sizeof(struct Vmxnet3_TxDesc), false); +@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* TXC ring */ + pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); + size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); ++ if (size > VMXNET3_TC_RING_MAX_SIZE) { ++ size = VMXNET3_TC_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, + sizeof(struct Vmxnet3_TxCompDesc), true); + VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring); +@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* RX rings */ + pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); + size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); ++ if (size > VMXNET3_RX_RING_MAX_SIZE) { ++ size = VMXNET3_RX_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, + sizeof(struct Vmxnet3_RxDesc), false); + VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d", +@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* RXC ring */ + pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); + size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); ++ if (size > VMXNET3_RC_RING_MAX_SIZE) { ++ size = VMXNET3_RC_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, + sizeof(struct Vmxnet3_RxCompDesc), true); + VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size); +-- +2.29.2 + + + diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index 8da57cf6ab..1f8c3beea0 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -141,7 +141,8 @@ (sha256 (base32 "1rd41wwlvp0vpialjp2czs6i3lsc338xc72l3zkbb7ixjfslw5y9")) - (patches (search-patches "qemu-build-info-manual.patch")) + (patches (search-patches "qemu-build-info-manual.patch" + "qemu-CVE-2021-20203.patch")) (modules '((guix build utils))) (snippet '(begin -- cgit 1.4.1 From 3505d86502c80fa390d2c6db103697307d596b0e Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Mon, 1 Mar 2021 02:56:51 +0100 Subject: gnu: openscad: Update to 2021.01 [maybe fixes TALOS-2020-1222, TALOS-2020-1223]. TALOS-2020-1222 has yet to be disclosed and has no known CVE number. TALOS-2020-1223 has CVE-2020-28599 assigned. * gnu/packages/engineering.scm (openscad): Update to 2021.01. [patches]: Remove. Boost 1.72 is supported now upstream. [arguments]: In replacement 'check phase, disable some tests requiring experimental "lazy-union" feature. Also disable PDF-related tests requiring ghostscript and failing either way. * gnu/local.mk (dist_patch_DATA): Remove patch. * gnu/packages/patches/openscad-parser-boost-1.72.patch: Ditto. --- gnu/local.mk | 1 - gnu/packages/engineering.scm | 18 ++++++++++----- .../patches/openscad-parser-boost-1.72.patch | 26 ---------------------- 3 files changed, 13 insertions(+), 32 deletions(-) delete mode 100644 gnu/packages/patches/openscad-parser-boost-1.72.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 83753e6b4e..0954158d4c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1429,7 +1429,6 @@ dist_patch_DATA = \ %D%/packages/patches/openssh-fix-ssh-copy-id.patch \ %D%/packages/patches/openssh-hurd.patch \ %D%/packages/patches/openresolv-restartcmd-guix.patch \ - %D%/packages/patches/openscad-parser-boost-1.72.patch \ %D%/packages/patches/opensles-add-license-file.patch \ %D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-1.1-c-rehash-in.patch \ diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm index fb6895f911..8517d2abde 100644 --- a/gnu/packages/engineering.scm +++ b/gnu/packages/engineering.scm @@ -2476,7 +2476,7 @@ specification can be downloaded at @url{http://3mf.io/specification/}.") (define-public openscad (package (name "openscad") - (version "2019.05") + (version "2021.01") (source (origin (method url-fetch) @@ -2484,9 +2484,7 @@ specification can be downloaded at @url{http://3mf.io/specification/}.") ".src.tar.gz")) (sha256 (base32 - "0nbgk5q5pgnw53la0kccdcpz2f4xf6d6076rkn0q08z57hkc85ha")) - (patches (search-patches - "openscad-parser-boost-1.72.patch")))) + "0n83szr88h8snccjrslr96mgw3f65x3sq726n6x5vxp5wybw4f6r")))) (build-system cmake-build-system) (inputs `(("boost" ,boost) @@ -2529,7 +2527,17 @@ specification can be downloaded at @url{http://3mf.io/specification/}.") (with-directory-excursion "tests" (invoke "cmake" ".") (invoke "make") - (invoke "ctest")) + (invoke "ctest" "--exclude-regex" + (string-join + (list + "astdumptest_allexpressions" + "echotest_function-literal-compare" + "echotest_function-literal-tests" + "echotest_allexpressions" + "lazyunion-*" + "pdfexporttest_centered" + "pdfexporttest_simple-pdf") + "|"))) ;; strip python test files since lib dir ends up in out/share (for-each delete-file (find-files "libraries/MCAD" ".*\\.py")) diff --git a/gnu/packages/patches/openscad-parser-boost-1.72.patch b/gnu/packages/patches/openscad-parser-boost-1.72.patch deleted file mode 100644 index 35311e6173..0000000000 --- a/gnu/packages/patches/openscad-parser-boost-1.72.patch +++ /dev/null @@ -1,26 +0,0 @@ -https://github.com/openscad/openscad/commit/b6c170cc5d.patch - -From b6c170cc5dd1bc677176ee732cdb0ddae57e5cf0 Mon Sep 17 00:00:00 2001 -From: Jan Beich -Date: Fri, 25 Oct 2019 15:10:26 +0000 -Subject: [PATCH] Add missing header bootlegged by Boost < 1.72 - -src/parser.y:76:6: error: no template named 'stack' in namespace 'std' -std::stack scope_stack; -~~~~~^ ---- - src/parser.y | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/parser.y b/src/parser.y -index 7f4fd56ca7..4c77c989ea 100644 ---- a/src/parser.y -+++ b/src/parser.y -@@ -46,6 +46,7 @@ - #include "printutils.h" - #include "memory.h" - #include -+#include - #include - #include "boost-utils.h" - #include "feature.h" -- cgit 1.4.1 From c48c69194fee468d2ac16ccc25f012312083bf89 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Tue, 2 Mar 2021 18:08:27 +0100 Subject: gnu: python-matplotlib: Fix running under Wayland with GTK3. * gnu/packages/python-xyz.scm (python-matplotlib)[source]: Add patch. * gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + .../python-matplotlib-run-under-wayland-gtk3.patch | 31 ++++++++++++++++++++++ gnu/packages/python-xyz.scm | 5 ++-- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 0954158d4c..81ca759503 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1539,6 +1539,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-pyfakefs-remove-bad-test.patch \ %D%/packages/patches/python-flint-includes.patch \ %D%/packages/patches/python-libxml2-utf8.patch \ + %D%/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch \ %D%/packages/patches/python-mediafile-wavpack.patch \ %D%/packages/patches/python-memcached-syntax-warnings.patch \ %D%/packages/patches/python-mox3-python3.6-compat.patch \ diff --git a/gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch b/gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch new file mode 100644 index 0000000000..6f067763b5 --- /dev/null +++ b/gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch @@ -0,0 +1,31 @@ +From: Tobias Geerinckx-Rice +Date: Tue, 02 Mar 2021 18:04:33 +0100 +Subject: [PATCH] gnu: python-matplotlib: Run under Wayland with GTK3. + +Adopted from upstream's fix[0] for +. + +[0]: https://github.com/liuyun88/matplotlib/commit/3d5000463bd23cb046681220f5511f07743f7d82 + +--- +diff -Naur a/lib/matplotlib/backends/backend_gtk3.py b/lib/matplotlib/backends/backend_gtk3.py +--- a/lib/matplotlib/backends/backend_gtk3.py 2019-11-21 23:47:05.000000000 +0100 ++++ b/lib/matplotlib/backends/backend_gtk3.py 2021-03-02 18:00:57.479929766 +0100 +@@ -42,11 +42,12 @@ + + try: ++ _display = Gdk.Display.get_default() + cursord = { +- cursors.MOVE : Gdk.Cursor.new(Gdk.CursorType.FLEUR), +- cursors.HAND : Gdk.Cursor.new(Gdk.CursorType.HAND2), +- cursors.POINTER : Gdk.Cursor.new(Gdk.CursorType.LEFT_PTR), +- cursors.SELECT_REGION : Gdk.Cursor.new(Gdk.CursorType.TCROSS), +- cursors.WAIT : Gdk.Cursor.new(Gdk.CursorType.WATCH), ++ cursors.MOVE : Gdk.Cursor.new_from_name(_display, "move"), ++ cursors.HAND : Gdk.Cursor.new_from_name(_display, "pointer"), ++ cursors.POINTER : Gdk.Cursor.new_from_name(_display, "default"), ++ cursors.SELECT_REGION : Gdk.Cursor.new_from_name(_display, "crosshair"), ++ cursors.WAIT : Gdk.Cursor.new_from_name(_display, "wait"), + } + except TypeError as exc: + # Happens when running headless. Convert to ImportError to cooperate with diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm index 01f1e66258..456cfea5c6 100644 --- a/gnu/packages/python-xyz.scm +++ b/gnu/packages/python-xyz.scm @@ -5131,8 +5131,9 @@ convert between colorspaces like sRGB, XYZ, CIEL*a*b*, CIECAM02, CAM02-UCS, etc. (method url-fetch) (uri (pypi-uri "matplotlib" version)) (sha256 - (base32 - "1nmshfqh7wyg15i16hx1yiylcvzkws29ivn66n3i0wyqwcpjr3lf")))) + (base32 "1nmshfqh7wyg15i16hx1yiylcvzkws29ivn66n3i0wyqwcpjr3lf")) + (patches + (search-patches "python-matplotlib-run-under-wayland-gtk3.patch")))) (build-system python-build-system) (propagated-inputs ; the following packages are all needed at run time `(("python-cycler" ,python-cycler) -- cgit 1.4.1 From 3905580180d8f8ed1eec07baa307b4bff0d726d6 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Mon, 1 Mar 2021 13:35:19 -0500 Subject: gnu: Python 2: Fix CVE-2021-3177. * gnu/packages/patches/python-2.7-CVE-2021-3177.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/python.scm (python-2.7)[replacement]: New field. (python-2.7/fixed): New variable. --- gnu/local.mk | 1 + .../patches/python-2.7-CVE-2021-3177.patch | 157 +++++++++++++++++++++ gnu/packages/python.scm | 9 ++ 3 files changed, 167 insertions(+) create mode 100644 gnu/packages/patches/python-2.7-CVE-2021-3177.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 81ca759503..47294d6e23 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1518,6 +1518,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-2.7-search-paths.patch \ %D%/packages/patches/python-2.7-site-prefixes.patch \ %D%/packages/patches/python-2.7-source-date-epoch.patch \ + %D%/packages/patches/python-2.7-CVE-2021-3177.patch \ %D%/packages/patches/python-3-arm-alignment.patch \ %D%/packages/patches/python-3-deterministic-build-info.patch \ %D%/packages/patches/python-3-search-paths.patch \ diff --git a/gnu/packages/patches/python-2.7-CVE-2021-3177.patch b/gnu/packages/patches/python-2.7-CVE-2021-3177.patch new file mode 100644 index 0000000000..9f2032ad4a --- /dev/null +++ b/gnu/packages/patches/python-2.7-CVE-2021-3177.patch @@ -0,0 +1,157 @@ +Fix CVE-2021-3177 for Python 2.7: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177 + +Patch copied from Debian: + +https://salsa.debian.org/cpython-team/python2/-/blob/e54f3303884f1362f3311ec36f070b40603dd76e/debian/patches/CVE-2021-3177.diff + +bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. +--- a/Lib/ctypes/test/test_parameters.py ++++ b/Lib/ctypes/test/test_parameters.py +@@ -206,6 +206,49 @@ class SimpleTypesTestCase(unittest.TestC + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') + ++ def test_parameter_repr(self): ++ from ctypes import ( ++ c_bool, ++ c_char, ++ c_wchar, ++ c_byte, ++ c_ubyte, ++ c_short, ++ c_ushort, ++ c_int, ++ c_uint, ++ c_long, ++ c_ulong, ++ c_longlong, ++ c_ulonglong, ++ c_float, ++ c_double, ++ c_longdouble, ++ c_char_p, ++ c_wchar_p, ++ c_void_p, ++ ) ++ self.assertRegexpMatches(repr(c_bool.from_param(True)), r"^$") ++ self.assertEqual(repr(c_char.from_param('a')), "") ++ self.assertRegexpMatches(repr(c_wchar.from_param('a')), r"^$") ++ self.assertEqual(repr(c_byte.from_param(98)), "") ++ self.assertEqual(repr(c_ubyte.from_param(98)), "") ++ self.assertEqual(repr(c_short.from_param(511)), "") ++ self.assertEqual(repr(c_ushort.from_param(511)), "") ++ self.assertRegexpMatches(repr(c_int.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_uint.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_long.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_ulong.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_longlong.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_ulonglong.from_param(20000)), r"^$") ++ self.assertEqual(repr(c_float.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1e300)), "") ++ self.assertRegexpMatches(repr(c_longdouble.from_param(1.5)), r"^$") ++ self.assertRegexpMatches(repr(c_char_p.from_param(b'hihi')), "^$") ++ self.assertRegexpMatches(repr(c_wchar_p.from_param('hihi')), "^$") ++ self.assertRegexpMatches(repr(c_void_p.from_param(0x12)), r"^$") ++ + ################################################################ + + if __name__ == '__main__': +--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -460,50 +460,53 @@ PyCArg_dealloc(PyCArgObject *self) + static PyObject * + PyCArg_repr(PyCArgObject *self) + { +- char buffer[256]; + switch(self->tag) { + case 'b': + case 'B': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.b); +- break; + case 'h': + case 'H': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.h); +- break; + case 'i': + case 'I': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.i); +- break; + case 'l': + case 'L': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.l); +- break; + + #ifdef HAVE_LONG_LONG + case 'q': + case 'Q': +- sprintf(buffer, +- "", ++ return PyString_FromFormat("", + self->tag, self->value.q); +- break; + #endif + case 'd': +- sprintf(buffer, "", +- self->tag, self->value.d); +- break; +- case 'f': +- sprintf(buffer, "", +- self->tag, self->value.f); +- break; ++ case 'f': { ++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); ++ if (f == NULL) { ++ return NULL; ++ } ++ PyObject *r = PyObject_Repr(f); ++ Py_DECREF(f); ++ if (r == NULL) { ++ return NULL; ++ } ++ char *value = PyString_AsString(r); ++ if (value == NULL) { ++ return NULL; ++ } ++ PyObject *result = PyString_FromFormat("", self->tag, value); ++ Py_DECREF(r); ++ return result; ++ } + + case 'c': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.c); +- break; + + /* Hm, are these 'z' and 'Z' codes useful at all? + Shouldn't they be replaced by the functionality of c_string +@@ -512,16 +515,13 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.p); +- break; + + default: +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self); +- break; + } +- return PyString_FromString(buffer); + } + + static PyMemberDef PyCArgType_members[] = { diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 9d97050c66..e05c91b3d0 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -107,6 +107,7 @@ (define-public python-2.7 (package (name "python2") + (replacement python-2.7/fixed) (version "2.7.17") (source (origin @@ -350,6 +351,14 @@ data types.") (properties '((cpe-name . "python"))) (license license:psfl))) +(define python-2.7/fixed + (package + (inherit python-2.7) + (source (origin + (inherit (package-source python-2.7)) + (patches (append (search-patches "python-2.7-CVE-2021-3177.patch") + (origin-patches (package-source python-2.7)))))))) + ;; Current 2.x version. (define-public python-2 python-2.7) -- cgit 1.4.1 From 759a526f5fdd49b9136a639269afd77e2599dcb6 Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Wed, 3 Mar 2021 06:39:37 +0100 Subject: gnu: openssh: Update to 8.5p1. * gnu/packages/patches/openssh-fix-ssh-copy-id.patch: Remove patch. * gnu/local.mk (dist_patch_DATA): Also unregister it. * gnu/packages/ssh.scm (openssh): Update to 8.5p1. --- gnu/local.mk | 1 - gnu/packages/patches/openssh-fix-ssh-copy-id.patch | 38 ---------------------- gnu/packages/ssh.scm | 7 ++-- 3 files changed, 3 insertions(+), 43 deletions(-) delete mode 100644 gnu/packages/patches/openssh-fix-ssh-copy-id.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 47294d6e23..3557d9f429 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1426,7 +1426,6 @@ dist_patch_DATA = \ %D%/packages/patches/openfoam-4.1-cleanup.patch \ %D%/packages/patches/openjdk-10-idlj-reproducibility.patch \ %D%/packages/patches/openmpi-mtl-priorities.patch \ - %D%/packages/patches/openssh-fix-ssh-copy-id.patch \ %D%/packages/patches/openssh-hurd.patch \ %D%/packages/patches/openresolv-restartcmd-guix.patch \ %D%/packages/patches/opensles-add-license-file.patch \ diff --git a/gnu/packages/patches/openssh-fix-ssh-copy-id.patch b/gnu/packages/patches/openssh-fix-ssh-copy-id.patch deleted file mode 100644 index 6adba639a3..0000000000 --- a/gnu/packages/patches/openssh-fix-ssh-copy-id.patch +++ /dev/null @@ -1,38 +0,0 @@ -Fix a bug where ssh-copy-id would fail with "EOF: command not found": - -https://github.com/openssh/openssh-portable/pull/206 - -Patch copied from upstream source repository: - -https://github.com/openssh/openssh-portable/commit/d9e727dcc04a52caaac87543ea1d230e9e6b5604 - -From d9e727dcc04a52caaac87543ea1d230e9e6b5604 Mon Sep 17 00:00:00 2001 -From: Oleg -Date: Thu, 1 Oct 2020 12:09:08 +0300 -Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id - ---- - contrib/ssh-copy-id | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id -index 392f64f94..a76907717 100644 ---- a/contrib/ssh-copy-id -+++ b/contrib/ssh-copy-id -@@ -247,7 +247,7 @@ installkeys_sh() { - # the -z `tail ...` checks for a trailing newline. The echo adds one if was missing - # the cat adds the keys we're getting via STDIN - # and if available restorecon is used to restore the SELinux context -- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF) -+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF - cd; - umask 077; - mkdir -p $(dirname "${AUTH_KEY_FILE}") && -@@ -258,6 +258,7 @@ installkeys_sh() { - restorecon -F .ssh ${AUTH_KEY_FILE}; - fi - EOF -+ ) - - # to defend against quirky remote shells: use 'exec sh -c' to get POSIX; - printf "exec sh -c '%s'" "${INSTALLKEYS_SH}" diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index c94631036b..b73e9633ea 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -186,16 +186,15 @@ a server that supports the SSH-2 protocol.") (define-public openssh (package (name "openssh") - (version "8.4p1") + (version "8.5p1") (source (origin (method url-fetch) (uri (string-append "mirror://openbsd/OpenSSH/portable/" "openssh-" version ".tar.gz")) - (patches (search-patches "openssh-hurd.patch" - "openssh-fix-ssh-copy-id.patch")) + (patches (search-patches "openssh-hurd.patch")) (sha256 (base32 - "091b3pxdlj47scxx6kkf4agkx8c8sdacdxx8m1dw1cby80pd40as")))) + "09gc8rv7728chxraab85dzkdikaw4aph1wlcwcc9kai9si0kybzm")))) (build-system gnu-build-system) (native-inputs `(("groff" ,groff) ("pkg-config" ,pkg-config))) -- cgit 1.4.1 From 6891f95739c733df217ceaf5d0787cbed380ec1c Mon Sep 17 00:00:00 2001 From: Kei Kebreau Date: Thu, 4 Mar 2021 19:43:17 -0500 Subject: gnu: mupdf: Fix CVE-2021-3407. * gnu/packages/pdf.scm (mupdf)[source]: Add patch. * gnu/packages/patches/mupdf-CVE-2021-3407.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/patches/mupdf-CVE-2021-3407.patch | 51 ++++++++++++++++++++++++++ gnu/packages/pdf.scm | 3 +- 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/mupdf-CVE-2021-3407.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 3557d9f429..25afb99618 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1382,6 +1382,7 @@ dist_patch_DATA = \ %D%/packages/patches/mumps-shared-mumps.patch \ %D%/packages/patches/mumps-shared-pord.patch \ %D%/packages/patches/mupdf-fix-linkage.patch \ + %D%/packages/patches/mupdf-CVE-2021-3407.patch \ %D%/packages/patches/mupen64plus-ui-console-notice.patch \ %D%/packages/patches/mupen64plus-video-z64-glew-correct-path.patch \ %D%/packages/patches/musl-cross-locale.patch \ diff --git a/gnu/packages/patches/mupdf-CVE-2021-3407.patch b/gnu/packages/patches/mupdf-CVE-2021-3407.patch new file mode 100644 index 0000000000..9f901517c5 --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2021-3407.patch @@ -0,0 +1,51 @@ +This patch came from https://git.ghostscript.com/?p=mupdf.git;a=patch;h=cee7cefc610d42fd383b3c80c12cbc675443176a +and fixes CVE-2021-3407. + +From cee7cefc610d42fd383b3c80c12cbc675443176a Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Fri, 22 Jan 2021 17:05:15 +0000 +Subject: [PATCH] Bug 703366: Fix double free of object during linearization. + +This appears to happen because we parse an illegal object from +a broken file and assign it to object 0, which is defined to +be free. + +Here, we fix the parsing code so this can't happen. +--- + source/pdf/pdf-parse.c | 6 ++++++ + source/pdf/pdf-xref.c | 2 ++ + 2 files changed, 8 insertions(+) + +diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c +index 7abc8c3d4..5761c3351 100644 +--- a/source/pdf/pdf-parse.c ++++ b/source/pdf/pdf-parse.c +@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc, + fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num); + } + gen = buf->i; ++ if (gen < 0 || gen >= 65536) ++ { ++ if (try_repair) ++ *try_repair = 1; ++ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen); ++ } + + tok = pdf_lex(ctx, file, buf); + if (tok != PDF_TOK_OBJ) +diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c +index 1b2bdcd59..30197b4b8 100644 +--- a/source/pdf/pdf-xref.c ++++ b/source/pdf/pdf-xref.c +@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) + { + ofs = fz_tell(ctx, doc->file); + trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL); ++ if (num == 0) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n"); + } + fz_catch(ctx) + { +-- +2.17.1 + diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index daea7ee8ad..e81c3caf87 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -724,7 +724,8 @@ extracting content or merging files.") "mupdf-" version "-source.tar.xz")) (sha256 (base32 "16m5sksil22sshxy70xkslsb2qhvcqb1d95i9savnhds1xn4ybar")) - (patches (search-patches "mupdf-fix-linkage.patch")) + (patches (search-patches "mupdf-fix-linkage.patch" + "mupdf-CVE-2021-3407.patch")) (modules '((guix build utils))) (snippet '(begin -- cgit 1.4.1 From fc193b6518ad8df0cc92cb50b88217430dea47e3 Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Fri, 5 Mar 2021 23:31:15 +0100 Subject: gnu: cgal: Update to 5.2 [security fixes]. * gnu/packages/patches/cgal-security-pr-5371.patch: New patch. Downloaded from , with hunks on files matching pattern "*Convex_decomposition_3*" removed because they don't exist in cgal's released sources. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/graphics.scm (cgal): Update to 5.2. [source]: Apply patch. --- gnu/local.mk | 1 + gnu/packages/graphics.scm | 10 +- gnu/packages/patches/cgal-security-pr-5371.patch | 1611 ++++++++++++++++++++++ 3 files changed, 1618 insertions(+), 4 deletions(-) create mode 100644 gnu/packages/patches/cgal-security-pr-5371.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 25afb99618..4900dabc36 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -879,6 +879,7 @@ dist_patch_DATA = \ %D%/packages/patches/cdparanoia-fpic.patch \ %D%/packages/patches/cdrtools-3.01-mkisofs-isoinfo.patch \ %D%/packages/patches/ceph-disable-cpu-optimizations.patch \ + %D%/packages/patches/cgal-security-pr-5371.patch \ %D%/packages/patches/chmlib-inttypes.patch \ %D%/packages/patches/cl-asdf-config-directories.patch \ %D%/packages/patches/clamav-config-llvm-libs.patch \ diff --git a/gnu/packages/graphics.scm b/gnu/packages/graphics.scm index 7e83c7ea4e..db04b93f20 100644 --- a/gnu/packages/graphics.scm +++ b/gnu/packages/graphics.scm @@ -718,15 +718,17 @@ more.") (define-public cgal (package (name "cgal") - (version "4.14.2") + (version "5.2") (source (origin (method url-fetch) (uri (string-append - "https://github.com/CGAL/cgal/releases/download/releases/" - "CGAL-" version "/CGAL-" version ".tar.xz")) + "https://github.com/CGAL/cgal/releases/download/v" version + "/CGAL-" version ".tar.xz")) (sha256 (base32 - "08lrp3hfwdypggz4138bnkh6bjxn441zg2y9xnq5mrjfc5ini6w1")))) + "08sr2k2dm4zasfbvisqpvs6djqw3rywzwpzr701an870nvnqck3l")) + (patches (search-patches "cgal-security-pr-5371.patch")) + (patch-flags '("-p2")))) (build-system cmake-build-system) (arguments '(#:tests? #f)) ; no test target diff --git a/gnu/packages/patches/cgal-security-pr-5371.patch b/gnu/packages/patches/cgal-security-pr-5371.patch new file mode 100644 index 0000000000..dea53dceaf --- /dev/null +++ b/gnu/packages/patches/cgal-security-pr-5371.patch @@ -0,0 +1,1611 @@ +From 618b409b0fbcef7cb536a4134ae3a424ef5aae45 Mon Sep 17 00:00:00 2001 +From: Maxime Gimeno +Date: Mon, 18 Jan 2021 15:40:40 +0100 +Subject: [PATCH 1/8] Fix Nef_2 and Nef_S2 IO + +--- + Nef_2/include/CGAL/Nef_2/PM_io_parser.h | 74 ++++++++++++--- + Nef_2/include/CGAL/Nef_polyhedron_2.h | 2 + + Nef_S2/include/CGAL/Nef_S2/SM_io_parser.h | 106 ++++++++++++++++------ + 3 files changed, 142 insertions(+), 40 deletions(-) + +diff --git a/Nef_2/include/CGAL/Nef_2/PM_io_parser.h b/Nef_2/include/CGAL/Nef_2/PM_io_parser.h +index 85295f3d85a..9b84dd37fbe 100644 +--- a/Nef_2/include/CGAL/Nef_2/PM_io_parser.h ++++ b/Nef_2/include/CGAL/Nef_2/PM_io_parser.h +@@ -200,6 +200,11 @@ bool PM_io_parser::read_vertex(Vertex_handle v) + !(in >> p) || + !check_sep("}") ) return false; + ++ if(!(f >= 0 && ((iso && f < fn) || (!iso && f < en)))) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + if (iso) v->set_face(Face_of[f]); + else v->set_halfedge(Halfedge_of[f]); + mark(v) = m; point(v) = p; +@@ -229,10 +234,14 @@ bool PM_io_parser::read_hedge(Halfedge_handle e) + !(in >> f) || !check_sep(",") || + !(in >> m) || !check_sep("}") ) + return false; +- CGAL_assertion_msg +- (eo >= 0 || (std::size_t) eo < en || epr >= 0 || (std::size_t) epr < en || ene >= 0 || (std::size_t) ene < en || +- v >= 0 || (std::size_t) v < vn || f >= 0 || (std::size_t) f < fn , +- "wrong index in read_hedge"); ++ ++ if(!(eo >= 0 && (std::size_t) eo < en && epr >= 0 && (std::size_t) epr < en && ene >= 0 && (std::size_t) ene < en && ++ v >= 0 && (std::size_t) v < vn && f >= 0 && (std::size_t) f < fn )) ++ { ++ in.clear(std::ios_base::badbit); ++ std::cerr<<"wrong index in read_hedge"<opposite()]); +@@ -267,14 +276,32 @@ bool PM_io_parser::read_face(Face_handle f) + int n, ei, vi; Mark m; + if ( !(in >> n) || !check_sep("{") ) return false; + if ( !(in >> ei) || !check_sep(",") ) return false; +- if (ei >= 0) f->set_halfedge(Halfedge_of[ei]); ++ if (ei >= 0 && ei < en) ++ { ++ f->set_halfedge(Halfedge_of[ei]); ++ } ++ else ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + while (in >> ei) { + CGAL_assertion_msg(ei >= 0 && (std::size_t) ei < en, "wrong index in face cycle list."); ++ if (!(ei >= 0 && ei < en)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + f->store_fc(Halfedge_of[ei]); + } in.clear(); + if (!check_sep(",")) { return false; } + while (in >> vi) { + CGAL_assertion_msg(vi >= 0 && (std::size_t) vi < vn, "wrong index in iso vertex list."); ++ if (!(vi >= 0 && vi < vn)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + f->store_iv(Vertex_of[vi]); + } in.clear(); + if (!check_sep(",") || !(in >> m) || !check_sep("}") ) +@@ -313,13 +340,26 @@ template + void PM_io_parser::read() + { + if ( !check_sep("Plane_map_2") ) +- CGAL_error_msg("PM_io_parser::read: no embedded_PM header."); ++ { ++ std::cerr<<"PM_io_parser::read: no embedded_PM header."<> vn)) ) +- CGAL_error_msg("PM_io_parser::read: wrong node line."); ++ { ++ std::cerr<<"PM_io_parser::read: wrong node line."<> en) && (en%2==0)) ) +- CGAL_error_msg("PM_io_parser::read: wrong edge line."); ++ { ++ std::cerr<<"PM_io_parser::read: wrong edge line."<> fn)) ) +- CGAL_error_msg("PM_io_parser::read: wrong face line."); ++ { ++ std::cerr<<"PM_io_parser::read: wrong face line."<::read() + + for(i=0; i> + std::cerr << "Nef_polyhedron_2 input corrupted." << std::endl; + NP = Nef_polyhedron_2(); + } ++ if(!is) ++ return is; + typename Nef_polyhedron_2::Topological_explorer D(NP.explorer()); + D.check_integrity_and_topological_planarity(); + return is; +diff --git a/Nef_S2/include/CGAL/Nef_S2/SM_io_parser.h b/Nef_S2/include/CGAL/Nef_S2/SM_io_parser.h +index 7bddd3036d5..631c63dc5dc 100644 +--- a/Nef_S2/include/CGAL/Nef_S2/SM_io_parser.h ++++ b/Nef_S2/include/CGAL/Nef_S2/SM_io_parser.h +@@ -203,8 +203,14 @@ bool SM_io_parser::read_vertex(SVertex_handle v) + !(in >> p) || + !check_sep("}") ) return false; + +- if (iso) set_face(v,SFace_of[f]); +- else set_first_out_edge(v,Edge_of[f]); ++ if(f<0 || (iso && f > fn) || (!iso && f > en)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } ++ ++ if (iso) this->set_face(v,SFace_of[f]); ++ else this->set_first_out_edge(v,Edge_of[f]); + v->mark() = m; v->point() = p; + return true; + } +@@ -235,17 +241,21 @@ bool SM_io_parser::read_edge(SHalfedge_handle e) + !(in >> m) || !check_sep(",") || + !(in >> k) || !check_sep("}") ) + return false; +- CGAL_assertion_msg ++ if (! + (eo >= 0 && eo < en && epr >= 0 && epr < en && ene >= 0 && ene < en && +- v >= 0 && v < vn && f >= 0 && f < fn , +- "wrong index in read_edge"); ++ v >= 0 && v < vn && f >= 0 && f < fn )) ++ { ++ std::cerr<<"wrong index in read_edge"<twin()]); +- set_prev(e,Edge_of[epr]); +- set_next(e,Edge_of[ene]); +- set_source(e,SVertex_of[v]); +- set_face(e,SFace_of[f]); ++ this->set_prev(e,Edge_of[epr]); ++ this->set_next(e,Edge_of[ene]); ++ this->set_source(e,SVertex_of[v]); ++ this->set_face(e,SFace_of[f]); + e->mark() = m; + e->circle() = k; + return true; +@@ -274,7 +284,7 @@ bool SM_io_parser::read_loop(SHalfloop_handle l) + CGAL_assertion_msg( + (lo >= 0 && lo < 2 && f >= 0 && f < fn),"wrong index in read_edge"); + +- set_face(l,SFace_of[f]); ++ this->set_face(l,SFace_of[f]); + l->mark() = m; + l->circle() = k; + return true; +@@ -303,21 +313,33 @@ bool SM_io_parser::read_face(SFace_handle f) + int n, ei, vi, li; Mark m; + if ( !(in >> n) || !check_sep("{") ) return false; + while (in >> ei) { +- CGAL_assertion_msg(ei >= 0 && ei < en, +- "wrong index in face cycle list."); +- store_sm_boundary_object(Edge_of[ei],f); ++ if(!(ei >= 0 && ei < en)) ++ { ++ std::cerr<<"wrong index in face cycle list."<store_sm_boundary_object(Edge_of[ei],f); + } in.clear(); + if (!check_sep(",")) { return false; } + while (in >> vi) { +- CGAL_assertion_msg(vi >= 0 && vi < vn, +- "wrong index in iso vertex list."); +- store_sm_boundary_object(SVertex_of[vi],f); ++ if(!(vi >= 0 && vi < vn)) ++ { ++ std::cerr<<"wrong index in iso vertex list."<store_sm_boundary_object(SVertex_of[vi],f); + } in.clear(); + if (!check_sep(",")) { return false; } + while (in >> li) { +- CGAL_assertion_msg(li >= 0 && li < 2, +- "wrong index in iso vertex list."); +- store_sm_boundary_object(Loop_of[li],f); ++ if(!(li >= 0 && li < 2)) ++ { ++ std::cerr<<"wrong index in iso vertex list."<store_sm_boundary_object(Loop_of[li],f); + } in.clear(); + if (!check_sep(",") || !(in >> m) || !check_sep("}") ) + return false; +@@ -357,16 +379,36 @@ void SM_io_parser::print() const + template + void SM_io_parser::read() + { ++ if ( !check_sep("Nef_polyhedron_S2") ) ++ { ++ std::cerr<<"Missing line in header"<> vn)) ) +- CGAL_error_msg("SM_io_parser::read: wrong vertex line."); ++ { ++ std::cerr<<"SM_io_parser::read: wrong vertex line."<> en) && (en%2==0)) ) +- CGAL_error_msg("SM_io_parser::read: wrong edge line."); ++ { ++ std::cerr<<"SM_io_parser::read: wrong edge line."<> ln)) ) +- CGAL_error_msg("SM_io_parser::read: wrong loop line."); ++ { ++ std::cerr<<"SM_io_parser::read: wrong loop line."<> fn)) ) +- CGAL_error_msg("SM_io_parser::read: wrong face line."); ++ { ++ std::cerr<<"SM_io_parser::read: wrong face line."<::read() + + for(i=0; i +Date: Tue, 19 Jan 2021 12:24:08 +0100 +Subject: [PATCH 2/8] Fix Nef_3 + +--- + Nef_3/include/CGAL/Nef_3/SNC_io_parser.h | 195 ++++++++++++++++++++++- + 1 file changed, 188 insertions(+), 7 deletions(-) + +diff --git a/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h b/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h +index 5eee7528ee7..04d9d0ac8e8 100644 +--- a/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h ++++ b/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h +@@ -1444,40 +1444,61 @@ void SNC_io_parser::read_items(int plus01) { + typename std::vector::iterator vi; + for(vi=Vertex_of.begin(); vi!=Vertex_of.end(); ++vi) { + if (!read_vertex(*vi)) +- CGAL_error_msg("SNC_io_parser::read: error in node line"); ++ { ++ std::cerr<<"SNC_io_parser::read: error in node line"<::iterator ei; + for(ei=Edge_of.begin(); ei!=Edge_of.end(); ++ei) { + if (!read_edge(*ei)) +- CGAL_error_msg("SNC_io_parser::read: error in edge line"); ++ { ++ std::cerr<<"SNC_io_parser::read: error in edge line"<::iterator vhf_iterator; + vhf_iterator fi; + for(fi=Halffacet_of.begin(); fi!=Halffacet_of.end(); ++fi) { + if (!read_facet(*fi)) +- CGAL_error_msg("SNC_io_parser::read: error in facet line"); ++ { ++ std::cerr<<"SNC_io_parser::read: error in facet line"<::iterator ci; + for(ci=Volume_of.begin()+plus01; ci!=Volume_of.end(); ++ci) { + if (!read_volume(*ci)) +- CGAL_error_msg("SNC_io_parser::read: error in volume line"); ++ { ++ std::cerr<<"SNC_io_parser::read: error in volume line"<::iterator sei; + for(sei=SEdge_of.begin(); sei!=SEdge_of.end(); ++sei) { + if (!read_sedge(*sei)) +- CGAL_error_msg("SNC_io_parser::read: error in sedge line"); ++ { ++ std::cerr<<"SNC_io_parser::read: error in sedge line"<::iterator sli; + for(sli=SLoop_of.begin(); sli!=SLoop_of.end(); ++sli) { + if (!read_sloop(*sli)) +- CGAL_error_msg("SNC_io_parser::read: error in sloop line"); ++ { ++ std::cerr<<"SNC_io_parser::read: error in sloop line"<::iterator sfi; + for(sfi=SFace_of.begin(); sfi!=SFace_of.end(); ++sfi) { + if (!read_sface(*sfi)) +- CGAL_error_msg("SNC_io_parser::read: error in sface line"); ++ { ++ std::cerr<<"SNC_io_parser::read: error in sface line"<sncp()); +@@ -1535,21 +1556,56 @@ read_vertex(Vertex_handle vh) { + vh->sncp() = this->sncp(); + + in >> index; ++ if(index >= int(en)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + vh->svertices_begin() = (index >= 0 ? Edge_of[index] : this->svertices_end()); + in >> index; ++ if(index >= int(en)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + vh->svertices_last() = index >= 0 ? Edge_of[index] : this->svertices_end(); + OK = OK && test_string(","); + in >> index; ++ if(index >= int(sen)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + vh->shalfedges_begin() = index >= 0 ? SEdge_of[index] : this->shalfedges_end(); + in >> index; ++ if(index >= int(sen)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + vh->shalfedges_last() = index >= 0 ? SEdge_of[index] : this->shalfedges_end(); + OK = OK && test_string(","); + in >> index; ++ if(index >= int(sfn)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + vh->sfaces_begin() = index >= 0 ? SFace_of[index] : this->sfaces_end(); + in >> index; ++ if(index >= int(sfn)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + vh->sfaces_last() = index >= 0 ? SFace_of[index] : this->sfaces_end(); + OK = OK && test_string(","); + in >> index; ++ if(index >= int(sln)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + vh->shalfloop() = index >= 0 ? SLoop_of[index] : this->shalfloops_end(); + OK = OK && test_string("|"); + #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT +@@ -1604,17 +1660,37 @@ read_edge(Halfedge_handle eh) { + OK = OK && test_string("{"); + + in >> index; ++ if(index < 0 || index >= int(en)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + eh->twin() = Edge_of[index]; + OK = OK && test_string(","); + in >> index; ++ if(index < 0 || index >= int(vn)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + eh->center_vertex() = Vertex_of[index]; + OK = OK && test_string(","); + in >> index; + if(index == 0) { + in >> index; ++ if(index < 0 || index >= int(sen)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + eh->out_sedge() = SEdge_of[index]; + } else { + in >> index; ++ if(index < 0 || index >= int(sfn)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + eh->incident_sface() = SFace_of[index]; + } + OK = OK && test_string("|"); +@@ -1669,6 +1745,11 @@ read_facet(Halffacet_handle fh) { + OK = OK && test_string("{"); + + in >> index; ++ if(index < 0 || index >= int(fn)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + fh->twin() = Halffacet_of[index]; + OK = OK && test_string(","); + +@@ -1676,6 +1757,11 @@ read_facet(Halffacet_handle fh) { + while(isdigit(cc)) { + in.putback(cc); + in >> index; ++ if(index < 0 || index >= int(sen)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + fh->boundary_entry_objects().push_back(make_object(SEdge_of[index])); + in >> cc; + } +@@ -1684,11 +1770,21 @@ read_facet(Halffacet_handle fh) { + while(isdigit(cc)) { + in.putback(cc); + in >> index; ++ if(index < 0 || index >= int(sln)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + fh->boundary_entry_objects().push_back(make_object(SLoop_of[index])); + in >> cc; + } + + in >> index; ++ if(index < 0 || index >= int(vn)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + fh->incident_volume() = Volume_of[index+addInfiBox]; + OK = OK && test_string("|"); + #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT +@@ -1731,6 +1827,11 @@ read_volume(Volume_handle ch) { + while(isdigit(cc)) { + in.putback(cc); + in >> index; ++ if(index < 0 || index >= int(sfn)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + ch->shell_entry_objects().push_back(make_object(SFace_of[index])); + in >> cc; + } +@@ -1781,27 +1882,67 @@ read_sedge(SHalfedge_handle seh) { + OK = OK && test_string("{"); + + in >> index; ++ if(index < 0 || index >= int(sen)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + seh->twin() = SEdge_of[index]; + OK = OK && test_string(","); + in >> index; ++ if(index < 0 || index >= int(sen)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + seh->sprev() = SEdge_of[index]; + OK = OK && test_string(","); + in >> index; ++ if(index < 0 || index >= int(sen)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + seh->snext() = SEdge_of[index]; + OK = OK && test_string(","); + in >> index; ++ if(index < 0 || index >= int(en)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + seh->source() = Edge_of[index]; + OK = OK && test_string(","); + in >> index; ++ if(index < 0 || index >= int(sfn)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + seh->incident_sface() = SFace_of[index]; + OK = OK && test_string(","); + in >> index; ++ if(index < 0 || index >= int(sen)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + seh->prev() = SEdge_of[index]; + OK = OK && test_string(","); + in >> index; ++ if(index < 0 || index >= int(sen)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + seh->next() = SEdge_of[index]; + OK = OK && test_string(","); + in >> index; ++ if(index < 0 || index >= int(fn)) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + seh->facet() = Halffacet_of[index]; + OK = OK && test_string("|"); + #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT +@@ -1852,12 +1993,27 @@ read_sloop(SHalfloop_handle slh) { + OK = OK && test_string("{"); + + in >> index; ++ if(index < 0 || index >= sln) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + slh->twin() = SLoop_of[index]; + OK = OK && test_string(","); + in >> index; ++ if(index < 0 || index >= sfn) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + slh->incident_sface() = SFace_of[index]; + OK = OK && test_string(","); + in >> index; ++ if(index < 0 || index >= fn) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + slh->facet() = Halffacet_of[index]; + OK = OK && test_string("|"); + #ifdef CGAL_NEF_NATURAL_COORDINATE_INPUT +@@ -1904,6 +2060,11 @@ read_sface(SFace_handle sfh) { + OK = OK && test_string("{"); + + in >> index; ++ if(index < 0 || index >= vn) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + sfh->center_vertex() = Vertex_of[index]; + OK = OK && test_string(","); + +@@ -1913,6 +2074,11 @@ read_sface(SFace_handle sfh) { + in >> index; + // sfh->boundary_entry_objects().push_back(SEdge_of[index]); + SM_decorator SD(&*sfh->center_vertex()); ++ if(index < 0 || index >= sen) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + SD.link_as_face_cycle(SEdge_of[index],sfh); + in >> cc; + } +@@ -1921,6 +2087,11 @@ read_sface(SFace_handle sfh) { + while(isdigit(cc)) { + in.putback(cc); + in >> index; ++ if(index < 0 || index >= en) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + sfh->boundary_entry_objects().push_back(make_object(Edge_of[index])); + this->sncp()->store_sm_boundary_item(Edge_of[index], --(sfh->sface_cycles_end())); + in >> cc; +@@ -1930,12 +2101,22 @@ read_sface(SFace_handle sfh) { + while(isdigit(cc)) { + in.putback(cc); + in >> index; ++ if(index < 0 || index >= sln) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + sfh->boundary_entry_objects().push_back(make_object(SLoop_of[index])); + this->sncp()->store_sm_boundary_item(SLoop_of[index], --(sfh->sface_cycles_end())); + in >> cc; + } + + in >> index; ++ if(index < 0 || index >= vn) ++ { ++ in.clear(std::ios_base::badbit); ++ return false; ++ } + sfh->volume() = Volume_of[index+addInfiBox]; + OK = OK && test_string("}"); + in >> sfh->mark(); + +From 9e291e6bbfe23137fb2dd3a0f8d6461229ca2376 Mon Sep 17 00:00:00 2001 +From: Maxime Gimeno +Date: Tue, 19 Jan 2021 14:04:54 +0100 +Subject: [PATCH 3/8] replace cerr by CGAL_warning_msg + +--- + Nef_2/include/CGAL/Nef_2/PM_io_parser.h | 14 +++--- + Nef_3/include/CGAL/Nef_3/SNC_io_parser.h | 53 ++++++++++++++++------- + Nef_S2/include/CGAL/Nef_S2/SM_io_parser.h | 18 ++++---- + 3 files changed, 54 insertions(+), 31 deletions(-) + +diff --git a/Nef_2/include/CGAL/Nef_2/PM_io_parser.h b/Nef_2/include/CGAL/Nef_2/PM_io_parser.h +index 9b84dd37fbe..52bc830e115 100644 +--- a/Nef_2/include/CGAL/Nef_2/PM_io_parser.h ++++ b/Nef_2/include/CGAL/Nef_2/PM_io_parser.h +@@ -341,23 +341,23 @@ void PM_io_parser::read() + { + if ( !check_sep("Plane_map_2") ) + { +- std::cerr<<"PM_io_parser::read: no embedded_PM header."<> vn)) ) + { +- std::cerr<<"PM_io_parser::read: wrong node line."<> en) && (en%2==0)) ) + { +- std::cerr<<"PM_io_parser::read: wrong edge line."<> fn)) ) + { +- std::cerr<<"PM_io_parser::read: wrong face line."<::read() + for(i=0; i + void SNC_io_parser::read() + { + if ( !check_sep("Selective Nef Complex") ) +- CGAL_error_msg("SNC_io_parser::read: no SNC header."); ++ { ++ CGAL_warning_msg(false, "SNC_io_parser::read: no SNC header."); ++ returnl ++ } + std::string kernel_type; + in >> kernel_type; + CGAL_assertion(kernel_type == "standard" || kernel_type == "extended"); + if ( !(check_sep("vertices") && (in >> vn)) ) +- CGAL_error_msg("SNC_io_parser::read: wrong vertex line."); ++ { ++ CGAL_warning_msg(false, "SNC_io_parser::read: wrong vertex line."); ++ return; ++ } + if ( !(check_sep("halfedges") && (in >> en) && (en%2==0)) ) +- CGAL_error_msg("SNC_io_parser::read: wrong edge line."); ++ { ++ CGAL_warning_msg(false, "SNC_io_parser::read: wrong edge line."); ++ return; ++ } + if ( !(check_sep("facets") && (in >> fn) && (fn%2==0)) ) +- CGAL_error_msg("SNC_io_parser::read: wrong facet line."); ++ { ++ CGAL_warning_msg(false, "SNC_io_parser::read: wrong facet line."); ++ } + if ( !(check_sep("volumes") && (in >> cn)) ) +- CGAL_error_msg("SNC_io_parser::read: wrong volume line."); ++ { ++ CGAL_warning_msg(false, "SNC_io_parser::read: wrong volume line."); ++ return; ++ } + if ( !(check_sep("shalfedges") && (in >> sen)) ) +- CGAL_error_msg("SNC_io_parser::read: wrong sedge line."); ++ { ++ CGAL_warning_msg(false, "SNC_io_parser::read: wrong sedge line."); ++ return; ++ } + if ( !(check_sep("shalfloops") && (in >> sln)) ) +- CGAL_error_msg("SNC_io_parser::read: wrong sloop line."); ++ { ++ CGAL_warning_msg(false, "SNC_io_parser::read: wrong sloop line."); ++ return; ++ } + if ( !(check_sep("sfaces") && (in >> sfn)) ) +- CGAL_error_msg("SNC_io_parser::read: wrong sface line."); ++ { ++ CGAL_warning_msg(false, "SNC_io_parser::read: wrong sface line."); ++ return; ++ } + + addInfiBox = (kernel_type == "standard" && Infi_box::extended_kernel()); + +@@ -1445,7 +1468,7 @@ void SNC_io_parser::read_items(int plus01) { + for(vi=Vertex_of.begin(); vi!=Vertex_of.end(); ++vi) { + if (!read_vertex(*vi)) + { +- std::cerr<<"SNC_io_parser::read: error in node line"<::read_items(int plus01) { + for(ei=Edge_of.begin(); ei!=Edge_of.end(); ++ei) { + if (!read_edge(*ei)) + { +- std::cerr<<"SNC_io_parser::read: error in edge line"<::read_items(int plus01) { + for(fi=Halffacet_of.begin(); fi!=Halffacet_of.end(); ++fi) { + if (!read_facet(*fi)) + { +- std::cerr<<"SNC_io_parser::read: error in facet line"<::read_items(int plus01) { + for(ci=Volume_of.begin()+plus01; ci!=Volume_of.end(); ++ci) { + if (!read_volume(*ci)) + { +- std::cerr<<"SNC_io_parser::read: error in volume line"<::read_items(int plus01) { + for(sei=SEdge_of.begin(); sei!=SEdge_of.end(); ++sei) { + if (!read_sedge(*sei)) + { +- std::cerr<<"SNC_io_parser::read: error in sedge line"<::read_items(int plus01) { + for(sli=SLoop_of.begin(); sli!=SLoop_of.end(); ++sli) { + if (!read_sloop(*sli)) + { +- std::cerr<<"SNC_io_parser::read: error in sloop line"<::read_items(int plus01) { + for(sfi=SFace_of.begin(); sfi!=SFace_of.end(); ++sfi) { + if (!read_sface(*sfi)) + { +- std::cerr<<"SNC_io_parser::read: error in sface line"<::read() + { + if ( !check_sep("Nef_polyhedron_S2") ) + { +- std::cerr<<"Missing line in header"<> vn)) ) + { +- std::cerr<<"SM_io_parser::read: wrong vertex line."<> en) && (en%2==0)) ) + { +- std::cerr<<"SM_io_parser::read: wrong edge line."<> ln)) ) + { +- std::cerr<<"SM_io_parser::read: wrong loop line."<> fn)) ) + { +- std::cerr<<"SM_io_parser::read: wrong face line."<::read() + for(i=0; i::read() + for(i=0; i +Date: Wed, 20 Jan 2021 08:38:33 +0100 +Subject: [PATCH 4/8] Fix typo and use setstate + +--- + Nef_2/include/CGAL/Nef_2/PM_io_parser.h | 10 ++-- + Nef_3/include/CGAL/Nef_3/SNC_io_parser.h | 66 +++++++++++------------ + Nef_S2/include/CGAL/Nef_S2/SM_io_parser.h | 10 ++-- + 3 files changed, 43 insertions(+), 43 deletions(-) + +diff --git a/Nef_2/include/CGAL/Nef_2/PM_io_parser.h b/Nef_2/include/CGAL/Nef_2/PM_io_parser.h +index 52bc830e115..64a3e94916e 100644 +--- a/Nef_2/include/CGAL/Nef_2/PM_io_parser.h ++++ b/Nef_2/include/CGAL/Nef_2/PM_io_parser.h +@@ -202,7 +202,7 @@ bool PM_io_parser::read_vertex(Vertex_handle v) + + if(!(f >= 0 && ((iso && f < fn) || (!iso && f < en)))) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + if (iso) v->set_face(Face_of[f]); +@@ -238,7 +238,7 @@ bool PM_io_parser::read_hedge(Halfedge_handle e) + if(!(eo >= 0 && (std::size_t) eo < en && epr >= 0 && (std::size_t) epr < en && ene >= 0 && (std::size_t) ene < en && + v >= 0 && (std::size_t) v < vn && f >= 0 && (std::size_t) f < fn )) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + std::cerr<<"wrong index in read_hedge"<::read_face(Face_handle f) + } + else + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + while (in >> ei) { + CGAL_assertion_msg(ei >= 0 && (std::size_t) ei < en, "wrong index in face cycle list."); + if (!(ei >= 0 && ei < en)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + f->store_fc(Halfedge_of[ei]); +@@ -299,7 +299,7 @@ bool PM_io_parser::read_face(Face_handle f) + CGAL_assertion_msg(vi >= 0 && (std::size_t) vi < vn, "wrong index in iso vertex list."); + if (!(vi >= 0 && vi < vn)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + f->store_iv(Vertex_of[vi]); +diff --git a/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h b/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h +index 21c54dd4133..e5530445153 100644 +--- a/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h ++++ b/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h +@@ -1402,7 +1402,7 @@ void SNC_io_parser::read() + if ( !check_sep("Selective Nef Complex") ) + { + CGAL_warning_msg(false, "SNC_io_parser::read: no SNC header."); +- returnl ++ return; + } + std::string kernel_type; + in >> kernel_type; +@@ -1581,14 +1581,14 @@ read_vertex(Vertex_handle vh) { + in >> index; + if(index >= int(en)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + vh->svertices_begin() = (index >= 0 ? Edge_of[index] : this->svertices_end()); + in >> index; + if(index >= int(en)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + vh->svertices_last() = index >= 0 ? Edge_of[index] : this->svertices_end(); +@@ -1596,14 +1596,14 @@ read_vertex(Vertex_handle vh) { + in >> index; + if(index >= int(sen)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + vh->shalfedges_begin() = index >= 0 ? SEdge_of[index] : this->shalfedges_end(); + in >> index; + if(index >= int(sen)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + vh->shalfedges_last() = index >= 0 ? SEdge_of[index] : this->shalfedges_end(); +@@ -1611,14 +1611,14 @@ read_vertex(Vertex_handle vh) { + in >> index; + if(index >= int(sfn)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + vh->sfaces_begin() = index >= 0 ? SFace_of[index] : this->sfaces_end(); + in >> index; + if(index >= int(sfn)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + vh->sfaces_last() = index >= 0 ? SFace_of[index] : this->sfaces_end(); +@@ -1626,7 +1626,7 @@ read_vertex(Vertex_handle vh) { + in >> index; + if(index >= int(sln)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + vh->shalfloop() = index >= 0 ? SLoop_of[index] : this->shalfloops_end(); +@@ -1685,7 +1685,7 @@ read_edge(Halfedge_handle eh) { + in >> index; + if(index < 0 || index >= int(en)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + eh->twin() = Edge_of[index]; +@@ -1693,7 +1693,7 @@ read_edge(Halfedge_handle eh) { + in >> index; + if(index < 0 || index >= int(vn)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + eh->center_vertex() = Vertex_of[index]; +@@ -1703,7 +1703,7 @@ read_edge(Halfedge_handle eh) { + in >> index; + if(index < 0 || index >= int(sen)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + eh->out_sedge() = SEdge_of[index]; +@@ -1711,7 +1711,7 @@ read_edge(Halfedge_handle eh) { + in >> index; + if(index < 0 || index >= int(sfn)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + eh->incident_sface() = SFace_of[index]; +@@ -1770,7 +1770,7 @@ read_facet(Halffacet_handle fh) { + in >> index; + if(index < 0 || index >= int(fn)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + fh->twin() = Halffacet_of[index]; +@@ -1782,7 +1782,7 @@ read_facet(Halffacet_handle fh) { + in >> index; + if(index < 0 || index >= int(sen)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + fh->boundary_entry_objects().push_back(make_object(SEdge_of[index])); +@@ -1795,7 +1795,7 @@ read_facet(Halffacet_handle fh) { + in >> index; + if(index < 0 || index >= int(sln)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + fh->boundary_entry_objects().push_back(make_object(SLoop_of[index])); +@@ -1805,7 +1805,7 @@ read_facet(Halffacet_handle fh) { + in >> index; + if(index < 0 || index >= int(vn)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + fh->incident_volume() = Volume_of[index+addInfiBox]; +@@ -1852,7 +1852,7 @@ read_volume(Volume_handle ch) { + in >> index; + if(index < 0 || index >= int(sfn)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + ch->shell_entry_objects().push_back(make_object(SFace_of[index])); +@@ -1907,7 +1907,7 @@ read_sedge(SHalfedge_handle seh) { + in >> index; + if(index < 0 || index >= int(sen)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + seh->twin() = SEdge_of[index]; +@@ -1915,7 +1915,7 @@ read_sedge(SHalfedge_handle seh) { + in >> index; + if(index < 0 || index >= int(sen)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + seh->sprev() = SEdge_of[index]; +@@ -1923,7 +1923,7 @@ read_sedge(SHalfedge_handle seh) { + in >> index; + if(index < 0 || index >= int(sen)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + seh->snext() = SEdge_of[index]; +@@ -1931,7 +1931,7 @@ read_sedge(SHalfedge_handle seh) { + in >> index; + if(index < 0 || index >= int(en)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + seh->source() = Edge_of[index]; +@@ -1939,7 +1939,7 @@ read_sedge(SHalfedge_handle seh) { + in >> index; + if(index < 0 || index >= int(sfn)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + seh->incident_sface() = SFace_of[index]; +@@ -1947,7 +1947,7 @@ read_sedge(SHalfedge_handle seh) { + in >> index; + if(index < 0 || index >= int(sen)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + seh->prev() = SEdge_of[index]; +@@ -1955,7 +1955,7 @@ read_sedge(SHalfedge_handle seh) { + in >> index; + if(index < 0 || index >= int(sen)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + seh->next() = SEdge_of[index]; +@@ -1963,7 +1963,7 @@ read_sedge(SHalfedge_handle seh) { + in >> index; + if(index < 0 || index >= int(fn)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + seh->facet() = Halffacet_of[index]; +@@ -2018,7 +2018,7 @@ read_sloop(SHalfloop_handle slh) { + in >> index; + if(index < 0 || index >= sln) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + slh->twin() = SLoop_of[index]; +@@ -2026,7 +2026,7 @@ read_sloop(SHalfloop_handle slh) { + in >> index; + if(index < 0 || index >= sfn) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + slh->incident_sface() = SFace_of[index]; +@@ -2034,7 +2034,7 @@ read_sloop(SHalfloop_handle slh) { + in >> index; + if(index < 0 || index >= fn) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + slh->facet() = Halffacet_of[index]; +@@ -2085,7 +2085,7 @@ read_sface(SFace_handle sfh) { + in >> index; + if(index < 0 || index >= vn) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + sfh->center_vertex() = Vertex_of[index]; +@@ -2099,7 +2099,7 @@ read_sface(SFace_handle sfh) { + SM_decorator SD(&*sfh->center_vertex()); + if(index < 0 || index >= sen) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + SD.link_as_face_cycle(SEdge_of[index],sfh); +@@ -2112,7 +2112,7 @@ read_sface(SFace_handle sfh) { + in >> index; + if(index < 0 || index >= en) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + sfh->boundary_entry_objects().push_back(make_object(Edge_of[index])); +@@ -2126,7 +2126,7 @@ read_sface(SFace_handle sfh) { + in >> index; + if(index < 0 || index >= sln) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + sfh->boundary_entry_objects().push_back(make_object(SLoop_of[index])); +@@ -2137,7 +2137,7 @@ read_sface(SFace_handle sfh) { + in >> index; + if(index < 0 || index >= vn) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + sfh->volume() = Volume_of[index+addInfiBox]; +diff --git a/Nef_S2/include/CGAL/Nef_S2/SM_io_parser.h b/Nef_S2/include/CGAL/Nef_S2/SM_io_parser.h +index a9377719f93..d58126bac9c 100644 +--- a/Nef_S2/include/CGAL/Nef_S2/SM_io_parser.h ++++ b/Nef_S2/include/CGAL/Nef_S2/SM_io_parser.h +@@ -205,7 +205,7 @@ bool SM_io_parser::read_vertex(SVertex_handle v) + + if(f<0 || (iso && f > fn) || (!iso && f > en)) + { +- in.clear(std::ios_base::badbit); ++ in.setstate(std::ios_base::badbit); + return false; + } + +@@ -246,7 +246,7 @@ bool SM_io_parser::read_edge(SHalfedge_handle e) + v >= 0 && v < vn && f >= 0 && f < fn )) + { + std::cerr<<"wrong index in read_edge"<::read_face(SFace_handle f) + if(!(ei >= 0 && ei < en)) + { + std::cerr<<"wrong index in face cycle list."<store_sm_boundary_object(Edge_of[ei],f); +@@ -326,7 +326,7 @@ bool SM_io_parser::read_face(SFace_handle f) + if(!(vi >= 0 && vi < vn)) + { + std::cerr<<"wrong index in iso vertex list."<store_sm_boundary_object(SVertex_of[vi],f); +@@ -336,7 +336,7 @@ bool SM_io_parser::read_face(SFace_handle f) + if(!(li >= 0 && li < 2)) + { + std::cerr<<"wrong index in iso vertex list."<store_sm_boundary_object(Loop_of[li],f); + +From ffa019712b0ad3b20e3d02edad4d731fda04a2ef Mon Sep 17 00:00:00 2001 +From: Maxime Gimeno +Date: Mon, 25 Jan 2021 12:59:48 +0100 +Subject: [PATCH 5/8] First face may be -1, don't fail on it, just don't use it + +--- + Nef_2/include/CGAL/Nef_2/PM_io_parser.h | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/Nef_2/include/CGAL/Nef_2/PM_io_parser.h b/Nef_2/include/CGAL/Nef_2/PM_io_parser.h +index 64a3e94916e..d08b08180d6 100644 +--- a/Nef_2/include/CGAL/Nef_2/PM_io_parser.h ++++ b/Nef_2/include/CGAL/Nef_2/PM_io_parser.h +@@ -280,11 +280,7 @@ bool PM_io_parser::read_face(Face_handle f) + { + f->set_halfedge(Halfedge_of[ei]); + } +- else +- { +- in.setstate(std::ios_base::badbit); +- return false; +- } ++ + while (in >> ei) { + CGAL_assertion_msg(ei >= 0 && (std::size_t) ei < en, "wrong index in face cycle list."); + if (!(ei >= 0 && ei < en)) + +From d78842712cdfcbb3bdfc5f7cb252d3772fd6a16f Mon Sep 17 00:00:00 2001 +From: Maxime Gimeno +Date: Tue, 26 Jan 2021 09:55:20 +0100 +Subject: [PATCH 6/8] Fix conversion warnigns + +--- + Nef_2/include/CGAL/Nef_2/PM_io_parser.h | 8 ++++---- + Nef_3/include/CGAL/Nef_3/SNC_io_parser.h | 18 +++++++++--------- + 2 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/Nef_2/include/CGAL/Nef_2/PM_io_parser.h b/Nef_2/include/CGAL/Nef_2/PM_io_parser.h +index d08b08180d6..39b99b37d7c 100644 +--- a/Nef_2/include/CGAL/Nef_2/PM_io_parser.h ++++ b/Nef_2/include/CGAL/Nef_2/PM_io_parser.h +@@ -200,7 +200,7 @@ bool PM_io_parser::read_vertex(Vertex_handle v) + !(in >> p) || + !check_sep("}") ) return false; + +- if(!(f >= 0 && ((iso && f < fn) || (!iso && f < en)))) ++ if(!(f >= 0 && ((iso && (std::size_t)f < fn) || (!iso && (std::size_t)f < en)))) + { + in.setstate(std::ios_base::badbit); + return false; +@@ -276,14 +276,14 @@ bool PM_io_parser::read_face(Face_handle f) + int n, ei, vi; Mark m; + if ( !(in >> n) || !check_sep("{") ) return false; + if ( !(in >> ei) || !check_sep(",") ) return false; +- if (ei >= 0 && ei < en) ++ if (ei >= 0 && (std::size_t) ei < en) + { + f->set_halfedge(Halfedge_of[ei]); + } + + while (in >> ei) { + CGAL_assertion_msg(ei >= 0 && (std::size_t) ei < en, "wrong index in face cycle list."); +- if (!(ei >= 0 && ei < en)) ++ if (!(ei >= 0 && (std::size_t)ei < en)) + { + in.setstate(std::ios_base::badbit); + return false; +@@ -293,7 +293,7 @@ bool PM_io_parser::read_face(Face_handle f) + if (!check_sep(",")) { return false; } + while (in >> vi) { + CGAL_assertion_msg(vi >= 0 && (std::size_t) vi < vn, "wrong index in iso vertex list."); +- if (!(vi >= 0 && vi < vn)) ++ if (!(vi >= 0 && (std::size_t)vi < vn)) + { + in.setstate(std::ios_base::badbit); + return false; +diff --git a/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h b/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h +index e5530445153..1dde7f8d0b3 100644 +--- a/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h ++++ b/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h +@@ -1579,7 +1579,7 @@ read_vertex(Vertex_handle vh) { + vh->sncp() = this->sncp(); + + in >> index; +- if(index >= int(en)) ++ if(index >= (int)en) + { + in.setstate(std::ios_base::badbit); + return false; +@@ -2016,7 +2016,7 @@ read_sloop(SHalfloop_handle slh) { + OK = OK && test_string("{"); + + in >> index; +- if(index < 0 || index >= sln) ++ if(index < 0 || index >= (int)(sln)) + { + in.setstate(std::ios_base::badbit); + return false; +@@ -2024,7 +2024,7 @@ read_sloop(SHalfloop_handle slh) { + slh->twin() = SLoop_of[index]; + OK = OK && test_string(","); + in >> index; +- if(index < 0 || index >= sfn) ++ if(index < 0 || index >= (int)(sfn)) + { + in.setstate(std::ios_base::badbit); + return false; +@@ -2032,7 +2032,7 @@ read_sloop(SHalfloop_handle slh) { + slh->incident_sface() = SFace_of[index]; + OK = OK && test_string(","); + in >> index; +- if(index < 0 || index >= fn) ++ if(index < 0 || index >= (int)(fn)) + { + in.setstate(std::ios_base::badbit); + return false; +@@ -2083,7 +2083,7 @@ read_sface(SFace_handle sfh) { + OK = OK && test_string("{"); + + in >> index; +- if(index < 0 || index >= vn) ++ if(index < 0 || index >= (int)(sln)) + { + in.setstate(std::ios_base::badbit); + return false; +@@ -2097,7 +2097,7 @@ read_sface(SFace_handle sfh) { + in >> index; + // sfh->boundary_entry_objects().push_back(SEdge_of[index]); + SM_decorator SD(&*sfh->center_vertex()); +- if(index < 0 || index >= sen) ++ if(index < 0 || index >= (int)(sln)) + { + in.setstate(std::ios_base::badbit); + return false; +@@ -2110,7 +2110,7 @@ read_sface(SFace_handle sfh) { + while(isdigit(cc)) { + in.putback(cc); + in >> index; +- if(index < 0 || index >= en) ++ if(index < 0 || index >= (int)(sln)) + { + in.setstate(std::ios_base::badbit); + return false; +@@ -2124,7 +2124,7 @@ read_sface(SFace_handle sfh) { + while(isdigit(cc)) { + in.putback(cc); + in >> index; +- if(index < 0 || index >= sln) ++ if(index < 0 || index >= (int)(sln)) + { + in.setstate(std::ios_base::badbit); + return false; +@@ -2135,7 +2135,7 @@ read_sface(SFace_handle sfh) { + } + + in >> index; +- if(index < 0 || index >= vn) ++ if(index < 0 || index >= (int)(sln)) + { + in.setstate(std::ios_base::badbit); + return false; + +From 23cc6b0f4a2ac6061b01d86411d58b6da7ff5a34 Mon Sep 17 00:00:00 2001 +From: Maxime Gimeno +Date: Wed, 27 Jan 2021 10:04:45 +0100 +Subject: [PATCH 7/8] Fix read_sface + +--- + .../Convex_decomposition_3/check_decomposition.cpp | 2 ++ + Nef_3/include/CGAL/Nef_3/SNC_io_parser.h | 10 +++++----- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h b/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h +index 1dde7f8d0b3..a31a07c5d99 100644 +--- a/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h ++++ b/Nef_3/include/CGAL/Nef_3/SNC_io_parser.h +@@ -1803,7 +1803,7 @@ read_facet(Halffacet_handle fh) { + } + + in >> index; +- if(index < 0 || index >= int(vn)) ++ if(index < 0 || index >= int(cn)) + { + in.setstate(std::ios_base::badbit); + return false; +@@ -2083,7 +2083,7 @@ read_sface(SFace_handle sfh) { + OK = OK && test_string("{"); + + in >> index; +- if(index < 0 || index >= (int)(sln)) ++ if(index < 0 || index >= (int)(vn)) + { + in.setstate(std::ios_base::badbit); + return false; +@@ -2097,7 +2097,7 @@ read_sface(SFace_handle sfh) { + in >> index; + // sfh->boundary_entry_objects().push_back(SEdge_of[index]); + SM_decorator SD(&*sfh->center_vertex()); +- if(index < 0 || index >= (int)(sln)) ++ if(index < 0 || index >= (int)(sen)) + { + in.setstate(std::ios_base::badbit); + return false; +@@ -2110,7 +2110,7 @@ read_sface(SFace_handle sfh) { + while(isdigit(cc)) { + in.putback(cc); + in >> index; +- if(index < 0 || index >= (int)(sln)) ++ if(index < 0 || index >= (int)(en)) + { + in.setstate(std::ios_base::badbit); + return false; +@@ -2135,7 +2135,7 @@ read_sface(SFace_handle sfh) { + } + + in >> index; +- if(index < 0 || index >= (int)(sln)) ++ if(index < 0 || index >= (int)(cn)) + { + in.setstate(std::ios_base::badbit); + return false; + -- cgit 1.4.1 From 090456dacb76160280a630d53f4f47b421281c66 Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Sat, 6 Mar 2021 04:47:10 +0100 Subject: gnu: ytnef: Fix CVE-2021-3403 and CVE-2021-3404. * gnu/packages/patches/ytnef-CVE-2021-3403.patch, gnu/packages/patches/ytnef-CVE-2021-3404.patch: New patches. * gnu/local.mk (dist_patch_DATA): Register them. * gnu/packages/mail.scm (ytnef): Apply them. --- gnu/local.mk | 2 ++ gnu/packages/mail.scm | 4 +++- gnu/packages/patches/ytnef-CVE-2021-3403.patch | 32 ++++++++++++++++++++++++++ gnu/packages/patches/ytnef-CVE-2021-3404.patch | 30 ++++++++++++++++++++++++ 4 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/ytnef-CVE-2021-3403.patch create mode 100644 gnu/packages/patches/ytnef-CVE-2021-3404.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 4900dabc36..fb3b395852 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1755,6 +1755,8 @@ dist_patch_DATA = \ %D%/packages/patches/xsane-support-ipv6.patch \ %D%/packages/patches/xsane-tighten-default-umask.patch \ %D%/packages/patches/yggdrasil-extra-config.patch \ + %D%/packages/patches/ytnef-CVE-2021-3403.patch \ + %D%/packages/patches/ytnef-CVE-2021-3404.patch \ %D%/packages/patches/zziplib-CVE-2018-16548.patch MISC_DISTRO_FILES = \ diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm index 0e0934a245..d90bfead72 100644 --- a/gnu/packages/mail.scm +++ b/gnu/packages/mail.scm @@ -3909,7 +3909,9 @@ It is a replacement for the @command{urlview} program.") (file-name (git-file-name name version)) (sha256 (base32 - "07h48s5qf08503pp9kafqbwipdqghiif22ghki7z8j67gyp04l6l")))) + "07h48s5qf08503pp9kafqbwipdqghiif22ghki7z8j67gyp04l6l")) + (patches (search-patches "ytnef-CVE-2021-3403.patch" + "ytnef-CVE-2021-3404.patch")))) (build-system gnu-build-system) (native-inputs `(("autoconf" ,autoconf) diff --git a/gnu/packages/patches/ytnef-CVE-2021-3403.patch b/gnu/packages/patches/ytnef-CVE-2021-3403.patch new file mode 100644 index 0000000000..4b1c9d659f --- /dev/null +++ b/gnu/packages/patches/ytnef-CVE-2021-3403.patch @@ -0,0 +1,32 @@ +From f2380a53fb84d370eaf6e6c3473062c54c57fac7 Mon Sep 17 00:00:00 2001 +From: Oliver Giles +Date: Mon, 1 Feb 2021 10:12:16 +1300 +Subject: [PATCH] Prevent potential double-free in TNEFSubjectHandler + +If TNEFSubjectHandler is called multiple times, but the last time +failed due to the PREALLOCCHECK, the subject.data member will be +a freed, but invalid pointer. To prevent a double-free next time +TNEFSubjectHandler is entered, set it to zero after freeing. + +Resolves: #85 +Reported-by: jasperla +--- + lib/ytnef.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/ytnef.c b/lib/ytnef.c +index b148719..b06c807 100644 +--- a/lib/ytnef.c ++++ b/lib/ytnef.c +@@ -301,8 +301,10 @@ int TNEFFromHandler STD_ARGLIST { + } + // ----------------------------------------------------------------------------- + int TNEFSubjectHandler STD_ARGLIST { +- if (TNEF->subject.data) ++ if (TNEF->subject.data) { + free(TNEF->subject.data); ++ TNEF->subject.data = NULL; ++ } + + PREALLOCCHECK(size, 100); + TNEF->subject.data = calloc(size+1, sizeof(BYTE)); diff --git a/gnu/packages/patches/ytnef-CVE-2021-3404.patch b/gnu/packages/patches/ytnef-CVE-2021-3404.patch new file mode 100644 index 0000000000..e991d6aff1 --- /dev/null +++ b/gnu/packages/patches/ytnef-CVE-2021-3404.patch @@ -0,0 +1,30 @@ +From f9ff4a203b8c155d51a208cadadb62f224fba715 Mon Sep 17 00:00:00 2001 +From: Oliver Giles +Date: Mon, 1 Feb 2021 10:18:17 +1300 +Subject: [PATCH] Ensure the size of the version field is 4 bytes + +A corrupted version field size can cause TNEFVersion to access outside +of allocated memory. Check the version is the expected size and raise +an error if not. + +Resolves: #86 +Reported-by: jasperla +--- + lib/ytnef.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/ytnef.c b/lib/ytnef.c +index b148719..ffede44 100644 +--- a/lib/ytnef.c ++++ b/lib/ytnef.c +@@ -335,6 +335,10 @@ int TNEFRendData STD_ARGLIST { + int TNEFVersion STD_ARGLIST { + WORD major; + WORD minor; ++ if (size != 2 * sizeof(WORD)) { ++ printf("Incorrect size of version field, suspected corruption\n"); ++ return -1; ++ } + minor = SwapWord((BYTE*)data, size); + major = SwapWord((BYTE*)data + 2, size - 2); + -- cgit 1.4.1 From fe830ffd8d761cee27edd069e3d99c1ab891cbf3 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Mon, 8 Mar 2021 15:48:08 +0200 Subject: gnu: libcaca: Patch for CVE-2021-3410. * gnu/packages/video.scm (libcaca)[source]: Add patches. * gnu/packages/patches/libcaca-CVE-2021-3410-pt1.patch, gnu/packages/patches/libcaca-CVE-2021-3410-pt2.patch: New files. * gnu/local.mk (dist_patch_DATA): Register them. --- gnu/local.mk | 2 + .../patches/libcaca-CVE-2021-3410-pt1.patch | 137 +++++++++++++++++++++ .../patches/libcaca-CVE-2021-3410-pt2.patch | 96 +++++++++++++++ gnu/packages/video.scm | 6 +- 4 files changed, 239 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/libcaca-CVE-2021-3410-pt1.patch create mode 100644 gnu/packages/patches/libcaca-CVE-2021-3410-pt2.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index fb3b395852..3a516d487f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1266,6 +1266,8 @@ dist_patch_DATA = \ %D%/packages/patches/libbase-fix-includes.patch \ %D%/packages/patches/libbase-use-own-logging.patch \ %D%/packages/patches/libbonobo-activation-test-race.patch \ + %D%/packages/patches/libcaca-CVE-2021-3410-pt1.patch \ + %D%/packages/patches/libcaca-CVE-2021-3410-pt2.patch \ %D%/packages/patches/libcanberra-sound-theme-freedesktop.patch \ %D%/packages/patches/libcanberra-wayland-crash.patch \ %D%/packages/patches/libcyaml-libyaml-compat.patch \ diff --git a/gnu/packages/patches/libcaca-CVE-2021-3410-pt1.patch b/gnu/packages/patches/libcaca-CVE-2021-3410-pt1.patch new file mode 100644 index 0000000000..b23b01d33a --- /dev/null +++ b/gnu/packages/patches/libcaca-CVE-2021-3410-pt1.patch @@ -0,0 +1,137 @@ +https://github.com/cacalabs/libcaca/commit/46b4ea7cea72d6b3ffe65d33e604b1774dcc2bbd.patch + +From 46b4ea7cea72d6b3ffe65d33e604b1774dcc2bbd Mon Sep 17 00:00:00 2001 +From: Sam Hocevar +Date: Fri, 26 Feb 2021 10:55:38 +0100 +Subject: [PATCH] canvas: fix an integer overflow in caca_resize(). + +Fixes: #52 (CVE-2021-3410) +--- + caca/canvas.c | 13 +++++++++++-- + caca/codec/import.c | 1 + + caca/codec/text.c | 21 ++++++++++++++------- + 3 files changed, 26 insertions(+), 9 deletions(-) + +diff --git a/caca/canvas.c b/caca/canvas.c +index 3fdd37ae..d0715392 100644 +--- a/caca/canvas.c ++++ b/caca/canvas.c +@@ -45,6 +45,7 @@ static int caca_resize(caca_canvas_t *, int, int); + * + * If an error occurs, NULL is returned and \b errno is set accordingly: + * - \c EINVAL Specified width or height is invalid. ++ * - \c EOVERFLOW Specified width and height overflowed. + * - \c ENOMEM Not enough memory for the requested canvas size. + * + * \param width The desired canvas width +@@ -200,6 +201,7 @@ int caca_unmanage_canvas(caca_canvas_t *cv, int (*callback)(void *), void *p) + * + * If an error occurs, -1 is returned and \b errno is set accordingly: + * - \c EINVAL Specified width or height is invalid. ++ * - \c EOVERFLOW Specified width and height overflowed. + * - \c EBUSY The canvas is in use by a display driver and cannot be resized. + * - \c ENOMEM Not enough memory for the requested canvas size. If this + * happens, the canvas handle becomes invalid and should not be used. +@@ -363,7 +365,7 @@ int caca_rand(int min, int max) + + int caca_resize(caca_canvas_t *cv, int width, int height) + { +- int x, y, f, old_width, old_height, new_size, old_size; ++ int x, y, f, old_width, old_height, old_size; + + old_width = cv->width; + old_height = cv->height; +@@ -375,7 +377,14 @@ int caca_resize(caca_canvas_t *cv, int width, int height) + * dirty rectangle handling */ + cv->width = width; + cv->height = height; +- new_size = width * height; ++ int new_size = width * height; ++ ++ /* Check for overflow */ ++ if (new_size / width != height) ++ { ++ seterrno(EOVERFLOW); ++ return -1; ++ } + + /* If width or height is smaller (or both), we have the opportunity to + * reduce or even remove dirty rectangles */ +diff --git a/caca/codec/import.c b/caca/codec/import.c +index 8836fd08..2dafe3cf 100644 +--- a/caca/codec/import.c ++++ b/caca/codec/import.c +@@ -61,6 +61,7 @@ static ssize_t import_caca(caca_canvas_t *, void const *, size_t); + * + * If an error occurs, -1 is returned and \b errno is set accordingly: + * - \c ENOMEM Not enough memory to allocate canvas. ++ * - \c EOVERFLOW Importing data caused a value overflow. + * - \c EINVAL Invalid format requested. + * + * \param cv A libcaca canvas in which to import the file. +diff --git a/caca/codec/text.c b/caca/codec/text.c +index 358b7224..94a2a4d7 100644 +--- a/caca/codec/text.c ++++ b/caca/codec/text.c +@@ -46,7 +46,7 @@ ssize_t _import_text(caca_canvas_t *cv, void const *data, size_t size) + char const *text = (char const *)data; + unsigned int width = 0, height = 0, x = 0, y = 0, i; + +- caca_set_canvas_size(cv, width, height); ++ caca_set_canvas_size(cv, 0, 0); + + for(i = 0; i < size; i++) + { +@@ -70,15 +70,19 @@ ssize_t _import_text(caca_canvas_t *cv, void const *data, size_t size) + if(y >= height) + height = y + 1; + +- caca_set_canvas_size(cv, width, height); ++ if (caca_set_canvas_size(cv, width, height) < 0) ++ return -1; + } + + caca_put_char(cv, x, y, ch); + x++; + } + +- if(y > height) +- caca_set_canvas_size(cv, width, height = y); ++ if (y > height) ++ { ++ if (caca_set_canvas_size(cv, width, height = y) < 0) ++ return -1; ++ } + + return (ssize_t)size; + } +@@ -431,7 +435,8 @@ ssize_t _import_ansi(caca_canvas_t *cv, void const *data, size_t size, int utf8) + { + savedattr = caca_get_attr(cv, -1, -1); + caca_set_attr(cv, im.clearattr); +- caca_set_canvas_size(cv, width = x + wch, height); ++ if (caca_set_canvas_size(cv, width = x + wch, height) < 0) ++ return -1; + caca_set_attr(cv, savedattr); + } + else +@@ -448,7 +453,8 @@ ssize_t _import_ansi(caca_canvas_t *cv, void const *data, size_t size, int utf8) + caca_set_attr(cv, im.clearattr); + if(growy) + { +- caca_set_canvas_size(cv, width, height = y + 1); ++ if (caca_set_canvas_size(cv, width, height = y + 1) < 0) ++ return -1; + } + else + { +@@ -480,7 +486,8 @@ ssize_t _import_ansi(caca_canvas_t *cv, void const *data, size_t size, int utf8) + { + savedattr = caca_get_attr(cv, -1, -1); + caca_set_attr(cv, im.clearattr); +- caca_set_canvas_size(cv, width, height = y); ++ if (caca_set_canvas_size(cv, width, height = y)) ++ return -1; + caca_set_attr(cv, savedattr); + } + diff --git a/gnu/packages/patches/libcaca-CVE-2021-3410-pt2.patch b/gnu/packages/patches/libcaca-CVE-2021-3410-pt2.patch new file mode 100644 index 0000000000..e6fd506b37 --- /dev/null +++ b/gnu/packages/patches/libcaca-CVE-2021-3410-pt2.patch @@ -0,0 +1,96 @@ +https://github.com/cacalabs/libcaca/commit/e4968ba6e93e9fd35429eb16895c785c51072015.patch +Patch adjusted to remove the lines modifying caca/t/canvas.cpp. This file does not exist in the current release. + +From e4968ba6e93e9fd35429eb16895c785c51072015 Mon Sep 17 00:00:00 2001 +From: Sam Hocevar +Date: Fri, 26 Feb 2021 12:40:06 +0100 +Subject: [PATCH] Fix a problem in the caca_resize() overflow detection and add + several unit tests. + +--- + caca/canvas.c | 16 ++++++++-------- + caca/t/canvas.cpp | 18 +++++++++++++++--- + tools/makefont.c | 22 +++++++++++++++++++--- + 3 files changed, 42 insertions(+), 14 deletions(-) + +diff --git a/caca/canvas.c b/caca/canvas.c +index d0715392..08c628c9 100644 +--- a/caca/canvas.c ++++ b/caca/canvas.c +@@ -367,6 +367,14 @@ int caca_resize(caca_canvas_t *cv, int width, int height) + { + int x, y, f, old_width, old_height, old_size; + ++ /* Check for overflow */ ++ int new_size = width * height; ++ if (new_size < 0 || (width > 0 && new_size / width != height)) ++ { ++ seterrno(EOVERFLOW); ++ return -1; ++ } ++ + old_width = cv->width; + old_height = cv->height; + old_size = old_width * old_height; +@@ -377,14 +385,6 @@ int caca_resize(caca_canvas_t *cv, int width, int height) + * dirty rectangle handling */ + cv->width = width; + cv->height = height; +- int new_size = width * height; +- +- /* Check for overflow */ +- if (new_size / width != height) +- { +- seterrno(EOVERFLOW); +- return -1; +- } + + /* If width or height is smaller (or both), we have the opportunity to + * reduce or even remove dirty rectangles */ +diff --git a/tools/makefont.c b/tools/makefont.c +index 226c8838..66718605 100644 +--- a/tools/makefont.c ++++ b/tools/makefont.c +@@ -40,7 +40,8 @@ + * and the UTF-8 glyphs necessary for canvas rotation and mirroring. */ + static unsigned int const blocklist[] = + { +- 0x0000, 0x0080, /* Basic latin: A, B, C, a, b, c */ ++ 0x0020, 0x0080, /* Basic latin: A, B, C, a, b, c */ ++#if 0 + 0x0080, 0x0100, /* Latin-1 Supplement: Ä, Ç, å, ß */ + 0x0100, 0x0180, /* Latin Extended-A: Ā č Ō œ */ + 0x0180, 0x0250, /* Latin Extended-B: Ǝ Ƹ */ +@@ -63,6 +64,7 @@ static unsigned int const blocklist[] = + 0x30a0, 0x3100, /* Katakana: ロ ル */ + 0xff00, 0xfff0, /* Halfwidth and Fullwidth Forms: A, B, C, a, b, c */ + 0x10400, 0x10450, /* Deseret: 𐐒 𐐋 */ ++#endif + 0, 0 + }; + +@@ -317,8 +319,22 @@ int main(int argc, char *argv[]) + printf_unicode(>ab[n]); + + if(gtab[n].same_as == n) +- printf_hex(" */ %s\n", +- glyph_data + gtab[n].data_offset, gtab[n].data_size); ++ { ++ char const *lut = " .:nmW@"; ++ printf("\n"); ++ for (int y = 0; y < height; ++y) ++ { ++ for (int x = 0; x < gtab[n].data_width; ++x) ++ { ++ int val = glyph_data[gtab[n].data_offset + y * gtab[n].data_width + x]; ++ char ch = lut[val * val * 7 / 256 / 256]; ++ printf("%c%c", ch, ch); ++ } ++ printf("\n"); ++ } ++ //printf_hex(" */ %s\n", ++ // glyph_data + gtab[n].data_offset, gtab[n].data_size); ++ } + else + { + printf(" is "); diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm index a46a55e855..92ecfb99ff 100644 --- a/gnu/packages/video.scm +++ b/gnu/packages/video.scm @@ -3,7 +3,7 @@ ;;; Copyright © 2014, 2015, 2016 David Thompson ;;; Copyright © 2014, 2015, 2016, 2018, 2020 Mark H Weaver ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer -;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Efraim Flashner +;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Efraim Flashner ;;; Copyright © 2015 Andy Patterson ;;; Copyright © 2015, 2018, 2019, 2020 Ricardo Wurmus ;;; Copyright © 2015, 2016, 2017, 2018, 2019 Alex Vong @@ -1234,7 +1234,9 @@ ASS/SSA (Advanced Substation Alpha/SubStation Alpha) subtitle format.") version ".tar.gz")) (sha256 (base32 - "1x3j6yfyxl52adgnabycr0n38j9hx2j74la0hz0n8cnh9ry4d2qj")))) + "1x3j6yfyxl52adgnabycr0n38j9hx2j74la0hz0n8cnh9ry4d2qj")) + (patches (search-patches "libcaca-CVE-2021-3410-pt1.patch" + "libcaca-CVE-2021-3410-pt2.patch")))) (build-system gnu-build-system) (arguments '(#:configure-flags '("--disable-static"))) -- cgit 1.4.1 From 251b0f7a6fa550ef4e0975668d7ab8c4c7b214d3 Mon Sep 17 00:00:00 2001 From: Felix Gruber Date: Sun, 7 Mar 2021 15:32:33 +0100 Subject: gnu: vtk: Fix build failure. * gnu/packages/image-processing.scm (vtk): Fix build failure. [source]: Add patch to fix build failure with recent versions of freetype. * gnu/packages/patches/vtk-fix-freetypetools-build-failure.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Signed-off-by: Efraim Flashner --- gnu/local.mk | 3 +- gnu/packages/image-processing.scm | 3 ++ .../vtk-fix-freetypetools-build-failure.patch | 36 ++++++++++++++++++++++ 3 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/vtk-fix-freetypetools-build-failure.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 3a516d487f..bcee06a97a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -31,7 +31,7 @@ # Copyright © 2020 R Veera Kumar # Copyright © 2020 Nicolò Balzarotti # Copyright © 2020 Michael Rohleder -# Copyright © 2020 Felix Gruber +# Copyright © 2020, 2021 Felix Gruber # Copyright © 2020 Ryan Prior # Copyright © 2020 Jan Wielkiewicz # Copyright © 2020 Brice Waegeneire @@ -1720,6 +1720,7 @@ dist_patch_DATA = \ %D%/packages/patches/vsearch-unbundle-cityhash.patch \ %D%/packages/patches/vte-CVE-2012-2738-pt1.patch \ %D%/packages/patches/vte-CVE-2012-2738-pt2.patch \ + %D%/packages/patches/vtk-fix-freetypetools-build-failure.patch \ %D%/packages/patches/warsow-qfusion-fix-bool-return-type.patch \ %D%/packages/patches/webkitgtk-share-store.patch \ %D%/packages/patches/webkitgtk-bind-all-fonts.patch \ diff --git a/gnu/packages/image-processing.scm b/gnu/packages/image-processing.scm index 5dfd18d1bd..6f4576b8b9 100644 --- a/gnu/packages/image-processing.scm +++ b/gnu/packages/image-processing.scm @@ -13,6 +13,7 @@ ;;; Copyright © 2020 Pierre Neidhardt ;;; Copyright © 2020 Brendan Tildesley ;;; Copyright © 2021 Oleh Malyi +;;; Copyright © 2021 Felix Gruber ;;; ;;; This file is part of GNU Guix. ;;; @@ -254,6 +255,8 @@ many popular formats.") (sha256 (base32 "1fspgp8k0myr6p2a6wkc21ldcswb4bvmb484m12mxgk1a9vxrhrl")) + (patches + (search-patches "vtk-fix-freetypetools-build-failure.patch")) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/vtk-fix-freetypetools-build-failure.patch b/gnu/packages/patches/vtk-fix-freetypetools-build-failure.patch new file mode 100644 index 0000000000..6988e65872 --- /dev/null +++ b/gnu/packages/patches/vtk-fix-freetypetools-build-failure.patch @@ -0,0 +1,36 @@ +This fixes a build failure in VTK when building against recent versions +of freetype. + + https://gitlab.kitware.com/vtk/vtk/-/merge_requests/7432 + +Patch by Ben Boeckel + +Subject: [PATCH] vtkFreeTypeTools: avoid using an internal macro + +This macro has been removed upstream as it was always intended to be +private. +--- + Rendering/FreeType/vtkFreeTypeTools.cxx | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/Rendering/FreeType/vtkFreeTypeTools.cxx b/Rendering/FreeType/vtkFreeTypeTools.cxx +index c54289dc60..03b899c4da 100644 +--- a/Rendering/FreeType/vtkFreeTypeTools.cxx ++++ b/Rendering/FreeType/vtkFreeTypeTools.cxx +@@ -387,11 +387,8 @@ FTC_CMapCache* vtkFreeTypeTools::GetCMapCache() + } + + //---------------------------------------------------------------------------- +-FT_CALLBACK_DEF(FT_Error) +-vtkFreeTypeToolsFaceRequester(FTC_FaceID face_id, +- FT_Library lib, +- FT_Pointer request_data, +- FT_Face* face) ++static FT_Error vtkFreeTypeToolsFaceRequester( ++ FTC_FaceID face_id, FT_Library lib, FT_Pointer request_data, FT_Face* face) + { + #if VTK_FTFC_DEBUG_CD + printf("vtkFreeTypeToolsFaceRequester()\n"); +-- +2.30.1 + -- cgit 1.4.1 From b66fc0a64bbcf4c198c117f0eca1ee95661b5b4a Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Wed, 10 Mar 2021 09:50:14 +0100 Subject: gnu: bsdiff: Fix CVE-2014-9862. * gnu/packages/patches/bsdiff-CVE-2014-9862.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/compression.scm (bsdiff): Apply it. --- gnu/local.mk | 1 + gnu/packages/compression.scm | 3 ++- gnu/packages/patches/bsdiff-CVE-2014-9862.patch | 15 +++++++++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/bsdiff-CVE-2014-9862.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index bcee06a97a..dcee722e79 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -840,6 +840,7 @@ dist_patch_DATA = \ %D%/packages/patches/bazaar-CVE-2017-14176.patch \ %D%/packages/patches/bc-fix-cross-compilation.patch \ %D%/packages/patches/bear-disable-preinstall-tests.patch \ + %D%/packages/patches/bsdiff-CVE-2014-9862.patch \ %D%/packages/patches/bsd-games-2.17-64bit.patch \ %D%/packages/patches/bsd-games-add-configure-config.patch \ %D%/packages/patches/bsd-games-add-wrapper.patch \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 32fd358ac8..fbe3b06347 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -963,7 +963,8 @@ tarballs.") (uri (string-append home-page name "-" version ".tar.gz")) (sha256 (base32 - "0j2zm3z271x5aw63mwhr3vymzn45p2vvrlrpm9cz2nywna41b0hq")))) + "0j2zm3z271x5aw63mwhr3vymzn45p2vvrlrpm9cz2nywna41b0hq")) + (patches (search-patches "bsdiff-CVE-2014-9862.patch")))) (build-system gnu-build-system) (arguments `(#:make-flags (list "INSTALL=install" diff --git a/gnu/packages/patches/bsdiff-CVE-2014-9862.patch b/gnu/packages/patches/bsdiff-CVE-2014-9862.patch new file mode 100644 index 0000000000..7aab818090 --- /dev/null +++ b/gnu/packages/patches/bsdiff-CVE-2014-9862.patch @@ -0,0 +1,15 @@ +diff --git a/bspatch.c b/bspatch.c +index 8d95633..ab77722 100644 +--- a/bspatch.c ++++ b/bspatch.c + +@@ -187,6 +187,10 @@ + }; + + /* Sanity-check */ ++ if ((ctrl[0] < 0) || (ctrl[1] < 0)) ++ errx(1,"Corrupt patch\n"); ++ ++ /* Sanity-check */ + if(newpos+ctrl[0]>newsize) + errx(1,"Corrupt patch\n"); -- cgit 1.4.1 From 70128b8afacf332b0aff69ebcad6868fd158e8ad Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Wed, 10 Mar 2021 11:49:35 +0100 Subject: gnu: cyrus-sasl: Fix CVE-2019-19906. * gnu/packages/patches/cyrus-sasl-CVE-2019-19906.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/cyrus-sasl.scm (cyrus-sasl/fixed): New variable. Apply patch. (cyrus-sasl)[replacement]: Graft. --- gnu/local.mk | 1 + gnu/packages/cyrus-sasl.scm | 18 ++++++++++++++++ .../patches/cyrus-sasl-CVE-2019-19906.patch | 25 ++++++++++++++++++++++ 3 files changed, 44 insertions(+) create mode 100644 gnu/packages/patches/cyrus-sasl-CVE-2019-19906.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index dcee722e79..43ed97692e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -917,6 +917,7 @@ dist_patch_DATA = \ %D%/packages/patches/cursynth-wave-rand.patch \ %D%/packages/patches/cvs-CVE-2017-12836.patch \ %D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch \ + %D%/packages/patches/cyrus-sasl-CVE-2019-19906.patch \ %D%/packages/patches/c++-gsl-find-system-gtest.patch \ %D%/packages/patches/date-output-pkg-config-files.patch \ %D%/packages/patches/datefudge-gettimeofday.patch \ diff --git a/gnu/packages/cyrus-sasl.scm b/gnu/packages/cyrus-sasl.scm index 3e65a1faf6..691349a38f 100644 --- a/gnu/packages/cyrus-sasl.scm +++ b/gnu/packages/cyrus-sasl.scm @@ -45,6 +45,7 @@ (sha256 (base32 "1m85zcpgfdhm43cavpdkhb1s2zq1b31472hq1w1gs3xh94anp1i6")) (patches (search-patches "cyrus-sasl-ac-try-run-fix.patch")))) + (replacement cyrus-sasl/fixed) (build-system gnu-build-system) (native-inputs `(("autoconf" ,autoconf) @@ -80,3 +81,20 @@ server writers.") (license (license:non-copyleft "file://COPYING" "See COPYING in the distribution.")) (home-page "https://cyrusimap.org/sasl/"))) + +(define-public cyrus-sasl/fixed + (package + (inherit cyrus-sasl) + (version "2.1.27") + (source (origin + (method url-fetch) + (uri (list (string-append + "https://cyrusimap.org/releases/cyrus-sasl-" + version ".tar.gz") + (string-append + "ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-" + version ".tar.gz"))) + (sha256 (base32 + "1m85zcpgfdhm43cavpdkhb1s2zq1b31472hq1w1gs3xh94anp1i6")) + (patches (search-patches "cyrus-sasl-ac-try-run-fix.patch" + "cyrus-sasl-CVE-2019-19906.patch")))))) diff --git a/gnu/packages/patches/cyrus-sasl-CVE-2019-19906.patch b/gnu/packages/patches/cyrus-sasl-CVE-2019-19906.patch new file mode 100644 index 0000000000..acdf682430 --- /dev/null +++ b/gnu/packages/patches/cyrus-sasl-CVE-2019-19906.patch @@ -0,0 +1,25 @@ +From dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1 Mon Sep 17 00:00:00 2001 +From: Quanah Gibson-Mount +Date: Tue, 18 Feb 2020 19:05:12 +0000 +Subject: [PATCH] Fix #587 + +Off by one error in common.c, CVE-2019-19906. + +Thanks to Stephan Zeisberg for reporting +--- + lib/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/common.c b/lib/common.c +index bc3bf1df..9969d6aa 100644 +--- a/lib/common.c ++++ b/lib/common.c +@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen, + + if (add==NULL) add = "(null)"; + +- addlen=strlen(add); /* only compute once */ ++ addlen=strlen(add)+1; /* only compute once */ + if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=SASL_OK) + return SASL_NOMEM; + -- cgit 1.4.1 From 38b0c64d7b3e4c6bfc1da9cd6b9a04d27972e90d Mon Sep 17 00:00:00 2001 From: Lars-Dominik Braun Date: Thu, 4 Mar 2021 12:00:47 +0100 Subject: gnu: python-shouldbe: Remove. Unmaintained upstream and its only dependent (python-gssapi) dropped it. * gnu/packages/patches/python-shouldbe-0.1.2-cpy3.8.patch: Remove. * gnu/local.mk: Drop patch file. * gnu/packages/python-xyz.scm (python-shouldbe): Remove. --- gnu/local.mk | 1 - .../patches/python-shouldbe-0.1.2-cpy3.8.patch | 82 ---------------------- gnu/packages/python-xyz.scm | 23 ------ 3 files changed, 106 deletions(-) delete mode 100644 gnu/packages/patches/python-shouldbe-0.1.2-cpy3.8.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 43ed97692e..667ec79048 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1560,7 +1560,6 @@ dist_patch_DATA = \ %D%/packages/patches/python2-pygobject-2-deprecation.patch \ %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \ %D%/packages/patches/python-robotframework-source-date-epoch.patch \ - %D%/packages/patches/python-shouldbe-0.1.2-cpy3.8.patch \ %D%/packages/patches/python2-subprocess32-disable-input-test.patch \ %D%/packages/patches/python-unittest2-python3-compat.patch \ %D%/packages/patches/python-unittest2-remove-argparse.patch \ diff --git a/gnu/packages/patches/python-shouldbe-0.1.2-cpy3.8.patch b/gnu/packages/patches/python-shouldbe-0.1.2-cpy3.8.patch deleted file mode 100644 index f3b56e42d6..0000000000 --- a/gnu/packages/patches/python-shouldbe-0.1.2-cpy3.8.patch +++ /dev/null @@ -1,82 +0,0 @@ -Fix compatibility with Python 3.8. - -Upstream issue: https://github.com/DirectXMan12/should_be/pull/5 - -diff -x '*.pyc' -Naur shouldbe-0.1.2/should_be/core.py shouldbe-0.1.2.patched/should_be/core.py ---- shouldbe-0.1.2/should_be/core.py 2019-03-06 07:38:22.000000000 +0100 -+++ shouldbe-0.1.2.patched/should_be/core.py 2020-05-18 08:44:24.214664704 +0200 -@@ -103,7 +103,7 @@ - return resf - - --def buildCode(baseCode, argcount=None, kwonlyargcount=None, -+def buildCode(baseCode, argcount=None, posonlyargcount=None, kwonlyargcount=None, - nlocals=None, stacksize=None, flags=None, - code=None, consts=None, names=None, - varnames=None, filename=None, name=None, -@@ -121,6 +121,24 @@ - nlocals or baseCode.co_nlocals, - stacksize or baseCode.co_stacksize, - flags or baseCode.co_flags, -+ code or baseCode.co_code, -+ consts or baseCode.co_consts, -+ names or baseCode.co_names, -+ varnames or baseCode.co_varnames, -+ filename or baseCode.co_filename, -+ name or baseCode.co_name, -+ firstlineno or baseCode.co_firstlineno, -+ lnotab or baseCode.co_lnotab, -+ freevars or baseCode.co_freevars, -+ cellvars or baseCode.co_cellvars) -+ elif hasattr(baseCode, 'co_posonlyargcount'): -+ # Python 3.8 -+ resc = CodeType(argcount or baseCode.co_argcount, -+ posonlyargcount or baseCode.co_posonlyargcount, -+ kwonlyargcount or baseCode.co_kwonlyargcount, -+ nlocals or baseCode.co_nlocals, -+ stacksize or baseCode.co_stacksize, -+ flags or baseCode.co_flags, - code or baseCode.co_code, - consts or baseCode.co_consts, - names or baseCode.co_names, -diff -x '*.pyc' -Naur shouldbe-0.1.2/should_be/tests/test_container_mixin.py shouldbe-0.1.2.patched/should_be/tests/test_container_mixin.py ---- shouldbe-0.1.2/should_be/tests/test_container_mixin.py 2019-03-01 06:38:16.000000000 +0100 -+++ shouldbe-0.1.2.patched/should_be/tests/test_container_mixin.py 2020-05-18 09:00:51.372531064 +0200 -@@ -7,31 +7,31 @@ - self.lst = [1, 2, 3] - - def test_should_include_iter(self): -- err_msg = (r'[a-zA-Z0-9.]+ should have included \[.+?\]' -+ err_msg = (r'[a-zA-Z0-9.()]+ should have included \[.+?\]' - r', but did not have items .+') -- self.assertRaisesRegexp(AssertionError, err_msg, -+ self.assertRaisesRegex(AssertionError, err_msg, - self.lst.should_include, [4]) - - self.lst.should_include([1, 2, 3]) - - def test_should_include_item(self): -- err_msg = (r'[a-zA-Z0-9.]+ should have included .+?' -+ err_msg = (r'[a-zA-Z0-9.()]+ should have included .+?' - r', but did not') -- self.assertRaisesRegexp(AssertionError, err_msg, -+ self.assertRaisesRegex(AssertionError, err_msg, - self.lst.should_include, 4) - - self.lst.should_include(3) - - def test_shouldnt_include_iter(self): - err_msg = 'should not have included' -- self.assertRaisesRegexp(AssertionError, err_msg, -+ self.assertRaisesRegex(AssertionError, err_msg, - self.lst.shouldnt_include, [2, 3]) - - self.lst.shouldnt_include([4, 5]) - - def test_shouldnt_include_item(self): - err_msg = 'should not have included' -- self.assertRaisesRegexp(AssertionError, err_msg, -+ self.assertRaisesRegex(AssertionError, err_msg, - self.lst.shouldnt_include, 3) - - self.lst.shouldnt_include(4) diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm index 585e0014b9..532f26ea8d 100644 --- a/gnu/packages/python-xyz.scm +++ b/gnu/packages/python-xyz.scm @@ -21556,29 +21556,6 @@ and cuts down boilerplate code when testing libraries for asyncio.") (description "This project allows Python code to extend built-in types.") (license (list license:gpl3+ license:expat)))) -(define-public python-shouldbe - (package - (name "python-shouldbe") - (version "0.1.2") - (source - (origin - (method url-fetch) - (uri (pypi-uri "shouldbe" version)) - (sha256 - (base32 - "16zbvjxf71dl4yfbgcr6idyim3mdrfvix1dv8b95p0s9z07372pj")) - (patches (search-patches "python-shouldbe-0.1.2-cpy3.8.patch")))) - (build-system python-build-system) - (propagated-inputs - `(("python-forbiddenfruit" ,python-forbiddenfruit))) - (native-inputs - `(("python-nose" ,python-nose))) - (home-page "https://github.com/directxman12/should_be") - (synopsis "Python Assertion Helpers inspired by Shouldly") - (description - "Python Assertion Helpers inspired by Shouldly.") - (license license:isc))) - (define-public python-k5test (package (name "python-k5test") -- cgit 1.4.1 From e5f89570c1d72c4b674fad6b6ad5591ead02d419 Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Wed, 10 Mar 2021 13:01:58 +0100 Subject: gnu: mongodb: Update to 3.4.24 [security fixes]. * gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch: Remove patch. * gnu/local.mk (dist_patch_DATA): Ditto. * gnu/packages/databases.scm (mongodb): Update to 3.4.24. [source]: Drop patch. Update third_party libs folder names. --- gnu/local.mk | 1 - gnu/packages/databases.scm | 13 ++--- ...ngodb-support-unknown-linux-distributions.patch | 55 ---------------------- 3 files changed, 5 insertions(+), 64 deletions(-) delete mode 100644 gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 667ec79048..39037d3499 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1372,7 +1372,6 @@ dist_patch_DATA = \ %D%/packages/patches/mpc123-initialize-ao.patch \ %D%/packages/patches/module-init-tools-moduledir.patch \ %D%/packages/patches/monero-use-system-miniupnpc.patch \ - %D%/packages/patches/mongodb-support-unknown-linux-distributions.patch \ %D%/packages/patches/mono-mdoc-timestamping.patch \ %D%/packages/patches/mozjs17-aarch64-support.patch \ %D%/packages/patches/mozjs24-aarch64-support.patch \ diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm index 8bb248fa1d..03d01b582a 100644 --- a/gnu/packages/databases.scm +++ b/gnu/packages/databases.scm @@ -664,27 +664,24 @@ replacement for the code@{python-memcached} library.") (define-public mongodb (package (name "mongodb") - (version "3.4.10") + (version "3.4.24") (source (origin (method url-fetch) (uri (string-append "https://github.com/mongodb/mongo/archive/r" version ".tar.gz")) (file-name (string-append name "-" version ".tar.gz")) (sha256 - (base32 "0676lvkljj7a5hdhv78dbykqnqrj9lbn9799mi84b8vbnzsq961r")) + (base32 "0y1669sqj8wyf0y0njhxs4qhn1qzjhrs2h2qllya5samxrlrjhkg")) (modules '((guix build utils))) (snippet '(begin (for-each (lambda (dir) (delete-file-recursively (string-append "src/third_party/" dir))) - '("pcre-8.41" "scons-2.5.0" "snappy-1.1.3" + '("pcre-8.42" "scons-2.5.0" "snappy-1.1.3" "valgrind-3.11.0" "wiredtiger" - "yaml-cpp-0.5.3" "zlib-1.2.8")) - #t)) - (patches - (list - (search-patch "mongodb-support-unknown-linux-distributions.patch"))))) + "yaml-cpp-0.6.2" "zlib-1.2.11")) + #t)))) (build-system scons-build-system) (inputs `(("openssl" ,openssl-1.0) diff --git a/gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch b/gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch deleted file mode 100644 index 6057ebeb08..0000000000 --- a/gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch +++ /dev/null @@ -1,55 +0,0 @@ -From e724bb7018a482640c4f194f88b554af2c59d76e Mon Sep 17 00:00:00 2001 -From: Mark Benvenuto -Date: Wed, 20 Sep 2017 11:50:02 -0400 -Subject: [PATCH] SERVER-30857 Support unknown Linux distributions - ---- - src/mongo/rpc/metadata/client_metadata.cpp | 6 ------ - src/mongo/util/processinfo_linux.cpp | 9 ++++++--- - 2 files changed, 6 insertions(+), 9 deletions(-) - -diff --git a/src/mongo/rpc/metadata/client_metadata.cpp b/src/mongo/rpc/metadata/client_metadata.cpp -index 845a315dd74..a959a4e31e9 100644 ---- a/src/mongo/rpc/metadata/client_metadata.cpp -+++ b/src/mongo/rpc/metadata/client_metadata.cpp -@@ -302,9 +302,6 @@ void ClientMetadata::serializePrivate(StringData driverName, - StringData osArchitecture, - StringData osVersion, - BSONObjBuilder* builder) { -- invariant(!driverName.empty() && !driverVersion.empty() && !osType.empty() && !osName.empty() && -- !osArchitecture.empty() && !osVersion.empty()); -- - BSONObjBuilder metaObjBuilder(builder->subobjStart(kMetadataDocumentName)); - - { -@@ -347,9 +344,6 @@ Status ClientMetadata::serializePrivate(StringData driverName, - StringData osVersion, - StringData appName, - BSONObjBuilder* builder) { -- invariant(!driverName.empty() && !driverVersion.empty() && !osType.empty() && !osName.empty() && -- !osArchitecture.empty() && !osVersion.empty()); -- - if (appName.size() > kMaxApplicationNameByteLength) { - return Status(ErrorCodes::ClientMetadataAppNameTooLarge, - str::stream() << "The '" << kApplication << "." << kName -diff --git a/src/mongo/util/processinfo_linux.cpp b/src/mongo/util/processinfo_linux.cpp -index c3debf377bd..c2813b026b0 100644 ---- a/src/mongo/util/processinfo_linux.cpp -+++ b/src/mongo/util/processinfo_linux.cpp -@@ -376,10 +376,13 @@ class LinuxSysHelper { - if ((nl = name.find('\n', nl)) != string::npos) - // stop at first newline - name.erase(nl); -- // no standard format for name and version. use kernel version -- version = "Kernel "; -- version += LinuxSysHelper::readLineFromFile("/proc/sys/kernel/osrelease"); -+ } else { -+ name = "unknown"; - } -+ -+ // There is no standard format for name and version so use the kernel version. -+ version = "Kernel "; -+ version += LinuxSysHelper::readLineFromFile("/proc/sys/kernel/osrelease"); - } - - /** -- cgit 1.4.1 From c35f87bb1a300c6bde538eaa927a0f7311fb09a0 Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Thu, 11 Mar 2021 01:10:29 +0100 Subject: gnu: evolution-data-server: Fix CVE-2020-14928 and CVE-2020-16117. * gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch, gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch: New patches. * gnu/local.mk (dist_patch_DATA): Register them. * gnu/packages/gnome.scm (evolution-data-server): Apply them. --- gnu/local.mk | 2 + gnu/packages/gnome.scm | 4 +- .../evolution-data-server-CVE-2020-14928.patch | 115 +++++++++++++++++++++ .../evolution-data-server-CVE-2020-16117.patch | 28 +++++ 4 files changed, 148 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch create mode 100644 gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 39037d3499..e24cee8ecf 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -973,6 +973,8 @@ dist_patch_DATA = \ %D%/packages/patches/erlang-man-path.patch \ %D%/packages/patches/eudev-rules-directory.patch \ %D%/packages/patches/evilwm-lost-focus-bug.patch \ + %D%/packages/patches/evolution-data-server-CVE-2020-14928.patch \ + %D%/packages/patches/evolution-data-server-CVE-2020-16117.patch \ %D%/packages/patches/evolution-data-server-locales.patch \ %D%/packages/patches/evolution-data-server-libical-compat.patch \ %D%/packages/patches/exercism-disable-self-update.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 5c6d247471..1db2de4751 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -7479,7 +7479,9 @@ Exchange, Last.fm, IMAP/SMTP, Jabber, SIP and Kerberos.") (version-major+minor version) "/" name "-" version ".tar.xz")) (patches (search-patches "evolution-data-server-locales.patch" - "evolution-data-server-libical-compat.patch")) + "evolution-data-server-libical-compat.patch" + "evolution-data-server-CVE-2020-14928.patch" + "evolution-data-server-CVE-2020-16117.patch")) (sha256 (base32 "16z85y6hhazcrp5ngw47w4x9r0j8zrj7awv5im58hhp0xs19zf1y")))) diff --git a/gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch b/gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch new file mode 100644 index 0000000000..421f292c9d --- /dev/null +++ b/gnu/packages/patches/evolution-data-server-CVE-2020-14928.patch @@ -0,0 +1,115 @@ +From ba82be72cfd427b5d72ff21f929b3a6d8529c4df Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Mon, 22 Jun 2020 13:40:17 +0200 +Subject: [PATCH] I#226 - CVE-2020-14928: Response Injection via STARTTLS in + SMTP and POP3 + +Closes https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/226 +--- + src/camel/camel-stream-buffer.c | 19 +++++++++++++++++++ + src/camel/camel-stream-buffer.h | 1 + + src/camel/providers/pop3/camel-pop3-store.c | 2 ++ + src/camel/providers/pop3/camel-pop3-stream.c | 11 +++++++++++ + src/camel/providers/pop3/camel-pop3-stream.h | 1 + + .../providers/smtp/camel-smtp-transport.c | 2 ++ + 6 files changed, 36 insertions(+) + +diff --git a/src/camel/camel-stream-buffer.c b/src/camel/camel-stream-buffer.c +index 3e2e0dd36..a6f605ae5 100644 +--- a/src/camel/camel-stream-buffer.c ++++ b/src/camel/camel-stream-buffer.c +@@ -518,3 +518,22 @@ camel_stream_buffer_read_line (CamelStreamBuffer *sbf, + + return g_strdup ((gchar *) sbf->priv->linebuf); + } ++ ++/** ++ * camel_stream_buffer_discard_cache: ++ * @sbf: a #CamelStreamBuffer ++ * ++ * Discards any cached data in the @sbf. The next read reads ++ * from the stream. ++ * ++ * Since: 3.38 ++ **/ ++void ++camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf) ++{ ++ g_return_if_fail (CAMEL_IS_STREAM_BUFFER (sbf)); ++ ++ sbf->priv->ptr = sbf->priv->buf; ++ sbf->priv->end = sbf->priv->buf; ++ sbf->priv->ptr[0] = '\0'; ++} +diff --git a/src/camel/camel-stream-buffer.h b/src/camel/camel-stream-buffer.h +index ef92cfd8e..094e9926b 100644 +--- a/src/camel/camel-stream-buffer.h ++++ b/src/camel/camel-stream-buffer.h +@@ -93,6 +93,7 @@ gint camel_stream_buffer_gets (CamelStreamBuffer *sbf, + gchar * camel_stream_buffer_read_line (CamelStreamBuffer *sbf, + GCancellable *cancellable, + GError **error); ++void camel_stream_buffer_discard_cache (CamelStreamBuffer *sbf); + + G_END_DECLS + +diff --git a/src/camel/providers/pop3/camel-pop3-store.c b/src/camel/providers/pop3/camel-pop3-store.c +index 81c370f0a..5c9eb1eaa 100644 +--- a/src/camel/providers/pop3/camel-pop3-store.c ++++ b/src/camel/providers/pop3/camel-pop3-store.c +@@ -205,6 +205,8 @@ connect_to_server (CamelService *service, + + if (tls_stream != NULL) { + camel_stream_set_base_stream (stream, tls_stream); ++ /* Truncate any left cached input from the insecure part of the session */ ++ camel_pop3_stream_discard_cache (pop3_engine->stream); + g_object_unref (tls_stream); + } else { + g_prefix_error ( +diff --git a/src/camel/providers/pop3/camel-pop3-stream.c b/src/camel/providers/pop3/camel-pop3-stream.c +index 74bb11e61..c485b9bd6 100644 +--- a/src/camel/providers/pop3/camel-pop3-stream.c ++++ b/src/camel/providers/pop3/camel-pop3-stream.c +@@ -457,3 +457,14 @@ camel_pop3_stream_getd (CamelPOP3Stream *is, + + return 1; + } ++ ++void ++camel_pop3_stream_discard_cache (CamelPOP3Stream *is) ++{ ++ if (is) { ++ is->ptr = is->end = is->buf; ++ is->lineptr = is->linebuf; ++ is->lineend = is->linebuf + CAMEL_POP3_STREAM_LINE_SIZE; ++ is->ptr[0] = '\n'; ++ } ++} +diff --git a/src/camel/providers/pop3/camel-pop3-stream.h b/src/camel/providers/pop3/camel-pop3-stream.h +index bb6dbb903..128c8c45a 100644 +--- a/src/camel/providers/pop3/camel-pop3-stream.h ++++ b/src/camel/providers/pop3/camel-pop3-stream.h +@@ -87,6 +87,7 @@ gint camel_pop3_stream_getd (CamelPOP3Stream *is, + guint *len, + GCancellable *cancellable, + GError **error); ++void camel_pop3_stream_discard_cache (CamelPOP3Stream *is); + + G_END_DECLS + +diff --git a/src/camel/providers/smtp/camel-smtp-transport.c b/src/camel/providers/smtp/camel-smtp-transport.c +index 035baf367..1fc0f3206 100644 +--- a/src/camel/providers/smtp/camel-smtp-transport.c ++++ b/src/camel/providers/smtp/camel-smtp-transport.c +@@ -323,6 +323,8 @@ connect_to_server (CamelService *service, + + if (tls_stream != NULL) { + camel_stream_set_base_stream (stream, tls_stream); ++ /* Truncate any left cached input from the insecure part of the session */ ++ camel_stream_buffer_discard_cache (transport->istream); + g_object_unref (tls_stream); + } else { + g_prefix_error ( +-- +GitLab + diff --git a/gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch b/gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch new file mode 100644 index 0000000000..b2c0622a90 --- /dev/null +++ b/gnu/packages/patches/evolution-data-server-CVE-2020-16117.patch @@ -0,0 +1,28 @@ +From 2cc39592b532cf0dc994fd3694b8e6bf924c9ab5 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Mon, 10 Feb 2020 10:00:32 +0100 +Subject: [PATCH] I#189 - Crash on malformed server response with minimal + capabilities + +Closes https://gitlab.gnome.org/GNOME/evolution-data-server/issues/189 +--- + src/camel/providers/imapx/camel-imapx-server.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/camel/providers/imapx/camel-imapx-server.c b/src/camel/providers/imapx/camel-imapx-server.c +index 3c38fb1e9..3883321ec 100644 +--- a/src/camel/providers/imapx/camel-imapx-server.c ++++ b/src/camel/providers/imapx/camel-imapx-server.c +@@ -3045,7 +3045,8 @@ connected: + + /* See if we got new capabilities + * in the STARTTLS response. */ +- imapx_free_capability (is->priv->cinfo); ++ if (is->priv->cinfo) ++ imapx_free_capability (is->priv->cinfo); + is->priv->cinfo = NULL; + if (ic->status->condition == IMAPX_CAPABILITY) { + is->priv->cinfo = ic->status->u.cinfo; +-- +GitLab + -- cgit 1.4.1 From a2943e36c7c6309e955708552a72d532844576a8 Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Thu, 11 Mar 2021 01:18:35 +0100 Subject: gnu: evolution: Fix CVE-2020-11879. * gnu/packages/patches/evolution-CVE-2020-11879.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/gnome.scm (evolution): Apply it. --- gnu/local.mk | 1 + gnu/packages/gnome.scm | 3 +- .../patches/evolution-CVE-2020-11879.patch | 122 +++++++++++++++++++++ 3 files changed, 125 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/evolution-CVE-2020-11879.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index e24cee8ecf..9e20260ec3 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -973,6 +973,7 @@ dist_patch_DATA = \ %D%/packages/patches/erlang-man-path.patch \ %D%/packages/patches/eudev-rules-directory.patch \ %D%/packages/patches/evilwm-lost-focus-bug.patch \ + %D%/packages/patches/evolution-CVE-2020-11879.patch \ %D%/packages/patches/evolution-data-server-CVE-2020-14928.patch \ %D%/packages/patches/evolution-data-server-CVE-2020-16117.patch \ %D%/packages/patches/evolution-data-server-locales.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 1db2de4751..5ee28eec03 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -10711,7 +10711,8 @@ generic enough to work for everyone.") "evolution-" version ".tar.xz")) (sha256 (base32 - "164vy8h432pjglafn8y2ms4gsvk3kbgc63h5qp0mk5dv4smsp29c")))) + "164vy8h432pjglafn8y2ms4gsvk3kbgc63h5qp0mk5dv4smsp29c")) + (patches (search-patches "evolution-CVE-2020-11879.patch")))) (build-system cmake-build-system) (arguments `(#:imported-modules (,@%cmake-build-system-modules diff --git a/gnu/packages/patches/evolution-CVE-2020-11879.patch b/gnu/packages/patches/evolution-CVE-2020-11879.patch new file mode 100644 index 0000000000..8c85895aab --- /dev/null +++ b/gnu/packages/patches/evolution-CVE-2020-11879.patch @@ -0,0 +1,122 @@ +From 6489f20d6905cc797e2b2581c415e558c457caa7 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Wed, 12 Feb 2020 18:59:52 +0100 +Subject: [PATCH] I#784 - Warn about and limit what can be attached using + mailto: URI + +Closes https://gitlab.gnome.org/GNOME/evolution/issues/784 +--- + src/composer/e-msg-composer.c | 58 +++++++++++++++++++++++++++++------ + src/e-util/e-system.error.xml | 7 ++++- + 2 files changed, 54 insertions(+), 11 deletions(-) + +diff --git a/src/composer/e-msg-composer.c b/src/composer/e-msg-composer.c +index e4c9ac095e..cd3168d882 100644 +--- a/src/composer/e-msg-composer.c ++++ b/src/composer/e-msg-composer.c +@@ -4761,7 +4761,8 @@ handle_mailto (EMsgComposer *composer, + gchar *header, *content, *buf; + gsize nread, nwritten; + const gchar *p; +- gint len, clen; ++ gint len, clen, has_attachments = 0; ++ gboolean has_blacklisted_attachment = FALSE; + + table = e_msg_composer_get_header_table (composer); + view = e_msg_composer_get_attachment_view (composer); +@@ -4844,22 +4845,36 @@ handle_mailto (EMsgComposer *composer, + } else if (!g_ascii_strcasecmp (header, "attach") || + !g_ascii_strcasecmp (header, "attachment")) { + EAttachment *attachment; ++ GFile *file; + + camel_url_decode (content); +- if (file_is_blacklisted (content)) +- e_alert_submit ( +- E_ALERT_SINK (e_msg_composer_get_editor (composer)), +- "mail:blacklisted-file", +- content, NULL); + if (g_ascii_strncasecmp (content, "file:", 5) == 0) + attachment = e_attachment_new_for_uri (content); + else + attachment = e_attachment_new_for_path (content); +- e_attachment_store_add_attachment (store, attachment); +- e_attachment_load_async ( +- attachment, (GAsyncReadyCallback) +- e_attachment_load_handle_error, composer); ++ file = e_attachment_ref_file (attachment); ++ if (!file || !g_file_peek_path (file) || ++ !g_file_test (g_file_peek_path (file), G_FILE_TEST_EXISTS) || ++ g_file_test (g_file_peek_path (file), G_FILE_TEST_IS_DIR)) { ++ /* Do nothing, simply ignore the attachment request */ ++ } else { ++ has_attachments++; ++ ++ if (file_is_blacklisted (content)) { ++ has_blacklisted_attachment = TRUE; ++ e_alert_submit ( ++ E_ALERT_SINK (e_msg_composer_get_editor (composer)), ++ "mail:blacklisted-file", ++ content, NULL); ++ } ++ ++ e_attachment_store_add_attachment (store, attachment); ++ e_attachment_load_async ( ++ attachment, (GAsyncReadyCallback) ++ e_attachment_load_handle_error, composer); ++ } + g_object_unref (attachment); ++ g_clear_object (&file); + } else if (!g_ascii_strcasecmp (header, "from")) { + /* Ignore */ + } else if (!g_ascii_strcasecmp (header, "reply-to")) { +@@ -4883,6 +4898,29 @@ handle_mailto (EMsgComposer *composer, + + g_free (buf); + ++ if (has_attachments && !has_blacklisted_attachment) { ++ const gchar *primary; ++ gchar *secondary; ++ ++ primary = g_dngettext (GETTEXT_PACKAGE, ++ "Review attachment before sending.", ++ "Review attachments before sending.", ++ has_attachments); ++ ++ secondary = g_strdup_printf (g_dngettext (GETTEXT_PACKAGE, ++ "There had been added %d attachment. Make sure it does not contain any sensitive information before sending the message.", ++ "There had been added %d attachments. Make sure they do not contain any sensitive information before sending the message.", ++ has_attachments), ++ has_attachments); ++ ++ e_alert_submit ( ++ E_ALERT_SINK (e_msg_composer_get_editor (composer)), ++ "system:generic-warning", ++ primary, secondary, NULL); ++ ++ g_free (secondary); ++ } ++ + merge_always_cc_and_bcc (table, to, &cc, &bcc); + + tov = destination_list_to_vector (to); +diff --git a/src/e-util/e-system.error.xml b/src/e-util/e-system.error.xml +index ddcf989fda..02facb7d26 100644 +--- a/src/e-util/e-system.error.xml ++++ b/src/e-util/e-system.error.xml +@@ -1,6 +1,11 @@ + + +- ++ ++ {0} ++ {1} ++ ++ ++ + {0} + {1} + +-- +GitLab + -- cgit 1.4.1 From e940f6d80193dd70ecd28b93e8d85042aa33a7c8 Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Thu, 11 Mar 2021 02:02:24 +0100 Subject: gnu: libcroco: Fix CVE-2020-12825. * gnu/packages/patches/libcroco-CVE-2020-12825.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/gnome.scm (libcroco/fixed): New variable. Apply patch. (libcroco)[replacement]: Graft. --- gnu/local.mk | 1 + gnu/packages/gnome.scm | 16 ++ gnu/packages/patches/libcroco-CVE-2020-12825.patch | 187 +++++++++++++++++++++ 3 files changed, 204 insertions(+) create mode 100644 gnu/packages/patches/libcroco-CVE-2020-12825.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 9e20260ec3..eae602a01e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1275,6 +1275,7 @@ dist_patch_DATA = \ %D%/packages/patches/libcaca-CVE-2021-3410-pt2.patch \ %D%/packages/patches/libcanberra-sound-theme-freedesktop.patch \ %D%/packages/patches/libcanberra-wayland-crash.patch \ + %D%/packages/patches/libcroco-CVE-2020-12825.patch \ %D%/packages/patches/libcyaml-libyaml-compat.patch \ %D%/packages/patches/libexpected-nofetch.patch \ %D%/packages/patches/libgeotiff-adapt-test-script-for-proj-6.2.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 5ee28eec03..a0796b0115 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -3227,6 +3227,7 @@ the GNOME desktop environment.") (sha256 (base32 "1m110rbj5d2raxcdp4iz0qp172284945awrsbdlq99ksmqsc4zkn")))) + (replacement libcroco/fixed) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config))) @@ -3245,6 +3246,21 @@ XML/CSS rendering engine.") ;; LGPLv2.1-only. (license license:lgpl2.1))) +(define-public libcroco/fixed + (package + (inherit libcroco) + (name "libcroco") + (version "0.6.13") + (source (origin + (method url-fetch) + (uri (string-append "mirror://gnome/sources/" name "/" + (version-major+minor version) "/" + name "-" version ".tar.xz")) + (sha256 + (base32 + "1m110rbj5d2raxcdp4iz0qp172284945awrsbdlq99ksmqsc4zkn")) + (patches (search-patches "libcroco-CVE-2020-12825.patch")))))) + (define-public libgsf (package (name "libgsf") diff --git a/gnu/packages/patches/libcroco-CVE-2020-12825.patch b/gnu/packages/patches/libcroco-CVE-2020-12825.patch new file mode 100644 index 0000000000..35005a6a19 --- /dev/null +++ b/gnu/packages/patches/libcroco-CVE-2020-12825.patch @@ -0,0 +1,187 @@ +From 7b64eb285dd937b34df71c95188301be50dd1409 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Wed, 12 Aug 2020 13:54:15 -0500 +Subject: [PATCH] libcroco: Limit recursion in block and any productions + (CVE-2020-12825) + +If we don't have any limits, we can recurse forever and overflow the +stack. + +This is per https://gitlab.gnome.org/Archive/libcroco/-/issues/8 + +https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1404 +--- + src/st/croco/cr-parser.c | 44 ++++++++++++++++++++++++++-------------- + 1 file changed, 29 insertions(+), 15 deletions(-) + +diff --git a/src/st/croco/cr-parser.c b/src/st/croco/cr-parser.c +index 07f4ed9e8b..8304b75614 100644 +--- a/src/cr-parser.c ++++ b/src/cr-parser.c +@@ -136,6 +136,8 @@ struct _CRParserPriv { + + #define CHARS_TAB_SIZE 12 + ++#define RECURSIVE_CALLERS_LIMIT 100 ++ + /** + * IS_NUM: + *@a_char: the char to test. +@@ -343,9 +345,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this); + + static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this); + +-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this); ++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this, ++ guint n_calls); + +-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this); ++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this, ++ guint n_calls); + + static enum CRStatus cr_parser_parse_value_core (CRParser * a_this); + +@@ -783,7 +787,7 @@ cr_parser_parse_atrule_core (CRParser * a_this) + cr_parser_try_to_skip_spaces_and_comments (a_this); + + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, 0); + } while (status == CR_OK); + + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, +@@ -794,7 +798,7 @@ cr_parser_parse_atrule_core (CRParser * a_this) + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, + token); + token = NULL; +- status = cr_parser_parse_block_core (a_this); ++ status = cr_parser_parse_block_core (a_this, 0); + CHECK_PARSING_STATUS (status, + FALSE); + goto done; +@@ -929,11 +933,11 @@ cr_parser_parse_selector_core (CRParser * a_this) + + RECORD_INITIAL_POS (a_this, &init_pos); + +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, 0); + CHECK_PARSING_STATUS (status, FALSE); + + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, 0); + + } while (status == CR_OK); + +@@ -955,10 +959,12 @@ cr_parser_parse_selector_core (CRParser * a_this) + *in chapter 4.1 of the css2 spec. + *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*; + *@param a_this the current instance of #CRParser. ++ *@param n_calls used to limit recursion depth + *FIXME: code this function. + */ + static enum CRStatus +-cr_parser_parse_block_core (CRParser * a_this) ++cr_parser_parse_block_core (CRParser * a_this, ++ guint n_calls) + { + CRToken *token = NULL; + CRInputPos init_pos; +@@ -966,6 +972,9 @@ cr_parser_parse_block_core (CRParser * a_this) + + g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR); + ++ if (n_calls > RECURSIVE_CALLERS_LIMIT) ++ return CR_ERROR; ++ + RECORD_INITIAL_POS (a_this, &init_pos); + + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token); +@@ -995,13 +1004,13 @@ cr_parser_parse_block_core (CRParser * a_this) + } else if (token->type == CBO_TK) { + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token); + token = NULL; +- status = cr_parser_parse_block_core (a_this); ++ status = cr_parser_parse_block_core (a_this, n_calls + 1); + CHECK_PARSING_STATUS (status, FALSE); + goto parse_block_content; + } else { + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token); + token = NULL; +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, n_calls + 1); + CHECK_PARSING_STATUS (status, FALSE); + goto parse_block_content; + } +@@ -1108,7 +1117,7 @@ cr_parser_parse_value_core (CRParser * a_this) + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, + token); + token = NULL; +- status = cr_parser_parse_block_core (a_this); ++ status = cr_parser_parse_block_core (a_this, 0); + CHECK_PARSING_STATUS (status, FALSE); + ref++; + goto continue_parsing; +@@ -1122,7 +1131,7 @@ cr_parser_parse_value_core (CRParser * a_this) + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, + token); + token = NULL; +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, 0); + if (status == CR_OK) { + ref++; + goto continue_parsing; +@@ -1161,10 +1170,12 @@ cr_parser_parse_value_core (CRParser * a_this) + * | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*; + * + *@param a_this the current instance of #CRParser. ++ *@param n_calls used to limit recursion depth + *@return CR_OK upon successfull completion, an error code otherwise. + */ + static enum CRStatus +-cr_parser_parse_any_core (CRParser * a_this) ++cr_parser_parse_any_core (CRParser * a_this, ++ guint n_calls) + { + CRToken *token1 = NULL, + *token2 = NULL; +@@ -1173,6 +1184,9 @@ cr_parser_parse_any_core (CRParser * a_this) + + g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR); + ++ if (n_calls > RECURSIVE_CALLERS_LIMIT) ++ return CR_ERROR; ++ + RECORD_INITIAL_POS (a_this, &init_pos); + + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1); +@@ -1211,7 +1225,7 @@ cr_parser_parse_any_core (CRParser * a_this) + *We consider parameter as being an "any*" production. + */ + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, n_calls + 1); + } while (status == CR_OK); + + ENSURE_PARSING_COND (status == CR_PARSING_ERROR); +@@ -1236,7 +1250,7 @@ cr_parser_parse_any_core (CRParser * a_this) + } + + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, n_calls + 1); + } while (status == CR_OK); + + ENSURE_PARSING_COND (status == CR_PARSING_ERROR); +@@ -1264,7 +1278,7 @@ cr_parser_parse_any_core (CRParser * a_this) + } + + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, n_calls + 1); + } while (status == CR_OK); + + ENSURE_PARSING_COND (status == CR_PARSING_ERROR); +-- +GitLab + -- cgit 1.4.1 From 1acfda2f949fe61631c7602c865964453ece85e0 Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Thu, 11 Mar 2021 02:32:19 +0100 Subject: gnu: geary: Fix CVE-2020-24661. * gnu/packages/patches/geary-CVE-2020-24661.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/gnome.scm (geary): Apply it. --- gnu/local.mk | 1 + gnu/packages/gnome.scm | 3 +- gnu/packages/patches/geary-CVE-2020-24661.patch | 133 ++++++++++++++++++++++++ 3 files changed, 136 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/geary-CVE-2020-24661.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index eae602a01e..a68981e48d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1057,6 +1057,7 @@ dist_patch_DATA = \ %D%/packages/patches/gd-fix-tests-on-i686.patch \ %D%/packages/patches/gd-brect-bounds.patch \ %D%/packages/patches/gdm-default-session.patch \ + %D%/packages/patches/geary-CVE-2020-24661.patch \ %D%/packages/patches/genimage-signedness.patch \ %D%/packages/patches/geoclue-config.patch \ %D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 50edf9ebd9..d58aa9956b 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -11339,7 +11339,8 @@ these services on the Guix System.") (file-name (git-file-name name version)) (sha256 (base32 - "01cc921kyh3zxz07biqbdzkjgmdcc36kwjyajm4y382a75cl5zg7")))) + "01cc921kyh3zxz07biqbdzkjgmdcc36kwjyajm4y382a75cl5zg7")) + (patches (search-patches "geary-CVE-2020-24661.patch")))) (build-system meson-build-system) (arguments `(#:glib-or-gtk? #t diff --git a/gnu/packages/patches/geary-CVE-2020-24661.patch b/gnu/packages/patches/geary-CVE-2020-24661.patch new file mode 100644 index 0000000000..6cbc224786 --- /dev/null +++ b/gnu/packages/patches/geary-CVE-2020-24661.patch @@ -0,0 +1,133 @@ +From d4e86dc91e1d8a940dc40872fe94ef9ac0fed1b5 Mon Sep 17 00:00:00 2001 +From: Michael Gratton +Date: Tue, 25 Aug 2020 03:54:09 +0000 +Subject: [PATCH] Merge branch 'mjog/866-self-signed-certificates' into + 'mainline' + +Fix invalid certificate pinning when GCR support is unavailable + +Closes #866 + +See merge request GNOME/geary!529 + +(cherry picked from commit 423a55b00f1dc6bee9dc17e67c0aea6f42387a77) + +5088adfe Application.CertificateManager: Rename some methods for clarity +0d957559 Application.CertificateManager: Check locally pinned certs for equality +--- + .../application-certificate-manager.vala | 44 +++++++++---------- + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/src/client/application/application-certificate-manager.vala b/src/client/application/application-certificate-manager.vala +index 4881d73c0..65f6af4fa 100644 +--- a/src/client/application/application-certificate-manager.vala ++++ b/src/client/application/application-certificate-manager.vala +@@ -381,8 +381,8 @@ private class Application.TlsDatabase : GLib.TlsDatabase { + GLib.TlsCertificateFlags ret = this.parent.verify_chain( + chain, purpose, identity, interaction, flags, cancellable + ); +- if (should_verify(ret, purpose, identity) && +- verify(chain, identity, cancellable)) { ++ if (check_pinned(ret, purpose, identity) && ++ is_pinned(chain, identity, cancellable)) { + ret = 0; + } + return ret; +@@ -399,16 +399,16 @@ private class Application.TlsDatabase : GLib.TlsDatabase { + GLib.TlsCertificateFlags ret = yield this.parent.verify_chain_async( + chain, purpose, identity, interaction, flags, cancellable + ); +- if (should_verify(ret, purpose, identity) && +- yield verify_async(chain, identity, cancellable)) { ++ if (check_pinned(ret, purpose, identity) && ++ yield is_pinned_async(chain, identity, cancellable)) { + ret = 0; + } + return ret; + } + +- private inline bool should_verify(GLib.TlsCertificateFlags parent_ret, +- string purpose, +- GLib.SocketConnectable? identity) { ++ private inline bool check_pinned(GLib.TlsCertificateFlags parent_ret, ++ string purpose, ++ GLib.SocketConnectable? identity) { + // If the parent didn't verify, check for a locally pinned + // cert if it looks like we should, but always reject revoked + // certs +@@ -420,22 +420,22 @@ private class Application.TlsDatabase : GLib.TlsDatabase { + ); + } + +- private bool verify(GLib.TlsCertificate chain, +- GLib.SocketConnectable identity, +- GLib.Cancellable? cancellable) ++ private bool is_pinned(GLib.TlsCertificate chain, ++ GLib.SocketConnectable identity, ++ GLib.Cancellable? cancellable) + throws GLib.Error { +- bool is_verified = false; ++ bool is_pinned = false; + string id = to_name(identity); + TrustContext? context = null; + lock (this.pinned_certs) { + context = this.pinned_certs.get(id); + if (context != null) { +- is_verified = true; ++ is_pinned = context.certificate.is_same(chain); + } else { + // Cert not found in memory, check with GCR if + // enabled. + if (this.use_gcr) { +- is_verified = gcr_trust_is_certificate_pinned( ++ is_pinned = gcr_trust_is_certificate_pinned( + new Gcr.SimpleCertificate(chain.certificate.data), + GLib.TlsDatabase.PURPOSE_AUTHENTICATE_SERVER, + id, +@@ -443,7 +443,7 @@ private class Application.TlsDatabase : GLib.TlsDatabase { + ); + } + +- if (!is_verified) { ++ if (!is_pinned) { + // Cert is not pinned in memory or in GCR, so look + // for it on disk. Do this even if GCR support is + // enabled, since if the cert was previously saved +@@ -453,7 +453,7 @@ private class Application.TlsDatabase : GLib.TlsDatabase { + this.store_dir, id, cancellable + ); + this.pinned_certs.set(id, context); +- is_verified = true; ++ is_pinned = context.certificate.is_same(chain); + } catch (GLib.IOError.NOT_FOUND err) { + // Cert was not found saved, so it not pinned + } catch (GLib.Error err) { +@@ -465,18 +465,18 @@ private class Application.TlsDatabase : GLib.TlsDatabase { + } + } + } +- return is_verified; ++ return is_pinned; + } + +- private async bool verify_async(GLib.TlsCertificate chain, +- GLib.SocketConnectable identity, +- GLib.Cancellable? cancellable) ++ private async bool is_pinned_async(GLib.TlsCertificate chain, ++ GLib.SocketConnectable identity, ++ GLib.Cancellable? cancellable) + throws GLib.Error { +- bool is_valid = false; ++ bool pinned = false; + yield Geary.Nonblocking.Concurrent.global.schedule_async(() => { +- is_valid = verify(chain, identity, cancellable); ++ pinned = is_pinned(chain, identity, cancellable); + }, cancellable); +- return is_valid; ++ return pinned; + } + + private TrustContext? lookup_id(string id) { +-- +GitLab + -- cgit 1.4.1 From 21b3b755151028647081fe96d2992b3743531d71 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Thu, 11 Mar 2021 05:34:28 -0500 Subject: gnu: glib: Fix CVE-2021-27218 and CVE-2021-27219. * gnu/packages/patches/glib-CVE-2021-27218.patch, gnu/packages/patches/glib-CVE-2021-27219-01.patch, gnu/packages/patches/glib-CVE-2021-27219-02.patch, gnu/packages/patches/glib-CVE-2021-27219-03.patch, gnu/packages/patches/glib-CVE-2021-27219-04.patch, gnu/packages/patches/glib-CVE-2021-27219-05.patch, gnu/packages/patches/glib-CVE-2021-27219-06.patch, gnu/packages/patches/glib-CVE-2021-27219-07.patch, gnu/packages/patches/glib-CVE-2021-27219-08.patch, gnu/packages/patches/glib-CVE-2021-27219-09.patch, gnu/packages/patches/glib-CVE-2021-27219-10.patch, gnu/packages/patches/glib-CVE-2021-27219-11.patch, gnu/packages/patches/glib-CVE-2021-27219-12.patch, gnu/packages/patches/glib-CVE-2021-27219-13.patch, gnu/packages/patches/glib-CVE-2021-27219-14.patch, gnu/packages/patches/glib-CVE-2021-27219-15.patch, gnu/packages/patches/glib-CVE-2021-27219-16.patch, gnu/packages/patches/glib-CVE-2021-27219-17.patch, gnu/packages/patches/glib-CVE-2021-27219-18.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/glib.scm (glib)[replacement]: New field. (glib/fixed): New variable. --- gnu/local.mk | 21 +- gnu/packages/glib.scm | 30 ++- gnu/packages/patches/glib-CVE-2021-27218.patch | 132 ++++++++++ gnu/packages/patches/glib-CVE-2021-27219-01.patch | 176 +++++++++++++ gnu/packages/patches/glib-CVE-2021-27219-02.patch | 264 +++++++++++++++++++ gnu/packages/patches/glib-CVE-2021-27219-03.patch | 136 ++++++++++ gnu/packages/patches/glib-CVE-2021-27219-04.patch | 308 ++++++++++++++++++++++ gnu/packages/patches/glib-CVE-2021-27219-05.patch | 47 ++++ gnu/packages/patches/glib-CVE-2021-27219-06.patch | 94 +++++++ gnu/packages/patches/glib-CVE-2021-27219-07.patch | 118 +++++++++ gnu/packages/patches/glib-CVE-2021-27219-08.patch | 94 +++++++ gnu/packages/patches/glib-CVE-2021-27219-09.patch | 98 +++++++ gnu/packages/patches/glib-CVE-2021-27219-10.patch | 52 ++++ gnu/packages/patches/glib-CVE-2021-27219-11.patch | 57 ++++ gnu/packages/patches/glib-CVE-2021-27219-12.patch | 30 +++ gnu/packages/patches/glib-CVE-2021-27219-13.patch | 32 +++ gnu/packages/patches/glib-CVE-2021-27219-14.patch | 32 +++ gnu/packages/patches/glib-CVE-2021-27219-15.patch | 95 +++++++ gnu/packages/patches/glib-CVE-2021-27219-16.patch | 43 +++ gnu/packages/patches/glib-CVE-2021-27219-17.patch | 37 +++ gnu/packages/patches/glib-CVE-2021-27219-18.patch | 232 ++++++++++++++++ 21 files changed, 2126 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/glib-CVE-2021-27218.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-01.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-02.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-03.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-04.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-05.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-06.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-07.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-08.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-09.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-10.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-11.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-12.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-13.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-14.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-15.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-16.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-17.patch create mode 100644 gnu/packages/patches/glib-CVE-2021-27219-18.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index a68981e48d..c2637926ee 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -2,7 +2,7 @@ # Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès # Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Andreas Enge # Copyright © 2016 Mathieu Lirzin -# Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Mark H Weaver +# Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Mark H Weaver # Copyright © 2016 Chris Marusich # Copyright © 2016, 2017, 2018 Kei Kebreau # Copyright © 2016, 2017 Rene Saavedra @@ -1076,6 +1076,25 @@ dist_patch_DATA = \ %D%/packages/patches/ghostscript-no-header-creationdate.patch \ %D%/packages/patches/glib-appinfo-watch.patch \ %D%/packages/patches/glib-tests-timer.patch \ + %D%/packages/patches/glib-CVE-2021-27218.patch \ + %D%/packages/patches/glib-CVE-2021-27219-01.patch \ + %D%/packages/patches/glib-CVE-2021-27219-02.patch \ + %D%/packages/patches/glib-CVE-2021-27219-03.patch \ + %D%/packages/patches/glib-CVE-2021-27219-04.patch \ + %D%/packages/patches/glib-CVE-2021-27219-05.patch \ + %D%/packages/patches/glib-CVE-2021-27219-06.patch \ + %D%/packages/patches/glib-CVE-2021-27219-07.patch \ + %D%/packages/patches/glib-CVE-2021-27219-08.patch \ + %D%/packages/patches/glib-CVE-2021-27219-09.patch \ + %D%/packages/patches/glib-CVE-2021-27219-10.patch \ + %D%/packages/patches/glib-CVE-2021-27219-11.patch \ + %D%/packages/patches/glib-CVE-2021-27219-12.patch \ + %D%/packages/patches/glib-CVE-2021-27219-13.patch \ + %D%/packages/patches/glib-CVE-2021-27219-14.patch \ + %D%/packages/patches/glib-CVE-2021-27219-15.patch \ + %D%/packages/patches/glib-CVE-2021-27219-16.patch \ + %D%/packages/patches/glib-CVE-2021-27219-17.patch \ + %D%/packages/patches/glib-CVE-2021-27219-18.patch \ %D%/packages/patches/glibc-CVE-2018-11236.patch \ %D%/packages/patches/glibc-CVE-2018-11237.patch \ %D%/packages/patches/glibc-CVE-2019-7309.patch \ diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm index 9cc2b1b69e..520b723722 100644 --- a/gnu/packages/glib.scm +++ b/gnu/packages/glib.scm @@ -2,7 +2,7 @@ ;;; Copyright © 2013, 2014, 2015, 2016, 2019, 2020 Ludovic Courtès ;;; Copyright © 2013, 2015 Andreas Enge ;;; Copyright © 2013 Nikita Karetnikov -;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver +;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2021 Mark H Weaver ;;; Copyright © 2016, 2020 Efraim Flashner ;;; Copyright © 2016 Lukas Gradl ;;; Copyright © 2017, 2018, 2019 Ricardo Wurmus @@ -172,6 +172,7 @@ shared NFS home directories.") (package (name "glib") (version "2.62.6") + (replacement glib/fixed) (source (origin (method url-fetch) (uri (string-append "mirror://gnome/sources/" @@ -390,6 +391,33 @@ dynamic loading, and an object system.") (home-page "https://developer.gnome.org/glib/") (license license:lgpl2.1+))) +(define glib/fixed + (package + (inherit glib) + (source (origin + (inherit (package-source glib)) + (patches + (append (search-patches "glib-CVE-2021-27218.patch" + "glib-CVE-2021-27219-01.patch" + "glib-CVE-2021-27219-02.patch" + "glib-CVE-2021-27219-03.patch" + "glib-CVE-2021-27219-04.patch" + "glib-CVE-2021-27219-05.patch" + "glib-CVE-2021-27219-06.patch" + "glib-CVE-2021-27219-07.patch" + "glib-CVE-2021-27219-08.patch" + "glib-CVE-2021-27219-09.patch" + "glib-CVE-2021-27219-10.patch" + "glib-CVE-2021-27219-11.patch" + "glib-CVE-2021-27219-12.patch" + "glib-CVE-2021-27219-13.patch" + "glib-CVE-2021-27219-14.patch" + "glib-CVE-2021-27219-15.patch" + "glib-CVE-2021-27219-16.patch" + "glib-CVE-2021-27219-17.patch" + "glib-CVE-2021-27219-18.patch") + (origin-patches (package-source glib)))))))) + (define-public glib-with-documentation ;; glib's doc must be built in a separate package since it requires gtk-doc, ;; which in turn depends on glib. diff --git a/gnu/packages/patches/glib-CVE-2021-27218.patch b/gnu/packages/patches/glib-CVE-2021-27218.patch new file mode 100644 index 0000000000..00fa5ebf79 --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27218.patch @@ -0,0 +1,132 @@ +Backport of: + +From 0f384c88a241bbbd884487b1c40b7b75f1e638d3 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Wed, 10 Feb 2021 23:51:07 +0100 +Subject: [PATCH] gbytearray: Do not accept too large byte arrays + +GByteArray uses guint for storing the length of the byte array, but it +also has a constructor (g_byte_array_new_take) that takes length as a +gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits +for guint). It is possible to call the function with a value greater +than G_MAXUINT, which will result in silent length truncation. This +may happen as a result of unreffing GBytes into GByteArray, so rather +be loud about it. + +(Test case tweaked by Philip Withnall.) + +(Backport 2.66: Add #include gstrfuncsprivate.h in the test case for +`g_memdup2()`.) +--- + glib/garray.c | 6 ++++++ + glib/gbytes.c | 4 ++++ + glib/tests/bytes.c | 35 ++++++++++++++++++++++++++++++++++- + 3 files changed, 44 insertions(+), 1 deletion(-) + +diff --git a/glib/garray.c b/glib/garray.c +index 942e74c9f..fb1a42aaf 100644 +--- a/glib/garray.c ++++ b/glib/garray.c +@@ -2013,6 +2013,10 @@ g_byte_array_new (void) + * Create byte array containing the data. The data will be owned by the array + * and will be freed with g_free(), i.e. it could be allocated using g_strdup(). + * ++ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray ++ * stores the length of its data in #guint, which may be shorter than ++ * #gsize. ++ * + * Since: 2.32 + * + * Returns: (transfer full): a new #GByteArray +@@ -2024,6 +2028,8 @@ g_byte_array_new_take (guint8 *data, + GByteArray *array; + GRealArray *real; + ++ g_return_val_if_fail (len <= G_MAXUINT, NULL); ++ + array = g_byte_array_new (); + real = (GRealArray *)array; + g_assert (real->data == NULL); +diff --git a/glib/gbytes.c b/glib/gbytes.c +index 7b72886e5..d56abe6c3 100644 +--- a/glib/gbytes.c ++++ b/glib/gbytes.c +@@ -519,6 +519,10 @@ g_bytes_unref_to_data (GBytes *bytes, + * g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all + * other cases the data is copied. + * ++ * Do not use it if @bytes contains more than %G_MAXUINT ++ * bytes. #GByteArray stores the length of its data in #guint, which ++ * may be shorter than #gsize, that @bytes is using. ++ * + * Returns: (transfer full): a new mutable #GByteArray containing the same byte data + * + * Since: 2.32 +diff --git a/glib/tests/bytes.c b/glib/tests/bytes.c +index 5ea5c2b35..15a6aaad6 100644 +--- a/glib/tests/bytes.c ++++ b/glib/tests/bytes.c +@@ -10,12 +10,12 @@ + */ + + #undef G_DISABLE_ASSERT +-#undef G_LOG_DOMAIN + + #include + #include + #include + #include "glib.h" ++#include "glib/gstrfuncsprivate.h" + + /* Keep in sync with glib/gbytes.c */ + struct _GBytes +@@ -333,6 +333,38 @@ test_to_array_transferred (void) + g_byte_array_unref (array); + } + ++static void ++test_to_array_transferred_oversize (void) ++{ ++ g_test_message ("g_bytes_unref_to_array() can only take GBytes up to " ++ "G_MAXUINT in length; test that longer ones are rejected"); ++ ++ if (sizeof (guint) >= sizeof (gsize)) ++ { ++ g_test_skip ("Skipping test as guint is not smaller than gsize"); ++ } ++ else if (g_test_undefined ()) ++ { ++ GByteArray *array = NULL; ++ GBytes *bytes = NULL; ++ gpointer data = g_memdup2 (NYAN, N_NYAN); ++ gsize len = ((gsize) G_MAXUINT) + 1; ++ ++ bytes = g_bytes_new_take (data, len); ++ g_test_expect_message (G_LOG_DOMAIN, G_LOG_LEVEL_CRITICAL, ++ "g_byte_array_new_take: assertion 'len <= G_MAXUINT' failed"); ++ array = g_bytes_unref_to_array (g_steal_pointer (&bytes)); ++ g_test_assert_expected_messages (); ++ g_assert_null (array); ++ ++ g_free (data); ++ } ++ else ++ { ++ g_test_skip ("Skipping test as testing undefined behaviour is disabled"); ++ } ++} ++ + static void + test_to_array_two_refs (void) + { +@@ -410,6 +442,7 @@ main (int argc, char *argv[]) + g_test_add_func ("/bytes/to-array/transfered", test_to_array_transferred); + g_test_add_func ("/bytes/to-array/two-refs", test_to_array_two_refs); + g_test_add_func ("/bytes/to-array/non-malloc", test_to_array_non_malloc); ++ g_test_add_func ("/bytes/to-array/transferred/oversize", test_to_array_transferred_oversize); + g_test_add_func ("/bytes/null", test_null); + + return g_test_run (); +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-01.patch b/gnu/packages/patches/glib-CVE-2021-27219-01.patch new file mode 100644 index 0000000000..5db360d468 --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-01.patch @@ -0,0 +1,176 @@ +Backport of: + +From 5e5f75a77e399c638be66d74e5daa8caeb433e00 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:30:52 +0000 +Subject: [PATCH 01/11] gstrfuncs: Add internal g_memdup2() function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This will replace the existing `g_memdup()` function for use within +GLib. It has an unavoidable security flaw of taking its `byte_size` +argument as a `guint` rather than as a `gsize`. Most callers will +expect it to be a `gsize`, and may pass in large values which could +silently be truncated, resulting in an undersize allocation compared +to what the caller expects. + +This could lead to a classic buffer overflow vulnerability for many +callers of `g_memdup()`. + +`g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`. + +Spotted by Kevin Backhouse of GHSL. + +In GLib 2.68, `g_memdup2()` will be a new public API. In this version +for backport to older stable releases, it’s a new `static inline` API +in a private header, so that use of `g_memdup()` within GLib can be +fixed without adding a new API in a stable release series. + +Signed-off-by: Philip Withnall +Helps: GHSL-2021-045 +Helps: #2319 +--- + docs/reference/glib/meson.build | 1 + + glib/gstrfuncsprivate.h | 55 +++++++++++++++++++++++++++++++++ + glib/meson.build | 1 + + glib/tests/strfuncs.c | 23 ++++++++++++++ + 4 files changed, 80 insertions(+) + create mode 100644 glib/gstrfuncsprivate.h + +diff --git a/docs/reference/glib/meson.build b/docs/reference/glib/meson.build +index bba7649f0..ee39f6d04 100644 +--- a/docs/reference/glib/meson.build ++++ b/docs/reference/glib/meson.build +@@ -22,6 +22,7 @@ if get_option('gtk_doc') + 'gprintfint.h', + 'gmirroringtable.h', + 'gscripttable.h', ++ 'gstrfuncsprivate.h', + 'glib-mirroring-tab', + 'gnulib', + 'pcre', +diff --git a/glib/gstrfuncsprivate.h b/glib/gstrfuncsprivate.h +new file mode 100644 +index 000000000..85c88328a +--- /dev/null ++++ b/glib/gstrfuncsprivate.h +@@ -0,0 +1,55 @@ ++/* GLIB - Library of useful routines for C programming ++ * Copyright (C) 1995-1997 Peter Mattis, Spencer Kimball and Josh MacDonald ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, see . ++ */ ++ ++#include ++#include ++ ++/* ++ * g_memdup2: ++ * @mem: (nullable): the memory to copy. ++ * @byte_size: the number of bytes to copy. ++ * ++ * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it ++ * from @mem. If @mem is %NULL it returns %NULL. ++ * ++ * This replaces g_memdup(), which was prone to integer overflows when ++ * converting the argument from a #gsize to a #guint. ++ * ++ * This static inline version is a backport of the new public API from ++ * GLib 2.68, kept internal to GLib for backport to older stable releases. ++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319. ++ * ++ * Returns: (nullable): a pointer to the newly-allocated copy of the memory, ++ * or %NULL if @mem is %NULL. ++ * Since: 2.68 ++ */ ++static inline gpointer ++g_memdup2 (gconstpointer mem, ++ gsize byte_size) ++{ ++ gpointer new_mem; ++ ++ if (mem && byte_size != 0) ++ { ++ new_mem = g_malloc (byte_size); ++ memcpy (new_mem, mem, byte_size); ++ } ++ else ++ new_mem = NULL; ++ ++ return new_mem; ++} +diff --git a/glib/meson.build b/glib/meson.build +index aaf5f00f5..5a6eea397 100644 +--- a/glib/meson.build ++++ b/glib/meson.build +@@ -268,6 +268,7 @@ glib_sources = files( + 'gslist.c', + 'gstdio.c', + 'gstrfuncs.c', ++ 'gstrfuncsprivate.h', + 'gstring.c', + 'gstringchunk.c', + 'gtestutils.c', +diff --git a/glib/tests/strfuncs.c b/glib/tests/strfuncs.c +index e1f9619c7..d968afff9 100644 +--- a/glib/tests/strfuncs.c ++++ b/glib/tests/strfuncs.c +@@ -32,6 +32,8 @@ + #include + #include "glib.h" + ++#include "gstrfuncsprivate.h" ++ + #if defined (_MSC_VER) && (_MSC_VER <= 1800) + #define isnan(x) _isnan(x) + +@@ -219,6 +221,26 @@ test_memdup (void) + g_free (str_dup); + } + ++/* Testing g_memdup2() function with various positive and negative cases */ ++static void ++test_memdup2 (void) ++{ ++ gchar *str_dup = NULL; ++ const gchar *str = "The quick brown fox jumps over the lazy dog"; ++ ++ /* Testing negative cases */ ++ g_assert_null (g_memdup2 (NULL, 1024)); ++ g_assert_null (g_memdup2 (str, 0)); ++ g_assert_null (g_memdup2 (NULL, 0)); ++ ++ /* Testing normal usage cases */ ++ str_dup = g_memdup2 (str, strlen (str) + 1); ++ g_assert_nonnull (str_dup); ++ g_assert_cmpstr (str, ==, str_dup); ++ ++ g_free (str_dup); ++} ++ + /* Testing g_strpcpy() function with various positive and negative cases */ + static void + test_stpcpy (void) +@@ -2523,6 +2545,7 @@ main (int argc, + g_test_add_func ("/strfuncs/has-prefix", test_has_prefix); + g_test_add_func ("/strfuncs/has-suffix", test_has_suffix); + g_test_add_func ("/strfuncs/memdup", test_memdup); ++ g_test_add_func ("/strfuncs/memdup2", test_memdup2); + g_test_add_func ("/strfuncs/stpcpy", test_stpcpy); + g_test_add_func ("/strfuncs/str_match_string", test_str_match_string); + g_test_add_func ("/strfuncs/str_tokenize_and_fold", test_str_tokenize_and_fold); +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-02.patch b/gnu/packages/patches/glib-CVE-2021-27219-02.patch new file mode 100644 index 0000000000..431959fa8f --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-02.patch @@ -0,0 +1,264 @@ +Backport of: + +From be8834340a2d928ece82025463ae23dee2c333d0 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:37:56 +0000 +Subject: [PATCH 02/11] gio: Use g_memdup2() instead of g_memdup() in obvious + places +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Convert all the call sites which use `g_memdup()`’s length argument +trivially (for example, by passing a `sizeof()`), so that they use +`g_memdup2()` instead. + +In almost all of these cases the use of `g_memdup()` would not have +caused problems, but it will soon be deprecated, so best port away from +it. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gio/gdbusconnection.c | 5 +++-- + gio/gdbusinterfaceskeleton.c | 3 ++- + gio/gfile.c | 7 ++++--- + gio/gsettingsschema.c | 5 +++-- + gio/gwin32registrykey.c | 8 +++++--- + gio/tests/async-close-output-stream.c | 6 ++++-- + gio/tests/gdbus-export.c | 5 +++-- + gio/win32/gwinhttpfile.c | 9 +++++---- + 8 files changed, 29 insertions(+), 19 deletions(-) + +diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c +index f1f0921d4..d56453486 100644 +--- a/gio/gdbusconnection.c ++++ b/gio/gdbusconnection.c +@@ -110,6 +110,7 @@ + #include "gasyncinitable.h" + #include "giostream.h" + #include "gasyncresult.h" ++#include "gstrfuncsprivate.h" + #include "gtask.h" + #include "gmarshal-internal.h" + +@@ -3997,7 +3998,7 @@ _g_dbus_interface_vtable_copy (const GDBusInterfaceVTable *vtable) + /* Don't waste memory by copying padding - remember to update this + * when changing struct _GDBusInterfaceVTable in gdbusconnection.h + */ +- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer)); ++ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer)); + } + + static void +@@ -4014,7 +4015,7 @@ _g_dbus_subtree_vtable_copy (const GDBusSubtreeVTable *vtable) + /* Don't waste memory by copying padding - remember to update this + * when changing struct _GDBusSubtreeVTable in gdbusconnection.h + */ +- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer)); ++ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer)); + } + + static void +diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c +index 4a06516c1..4a4b719a5 100644 +--- a/gio/gdbusinterfaceskeleton.c ++++ b/gio/gdbusinterfaceskeleton.c +@@ -28,6 +28,7 @@ + #include "gdbusmethodinvocation.h" + #include "gdbusconnection.h" + #include "gmarshal-internal.h" ++#include "gstrfuncsprivate.h" + #include "gtask.h" + #include "gioerror.h" + +@@ -701,7 +702,7 @@ add_connection_locked (GDBusInterfaceSkeleton *interface_, + * properly before building the hooked_vtable, so we create it + * once at the last minute. + */ +- interface_->priv->hooked_vtable = g_memdup (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable)); ++ interface_->priv->hooked_vtable = g_memdup2 (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable)); + interface_->priv->hooked_vtable->method_call = skeleton_intercept_handle_method_call; + } + +diff --git a/gio/gfile.c b/gio/gfile.c +index ba93f7c75..88b341e7d 100644 +--- a/gio/gfile.c ++++ b/gio/gfile.c +@@ -60,6 +60,7 @@ + #include "gasyncresult.h" + #include "gioerror.h" + #include "glibintl.h" ++#include "gstrfuncsprivate.h" + + + /** +@@ -7884,7 +7885,7 @@ measure_disk_usage_progress (gboolean reporting, + g_main_context_invoke_full (g_task_get_context (task), + g_task_get_priority (task), + measure_disk_usage_invoke_progress, +- g_memdup (&progress, sizeof progress), ++ g_memdup2 (&progress, sizeof progress), + g_free); + } + +@@ -7902,7 +7903,7 @@ measure_disk_usage_thread (GTask *task, + data->progress_callback ? measure_disk_usage_progress : NULL, task, + &result.disk_usage, &result.num_dirs, &result.num_files, + &error)) +- g_task_return_pointer (task, g_memdup (&result, sizeof result), g_free); ++ g_task_return_pointer (task, g_memdup2 (&result, sizeof result), g_free); + else + g_task_return_error (task, error); + } +@@ -7926,7 +7927,7 @@ g_file_real_measure_disk_usage_async (GFile *file, + + task = g_task_new (file, cancellable, callback, user_data); + g_task_set_source_tag (task, g_file_real_measure_disk_usage_async); +- g_task_set_task_data (task, g_memdup (&data, sizeof data), g_free); ++ g_task_set_task_data (task, g_memdup2 (&data, sizeof data), g_free); + g_task_set_priority (task, io_priority); + + g_task_run_in_thread (task, measure_disk_usage_thread); +diff --git a/gio/gsettingsschema.c b/gio/gsettingsschema.c +index 3a60b8c64..dded9b1ca 100644 +--- a/gio/gsettingsschema.c ++++ b/gio/gsettingsschema.c +@@ -20,6 +20,7 @@ + + #include "gsettingsschema-internal.h" + #include "gsettings.h" ++#include "gstrfuncsprivate.h" + + #include "gvdb/gvdb-reader.h" + #include "strinfo.c" +@@ -1058,9 +1059,9 @@ g_settings_schema_list_children (GSettingsSchema *schema) + + if (g_str_has_suffix (key, "/")) + { +- gint length = strlen (key); ++ gsize length = strlen (key); + +- strv[j] = g_memdup (key, length); ++ strv[j] = g_memdup2 (key, length); + strv[j][length - 1] = '\0'; + j++; + } +diff --git a/gio/gwin32registrykey.c b/gio/gwin32registrykey.c +index c19fede4e..619fd48af 100644 +--- a/gio/gwin32registrykey.c ++++ b/gio/gwin32registrykey.c +@@ -28,6 +28,8 @@ + #include + #include + ++#include "gstrfuncsprivate.h" ++ + #ifndef _WDMDDK_ + typedef enum _KEY_INFORMATION_CLASS { + KeyBasicInformation, +@@ -247,7 +249,7 @@ g_win32_registry_value_iter_copy (const GWin32RegistryValueIter *iter) + new_iter->value_name_size = iter->value_name_size; + + if (iter->value_data != NULL) +- new_iter->value_data = g_memdup (iter->value_data, iter->value_data_size); ++ new_iter->value_data = g_memdup2 (iter->value_data, iter->value_data_size); + + new_iter->value_data_size = iter->value_data_size; + +@@ -268,8 +270,8 @@ g_win32_registry_value_iter_copy (const GWin32RegistryValueIter *iter) + new_iter->value_data_expanded_charsize = iter->value_data_expanded_charsize; + + if (iter->value_data_expanded_u8 != NULL) +- new_iter->value_data_expanded_u8 = g_memdup (iter->value_data_expanded_u8, +- iter->value_data_expanded_charsize); ++ new_iter->value_data_expanded_u8 = g_memdup2 (iter->value_data_expanded_u8, ++ iter->value_data_expanded_charsize); + + new_iter->value_data_expanded_u8_size = iter->value_data_expanded_charsize; + +diff --git a/gio/tests/async-close-output-stream.c b/gio/tests/async-close-output-stream.c +index 5f6620275..d3f97a119 100644 +--- a/gio/tests/async-close-output-stream.c ++++ b/gio/tests/async-close-output-stream.c +@@ -24,6 +24,8 @@ + #include + #include + ++#include "gstrfuncsprivate.h" ++ + #define DATA_TO_WRITE "Hello world\n" + + typedef struct +@@ -147,9 +149,9 @@ prepare_data (SetupData *data, + + data->expected_size = g_memory_output_stream_get_data_size (G_MEMORY_OUTPUT_STREAM (data->data_stream)); + +- g_assert_cmpint (data->expected_size, >, 0); ++ g_assert_cmpuint (data->expected_size, >, 0); + +- data->expected_output = g_memdup (written, (guint)data->expected_size); ++ data->expected_output = g_memdup2 (written, data->expected_size); + + /* then recreate the streams and prepare them for the asynchronous close */ + destroy_streams (data); +diff --git a/gio/tests/gdbus-export.c b/gio/tests/gdbus-export.c +index 506c7458a..5513306f8 100644 +--- a/gio/tests/gdbus-export.c ++++ b/gio/tests/gdbus-export.c +@@ -23,6 +23,7 @@ + #include + + #include "gdbus-tests.h" ++#include "gstrfuncsprivate.h" + + /* all tests rely on a shared mainloop */ + static GMainLoop *loop = NULL; +@@ -671,7 +672,7 @@ subtree_introspect (GDBusConnection *connection, + g_assert_not_reached (); + } + +- return g_memdup (interfaces, 2 * sizeof (void *)); ++ return g_memdup2 (interfaces, 2 * sizeof (void *)); + } + + static const GDBusInterfaceVTable * +@@ -727,7 +728,7 @@ dynamic_subtree_introspect (GDBusConnection *connection, + { + const GDBusInterfaceInfo *interfaces[2] = { &dyna_interface_info, NULL }; + +- return g_memdup (interfaces, 2 * sizeof (void *)); ++ return g_memdup2 (interfaces, 2 * sizeof (void *)); + } + + static const GDBusInterfaceVTable * +diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c +index cf5eed31d..040ee8564 100644 +--- a/gio/win32/gwinhttpfile.c ++++ b/gio/win32/gwinhttpfile.c +@@ -29,6 +29,7 @@ + #include "gio/gfile.h" + #include "gio/gfileattribute.h" + #include "gio/gfileinfo.h" ++#include "gstrfuncsprivate.h" + #include "gwinhttpfile.h" + #include "gwinhttpfileinputstream.h" + #include "gwinhttpfileoutputstream.h" +@@ -393,10 +394,10 @@ g_winhttp_file_resolve_relative_path (GFile *file, + child = g_object_new (G_TYPE_WINHTTP_FILE, NULL); + child->vfs = winhttp_file->vfs; + child->url = winhttp_file->url; +- child->url.lpszScheme = g_memdup (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); +- child->url.lpszHostName = g_memdup (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); +- child->url.lpszUserName = g_memdup (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); +- child->url.lpszPassword = g_memdup (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); ++ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); ++ child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); ++ child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); ++ child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); + child->url.lpszUrlPath = wnew_path; + child->url.dwUrlPathLength = wcslen (wnew_path); + child->url.lpszExtraInfo = NULL; +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-03.patch b/gnu/packages/patches/glib-CVE-2021-27219-03.patch new file mode 100644 index 0000000000..99e849c43c --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-03.patch @@ -0,0 +1,136 @@ +From 6110caea45b235420b98cd41d845cc92238f6781 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:39:25 +0000 +Subject: [PATCH 03/11] gobject: Use g_memdup2() instead of g_memdup() in + obvious places +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Convert all the call sites which use `g_memdup()`’s length argument +trivially (for example, by passing a `sizeof()`), so that they use +`g_memdup2()` instead. + +In almost all of these cases the use of `g_memdup()` would not have +caused problems, but it will soon be deprecated, so best port away from +it. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gobject/gsignal.c | 3 ++- + gobject/gtype.c | 9 +++++---- + gobject/gtypemodule.c | 3 ++- + gobject/tests/param.c | 4 +++- + 4 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/gobject/gsignal.c b/gobject/gsignal.c +index 77d8f211e..41c54ab57 100644 +--- a/gobject/gsignal.c ++++ b/gobject/gsignal.c +@@ -28,6 +28,7 @@ + #include + + #include "gsignal.h" ++#include "gstrfuncsprivate.h" + #include "gtype-private.h" + #include "gbsearcharray.h" + #include "gvaluecollector.h" +@@ -1730,7 +1731,7 @@ g_signal_newv (const gchar *signal_name, + node->single_va_closure_is_valid = FALSE; + node->flags = signal_flags & G_SIGNAL_FLAGS_MASK; + node->n_params = n_params; +- node->param_types = g_memdup (param_types, sizeof (GType) * n_params); ++ node->param_types = g_memdup2 (param_types, sizeof (GType) * n_params); + node->return_type = return_type; + node->class_closure_bsa = NULL; + if (accumulator) +diff --git a/gobject/gtype.c b/gobject/gtype.c +index 7d3789400..8441b90e9 100644 +--- a/gobject/gtype.c ++++ b/gobject/gtype.c +@@ -33,6 +33,7 @@ + + #include "glib-private.h" + #include "gconstructor.h" ++#include "gstrfuncsprivate.h" + + #ifdef G_OS_WIN32 + #include +@@ -1470,7 +1471,7 @@ type_add_interface_Wm (TypeNode *node, + iholder->next = iface_node_get_holders_L (iface); + iface_node_set_holders_W (iface, iholder); + iholder->instance_type = NODE_TYPE (node); +- iholder->info = info ? g_memdup (info, sizeof (*info)) : NULL; ++ iholder->info = info ? g_memdup2 (info, sizeof (*info)) : NULL; + iholder->plugin = plugin; + + /* create an iface entry for this type */ +@@ -1731,7 +1732,7 @@ type_iface_retrieve_holder_info_Wm (TypeNode *iface, + INVALID_RECURSION ("g_type_plugin_*", iholder->plugin, NODE_NAME (iface)); + + check_interface_info_I (iface, instance_type, &tmp_info); +- iholder->info = g_memdup (&tmp_info, sizeof (tmp_info)); ++ iholder->info = g_memdup2 (&tmp_info, sizeof (tmp_info)); + } + + return iholder; /* we don't modify write lock upon returning NULL */ +@@ -2016,10 +2017,10 @@ type_iface_vtable_base_init_Wm (TypeNode *iface, + IFaceEntry *pentry = type_lookup_iface_entry_L (pnode, iface); + + if (pentry) +- vtable = g_memdup (pentry->vtable, iface->data->iface.vtable_size); ++ vtable = g_memdup2 (pentry->vtable, iface->data->iface.vtable_size); + } + if (!vtable) +- vtable = g_memdup (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size); ++ vtable = g_memdup2 (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size); + entry->vtable = vtable; + vtable->g_type = NODE_TYPE (iface); + vtable->g_instance_type = NODE_TYPE (node); +diff --git a/gobject/gtypemodule.c b/gobject/gtypemodule.c +index 4ecaf8c88..20911fafd 100644 +--- a/gobject/gtypemodule.c ++++ b/gobject/gtypemodule.c +@@ -19,6 +19,7 @@ + + #include + ++#include "gstrfuncsprivate.h" + #include "gtypeplugin.h" + #include "gtypemodule.h" + +@@ -436,7 +437,7 @@ g_type_module_register_type (GTypeModule *module, + module_type_info->loaded = TRUE; + module_type_info->info = *type_info; + if (type_info->value_table) +- module_type_info->info.value_table = g_memdup (type_info->value_table, ++ module_type_info->info.value_table = g_memdup2 (type_info->value_table, + sizeof (GTypeValueTable)); + + return module_type_info->type; +diff --git a/gobject/tests/param.c b/gobject/tests/param.c +index 758289bf8..971cff162 100644 +--- a/gobject/tests/param.c ++++ b/gobject/tests/param.c +@@ -2,6 +2,8 @@ + #include + #include + ++#include "gstrfuncsprivate.h" ++ + static void + test_param_value (void) + { +@@ -851,7 +853,7 @@ main (int argc, char *argv[]) + test_path = g_strdup_printf ("/param/implement/subprocess/%d-%d-%d-%d", + data.change_this_flag, data.change_this_type, + data.use_this_flag, data.use_this_type); +- test_data = g_memdup (&data, sizeof (TestParamImplementData)); ++ test_data = g_memdup2 (&data, sizeof (TestParamImplementData)); + g_test_add_data_func_full (test_path, test_data, test_param_implement_child, g_free); + g_free (test_path); + } +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-04.patch b/gnu/packages/patches/glib-CVE-2021-27219-04.patch new file mode 100644 index 0000000000..3ae01f34b1 --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-04.patch @@ -0,0 +1,308 @@ +Backport of: + +From 0736b7c1e7cf4232c5d7eb2b0fbfe9be81bd3baa Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:41:21 +0000 +Subject: [PATCH 04/11] glib: Use g_memdup2() instead of g_memdup() in obvious + places +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Convert all the call sites which use `g_memdup()`’s length argument +trivially (for example, by passing a `sizeof()` or an existing `gsize` +variable), so that they use `g_memdup2()` instead. + +In almost all of these cases the use of `g_memdup()` would not have +caused problems, but it will soon be deprecated, so best port away from +it + +In particular, this fixes an overflow within `g_bytes_new()`, identified +as GHSL-2021-045 by GHSL team member Kevin Backhouse. + +Signed-off-by: Philip Withnall +Fixes: GHSL-2021-045 +Helps: #2319 +--- + glib/gbytes.c | 6 ++++-- + glib/gdir.c | 3 ++- + glib/ghash.c | 7 ++++--- + glib/giochannel.c | 3 ++- + glib/gslice.c | 3 ++- + glib/gtestutils.c | 3 ++- + glib/gvariant.c | 7 ++++--- + glib/gvarianttype.c | 3 ++- + glib/tests/array-test.c | 4 +++- + glib/tests/option-context.c | 6 ++++-- + 10 files changed, 29 insertions(+), 16 deletions(-) + +diff --git a/glib/gbytes.c b/glib/gbytes.c +index d56abe6c3..dee494820 100644 +--- a/glib/gbytes.c ++++ b/glib/gbytes.c +@@ -34,6 +34,8 @@ + + #include + ++#include "gstrfuncsprivate.h" ++ + /** + * GBytes: + * +@@ -95,7 +97,7 @@ g_bytes_new (gconstpointer data, + { + g_return_val_if_fail (data != NULL || size == 0, NULL); + +- return g_bytes_new_take (g_memdup (data, size), size); ++ return g_bytes_new_take (g_memdup2 (data, size), size); + } + + /** +@@ -499,7 +501,7 @@ g_bytes_unref_to_data (GBytes *bytes, + * Copy: Non g_malloc (or compatible) allocator, or static memory, + * so we have to copy, and then unref. + */ +- result = g_memdup (bytes->data, bytes->size); ++ result = g_memdup2 (bytes->data, bytes->size); + *size = bytes->size; + g_bytes_unref (bytes); + } +diff --git a/glib/gdir.c b/glib/gdir.c +index 6b85e99c8..6747a8c6f 100644 +--- a/glib/gdir.c ++++ b/glib/gdir.c +@@ -37,6 +37,7 @@ + #include "gconvert.h" + #include "gfileutils.h" + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gtestutils.h" + #include "glibintl.h" + +@@ -112,7 +113,7 @@ g_dir_open_with_errno (const gchar *path, + return NULL; + #endif + +- return g_memdup (&dir, sizeof dir); ++ return g_memdup2 (&dir, sizeof dir); + } + + /** +diff --git a/glib/ghash.c b/glib/ghash.c +index e61b03788..26f26062b 100644 +--- a/glib/ghash.c ++++ b/glib/ghash.c +@@ -34,6 +34,7 @@ + #include "gmacros.h" + #include "glib-private.h" + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gatomic.h" + #include "gtestutils.h" + #include "gslice.h" +@@ -964,7 +965,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer + if (hash_table->have_big_keys) + { + if (key != value) +- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size); ++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size); + /* Keys and values are both big now, so no need for further checks */ + return; + } +@@ -972,7 +973,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer + { + if (key != value) + { +- hash_table->values = g_memdup (hash_table->keys, sizeof (guint) * hash_table->size); ++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (guint) * hash_table->size); + is_a_set = FALSE; + } + } +@@ -1000,7 +1001,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer + + /* Just split if necessary */ + if (is_a_set && key != value) +- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size); ++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size); + + #endif + } +diff --git a/glib/giochannel.c b/glib/giochannel.c +index 1956e9dc6..15927c391 100644 +--- a/glib/giochannel.c ++++ b/glib/giochannel.c +@@ -37,6 +37,7 @@ + #include "giochannel.h" + + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gtestutils.h" + #include "glibintl.h" + +@@ -892,7 +893,7 @@ g_io_channel_set_line_term (GIOChannel *channel, + length = strlen (line_term); + + g_free (channel->line_term); +- channel->line_term = line_term ? g_memdup (line_term, length) : NULL; ++ channel->line_term = line_term ? g_memdup2 (line_term, length) : NULL; + channel->line_term_len = length; + } + +diff --git a/glib/gslice.c b/glib/gslice.c +index 4c758c3be..bcdbb8853 100644 +--- a/glib/gslice.c ++++ b/glib/gslice.c +@@ -41,6 +41,7 @@ + #include "gmain.h" + #include "gmem.h" /* gslice.h */ + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gutils.h" + #include "gtrashstack.h" + #include "gtestutils.h" +@@ -350,7 +351,7 @@ g_slice_get_config_state (GSliceConfig ckey, + array[i++] = allocator->contention_counters[address]; + array[i++] = allocator_get_magazine_threshold (allocator, address); + *n_values = i; +- return g_memdup (array, sizeof (array[0]) * *n_values); ++ return g_memdup2 (array, sizeof (array[0]) * *n_values); + default: + return NULL; + } +diff --git a/glib/gtestutils.c b/glib/gtestutils.c +index dd789482f..5887ecc36 100644 +--- a/glib/gtestutils.c ++++ b/glib/gtestutils.c +@@ -49,6 +49,7 @@ + #include "gpattern.h" + #include "grand.h" + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gtimer.h" + #include "gslice.h" + #include "gspawn.h" +@@ -3798,7 +3799,7 @@ g_test_log_extract (GTestLogBuffer *tbuffer) + if (p <= tbuffer->data->str + mlength) + { + g_string_erase (tbuffer->data, 0, mlength); +- tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup (&msg, sizeof (msg))); ++ tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup2 (&msg, sizeof (msg))); + return TRUE; + } + +diff --git a/glib/gvariant.c b/glib/gvariant.c +index b61bf7278..d6f68a9ea 100644 +--- a/glib/gvariant.c ++++ b/glib/gvariant.c +@@ -33,6 +33,7 @@ + + #include + ++#include "gstrfuncsprivate.h" + + /** + * SECTION:gvariant +@@ -725,7 +726,7 @@ g_variant_new_variant (GVariant *value) + g_variant_ref_sink (value); + + return g_variant_new_from_children (G_VARIANT_TYPE_VARIANT, +- g_memdup (&value, sizeof value), ++ g_memdup2 (&value, sizeof value), + 1, g_variant_is_trusted (value)); + } + +@@ -1229,7 +1230,7 @@ g_variant_new_fixed_array (const GVariantType *element_type, + return NULL; + } + +- data = g_memdup (elements, n_elements * element_size); ++ data = g_memdup2 (elements, n_elements * element_size); + value = g_variant_new_from_data (array_type, data, + n_elements * element_size, + FALSE, g_free, data); +@@ -1908,7 +1909,7 @@ g_variant_dup_bytestring (GVariant *value, + if (length) + *length = size; + +- return g_memdup (original, size + 1); ++ return g_memdup2 (original, size + 1); + } + + /** +diff --git a/glib/gvarianttype.c b/glib/gvarianttype.c +index 1a228f73b..07659ff12 100644 +--- a/glib/gvarianttype.c ++++ b/glib/gvarianttype.c +@@ -28,6 +28,7 @@ + + #include + ++#include "gstrfuncsprivate.h" + + /** + * SECTION:gvarianttype +@@ -1181,7 +1182,7 @@ g_variant_type_new_tuple (const GVariantType * const *items, + g_assert (offset < sizeof buffer); + buffer[offset++] = ')'; + +- return (GVariantType *) g_memdup (buffer, offset); ++ return (GVariantType *) g_memdup2 (buffer, offset); + } + + /** +diff --git a/glib/tests/array-test.c b/glib/tests/array-test.c +index 3fcf1136a..11982f822 100644 +--- a/glib/tests/array-test.c ++++ b/glib/tests/array-test.c +@@ -29,6 +29,8 @@ + #include + #include "glib.h" + ++#include "gstrfuncsprivate.h" ++ + /* Test data to be passed to any function which calls g_array_new(), providing + * the parameters for that call. Most #GArray tests should be repeated for all + * possible values of #ArrayTestData. */ +@@ -1642,7 +1644,7 @@ byte_array_new_take (void) + GByteArray *gbarray; + guint8 *data; + +- data = g_memdup ("woooweeewow", 11); ++ data = g_memdup2 ("woooweeewow", 11); + gbarray = g_byte_array_new_take (data, 11); + g_assert (gbarray->data == data); + g_assert_cmpuint (gbarray->len, ==, 11); +diff --git a/glib/tests/option-context.c b/glib/tests/option-context.c +index 149d22353..88d2b80d1 100644 +--- a/glib/tests/option-context.c ++++ b/glib/tests/option-context.c +@@ -27,6 +27,8 @@ + #include + #include + ++#include "gstrfuncsprivate.h" ++ + static GOptionEntry main_entries[] = { + { "main-switch", 0, 0, + G_OPTION_ARG_NONE, NULL, +@@ -256,7 +258,7 @@ join_stringv (int argc, char **argv) + static char ** + copy_stringv (char **argv, int argc) + { +- return g_memdup (argv, sizeof (char *) * (argc + 1)); ++ return g_memdup2 (argv, sizeof (char *) * (argc + 1)); + } + + static void +@@ -2323,7 +2325,7 @@ test_group_parse (void) + g_option_context_add_group (context, group); + + argv = split_string ("program --test arg1 -f arg2 --group-test arg3 --frob arg4 -z arg5", &argc); +- orig_argv = g_memdup (argv, (argc + 1) * sizeof (char *)); ++ orig_argv = g_memdup2 (argv, (argc + 1) * sizeof (char *)); + + retval = g_option_context_parse (context, &argc, &argv, &error); + +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-05.patch b/gnu/packages/patches/glib-CVE-2021-27219-05.patch new file mode 100644 index 0000000000..62bce1b188 --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-05.patch @@ -0,0 +1,47 @@ +From 0cbad673215ec8a049b7fe2ff44b0beed31b376e Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 16:12:24 +0000 +Subject: [PATCH 05/11] gwinhttpfile: Avoid arithmetic overflow when + calculating a size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The members of `URL_COMPONENTS` (`winhttp_file->url`) are `DWORD`s, i.e. +32-bit unsigned integers. Adding to and multiplying them may cause them +to overflow the unsigned integer bounds, even if the result is passed to +`g_memdup2()` which accepts a `gsize`. + +Cast the `URL_COMPONENTS` members to `gsize` first to ensure that the +arithmetic is done in terms of `gsize`s rather than unsigned integers. + +Spotted by Sebastian Dröge. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gio/win32/gwinhttpfile.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c +index 040ee8564..246ec0578 100644 +--- a/gio/win32/gwinhttpfile.c ++++ b/gio/win32/gwinhttpfile.c +@@ -394,10 +394,10 @@ g_winhttp_file_resolve_relative_path (GFile *file, + child = g_object_new (G_TYPE_WINHTTP_FILE, NULL); + child->vfs = winhttp_file->vfs; + child->url = winhttp_file->url; +- child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); +- child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); +- child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); +- child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); ++ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, ((gsize) winhttp_file->url.dwSchemeLength + 1) * 2); ++ child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, ((gsize) winhttp_file->url.dwHostNameLength + 1) * 2); ++ child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, ((gsize) winhttp_file->url.dwUserNameLength + 1) * 2); ++ child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, ((gsize) winhttp_file->url.dwPasswordLength + 1) * 2); + child->url.lpszUrlPath = wnew_path; + child->url.dwUrlPathLength = wcslen (wnew_path); + child->url.lpszExtraInfo = NULL; +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-06.patch b/gnu/packages/patches/glib-CVE-2021-27219-06.patch new file mode 100644 index 0000000000..4e2435f5fd --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-06.patch @@ -0,0 +1,94 @@ +From f9ee2275cbc312c0b4cdbc338a4fbb76eb36fb9a Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:49:00 +0000 +Subject: [PATCH 06/11] gdatainputstream: Handle stop_chars_len internally as + gsize + +Previously it was handled as a `gssize`, which meant that if the +`stop_chars` string was longer than `G_MAXSSIZE` there would be an +overflow. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gio/gdatainputstream.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/gio/gdatainputstream.c b/gio/gdatainputstream.c +index 2e7750cb5..2cdcbda19 100644 +--- a/gio/gdatainputstream.c ++++ b/gio/gdatainputstream.c +@@ -27,6 +27,7 @@ + #include "gioenumtypes.h" + #include "gioerror.h" + #include "glibintl.h" ++#include "gstrfuncsprivate.h" + + #include + +@@ -856,7 +857,7 @@ static gssize + scan_for_chars (GDataInputStream *stream, + gsize *checked_out, + const char *stop_chars, +- gssize stop_chars_len) ++ gsize stop_chars_len) + { + GBufferedInputStream *bstream; + const char *buffer; +@@ -952,7 +953,7 @@ typedef struct + gsize checked; + + gchar *stop_chars; +- gssize stop_chars_len; ++ gsize stop_chars_len; + gsize length; + } GDataInputStreamReadData; + +@@ -1078,12 +1079,17 @@ g_data_input_stream_read_async (GDataInputStream *stream, + { + GDataInputStreamReadData *data; + GTask *task; ++ gsize stop_chars_len_unsigned; + + data = g_slice_new0 (GDataInputStreamReadData); +- if (stop_chars_len == -1) +- stop_chars_len = strlen (stop_chars); +- data->stop_chars = g_memdup (stop_chars, stop_chars_len); +- data->stop_chars_len = stop_chars_len; ++ ++ if (stop_chars_len < 0) ++ stop_chars_len_unsigned = strlen (stop_chars); ++ else ++ stop_chars_len_unsigned = (gsize) stop_chars_len; ++ ++ data->stop_chars = g_memdup2 (stop_chars, stop_chars_len_unsigned); ++ data->stop_chars_len = stop_chars_len_unsigned; + data->last_saw_cr = FALSE; + + task = g_task_new (stream, cancellable, callback, user_data); +@@ -1338,17 +1344,20 @@ g_data_input_stream_read_upto (GDataInputStream *stream, + gssize found_pos; + gssize res; + char *data_until; ++ gsize stop_chars_len_unsigned; + + g_return_val_if_fail (G_IS_DATA_INPUT_STREAM (stream), NULL); + + if (stop_chars_len < 0) +- stop_chars_len = strlen (stop_chars); ++ stop_chars_len_unsigned = strlen (stop_chars); ++ else ++ stop_chars_len_unsigned = (gsize) stop_chars_len; + + bstream = G_BUFFERED_INPUT_STREAM (stream); + + checked = 0; + +- while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len)) == -1) ++ while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len_unsigned)) == -1) + { + if (g_buffered_input_stream_get_available (bstream) == + g_buffered_input_stream_get_buffer_size (bstream)) +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-07.patch b/gnu/packages/patches/glib-CVE-2021-27219-07.patch new file mode 100644 index 0000000000..dad3d285f4 --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-07.patch @@ -0,0 +1,118 @@ +Backport of: + +From 2aaf593a9eb96d84fe3be740aca2810a97d95592 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:50:37 +0000 +Subject: [PATCH 07/11] gwin32: Use gsize internally in g_wcsdup() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This allows it to handle strings up to length `G_MAXSIZE` — previously +it would overflow with such strings. + +Update the several copies of it identically. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gio/gwin32appinfo.c | 33 ++++++++++++++++++++++++++------- + gio/gwin32registrykey.c | 34 ++++++++++++++++++++++++++-------- + 2 files changed, 52 insertions(+), 15 deletions(-) + +diff --git a/gio/gwin32appinfo.c b/gio/gwin32appinfo.c +index 9f335b370..dd7a96a4a 100644 +--- a/gio/gwin32appinfo.c ++++ b/gio/gwin32appinfo.c +@@ -464,15 +464,34 @@ static GWin32RegistryKey *applications_key; + /* Watch this key */ + static GWin32RegistryKey *classes_root_key; + ++static gsize ++g_utf16_len (const gunichar2 *str) ++{ ++ gsize result; ++ ++ for (result = 0; str[0] != 0; str++, result++) ++ ; ++ ++ return result; ++} ++ + static gunichar2 * +-g_wcsdup (const gunichar2 *str, gssize str_size) ++g_wcsdup (const gunichar2 *str, gssize str_len) + { +- if (str_size == -1) +- { +- str_size = wcslen (str) + 1; +- str_size *= sizeof (gunichar2); +- } +- return g_memdup (str, str_size); ++ gsize str_len_unsigned; ++ gsize str_size; ++ ++ g_return_val_if_fail (str != NULL, NULL); ++ ++ if (str_len < 0) ++ str_len_unsigned = g_utf16_len (str); ++ else ++ str_len_unsigned = (gsize) str_len; ++ ++ g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1); ++ str_size = (str_len_unsigned + 1) * sizeof (gunichar2); ++ ++ return g_memdup2 (str, str_size); + } + + #define URL_ASSOCIATIONS L"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\" +diff --git a/gio/gwin32registrykey.c b/gio/gwin32registrykey.c +index 619fd48af..fbd65311a 100644 +--- a/gio/gwin32registrykey.c ++++ b/gio/gwin32registrykey.c +@@ -127,16 +127,34 @@ typedef enum + G_WIN32_REGISTRY_UPDATED_PATH = 1, + } GWin32RegistryKeyUpdateFlag; + ++static gsize ++g_utf16_len (const gunichar2 *str) ++{ ++ gsize result; ++ ++ for (result = 0; str[0] != 0; str++, result++) ++ ; ++ ++ return result; ++} ++ + static gunichar2 * +-g_wcsdup (const gunichar2 *str, +- gssize str_size) ++g_wcsdup (const gunichar2 *str, gssize str_len) + { +- if (str_size == -1) +- { +- str_size = wcslen (str) + 1; +- str_size *= sizeof (gunichar2); +- } +- return g_memdup (str, str_size); ++ gsize str_len_unsigned; ++ gsize str_size; ++ ++ g_return_val_if_fail (str != NULL, NULL); ++ ++ if (str_len < 0) ++ str_len_unsigned = g_utf16_len (str); ++ else ++ str_len_unsigned = (gsize) str_len; ++ ++ g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1); ++ str_size = (str_len_unsigned + 1) * sizeof (gunichar2); ++ ++ return g_memdup2 (str, str_size); + } + + /** +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-08.patch b/gnu/packages/patches/glib-CVE-2021-27219-08.patch new file mode 100644 index 0000000000..2c021ad317 --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-08.patch @@ -0,0 +1,94 @@ +From ba8ca443051f93a74c0d03d62e70402036f967a5 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 13:58:32 +0000 +Subject: [PATCH 08/11] gkeyfilesettingsbackend: Handle long keys when + converting paths + +Previously, the code in `convert_path()` could not handle keys longer +than `G_MAXINT`, and would overflow if that was exceeded. + +Convert the code to use `gsize` and `g_memdup2()` throughout, and +change from identifying the position of the final slash in the string +using a signed offset `i`, to using a pointer to the character (and +`strrchr()`). This allows the slash to be at any position in a +`G_MAXSIZE`-long string, without sacrificing a bit of the offset for +indicating whether a slash was found. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gio/gkeyfilesettingsbackend.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c +index cd5765afd..25b057672 100644 +--- a/gio/gkeyfilesettingsbackend.c ++++ b/gio/gkeyfilesettingsbackend.c +@@ -33,6 +33,7 @@ + #include "gfilemonitor.h" + #include "gsimplepermission.h" + #include "gsettingsbackendinternal.h" ++#include "gstrfuncsprivate.h" + #include "giomodule-priv.h" + #include "gportalsupport.h" + +@@ -145,8 +146,8 @@ convert_path (GKeyfileSettingsBackend *kfsb, + gchar **group, + gchar **basename) + { +- gint key_len = strlen (key); +- gint i; ++ gsize key_len = strlen (key); ++ const gchar *last_slash; + + if (key_len < kfsb->prefix_len || + memcmp (key, kfsb->prefix, kfsb->prefix_len) != 0) +@@ -155,38 +156,36 @@ convert_path (GKeyfileSettingsBackend *kfsb, + key_len -= kfsb->prefix_len; + key += kfsb->prefix_len; + +- for (i = key_len; i >= 0; i--) +- if (key[i] == '/') +- break; ++ last_slash = strrchr (key, '/'); + + if (kfsb->root_group) + { + /* if a root_group was specified, make sure the user hasn't given + * a path that ghosts that group name + */ +- if (i == kfsb->root_group_len && memcmp (key, kfsb->root_group, i) == 0) ++ if (last_slash != NULL && (last_slash - key) == kfsb->root_group_len && memcmp (key, kfsb->root_group, last_slash - key) == 0) + return FALSE; + } + else + { + /* if no root_group was given, ensure that the user gave a path */ +- if (i == -1) ++ if (last_slash == NULL) + return FALSE; + } + + if (group) + { +- if (i >= 0) ++ if (last_slash != NULL) + { +- *group = g_memdup (key, i + 1); +- (*group)[i] = '\0'; ++ *group = g_memdup2 (key, (last_slash - key) + 1); ++ (*group)[(last_slash - key)] = '\0'; + } + else + *group = g_strdup (kfsb->root_group); + } + + if (basename) +- *basename = g_memdup (key + i + 1, key_len - i); ++ *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key)); + + return TRUE; + } +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-09.patch b/gnu/packages/patches/glib-CVE-2021-27219-09.patch new file mode 100644 index 0000000000..4de0c1b349 --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-09.patch @@ -0,0 +1,98 @@ +From 65ec7f4d6e8832c481f6e00e2eb007b9a60024ce Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 14:00:53 +0000 +Subject: [PATCH 09/11] gsocket: Use gsize to track native sockaddr's size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Don’t use an `int`, that’s potentially too small. In practical terms, +this is not a problem, since no socket address is going to be that big. + +By making these changes we can use `g_memdup2()` without warnings, +though. Fewer warnings is good. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gio/gsocket.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/gio/gsocket.c b/gio/gsocket.c +index 66073af83..a3af149e8 100644 +--- a/gio/gsocket.c ++++ b/gio/gsocket.c +@@ -75,6 +75,7 @@ + #include "gcredentialsprivate.h" + #include "glibintl.h" + #include "gioprivate.h" ++#include "gstrfuncsprivate.h" + + #ifdef G_OS_WIN32 + /* For Windows XP runtime compatibility, but use the system's if_nametoindex() if available */ +@@ -174,7 +175,7 @@ static gboolean g_socket_datagram_based_condition_wait (GDatagramBased + GError **error); + + static GSocketAddress * +-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len); ++cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len); + + static gssize + g_socket_receive_message_with_timeout (GSocket *socket, +@@ -260,7 +261,7 @@ struct _GSocketPrivate + struct { + GSocketAddress *addr; + struct sockaddr *native; +- gint native_len; ++ gsize native_len; + guint64 last_used; + } recv_addr_cache[RECV_ADDR_CACHE_SIZE]; + }; +@@ -5211,14 +5212,14 @@ g_socket_send_messages_with_timeout (GSocket *socket, + } + + static GSocketAddress * +-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len) ++cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len) + { + GSocketAddress *saddr; + gint i; + guint64 oldest_time = G_MAXUINT64; + gint oldest_index = 0; + +- if (native_len <= 0) ++ if (native_len == 0) + return NULL; + + saddr = NULL; +@@ -5226,7 +5227,7 @@ cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len) + { + GSocketAddress *tmp = socket->priv->recv_addr_cache[i].addr; + gpointer tmp_native = socket->priv->recv_addr_cache[i].native; +- gint tmp_native_len = socket->priv->recv_addr_cache[i].native_len; ++ gsize tmp_native_len = socket->priv->recv_addr_cache[i].native_len; + + if (!tmp) + continue; +@@ -5256,7 +5257,7 @@ cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len) + g_free (socket->priv->recv_addr_cache[oldest_index].native); + } + +- socket->priv->recv_addr_cache[oldest_index].native = g_memdup (native, native_len); ++ socket->priv->recv_addr_cache[oldest_index].native = g_memdup2 (native, native_len); + socket->priv->recv_addr_cache[oldest_index].native_len = native_len; + socket->priv->recv_addr_cache[oldest_index].addr = g_object_ref (saddr); + socket->priv->recv_addr_cache[oldest_index].last_used = g_get_monotonic_time (); +@@ -5404,6 +5405,9 @@ g_socket_receive_message_with_timeout (GSocket *socket, + /* do it */ + while (1) + { ++ /* addrlen has to be of type int because that’s how WSARecvFrom() is defined */ ++ G_STATIC_ASSERT (sizeof addr <= G_MAXINT); ++ + addrlen = sizeof addr; + if (address) + result = WSARecvFrom (socket->priv->fd, +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-10.patch b/gnu/packages/patches/glib-CVE-2021-27219-10.patch new file mode 100644 index 0000000000..36198b8eef --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-10.patch @@ -0,0 +1,52 @@ +From 777b95a88f006d39d9fe6d3321db17e7b0d4b9a4 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 14:07:39 +0000 +Subject: [PATCH 10/11] gtlspassword: Forbid very long TLS passwords +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The public API `g_tls_password_set_value_full()` (and the vfunc it +invokes) can only accept a `gssize` length. Ensure that nul-terminated +strings passed to `g_tls_password_set_value()` can’t exceed that length. +Use `g_memdup2()` to avoid an overflow if they’re longer than +`G_MAXUINT` similarly. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + gio/gtlspassword.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c +index 1e437a7b6..dbcec41a8 100644 +--- a/gio/gtlspassword.c ++++ b/gio/gtlspassword.c +@@ -23,6 +23,7 @@ + #include "glibintl.h" + + #include "gioenumtypes.h" ++#include "gstrfuncsprivate.h" + #include "gtlspassword.h" + + #include +@@ -287,9 +288,14 @@ g_tls_password_set_value (GTlsPassword *password, + g_return_if_fail (G_IS_TLS_PASSWORD (password)); + + if (length < 0) +- length = strlen ((gchar *)value); ++ { ++ /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */ ++ gsize length_unsigned = strlen ((gchar *) value); ++ g_return_if_fail (length_unsigned > G_MAXSSIZE); ++ length = (gssize) length_unsigned; ++ } + +- g_tls_password_set_value_full (password, g_memdup (value, length), length, g_free); ++ g_tls_password_set_value_full (password, g_memdup2 (value, (gsize) length), length, g_free); + } + + /** +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-11.patch b/gnu/packages/patches/glib-CVE-2021-27219-11.patch new file mode 100644 index 0000000000..4413cb9827 --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-11.patch @@ -0,0 +1,57 @@ +From ecdf91400e9a538695a0895b95ad7e8abcdf1749 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Thu, 4 Feb 2021 14:09:40 +0000 +Subject: [PATCH 11/11] giochannel: Forbid very long line terminator strings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The public API `GIOChannel.line_term_len` is only a `guint`. Ensure that +nul-terminated strings passed to `g_io_channel_set_line_term()` can’t +exceed that length. Use `g_memdup2()` to avoid a warning (`g_memdup()` +is due to be deprecated), but not to avoid a bug, since it’s also +limited to `G_MAXUINT`. + +Signed-off-by: Philip Withnall +Helps: #2319 +--- + glib/giochannel.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/glib/giochannel.c b/glib/giochannel.c +index 15927c391..66c6591f0 100644 +--- a/glib/giochannel.c ++++ b/glib/giochannel.c +@@ -884,16 +884,25 @@ g_io_channel_set_line_term (GIOChannel *channel, + const gchar *line_term, + gint length) + { ++ guint length_unsigned; ++ + g_return_if_fail (channel != NULL); + g_return_if_fail (line_term == NULL || length != 0); /* Disallow "" */ + + if (line_term == NULL) +- length = 0; +- else if (length < 0) +- length = strlen (line_term); ++ length_unsigned = 0; ++ else if (length >= 0) ++ length_unsigned = (guint) length; ++ else ++ { ++ /* FIXME: We’re constrained by line_term_len being a guint here */ ++ gsize length_size = strlen (line_term); ++ g_return_if_fail (length_size > G_MAXUINT); ++ length_unsigned = (guint) length_size; ++ } + + g_free (channel->line_term); +- channel->line_term = line_term ? g_memdup2 (line_term, length) : NULL; ++ channel->line_term = line_term ? g_memdup2 (line_term, length_unsigned) : NULL; + channel->line_term_len = length; + } + +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-12.patch b/gnu/packages/patches/glib-CVE-2021-27219-12.patch new file mode 100644 index 0000000000..4fdbb81750 --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-12.patch @@ -0,0 +1,30 @@ +From f8273b9aded135fe07094faebd527e43851aaf6e Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" +Date: Sun, 7 Feb 2021 23:32:40 +0100 +Subject: [PATCH 1/5] giochannel: Fix length_size bounds check + +The inverted condition is an obvious error introduced by ecdf91400e9a. + +Fixes https://gitlab.gnome.org/GNOME/glib/-/issues/2323 + +(cherry picked from commit a149bf2f9030168051942124536e303af8ba6176) +--- + glib/giochannel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/glib/giochannel.c b/glib/giochannel.c +index 66c6591f0..0d9d5f223 100644 +--- a/glib/giochannel.c ++++ b/glib/giochannel.c +@@ -897,7 +897,7 @@ g_io_channel_set_line_term (GIOChannel *channel, + { + /* FIXME: We’re constrained by line_term_len being a guint here */ + gsize length_size = strlen (line_term); +- g_return_if_fail (length_size > G_MAXUINT); ++ g_return_if_fail (length_size <= G_MAXUINT); + length_unsigned = (guint) length_size; + } + +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-13.patch b/gnu/packages/patches/glib-CVE-2021-27219-13.patch new file mode 100644 index 0000000000..6a287cc3a2 --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-13.patch @@ -0,0 +1,32 @@ +From e069c50467712e6d607822afd6b6c15c2c343dff Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Mon, 8 Feb 2021 10:34:50 +0000 +Subject: [PATCH 2/5] giochannel: Don't store negative line_term_len in + GIOChannel struct + +Adding test coverage indicated that this was another bug in 0cc11f74. + +Fixes: 0cc11f74 "giochannel: Forbid very long line terminator strings" +Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/2323 +Signed-off-by: Simon McVittie +(cherry picked from commit 5dc8b0014c03e7491d93b90275ab442e888a9628) +--- + glib/giochannel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/glib/giochannel.c b/glib/giochannel.c +index 0d9d5f223..4c39b9dc0 100644 +--- a/glib/giochannel.c ++++ b/glib/giochannel.c +@@ -903,7 +903,7 @@ g_io_channel_set_line_term (GIOChannel *channel, + + g_free (channel->line_term); + channel->line_term = line_term ? g_memdup2 (line_term, length_unsigned) : NULL; +- channel->line_term_len = length; ++ channel->line_term_len = length_unsigned; + } + + /** +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-14.patch b/gnu/packages/patches/glib-CVE-2021-27219-14.patch new file mode 100644 index 0000000000..78de2846da --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-14.patch @@ -0,0 +1,32 @@ +From 4506d1859a863087598c8d122740bae25b65b099 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Mon, 8 Feb 2021 10:04:48 +0000 +Subject: [PATCH 4/5] gtlspassword: Fix inverted assertion + +The intention here was to assert that the length of the password fits +in a gssize. Passwords more than half the size of virtual memory are +probably excessive. + +Fixes: a8b204ff "gtlspassword: Forbid very long TLS passwords" +Signed-off-by: Simon McVittie +(cherry picked from commit 61bb52ec42de1082bfb06ce1c737fc295bfe60b8) +--- + gio/gtlspassword.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c +index dbcec41a8..bd86a6dfe 100644 +--- a/gio/gtlspassword.c ++++ b/gio/gtlspassword.c +@@ -291,7 +291,7 @@ g_tls_password_set_value (GTlsPassword *password, + { + /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */ + gsize length_unsigned = strlen ((gchar *) value); +- g_return_if_fail (length_unsigned > G_MAXSSIZE); ++ g_return_if_fail (length_unsigned <= G_MAXSSIZE); + length = (gssize) length_unsigned; + } + +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-15.patch b/gnu/packages/patches/glib-CVE-2021-27219-15.patch new file mode 100644 index 0000000000..37ef85b4fa --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-15.patch @@ -0,0 +1,95 @@ +From 3d1550354c3c6a8491c39881752d51cb7515f2c2 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Mon, 8 Feb 2021 10:22:39 +0000 +Subject: [PATCH 5/5] tls-interaction: Add test coverage for various ways to + set the password + +Signed-off-by: Simon McVittie +(cherry picked from commit df4501316ca3903072400504a5ea76498db19538) +--- + gio/tests/tls-interaction.c | 55 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 55 insertions(+) + +diff --git a/gio/tests/tls-interaction.c b/gio/tests/tls-interaction.c +index 4f0737d7e..5661e8e0d 100644 +--- a/gio/tests/tls-interaction.c ++++ b/gio/tests/tls-interaction.c +@@ -174,6 +174,38 @@ test_interaction_ask_password_finish_failure (GTlsInteraction *interaction, + } + + ++/* Return a copy of @str that is allocated in a silly way, to exercise ++ * custom free-functions. The returned pointer points to a copy of @str ++ * in a buffer of the form "BEFORE \0 str \0 AFTER". */ ++static guchar * ++special_dup (const char *str) ++{ ++ GString *buf = g_string_new ("BEFORE"); ++ guchar *ret; ++ ++ g_string_append_c (buf, '\0'); ++ g_string_append (buf, str); ++ g_string_append_c (buf, '\0'); ++ g_string_append (buf, "AFTER"); ++ ret = (guchar *) g_string_free (buf, FALSE); ++ return ret + strlen ("BEFORE") + 1; ++} ++ ++ ++/* Free a copy of @str that was made with special_dup(), after asserting ++ * that it has not been corrupted. */ ++static void ++special_free (gpointer p) ++{ ++ gchar *s = p; ++ gchar *buf = s - strlen ("BEFORE") - 1; ++ ++ g_assert_cmpstr (buf, ==, "BEFORE"); ++ g_assert_cmpstr (s + strlen (s) + 1, ==, "AFTER"); ++ g_free (buf); ++} ++ ++ + static GTlsInteractionResult + test_interaction_ask_password_sync_success (GTlsInteraction *interaction, + GTlsPassword *password, +@@ -181,6 +213,8 @@ test_interaction_ask_password_sync_success (GTlsInteraction *interaction, + GError **error) + { + TestInteraction *self; ++ const guchar *value; ++ gsize len; + + g_assert (TEST_IS_INTERACTION (interaction)); + self = TEST_INTERACTION (interaction); +@@ -192,6 +226,27 @@ test_interaction_ask_password_sync_success (GTlsInteraction *interaction, + g_assert (error != NULL); + g_assert (*error == NULL); + ++ /* Exercise different ways to set the value */ ++ g_tls_password_set_value (password, (const guchar *) "foo", 4); ++ len = 0; ++ value = g_tls_password_get_value (password, &len); ++ g_assert_cmpmem (value, len, "foo", 4); ++ ++ g_tls_password_set_value (password, (const guchar *) "bar", -1); ++ len = 0; ++ value = g_tls_password_get_value (password, &len); ++ g_assert_cmpmem (value, len, "bar", 3); ++ ++ g_tls_password_set_value_full (password, special_dup ("baa"), 4, special_free); ++ len = 0; ++ value = g_tls_password_get_value (password, &len); ++ g_assert_cmpmem (value, len, "baa", 4); ++ ++ g_tls_password_set_value_full (password, special_dup ("baz"), -1, special_free); ++ len = 0; ++ value = g_tls_password_get_value (password, &len); ++ g_assert_cmpmem (value, len, "baz", 3); ++ + /* Don't do this in real life. Include a null terminator for testing */ + g_tls_password_set_value (password, (const guchar *)"the password", 13); + return G_TLS_INTERACTION_HANDLED; +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-16.patch b/gnu/packages/patches/glib-CVE-2021-27219-16.patch new file mode 100644 index 0000000000..43635e72ed --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-16.patch @@ -0,0 +1,43 @@ +From cb9ee701ef46c1819eed4e2a4dc181682bdfc176 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 10 Feb 2021 21:16:39 +0000 +Subject: [PATCH 1/3] gkeyfilesettingsbackend: Fix basename handling when group + is unset + +Fix an effective regression in commit +7781a9cbd2fd0aa84bee0f4eee88470640ff6706, which happens when +`convert_path()` is called with a `key` which contains no slashes. In +that case, the `key` is entirely the `basename`. + +Prior to commit 7781a9cb, the code worked through a fluke of `i == -1` +cancelling out with the various additions in the `g_memdup()` call, and +effectively resulting in `g_strdup (key)`. + +Spotted by Guido Berhoerster. + +Signed-off-by: Philip Withnall +--- + gio/gkeyfilesettingsbackend.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c +index 25b057672..861c3a661 100644 +--- a/gio/gkeyfilesettingsbackend.c ++++ b/gio/gkeyfilesettingsbackend.c +@@ -185,7 +185,12 @@ convert_path (GKeyfileSettingsBackend *kfsb, + } + + if (basename) +- *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key)); ++ { ++ if (last_slash != NULL) ++ *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key)); ++ else ++ *basename = g_strdup (key); ++ } + + return TRUE; + } +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-17.patch b/gnu/packages/patches/glib-CVE-2021-27219-17.patch new file mode 100644 index 0000000000..3153979071 --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-17.patch @@ -0,0 +1,37 @@ +From 31e0d403ba635dbbacbfbff74295e5db02558d76 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 10 Feb 2021 21:19:30 +0000 +Subject: [PATCH 2/3] gkeyfilesettingsbackend: Disallow empty key or group + names + +These should never have been allowed; they will result in precondition +failures from the `GKeyFile` later on in the code. + +A test will be added for this shortly. + +Signed-off-by: Philip Withnall +--- + gio/gkeyfilesettingsbackend.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c +index 861c3a661..de216e615 100644 +--- a/gio/gkeyfilesettingsbackend.c ++++ b/gio/gkeyfilesettingsbackend.c +@@ -158,6 +158,13 @@ convert_path (GKeyfileSettingsBackend *kfsb, + + last_slash = strrchr (key, '/'); + ++ /* Disallow empty group names or key names */ ++ if (key_len == 0 || ++ (last_slash != NULL && ++ (*(last_slash + 1) == '\0' || ++ last_slash == key))) ++ return FALSE; ++ + if (kfsb->root_group) + { + /* if a root_group was specified, make sure the user hasn't given +-- +2.30.1 + diff --git a/gnu/packages/patches/glib-CVE-2021-27219-18.patch b/gnu/packages/patches/glib-CVE-2021-27219-18.patch new file mode 100644 index 0000000000..c18d44ddeb --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-27219-18.patch @@ -0,0 +1,232 @@ +Backport of: + +From 221c26685354dea2b2732df94404e8e5e77a1591 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 10 Feb 2021 21:21:36 +0000 +Subject: [PATCH 3/3] tests: Add tests for key name handling in the keyfile + backend + +This tests the two recent commits. + +Signed-off-by: Philip Withnall +--- + gio/tests/gsettings.c | 171 +++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 170 insertions(+), 1 deletion(-) + +diff --git a/gio/tests/gsettings.c b/gio/tests/gsettings.c +index baadca8f5..afe594a23 100644 +--- a/gio/tests/gsettings.c ++++ b/gio/tests/gsettings.c +@@ -1,3 +1,4 @@ ++#include + #include + #include + #include +@@ -1740,6 +1741,14 @@ key_changed_cb (GSettings *settings, const gchar *key, gpointer data) + (*b) = TRUE; + } + ++typedef struct ++{ ++ const gchar *path; ++ const gchar *root_group; ++ const gchar *keyfile_group; ++ const gchar *root_path; ++} KeyfileTestData; ++ + /* + * Test that using a keyfile works + */ +@@ -1834,7 +1843,11 @@ test_keyfile (Fixture *fixture, + g_free (str); + + g_settings_set (settings, "farewell", "s", "cheerio"); +- ++ ++ /* Check that empty keys/groups are not allowed. */ ++ g_assert_false (g_settings_is_writable (settings, "")); ++ g_assert_false (g_settings_is_writable (settings, "/")); ++ + /* When executing as root, changing the mode of the keyfile will have + * no effect on the writability of the settings. + */ +@@ -1866,6 +1879,149 @@ test_keyfile (Fixture *fixture, + g_free (keyfile_path); + } + ++/* ++ * Test that using a keyfile works with a schema with no path set. ++ */ ++static void ++test_keyfile_no_path (Fixture *fixture, ++ gconstpointer user_data) ++{ ++ const KeyfileTestData *test_data = user_data; ++ GSettingsBackend *kf_backend; ++ GSettings *settings; ++ GKeyFile *keyfile; ++ gboolean writable; ++ gchar *key = NULL; ++ GError *error = NULL; ++ gchar *keyfile_path = NULL, *store_path = NULL; ++ ++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL); ++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL); ++ kf_backend = g_keyfile_settings_backend_new (store_path, test_data->root_path, test_data->root_group); ++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, test_data->path); ++ g_object_unref (kf_backend); ++ ++ g_settings_reset (settings, "test-boolean"); ++ g_assert_true (g_settings_get_boolean (settings, "test-boolean")); ++ ++ writable = g_settings_is_writable (settings, "test-boolean"); ++ g_assert_true (writable); ++ g_settings_set (settings, "test-boolean", "b", FALSE); ++ ++ g_assert_false (g_settings_get_boolean (settings, "test-boolean")); ++ ++ g_settings_delay (settings); ++ g_settings_set (settings, "test-boolean", "b", TRUE); ++ g_settings_apply (settings); ++ ++ keyfile = g_key_file_new (); ++ g_assert_true (g_key_file_load_from_file (keyfile, store_path, 0, NULL)); ++ ++ g_assert_true (g_key_file_get_boolean (keyfile, test_data->keyfile_group, "test-boolean", NULL)); ++ ++ g_key_file_free (keyfile); ++ ++ g_settings_reset (settings, "test-boolean"); ++ g_settings_apply (settings); ++ keyfile = g_key_file_new (); ++ g_assert_true (g_key_file_load_from_file (keyfile, store_path, 0, NULL)); ++ ++ g_assert_false (g_key_file_get_string (keyfile, test_data->keyfile_group, "test-boolean", &error)); ++ g_assert_error (error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_KEY_NOT_FOUND); ++ g_clear_error (&error); ++ ++ /* Check that empty keys/groups are not allowed. */ ++ g_assert_false (g_settings_is_writable (settings, "")); ++ g_assert_false (g_settings_is_writable (settings, "/")); ++ ++ /* Keys which ghost the root group name are not allowed. This can only be ++ * tested when the path is `/` as otherwise it acts as a prefix and prevents ++ * any ghosting. */ ++ if (g_str_equal (test_data->path, "/")) ++ { ++ key = g_strdup_printf ("%s/%s", test_data->root_group, ""); ++ g_assert_false (g_settings_is_writable (settings, key)); ++ g_free (key); ++ ++ key = g_strdup_printf ("%s/%s", test_data->root_group, "/"); ++ g_assert_false (g_settings_is_writable (settings, key)); ++ g_free (key); ++ ++ key = g_strdup_printf ("%s/%s", test_data->root_group, "test-boolean"); ++ g_assert_false (g_settings_is_writable (settings, key)); ++ g_free (key); ++ } ++ ++ g_key_file_free (keyfile); ++ g_object_unref (settings); ++ ++ /* Clean up the temporary directory. */ ++ g_assert_cmpint (g_chmod (keyfile_path, 0777) == 0 ? 0 : errno, ==, 0); ++ g_assert_cmpint (g_remove (store_path) == 0 ? 0 : errno, ==, 0); ++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0); ++ g_free (store_path); ++ g_free (keyfile_path); ++} ++ ++/* ++ * Test that a keyfile rejects writes to keys outside its root path. ++ */ ++static void ++test_keyfile_outside_root_path (Fixture *fixture, ++ gconstpointer user_data) ++{ ++ GSettingsBackend *kf_backend; ++ GSettings *settings; ++ gchar *keyfile_path = NULL, *store_path = NULL; ++ ++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL); ++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL); ++ kf_backend = g_keyfile_settings_backend_new (store_path, "/tests/basic-types/", "root"); ++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, "/tests/"); ++ g_object_unref (kf_backend); ++ ++ g_assert_false (g_settings_is_writable (settings, "test-boolean")); ++ ++ g_object_unref (settings); ++ ++ /* Clean up the temporary directory. The keyfile probably doesn’t exist, so ++ * don’t error on failure. */ ++ g_remove (store_path); ++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0); ++ g_free (store_path); ++ g_free (keyfile_path); ++} ++ ++/* ++ * Test that a keyfile rejects writes to keys in the root if no root group is set. ++ */ ++static void ++test_keyfile_no_root_group (Fixture *fixture, ++ gconstpointer user_data) ++{ ++ GSettingsBackend *kf_backend; ++ GSettings *settings; ++ gchar *keyfile_path = NULL, *store_path = NULL; ++ ++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL); ++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL); ++ kf_backend = g_keyfile_settings_backend_new (store_path, "/", NULL); ++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, "/"); ++ g_object_unref (kf_backend); ++ ++ g_assert_false (g_settings_is_writable (settings, "test-boolean")); ++ g_assert_true (g_settings_is_writable (settings, "child/test-boolean")); ++ ++ g_object_unref (settings); ++ ++ /* Clean up the temporary directory. The keyfile probably doesn’t exist, so ++ * don’t error on failure. */ ++ g_remove (store_path); ++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0); ++ g_free (store_path); ++ g_free (keyfile_path); ++} ++ + /* Test that getting child schemas works + */ + static void +@@ -2844,6 +3000,14 @@ main (int argc, char *argv[]) + gchar *override_text; + gchar *enums; + gint result; ++ const KeyfileTestData keyfile_test_data_explicit_path = { "/tests/", "root", "tests", "/" }; ++ const KeyfileTestData keyfile_test_data_empty_path = { "/", "root", "root", "/" }; ++ const KeyfileTestData keyfile_test_data_long_path = { ++ "/tests/path/is/very/long/and/this/makes/some/comparisons/take/a/different/branch/", ++ "root", ++ "tests/path/is/very/long/and/this/makes/some/comparisons/take/a/different/branch", ++ "/" ++ }; + + /* Meson build sets this */ + #ifdef TEST_LOCALE_PATH +@@ -2967,6 +3131,11 @@ main (int argc, char *argv[]) + } + + g_test_add ("/gsettings/keyfile", Fixture, NULL, setup, test_keyfile, teardown); ++ g_test_add ("/gsettings/keyfile/explicit-path", Fixture, &keyfile_test_data_explicit_path, setup, test_keyfile_no_path, teardown); ++ g_test_add ("/gsettings/keyfile/empty-path", Fixture, &keyfile_test_data_empty_path, setup, test_keyfile_no_path, teardown); ++ g_test_add ("/gsettings/keyfile/long-path", Fixture, &keyfile_test_data_long_path, setup, test_keyfile_no_path, teardown); ++ g_test_add ("/gsettings/keyfile/outside-root-path", Fixture, NULL, setup, test_keyfile_outside_root_path, teardown); ++ g_test_add ("/gsettings/keyfile/no-root-group", Fixture, NULL, setup, test_keyfile_no_root_group, teardown); + g_test_add_func ("/gsettings/child-schema", test_child_schema); + g_test_add_func ("/gsettings/strinfo", test_strinfo); + g_test_add_func ("/gsettings/enums", test_enums); +-- +2.30.1 + -- cgit 1.4.1 From feff80cec3c97a3df2c20d300be12d67f79d4f22 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Thu, 11 Mar 2021 15:13:55 +0200 Subject: Revert "gnu: mongodb: Update to 3.4.24 [security fixes]." This reverts commit e5f89570c1d72c4b674fad6b6ad5591ead02d419. After this version mongodb switched to the Server Side Public License (https://www.mongodb.com/licensing/server-side-public-license) which is not a FOSS license. --- gnu/local.mk | 1 + gnu/packages/databases.scm | 13 +++-- ...ngodb-support-unknown-linux-distributions.patch | 55 ++++++++++++++++++++++ 3 files changed, 64 insertions(+), 5 deletions(-) create mode 100644 gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index c2637926ee..a39c5d8592 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1396,6 +1396,7 @@ dist_patch_DATA = \ %D%/packages/patches/mpc123-initialize-ao.patch \ %D%/packages/patches/module-init-tools-moduledir.patch \ %D%/packages/patches/monero-use-system-miniupnpc.patch \ + %D%/packages/patches/mongodb-support-unknown-linux-distributions.patch \ %D%/packages/patches/mono-mdoc-timestamping.patch \ %D%/packages/patches/mozjs17-aarch64-support.patch \ %D%/packages/patches/mozjs24-aarch64-support.patch \ diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm index 03d01b582a..8bb248fa1d 100644 --- a/gnu/packages/databases.scm +++ b/gnu/packages/databases.scm @@ -664,24 +664,27 @@ replacement for the code@{python-memcached} library.") (define-public mongodb (package (name "mongodb") - (version "3.4.24") + (version "3.4.10") (source (origin (method url-fetch) (uri (string-append "https://github.com/mongodb/mongo/archive/r" version ".tar.gz")) (file-name (string-append name "-" version ".tar.gz")) (sha256 - (base32 "0y1669sqj8wyf0y0njhxs4qhn1qzjhrs2h2qllya5samxrlrjhkg")) + (base32 "0676lvkljj7a5hdhv78dbykqnqrj9lbn9799mi84b8vbnzsq961r")) (modules '((guix build utils))) (snippet '(begin (for-each (lambda (dir) (delete-file-recursively (string-append "src/third_party/" dir))) - '("pcre-8.42" "scons-2.5.0" "snappy-1.1.3" + '("pcre-8.41" "scons-2.5.0" "snappy-1.1.3" "valgrind-3.11.0" "wiredtiger" - "yaml-cpp-0.6.2" "zlib-1.2.11")) - #t)))) + "yaml-cpp-0.5.3" "zlib-1.2.8")) + #t)) + (patches + (list + (search-patch "mongodb-support-unknown-linux-distributions.patch"))))) (build-system scons-build-system) (inputs `(("openssl" ,openssl-1.0) diff --git a/gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch b/gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch new file mode 100644 index 0000000000..6057ebeb08 --- /dev/null +++ b/gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch @@ -0,0 +1,55 @@ +From e724bb7018a482640c4f194f88b554af2c59d76e Mon Sep 17 00:00:00 2001 +From: Mark Benvenuto +Date: Wed, 20 Sep 2017 11:50:02 -0400 +Subject: [PATCH] SERVER-30857 Support unknown Linux distributions + +--- + src/mongo/rpc/metadata/client_metadata.cpp | 6 ------ + src/mongo/util/processinfo_linux.cpp | 9 ++++++--- + 2 files changed, 6 insertions(+), 9 deletions(-) + +diff --git a/src/mongo/rpc/metadata/client_metadata.cpp b/src/mongo/rpc/metadata/client_metadata.cpp +index 845a315dd74..a959a4e31e9 100644 +--- a/src/mongo/rpc/metadata/client_metadata.cpp ++++ b/src/mongo/rpc/metadata/client_metadata.cpp +@@ -302,9 +302,6 @@ void ClientMetadata::serializePrivate(StringData driverName, + StringData osArchitecture, + StringData osVersion, + BSONObjBuilder* builder) { +- invariant(!driverName.empty() && !driverVersion.empty() && !osType.empty() && !osName.empty() && +- !osArchitecture.empty() && !osVersion.empty()); +- + BSONObjBuilder metaObjBuilder(builder->subobjStart(kMetadataDocumentName)); + + { +@@ -347,9 +344,6 @@ Status ClientMetadata::serializePrivate(StringData driverName, + StringData osVersion, + StringData appName, + BSONObjBuilder* builder) { +- invariant(!driverName.empty() && !driverVersion.empty() && !osType.empty() && !osName.empty() && +- !osArchitecture.empty() && !osVersion.empty()); +- + if (appName.size() > kMaxApplicationNameByteLength) { + return Status(ErrorCodes::ClientMetadataAppNameTooLarge, + str::stream() << "The '" << kApplication << "." << kName +diff --git a/src/mongo/util/processinfo_linux.cpp b/src/mongo/util/processinfo_linux.cpp +index c3debf377bd..c2813b026b0 100644 +--- a/src/mongo/util/processinfo_linux.cpp ++++ b/src/mongo/util/processinfo_linux.cpp +@@ -376,10 +376,13 @@ class LinuxSysHelper { + if ((nl = name.find('\n', nl)) != string::npos) + // stop at first newline + name.erase(nl); +- // no standard format for name and version. use kernel version +- version = "Kernel "; +- version += LinuxSysHelper::readLineFromFile("/proc/sys/kernel/osrelease"); ++ } else { ++ name = "unknown"; + } ++ ++ // There is no standard format for name and version so use the kernel version. ++ version = "Kernel "; ++ version += LinuxSysHelper::readLineFromFile("/proc/sys/kernel/osrelease"); + } + + /** -- cgit 1.4.1 From 2f9132e2e0b1e01398a01a32972e87f45ec2f7a6 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Thu, 11 Mar 2021 23:23:00 +0200 Subject: Revert "Revert "gnu: mongodb: Update to 3.4.24 [security fixes]."" This reverts commit feff80cec3c97a3df2c20d300be12d67f79d4f22. I was mistaken, there are still branches of mongodb which are still licensed under the AGPL3 --- gnu/local.mk | 1 - gnu/packages/databases.scm | 13 ++--- ...ngodb-support-unknown-linux-distributions.patch | 55 ---------------------- 3 files changed, 5 insertions(+), 64 deletions(-) delete mode 100644 gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index a39c5d8592..c2637926ee 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1396,7 +1396,6 @@ dist_patch_DATA = \ %D%/packages/patches/mpc123-initialize-ao.patch \ %D%/packages/patches/module-init-tools-moduledir.patch \ %D%/packages/patches/monero-use-system-miniupnpc.patch \ - %D%/packages/patches/mongodb-support-unknown-linux-distributions.patch \ %D%/packages/patches/mono-mdoc-timestamping.patch \ %D%/packages/patches/mozjs17-aarch64-support.patch \ %D%/packages/patches/mozjs24-aarch64-support.patch \ diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm index 29270ce2be..aa64507b00 100644 --- a/gnu/packages/databases.scm +++ b/gnu/packages/databases.scm @@ -667,27 +667,24 @@ replacement for the code@{python-memcached} library.") (define-public mongodb (package (name "mongodb") - (version "3.4.10") + (version "3.4.24") (source (origin (method url-fetch) (uri (string-append "https://github.com/mongodb/mongo/archive/r" version ".tar.gz")) (file-name (string-append name "-" version ".tar.gz")) (sha256 - (base32 "0676lvkljj7a5hdhv78dbykqnqrj9lbn9799mi84b8vbnzsq961r")) + (base32 "0y1669sqj8wyf0y0njhxs4qhn1qzjhrs2h2qllya5samxrlrjhkg")) (modules '((guix build utils))) (snippet '(begin (for-each (lambda (dir) (delete-file-recursively (string-append "src/third_party/" dir))) - '("pcre-8.41" "scons-2.5.0" "snappy-1.1.3" + '("pcre-8.42" "scons-2.5.0" "snappy-1.1.3" "valgrind-3.11.0" "wiredtiger" - "yaml-cpp-0.5.3" "zlib-1.2.8")) - #t)) - (patches - (list - (search-patch "mongodb-support-unknown-linux-distributions.patch"))))) + "yaml-cpp-0.6.2" "zlib-1.2.11")) + #t)))) (build-system scons-build-system) (inputs `(("openssl" ,openssl-1.0) diff --git a/gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch b/gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch deleted file mode 100644 index 6057ebeb08..0000000000 --- a/gnu/packages/patches/mongodb-support-unknown-linux-distributions.patch +++ /dev/null @@ -1,55 +0,0 @@ -From e724bb7018a482640c4f194f88b554af2c59d76e Mon Sep 17 00:00:00 2001 -From: Mark Benvenuto -Date: Wed, 20 Sep 2017 11:50:02 -0400 -Subject: [PATCH] SERVER-30857 Support unknown Linux distributions - ---- - src/mongo/rpc/metadata/client_metadata.cpp | 6 ------ - src/mongo/util/processinfo_linux.cpp | 9 ++++++--- - 2 files changed, 6 insertions(+), 9 deletions(-) - -diff --git a/src/mongo/rpc/metadata/client_metadata.cpp b/src/mongo/rpc/metadata/client_metadata.cpp -index 845a315dd74..a959a4e31e9 100644 ---- a/src/mongo/rpc/metadata/client_metadata.cpp -+++ b/src/mongo/rpc/metadata/client_metadata.cpp -@@ -302,9 +302,6 @@ void ClientMetadata::serializePrivate(StringData driverName, - StringData osArchitecture, - StringData osVersion, - BSONObjBuilder* builder) { -- invariant(!driverName.empty() && !driverVersion.empty() && !osType.empty() && !osName.empty() && -- !osArchitecture.empty() && !osVersion.empty()); -- - BSONObjBuilder metaObjBuilder(builder->subobjStart(kMetadataDocumentName)); - - { -@@ -347,9 +344,6 @@ Status ClientMetadata::serializePrivate(StringData driverName, - StringData osVersion, - StringData appName, - BSONObjBuilder* builder) { -- invariant(!driverName.empty() && !driverVersion.empty() && !osType.empty() && !osName.empty() && -- !osArchitecture.empty() && !osVersion.empty()); -- - if (appName.size() > kMaxApplicationNameByteLength) { - return Status(ErrorCodes::ClientMetadataAppNameTooLarge, - str::stream() << "The '" << kApplication << "." << kName -diff --git a/src/mongo/util/processinfo_linux.cpp b/src/mongo/util/processinfo_linux.cpp -index c3debf377bd..c2813b026b0 100644 ---- a/src/mongo/util/processinfo_linux.cpp -+++ b/src/mongo/util/processinfo_linux.cpp -@@ -376,10 +376,13 @@ class LinuxSysHelper { - if ((nl = name.find('\n', nl)) != string::npos) - // stop at first newline - name.erase(nl); -- // no standard format for name and version. use kernel version -- version = "Kernel "; -- version += LinuxSysHelper::readLineFromFile("/proc/sys/kernel/osrelease"); -+ } else { -+ name = "unknown"; - } -+ -+ // There is no standard format for name and version so use the kernel version. -+ version = "Kernel "; -+ version += LinuxSysHelper::readLineFromFile("/proc/sys/kernel/osrelease"); - } - - /** -- cgit 1.4.1 From 5a06b83fc92710c5846a83bbf49f0ea84c8ecec2 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Fri, 12 Mar 2021 00:48:58 -0500 Subject: gnu: glib: Fix CVE-2021-28153. * gnu/packages/patches/glib-CVE-2021-28153.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/glib.scm (glib/fixed): Add the new patch. --- gnu/local.mk | 1 + gnu/packages/glib.scm | 3 +- gnu/packages/patches/glib-CVE-2021-28153.patch | 283 +++++++++++++++++++++++++ 3 files changed, 286 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/glib-CVE-2021-28153.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index c2637926ee..ce30d1db1c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1095,6 +1095,7 @@ dist_patch_DATA = \ %D%/packages/patches/glib-CVE-2021-27219-16.patch \ %D%/packages/patches/glib-CVE-2021-27219-17.patch \ %D%/packages/patches/glib-CVE-2021-27219-18.patch \ + %D%/packages/patches/glib-CVE-2021-28153.patch \ %D%/packages/patches/glibc-CVE-2018-11236.patch \ %D%/packages/patches/glibc-CVE-2018-11237.patch \ %D%/packages/patches/glibc-CVE-2019-7309.patch \ diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm index 520b723722..eaa319a2ff 100644 --- a/gnu/packages/glib.scm +++ b/gnu/packages/glib.scm @@ -415,7 +415,8 @@ dynamic loading, and an object system.") "glib-CVE-2021-27219-15.patch" "glib-CVE-2021-27219-16.patch" "glib-CVE-2021-27219-17.patch" - "glib-CVE-2021-27219-18.patch") + "glib-CVE-2021-27219-18.patch" + "glib-CVE-2021-28153.patch") (origin-patches (package-source glib)))))))) (define-public glib-with-documentation diff --git a/gnu/packages/patches/glib-CVE-2021-28153.patch b/gnu/packages/patches/glib-CVE-2021-28153.patch new file mode 100644 index 0000000000..54443186d9 --- /dev/null +++ b/gnu/packages/patches/glib-CVE-2021-28153.patch @@ -0,0 +1,283 @@ +Backport of: + +From 317b3b587058a05dca95d56dac26568c5b098d33 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 24 Feb 2021 17:35:40 +0000 +Subject: [PATCH] glocalfileoutputstream: Fix CREATE_REPLACE_DESTINATION + with symlinks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The `G_FILE_CREATE_REPLACE_DESTINATION` flag is equivalent to unlinking +the destination file and re-creating it from scratch. That did +previously work, but in the process the code would call `open(O_CREAT)` +on the file. If the file was a dangling symlink, this would create the +destination file (empty). That’s not an intended side-effect, and has +security implications if the symlink is controlled by a lower-privileged +process. + +Fix that by not opening the destination file if it’s a symlink, and +adjusting the rest of the code to cope with + - the fact that `fd == -1` is not an error iff `is_symlink` is true, + - and that `original_stat` will contain the `lstat()` results for the + symlink now, rather than the `stat()` results for its target (again, + iff `is_symlink` is true). + +This means that the target of the dangling symlink is no longer created, +which was the bug. The symlink itself continues to be replaced (as +before) with the new file — this is the intended behaviour of +`g_file_replace()`. + +The behaviour for non-symlink cases, or cases where the symlink was not +dangling, should be unchanged. + +Includes a unit test. + +Signed-off-by: Philip Withnall + +Fixes: #2325 +--- + gio/glocalfileoutputstream.c | 70 ++++++++++++++++------- + gio/tests/file.c | 108 +++++++++++++++++++++++++++++++++++ + 2 files changed, 158 insertions(+), 20 deletions(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index a3dd62172..553fcbbae 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -874,16 +874,22 @@ handle_overwrite_open (const char *filename, + /* Could be a symlink, or it could be a regular ELOOP error, + * but then the next open will fail too. */ + is_symlink = TRUE; +- fd = g_open (filename, open_flags, mode); ++ if (!(flags & G_FILE_CREATE_REPLACE_DESTINATION)) ++ fd = g_open (filename, open_flags, mode); + } +-#else +- fd = g_open (filename, open_flags, mode); +- errsv = errno; ++#else /* if !O_NOFOLLOW */ + /* This is racy, but we do it as soon as possible to minimize the race */ + is_symlink = g_file_test (filename, G_FILE_TEST_IS_SYMLINK); ++ ++ if (!is_symlink || !(flags & G_FILE_CREATE_REPLACE_DESTINATION)) ++ { ++ fd = g_open (filename, open_flags, mode); ++ errsv = errno; ++ } + #endif + +- if (fd == -1) ++ if (fd == -1 && ++ (!is_symlink || !(flags & G_FILE_CREATE_REPLACE_DESTINATION))) + { + char *display_name = g_filename_display_name (filename); + g_set_error (error, G_IO_ERROR, +@@ -893,13 +899,25 @@ handle_overwrite_open (const char *filename, + g_free (display_name); + return -1; + } +- ++ ++ if (!is_symlink) ++ { + #ifdef G_OS_WIN32 +- res = GLIB_PRIVATE_CALL (g_win32_fstat) (fd, &original_stat); ++ res = GLIB_PRIVATE_CALL (g_win32_fstat) (fd, &original_stat); + #else +- res = fstat (fd, &original_stat); ++ res = fstat (fd, &original_stat); + #endif +- errsv = errno; ++ errsv = errno; ++ } ++ else ++ { ++#ifdef G_OS_WIN32 ++ res = GLIB_PRIVATE_CALL (g_win32_lstat_utf8) (filename, &original_stat); ++#else ++ res = g_lstat (filename, &original_stat); ++#endif ++ errsv = errno; ++ } + + if (res != 0) + { +@@ -916,16 +934,27 @@ handle_overwrite_open (const char *filename, + if (!S_ISREG (original_stat.st_mode)) + { + if (S_ISDIR (original_stat.st_mode)) +- g_set_error_literal (error, +- G_IO_ERROR, +- G_IO_ERROR_IS_DIRECTORY, +- _("Target file is a directory")); +- else +- g_set_error_literal (error, +- G_IO_ERROR, +- G_IO_ERROR_NOT_REGULAR_FILE, +- _("Target file is not a regular file")); +- goto err_out; ++ { ++ g_set_error_literal (error, ++ G_IO_ERROR, ++ G_IO_ERROR_IS_DIRECTORY, ++ _("Target file is a directory")); ++ goto err_out; ++ } ++ else if (!is_symlink || ++#ifdef S_ISLNK ++ !S_ISLNK (original_stat.st_mode) ++#else ++ FALSE ++#endif ++ ) ++ { ++ g_set_error_literal (error, ++ G_IO_ERROR, ++ G_IO_ERROR_NOT_REGULAR_FILE, ++ _("Target file is not a regular file")); ++ goto err_out; ++ } + } + + if (etag != NULL) +@@ -1006,7 +1035,8 @@ handle_overwrite_open (const char *filename, + } + } + +- g_close (fd, NULL); ++ if (fd >= 0) ++ g_close (fd, NULL); + *temp_filename = tmp_filename; + return tmpfd; + } +diff --git a/gio/tests/file.c b/gio/tests/file.c +index efb2eaadd..bc55f3af4 100644 +--- a/gio/tests/file.c ++++ b/gio/tests/file.c +@@ -804,6 +804,113 @@ test_replace_cancel (void) + g_object_unref (tmpdir); + } + ++static void ++test_replace_symlink (void) ++{ ++#ifdef G_OS_UNIX ++ gchar *tmpdir_path = NULL; ++ GFile *tmpdir = NULL, *source_file = NULL, *target_file = NULL; ++ GFileOutputStream *stream = NULL; ++ const gchar *new_contents = "this is a test message which should be written to source and not target"; ++ gsize n_written; ++ GFileEnumerator *enumerator = NULL; ++ GFileInfo *info = NULL; ++ gchar *contents = NULL; ++ gsize length = 0; ++ GError *local_error = NULL; ++ ++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/2325"); ++ g_test_summary ("Test that G_FILE_CREATE_REPLACE_DESTINATION doesn’t follow symlinks"); ++ ++ /* Create a fresh, empty working directory. */ ++ tmpdir_path = g_dir_make_tmp ("g_file_replace_symlink_XXXXXX", &local_error); ++ g_assert_no_error (local_error); ++ tmpdir = g_file_new_for_path (tmpdir_path); ++ ++ g_test_message ("Using temporary directory %s", tmpdir_path); ++ g_free (tmpdir_path); ++ ++ /* Create symlink `source` which points to `target`. */ ++ source_file = g_file_get_child (tmpdir, "source"); ++ target_file = g_file_get_child (tmpdir, "target"); ++ g_file_make_symbolic_link (source_file, "target", NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ /* Ensure that `target` doesn’t exist */ ++ g_assert_false (g_file_query_exists (target_file, NULL)); ++ ++ /* Replace the `source` symlink with a regular file using ++ * %G_FILE_CREATE_REPLACE_DESTINATION, which should replace it *without* ++ * following the symlink */ ++ stream = g_file_replace (source_file, NULL, FALSE /* no backup */, ++ G_FILE_CREATE_REPLACE_DESTINATION, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_output_stream_write_all (G_OUTPUT_STREAM (stream), new_contents, strlen (new_contents), ++ &n_written, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_cmpint (n_written, ==, strlen (new_contents)); ++ ++ g_output_stream_close (G_OUTPUT_STREAM (stream), NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_clear_object (&stream); ++ ++ /* At this point, there should still only be one file: `source`. It should ++ * now be a regular file. `target` should not exist. */ ++ enumerator = g_file_enumerate_children (tmpdir, ++ G_FILE_ATTRIBUTE_STANDARD_NAME "," ++ G_FILE_ATTRIBUTE_STANDARD_TYPE, ++ G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_nonnull (info); ++ ++ g_assert_cmpstr (g_file_info_get_name (info), ==, "source"); ++ g_assert_cmpint (g_file_info_get_file_type (info), ==, G_FILE_TYPE_REGULAR); ++ ++ g_clear_object (&info); ++ ++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_null (info); ++ ++ g_file_enumerator_close (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_clear_object (&enumerator); ++ ++ /* Double-check that `target` doesn’t exist */ ++ g_assert_false (g_file_query_exists (target_file, NULL)); ++ ++ /* Check the content of `source`. */ ++ g_file_load_contents (source_file, ++ NULL, ++ &contents, ++ &length, ++ NULL, ++ &local_error); ++ g_assert_no_error (local_error); ++ g_assert_cmpstr (contents, ==, new_contents); ++ g_assert_cmpuint (length, ==, strlen (new_contents)); ++ g_free (contents); ++ ++ /* Tidy up. */ ++ g_file_delete (source_file, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_file_delete (tmpdir, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_clear_object (&target_file); ++ g_clear_object (&source_file); ++ g_clear_object (&tmpdir); ++#else /* if !G_OS_UNIX */ ++ g_test_skip ("Symlink replacement tests can only be run on Unix") ++#endif ++} ++ + static void + on_file_deleted (GObject *object, + GAsyncResult *result, +@@ -1754,6 +1861,7 @@ main (int argc, char *argv[]) + g_test_add_data_func ("/file/async-create-delete/4096", GINT_TO_POINTER (4096), test_create_delete); + g_test_add_func ("/file/replace-load", test_replace_load); + g_test_add_func ("/file/replace-cancel", test_replace_cancel); ++ g_test_add_func ("/file/replace-symlink", test_replace_symlink); + g_test_add_func ("/file/async-delete", test_async_delete); + #ifdef G_OS_UNIX + g_test_add_func ("/file/copy-preserve-mode", test_copy_preserve_mode); +-- +2.30.1 + -- cgit 1.4.1 From 453e101fc3f7dac9aabcd6122cf05fb7925103c7 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Fri, 12 Mar 2021 03:51:45 -0500 Subject: gnu: gdk-pixbuf: Fix CVE-2020-29385. * gnu/packages/patches/gdk-pixbuf-CVE-2020-29385.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gtk.scm (gdk-pixbuf)[replacement]: New field. (gdk-pixbuf/fixed): New variable. (gdk-pixbuf+svg): Use package/inherit. --- gnu/local.mk | 1 + gnu/packages/gtk.scm | 14 +++++- .../patches/gdk-pixbuf-CVE-2020-29385.patch | 53 ++++++++++++++++++++++ 3 files changed, 66 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/gdk-pixbuf-CVE-2020-29385.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index ce30d1db1c..c0020fad41 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1056,6 +1056,7 @@ dist_patch_DATA = \ %D%/packages/patches/gdb-hurd.patch \ %D%/packages/patches/gd-fix-tests-on-i686.patch \ %D%/packages/patches/gd-brect-bounds.patch \ + %D%/packages/patches/gdk-pixbuf-CVE-2020-29385.patch \ %D%/packages/patches/gdm-default-session.patch \ %D%/packages/patches/geary-CVE-2020-24661.patch \ %D%/packages/patches/genimage-signedness.patch \ diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index b9e81c9650..ee2c91264f 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -1,7 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013 Andreas Enge ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès -;;; Copyright © 2014, 2015, 2017, 2018, 2019 Mark H Weaver +;;; Copyright © 2014, 2015, 2017, 2018, 2019, 2021 Mark H Weaver ;;; Copyright © 2014 Eric Bavier ;;; Copyright © 2015 Federico Beffa ;;; Copyright © 2015 Paul van der Walt @@ -557,6 +557,7 @@ highlighting and other features typical of a source code editor.") (package (name "gdk-pixbuf") (version "2.40.0") + (replacement gdk-pixbuf/fixed) (source (origin (method url-fetch) (uri (string-append "mirror://gnome/sources/" name "/" @@ -613,11 +614,20 @@ in the GNOME project.") (license license:lgpl2.0+) (home-page "https://developer.gnome.org/gdk-pixbuf/"))) +(define gdk-pixbuf/fixed + (package + (inherit gdk-pixbuf) + (source (origin + (inherit (package-source gdk-pixbuf)) + (patches + (append (search-patches "gdk-pixbuf-CVE-2020-29385.patch") + (origin-patches (package-source gdk-pixbuf)))))))) + ;; To build gdk-pixbuf with SVG support, we need librsvg, and librsvg depends ;; on gdk-pixbuf, so this new varibale. Also, librsvg adds 90MiB to the ;; closure size. (define-public gdk-pixbuf+svg - (package (inherit gdk-pixbuf) + (package/inherit gdk-pixbuf (name "gdk-pixbuf+svg") (inputs `(("librsvg" ,librsvg) diff --git a/gnu/packages/patches/gdk-pixbuf-CVE-2020-29385.patch b/gnu/packages/patches/gdk-pixbuf-CVE-2020-29385.patch new file mode 100644 index 0000000000..e6ac4de00b --- /dev/null +++ b/gnu/packages/patches/gdk-pixbuf-CVE-2020-29385.patch @@ -0,0 +1,53 @@ +Fix CVE-2020-29385. Note that we omit the binary test file +tests/test-images/fail/hang_114.gif from the following commit, to avoid +requiring 'git' to apply the patch. + + +From bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81 Mon Sep 17 00:00:00 2001 +From: Robert Ancell +Date: Mon, 30 Nov 2020 12:26:12 +1300 +Subject: [PATCH] gif: Fix LZW decoder accepting invalid LZW code. + +The code value after a reset wasn't being validated, which means we would +accept invalid codes. This could cause an infinite loop in the decoder. + +Fixes CVE-2020-29385 + +Fixes https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164 +--- + gdk-pixbuf/lzw.c | 13 +++++++------ + tests/test-images/fail/hang_114.gif | Bin 0 -> 5561 bytes + 2 files changed, 7 insertions(+), 6 deletions(-) + create mode 100644 tests/test-images/fail/hang_114.gif + +diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c +index 9e052a6f7..105daf2b1 100644 +--- a/gdk-pixbuf/lzw.c ++++ b/gdk-pixbuf/lzw.c +@@ -195,19 +195,20 @@ lzw_decoder_feed (LZWDecoder *self, + if (self->last_code != self->clear_code && self->code_table_size < MAX_CODES) { + if (self->code < self->code_table_size) + add_code (self, self->code); +- else if (self->code == self->code_table_size) ++ else + add_code (self, self->last_code); +- else { +- /* Invalid code received - just stop here */ +- self->last_code = self->eoi_code; +- return output_length; +- } + + /* When table is full increase code size */ + if (self->code_table_size == (1 << self->code_size) && self->code_size < LZW_CODE_MAX) + self->code_size++; + } + ++ /* Invalid code received - just stop here */ ++ if (self->code >= self->code_table_size) { ++ self->last_code = self->eoi_code; ++ return output_length; ++ } ++ + /* Convert codeword into indexes */ + n_written += write_indexes (self, output + n_written, output_length - n_written); + } -- cgit 1.4.1 From bc16eacc99e801ac30cbe2aa649a2be3ca5c102a Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Fri, 12 Mar 2021 05:24:36 -0500 Subject: gnu: cairo: Fix CVE-2018-19876 and CVE-2020-35492. * gnu/packages/patches/cairo-CVE-2018-19876.patch, gnu/packages/patches/cairo-CVE-2020-35492.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gtk.scm (cairo)[replacement]: New field. (cairo/fixed): New variable. (cairo-xcb): Use package/inherit. --- gnu/local.mk | 2 + gnu/packages/gtk.scm | 13 ++++++- gnu/packages/patches/cairo-CVE-2018-19876.patch | 37 +++++++++++++++++++ gnu/packages/patches/cairo-CVE-2020-35492.patch | 49 +++++++++++++++++++++++++ 4 files changed, 99 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/cairo-CVE-2018-19876.patch create mode 100644 gnu/packages/patches/cairo-CVE-2020-35492.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index c0020fad41..fd070d6791 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -871,6 +871,8 @@ dist_patch_DATA = \ %D%/packages/patches/blender-2.79-python-3.8-fix.patch \ %D%/packages/patches/bpftrace-disable-bfd-disasm.patch \ %D%/packages/patches/byobu-writable-status.patch \ + %D%/packages/patches/cairo-CVE-2018-19876.patch \ + %D%/packages/patches/cairo-CVE-2020-35492.patch \ %D%/packages/patches/calibre-no-updates-dialog.patch \ %D%/packages/patches/calibre-remove-test-sqlite.patch \ %D%/packages/patches/calibre-remove-test-unrar.patch \ diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index ee2c91264f..9fc4967181 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -124,6 +124,7 @@ tools have full access to view and control running applications.") (package (name "cairo") (version "1.16.0") + (replacement cairo/fixed) (source (origin (method url-fetch) (uri (string-append "https://cairographics.org/releases/cairo-" @@ -174,6 +175,15 @@ affine transformation (scale, rotation, shear, etc.).") (license license:lgpl2.1) ; or Mozilla Public License 1.1 (home-page "https://cairographics.org/"))) +(define cairo/fixed + (package + (inherit cairo) + (source (origin + (inherit (package-source cairo)) + (patches (append (search-patches "cairo-CVE-2018-19876.patch" + "cairo-CVE-2020-35492.patch") + (origin-patches (package-source cairo)))))))) + (define-public cairo-sans-poppler ;; Variant used to break the dependency cycle between Poppler and Cairo. (package/inherit cairo @@ -181,8 +191,7 @@ affine transformation (scale, rotation, shear, etc.).") (properties `((hidden? . #t))))) (define-public cairo-xcb - (package - (inherit cairo) + (package/inherit cairo (name "cairo-xcb") (inputs `(("mesa" ,mesa) diff --git a/gnu/packages/patches/cairo-CVE-2018-19876.patch b/gnu/packages/patches/cairo-CVE-2018-19876.patch new file mode 100644 index 0000000000..c0fba2ecaa --- /dev/null +++ b/gnu/packages/patches/cairo-CVE-2018-19876.patch @@ -0,0 +1,37 @@ +Copied from Debian. + +From: Carlos Garcia Campos +Date: Mon, 19 Nov 2018 12:33:07 +0100 +Subject: ft: Use FT_Done_MM_Var instead of free when available in + cairo_ft_apply_variations + +Fixes a crash when using freetype >= 2.9 + +[This is considered to be security-sensitive because WebKitGTK+ sets its +own memory allocator, which is not compatible with system free(), making +this a remotely triggerable denial of service or memory corruption.] + +Origin: upstream, commit:90e85c2493fdfa3551f202ff10282463f1e36645 +Bug: https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5 +Bug-Debian: https://bugs.debian.org/916389 +Bug-CVE: CVE-2018-19876 +--- + src/cairo-ft-font.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c +index 325dd61..981973f 100644 +--- a/src/cairo-ft-font.c ++++ b/src/cairo-ft-font.c +@@ -2393,7 +2393,11 @@ skip: + done: + free (coords); + free (current_coords); ++#if HAVE_FT_DONE_MM_VAR ++ FT_Done_MM_Var (face->glyph->library, ft_mm_var); ++#else + free (ft_mm_var); ++#endif + } + } + diff --git a/gnu/packages/patches/cairo-CVE-2020-35492.patch b/gnu/packages/patches/cairo-CVE-2020-35492.patch new file mode 100644 index 0000000000..e8b90fa5c5 --- /dev/null +++ b/gnu/packages/patches/cairo-CVE-2020-35492.patch @@ -0,0 +1,49 @@ +Copied from Debian. + +From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 +From: Heiko Lewin +Date: Tue, 15 Dec 2020 16:48:19 +0100 +Subject: [PATCH] Fix mask usage in image-compositor + +[trimmed test case, since not used in Debian build] + +--- + src/cairo-image-compositor.c | 8 ++-- + +--- cairo-1.16.0.orig/src/cairo-image-compositor.c ++++ cairo-1.16.0/src/cairo-image-compositor.c +@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_rende + unsigned num_spans) + { + cairo_image_span_renderer_t *r = abstract_renderer; +- uint8_t *m; ++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); + int x0; + + if (num_spans == 0) + return CAIRO_STATUS_SUCCESS; + + x0 = spans[0].x; +- m = r->_buf; ++ m = base; + do { + int len = spans[1].x - spans[0].x; + if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { +@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_rende + spans[0].x, y, + spans[1].x - spans[0].x, h); + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else if (spans[0].coverage == 0x0) { + if (spans[0].x != x0) { +@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_rende + #endif + } + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else { + *m++ = spans[0].coverage; -- cgit 1.4.1 From 825cc7e0d4bc7f052831f905a92945678441fb55 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Fri, 12 Mar 2021 05:36:54 -0500 Subject: gnu: gnome-shell: Fix CVE-2020-17489. * gnu/packages/patches/gnome-shell-CVE-2020-17489.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gnome.scm (gnome-shell)[source]: Add patch. --- gnu/local.mk | 1 + gnu/packages/gnome.scm | 3 +- .../patches/gnome-shell-CVE-2020-17489.patch | 46 ++++++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/gnome-shell-CVE-2020-17489.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index fd070d6791..46f76c16cc 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1134,6 +1134,7 @@ dist_patch_DATA = \ %D%/packages/patches/gnash-fix-giflib-version.patch \ %D%/packages/patches/gnome-shell-theme.patch \ %D%/packages/patches/gnome-shell-disable-test.patch \ + %D%/packages/patches/gnome-shell-CVE-2020-17489.patch \ %D%/packages/patches/gnome-settings-daemon-gc.patch \ %D%/packages/patches/gnome-todo-delete-esource-duplicate.patch \ %D%/packages/patches/gnome-tweaks-search-paths.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index f38401f726..d2881dbec6 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -8449,7 +8449,8 @@ properties, screen resolution, and other GNOME parameters.") (sha256 (base32 "0l3mdn7g2c22mdhrqkxvvc1pk2w0v32f2v4a6n1phvaalwcg75nj")) - (patches (search-patches "gnome-shell-theme.patch" + (patches (search-patches "gnome-shell-CVE-2020-17489.patch" + "gnome-shell-theme.patch" "gnome-shell-disable-test.patch")) (modules '((guix build utils))) (snippet diff --git a/gnu/packages/patches/gnome-shell-CVE-2020-17489.patch b/gnu/packages/patches/gnome-shell-CVE-2020-17489.patch new file mode 100644 index 0000000000..4b7748950e --- /dev/null +++ b/gnu/packages/patches/gnome-shell-CVE-2020-17489.patch @@ -0,0 +1,46 @@ +From 05b7aec747282f62212b605249d518280ff80059 Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Mon, 27 Jul 2020 10:58:22 -0400 +Subject: [PATCH] loginDialog: Reset auth prompt on vt switch before fade in + +At the moment, if a user switches to the login screen vt, +the login screen fades in whatever was on screen prior, and +then does a reset. + +It makes more sense to reset first, so we fade in what the +user is going to interact with instead of what they interacted +with before. + +Fixes: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997 +--- + js/gdm/loginDialog.js | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/js/gdm/loginDialog.js b/js/gdm/loginDialog.js +index c3f90dc58..6b35ebb16 100644 +--- a/js/gdm/loginDialog.js ++++ b/js/gdm/loginDialog.js +@@ -920,16 +920,15 @@ var LoginDialog = GObject.registerClass({ + if (this.opacity == 255 && this._authPrompt.verificationStatus == AuthPrompt.AuthPromptStatus.NOT_VERIFYING) + return; + ++ if (this._authPrompt.verificationStatus !== AuthPrompt.AuthPromptStatus.NOT_VERIFYING) ++ this._authPrompt.reset(); ++ + this._bindOpacity(); + this.ease({ + opacity: 255, + duration: _FADE_ANIMATION_TIME, + mode: Clutter.AnimationMode.EASE_OUT_QUAD, +- onComplete: () => { +- if (this._authPrompt.verificationStatus != AuthPrompt.AuthPromptStatus.NOT_VERIFYING) +- this._authPrompt.reset(); +- this._unbindOpacity(); +- } ++ onComplete: () => this._unbindOpacity(), + }); + } + +-- +2.30.1 + -- cgit 1.4.1 From 748e2ec07a4f484dd4416b4cac5c28b1b13c47ee Mon Sep 17 00:00:00 2001 From: Greg Hogan Date: Tue, 19 Jan 2021 12:51:36 +0000 Subject: gnu: Add aws-c-cal. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/c.scm (aws-c-cal): New variable. * gnu/packages/patches/aws-c-cal-cmake-prefix.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Signed-off-by: Ludovic Courtès --- gnu/local.mk | 1 + gnu/packages/c.scm | 30 +++++++++++++++++++++++ gnu/packages/patches/aws-c-cal-cmake-prefix.patch | 13 ++++++++++ 3 files changed, 44 insertions(+) create mode 100644 gnu/packages/patches/aws-c-cal-cmake-prefix.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 46f76c16cc..44c665d5b0 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -830,6 +830,7 @@ dist_patch_DATA = \ %D%/packages/patches/avahi-localstatedir.patch \ %D%/packages/patches/avidemux-install-to-lib.patch \ %D%/packages/patches/awesome-reproducible-png.patch \ + %D%/packages/patches/aws-c-cal-cmake-prefix.patch \ %D%/packages/patches/aws-c-event-stream-cmake-prefix.patch \ %D%/packages/patches/aws-checksums-cmake-prefix.patch \ %D%/packages/patches/azr3.patch \ diff --git a/gnu/packages/c.scm b/gnu/packages/c.scm index 1e338bd7bd..c83e6f36e3 100644 --- a/gnu/packages/c.scm +++ b/gnu/packages/c.scm @@ -52,6 +52,7 @@ #:use-module (gnu packages autotools) #:use-module (gnu packages gettext) #:use-module (gnu packages pkg-config) + #:use-module (gnu packages tls) #:use-module (gnu packages xml)) (define-public tcc @@ -619,3 +620,32 @@ event stream encoding, a binary format for bidirectional client-server communication.") (home-page "https://github.com/awslabs/aws-c-event-stream") (license license:asl2.0))) + +(define-public aws-c-cal + (package + (name "aws-c-cal") + (version "0.4.5") + (source (origin + (method git-fetch) + (uri (git-reference + (url (string-append "https://github.com/awslabs/" name)) + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "04acra1mnzw9q7jycs5966akfbgnx96hkrq90nq0dhw8pvarlyv6")) + (patches (search-patches "aws-c-cal-cmake-prefix.patch")))) + (build-system cmake-build-system) + (arguments + '(#:configure-flags + '("-DBUILD_SHARED_LIBS=ON"))) + (propagated-inputs + `(("aws-c-common" ,aws-c-common))) + (inputs + `(("openssl" ,openssl) + ("openssl:static" ,openssl "static"))) + (synopsis "Amazon Web Services Crypto Abstraction Layer") + (description "This library provides a C99 wrapper for hash, HMAC, and ECC +cryptographic primitives for the @acronym{AWS,Amazon Web Services} SDK.") + (home-page "https://github.com/awslabs/aws-c-cal") + (license license:asl2.0))) diff --git a/gnu/packages/patches/aws-c-cal-cmake-prefix.patch b/gnu/packages/patches/aws-c-cal-cmake-prefix.patch new file mode 100644 index 0000000000..1ee7aa851d --- /dev/null +++ b/gnu/packages/patches/aws-c-cal-cmake-prefix.patch @@ -0,0 +1,13 @@ +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -10,6 +10,10 @@ endif() + + option(BYO_CRYPTO "Set this if you want to provide your own cryptography implementation. This will cause the defaults to not be compiled." OFF) + ++if (DEFINED ENV{CMAKE_PREFIX_PATH}) ++ set(CMAKE_PREFIX_PATH $ENV{CMAKE_PREFIX_PATH}) ++endif() ++ + if (DEFINED CMAKE_PREFIX_PATH) + file(TO_CMAKE_PATH "${CMAKE_PREFIX_PATH}" CMAKE_PREFIX_PATH) + endif() -- cgit 1.4.1 From 8ea7b6f91e42133181dc7d48df3f92bfa4bb67c3 Mon Sep 17 00:00:00 2001 From: Greg Hogan Date: Tue, 19 Jan 2021 12:53:18 +0000 Subject: gnu: Add aws-c-io. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/c.scm (aws-c-io): New variable. * gnu/packages/patches/aws-c-io-cmake-prefix.patch, gnu/packages/patches/aws-c-io-disable-networking-tests.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. Signed-off-by: Ludovic Courtès --- gnu/local.mk | 2 + gnu/packages/c.scm | 31 +++++++++ gnu/packages/patches/aws-c-io-cmake-prefix.patch | 13 ++++ .../aws-c-io-disable-networking-tests.patch | 81 ++++++++++++++++++++++ 4 files changed, 127 insertions(+) create mode 100644 gnu/packages/patches/aws-c-io-cmake-prefix.patch create mode 100644 gnu/packages/patches/aws-c-io-disable-networking-tests.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 44c665d5b0..e2bebb90d2 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -832,6 +832,8 @@ dist_patch_DATA = \ %D%/packages/patches/awesome-reproducible-png.patch \ %D%/packages/patches/aws-c-cal-cmake-prefix.patch \ %D%/packages/patches/aws-c-event-stream-cmake-prefix.patch \ + %D%/packages/patches/aws-c-io-cmake-prefix.patch \ + %D%/packages/patches/aws-c-io-disable-networking-tests.patch \ %D%/packages/patches/aws-checksums-cmake-prefix.patch \ %D%/packages/patches/azr3.patch \ %D%/packages/patches/bash-reproducible-linux-pgrp-pipe.patch \ diff --git a/gnu/packages/c.scm b/gnu/packages/c.scm index c83e6f36e3..74c4b673a7 100644 --- a/gnu/packages/c.scm +++ b/gnu/packages/c.scm @@ -621,6 +621,37 @@ communication.") (home-page "https://github.com/awslabs/aws-c-event-stream") (license license:asl2.0))) +(define-public aws-c-io + (package + (name "aws-c-io") + (version "0.9.2") + (source (origin + (method git-fetch) + (uri (git-reference + (url (string-append "https://github.com/awslabs/" name)) + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "1vwyf1pm0hhcypyjc9xh9x7y50ic79xlbck1yf9d9wz0bnh43p7v")) + (patches + (search-patches + "aws-c-io-cmake-prefix.patch" + "aws-c-io-disable-networking-tests.patch")))) + (build-system cmake-build-system) + (arguments + '(#:configure-flags + '("-DBUILD_SHARED_LIBS=ON"))) + (propagated-inputs + `(("aws-c-cal" ,aws-c-cal) + ("aws-c-common" ,aws-c-common) + ("s2n" ,s2n))) + (synopsis "Event driven framework for implementing application protocols") + (description "This library provides a C99 framework for constructing +event-driven, asynchronous network application protocols.") + (home-page "https://github.com/awslabs/aws-c-io") + (license license:asl2.0))) + (define-public aws-c-cal (package (name "aws-c-cal") diff --git a/gnu/packages/patches/aws-c-io-cmake-prefix.patch b/gnu/packages/patches/aws-c-io-cmake-prefix.patch new file mode 100644 index 0000000000..da3e4eb4a5 --- /dev/null +++ b/gnu/packages/patches/aws-c-io-cmake-prefix.patch @@ -0,0 +1,13 @@ +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -6,6 +6,10 @@ if (POLICY CMP0069) + cmake_policy(SET CMP0069 NEW) # Enable LTO/IPO if available in the compiler, see AwsCFlags + endif() + ++if (DEFINED ENV{CMAKE_PREFIX_PATH}) ++ set(CMAKE_PREFIX_PATH $ENV{CMAKE_PREFIX_PATH}) ++endif() ++ + if (DEFINED CMAKE_PREFIX_PATH) + file(TO_CMAKE_PATH "${CMAKE_PREFIX_PATH}" CMAKE_PREFIX_PATH) + endif() diff --git a/gnu/packages/patches/aws-c-io-disable-networking-tests.patch b/gnu/packages/patches/aws-c-io-disable-networking-tests.patch new file mode 100644 index 0000000000..09fe11310c --- /dev/null +++ b/gnu/packages/patches/aws-c-io-disable-networking-tests.patch @@ -0,0 +1,81 @@ +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -52,8 +52,8 @@ add_test_case(local_socket_communication) + add_net_test_case(tcp_socket_communication) + add_net_test_case(udp_socket_communication) + add_test_case(udp_bind_connect_communication) +-add_net_test_case(connect_timeout) +-add_net_test_case(connect_timeout_cancelation) ++#add_net_test_case(connect_timeout) ++#add_net_test_case(connect_timeout_cancelation) + if (USE_VSOCK) + add_test_case(vsock_loopback_socket_communication) + endif () +@@ -64,7 +64,7 @@ add_test_case(incoming_tcp_sock_errors) + add_test_case(incoming_duplicate_tcp_bind_errors) + add_test_case(incoming_udp_sock_errors) + add_test_case(wrong_thread_read_write_fails) +-add_net_test_case(cleanup_before_connect_or_timeout_doesnt_explode) ++#add_net_test_case(cleanup_before_connect_or_timeout_doesnt_explode) + add_test_case(cleanup_in_accept_doesnt_explode) + add_test_case(cleanup_in_write_cb_doesnt_explode) + add_test_case(sock_write_cb_is_async) +@@ -81,21 +81,21 @@ add_test_case(channel_tasks_run) + add_test_case(channel_rejects_post_shutdown_tasks) + add_test_case(channel_cancels_pending_tasks) + add_test_case(channel_duplicate_shutdown) +-add_net_test_case(channel_connect_some_hosts_timeout) ++#add_net_test_case(channel_connect_some_hosts_timeout) + +-add_net_test_case(test_default_with_ipv6_lookup) ++#add_net_test_case(test_default_with_ipv6_lookup) + add_test_case(test_resolver_ipv6_address_lookup) +-add_net_test_case(test_default_with_multiple_lookups) ++#add_net_test_case(test_default_with_multiple_lookups) + add_test_case(test_resolver_ipv4_address_lookup) +-add_net_test_case(test_default_with_ipv4_only_lookup) ++#add_net_test_case(test_default_with_ipv4_only_lookup) + add_test_case(test_resolver_ttls) + add_test_case(test_resolver_connect_failure_recording) + add_test_case(test_resolver_ttl_refreshes_on_resolve) + + add_net_test_case(test_resolver_listener_create_destroy) +-add_net_test_case(test_resolver_add_listener_before_host) +-add_net_test_case(test_resolver_add_listener_after_host) +-add_net_test_case(test_resolver_add_multiple_listeners_fn) ++#add_net_test_case(test_resolver_add_listener_before_host) ++#add_net_test_case(test_resolver_add_listener_after_host) ++#add_net_test_case(test_resolver_add_multiple_listeners_fn) + add_net_test_case(test_resolver_listener_host_re_add_fn) + add_net_test_case(test_resolver_listener_multiple_results) + add_net_test_case(test_resolver_listener_address_expired_fn) +@@ -119,20 +119,20 @@ add_test_case(socket_handler_close) + if (NOT BYO_CRYPTO) + add_net_test_case(test_concurrent_cert_import) + add_test_case(tls_channel_echo_and_backpressure_test) +- add_net_test_case(tls_client_channel_negotiation_error_expired) +- add_net_test_case(tls_client_channel_negotiation_error_wrong_host) +- add_net_test_case(tls_client_channel_negotiation_error_self_signed) +- add_net_test_case(tls_client_channel_negotiation_error_untrusted_root) ++ #add_net_test_case(tls_client_channel_negotiation_error_expired) ++ #add_net_test_case(tls_client_channel_negotiation_error_wrong_host) ++ #add_net_test_case(tls_client_channel_negotiation_error_self_signed) ++ #add_net_test_case(tls_client_channel_negotiation_error_untrusted_root) + #track these down in s2n and find out why that aren't failing. + #add_net_test_case(tls_client_channel_negotiation_error_revoked) + #add_net_test_case(tls_client_channel_negotiation_error_pinning) +- add_net_test_case(tls_client_channel_negotiation_error_socket_closed) +- add_net_test_case(tls_client_channel_negotiation_success) +- add_net_test_case(tls_client_channel_negotiation_success_ecc256) +- add_net_test_case(tls_client_channel_negotiation_success_ecc384) ++ #add_net_test_case(tls_client_channel_negotiation_error_socket_closed) ++ #add_net_test_case(tls_client_channel_negotiation_success) ++ #add_net_test_case(tls_client_channel_negotiation_success_ecc256) ++ #add_net_test_case(tls_client_channel_negotiation_success_ecc384) + add_net_test_case(tls_server_multiple_connections) + add_net_test_case(tls_server_hangup_during_negotiation) +- add_net_test_case(tls_client_channel_no_verify) ++ #add_net_test_case(tls_client_channel_no_verify) + add_net_test_case(test_tls_negotiation_timeout) + add_net_test_case(tls_double_channel) + add_net_test_case(alpn_successfully_negotiates) -- cgit 1.4.1 From 74e2c0e00f58c8bf948f7dc7c5ae2876af910d5a Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Sat, 13 Mar 2021 03:41:14 -0500 Subject: gnu: gnutls: Fix CVE-2021-20231 and CVE-2021-20232. * gnu/packages/patches/gnutls-CVE-2021-20231.patch, gnu/packages/patches/gnutls-CVE-2021-20232.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/tls.scm (gnutls)[replacement]: New field. (gnutls/fixed): New variable. (guile2.2-gnutls): Use package/inherit. --- gnu/local.mk | 2 + gnu/packages/patches/gnutls-CVE-2021-20231.patch | 62 ++++++++++++++++++++++++ gnu/packages/patches/gnutls-CVE-2021-20232.patch | 60 +++++++++++++++++++++++ gnu/packages/tls.scm | 15 ++++-- 4 files changed, 136 insertions(+), 3 deletions(-) create mode 100644 gnu/packages/patches/gnutls-CVE-2021-20231.patch create mode 100644 gnu/packages/patches/gnutls-CVE-2021-20232.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index e2bebb90d2..551503e053 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1144,6 +1144,8 @@ dist_patch_DATA = \ %D%/packages/patches/gnupg-default-pinentry.patch \ %D%/packages/patches/gnutls-skip-trust-store-test.patch \ %D%/packages/patches/gnutls-cross.patch \ + %D%/packages/patches/gnutls-CVE-2021-20231.patch \ + %D%/packages/patches/gnutls-CVE-2021-20232.patch \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ %D%/packages/patches/gobject-introspection-cc.patch \ %D%/packages/patches/gobject-introspection-girepository.patch \ diff --git a/gnu/packages/patches/gnutls-CVE-2021-20231.patch b/gnu/packages/patches/gnutls-CVE-2021-20231.patch new file mode 100644 index 0000000000..5186522eee --- /dev/null +++ b/gnu/packages/patches/gnutls-CVE-2021-20231.patch @@ -0,0 +1,62 @@ +From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 29 Jan 2021 14:06:05 +0100 +Subject: [PATCH 1/2] key_share: avoid use-after-free around realloc + +Signed-off-by: Daiki Ueno +--- + lib/ext/key_share.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c +index ab8abf8fe..a8c4bb5cf 100644 +--- a/lib/ext/key_share.c ++++ b/lib/ext/key_share.c +@@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session, + { + unsigned i; + int ret; +- unsigned char *lengthp; +- unsigned int cur_length; + unsigned int generated = 0; + const gnutls_group_entry_st *group; + const version_entry_st *ver; + + /* this extension is only being sent on client side */ + if (session->security_parameters.entity == GNUTLS_CLIENT) { ++ unsigned int length_pos; ++ + ver = _gnutls_version_max(session); + if (unlikely(ver == NULL || ver->key_shares == 0)) + return 0; +@@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session, + if (!have_creds_for_tls13(session)) + return 0; + +- /* write the total length later */ +- lengthp = &extdata->data[extdata->length]; ++ length_pos = extdata->length; + + ret = + _gnutls_buffer_append_prefix(extdata, 16, 0); + if (ret < 0) + return gnutls_assert_val(ret); + +- cur_length = extdata->length; +- + if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */ + group = get_group(session); + if (unlikely(group == NULL)) +@@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session, + } + + /* copy actual length */ +- _gnutls_write_uint16(extdata->length - cur_length, lengthp); ++ _gnutls_write_uint16(extdata->length - length_pos - 2, ++ &extdata->data[length_pos]); + + } else { /* server */ + ver = get_version(session); +-- +2.30.2 + diff --git a/gnu/packages/patches/gnutls-CVE-2021-20232.patch b/gnu/packages/patches/gnutls-CVE-2021-20232.patch new file mode 100644 index 0000000000..dc3a0be690 --- /dev/null +++ b/gnu/packages/patches/gnutls-CVE-2021-20232.patch @@ -0,0 +1,60 @@ +From 75a937d97f4fefc6f9b08e3791f151445f551cb3 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 29 Jan 2021 14:06:23 +0100 +Subject: [PATCH 2/2] pre_shared_key: avoid use-after-free around realloc + +Signed-off-by: Daiki Ueno +--- + lib/ext/pre_shared_key.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c +index a042c6488..380bf39ed 100644 +--- a/lib/ext/pre_shared_key.c ++++ b/lib/ext/pre_shared_key.c +@@ -267,7 +267,7 @@ client_send_params(gnutls_session_t session, + size_t spos; + gnutls_datum_t username = {NULL, 0}; + gnutls_datum_t user_key = {NULL, 0}, rkey = {NULL, 0}; +- gnutls_datum_t client_hello; ++ unsigned client_hello_len; + unsigned next_idx; + const mac_entry_st *prf_res = NULL; + const mac_entry_st *prf_psk = NULL; +@@ -428,8 +428,7 @@ client_send_params(gnutls_session_t session, + assert(extdata->length >= sizeof(mbuffer_st)); + assert(ext_offset >= (ssize_t)sizeof(mbuffer_st)); + ext_offset -= sizeof(mbuffer_st); +- client_hello.data = extdata->data+sizeof(mbuffer_st); +- client_hello.size = extdata->length-sizeof(mbuffer_st); ++ client_hello_len = extdata->length-sizeof(mbuffer_st); + + next_idx = 0; + +@@ -440,6 +439,11 @@ client_send_params(gnutls_session_t session, + } + + if (prf_res && rkey.size > 0) { ++ gnutls_datum_t client_hello; ++ ++ client_hello.data = extdata->data+sizeof(mbuffer_st); ++ client_hello.size = client_hello_len; ++ + ret = compute_psk_binder(session, prf_res, + binders_len, binders_pos, + ext_offset, &rkey, &client_hello, 1, +@@ -474,6 +478,11 @@ client_send_params(gnutls_session_t session, + } + + if (prf_psk && user_key.size > 0 && info) { ++ gnutls_datum_t client_hello; ++ ++ client_hello.data = extdata->data+sizeof(mbuffer_st); ++ client_hello.size = client_hello_len; ++ + ret = compute_psk_binder(session, prf_psk, + binders_len, binders_pos, + ext_offset, &user_key, &client_hello, 0, +-- +2.30.2 + diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index e0741ad310..e8e1350e29 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès -;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver +;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2021 Mark H Weaver ;;; Copyright © 2014 Ian Denhardt ;;; Copyright © 2013, 2015 Andreas Enge ;;; Copyright © 2015 David Thompson @@ -165,6 +165,7 @@ living in the same process.") (package (name "gnutls") (version "3.6.15") + (replacement gnutls/fixed) (source (origin (method url-fetch) ;; Note: Releases are no longer on ftp.gnu.org since the @@ -256,6 +257,15 @@ required structures.") (properties '((ftp-server . "ftp.gnutls.org") (ftp-directory . "/gcrypt/gnutls"))))) +(define gnutls/fixed + (package + (inherit gnutls) + (source (origin + (inherit (package-source gnutls)) + (patches (append (search-patches "gnutls-CVE-2021-20231.patch" + "gnutls-CVE-2021-20232.patch") + (origin-patches (package-source gnutls)))))))) + (define-public gnutls/guile-2.0 ;; GnuTLS for Guile 2.0. (package/inherit gnutls @@ -274,8 +284,7 @@ required structures.") ,@(package-inputs gnutls))))) (define-public guile2.2-gnutls - (package - (inherit gnutls) + (package/inherit gnutls (name "guile2.2-gnutls") (inputs `(("guile" ,guile-2.2) ,@(alist-delete "guile" -- cgit 1.4.1 From 31d289a4759909d24dd309ac24d42902a8c20da0 Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Wed, 10 Mar 2021 08:29:53 +0100 Subject: gnu: unzip: Add patches from Fedora [security fixes]. Non-exhaustively fixes CVE-2016-9844, CVE-2018-1000035, CVE-2018-18384, and CVE-2019-13232. * gnu/packages/patches/unzip-COVSCAN-fix-unterminated-string.patch, gnu/packages/patches/unzip-CVE-2016-9844.patch, gnu/packages/patches/unzip-CVE-2018-1000035.patch, gnu/packages/patches/unzip-CVE-2018-18384.patch, gnu/packages/patches/unzip-case-insensitive.patch, gnu/packages/patches/unzip-alt-iconv-utf8-print.patch, gnu/packages/patches/unzip-alt-iconv-utf8.patch, gnu/packages/patches/unzip-close.patch, gnu/packages/patches/unzip-exec-shield.patch, gnu/packages/patches/unzip-fix-recmatch.patch, gnu/packages/patches/unzip-manpage-fix.patch, gnu/packages/patches/unzip-overflow.patch, gnu/packages/patches/unzip-symlink.patch, gnu/packages/patches/unzip-timestamp.patch, gnu/packages/patches/unzip-valgrind.patch, gnu/packages/patches/unzip-x-option.patch, gnu/packages/patches/unzip-zipbomb-manpage.patch, gnu/packages/patches/unzip-zipbomb-part1.patch, gnu/packages/patches/unzip-zipbomb-part2.patch, gnu/packages/patches/unzip-zipbomb-part3.patch: New patches. * gnu/local.mk (dist_patch_DATA): Register them. * gnu/packages/compression.scm (unzip/fixed): New variable. Apply patches. (unzip)[replacement]: Graft. --- gnu/local.mk | 20 + gnu/packages/compression.scm | 49 +++ .../unzip-COVSCAN-fix-unterminated-string.patch | 131 ++++++ gnu/packages/patches/unzip-CVE-2016-9844.patch | 39 ++ gnu/packages/patches/unzip-CVE-2018-1000035.patch | 34 ++ gnu/packages/patches/unzip-CVE-2018-18384.patch | 35 ++ .../patches/unzip-alt-iconv-utf8-print.patch | 381 ++++++++++++++++ gnu/packages/patches/unzip-alt-iconv-utf8.patch | 398 +++++++++++++++++ gnu/packages/patches/unzip-caseinsensitive.patch | 131 ++++++ gnu/packages/patches/unzip-close.patch | 176 ++++++++ gnu/packages/patches/unzip-exec-shield.patch | 10 + gnu/packages/patches/unzip-fix-recmatch.patch | 477 +++++++++++++++++++++ gnu/packages/patches/unzip-manpage-fix.patch | 11 + gnu/packages/patches/unzip-overflow.patch | 25 ++ gnu/packages/patches/unzip-symlink.patch | 17 + gnu/packages/patches/unzip-timestamp.patch | 41 ++ gnu/packages/patches/unzip-valgrind.patch | 26 ++ gnu/packages/patches/unzip-x-option.patch | 28 ++ gnu/packages/patches/unzip-zipbomb-manpage.patch | 25 ++ gnu/packages/patches/unzip-zipbomb-part1.patch | 25 ++ gnu/packages/patches/unzip-zipbomb-part2.patch | 349 +++++++++++++++ gnu/packages/patches/unzip-zipbomb-part3.patch | 112 +++++ 22 files changed, 2540 insertions(+) create mode 100644 gnu/packages/patches/unzip-COVSCAN-fix-unterminated-string.patch create mode 100644 gnu/packages/patches/unzip-CVE-2016-9844.patch create mode 100644 gnu/packages/patches/unzip-CVE-2018-1000035.patch create mode 100644 gnu/packages/patches/unzip-CVE-2018-18384.patch create mode 100644 gnu/packages/patches/unzip-alt-iconv-utf8-print.patch create mode 100644 gnu/packages/patches/unzip-alt-iconv-utf8.patch create mode 100644 gnu/packages/patches/unzip-caseinsensitive.patch create mode 100644 gnu/packages/patches/unzip-close.patch create mode 100644 gnu/packages/patches/unzip-exec-shield.patch create mode 100644 gnu/packages/patches/unzip-fix-recmatch.patch create mode 100644 gnu/packages/patches/unzip-manpage-fix.patch create mode 100644 gnu/packages/patches/unzip-overflow.patch create mode 100644 gnu/packages/patches/unzip-symlink.patch create mode 100644 gnu/packages/patches/unzip-timestamp.patch create mode 100644 gnu/packages/patches/unzip-valgrind.patch create mode 100644 gnu/packages/patches/unzip-x-option.patch create mode 100644 gnu/packages/patches/unzip-zipbomb-manpage.patch create mode 100644 gnu/packages/patches/unzip-zipbomb-part1.patch create mode 100644 gnu/packages/patches/unzip-zipbomb-part2.patch create mode 100644 gnu/packages/patches/unzip-zipbomb-part3.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 551503e053..6500f5bda2 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1740,6 +1740,26 @@ dist_patch_DATA = \ %D%/packages/patches/unzip-initialize-symlink-flag.patch \ %D%/packages/patches/unzip-overflow-long-fsize.patch \ %D%/packages/patches/unzip-remove-build-date.patch \ + %D%/packages/patches/unzip-case-insensitive.patch \ + %D%/packages/patches/unzip-COVSCAN-fix-unterminated-string.patch \ + %D%/packages/patches/unzip-CVE-2016-9844.patch \ + %D%/packages/patches/unzip-CVE-2018-1000035.patch \ + %D%/packages/patches/unzip-CVE-2018-18384.patch \ + %D%/packages/patches/unzip-alt-iconv-utf8-print.patch \ + %D%/packages/patches/unzip-alt-iconv-utf8.patch \ + %D%/packages/patches/unzip-close.patch \ + %D%/packages/patches/unzip-exec-shield.patch \ + %D%/packages/patches/unzip-fix-recmatch.patch \ + %D%/packages/patches/unzip-manpage-fix.patch \ + %D%/packages/patches/unzip-overflow.patch \ + %D%/packages/patches/unzip-symlink.patch \ + %D%/packages/patches/unzip-timestamp.patch \ + %D%/packages/patches/unzip-valgrind.patch \ + %D%/packages/patches/unzip-x-option.patch \ + %D%/packages/patches/unzip-zipbomb-manpage.patch \ + %D%/packages/patches/unzip-zipbomb-part1.patch \ + %D%/packages/patches/unzip-zipbomb-part2.patch \ + %D%/packages/patches/unzip-zipbomb-part3.patch \ %D%/packages/patches/ustr-fix-build-with-gcc-5.patch \ %D%/packages/patches/util-linux-tests.patch \ %D%/packages/patches/upower-builddir.patch \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 99569f68c9..7a4f70f2b4 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -1594,6 +1594,7 @@ Compression ratios of 2:1 to 3:1 are common for text files.") "unzip-overflow-on-invalid-input.patch" "unzip-format-secure.patch" "unzip-overflow-long-fsize.patch")))) + (replacement unzip/fixed) (build-system gnu-build-system) ;; no inputs; bzip2 is not supported, since not compiled with BZ_NO_STDIO (arguments @@ -1629,6 +1630,54 @@ recreates the stored directory structure by default.") (license (license:non-copyleft "file://LICENSE" "See LICENSE in the distribution.")))) +(define-public unzip/fixed + (package + (inherit unzip) + (version "6.0") + (source + (origin + (method url-fetch) + (uri (string-append "mirror://sourceforge/infozip" + "/UnZip%206.x%20%28latest%29/UnZip%206.0/unzip60.tar.gz")) + (sha256 + (base32 + "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83")) + (patches (search-patches "unzip-CVE-2014-8139.patch" + "unzip-CVE-2014-8140.patch" + "unzip-CVE-2014-8141.patch" + "unzip-CVE-2014-9636.patch" + "unzip-CVE-2015-7696.patch" + "unzip-CVE-2015-7697.patch" + "unzip-allow-greater-hostver-values.patch" + "unzip-initialize-symlink-flag.patch" + "unzip-remove-build-date.patch" + "unzip-attribs-overflow.patch" + "unzip-overflow-on-invalid-input.patch" + "unzip-format-secure.patch" + "unzip-overflow-long-fsize.patch" + + ;; From Fedora + "unzip-alt-iconv-utf8.patch" + "unzip-alt-iconv-utf8-print.patch" + "unzip-fix-recmatch.patch" + "unzip-caseinsensitive.patch" + "unzip-close.patch" + "unzip-COVSCAN-fix-unterminated-string.patch" + "unzip-CVE-2016-9844.patch" + "unzip-CVE-2018-1000035.patch" + "unzip-CVE-2018-18384.patch" + "unzip-exec-shield.patch" + "unzip-manpage-fix.patch" + "unzip-overflow.patch" + "unzip-timestamp.patch" + "unzip-valgrind.patch" + "unzip-x-option.patch" + ;; CVE-2019-13232 + "unzip-zipbomb-manpage.patch" + "unzip-zipbomb-part1.patch" + "unzip-zipbomb-part2.patch" + "unzip-zipbomb-part3.patch")))))) + (define-public ziptime (let ((commit "2a5bc9dfbf7c6a80e5f7cb4dd05b4036741478bc") (revision "0")) diff --git a/gnu/packages/patches/unzip-COVSCAN-fix-unterminated-string.patch b/gnu/packages/patches/unzip-COVSCAN-fix-unterminated-string.patch new file mode 100644 index 0000000000..717377119b --- /dev/null +++ b/gnu/packages/patches/unzip-COVSCAN-fix-unterminated-string.patch @@ -0,0 +1,131 @@ +From 06d1b08aef94984256cad3c5a54cedb10295681f Mon Sep 17 00:00:00 2001 +From: Jakub Martisko +Date: Thu, 8 Nov 2018 09:31:18 +0100 +Subject: [PATCH] Possible unterminated string fix + +--- + unix/unix.c | 4 +++- + unix/unxcfg.h | 2 +- + unzip.c | 12 ++++++++---- + zipinfo.c | 12 ++++++++---- + 4 files changed, 20 insertions(+), 10 deletions(-) + +diff --git a/unix/unix.c b/unix/unix.c +index 59b622d..cd57f80 100644 +--- a/unix/unix.c ++++ b/unix/unix.c +@@ -1945,7 +1945,9 @@ void init_conversion_charsets() + for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++) + if(!strcasecmp(local_charset, dos_charset_map[i].local_charset)) { + strncpy(OEM_CP, dos_charset_map[i].archive_charset, +- sizeof(OEM_CP)); ++ MAX_CP_NAME - 1); ++ ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + break; + } + } +diff --git a/unix/unxcfg.h b/unix/unxcfg.h +index 8729de2..9ee8cfe 100644 +--- a/unix/unxcfg.h ++++ b/unix/unxcfg.h +@@ -228,7 +228,7 @@ typedef struct stat z_stat; + /* and notfirstcall are used by do_wild(). */ + + +-#define MAX_CP_NAME 25 ++#define MAX_CP_NAME 25 + 1 + + #ifdef SETLOCALE + # undef SETLOCALE +diff --git a/unzip.c b/unzip.c +index 2d94a38..a485f2b 100644 +--- a/unzip.c ++++ b/unzip.c +@@ -1561,7 +1561,8 @@ int uz_opts(__G__ pargc, pargv) + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } +- strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ strncpy(ISO_CP, s, MAX_CP_NAME - 1); ++ ISO_CP[MAX_CP_NAME - 1] = '\0'; + } else { /* -I charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { +@@ -1570,7 +1571,8 @@ int uz_opts(__G__ pargc, pargv) + return(PK_PARAM); + } + s = *argv; +- strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ strncpy(ISO_CP, s, MAX_CP_NAME - 1); ++ ISO_CP[MAX_CP_NAME - 1] = '\0'; + } + while(*(++s)); /* No params straight after charset name */ + } +@@ -1665,7 +1667,8 @@ int uz_opts(__G__ pargc, pargv) + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } +- strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ strncpy(OEM_CP, s, MAX_CP_NAME - 1); ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + } else { /* -O charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { +@@ -1674,7 +1677,8 @@ int uz_opts(__G__ pargc, pargv) + return(PK_PARAM); + } + s = *argv; +- strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ strncpy(OEM_CP, s, MAX_CP_NAME - 1); ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + } + while(*(++s)); /* No params straight after charset name */ + } +diff --git a/zipinfo.c b/zipinfo.c +index accca2a..cb7e08d 100644 +--- a/zipinfo.c ++++ b/zipinfo.c +@@ -519,7 +519,8 @@ int zi_opts(__G__ pargc, pargv) + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } +- strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ strncpy(ISO_CP, s, MAX_CP_NAME - 1); ++ ISO_CP[MAX_CP_NAME - 1] = '\0'; + } else { /* -I charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { +@@ -528,7 +529,8 @@ int zi_opts(__G__ pargc, pargv) + return(PK_PARAM); + } + s = *argv; +- strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ strncpy(ISO_CP, s, MAX_CP_NAME - 1); ++ ISO_CP[MAX_CP_NAME - 1] = '\0'; + } + while(*(++s)); /* No params straight after charset name */ + } +@@ -568,7 +570,8 @@ int zi_opts(__G__ pargc, pargv) + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } +- strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ strncpy(OEM_CP, s, MAX_CP_NAME - 1); ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + } else { /* -O charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { +@@ -577,7 +580,8 @@ int zi_opts(__G__ pargc, pargv) + return(PK_PARAM); + } + s = *argv; +- strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ strncpy(OEM_CP, s, MAX_CP_NAME - 1); ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + } + while(*(++s)); /* No params straight after charset name */ + } +-- +2.14.5 + diff --git a/gnu/packages/patches/unzip-CVE-2016-9844.patch b/gnu/packages/patches/unzip-CVE-2016-9844.patch new file mode 100644 index 0000000000..0e4a173397 --- /dev/null +++ b/gnu/packages/patches/unzip-CVE-2016-9844.patch @@ -0,0 +1,39 @@ +From 754137e70cf58a64ad524b704a86b651ba0cde07 Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Wed, 14 Dec 2016 16:30:36 +0100 +Subject: [PATCH] Fix CVE-2016-9844 (rhbz#1404283) + +Fixes buffer overflow in zipinfo in similar way like fix for +CVE-2014-9913 provided by upstream. +--- + zipinfo.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/zipinfo.c b/zipinfo.c +index c03620e..accca2a 100644 +--- a/zipinfo.c ++++ b/zipinfo.c +@@ -1984,7 +1984,19 @@ static int zi_short(__G) /* return PK-type error code */ + ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3); + methbuf[3] = dtype[dnum]; + } else if (methnum >= NUM_METHODS) { /* unknown */ +- sprintf(&methbuf[1], "%03u", G.crec.compression_method); ++ /* 2016-12-05 SMS. ++ * https://launchpad.net/bugs/1643750 ++ * Unexpectedly large compression methods overflow ++ * &methbuf[]. Use the old, three-digit decimal format ++ * for values which fit. Otherwise, sacrifice the "u", ++ * and use four-digit hexadecimal. ++ */ ++ if (G.crec.compression_method <= 999) { ++ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method); ++ } else { ++ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method); ++ } ++ + } + + for (k = 0; k < 15; ++k) +-- +2.5.5 + diff --git a/gnu/packages/patches/unzip-CVE-2018-1000035.patch b/gnu/packages/patches/unzip-CVE-2018-1000035.patch new file mode 100644 index 0000000000..8ca713865c --- /dev/null +++ b/gnu/packages/patches/unzip-CVE-2018-1000035.patch @@ -0,0 +1,34 @@ +--- a/fileio.c 2014-12-05 05:06:05 -0600 ++++ b/fileio.c 2017-11-14 01:06:28 -0600 +@@ -1,5 +1,5 @@ + /* +- Copyright (c) 1990-2009 Info-ZIP. All rights reserved. ++ Copyright (c) 1990-2017 Info-ZIP. All rights reserved. + + See the accompanying file LICENSE, version 2009-Jan-02 or later + (the contents of which are also included in unzip.h) for terms of use. +@@ -1582,6 +1582,8 @@ + int r = IZ_PW_ENTERED; + char *m; + char *prompt; ++ char *ep; ++ char *zp; + + #ifndef REENTRANT + /* tell picky compilers to shut up about "unused variable" warnings */ +@@ -1590,9 +1592,12 @@ + + if (*rcnt == 0) { /* First call for current entry */ + *rcnt = 2; +- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) { +- sprintf(prompt, LoadFarString(PasswPrompt), +- FnFilter1(zfn), FnFilter2(efn)); ++ zp = FnFilter1( zfn); ++ ep = FnFilter2( efn); ++ prompt = (char *)malloc( /* Slightly too long (2* "%s"). */ ++ sizeof( PasswPrompt)+ strlen( zp)+ strlen( ep)); ++ if (prompt != (char *)NULL) { ++ sprintf(prompt, LoadFarString(PasswPrompt), zp, ep); + m = prompt; + } else + m = (char *)LoadFarString(PasswPrompt2); diff --git a/gnu/packages/patches/unzip-CVE-2018-18384.patch b/gnu/packages/patches/unzip-CVE-2018-18384.patch new file mode 100644 index 0000000000..54d4b8cb64 --- /dev/null +++ b/gnu/packages/patches/unzip-CVE-2018-18384.patch @@ -0,0 +1,35 @@ +--- unzip60/list.c ++++ unzip60/list.c +@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type + { + int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL; + #ifndef WINDLL +- char sgn, cfactorstr[13]; ++ char sgn, cfactorstr[1+10+1+1]; /* %NUL */ + int longhdr=(uO.vflag>1); + #endif + int date_format; +@@ -389,9 +389,9 @@ int list_files(__G) /* return PK-type + } + #else /* !WINDLL */ + if (cfactor == 100) +- sprintf(cfactorstr, LoadFarString(CompFactor100)); ++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100)); + else +- sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor); ++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor); + if (longhdr) + Info(slide, 0, ((char *)slide, LoadFarString(LongHdrStats), + FmZofft(G.crec.ucsize, "8", "u"), methbuf, +@@ -471,9 +471,9 @@ int list_files(__G) /* return PK-type + + #else /* !WINDLL */ + if (cfactor == 100) +- sprintf(cfactorstr, LoadFarString(CompFactor100)); ++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100)); + else +- sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor); ++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor); + if (longhdr) { + Info(slide, 0, ((char *)slide, LoadFarString(LongFileTrailer), + FmZofft(tot_ucsize, "8", "u"), FmZofft(tot_csize, "8", "u"), diff --git a/gnu/packages/patches/unzip-alt-iconv-utf8-print.patch b/gnu/packages/patches/unzip-alt-iconv-utf8-print.patch new file mode 100644 index 0000000000..0b0153ba54 --- /dev/null +++ b/gnu/packages/patches/unzip-alt-iconv-utf8-print.patch @@ -0,0 +1,381 @@ +From ca0212ba19b64488b9e8459a762c11ecd6e7d0bd Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Tue, 24 Nov 2015 17:56:11 +0100 +Subject: [PATCH] print correctly non-ascii filenames + +--- + extract.c | 289 ++++++++++++++++++++++++++++++++++++++++++++++++-------------- + unzpriv.h | 7 ++ + 2 files changed, 233 insertions(+), 63 deletions(-) + +diff --git a/extract.c b/extract.c +index 0ee4e93..741b7e0 100644 +--- a/extract.c ++++ b/extract.c +@@ -2648,8 +2648,21 @@ static void set_deferred_symlink(__G__ slnk_entry) + } /* end function set_deferred_symlink() */ + #endif /* SYMLINKS */ + ++/* ++ * If Unicode is supported, assume we have what we need to do this ++ * check using wide characters, avoiding MBCS issues. ++ */ + +- ++#ifndef UZ_FNFILTER_REPLACECHAR ++ /* A convenient choice for the replacement of unprintable char codes is ++ * the "single char wildcard", as this character is quite unlikely to ++ * appear in filenames by itself. The following default definition ++ * sets the replacement char to a question mark as the most common ++ * "single char wildcard"; this setting should be overridden in the ++ * appropiate system-specific configuration header when needed. ++ */ ++# define UZ_FNFILTER_REPLACECHAR '?' ++#endif + + /*************************/ + /* Function fnfilter() */ /* here instead of in list.c for SFX */ +@@ -2661,48 +2674,168 @@ char *fnfilter(raw, space, size) /* convert name to safely printable form */ + extent size; + { + #ifndef NATIVE /* ASCII: filter ANSI escape codes, etc. */ +- ZCONST uch *r=(ZCONST uch *)raw; ++ ZCONST uch *r; // =(ZCONST uch *)raw; + uch *s=space; + uch *slim=NULL; + uch *se=NULL; + int have_overflow = FALSE; + +- if (size > 0) { +- slim = space + size +-#ifdef _MBCS +- - (MB_CUR_MAX - 1) +-#endif +- - 4; ++# if defined( UNICODE_SUPPORT) && defined( _MBCS) ++/* If Unicode support is enabled, and we have multi-byte characters, ++ * then do the isprint() checks by first converting to wide characters ++ * and checking those. This avoids our having to parse multi-byte ++ * characters for ourselves. After the wide-char replacements have been ++ * made, the wide string is converted back to the local character set. ++ */ ++ wchar_t *wstring; /* wchar_t version of raw */ ++ size_t wslen; /* length of wstring */ ++ wchar_t *wostring; /* wchar_t version of output string */ ++ size_t woslen; /* length of wostring */ ++ char *newraw; /* new raw */ ++ ++ /* 2012-11-06 SMS. ++ * Changed to check the value returned by mbstowcs(), and bypass the ++ * Unicode processing if it fails. This seems to fix a problem ++ * reported in the SourceForge forum, but it's not clear that we ++ * should be doing any Unicode processing without some evidence that ++ * the name actually is Unicode. (Check bit 11 in the flags before ++ * coming here?) ++ * http://sourceforge.net/p/infozip/bugs/40/ ++ */ ++ ++ if (MB_CUR_MAX <= 1) ++ { ++ /* There's no point to converting multi-byte chars if there are ++ * no multi-byte chars. ++ */ ++ wslen = (size_t)-1; + } +- while (*r) { +- if (size > 0 && s >= slim && se == NULL) { +- se = s; ++ else ++ { ++ /* Get Unicode wide character count (for storage allocation). */ ++ wslen = mbstowcs( NULL, raw, 0); ++ } ++ ++ if (wslen != (size_t)-1) ++ { ++ /* Apparently valid Unicode. Allocate wide-char storage. */ ++ wstring = (wchar_t *)malloc((wslen + 1) * sizeof(wchar_t)); ++ if (wstring == NULL) { ++ strcpy( (char *)space, raw); ++ return (char *)space; + } +-#ifdef QDOS +- if (qlflag & 2) { +- if (*r == '/' || *r == '.') { ++ wostring = (wchar_t *)malloc(2 * (wslen + 1) * sizeof(wchar_t)); ++ if (wostring == NULL) { ++ free(wstring); ++ strcpy( (char *)space, raw); ++ return (char *)space; ++ } ++ ++ /* Convert the multi-byte Unicode to wide chars. */ ++ wslen = mbstowcs(wstring, raw, wslen + 1); ++ ++ /* Filter the wide-character string. */ ++ fnfilterw( wstring, wostring, (2 * (wslen + 1) * sizeof(wchar_t))); ++ ++ /* Convert filtered wide chars back to multi-byte. */ ++ woslen = wcstombs( NULL, wostring, 0); ++ if ((newraw = malloc(woslen + 1)) == NULL) { ++ free(wstring); ++ free(wostring); ++ strcpy( (char *)space, raw); ++ return (char *)space; ++ } ++ woslen = wcstombs( newraw, wostring, (woslen * MB_CUR_MAX) + 1); ++ ++ if (size > 0) { ++ slim = space + size - 4; ++ } ++ r = (ZCONST uch *)newraw; ++ while (*r) { ++ if (size > 0 && s >= slim && se == NULL) { ++ se = s; ++ } ++# ifdef QDOS ++ if (qlflag & 2) { ++ if (*r == '/' || *r == '.') { ++ if (se != NULL && (s > (space + (size-3)))) { ++ have_overflow = TRUE; ++ break; ++ } ++ ++r; ++ *s++ = '_'; ++ continue; ++ } ++ } else ++# endif ++ { + if (se != NULL && (s > (space + (size-3)))) { + have_overflow = TRUE; + break; + } +- ++r; +- *s++ = '_'; +- continue; ++ *s++ = *r++; + } +- } else ++ } ++ if (have_overflow) { ++ strcpy((char *)se, "..."); ++ } else { ++ *s = '\0'; ++ } ++ ++ free(wstring); ++ free(wostring); ++ free(newraw); ++ } ++ else ++# endif /* defined( UNICODE_SUPPORT) && defined( _MBCS) */ ++ { ++ /* No Unicode support, or apparently invalid Unicode. */ ++ r = (ZCONST uch *)raw; ++ ++ if (size > 0) { ++ slim = space + size ++#ifdef _MBCS ++ - (MB_CUR_MAX - 1) ++#endif ++ - 4; ++ } ++ while (*r) { ++ if (size > 0 && s >= slim && se == NULL) { ++ se = s; ++ } ++#ifdef QDOS ++ if (qlflag & 2) { ++ if (*r == '/' || *r == '.') { ++ if (se != NULL && (s > (space + (size-3)))) { ++ have_overflow = TRUE; ++ break; ++ } ++ ++r; ++ *s++ = '_'; ++ continue; ++ } ++ } else + #endif + #ifdef HAVE_WORKING_ISPRINT +-# ifndef UZ_FNFILTER_REPLACECHAR +- /* A convenient choice for the replacement of unprintable char codes is +- * the "single char wildcard", as this character is quite unlikely to +- * appear in filenames by itself. The following default definition +- * sets the replacement char to a question mark as the most common +- * "single char wildcard"; this setting should be overridden in the +- * appropiate system-specific configuration header when needed. +- */ +-# define UZ_FNFILTER_REPLACECHAR '?' +-# endif +- if (!isprint(*r)) { ++ if (!isprint(*r)) { ++ if (*r < 32) { ++ /* ASCII control codes are escaped as "^{letter}". */ ++ if (se != NULL && (s > (space + (size-4)))) { ++ have_overflow = TRUE; ++ break; ++ } ++ *s++ = '^', *s++ = (uch)(64 + *r++); ++ } else { ++ /* Other unprintable codes are replaced by the ++ * placeholder character. */ ++ if (se != NULL && (s > (space + (size-3)))) { ++ have_overflow = TRUE; ++ break; ++ } ++ *s++ = UZ_FNFILTER_REPLACECHAR; ++ INCSTR(r); ++ } ++#else /* !HAVE_WORKING_ISPRINT */ + if (*r < 32) { + /* ASCII control codes are escaped as "^{letter}". */ + if (se != NULL && (s > (space + (size-4)))) { +@@ -2710,47 +2843,30 @@ char *fnfilter(raw, space, size) /* convert name to safely printable form */ + break; + } + *s++ = '^', *s++ = (uch)(64 + *r++); ++#endif /* ?HAVE_WORKING_ISPRINT */ + } else { +- /* Other unprintable codes are replaced by the +- * placeholder character. */ ++#ifdef _MBCS ++ unsigned i = CLEN(r); ++ if (se != NULL && (s > (space + (size-i-2)))) { ++ have_overflow = TRUE; ++ break; ++ } ++ for (; i > 0; i--) ++ *s++ = *r++; ++#else + if (se != NULL && (s > (space + (size-3)))) { + have_overflow = TRUE; + break; + } +- *s++ = UZ_FNFILTER_REPLACECHAR; +- INCSTR(r); +- } +-#else /* !HAVE_WORKING_ISPRINT */ +- if (*r < 32) { +- /* ASCII control codes are escaped as "^{letter}". */ +- if (se != NULL && (s > (space + (size-4)))) { +- have_overflow = TRUE; +- break; +- } +- *s++ = '^', *s++ = (uch)(64 + *r++); +-#endif /* ?HAVE_WORKING_ISPRINT */ +- } else { +-#ifdef _MBCS +- unsigned i = CLEN(r); +- if (se != NULL && (s > (space + (size-i-2)))) { +- have_overflow = TRUE; +- break; +- } +- for (; i > 0; i--) + *s++ = *r++; +-#else +- if (se != NULL && (s > (space + (size-3)))) { +- have_overflow = TRUE; +- break; +- } +- *s++ = *r++; + #endif +- } +- } +- if (have_overflow) { +- strcpy((char *)se, "..."); +- } else { +- *s = '\0'; ++ } ++ } ++ if (have_overflow) { ++ strcpy((char *)se, "..."); ++ } else { ++ *s = '\0'; ++ } + } + + #ifdef WINDLL +@@ -2772,6 +2888,53 @@ char *fnfilter(raw, space, size) /* convert name to safely printable form */ + } /* end function fnfilter() */ + + ++#if defined( UNICODE_SUPPORT) && defined( _MBCS) ++ ++/****************************/ ++/* Function fnfilter[w]() */ /* (Here instead of in list.c for SFX.) */ ++/****************************/ ++ ++/* fnfilterw() - Convert wide name to safely printable form. */ ++ ++/* fnfilterw() - Convert wide-character name to safely printable form. */ ++ ++wchar_t *fnfilterw( src, dst, siz) ++ ZCONST wchar_t *src; /* Pointer to source char (string). */ ++ wchar_t *dst; /* Pointer to destination char (string). */ ++ extent siz; /* Not used (!). */ ++{ ++ wchar_t *dsx = dst; ++ ++ /* Filter the wide chars. */ ++ while (*src) ++ { ++ if (iswprint( *src)) ++ { ++ /* Printable code. Copy it. */ ++ *dst++ = *src; ++ } ++ else ++ { ++ /* Unprintable code. Substitute something printable for it. */ ++ if (*src < 32) ++ { ++ /* Replace ASCII control code with "^{letter}". */ ++ *dst++ = (wchar_t)'^'; ++ *dst++ = (wchar_t)(64 + *src); ++ } ++ else ++ { ++ /* Replace other unprintable code with the placeholder. */ ++ *dst++ = (wchar_t)UZ_FNFILTER_REPLACECHAR; ++ } ++ } ++ src++; ++ } ++ *dst = (wchar_t)0; /* NUL-terminate the destination string. */ ++ return dsx; ++} /* fnfilterw(). */ ++ ++#endif /* defined( UNICODE_SUPPORT) && defined( _MBCS) */ + + + #ifdef SET_DIR_ATTRIB +diff --git a/unzpriv.h b/unzpriv.h +index 22d3923..e48a652 100644 +--- a/unzpriv.h ++++ b/unzpriv.h +@@ -1212,6 +1212,7 @@ + # ifdef UNICODE_WCHAR + # if !(defined(_WIN32_WCE) || defined(POCKET_UNZIP)) + # include ++# include + # endif + # endif + # ifndef _MBCS /* no need to include twice, see below */ +@@ -2410,6 +2411,12 @@ int memflush OF((__GPRO__ ZCONST uch *rawbuf, ulg size)); + char *fnfilter OF((ZCONST char *raw, uch *space, + extent size)); + ++# if defined( UNICODE_SUPPORT) && defined( _MBCS) ++wchar_t *fnfilterw OF((ZCONST wchar_t *src, wchar_t *dst, ++ extent siz)); ++#endif ++ ++ + /*--------------------------------------------------------------------------- + Decompression functions: + ---------------------------------------------------------------------------*/ +-- +2.4.3 + diff --git a/gnu/packages/patches/unzip-alt-iconv-utf8.patch b/gnu/packages/patches/unzip-alt-iconv-utf8.patch new file mode 100644 index 0000000000..b9e37774e2 --- /dev/null +++ b/gnu/packages/patches/unzip-alt-iconv-utf8.patch @@ -0,0 +1,398 @@ +From: Giovanni Scafora +Subject: unzip files encoded with non-latin, non-unicode file names +Last-Update: 2015-02-11 + +Updated 2015-02-11 by Marc Deslauriers +to fix buffer overflow in charset_to_intern() + +Index: unzip-6.0/unix/unix.c +=================================================================== +--- unzip-6.0.orig/unix/unix.c 2015-02-11 08:46:43.675324290 -0500 ++++ unzip-6.0/unix/unix.c 2015-02-11 09:18:04.902081319 -0500 +@@ -30,6 +30,9 @@ + #define UNZIP_INTERNAL + #include "unzip.h" + ++#include ++#include ++ + #ifdef SCO_XENIX + # define SYSNDIR + #else /* SCO Unix, AIX, DNIX, TI SysV, Coherent 4.x, ... */ +@@ -1874,3 +1877,102 @@ + } + } + #endif /* QLZIP */ ++ ++ ++typedef struct { ++ char *local_charset; ++ char *archive_charset; ++} CHARSET_MAP; ++ ++/* A mapping of local <-> archive charsets used by default to convert filenames ++ * of DOS/Windows Zip archives. Currently very basic. */ ++static CHARSET_MAP dos_charset_map[] = { ++ { "ANSI_X3.4-1968", "CP850" }, ++ { "ISO-8859-1", "CP850" }, ++ { "CP1252", "CP850" }, ++ { "UTF-8", "CP866" }, ++ { "KOI8-R", "CP866" }, ++ { "KOI8-U", "CP866" }, ++ { "ISO-8859-5", "CP866" } ++}; ++ ++char OEM_CP[MAX_CP_NAME] = ""; ++char ISO_CP[MAX_CP_NAME] = ""; ++ ++/* Try to guess the default value of OEM_CP based on the current locale. ++ * ISO_CP is left alone for now. */ ++void init_conversion_charsets() ++{ ++ const char *local_charset; ++ int i; ++ ++ /* Make a guess only if OEM_CP not already set. */ ++ if(*OEM_CP == '\0') { ++ local_charset = nl_langinfo(CODESET); ++ for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++) ++ if(!strcasecmp(local_charset, dos_charset_map[i].local_charset)) { ++ strncpy(OEM_CP, dos_charset_map[i].archive_charset, ++ sizeof(OEM_CP)); ++ break; ++ } ++ } ++} ++ ++/* Convert a string from one encoding to the current locale using iconv(). ++ * Be as non-intrusive as possible. If error is encountered during covertion ++ * just leave the string intact. */ ++static void charset_to_intern(char *string, char *from_charset) ++{ ++ iconv_t cd; ++ char *s,*d, *buf; ++ size_t slen, dlen, buflen; ++ const char *local_charset; ++ ++ if(*from_charset == '\0') ++ return; ++ ++ buf = NULL; ++ local_charset = nl_langinfo(CODESET); ++ ++ if((cd = iconv_open(local_charset, from_charset)) == (iconv_t)-1) ++ return; ++ ++ slen = strlen(string); ++ s = string; ++ ++ /* Make sure OUTBUFSIZ + 1 never ends up smaller than FILNAMSIZ ++ * as this function also gets called with G.outbuf in fileio.c ++ */ ++ buflen = FILNAMSIZ; ++ if (OUTBUFSIZ + 1 < FILNAMSIZ) ++ { ++ buflen = OUTBUFSIZ + 1; ++ } ++ ++ d = buf = malloc(buflen); ++ if(!d) ++ goto cleanup; ++ ++ bzero(buf,buflen); ++ dlen = buflen - 1; ++ ++ if(iconv(cd, &s, &slen, &d, &dlen) == (size_t)-1) ++ goto cleanup; ++ strncpy(string, buf, buflen); ++ ++ cleanup: ++ free(buf); ++ iconv_close(cd); ++} ++ ++/* Convert a string from OEM_CP to the current locale charset. */ ++inline void oem_intern(char *string) ++{ ++ charset_to_intern(string, OEM_CP); ++} ++ ++/* Convert a string from ISO_CP to the current locale charset. */ ++inline void iso_intern(char *string) ++{ ++ charset_to_intern(string, ISO_CP); ++} +Index: unzip-6.0/unix/unxcfg.h +=================================================================== +--- unzip-6.0.orig/unix/unxcfg.h 2015-02-11 08:46:43.675324290 -0500 ++++ unzip-6.0/unix/unxcfg.h 2015-02-11 08:46:43.671324260 -0500 +@@ -228,4 +228,30 @@ + /* wild_dir, dirname, wildname, matchname[], dirnamelen, have_dirname, */ + /* and notfirstcall are used by do_wild(). */ + ++ ++#define MAX_CP_NAME 25 ++ ++#ifdef SETLOCALE ++# undef SETLOCALE ++#endif ++#define SETLOCALE(category, locale) setlocale(category, locale) ++#include ++ ++#ifdef _ISO_INTERN ++# undef _ISO_INTERN ++#endif ++#define _ISO_INTERN(str1) iso_intern(str1) ++ ++#ifdef _OEM_INTERN ++# undef _OEM_INTERN ++#endif ++#ifndef IZ_OEM2ISO_ARRAY ++# define IZ_OEM2ISO_ARRAY ++#endif ++#define _OEM_INTERN(str1) oem_intern(str1) ++ ++void iso_intern(char *); ++void oem_intern(char *); ++void init_conversion_charsets(void); ++ + #endif /* !__unxcfg_h */ +Index: unzip-6.0/unzip.c +=================================================================== +--- unzip-6.0.orig/unzip.c 2015-02-11 08:46:43.675324290 -0500 ++++ unzip-6.0/unzip.c 2015-02-11 08:46:43.675324290 -0500 +@@ -327,11 +327,21 @@ + -2 just filenames but allow -h/-t/-z -l long Unix \"ls -l\" format\n\ + -v verbose, multi-page format\n"; + ++#ifndef UNIX + static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\ + -h print header line -t print totals for listed files or for all\n\ + -z print zipfile comment -T print file times in sortable decimal format\ + \n -C be case-insensitive %s\ + -x exclude filenames that follow from listing\n"; ++#else /* UNIX */ ++static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\ ++ -h print header line -t print totals for listed files or for all\n\ ++ -z print zipfile comment %c-T%c print file times in sortable decimal format\ ++\n %c-C%c be case-insensitive %s\ ++ -x exclude filenames that follow from listing\n\ ++ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\ ++ -I CHARSET specify a character encoding for UNIX and other archives\n"; ++#endif /* !UNIX */ + #ifdef MORE + static ZCONST char Far ZipInfoUsageLine4[] = + " -M page output through built-in \"more\"\n"; +@@ -664,6 +674,17 @@ + -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\ + -C match filenames case-insensitively -L make (some) names \ + lowercase\n %-42s -V retain VMS version numbers\n%s"; ++#elif (defined UNIX) ++static ZCONST char Far UnzipUsageLine4[] = "\ ++modifiers:\n\ ++ -n never overwrite existing files -q quiet mode (-qq => quieter)\n\ ++ -o overwrite files WITHOUT prompting -a auto-convert any text files\n\ ++ -j junk paths (do not make directories) -aa treat ALL files as text\n\ ++ -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\ ++ -C match filenames case-insensitively -L make (some) names \ ++lowercase\n %-42s -V retain VMS version numbers\n%s\ ++ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\ ++ -I CHARSET specify a character encoding for UNIX and other archives\n\n"; + #else /* !VMS */ + static ZCONST char Far UnzipUsageLine4[] = "\ + modifiers:\n\ +@@ -802,6 +823,10 @@ + #endif /* UNICODE_SUPPORT */ + + ++#ifdef UNIX ++ init_conversion_charsets(); ++#endif ++ + #if (defined(__IBMC__) && defined(__DEBUG_ALLOC__)) + extern void DebugMalloc(void); + +@@ -1335,6 +1360,11 @@ + argc = *pargc; + argv = *pargv; + ++#ifdef UNIX ++ extern char OEM_CP[MAX_CP_NAME]; ++ extern char ISO_CP[MAX_CP_NAME]; ++#endif ++ + while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) { + s = *argv + 1; + while ((c = *s++) != 0) { /* "!= 0": prevent Turbo C warning */ +@@ -1516,6 +1546,35 @@ + } + break; + #endif /* MACOS */ ++#ifdef UNIX ++ case ('I'): ++ if (negative) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: encodings can't be negated")); ++ return(PK_PARAM); ++ } else { ++ if(*s) { /* Handle the -Icharset case */ ++ /* Assume that charsets can't start with a dash to spot arguments misuse */ ++ if(*s == '-') { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -I argument")); ++ return(PK_PARAM); ++ } ++ strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ } else { /* -I charset */ ++ ++argv; ++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -I argument")); ++ return(PK_PARAM); ++ } ++ s = *argv; ++ strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ } ++ while(*(++s)); /* No params straight after charset name */ ++ } ++ break; ++#endif /* ?UNIX */ + case ('j'): /* junk pathnames/directory structure */ + if (negative) + uO.jflag = FALSE, negative = 0; +@@ -1591,6 +1650,35 @@ + } else + ++uO.overwrite_all; + break; ++#ifdef UNIX ++ case ('O'): ++ if (negative) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: encodings can't be negated")); ++ return(PK_PARAM); ++ } else { ++ if(*s) { /* Handle the -Ocharset case */ ++ /* Assume that charsets can't start with a dash to spot arguments misuse */ ++ if(*s == '-') { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -I argument")); ++ return(PK_PARAM); ++ } ++ strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ } else { /* -O charset */ ++ ++argv; ++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -O argument")); ++ return(PK_PARAM); ++ } ++ s = *argv; ++ strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ } ++ while(*(++s)); /* No params straight after charset name */ ++ } ++ break; ++#endif /* ?UNIX */ + case ('p'): /* pipes: extract to stdout, no messages */ + if (negative) { + uO.cflag = FALSE; +Index: unzip-6.0/unzpriv.h +=================================================================== +--- unzip-6.0.orig/unzpriv.h 2015-02-11 08:46:43.675324290 -0500 ++++ unzip-6.0/unzpriv.h 2015-02-11 08:46:43.675324290 -0500 +@@ -3008,7 +3008,7 @@ + !(((islochdr) || (isuxatt)) && \ + ((hostver) == 25 || (hostver) == 26 || (hostver) == 40))) || \ + (hostnum) == FS_HPFS_ || \ +- ((hostnum) == FS_NTFS_ && (hostver) == 50)) { \ ++ ((hostnum) == FS_NTFS_ /* && (hostver) == 50 */ )) { \ + _OEM_INTERN((string)); \ + } else { \ + _ISO_INTERN((string)); \ +Index: unzip-6.0/zipinfo.c +=================================================================== +--- unzip-6.0.orig/zipinfo.c 2015-02-11 08:46:43.675324290 -0500 ++++ unzip-6.0/zipinfo.c 2015-02-11 08:46:43.675324290 -0500 +@@ -457,6 +457,10 @@ + int tflag_slm=TRUE, tflag_2v=FALSE; + int explicit_h=FALSE, explicit_t=FALSE; + ++#ifdef UNIX ++ extern char OEM_CP[MAX_CP_NAME]; ++ extern char ISO_CP[MAX_CP_NAME]; ++#endif + + #ifdef MACOS + uO.lflag = LFLAG; /* reset default on each call */ +@@ -501,6 +505,35 @@ + uO.lflag = 0; + } + break; ++#ifdef UNIX ++ case ('I'): ++ if (negative) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: encodings can't be negated")); ++ return(PK_PARAM); ++ } else { ++ if(*s) { /* Handle the -Icharset case */ ++ /* Assume that charsets can't start with a dash to spot arguments misuse */ ++ if(*s == '-') { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -I argument")); ++ return(PK_PARAM); ++ } ++ strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ } else { /* -I charset */ ++ ++argv; ++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -I argument")); ++ return(PK_PARAM); ++ } ++ s = *argv; ++ strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ } ++ while(*(++s)); /* No params straight after charset name */ ++ } ++ break; ++#endif /* ?UNIX */ + case 'l': /* longer form of "ls -l" type listing */ + if (negative) + uO.lflag = -2, negative = 0; +@@ -521,6 +554,35 @@ + G.M_flag = TRUE; + break; + #endif ++#ifdef UNIX ++ case ('O'): ++ if (negative) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: encodings can't be negated")); ++ return(PK_PARAM); ++ } else { ++ if(*s) { /* Handle the -Ocharset case */ ++ /* Assume that charsets can't start with a dash to spot arguments misuse */ ++ if(*s == '-') { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -I argument")); ++ return(PK_PARAM); ++ } ++ strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ } else { /* -O charset */ ++ ++argv; ++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -O argument")); ++ return(PK_PARAM); ++ } ++ s = *argv; ++ strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ } ++ while(*(++s)); /* No params straight after charset name */ ++ } ++ break; ++#endif /* ?UNIX */ + case 's': /* default: shorter "ls -l" type listing */ + if (negative) + uO.lflag = -2, negative = 0; diff --git a/gnu/packages/patches/unzip-caseinsensitive.patch b/gnu/packages/patches/unzip-caseinsensitive.patch new file mode 100644 index 0000000000..3cb68450b9 --- /dev/null +++ b/gnu/packages/patches/unzip-caseinsensitive.patch @@ -0,0 +1,131 @@ +diff --git a/match.c b/match.c +index 6cd656f..4e569f5 100644 +--- a/match.c ++++ b/match.c +@@ -190,10 +190,10 @@ char *___tmp_ptr; + + #endif + +-static int recmatch(p, s, cs) ++static int recmatch(p, s, ci) + ZCONST char *p; /* sh pattern to match */ + ZCONST char *s; /* string to match it to */ +-int cs; /* flag: force case-sensitive matching */ ++int ci; /* flag: force case-insensitive matching */ + /* Recursively compare the sh pattern p with the string s and return 1 if + they match, and 0 or 2 if they don't or if there is a syntax error in the + pattern. This routine recurses on itself no deeper than the number of +@@ -214,7 +214,7 @@ int cs; /* flag: force case-sensitive matching */ + if (CLEN(p) == 2) { + if (CLEN(s) == 2) { + return (*p == *s && *(p+1) == *(s+1)) ? +- recmatch(p + 2, s + 2, cs) : 0; ++ recmatch(p + 2, s + 2, ci) : 0; + } else { + return 0; + } +@@ -230,9 +230,9 @@ int cs; /* flag: force case-sensitive matching */ + /* '?' (or '%' or '#') matches any character (but not an empty string) */ + if (c == WILDCHR_SINGLE) { + if (wild_stop_at_dir) +- return (*s && *s != DIRSEP_CHR) ? recmatch(p, s + CLEN(s), cs) : 0; ++ return (*s && *s != DIRSEP_CHR) ? recmatch(p, s + CLEN(s), ci) : 0; + else +- return *s ? recmatch(p, s + CLEN(s), cs) : 0; ++ return *s ? recmatch(p, s + CLEN(s), ci) : 0; + } + + /* WILDCHR_MULTI ('*') matches any number of characters, including zero */ +@@ -253,14 +253,14 @@ int cs; /* flag: force case-sensitive matching */ + # endif /* ?AMIGA */ + /* Single WILDCHR_MULTI ('*'): this doesn't match slashes */ + for (; *s && *s != DIRSEP_CHR; INCSTR(s)) +- if ((c = recmatch(p, s, cs)) != 0) ++ if ((c = recmatch(p, s, ci)) != 0) + return c; + /* end of pattern: matched if at end of string, else continue */ + if (*p == 0) + return (*s == 0); + /* continue to match if at DIRSEP_CHR in pattern, else give up */ + return (*p == DIRSEP_CHR || (*p == '\\' && p[1] == DIRSEP_CHR)) +- ? recmatch(p, s, cs) : 2; ++ ? recmatch(p, s, ci) : 2; + } + /* Two consecutive WILDCHR_MULTI ("**"): this matches DIRSEP_CHR ('/') */ + p++; /* move p past the second WILDCHR_MULTI */ +@@ -308,17 +308,17 @@ int cs; /* flag: force case-sensitive matching */ + */ + if (q != srest) + return 0; +- return ((cs ? strcmp(p, q) : namecmp(p, q)) == 0); ++ return ((!ci ? strcmp(p, q) : namecmp(p, q)) == 0); + } + #else /* !_MBCS */ +- return ((cs ? strcmp(p, srest) : namecmp(p, srest)) == 0); ++ return ((!ci ? strcmp(p, srest) : namecmp(p, srest)) == 0); + #endif /* ?_MBCS */ + } + else + { + /* pattern contains more wildcards, continue with recursion... */ + for (; *s; INCSTR(s)) +- if ((c = recmatch(p, s, cs)) != 0) ++ if ((c = recmatch(p, s, ci)) != 0) + return c; + return 2; /* 2 means give up--shmatch will return false */ + } +@@ -353,17 +353,17 @@ int cs; /* flag: force case-sensitive matching */ + c = *(p-1); + else + { +- uch cc = (cs ? (uch)*s : case_map((uch)*s)); ++ uch cc = (!ci ? (uch)*s : to_up((uch)*s)); + uch uc = (uch) c; + if (*(p+1) != '-') + for (uc = uc ? uc : (uch)*p; uc <= (uch)*p; uc++) + /* compare range */ +- if ((cs ? uc : case_map(uc)) == cc) +- return r ? 0 : recmatch(q + CLEN(q), s + CLEN(s), cs); ++ if ((!ci ? uc : to_up(uc)) == cc) ++ return r ? 0 : recmatch(q + CLEN(q), s + CLEN(s), ci); + c = e = 0; /* clear range, escape flags */ + } + } +- return r ? recmatch(q + CLEN(q), s + CLEN(s), cs) : 0; ++ return r ? recmatch(q + CLEN(q), s + CLEN(s), ci) : 0; + /* bracket match failed */ + } + #endif /* !VMS */ +@@ -382,18 +382,18 @@ int cs; /* flag: force case-sensitive matching */ + { + /* Match "...]" with "]". Continue after "]" in both. */ + if ((*(p+ 2* CLEN( p)) == ']') && (*s == ']')) +- return recmatch( (p+ 3* CLEN( p)), (s+ CLEN( s)), cs); ++ return recmatch( (p+ 3* CLEN( p)), (s+ CLEN( s)), ci); + + /* Else, look for a reduced match in s, until "]" in or end of s. */ + for (; *s && (*s != ']'); INCSTR(s)) + if (*s == '.') + /* If reduced match, then continue after "..." in p, "." in s. */ +- if ((c = recmatch( (p+ CLEN( p)), s, cs)) != 0) ++ if ((c = recmatch( (p+ CLEN( p)), s, ci)) != 0) + return (int)c; + + /* Match "...]" with "]". Continue after "]" in both. */ + if ((*(p+ 2* CLEN( p)) == ']') && (*s == ']')) +- return recmatch( (p+ 3* CLEN( p)), (s+ CLEN( s)), cs); ++ return recmatch( (p+ 3* CLEN( p)), (s+ CLEN( s)), ci); + + /* No reduced match. Quit. */ + return 2; +@@ -402,8 +402,8 @@ int cs; /* flag: force case-sensitive matching */ + #endif /* def VMS */ + + /* Just a character--compare it */ +- return (cs ? c == *s : case_map((uch)c) == case_map((uch)*s)) ? +- recmatch(p, s + CLEN(s), cs) : 0; ++ return (!ci ? c == *s : to_up((uch)c) == to_up((uch)*s)) ? ++ recmatch(p, s + CLEN(s), ci) : 0; + } + + diff --git a/gnu/packages/patches/unzip-close.patch b/gnu/packages/patches/unzip-close.patch new file mode 100644 index 0000000000..9a238a9006 --- /dev/null +++ b/gnu/packages/patches/unzip-close.patch @@ -0,0 +1,176 @@ +diff -up unzip60/extract.c.close unzip60/extract.c +--- unzip60/extract.c.close 2009-03-14 02:32:52.000000000 +0100 ++++ unzip60/extract.c 2009-11-19 08:17:23.481263496 +0100 +@@ -1924,24 +1924,21 @@ static int extract_or_test_member(__G) + + #ifdef VMS /* VMS: required even for stdout! (final flush) */ + if (!uO.tflag) /* don't close NULL file */ +- close_outfile(__G); ++ error = close_outfile(__G); + #else + #ifdef DLL + if (!uO.tflag && (!uO.cflag || G.redirect_data)) { + if (G.redirect_data) + FINISH_REDIRECT(); + else +- close_outfile(__G); ++ error = close_outfile(__G); + } + #else + if (!uO.tflag && !uO.cflag) /* don't close NULL file or stdout */ +- close_outfile(__G); ++ error = close_outfile(__G); + #endif + #endif /* VMS */ + +- /* GRR: CONVERT close_outfile() TO NON-VOID: CHECK FOR ERRORS! */ +- +- + if (G.disk_full) { /* set by flush() */ + if (G.disk_full > 1) { + #if (defined(DELETE_IF_FULL) && defined(HAVE_UNLINK)) +diff -up unzip60/unix/unix.c.close unzip60/unix/unix.c +--- unzip60/unix/unix.c.close 2009-01-24 00:31:26.000000000 +0100 ++++ unzip60/unix/unix.c 2009-11-19 08:33:25.568389171 +0100 +@@ -1096,10 +1096,41 @@ static int get_extattribs(__G__ pzt, z_u + #ifndef MTS + + /****************************/ ++/* Function CloseError() */ ++/***************************/ ++ ++int CloseError(__G) ++ __GDEF ++{ ++ int errval = PK_OK; ++ ++ if (fclose(G.outfile) < 0) { ++ switch (errno) { ++ case ENOSPC: ++ /* Do we need this on fileio.c? */ ++ Info(slide, 0x4a1, ((char *)slide, "%s: write error (disk full?). Continue? (y/n/^C) ", ++ FnFilter1(G.filename))); ++ fgets(G.answerbuf, 9, stdin); ++ if (*G.answerbuf == 'y') /* stop writing to this file */ ++ G.disk_full = 1; /* pass to next */ ++ else ++ G.disk_full = 2; /* no: exit program */ ++ ++ errval = PK_DISK; ++ break; ++ ++ default: ++ errval = PK_WARN; ++ } ++ } ++ return errval; ++} /* End of CloseError() */ ++ ++/****************************/ + /* Function close_outfile() */ + /****************************/ + +-void close_outfile(__G) /* GRR: change to return PK-style warning level */ ++int close_outfile(__G) + __GDEF + { + union { +@@ -1108,6 +1139,7 @@ void close_outfile(__G) /* GRR: chang + } zt; + ulg z_uidgid[2]; + int have_uidgid_flg; ++ int errval = PK_OK; + + have_uidgid_flg = get_extattribs(__G__ &(zt.t3), z_uidgid); + +@@ -1141,16 +1173,16 @@ void close_outfile(__G) /* GRR: chang + Info(slide, 0x201, ((char *)slide, + "warning: symbolic link (%s) failed: mem alloc overflow\n", + FnFilter1(G.filename))); +- fclose(G.outfile); +- return; ++ errval = CloseError(G.outfile, G.filename); ++ return errval ? errval : PK_WARN; + } + + if ((slnk_entry = (slinkentry *)malloc(slnk_entrysize)) == NULL) { + Info(slide, 0x201, ((char *)slide, + "warning: symbolic link (%s) failed: no mem\n", + FnFilter1(G.filename))); +- fclose(G.outfile); +- return; ++ errval = CloseError(G.outfile, G.filename); ++ return errval ? errval : PK_WARN; + } + slnk_entry->next = NULL; + slnk_entry->targetlen = ucsize; +@@ -1174,10 +1206,10 @@ void close_outfile(__G) /* GRR: chang + "warning: symbolic link (%s) failed\n", + FnFilter1(G.filename))); + free(slnk_entry); +- fclose(G.outfile); +- return; ++ errval = CloseError(G.outfile, G.filename); ++ return errval ? errval : PK_WARN; + } +- fclose(G.outfile); /* close "link" file for good... */ ++ errval = CloseError(G.outfile, G.filename); /* close "link" file for good... */ + slnk_entry->target[ucsize] = '\0'; + if (QCOND2) + Info(slide, 0, ((char *)slide, "-> %s ", +@@ -1188,7 +1220,7 @@ void close_outfile(__G) /* GRR: chang + else + G.slink_head = slnk_entry; + G.slink_last = slnk_entry; +- return; ++ return errval; + } + #endif /* SYMLINKS */ + +@@ -1201,7 +1233,7 @@ void close_outfile(__G) /* GRR: chang + #endif + + #if (defined(NO_FCHOWN)) +- fclose(G.outfile); ++ errval = CloseError(G.outfile, G.filename); + #endif + + /* if -X option was specified and we have UID/GID info, restore it */ +@@ -1227,7 +1259,7 @@ void close_outfile(__G) /* GRR: chang + } + + #if (!defined(NO_FCHOWN) && defined(NO_FCHMOD)) +- fclose(G.outfile); ++ errval = CloseError(G.outfile, G.filename); + #endif + + #if (!defined(NO_FCHOWN) && !defined(NO_FCHMOD)) +@@ -1239,7 +1271,7 @@ void close_outfile(__G) /* GRR: chang + if (fchmod(fileno(G.outfile), filtattr(__G__ G.pInfo->file_attr))) + perror("fchmod (file attributes) error"); + +- fclose(G.outfile); ++ errval = CloseError(G.outfile, G.filename); + #endif /* !NO_FCHOWN && !NO_FCHMOD */ + + /* skip restoring time stamps on user's request */ +@@ -1267,6 +1299,7 @@ void close_outfile(__G) /* GRR: chang + #endif + #endif /* NO_FCHOWN || NO_FCHMOD */ + ++ return errval; + } /* end function close_outfile() */ + + #endif /* !MTS */ +diff -up unzip60/unzpriv.h.close unzip60/unzpriv.h +--- unzip60/unzpriv.h.close 2009-04-20 01:59:26.000000000 +0200 ++++ unzip60/unzpriv.h 2009-11-19 08:19:08.610388618 +0100 +@@ -2604,7 +2604,7 @@ char *GetLoadPath OF((__GPRO)); + int SetFileSize OF((FILE *file, zusz_t filesize)); /* local */ + #endif + #ifndef MTS /* macro in MTS */ +- void close_outfile OF((__GPRO)); /* local */ ++ int close_outfile OF((__GPRO)); /* local */ + #endif + #ifdef SET_SYMLINK_ATTRIBS + int set_symlnk_attribs OF((__GPRO__ slinkentry *slnk_entry)); /* local */ diff --git a/gnu/packages/patches/unzip-exec-shield.patch b/gnu/packages/patches/unzip-exec-shield.patch new file mode 100644 index 0000000000..74500aa5d4 --- /dev/null +++ b/gnu/packages/patches/unzip-exec-shield.patch @@ -0,0 +1,10 @@ +diff -up unzip60/crc_i386.S.exec-shield unzip60/crc_i386.S +--- unzip60/crc_i386.S.exec-shield 2007-01-07 06:02:58.000000000 +0100 ++++ unzip60/crc_i386.S 2009-11-18 11:16:39.630389312 +0100 +@@ -302,3 +302,6 @@ _crc32: /* ulg c + #endif /* i386 || _i386 || _I386 || __i386 */ + + #endif /* !USE_ZLIB && !CRC_TABLE_ONLY */ ++ ++.section .note.GNU-stack, "", @progbits ++.previous diff --git a/gnu/packages/patches/unzip-fix-recmatch.patch b/gnu/packages/patches/unzip-fix-recmatch.patch new file mode 100644 index 0000000000..2a8583c8ca --- /dev/null +++ b/gnu/packages/patches/unzip-fix-recmatch.patch @@ -0,0 +1,477 @@ +diff -up unzip60/match.c.recmatch unzip60/match.c +--- unzip60/match.c.recmatch 2005-08-14 13:00:36.000000000 -0400 ++++ unzip60/match.c 2013-05-28 10:29:57.949077543 -0400 +@@ -27,16 +27,14 @@ + + --------------------------------------------------------------------------- + +- Copyright on recmatch() from Zip's util.c (although recmatch() was almost +- certainly written by Mark Adler...ask me how I can tell :-) ): ++ Copyright on recmatch() from Zip's util.c ++ Copyright (c) 1990-2005 Info-ZIP. All rights reserved. + +- Copyright (C) 1990-1992 Mark Adler, Richard B. Wales, Jean-loup Gailly, +- Kai Uwe Rommel and Igor Mandrichenko. ++ See the accompanying file LICENSE, version 2004-May-22 or later ++ for terms of use. ++ If, for some reason, both of these files are missing, the Info-ZIP license ++ also may be found at: ftp://ftp.info-zip.org/pub/infozip/license.html + +- Permission is granted to any individual or institution to use, copy, +- or redistribute this software so long as all of the original files are +- included unmodified, that it is not sold for profit, and that this copy- +- right notice is retained. + + --------------------------------------------------------------------------- + +@@ -53,7 +51,7 @@ + + A set is composed of characters or ranges; a range looks like ``character + hyphen character'' (as in 0-9 or A-Z). [0-9a-zA-Z_] is the minimal set of +- characters allowed in the [..] pattern construct. Other characters are ++ characters ALlowed in the [..] pattern construct. Other characters are + allowed (i.e., 8-bit characters) if your system will support them. + + To suppress the special syntactic significance of any of ``[]*?!^-\'', in- +@@ -101,8 +99,32 @@ + # define WILDCHAR '?' + # define BEG_RANGE '[' + # define END_RANGE ']' ++# define WILDCHR_SINGLE '?' ++# define DIRSEP_CHR '/' ++# define WILDCHR_MULTI '*' + #endif + ++#ifdef WILD_STOP_AT_DIR ++ int wild_stop_at_dir = 1; /* default wildcards do not include / in matches */ ++#else ++ int wild_stop_at_dir = 0; /* default wildcards do include / in matches */ ++#endif ++ ++ ++ ++/* ++ * case mapping functions. case_map is used to ignore case in comparisons, ++ * to_up is used to force upper case even on Unix (for dosify option). ++ */ ++#ifdef USE_CASE_MAP ++# define case_map(c) upper[(c) & 0xff] ++# define to_up(c) upper[(c) & 0xff] ++#else ++# define case_map(c) (c) ++# define to_up(c) ((c) >= 'a' && (c) <= 'z' ? (c)-'a'+'A' : (c)) ++#endif /* USE_CASE_MAP */ ++ ++ + #if 0 /* GRR: add this to unzip.h someday... */ + #if !(defined(MSDOS) && defined(DOSWILD)) + #ifdef WILD_STOP_AT_DIR +@@ -114,8 +136,8 @@ int recmatch OF((ZCONST uch *pattern, ZC + int ignore_case __WDLPRO)); + #endif + #endif /* 0 */ +-static int recmatch OF((ZCONST uch *pattern, ZCONST uch *string, +- int ignore_case __WDLPRO)); ++static int recmatch OF((ZCONST char *, ZCONST char *, ++ int)); + static char *isshexp OF((ZCONST char *p)); + static int namecmp OF((ZCONST char *s1, ZCONST char *s2)); + +@@ -154,192 +176,240 @@ int match(string, pattern, ignore_case _ + } + dospattern[j-1] = '\0'; /* nuke the end "." */ + } +- j = recmatch((uch *)dospattern, (uch *)string, ignore_case __WDL); ++ j = recmatch(dospattern, string, ignore_case); + free(dospattern); + return j == 1; + } else + #endif /* MSDOS && DOSWILD */ +- return recmatch((uch *)pattern, (uch *)string, ignore_case __WDL) == 1; ++ return recmatch(pattern, string, ignore_case) == 1; + } + ++#ifdef _MBCS ++ ++char *___tmp_ptr; + ++#endif + +-static int recmatch(p, s, ic __WDL) +- ZCONST uch *p; /* sh pattern to match */ +- ZCONST uch *s; /* string to which to match it */ +- int ic; /* true for case insensitivity */ +- __WDLDEF /* directory sepchar for WildStopAtDir mode, or 0 */ ++static int recmatch(p, s, cs) ++ZCONST char *p; /* sh pattern to match */ ++ZCONST char *s; /* string to match it to */ ++int cs; /* flag: force case-sensitive matching */ + /* Recursively compare the sh pattern p with the string s and return 1 if +- * they match, and 0 or 2 if they don't or if there is a syntax error in the +- * pattern. This routine recurses on itself no more deeply than the number +- * of characters in the pattern. */ ++ they match, and 0 or 2 if they don't or if there is a syntax error in the ++ pattern. This routine recurses on itself no deeper than the number of ++ characters in the pattern. */ + { +- unsigned int c; /* pattern char or start of range in [-] loop */ ++ int c; /* pattern char or start of range in [-] loop */ ++ /* Get first character, the pattern for new recmatch calls follows */ ++ /* borrowed from Zip's global.c */ ++ int no_wild = 0; ++ int allow_regex=1; ++ /* This fix provided by akt@m5.dion.ne.jp for Japanese. ++ See 21 July 2006 mail. ++ It only applies when p is pointing to a doublebyte character and ++ things like / and wildcards are not doublebyte. This probably ++ should not be needed. */ + +- /* Get first character, the pattern for new recmatch calls follows */ +- c = *p; INCSTR(p); ++#ifdef _MBCS ++ if (CLEN(p) == 2) { ++ if (CLEN(s) == 2) { ++ return (*p == *s && *(p+1) == *(s+1)) ? ++ recmatch(p + 2, s + 2, cs) : 0; ++ } else { ++ return 0; ++ } ++ } ++#endif /* ?_MBCS */ + +- /* If that was the end of the pattern, match if string empty too */ +- if (c == 0) +- return *s == 0; ++ c = *POSTINCSTR(p); + +- /* '?' (or '%') matches any character (but not an empty string). */ +- if (c == WILDCHAR) +-#ifdef WILD_STOP_AT_DIR +- /* If uO.W_flag is non-zero, it won't match '/' */ +- return (*s && (!sepc || *s != (uch)sepc)) +- ? recmatch(p, s + CLEN(s), ic, sepc) : 0; +-#else +- return *s ? recmatch(p, s + CLEN(s), ic) : 0; +-#endif ++ /* If that was the end of the pattern, match if string empty too */ ++ if (c == 0) ++ return *s == 0; ++ ++ /* '?' (or '%' or '#') matches any character (but not an empty string) */ ++ if (c == WILDCHR_SINGLE) { ++ if (wild_stop_at_dir) ++ return (*s && *s != DIRSEP_CHR) ? recmatch(p, s + CLEN(s), cs) : 0; ++ else ++ return *s ? recmatch(p, s + CLEN(s), cs) : 0; ++ } + +- /* '*' matches any number of characters, including zero */ ++ /* WILDCHR_MULTI ('*') matches any number of characters, including zero */ + #ifdef AMIGA +- if (c == '#' && *p == '?') /* "#?" is Amiga-ese for "*" */ +- c = '*', p++; ++ if (!no_wild && c == '#' && *p == '?') /* "#?" is Amiga-ese for "*" */ ++ c = WILDCHR_MULTI, p++; + #endif /* AMIGA */ +- if (c == '*') { +-#ifdef WILD_STOP_AT_DIR +- if (sepc) { +- /* check for single "*" or double "**" */ +-# ifdef AMIGA +- if ((c = p[0]) == '#' && p[1] == '?') /* "#?" is Amiga-ese for "*" */ +- c = '*', p++; +- if (c != '*') { +-# else /* !AMIGA */ +- if (*p != '*') { +-# endif /* ?AMIGA */ +- /* single "*": this doesn't match the dirsep character */ +- for (; *s && *s != (uch)sepc; INCSTR(s)) +- if ((c = recmatch(p, s, ic, sepc)) != 0) +- return (int)c; +- /* end of pattern: matched if at end of string, else continue */ +- if (*p == '\0') +- return (*s == 0); +- /* continue to match if at sepc in pattern, else give up */ +- return (*p == (uch)sepc || (*p == '\\' && p[1] == (uch)sepc)) +- ? recmatch(p, s, ic, sepc) : 2; +- } +- /* "**": this matches slashes */ +- ++p; /* move p behind the second '*' */ +- /* and continue with the non-W_flag code variant */ +- } +-#endif /* WILD_STOP_AT_DIR */ ++ if (!no_wild && c == WILDCHR_MULTI) ++ { ++ if (wild_stop_at_dir) { ++ /* Check for an immediately following WILDCHR_MULTI */ ++# ifdef AMIGA ++ if ((c = p[0]) == '#' && p[1] == '?') /* "#?" is Amiga-ese for "*" */ ++ c = WILDCHR_MULTI, p++; ++ if (c != WILDCHR_MULTI) { ++# else /* !AMIGA */ ++ if (*p != WILDCHR_MULTI) { ++# endif /* ?AMIGA */ ++ /* Single WILDCHR_MULTI ('*'): this doesn't match slashes */ ++ for (; *s && *s != DIRSEP_CHR; INCSTR(s)) ++ if ((c = recmatch(p, s, cs)) != 0) ++ return c; ++ /* end of pattern: matched if at end of string, else continue */ + if (*p == 0) +- return 1; +- if (isshexp((ZCONST char *)p) == NULL) { +- /* Optimization for rest of pattern being a literal string: +- * If there are no other shell expression chars in the rest +- * of the pattern behind the multi-char wildcard, then just +- * compare the literal string tail. +- */ +- ZCONST uch *srest; +- +- srest = s + (strlen((ZCONST char *)s) - strlen((ZCONST char *)p)); +- if (srest - s < 0) +- /* remaining literal string from pattern is longer than rest +- * of test string, there can't be a match +- */ +- return 0; +- else +- /* compare the remaining literal pattern string with the last +- * bytes of the test string to check for a match +- */ ++ return (*s == 0); ++ /* continue to match if at DIRSEP_CHR in pattern, else give up */ ++ return (*p == DIRSEP_CHR || (*p == '\\' && p[1] == DIRSEP_CHR)) ++ ? recmatch(p, s, cs) : 2; ++ } ++ /* Two consecutive WILDCHR_MULTI ("**"): this matches DIRSEP_CHR ('/') */ ++ p++; /* move p past the second WILDCHR_MULTI */ ++ /* continue with the normal non-WILD_STOP_AT_DIR code */ ++ } /* wild_stop_at_dir */ ++ ++ /* Not wild_stop_at_dir */ ++ if (*p == 0) ++ return 1; ++ if (!isshexp((char *)p)) ++ { ++ /* optimization for rest of pattern being a literal string */ ++ ++ /* optimization to handle patterns like *.txt */ ++ /* if the first char in the pattern is '*' and there */ ++ /* are no other shell expression chars, i.e. a literal string */ ++ /* then just compare the literal string at the end */ ++ ++ ZCONST char *srest; ++ ++ srest = s + (strlen(s) - strlen(p)); ++ if (srest - s < 0) ++ /* remaining literal string from pattern is longer than rest of ++ test string, there can't be a match ++ */ ++ return 0; ++ else ++ /* compare the remaining literal pattern string with the last bytes ++ of the test string to check for a match */ + #ifdef _MBCS +- { +- ZCONST uch *q = s; ++ { ++ ZCONST char *q = s; + +- /* MBCS-aware code must not scan backwards into a string from +- * the end. +- * So, we have to move forward by character from our well-known +- * character position s in the test string until we have +- * advanced to the srest position. +- */ +- while (q < srest) +- INCSTR(q); +- /* In case the byte *srest is a trailing byte of a multibyte +- * character in the test string s, we have actually advanced +- * past the position (srest). +- * For this case, the match has failed! +- */ +- if (q != srest) +- return 0; +- return ((ic +- ? namecmp((ZCONST char *)p, (ZCONST char *)q) +- : strcmp((ZCONST char *)p, (ZCONST char *)q) +- ) == 0); +- } ++ /* MBCS-aware code must not scan backwards into a string from ++ * the end. ++ * So, we have to move forward by character from our well-known ++ * character position s in the test string until we have advanced ++ * to the srest position. ++ */ ++ while (q < srest) ++ INCSTR(q); ++ /* In case the byte *srest is a trailing byte of a multibyte ++ * character, we have actually advanced past the position (srest). ++ * For this case, the match has failed! ++ */ ++ if (q != srest) ++ return 0; ++ return ((cs ? strcmp(p, q) : namecmp(p, q)) == 0); ++ } + #else /* !_MBCS */ +- return ((ic +- ? namecmp((ZCONST char *)p, (ZCONST char *)srest) +- : strcmp((ZCONST char *)p, (ZCONST char *)srest) +- ) == 0); ++ return ((cs ? strcmp(p, srest) : namecmp(p, srest)) == 0); + #endif /* ?_MBCS */ +- } else { +- /* pattern contains more wildcards, continue with recursion... */ +- for (; *s; INCSTR(s)) +- if ((c = recmatch(p, s, ic __WDL)) != 0) +- return (int)c; +- return 2; /* 2 means give up--match will return false */ +- } + } +- +- /* Parse and process the list of characters and ranges in brackets */ +- if (c == BEG_RANGE) { +- int e; /* flag true if next char to be taken literally */ +- ZCONST uch *q; /* pointer to end of [-] group */ +- int r; /* flag true to match anything but the range */ +- +- if (*s == 0) /* need a character to match */ +- return 0; +- p += (r = (*p == '!' || *p == '^')); /* see if reverse */ +- for (q = p, e = 0; *q; INCSTR(q)) /* find closing bracket */ +- if (e) +- e = 0; +- else +- if (*q == '\\') /* GRR: change to ^ for MS-DOS, OS/2? */ +- e = 1; +- else if (*q == END_RANGE) +- break; +- if (*q != END_RANGE) /* nothing matches if bad syntax */ +- return 0; +- for (c = 0, e = (*p == '-'); p < q; INCSTR(p)) { +- /* go through the list */ +- if (!e && *p == '\\') /* set escape flag if \ */ +- e = 1; +- else if (!e && *p == '-') /* set start of range if - */ +- c = *(p-1); +- else { +- unsigned int cc = Case(*s); +- +- if (*(p+1) != '-') +- for (c = c ? c : *p; c <= *p; c++) /* compare range */ +- if ((unsigned)Case(c) == cc) /* typecast for MSC bug */ +- return r ? 0 : recmatch(q + 1, s + 1, ic __WDL); +- c = e = 0; /* clear range, escape flags */ +- } +- } +- return r ? recmatch(q + CLEN(q), s + CLEN(s), ic __WDL) : 0; +- /* bracket match failed */ ++ else ++ { ++ /* pattern contains more wildcards, continue with recursion... */ ++ for (; *s; INCSTR(s)) ++ if ((c = recmatch(p, s, cs)) != 0) ++ return c; ++ return 2; /* 2 means give up--shmatch will return false */ + } ++ } + +- /* if escape ('\\'), just compare next character */ +- if (c == '\\' && (c = *p++) == 0) /* if \ at end, then syntax error */ +- return 0; ++#ifndef VMS /* No bracket matching in VMS */ ++ /* Parse and process the list of characters and ranges in brackets */ ++ if (!no_wild && allow_regex && c == '[') ++ { ++ int e; /* flag true if next char to be taken literally */ ++ ZCONST char *q; /* pointer to end of [-] group */ ++ int r; /* flag true to match anything but the range */ ++ ++ if (*s == 0) /* need a character to match */ ++ return 0; ++ p += (r = (*p == '!' || *p == '^')); /* see if reverse */ ++ for (q = p, e = 0; *q; q++) /* find closing bracket */ ++ if (e) ++ e = 0; ++ else ++ if (*q == '\\') ++ e = 1; ++ else if (*q == ']') ++ break; ++ if (*q != ']') /* nothing matches if bad syntax */ ++ return 0; ++ for (c = 0, e = *p == '-'; p < q; p++) /* go through the list */ ++ { ++ if (e == 0 && *p == '\\') /* set escape flag if \ */ ++ e = 1; ++ else if (e == 0 && *p == '-') /* set start of range if - */ ++ c = *(p-1); ++ else ++ { ++ uch cc = (cs ? (uch)*s : case_map((uch)*s)); ++ uch uc = (uch) c; ++ if (*(p+1) != '-') ++ for (uc = uc ? uc : (uch)*p; uc <= (uch)*p; uc++) ++ /* compare range */ ++ if ((cs ? uc : case_map(uc)) == cc) ++ return r ? 0 : recmatch(q + CLEN(q), s + CLEN(s), cs); ++ c = e = 0; /* clear range, escape flags */ ++ } ++ } ++ return r ? recmatch(q + CLEN(q), s + CLEN(s), cs) : 0; ++ /* bracket match failed */ ++ } ++#endif /* !VMS */ + +- /* just a character--compare it */ +-#ifdef QDOS +- return QMatch(Case((uch)c), Case(*s)) ? +- recmatch(p, s + CLEN(s), ic __WDL) : 0; +-#else +- return Case((uch)c) == Case(*s) ? +- recmatch(p, s + CLEN(s), ic __WDL) : 0; +-#endif ++ /* If escape ('\'), just compare next character */ ++ if (!no_wild && c == '\\') ++ if ((c = *p++) == '\0') /* if \ at end, then syntax error */ ++ return 0; ++ ++#ifdef VMS ++ /* 2005-11-06 SMS. ++ Handle "..." wildcard in p with "." or "]" in s. ++ */ ++ if ((c == '.') && (*p == '.') && (*(p+ CLEN( p)) == '.') && ++ ((*s == '.') || (*s == ']'))) ++ { ++ /* Match "...]" with "]". Continue after "]" in both. */ ++ if ((*(p+ 2* CLEN( p)) == ']') && (*s == ']')) ++ return recmatch( (p+ 3* CLEN( p)), (s+ CLEN( s)), cs); ++ ++ /* Else, look for a reduced match in s, until "]" in or end of s. */ ++ for (; *s && (*s != ']'); INCSTR(s)) ++ if (*s == '.') ++ /* If reduced match, then continue after "..." in p, "." in s. */ ++ if ((c = recmatch( (p+ CLEN( p)), s, cs)) != 0) ++ return (int)c; ++ ++ /* Match "...]" with "]". Continue after "]" in both. */ ++ if ((*(p+ 2* CLEN( p)) == ']') && (*s == ']')) ++ return recmatch( (p+ 3* CLEN( p)), (s+ CLEN( s)), cs); ++ ++ /* No reduced match. Quit. */ ++ return 2; ++ } ++ ++#endif /* def VMS */ ++ ++ /* Just a character--compare it */ ++ return (cs ? c == *s : case_map((uch)c) == case_map((uch)*s)) ? ++ recmatch(p, s + CLEN(s), cs) : 0; ++} + +-} /* end function recmatch() */ + + + ++/*************************************************************************************************/ + static char *isshexp(p) + ZCONST char *p; + /* If p is a sh expression, a pointer to the first special character is diff --git a/gnu/packages/patches/unzip-manpage-fix.patch b/gnu/packages/patches/unzip-manpage-fix.patch new file mode 100644 index 0000000000..ec06516bbb --- /dev/null +++ b/gnu/packages/patches/unzip-manpage-fix.patch @@ -0,0 +1,11 @@ +--- unzip60/man/unzip.1 2011-01-11 11:59:59.000000000 +0000 ++++ unzip60/man/unzip_new 2011-02-05 18:45:55.000000000 +0000 +@@ -424,7 +424,7 @@ + .\" Amiga support possible eventually, but not yet + [MS-DOS, OS/2, NT] restore the volume label if the extraction medium is + removable (e.g., a diskette). Doubling the option (\fB\-$$\fP) allows fixed +-media (hard disks) to be labelled as well. By default, volume labels are ++media (hard disks) to be labeled as well. By default, volume labels are + ignored. + .IP \fB\-/\fP\ \fIextensions\fP + [Acorn only] overrides the extension list supplied by Unzip$Ext environment diff --git a/gnu/packages/patches/unzip-overflow.patch b/gnu/packages/patches/unzip-overflow.patch new file mode 100644 index 0000000000..228c28377f --- /dev/null +++ b/gnu/packages/patches/unzip-overflow.patch @@ -0,0 +1,25 @@ +diff --git a/extract.c b/extract.c +index a0a4929..9ef80b3 100644 +--- a/extract.c ++++ b/extract.c +@@ -2214,6 +2214,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata) + ulg eb_ucsize; + uch *eb_ucptr; + int r; ++ ush method; + + if (compr_offset < 4) /* field is not compressed: */ + return PK_OK; /* do nothing and signal OK */ +@@ -2223,6 +2224,12 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata) + eb_size <= (compr_offset + EB_CMPRHEADLEN))) + return IZ_EF_TRUNC; /* no compressed data! */ + ++ method = makeword(eb + (EB_HEADSIZE + compr_offset)); ++ if ((method == STORED) && (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize)) ++ return PK_ERR; /* compressed & uncompressed ++ * should match in STORED ++ * method */ ++ + if ( + #ifdef INT_16BIT + (((ulg)(extent)eb_ucsize) != eb_ucsize) || diff --git a/gnu/packages/patches/unzip-symlink.patch b/gnu/packages/patches/unzip-symlink.patch new file mode 100644 index 0000000000..d7eaf160b4 --- /dev/null +++ b/gnu/packages/patches/unzip-symlink.patch @@ -0,0 +1,17 @@ +diff --git a/process.c b/process.c +index 1e9a1e1..905732b 100644 +--- a/process.c ++++ b/process.c +@@ -1751,6 +1751,12 @@ int process_cdir_file_hdr(__G) /* return PK-type error code */ + = (G.crec.general_purpose_bit_flag & (1 << 11)) == (1 << 11); + #endif + ++#ifdef SYMLINKS ++ /* Initialize the symlink flag, may be set by the platform-specific ++ mapattr function. */ ++ G.pInfo->symlink = 0; ++#endif ++ + return PK_COOL; + + } /* end function process_cdir_file_hdr() */ diff --git a/gnu/packages/patches/unzip-timestamp.patch b/gnu/packages/patches/unzip-timestamp.patch new file mode 100644 index 0000000000..2aa9424eb8 --- /dev/null +++ b/gnu/packages/patches/unzip-timestamp.patch @@ -0,0 +1,41 @@ +From: "Steven M. Schweda" +Subject: Do not ignore extra fields containing Unix Timestamps +Bug-Debian: https://bugs.debian.org/842993 +X-Debian-version: 6.0-21 + +--- a/process.c ++++ b/process.c +@@ -2914,10 +2914,13 @@ + break; + + case EF_IZUNIX2: +- if (have_new_type_eb == 0) { +- flags &= ~0x0ff; /* ignore any previous IZUNIX field */ ++ if (have_new_type_eb == 0) { /* (< 1) */ + have_new_type_eb = 1; + } ++ if (have_new_type_eb <= 1) { ++ /* Ignore any prior (EF_IZUNIX/EF_PKUNIX) UID/GID. */ ++ flags &= 0x0ff; ++ } + #ifdef IZ_HAVE_UXUIDGID + if (have_new_type_eb > 1) + break; /* IZUNIX3 overrides IZUNIX2 e.f. block ! */ +@@ -2933,6 +2936,8 @@ + /* new 3rd generation Unix ef */ + have_new_type_eb = 2; + ++ /* Ignore any prior EF_IZUNIX/EF_PKUNIX/EF_IZUNIX2 UID/GID. */ ++ flags &= 0x0ff; + /* + Version 1 byte version of this extra field, currently 1 + UIDSize 1 byte Size of UID field +@@ -2953,8 +2958,6 @@ + uid_size = *((EB_HEADSIZE + 1) + ef_buf); + gid_size = *((EB_HEADSIZE + uid_size + 2) + ef_buf); + +- flags &= ~0x0ff; /* ignore any previous UNIX field */ +- + if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf, + uid_size, &z_uidgid[0]) + && diff --git a/gnu/packages/patches/unzip-valgrind.patch b/gnu/packages/patches/unzip-valgrind.patch new file mode 100644 index 0000000000..41a752023b --- /dev/null +++ b/gnu/packages/patches/unzip-valgrind.patch @@ -0,0 +1,26 @@ +diff --git a/fileio.c b/fileio.c +index ba0a1d0..03fc4be 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -2006,6 +2006,7 @@ int do_string(__G__ length, option) /* return PK-type error code */ + unsigned comment_bytes_left; + unsigned int block_len; + int error=PK_OK; ++ unsigned int length2; + #ifdef AMIGA + char tmp_fnote[2 * AMIGA_FILENOTELEN]; /* extra room for squozen chars */ + #endif +@@ -2292,8 +2293,12 @@ int do_string(__G__ length, option) /* return PK-type error code */ + seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes + + (G.inptr-G.inbuf) + length); + } else { +- if (readbuf(__G__ (char *)G.extra_field, length) == 0) ++ if ((length2 = readbuf(__G__ (char *)G.extra_field, length)) == 0) + return PK_EOF; ++ if(length2 < length) { ++ memset (__G__ (char *)G.extra_field+length2, 0 , length-length2); ++ length = length2; ++ } + /* Looks like here is where extra fields are read */ + getZip64Data(__G__ G.extra_field, length); + #ifdef UNICODE_SUPPORT diff --git a/gnu/packages/patches/unzip-x-option.patch b/gnu/packages/patches/unzip-x-option.patch new file mode 100644 index 0000000000..72c77aeb78 --- /dev/null +++ b/gnu/packages/patches/unzip-x-option.patch @@ -0,0 +1,28 @@ +--- ./process.c.orig 2009-03-06 02:25:10.000000000 +0100 ++++ ./process.c 2013-09-12 10:51:16.000000000 +0200 +@@ -2901,9 +2901,9 @@ + */ + + #ifdef IZ_HAVE_UXUIDGID +- if (eb_len >= EB_UX3_MINLEN +- && z_uidgid != NULL +- && (*((EB_HEADSIZE + 0) + ef_buf) == 1) ++ if ((eb_len >= EB_UX3_MINLEN) ++ && (z_uidgid != NULL) ++ && ((*((EB_HEADSIZE + 0) + ef_buf) == 1))) + /* only know about version 1 */ + { + uch uid_size; +@@ -2915,10 +2915,10 @@ + flags &= ~0x0ff; /* ignore any previous UNIX field */ + + if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf, +- uid_size, z_uidgid[0]) ++ uid_size, &z_uidgid[0]) + && + read_ux3_value((EB_HEADSIZE + uid_size + 3) + ef_buf, +- gid_size, z_uidgid[1]) ) ++ gid_size, &z_uidgid[1]) ) + { + flags |= EB_UX2_VALID; /* signal success */ + } diff --git a/gnu/packages/patches/unzip-zipbomb-manpage.patch b/gnu/packages/patches/unzip-zipbomb-manpage.patch new file mode 100644 index 0000000000..cdeeea5c93 --- /dev/null +++ b/gnu/packages/patches/unzip-zipbomb-manpage.patch @@ -0,0 +1,25 @@ +From 6fe72291a5563cdbcd2bdd87e36528537b7cdcfb Mon Sep 17 00:00:00 2001 +From: Jakub Martisko +Date: Mon, 18 Nov 2019 14:17:46 +0100 +Subject: [PATCH] update the man page + +--- + man/unzip.1 | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/man/unzip.1 b/man/unzip.1 +index 21816d1..4d66073 100644 +--- a/man/unzip.1 ++++ b/man/unzip.1 +@@ -850,6 +850,8 @@ the specified zipfiles were not found. + invalid options were specified on the command line. + .IP 11 + no matching files were found. ++.IP 12 ++invalid zip file with overlapped components (possible zip bomb). + .IP 50 + the disk is (or was) full during extraction. + .IP 51 +-- +2.23.0 + diff --git a/gnu/packages/patches/unzip-zipbomb-part1.patch b/gnu/packages/patches/unzip-zipbomb-part1.patch new file mode 100644 index 0000000000..35cf856522 --- /dev/null +++ b/gnu/packages/patches/unzip-zipbomb-part1.patch @@ -0,0 +1,25 @@ +From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Mon, 27 May 2019 08:20:32 -0700 +Subject: [PATCH] Fix bug in undefer_input() that misplaced the input state. + +--- + fileio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fileio.c b/fileio.c +index c042987..bc00d74 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -530,8 +530,10 @@ void undefer_input(__G) + * This condition was checked when G.incnt_leftover was set > 0 in + * defer_leftover_input(), and it is NOT allowed to touch G.csize + * before calling undefer_input() when (G.incnt_leftover > 0) +- * (single exception: see read_byte()'s "G.csize <= 0" handling) !! ++ * (single exception: see readbyte()'s "G.csize <= 0" handling) !! + */ ++ if (G.csize < 0L) ++ G.csize = 0L; + G.incnt = G.incnt_leftover + (int)G.csize; + G.inptr = G.inptr_leftover - (int)G.csize; + G.incnt_leftover = 0; diff --git a/gnu/packages/patches/unzip-zipbomb-part2.patch b/gnu/packages/patches/unzip-zipbomb-part2.patch new file mode 100644 index 0000000000..903c845763 --- /dev/null +++ b/gnu/packages/patches/unzip-zipbomb-part2.patch @@ -0,0 +1,349 @@ +From 47b3ceae397d21bf822bc2ac73052a4b1daf8e1c Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Tue, 11 Jun 2019 22:01:18 -0700 +Subject: [PATCH] Detect and reject a zip bomb using overlapped entries. + +This detects an invalid zip file that has at least one entry that +overlaps with another entry or with the central directory to the +end of the file. A Fifield zip bomb uses overlapped local entries +to vastly increase the potential inflation ratio. Such an invalid +zip file is rejected. + +See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's +analysis, construction, and examples of such zip bombs. + +The detection maintains a list of covered spans of the zip files +so far, where the central directory to the end of the file and any +bytes preceding the first entry at zip file offset zero are +considered covered initially. Then as each entry is decompressed +or tested, it is considered covered. When a new entry is about to +be processed, its initial offset is checked to see if it is +contained by a covered span. If so, the zip file is rejected as +invalid. + +This commit depends on a preceding commit: "Fix bug in +undefer_input() that misplaced the input state." +--- + extract.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++++- + globals.c | 1 + + globals.h | 3 + + process.c | 11 ++++ + unzip.h | 1 + + 5 files changed, 205 insertions(+), 1 deletion(-) + +diff --git a/extract.c b/extract.c +index 1acd769..0973a33 100644 +--- a/extract.c ++++ b/extract.c +@@ -319,6 +319,125 @@ static ZCONST char Far UnsupportedExtraField[] = + "\nerror: unsupported extra-field compression type (%u)--skipping\n"; + static ZCONST char Far BadExtraFieldCRC[] = + "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n"; ++static ZCONST char Far NotEnoughMemCover[] = ++ "error: not enough memory for bomb detection\n"; ++static ZCONST char Far OverlappedComponents[] = ++ "error: invalid zip file with overlapped components (possible zip bomb)\n"; ++ ++ ++ ++ ++ ++/* A growable list of spans. */ ++typedef zoff_t bound_t; ++typedef struct { ++ bound_t beg; /* start of the span */ ++ bound_t end; /* one past the end of the span */ ++} span_t; ++typedef struct { ++ span_t *span; /* allocated, distinct, and sorted list of spans */ ++ size_t num; /* number of spans in the list */ ++ size_t max; /* allocated number of spans (num <= max) */ ++} cover_t; ++ ++/* ++ * Return the index of the first span in cover whose beg is greater than val. ++ * If there is no such span, then cover->num is returned. ++ */ ++static size_t cover_find(cover, val) ++ cover_t *cover; ++ bound_t val; ++{ ++ size_t lo = 0, hi = cover->num; ++ while (lo < hi) { ++ size_t mid = (lo + hi) >> 1; ++ if (val < cover->span[mid].beg) ++ hi = mid; ++ else ++ lo = mid + 1; ++ } ++ return hi; ++} ++ ++/* Return true if val lies within any one of the spans in cover. */ ++static int cover_within(cover, val) ++ cover_t *cover; ++ bound_t val; ++{ ++ size_t pos = cover_find(cover, val); ++ return pos > 0 && val < cover->span[pos - 1].end; ++} ++ ++/* ++ * Add a new span to the list, but only if the new span does not overlap any ++ * spans already in the list. The new span covers the values beg..end-1. beg ++ * must be less than end. ++ * ++ * Keep the list sorted and merge adjacent spans. Grow the allocated space for ++ * the list as needed. On success, 0 is returned. If the new span overlaps any ++ * existing spans, then 1 is returned and the new span is not added to the ++ * list. If the new span is invalid because beg is greater than or equal to ++ * end, then -1 is returned. If the list needs to be grown but the memory ++ * allocation fails, then -2 is returned. ++ */ ++static int cover_add(cover, beg, end) ++ cover_t *cover; ++ bound_t beg; ++ bound_t end; ++{ ++ size_t pos; ++ int prec, foll; ++ ++ if (beg >= end) ++ /* The new span is invalid. */ ++ return -1; ++ ++ /* Find where the new span should go, and make sure that it does not ++ overlap with any existing spans. */ ++ pos = cover_find(cover, beg); ++ if ((pos > 0 && beg < cover->span[pos - 1].end) || ++ (pos < cover->num && end > cover->span[pos].beg)) ++ return 1; ++ ++ /* Check for adjacencies. */ ++ prec = pos > 0 && beg == cover->span[pos - 1].end; ++ foll = pos < cover->num && end == cover->span[pos].beg; ++ if (prec && foll) { ++ /* The new span connects the preceding and following spans. Merge the ++ following span into the preceding span, and delete the following ++ span. */ ++ cover->span[pos - 1].end = cover->span[pos].end; ++ cover->num--; ++ memmove(cover->span + pos, cover->span + pos + 1, ++ (cover->num - pos) * sizeof(span_t)); ++ } ++ else if (prec) ++ /* The new span is adjacent only to the preceding span. Extend the end ++ of the preceding span. */ ++ cover->span[pos - 1].end = end; ++ else if (foll) ++ /* The new span is adjacent only to the following span. Extend the ++ beginning of the following span. */ ++ cover->span[pos].beg = beg; ++ else { ++ /* The new span has gaps between both the preceding and the following ++ spans. Assure that there is room and insert the span. */ ++ if (cover->num == cover->max) { ++ size_t max = cover->max == 0 ? 16 : cover->max << 1; ++ span_t *span = realloc(cover->span, max * sizeof(span_t)); ++ if (span == NULL) ++ return -2; ++ cover->span = span; ++ cover->max = max; ++ } ++ memmove(cover->span + pos + 1, cover->span + pos, ++ (cover->num - pos) * sizeof(span_t)); ++ cover->num++; ++ cover->span[pos].beg = beg; ++ cover->span[pos].end = end; ++ } ++ return 0; ++} + + + +@@ -374,6 +493,29 @@ int extract_or_test_files(__G) /* return PK-type error code */ + } + #endif /* !SFX || SFX_EXDIR */ + ++ /* One more: initialize cover structure for bomb detection. Start with a ++ span that covers the central directory though the end of the file. */ ++ if (G.cover == NULL) { ++ G.cover = malloc(sizeof(cover_t)); ++ if (G.cover == NULL) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ ((cover_t *)G.cover)->span = NULL; ++ ((cover_t *)G.cover)->max = 0; ++ } ++ ((cover_t *)G.cover)->num = 0; ++ if ((G.extra_bytes != 0 && ++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || ++ cover_add((cover_t *)G.cover, ++ G.extra_bytes + G.ecrec.offset_start_central_directory, ++ G.ziplen) != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ + /*--------------------------------------------------------------------------- + The basic idea of this function is as follows. Since the central di- + rectory lies at the end of the zipfile and the member files lie at the +@@ -591,7 +733,8 @@ int extract_or_test_files(__G) /* return PK-type error code */ + if (error > error_in_archive) + error_in_archive = error; + /* ...and keep going (unless disk full or user break) */ +- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) { ++ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC || ++ error == PK_BOMB) { + /* clear reached_end to signal premature stop ... */ + reached_end = FALSE; + /* ... and cancel scanning the central directory */ +@@ -1060,6 +1203,11 @@ static int extract_or_test_entrylist(__G__ numchunk, + + /* seek_zipf(__G__ pInfo->offset); */ + request = G.pInfo->offset + G.extra_bytes; ++ if (cover_within((cover_t *)G.cover, request)) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + inbuf_offset = request % INBUFSIZ; + bufstart = request - inbuf_offset; + +@@ -1591,6 +1739,18 @@ static int extract_or_test_entrylist(__G__ numchunk, + return IZ_CTRLC; /* cancel operation by user request */ + } + #endif ++ error = cover_add((cover_t *)G.cover, request, ++ G.cur_zipfile_bufstart + (G.inptr - G.inbuf)); ++ if (error < 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(NotEnoughMemCover))); ++ return PK_MEM; ++ } ++ if (error != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */ + UserStop(); + #endif +@@ -1992,6 +2152,34 @@ static int extract_or_test_member(__G) /* return PK-type error code */ + } + + undefer_input(__G); ++ ++ if ((G.lrec.general_purpose_bit_flag & 8) != 0) { ++ /* skip over data descriptor (harder than it sounds, due to signature ++ * ambiguity) ++ */ ++# define SIG 0x08074b50 ++# define LOW 0xffffffff ++ uch buf[12]; ++ unsigned shy = 12 - readbuf((char *)buf, 12); ++ ulg crc = shy ? 0 : makelong(buf); ++ ulg clen = shy ? 0 : makelong(buf + 4); ++ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */ ++ if (crc == SIG && /* if not SIG, no signature */ ++ (G.lrec.crc32 != SIG || /* if not SIG, have signature */ ++ (clen == SIG && /* if not SIG, no signature */ ++ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */ ++ (ulen == SIG && /* if not SIG, no signature */ ++ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG ++ /* if not SIG, have signature */ ++ ))))) ++ /* skip four more bytes to account for signature */ ++ shy += 4 - readbuf((char *)buf, 4); ++ if (G.zip64) ++ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */ ++ if (shy) ++ error = PK_ERR; ++ } ++ + return error; + + } /* end function extract_or_test_member() */ +diff --git a/globals.c b/globals.c +index fa8cca5..1e0f608 100644 +--- a/globals.c ++++ b/globals.c +@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor() + # if (!defined(NO_TIMESTAMPS)) + uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */ + # endif ++ G.cover = NULL; /* not allocated yet */ + #endif + + uO.lflag=(-1); +diff --git a/globals.h b/globals.h +index 11b7215..2bdcdeb 100644 +--- a/globals.h ++++ b/globals.h +@@ -260,12 +260,15 @@ typedef struct Globals { + ecdir_rec ecrec; /* used in unzip.c, extract.c */ + z_stat statbuf; /* used by main, mapname, check_for_newer */ + ++ int zip64; /* true if Zip64 info in extra field */ ++ + int mem_mode; + uch *outbufptr; /* extract.c static */ + ulg outsize; /* extract.c static */ + int reported_backslash; /* extract.c static */ + int disk_full; + int newfile; ++ void **cover; /* used in extract.c for bomb detection */ + + int didCRlast; /* fileio static */ + ulg numlines; /* fileio static: number of lines printed */ +diff --git a/process.c b/process.c +index 1e9a1e1..d2e4dc3 100644 +--- a/process.c ++++ b/process.c +@@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory allocated in global vars */ + } + #endif + ++ /* Free the cover span list and the cover structure. */ ++ if (G.cover != NULL) { ++ free(*(G.cover)); ++ free(G.cover); ++ G.cover = NULL; ++ } ++ + } /* end function free_G_buffers() */ + + +@@ -1890,6 +1897,8 @@ int getZip64Data(__G__ ef_buf, ef_len) + #define Z64FLGS 0xffff + #define Z64FLGL 0xffffffff + ++ G.zip64 = FALSE; ++ + if (ef_len == 0 || ef_buf == NULL) + return PK_COOL; + +@@ -1927,6 +1936,8 @@ int getZip64Data(__G__ ef_buf, ef_len) + #if 0 + break; /* Expect only one EF_PKSZ64 block. */ + #endif /* 0 */ ++ ++ G.zip64 = TRUE; + } + + /* Skip this extra field block. */ +diff --git a/unzip.h b/unzip.h +index 5b2a326..ed24a5b 100644 +--- a/unzip.h ++++ b/unzip.h +@@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec { + #define PK_NOZIP 9 /* zipfile not found */ + #define PK_PARAM 10 /* bad or illegal parameters specified */ + #define PK_FIND 11 /* no files found */ ++#define PK_BOMB 12 /* likely zip bomb */ + #define PK_DISK 50 /* disk full */ + #define PK_EOF 51 /* unexpected EOF */ + diff --git a/gnu/packages/patches/unzip-zipbomb-part3.patch b/gnu/packages/patches/unzip-zipbomb-part3.patch new file mode 100644 index 0000000000..3b8d67b773 --- /dev/null +++ b/gnu/packages/patches/unzip-zipbomb-part3.patch @@ -0,0 +1,112 @@ +From 6d351831be705cc26d897db44f878a978f4138fc Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Thu, 25 Jul 2019 20:43:17 -0700 +Subject: [PATCH] Do not raise a zip bomb alert for a misplaced central + directory. + +There is a zip-like file in the Firefox distribution, omni.ja, +which is a zip container with the central directory placed at the +start of the file instead of after the local entries as required +by the zip standard. This commit marks the actual location of the +central directory, as well as the end of central directory records, +as disallowed locations. This now permits such containers to not +raise a zip bomb alert, where in fact there are no overlaps. +--- + extract.c | 25 +++++++++++++++++++------ + process.c | 6 ++++++ + unzpriv.h | 10 ++++++++++ + 3 files changed, 35 insertions(+), 6 deletions(-) + +diff --git a/extract.c b/extract.c +index 0973a33..1b73cb0 100644 +--- a/extract.c ++++ b/extract.c +@@ -493,8 +493,11 @@ int extract_or_test_files(__G) /* return PK-type error code */ + } + #endif /* !SFX || SFX_EXDIR */ + +- /* One more: initialize cover structure for bomb detection. Start with a +- span that covers the central directory though the end of the file. */ ++ /* One more: initialize cover structure for bomb detection. Start with ++ spans that cover any extra bytes at the start, the central directory, ++ the end of central directory record (including the Zip64 end of central ++ directory locator, if present), and the Zip64 end of central directory ++ record, if present. */ + if (G.cover == NULL) { + G.cover = malloc(sizeof(cover_t)); + if (G.cover == NULL) { +@@ -506,15 +509,25 @@ int extract_or_test_files(__G) /* return PK-type error code */ + ((cover_t *)G.cover)->max = 0; + } + ((cover_t *)G.cover)->num = 0; +- if ((G.extra_bytes != 0 && +- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || +- cover_add((cover_t *)G.cover, ++ if (cover_add((cover_t *)G.cover, + G.extra_bytes + G.ecrec.offset_start_central_directory, +- G.ziplen) != 0) { ++ G.extra_bytes + G.ecrec.offset_start_central_directory + ++ G.ecrec.size_central_directory) != 0) { + Info(slide, 0x401, ((char *)slide, + LoadFarString(NotEnoughMemCover))); + return PK_MEM; + } ++ if ((G.extra_bytes != 0 && ++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || ++ (G.ecrec.have_ecr64 && ++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start, ++ G.ecrec.ec64_end) != 0) || ++ cover_add((cover_t *)G.cover, G.ecrec.ec_start, ++ G.ecrec.ec_end) != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + + /*--------------------------------------------------------------------------- + The basic idea of this function is as follows. Since the central di- +diff --git a/process.c b/process.c +index d2e4dc3..d75d405 100644 +--- a/process.c ++++ b/process.c +@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */ + + /* Now, we are (almost) sure that we have a Zip64 archive. */ + G.ecrec.have_ecr64 = 1; ++ G.ecrec.ec_start -= ECLOC64_SIZE+4; ++ G.ecrec.ec64_start = ecrec64_start_offset; ++ G.ecrec.ec64_end = ecrec64_start_offset + ++ 12 + makeint64(&byterec[ECREC64_LENGTH]); + + /* Update the "end-of-central-dir offset" for later checks. */ + G.real_ecrec_offset = ecrec64_start_offset; +@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */ + makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]); + G.ecrec.zipfile_comment_length = + makeword(&byterec[ZIPFILE_COMMENT_LENGTH]); ++ G.ecrec.ec_start = G.real_ecrec_offset; ++ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length; + + /* Now, we have to read the archive comment, BEFORE the file pointer + is moved away backwards to seek for a Zip64 ECLOC64 structure. +diff --git a/unzpriv.h b/unzpriv.h +index dc9eff5..297b3c7 100644 +--- a/unzpriv.h ++++ b/unzpriv.h +@@ -2185,6 +2185,16 @@ typedef struct VMStimbuf { + int have_ecr64; /* valid Zip64 ecdir-record exists */ + int is_zip64_archive; /* Zip64 ecdir-record is mandatory */ + ush zipfile_comment_length; ++ zusz_t ec_start, ec_end; /* offsets of start and end of the ++ end of central directory record, ++ including if present the Zip64 ++ end of central directory locator, ++ which immediately precedes the ++ end of central directory record */ ++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these ++ are the offsets of the start and ++ end of the Zip64 end of central ++ directory record */ + } ecdir_rec; + + -- cgit 1.4.1 From 703843922aa32c833b1c0ea56ac7362230e60a3a Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Sun, 14 Mar 2021 09:09:45 +0100 Subject: gun: unzip/fixed: Fix tests on 32-bit systems. * gnu/packages/patches/unzip-32bit-zipbomb-fix.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/compression.scm (unzip/fixed): Apply patch. --- gnu/local.mk | 1 + gnu/packages/compression.scm | 5 ++- gnu/packages/patches/unzip-32bit-zipbomb-fix.patch | 50 ++++++++++++++++++++++ 3 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/unzip-32bit-zipbomb-fix.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 6500f5bda2..25f8a7fde8 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1760,6 +1760,7 @@ dist_patch_DATA = \ %D%/packages/patches/unzip-zipbomb-part1.patch \ %D%/packages/patches/unzip-zipbomb-part2.patch \ %D%/packages/patches/unzip-zipbomb-part3.patch \ + %D%/packages/patches/unzip-32bit-zipbomb-fix.patch \ %D%/packages/patches/ustr-fix-build-with-gcc-5.patch \ %D%/packages/patches/util-linux-tests.patch \ %D%/packages/patches/upower-builddir.patch \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 399e4451e7..123d408e96 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -1676,7 +1676,10 @@ recreates the stored directory structure by default.") "unzip-zipbomb-manpage.patch" "unzip-zipbomb-part1.patch" "unzip-zipbomb-part2.patch" - "unzip-zipbomb-part3.patch")))))) + "unzip-zipbomb-part3.patch" + + ;; https://github.com/madler/unzip/issues/2 + "unzip-32bit-zipbomb-fix.patch")))))) (define-public ziptime (let ((commit "2a5bc9dfbf7c6a80e5f7cb4dd05b4036741478bc") diff --git a/gnu/packages/patches/unzip-32bit-zipbomb-fix.patch b/gnu/packages/patches/unzip-32bit-zipbomb-fix.patch new file mode 100644 index 0000000000..ad6a157c56 --- /dev/null +++ b/gnu/packages/patches/unzip-32bit-zipbomb-fix.patch @@ -0,0 +1,50 @@ +From 13f0260beae851f7d5dd96e9ef757d8d6d7daac1 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sun, 9 Feb 2020 07:20:13 -0800 +Subject: [PATCH] Fix false overlapped components detection on 32-bit systems. + +32-bit systems with ZIP64_SUPPORT enabled could have different +size types for zoff_t and zusz_t. That resulted in bad parameter +passing to the bound tracking functions, itself due to the lack of +use of C function prototypes in unzip. This commit assures that +parameters are cast properly for those calls. + +This problem occurred only for ill-chosen make options, which give +a 32-bit zoff_t. A proper build will result in a zoff_t of 64 bits, +even on 32-bit systems. +--- + extract.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/extract.c b/extract.c +index 1b73cb0..d9866f9 100644 +--- a/extract.c ++++ b/extract.c +@@ -329,7 +329,7 @@ static ZCONST char Far OverlappedComponents[] = + + + /* A growable list of spans. */ +-typedef zoff_t bound_t; ++typedef zusz_t bound_t; + typedef struct { + bound_t beg; /* start of the span */ + bound_t end; /* one past the end of the span */ +@@ -518,7 +518,8 @@ int extract_or_test_files(__G) /* return PK-type error code */ + return PK_MEM; + } + if ((G.extra_bytes != 0 && +- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || ++ cover_add((cover_t *)G.cover, ++ (bound_t)0, (bound_t)G.extra_bytes) != 0) || + (G.ecrec.have_ecr64 && + cover_add((cover_t *)G.cover, G.ecrec.ec64_start, + G.ecrec.ec64_end) != 0) || +@@ -1216,7 +1217,7 @@ static int extract_or_test_entrylist(__G__ numchunk, + + /* seek_zipf(__G__ pInfo->offset); */ + request = G.pInfo->offset + G.extra_bytes; +- if (cover_within((cover_t *)G.cover, request)) { ++ if (cover_within((cover_t *)G.cover, (bound_t)request)) { + Info(slide, 0x401, ((char *)slide, + LoadFarString(OverlappedComponents))); + return PK_BOMB; -- cgit 1.4.1 From d059485257bbe5b4f4d903b357ec99a3af2d4f39 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Sun, 14 Mar 2021 19:12:53 -0400 Subject: gnu: unzip: Remove redundant and unused "unzip-symlink.patch". This is a followup to commit 31d289a4759909d24dd309ac24d42902a8c20da0, which added, but did not use, "unzip-symlink.patch", which is redundant with the pre-existing "unzip-initialize-symlink-flag.patch". * gnu/packages/patches/unzip-symlink.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/patches/unzip-symlink.patch | 17 ----------------- 2 files changed, 18 deletions(-) delete mode 100644 gnu/packages/patches/unzip-symlink.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 25f8a7fde8..cf8849cf59 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1752,7 +1752,6 @@ dist_patch_DATA = \ %D%/packages/patches/unzip-fix-recmatch.patch \ %D%/packages/patches/unzip-manpage-fix.patch \ %D%/packages/patches/unzip-overflow.patch \ - %D%/packages/patches/unzip-symlink.patch \ %D%/packages/patches/unzip-timestamp.patch \ %D%/packages/patches/unzip-valgrind.patch \ %D%/packages/patches/unzip-x-option.patch \ diff --git a/gnu/packages/patches/unzip-symlink.patch b/gnu/packages/patches/unzip-symlink.patch deleted file mode 100644 index d7eaf160b4..0000000000 --- a/gnu/packages/patches/unzip-symlink.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff --git a/process.c b/process.c -index 1e9a1e1..905732b 100644 ---- a/process.c -+++ b/process.c -@@ -1751,6 +1751,12 @@ int process_cdir_file_hdr(__G) /* return PK-type error code */ - = (G.crec.general_purpose_bit_flag & (1 << 11)) == (1 << 11); - #endif - -+#ifdef SYMLINKS -+ /* Initialize the symlink flag, may be set by the platform-specific -+ mapattr function. */ -+ G.pInfo->symlink = 0; -+#endif -+ - return PK_COOL; - - } /* end function process_cdir_file_hdr() */ -- cgit 1.4.1 From 109f58444beecd1b9b7c502f2a687a6b91c62dc0 Mon Sep 17 00:00:00 2001 From: Kei Kebreau Date: Tue, 16 Mar 2021 12:03:12 -0400 Subject: gnu: mpg321: Fix CVE-2019-14247. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/patches/mpg321-CVE-2019-14247.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/mp3.scm (mpg321)[source]: Apply it. Signed-off-by: Léo Le Bouter Signed-off-by: Leo Famulari --- gnu/local.mk | 1 + gnu/packages/mp3.scm | 4 +++- gnu/packages/patches/mpg321-CVE-2019-14247.patch | 23 +++++++++++++++++++++++ 3 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/mpg321-CVE-2019-14247.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index cf8849cf59..abb1e2140d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1404,6 +1404,7 @@ dist_patch_DATA = \ %D%/packages/patches/mit-krb5-hurd.patch \ %D%/packages/patches/mit-krb5-qualify-short-hostnames.patch \ %D%/packages/patches/mpc123-initialize-ao.patch \ + %D%/packages/patches/mpg321-CVE-2019-14247.patch \ %D%/packages/patches/module-init-tools-moduledir.patch \ %D%/packages/patches/monero-use-system-miniupnpc.patch \ %D%/packages/patches/mono-mdoc-timestamping.patch \ diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm index 34390d3696..dba3e17558 100644 --- a/gnu/packages/mp3.scm +++ b/gnu/packages/mp3.scm @@ -408,7 +408,9 @@ command-line tool as well as a C library, libmpg123.") version "/mpg321-" version ".tar.gz")) (sha256 (base32 - "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5")))) + "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5")) + (patches + (search-patches "mpg321-CVE-2019-14247.patch")))) (build-system gnu-build-system) (arguments '(#:configure-flags '("--disable-alsa"))) (inputs diff --git a/gnu/packages/patches/mpg321-CVE-2019-14247.patch b/gnu/packages/patches/mpg321-CVE-2019-14247.patch new file mode 100644 index 0000000000..03afaccc67 --- /dev/null +++ b/gnu/packages/patches/mpg321-CVE-2019-14247.patch @@ -0,0 +1,23 @@ +This patch was downloaded from https://sourceforge.net/p/mpg321/bugs/51/ and +fixes CVE-2019-14247. + +Description: Handle illegal bitrate value +Author: Chrysostomos Nanakos +Bug-Debian: https://bugs.debian.org/870406 +Bug-Debian: https://bugs.debian.org/887057 + +--- mpg321-0.3.2.orig/mad.c ++++ mpg321-0.3.2/mad.c +@@ -574,6 +574,12 @@ void scan(void const *ptr, ssize_t len, + + if (!is_vbr) + { ++ if (header.bitrate <= 0) ++ { ++ fprintf(stderr, "Illegal bit allocation value\n"); ++ return; ++ } ++ + double time = (len * 8.0) / (header.bitrate); /* time in seconds */ + double timefrac = (double)time - ((long)(time)); + long nsamples = 32 * MAD_NSBSAMPLES(&header); /* samples per frame */ -- cgit 1.4.1 From fef91c0cc8770c6c4fce08bd748e6f241a8cd682 Mon Sep 17 00:00:00 2001 From: Leo Prikler Date: Mon, 15 Mar 2021 20:43:41 +0100 Subject: gnu: Move lolcode to esolangs. * gnu/packages/lolcode.scm (lci): Move from here... * gnu/packages/esolangs.scm (lolcode-lci): ... to here. * gnu/packages/lolcode.scm: Delete file. * gnu/local.mk (GNU_SYSTEM_MODULES): Adjust accordingly. --- gnu/local.mk | 1 - gnu/packages/esolangs.scm | 37 +++++++++++++++++++++++++++++ gnu/packages/lolcode.scm | 60 ----------------------------------------------- 3 files changed, 37 insertions(+), 61 deletions(-) delete mode 100644 gnu/packages/lolcode.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index abb1e2140d..0422beac82 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -353,7 +353,6 @@ GNU_SYSTEM_MODULES = \ %D%/packages/logging.scm \ %D%/packages/logo.scm \ %D%/packages/loko.scm \ - %D%/packages/lolcode.scm \ %D%/packages/lsof.scm \ %D%/packages/lua.scm \ %D%/packages/lxde.scm \ diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm index 676b355e65..45feedfa28 100644 --- a/gnu/packages/esolangs.scm +++ b/gnu/packages/esolangs.scm @@ -1,4 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2016 Nikita +;;; Copyright © 2019 Tobias Geerinckx-Rice ;;; Copyright © 2020 Hendursaga ;;; Copyright © 2020 Leo Prikler ;;; @@ -22,6 +24,8 @@ #:use-module (gnu packages bison) #:use-module (gnu packages flex) #:use-module (gnu packages ncurses) + #:use-module (gnu packages python) + #:use-module (gnu packages readline) #:use-module (guix build-system cmake) #:use-module (guix build-system copy) #:use-module (guix build-system gnu) @@ -56,6 +60,39 @@ written in C. It supports several @dfn{fingerprints} (opt-in language extension identified by unique ID codes).") (license license:gpl3))) +(define-public lolcode-lci + (package + (name "lolcode-lci") + (version "0.11.2") + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/justinmeza/lci") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (sha256 + (base32 "0syw60b93iajgh91ffchirwwhm2kix2753ibx845kyrhzggmdh2l")))) + (build-system cmake-build-system) + (inputs + `(("readline" ,readline))) + (native-inputs + `(("python-2" ,python-2))) ; for the tests + (synopsis "LOLCODE interpreter written in C") + (description + "@code{lci} is a LOLCODE interpreter written in C and is designed to be +correct, portable, fast, and precisely documented. +@enumerate +@item correct: Every effort has been made to test lci's conformance to the +LOLCODE language specification. Unit tests come packaged with the lci source code. +@item portable: lci follows the widely ported ANSI C specification allowing it +to compile on a broad range of systems. +@item fast: Much effort has gone into producing simple and efficient code +whenever possible to the extent that the above points are not compromized. +@end enumerate") + (home-page "http://lolcode.org/") + (license license:gpl3+))) + (define-public shakespeare-spl (package (name "shakespeare-spl") diff --git a/gnu/packages/lolcode.scm b/gnu/packages/lolcode.scm deleted file mode 100644 index cdbff1f4b6..0000000000 --- a/gnu/packages/lolcode.scm +++ /dev/null @@ -1,60 +0,0 @@ -;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2016 Nikita -;;; Copyright © 2019 Tobias Geerinckx-Rice -;;; -;;; This file is part of GNU Guix. -;;; -;;; GNU Guix is free software; you can redistribute it and/or modify it -;;; under the terms of the GNU General Public License as published by -;;; the Free Software Foundation; either version 3 of the License, or (at -;;; your option) any later version. -;;; -;;; GNU Guix is distributed in the hope that it will be useful, but -;;; WITHOUT ANY WARRANTY; without even the implied warranty of -;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;;; GNU General Public License for more details. -;;; -;;; You should have received a copy of the GNU General Public License -;;; along with GNU Guix. If not, see . - -(define-module (gnu packages lolcode) - #:use-module (gnu packages) - #:use-module (gnu packages python) - #:use-module (gnu packages readline) - #:use-module (guix build-system cmake) - #:use-module (guix git-download) - #:use-module ((guix licenses) #:prefix license:) - #:use-module (guix packages)) - -(define-public lci - (package - (name "lci") - (version "0.11.2") - (source - (origin - (method git-fetch) - (uri (git-reference - (url "https://github.com/justinmeza/lci") - (commit (string-append "v" version)))) - (file-name (git-file-name name version)) - (sha256 - (base32 "0syw60b93iajgh91ffchirwwhm2kix2753ibx845kyrhzggmdh2l")))) - (build-system cmake-build-system) - (inputs - `(("readline" ,readline))) - (native-inputs - `(("python-2" ,python-2))) ; for the tests - (synopsis "LOLCODE interpreter written in C") - (description - "@code{lci} is a LOLCODE interpreter written in C and is designed to be -correct, portable, fast, and precisely documented. -@enumerate -@item correct: Every effort has been made to test lci's conformance to the -LOLCODE language specification. Unit tests come packaged with the lci source code. -@item portable: lci follows the widely ported ANSI C specification allowing it -to compile on a broad range of systems. -@item fast: Much effort has gone into producing simple and efficient code -whenever possible to the extent that the above points are not compromized. -@end enumerate") - (home-page "http://lolcode.org/") - (license license:gpl3+))) -- cgit 1.4.1 From 1155a88308df7649fe74bd5bb8279a4d103ce386 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Fri, 19 Mar 2021 00:13:42 +0100 Subject: gnu: ungoogled-chromium: Update to 89.0.4389.90-1. * gnu/packages/patches/ungoogled-chromium-system-opus.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/chromium.scm (%preserved-third-party-files): Adjust for 89. (%chromium-version): Remove variable. (%ungoogled-revision): Set to 89.0.4389.90-1. (%ungoogled-origin): Conditionally set file name based on commit/tag. (%guix-patches): Add the new file. (libvpx/chromium): Update to 1.9.0-104-gb5d77a48d. (ungoogled-chromium)[version]: Use %UNGOOGLED-REVISION. [source]: Update hash. [arguments]: Adjust #:configure-flags for build system changes. Don't build with external WebRTC SSL library. Remove obsolete substitution. [inputs]: Remove OPENSSL. Change from PIPEWIRE to PIPEWIRE-0.3. --- gnu/local.mk | 1 + gnu/packages/chromium.scm | 64 +++++++++------------- .../patches/ungoogled-chromium-system-opus.patch | 27 +++++++++ 3 files changed, 55 insertions(+), 37 deletions(-) create mode 100644 gnu/packages/patches/ungoogled-chromium-system-opus.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 0422beac82..afd9c17f9c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1725,6 +1725,7 @@ dist_patch_DATA = \ %D%/packages/patches/udiskie-no-appindicator.patch \ %D%/packages/patches/ungoogled-chromium-extension-search-path.patch \ %D%/packages/patches/ungoogled-chromium-system-nspr.patch \ + %D%/packages/patches/ungoogled-chromium-system-opus.patch \ %D%/packages/patches/unison-fix-ocaml-4.08.patch \ %D%/packages/patches/unknown-horizons-python-3.8-distro.patch \ %D%/packages/patches/unzip-CVE-2014-8139.patch \ diff --git a/gnu/packages/chromium.scm b/gnu/packages/chromium.scm index b81a773c3d..de7c887061 100644 --- a/gnu/packages/chromium.scm +++ b/gnu/packages/chromium.scm @@ -65,7 +65,6 @@ #:use-module (gnu packages regex) #:use-module (gnu packages serialization) #:use-module (gnu packages speech) - #:use-module (gnu packages tls) #:use-module (gnu packages valgrind) #:use-module (gnu packages vulkan) #:use-module (gnu packages video) @@ -96,7 +95,6 @@ "net/third_party/quiche" ;BSD-3 "net/third_party/uri_template" ;ASL2.0 "third_party/abseil-cpp" ;ASL2.0 - "third_party/adobe/flash/flapper_version.h" ;no license, trivial "third_party/angle" ;BSD-3 "third_party/angle/src/common/third_party/base" ;BSD-3 "third_party/angle/src/common/third_party/smhasher" ;Public domain @@ -105,10 +103,6 @@ "third_party/angle/src/third_party/libXNVCtrl" ;Expat "third_party/angle/src/third_party/trace_event" ;BSD-3 "third_party/angle/src/third_party/volk" ;Expat - "third_party/angle/third_party/vulkan-headers" ;ASL2.0 - "third_party/angle/third_party/vulkan-loader" ;ASL2.0 - "third_party/angle/third_party/vulkan-tools" ;ASL2.0 - "third_party/angle/third_party/vulkan-validation-layers" ;ASL2.0 "third_party/apple_apsl" ;APSL2.0 "third_party/axe-core" ;MPL2.0 "third_party/blink" ;BSD-3, LGPL2+ @@ -161,7 +155,6 @@ "third_party/emoji-segmenter" ;ASL2.0 "third_party/flatbuffers" ;ASL2.0 "third_party/fusejs" ;ASL2.0 - "third_party/glslang" ;BSD-3, Expat, ASL2.0 "third_party/google_input_tools" ;ASL2.0 "third_party/google_input_tools/third_party/closure_library" ;ASL2.0 "third_party/google_input_tools/third_party/closure_library/third_party/closure" ;Expat @@ -189,6 +182,8 @@ "third_party/libsrtp" ;BSD-3 "third_party/libsync" ;ASL2.0 "third_party/libudev" ;LGPL2.1+ + "third_party/liburlpattern" ;Expat + "third_party/libva_protected_content" ;Expat ;; FIXME: build/linux/unbundle/libvpx.gn does not work for all users. "third_party/libvpx" ;BSD-3 @@ -203,6 +198,7 @@ "third_party/markupsafe" ;BSD-3 "third_party/mesa_headers" ;Expat, SGI "third_party/metrics_proto" ;BSD-3 + "third_party/minigbm" ;BSD-3 "third_party/modp_b64" ;BSD-3 "third_party/nasm" ;BSD-2 "third_party/nearby" ;ASL2.0 @@ -220,7 +216,8 @@ "third_party/pdfium/third_party/skia_shared" ;BSD-3 "third_party/pdfium/third_party/freetype/include/pstables.h" ;FreeType "third_party/perfetto" ;ASL2.0 - "third_party/pffft" ;the "FFTPACK" license, similar to BSD-3 + "third_party/perfetto/protos/third_party/chromium" ;BSD-3 + "third_party/pffft" ;the "FFTPACK" license "third_party/ply" ;BSD-3 "third_party/polymer" ;BSD-3 "third_party/private_membership" ;ASL2.0 @@ -236,7 +233,6 @@ "third_party/s2cellid" ;ASL2.0 "third_party/schema_org" ;CC-BY-SA3.0 "third_party/securemessage" ;ASL2.0 - "third_party/shaka-player" ;ASL2.0 "third_party/shell-encryption" ;ASL2.0 "third_party/skia" ;BSD-3 "third_party/skia/include/third_party/skcms" ;BSD-3 @@ -244,8 +240,6 @@ "third_party/skia/third_party/vulkanmemoryallocator" ;BSD-3, Expat "third_party/smhasher" ;Expat, public domain "third_party/speech-dispatcher" ;GPL2+ - "third_party/spirv-headers" ;ASL2.0 - "third_party/SPIRV-Tools" ;ASL2.0 "third_party/sqlite" ;Public domain "third_party/swiftshader" ;ASL2.0 "third_party/swiftshader/third_party/astc-encoder" ;ASL2.0 @@ -258,6 +252,7 @@ "third_party/ukey2" ;ASL2.0 "third_party/usb_ids" ;BSD-3 "third_party/usrsctp" ;BSD-2 + "third_party/vulkan-deps" ;ASL2.0, BSD-3, Expat "third_party/vulkan_memory_allocator" ;Expat "third_party/wayland/protocol" ;Expat "third_party/wayland/stubs" ;BSD-3, Expat @@ -310,8 +305,7 @@ (string-append "ungoogled-chromium-" category "-" name)))) (sha256 (base32 hash)))) -(define %chromium-version "88.0.4324.182") -(define %ungoogled-revision "b98f2d51406c84a75df96f0da9dee3c0d790963d") +(define %ungoogled-revision "89.0.4389.90-1") (define %debian-revision "debian/84.0.4147.105-1") (define %debian-patches @@ -326,15 +320,20 @@ (uri (git-reference (url "https://github.com/Eloston/ungoogled-chromium") (commit %ungoogled-revision))) (file-name (git-file-name "ungoogled-chromium" - (string-take %ungoogled-revision 7))) + (if (= 40 (string-length %ungoogled-revision)) + (string-take %ungoogled-revision 7) + %ungoogled-revision))) (sha256 (base32 - "1c9y1dn9s06pskkjw2r8lsbplak8m2rwh4drixvjpif7b4cgdhay")))) + "0pr756d1b4wc67d61b21yszi7mx1hsjy14i44j0kvcwm05pgnf79")))) (define %guix-patches (list (local-file (assume-valid-file-name (search-patch "ungoogled-chromium-system-nspr.patch"))) + (local-file + (assume-valid-file-name + (search-patch "ungoogled-chromium-system-opus.patch"))) (local-file (assume-valid-file-name (search-patch "ungoogled-chromium-extension-search-path.patch"))))) @@ -418,7 +417,7 @@ (define libvpx/chromium (package (inherit libvpx) - (version "1.9.0-88-g12059d956") + (version "1.9.0-104-gb5d77a48d") (source (origin (inherit (package-source libvpx)) (uri (git-reference @@ -427,7 +426,7 @@ (file-name (git-file-name "libvpx" version)) (sha256 (base32 - "14knnvfaskfz97vs3lfqrdpcbcx22s6qp16213wdnvnsf4c1lx1b")))))) + "07nkpx8myw5nd4bkaj6l4wr5ipk2c6lg9cwirz0i5qbr659051rk")))))) ;; 'make-ld-wrapper' can only work with an 'ld' executable, so we need ;; this trick to make it wrap 'lld'. @@ -457,17 +456,17 @@ (define-public ungoogled-chromium (package (name "ungoogled-chromium") - (version (string-append %chromium-version "-0." - (string-take %ungoogled-revision 7))) + (version %ungoogled-revision) (synopsis "Graphical web browser") (source (origin (method url-fetch) (uri (string-append "https://commondatastorage.googleapis.com" "/chromium-browser-official/chromium-" - %chromium-version ".tar.xz")) + (string-drop-right %ungoogled-revision 2) + ".tar.xz")) (sha256 (base32 - "10av060ix6lgsvv99lyvyy03r0m3zwdg4hddbi6dycrdxk1iyh9h")) + "16i7bgk2jbcqs2p28nk5mlf0k6wah594pcsfm8b154nxbyf0iihi")) (modules '((guix build utils))) (snippet (force ungoogled-chromium-snippet)))) (build-system gnu-build-system) @@ -488,9 +487,6 @@ ;; Use the "official" release optimizations, as opposed to ;; a developer build. "is_official_build=true" - (string-append "max_jobs_per_link=" - ;; Respect the default cap of 8 jobs. - (number->string (min 8 (parallel-job-count)))) "clang_use_chrome_plugins=false" "chrome_pgo_phase=0" "use_sysroot=false" @@ -533,7 +529,6 @@ "use_system_zlib=true" "use_gnome_keyring=false" ;deprecated by libsecret - "use_openh264=true" "use_pulseaudio=true" "link_pulseaudio=true" "icu_use_data_file=false" @@ -548,6 +543,10 @@ '("use_vaapi=true") '()) + "media_use_ffmpeg=true" + "media_use_libvpx=true" + "media_use_openh264=true" + ;; Do not artifically restrict formats supported by system ffmpeg. "proprietary_codecs=true" "ffmpeg_branding=\"Chrome\"" @@ -556,17 +555,15 @@ "rtc_use_h264=true" "rtc_use_pipewire=true" "rtc_link_pipewire=true" + "rtc_pipewire_version=\"0.3\"" ;; Don't use bundled sources. "rtc_build_json=true" ;FIXME: libc++ std::string ABI difference "rtc_build_libevent=false" "rtc_build_libvpx=false" "rtc_build_opus=false" - "rtc_build_ssl=false" "rtc_build_libsrtp=true" ;FIXME: fails to find headers "rtc_build_usrsctp=true" ;TODO: package this - (string-append "rtc_ssl_root=\"" - (assoc-ref %build-inputs "openssl") - "/include/openssl\"")) + "rtc_build_ssl=true") ;XXX: the bundled BoringSSL is required? #:phases (modify-phases %standard-phases (add-after 'unpack 'patch-stuff @@ -604,12 +601,6 @@ (("third_party/icu/source/(common|i18n)/") "")) - ;; Fix faulty ICU call. Likely fixed in M89. - (substitute* - "third_party/blink/renderer/platform/wtf/text/text_codec_icu.cc" - (("ideographicSpaceCharacter") - "kIdeographicSpaceCharacter")) - ;; XXX: Should be unnecessary when use_system_lcms2=true. (substitute* "third_party/pdfium/core/fxcodec/icc/iccmodule.h" (("include \"third_party/lcms/include/lcms2\\.h\"") @@ -865,11 +856,10 @@ ("nss" ,nss) ("openh264" ,openh264) ("openjpeg" ,openjpeg) ;PDFium only - ("openssl" ,openssl) ("opus" ,opus+custom) ("pango" ,pango) ("pciutils" ,pciutils) - ("pipewire" ,pipewire) + ("pipewire" ,pipewire-0.3) ("pulseaudio" ,pulseaudio) ("snappy" ,snappy) ("speech-dispatcher" ,speech-dispatcher) diff --git a/gnu/packages/patches/ungoogled-chromium-system-opus.patch b/gnu/packages/patches/ungoogled-chromium-system-opus.patch new file mode 100644 index 0000000000..6f887a31a4 --- /dev/null +++ b/gnu/packages/patches/ungoogled-chromium-system-opus.patch @@ -0,0 +1,27 @@ +Add missing build dependency on Opus so that system headers are found. + +Taken from upstream: +https://chromium-review.googlesource.com/c/chromium/src/+/2644623 + +diff --git a/third_party/blink/renderer/modules/webcodecs/BUILD.gn b/third_party/blink/renderer/modules/webcodecs/BUILD.gn +--- a/third_party/blink/renderer/modules/webcodecs/BUILD.gn ++++ b/third_party/blink/renderer/modules/webcodecs/BUILD.gn +@@ -65,6 +65,7 @@ blink_modules_sources("webcodecs") { + "//media/mojo/clients", + "//media/mojo/mojom", + "//third_party/libyuv:libyuv", ++ "//third_party/opus", + ] + if (media_use_openh264) { + deps += [ "//third_party/openh264:encoder" ] +diff --git a/third_party/blink/renderer/modules/webcodecs/DEPS b/third_party/blink/renderer/modules/webcodecs/DEPS +--- a/third_party/blink/renderer/modules/webcodecs/DEPS ++++ b/third_party/blink/renderer/modules/webcodecs/DEPS +@@ -19,6 +19,7 @@ include_rules = [ + + "+third_party/libyuv", + "+third_party/openh264", ++ "+third_party/opus", + + "+ui/gfx/color_space.h", + "+ui/gfx/geometry/rect.h", -- cgit 1.4.1 From 572528e7ddcf6af213c78e70eb60953a82b96a96 Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Fri, 19 Mar 2021 11:56:38 +0100 Subject: gnu: busybox: Fix CVE-2021-28831. * gnu/packages/patches/busybox-CVE-2021-28831.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/busybox.scm (busybox): Apply it. --- gnu/local.mk | 1 + gnu/packages/busybox.scm | 3 +- gnu/packages/patches/busybox-CVE-2021-28831.patch | 57 +++++++++++++++++++++++ 3 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/busybox-CVE-2021-28831.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index afd9c17f9c..8325c071bd 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -872,6 +872,7 @@ dist_patch_DATA = \ %D%/packages/patches/blender-2.79-python-3.7-fix.patch \ %D%/packages/patches/blender-2.79-python-3.8-fix.patch \ %D%/packages/patches/bpftrace-disable-bfd-disasm.patch \ + %D%/packages/patches/busybox-CVE-2021-28831.patch \ %D%/packages/patches/byobu-writable-status.patch \ %D%/packages/patches/cairo-CVE-2018-19876.patch \ %D%/packages/patches/cairo-CVE-2020-35492.patch \ diff --git a/gnu/packages/busybox.scm b/gnu/packages/busybox.scm index 5af67e084d..17c90c3c65 100644 --- a/gnu/packages/busybox.scm +++ b/gnu/packages/busybox.scm @@ -41,7 +41,8 @@ version ".tar.bz2")) (sha256 (base32 - "1vhd59qmrdyrr1q7rvxmyl96z192mxl089hi87yl0hcp6fyw8mwx")))) + "1vhd59qmrdyrr1q7rvxmyl96z192mxl089hi87yl0hcp6fyw8mwx")) + (patches (search-patches "busybox-CVE-2021-28831.patch")))) (build-system gnu-build-system) (arguments '(#:phases diff --git a/gnu/packages/patches/busybox-CVE-2021-28831.patch b/gnu/packages/patches/busybox-CVE-2021-28831.patch new file mode 100644 index 0000000000..da3107fbb1 --- /dev/null +++ b/gnu/packages/patches/busybox-CVE-2021-28831.patch @@ -0,0 +1,57 @@ +From f25d254dfd4243698c31a4f3153d4ac72aa9e9bd Mon Sep 17 00:00:00 2001 +From: Samuel Sapalski +Date: Wed, 3 Mar 2021 16:31:22 +0100 +Subject: decompress_gunzip: Fix DoS if gzip is corrupt + +On certain corrupt gzip files, huft_build will set the error bit on +the result pointer. If afterwards abort_unzip is called huft_free +might run into a segmentation fault or an invalid pointer to +free(p). + +In order to mitigate this, we check in huft_free if the error bit +is set and clear it before the linked list is freed. + +Signed-off-by: Samuel Sapalski +Signed-off-by: Peter Kaestle +Signed-off-by: Denys Vlasenko +--- + archival/libarchive/decompress_gunzip.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c +index eb3b64930..e93cd5005 100644 +--- a/archival/libarchive/decompress_gunzip.c ++++ b/archival/libarchive/decompress_gunzip.c +@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = { + * each table. + * t: table to free + */ ++#define BAD_HUFT(p) ((uintptr_t)(p) & 1) ++#define ERR_RET ((huft_t*)(uintptr_t)1) + static void huft_free(huft_t *p) + { + huft_t *q; + ++ /* ++ * If 'p' has the error bit set we have to clear it, otherwise we might run ++ * into a segmentation fault or an invalid pointer to free(p) ++ */ ++ if (BAD_HUFT(p)) { ++ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET)); ++ } ++ + /* Go through linked list, freeing from the malloced (t[-1]) address. */ + while (p) { + q = (--p)->v.t; +@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current + * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table + * is given: "fixed inflate" decoder feeds us such data. + */ +-#define BAD_HUFT(p) ((uintptr_t)(p) & 1) +-#define ERR_RET ((huft_t*)(uintptr_t)1) + static huft_t* huft_build(const unsigned *b, const unsigned n, + const unsigned s, const struct cp_ext *cp_ext, + unsigned *m) +-- +cgit v1.2.1 + -- cgit 1.4.1 From c4d616f7c665921e1329c75cd2d0cf05094b1306 Mon Sep 17 00:00:00 2001 From: Greg Hogan Date: Mon, 1 Feb 2021 14:01:11 +0000 Subject: gnu: abseil-cpp: Update to 20200923.3. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/cpp.scm (abseil-cpp): Update to 20200923.3. [arguments]: Enable external googletest. * gnu/packages/patches/abseil-cpp-fix.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. Signed-off-by: Ludovic Courtès --- gnu/local.mk | 1 + gnu/packages/cpp.scm | 7 +++++-- gnu/packages/patches/abseil-cpp-fix.patch | 16 ++++++++++++++++ 3 files changed, 22 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/abseil-cpp-fix.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 8325c071bd..c4535daae9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -786,6 +786,7 @@ dist_patch_DATA = \ %D%/packages/patches/abcl-fix-build-xml.patch \ %D%/packages/patches/ableton-link-system-libraries-debian.patch \ %D%/packages/patches/abiword-explictly-cast-bools.patch \ + %D%/packages/patches/abseil-cpp-fix.patch \ %D%/packages/patches/adb-add-libraries.patch \ %D%/packages/patches/aegis-constness-error.patch \ %D%/packages/patches/aegis-perl-tempdir1.patch \ diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm index 02a82091b8..ba361ba5ca 100644 --- a/gnu/packages/cpp.scm +++ b/gnu/packages/cpp.scm @@ -678,7 +678,7 @@ point and then, after each tween step, plugging back the result.") (define-public abseil-cpp (package (name "abseil-cpp") - (version "20200225.2") + (version "20200923.3") (source (origin (method git-fetch) (uri (git-reference @@ -687,11 +687,14 @@ point and then, after each tween step, plugging back the result.") (file-name (git-file-name name version)) (sha256 (base32 - "0dwxg54pv6ihphbia0iw65r64whd7v8nm4wwhcz219642cgpv54y")))) + "1p4djhm1f011ficbjjxx3n8428p8481p20j4glpaawnpsi362hkl")) + ;; Remove after next googletest release and update. + (patches (search-patches "abseil-cpp-fix.patch")))) (build-system cmake-build-system) (arguments `(#:configure-flags (list "-DBUILD_SHARED_LIBS=ON" "-DABSL_RUN_TESTS=ON" + "-DABSL_USE_EXTERNAL_GOOGLETEST=ON" ;; Needed, else we get errors like: ;; ;; ld: CMakeFiles/absl_periodic_sampler_test.dir/internal/periodic_sampler_test.cc.o: diff --git a/gnu/packages/patches/abseil-cpp-fix.patch b/gnu/packages/patches/abseil-cpp-fix.patch new file mode 100644 index 0000000000..38971448f3 --- /dev/null +++ b/gnu/packages/patches/abseil-cpp-fix.patch @@ -0,0 +1,16 @@ +The GTEST_ALLOW_UNINSTANTIATED_PARAMTERIZED_TEST macro was added to googletest +in commit 0b024bd9 on master. It has been used in an abseil-cpp release before +a googletest release. + +--- a/absl/container/internal/unordered_map_modifiers_test.h ++++ b/absl/container/internal/unordered_map_modifiers_test.h +@@ -286,7 +286,9 @@ class UniquePtrModifiersTest : public ::testing::Test { + } + }; + ++#ifdef GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST + GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(UniquePtrModifiersTest); ++#endif + + TYPED_TEST_SUITE_P(UniquePtrModifiersTest); + -- cgit 1.4.1 From 6457985e39d794c0f44d953d475aa19c41025d00 Mon Sep 17 00:00:00 2001 From: Greg Hogan Date: Thu, 11 Mar 2021 20:53:15 +0000 Subject: gnu: abseil-cpp: Patch sterror_test. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/patches/abseil-cpp-fix-gtest.patch: Renamed file. * gnu/packages/patches/abseil-cpp-fix-strerror_test.patch: New file. * gnu/local.mk (dist_patch_DATA): Rename / add files. * gnu/packages/cpp.scm (abseil-cpp)[source]: Use files. Signed-off-by: Ludovic Courtès --- gnu/local.mk | 3 +- gnu/packages/cpp.scm | 5 ++- gnu/packages/patches/abseil-cpp-fix-gtest.patch | 16 +++++++++ .../patches/abseil-cpp-fix-strerror_test.patch | 42 ++++++++++++++++++++++ gnu/packages/patches/abseil-cpp-fix.patch | 16 --------- 5 files changed, 64 insertions(+), 18 deletions(-) create mode 100644 gnu/packages/patches/abseil-cpp-fix-gtest.patch create mode 100644 gnu/packages/patches/abseil-cpp-fix-strerror_test.patch delete mode 100644 gnu/packages/patches/abseil-cpp-fix.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index c4535daae9..3d4147a879 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -786,7 +786,8 @@ dist_patch_DATA = \ %D%/packages/patches/abcl-fix-build-xml.patch \ %D%/packages/patches/ableton-link-system-libraries-debian.patch \ %D%/packages/patches/abiword-explictly-cast-bools.patch \ - %D%/packages/patches/abseil-cpp-fix.patch \ + %D%/packages/patches/abseil-cpp-fix-gtest.patch \ + %D%/packages/patches/abseil-cpp-fix-strerror_test.patch \ %D%/packages/patches/adb-add-libraries.patch \ %D%/packages/patches/aegis-constness-error.patch \ %D%/packages/patches/aegis-perl-tempdir1.patch \ diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm index ba361ba5ca..2233d2e993 100644 --- a/gnu/packages/cpp.scm +++ b/gnu/packages/cpp.scm @@ -689,7 +689,10 @@ point and then, after each tween step, plugging back the result.") (base32 "1p4djhm1f011ficbjjxx3n8428p8481p20j4glpaawnpsi362hkl")) ;; Remove after next googletest release and update. - (patches (search-patches "abseil-cpp-fix.patch")))) + (patches + (search-patches + "abseil-cpp-fix-gtest.patch" + "abseil-cpp-fix-strerror_test.patch")))) (build-system cmake-build-system) (arguments `(#:configure-flags (list "-DBUILD_SHARED_LIBS=ON" diff --git a/gnu/packages/patches/abseil-cpp-fix-gtest.patch b/gnu/packages/patches/abseil-cpp-fix-gtest.patch new file mode 100644 index 0000000000..38971448f3 --- /dev/null +++ b/gnu/packages/patches/abseil-cpp-fix-gtest.patch @@ -0,0 +1,16 @@ +The GTEST_ALLOW_UNINSTANTIATED_PARAMTERIZED_TEST macro was added to googletest +in commit 0b024bd9 on master. It has been used in an abseil-cpp release before +a googletest release. + +--- a/absl/container/internal/unordered_map_modifiers_test.h ++++ b/absl/container/internal/unordered_map_modifiers_test.h +@@ -286,7 +286,9 @@ class UniquePtrModifiersTest : public ::testing::Test { + } + }; + ++#ifdef GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST + GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(UniquePtrModifiersTest); ++#endif + + TYPED_TEST_SUITE_P(UniquePtrModifiersTest); + diff --git a/gnu/packages/patches/abseil-cpp-fix-strerror_test.patch b/gnu/packages/patches/abseil-cpp-fix-strerror_test.patch new file mode 100644 index 0000000000..726149b015 --- /dev/null +++ b/gnu/packages/patches/abseil-cpp-fix-strerror_test.patch @@ -0,0 +1,42 @@ +From e2b1bab19a782cb62bb010d1c2925ab7314fb113 Mon Sep 17 00:00:00 2001 +diff --git a/absl/base/internal/strerror.cc b/absl/base/internal/strerror.cc +index d66ba120..0d6226fd 100644 +--- a/absl/base/internal/strerror.cc ++++ b/absl/base/internal/strerror.cc +@@ -51,7 +51,6 @@ const char* StrErrorAdaptor(int errnum, char* buf, size_t buflen) { + } + + std::string StrErrorInternal(int errnum) { +- absl::base_internal::ErrnoSaver errno_saver; + char buf[100]; + const char* str = StrErrorAdaptor(errnum, buf, sizeof buf); + if (*str == '\0') { +@@ -76,6 +75,7 @@ std::array* NewStrErrorTable() { + } // namespace + + std::string StrError(int errnum) { ++ absl::base_internal::ErrnoSaver errno_saver; + static const auto* table = NewStrErrorTable(); + if (errnum >= 0 && errnum < static_cast(table->size())) { + return (*table)[errnum]; +diff --git a/absl/base/internal/strerror_test.cc b/absl/base/internal/strerror_test.cc +index a53da97f..e32d5b5c 100644 +--- a/absl/base/internal/strerror_test.cc ++++ b/absl/base/internal/strerror_test.cc +@@ -62,12 +62,14 @@ TEST(StrErrorTest, MultipleThreads) { + ++counter; + errno = ERANGE; + const std::string value = absl::base_internal::StrError(i); ++ // EXPECT_* could change errno. Stash it first. ++ int check_err = errno; ++ EXPECT_THAT(check_err, Eq(ERANGE)); + // Only the GNU implementation is guaranteed to provide the + // string "Unknown error nnn". POSIX doesn't say anything. + if (!absl::StartsWith(value, "Unknown error ")) { +- EXPECT_THAT(absl::base_internal::StrError(i), Eq(expected_strings[i])); ++ EXPECT_THAT(value, Eq(expected_strings[i])); + } +- EXPECT_THAT(errno, Eq(ERANGE)); + } + }; + diff --git a/gnu/packages/patches/abseil-cpp-fix.patch b/gnu/packages/patches/abseil-cpp-fix.patch deleted file mode 100644 index 38971448f3..0000000000 --- a/gnu/packages/patches/abseil-cpp-fix.patch +++ /dev/null @@ -1,16 +0,0 @@ -The GTEST_ALLOW_UNINSTANTIATED_PARAMTERIZED_TEST macro was added to googletest -in commit 0b024bd9 on master. It has been used in an abseil-cpp release before -a googletest release. - ---- a/absl/container/internal/unordered_map_modifiers_test.h -+++ b/absl/container/internal/unordered_map_modifiers_test.h -@@ -286,7 +286,9 @@ class UniquePtrModifiersTest : public ::testing::Test { - } - }; - -+#ifdef GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST - GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(UniquePtrModifiersTest); -+#endif - - TYPED_TEST_SUITE_P(UniquePtrModifiersTest); - -- cgit 1.4.1