From 1c9cea74b48348a24bbd38e51345c548255666e4 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sat, 7 Jan 2017 12:11:45 -0500 Subject: gnu: python-pygpgme: Fix build failure. * gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gnupg.scm (python-pygpgme, python2-pygpgme)[source]: Use it. --- gnu/local.mk | 1 + 1 file changed, 1 insertion(+) (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 1889a0ecd6..0c95279e3b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -829,6 +829,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-paste-remove-timing-test.patch \ %D%/packages/patches/python-pycrypto-CVE-2013-7459.patch \ %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \ + %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/quickswitch-fix-dmenu-check.patch \ %D%/packages/patches/rapicorn-isnan.patch \ -- cgit 1.4.1 From 6499893ef82b85e9ba67b9e086e82644b94a55bb Mon Sep 17 00:00:00 2001 From: Ben Woodcroft Date: Sun, 8 Jan 2017 10:18:41 +1000 Subject: gnu: ruby-yard: Update to 0.9.6. * gnu/packages/ruby.scm (ruby-yard): Update to 0.9.6. [source]: Use 'GitHub' source. [arguments]: Run tests without 'Rakefile'. [native-inputs]: Replace 'ruby-rspec-2' with ruby-rspec'. * gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - .../ruby-yard-fix-skip-of-markdown-tests.patch | 17 ------ gnu/packages/ruby.scm | 66 ++++++++++------------ 3 files changed, 31 insertions(+), 53 deletions(-) delete mode 100644 gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 0c95279e3b..49d9554910 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -844,7 +844,6 @@ dist_patch_DATA = \ %D%/packages/patches/ruby-puma-ignore-broken-test.patch \ %D%/packages/patches/ruby-rack-ignore-failing-test.patch \ %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\ - %D%/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch \ %D%/packages/patches/sed-hurd-path-max.patch \ %D%/packages/patches/scheme48-tests.patch \ %D%/packages/patches/scotch-test-threading.patch \ diff --git a/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch b/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch deleted file mode 100644 index f592f5cd51..0000000000 --- a/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch +++ /dev/null @@ -1,17 +0,0 @@ -The tests currently fail due to use of 'skip' rather than 'pending' to skip a -test usually not skipped by upstream. This patch has been proposed upstream -at https://github.com/lsegal/yard/pull/1033 - -diff --git a/spec/templates/helpers/html_helper_spec.rb b/spec/templates/helpers/html_helper_spec.rb -index 84624c3..9c4fc2b 100644 ---- a/spec/templates/helpers/html_helper_spec.rb -+++ b/spec/templates/helpers/html_helper_spec.rb -@@ -184,7 +184,7 @@ describe YARD::Templates::Helpers::HtmlHelper do - it "creates tables (markdown specific)" do - log.enter_level(Logger::FATAL) do - unless markup_class(:markdown).to_s == "RedcarpetCompat" -- skip "This test depends on a markdown engine that supports tables" -+ pending "This test depends on a markdown engine that supports tables" - end - end - diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 50dde3f48c..4a2a3c1d31 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm 
@@ -3049,44 +3049,40 @@ features such as filtering and fine grained logging.") (license license:expat))) (define-public ruby-yard - ;; Use git reference because gem is >100 commits out of date and the tests - ;; do not pass with the released gem. - (let ((commit "d816482a0d4850506c3bcccc9434550c536c28c6")) - (package - (name "ruby-yard") - (version (string-append "0.9.5-1." (string-take commit 8))) - (source - (origin - (method git-fetch) - (uri (git-reference - (url "https://github.com/lsegal/yard.git") - (commit commit))) - (file-name (string-append name "-" version "-checkout")) - (sha256 - (base32 - "1j16c85x22if7y0fzi3c900p9wzkx2riq1y7vsj92a0zvwsxai4i")) - (patches (search-patches "ruby-yard-fix-skip-of-markdown-tests.patch")))) - (build-system ruby-build-system) - (arguments - `(#:test-target "spec" - #:phases - (modify-phases %standard-phases - (add-before 'check 'set-HOME-and-disable-failing-test - (lambda _ - ;; $HOME needs to be set to somewhere writeable for tests to run - (setenv "HOME" "/tmp") - #t))))) - (native-inputs - `(("ruby-rspec" ,ruby-rspec-2) - ("ruby-rack" ,ruby-rack))) - (synopsis "Documentation generation tool for Ruby") - (description - "YARD is a documentation generation tool for the Ruby programming + (package + (name "ruby-yard") + (version "0.9.6") + (source + (origin + (method url-fetch) + ;; Tests do not pass if we build from the distributed gem. + (uri (string-append "https://github.com/lsegal/yard/archive/v" + version "tar.gz")) + (file-name (string-append name "-" version ".tar.gz")) + (sha256 + (base32 + "0rsz4bghgx7fryzyhlz8wlnd2m9xgyvf1xhrq58mnzfrrfm41bdg")))) + (build-system ruby-build-system) + (arguments + `(#:phases + (modify-phases %standard-phases + (replace 'check + (lambda _ + ;; $HOME needs to be set to somewhere writeable for tests to run + (setenv "HOME" "/tmp") + ;; Run tests without using 'rake' to avoid dependencies. + (zero? 
(system* "rspec"))))))) + (native-inputs + `(("ruby-rspec" ,ruby-rspec) + ("ruby-rack" ,ruby-rack))) + (synopsis "Documentation generation tool for Ruby") + (description + "YARD is a documentation generation tool for the Ruby programming language. It enables the user to generate consistent, usable documentation that can be exported to a number of formats very easily, and also supports extending for custom Ruby constructs such as custom class level definitions.") - (home-page "http://yardoc.org") - (license license:expat)))) + (home-page "http://yardoc.org") + (license license:expat))) (define-public ruby-clap (package -- cgit 1.4.1 From 78cef99b9812f1bb43708f84d316d286a1599bdf Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Sun, 8 Jan 2017 20:08:14 +0100 Subject: gnu: Add Prosody service. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/services/messaging.scm: New file. * gnu/services/configuration.scm: New exported procedures. * gnu/local.mk (GNU_SYSTEM_MODULES): Add gnu/services/messaging.scm. * doc/guix.texi (Messaging Services): New section. Signed-off-by: Ludovic Courtès --- doc/guix.texi | 393 +++++++++++++++++++++- gnu/local.mk | 1 + gnu/services/configuration.scm | 3 + gnu/services/messaging.scm | 726 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 1122 insertions(+), 1 deletion(-) create mode 100644 gnu/services/messaging.scm (limited to 'gnu/local.mk') diff --git a/doc/guix.texi b/doc/guix.texi index e52382e976..d46a7743d0 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
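Review bot: The new `uri` in the `source` field concatenates `version` and `"tar.gz"` with no separator, so the URL actually requested is `https://github.com/lsegal/yard/archive/v0.9.6tar.gz` rather than `.../v0.9.6.tar.gz`; the fix is `version ".tar.gz"` in the `string-append`. Because the origin pins a `sha256`, a wrong or altered archive fails the build loudly instead of being accepted, so this is a build-breaking typo rather than an integrity gap, but it should be corrected before merge. One supply-chain caveat worth a comment next to the `uri`: GitHub `archive/` tarballs are generated on demand and, as far as I know, are not guaranteed to stay byte-identical over time, so if the fetch later starts failing the hash should be re-verified against upstream rather than simply updated. The `replace 'check` phase also runs `rspec` unconditionally, ignoring any `#:tests?` setting a user might pass; consider guarding it with `(lambda* (#:key tests? #:allow-other-keys) (or (not tests?) ...))`. The whole `ruby-yard` definition is visible in the hunk.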
@@ -29,7 +29,8 @@ Copyright @copyright{} 2016 John Darrington@* Copyright @copyright{} 2016 ng0@* Copyright @copyright{} 2016 Jan Nieuwenhuizen@* Copyright @copyright{} 2016 Julien Lepiller@* -Copyright @copyright{} 2016 Alex ter Weele +Copyright @copyright{} 2016 Alex ter Weele@* +Copyright @copyright{} 2017 Clément Lassieur Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -204,6 +205,7 @@ Services * Desktop Services:: D-Bus and desktop services. * Database Services:: SQL databases. * Mail Services:: IMAP, POP3, SMTP, and all that. +* Messaging Services:: Messaging services. * Kerberos Services:: Kerberos services. * Web Services:: Web servers. * Network File System:: NFS related services. @@ -8110,6 +8112,7 @@ declaration. * Desktop Services:: D-Bus and desktop services. * Database Services:: SQL databases. * Mail Services:: IMAP, POP3, SMTP, and all that. +* Messaging Services:: Messaging services. * Kerberos Services:: Kerberos services. * Web Services:: Web servers. * Network File System:: NFS related services. 
@@ -11724,6 +11727,394 @@ remote servers. Run @command{man smtpd.conf} for more information. @end table @end deftp +@node Messaging Services +@subsubsection Messaging Services + +@cindex messaging +@cindex jabber +@cindex XMPP +The @code{(gnu services messaging)} module provides Guix service +definitions for messaging services: currently only Prosody is supported. + +@subsubheading Prosody Service + +@deffn {Scheme Variable} prosody-service-type +This is the type for the @uref{http://prosody.im, Prosody XMPP +communication server}. Its value must be a @code{prosody-configuration} +record as in this example: + +@example +(service prosody-service-type + (prosody-configuration + (modules-enabled (cons "groups" %default-modules-enabled)) + (int-components + (list + (int-component-configuration + (hostname "conference.example.net") + (plugin "muc") + (mod-muc (mod-muc-configuration))))) + (virtualhosts + (list + (virtualhost-configuration + (domain "example.net")))))) +@end example + +See below for details about @code{prosody-configuration}. + +@end deffn + +By default, Prosody does not need much configuration. Only one +@code{virtualhosts} field is needed: it specifies the domain you wish +Prosody to serve. + +Prosodyctl will help you generate X.509 certificates and keys: + +@example +prosodyctl cert request example.net +@end example + +The available configuration parameters follow. Each parameter +definition is preceded by its type; for example, @samp{string-list foo} +indicates that the @code{foo} parameter should be specified as a list of +strings. Types starting with @code{maybe-} denote parameters that won't +show up in @code{prosody.cfg.lua} when their value is @code{'disabled}. + +There is also a way to specify the configuration as a string, if you +have an old @code{prosody.cfg.lua} file that you want to port over from +some other system; see the end for more details. 
+ +@c The following documentation was initially generated by +@c (generate-documentation) in (gnu services messaging). Manually maintained +@c documentation is better, so we shouldn't hesitate to edit below as +@c needed. However if the change you want to make to this documentation +@c can be done in an automated way, it's probably easier to change +@c (generate-documentation) than to make it below and have to deal with +@c the churn as Prosody updates. + +Available @code{prosody-configuration} fields are: + +@deftypevr {@code{prosody-configuration} parameter} package prosody +The Prosody package. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} file-name data-path +Location of the Prosody data storage directory. See +@url{http://prosody.im/doc/configure}. +Defaults to @samp{"/var/lib/prosody"}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} file-name-list plugin-paths +Additional plugin directories. They are searched in all the specified +paths in order. See @url{http://prosody.im/doc/plugins_directory}. +Defaults to @samp{()}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} string-list admins +This is a list of accounts that are admins for the server. Note that you +must create the accounts separately. See @url{http://prosody.im/doc/admins} and +@url{http://prosody.im/doc/creating_accounts}. +Example: @code{(admins '("user1@@example.com" "user2@@example.net"))} +Defaults to @samp{()}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} boolean use-libevent? +Enable use of libevent for better performance under high load. See +@url{http://prosody.im/doc/libevent}. +Defaults to @samp{#f}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} module-list modules-enabled +This is the list of modules Prosody will load on startup. It looks for +@code{mod_modulename.lua} in the plugins folder, so make sure that exists too. 
+Documentation on modules can be found at: @url{http://prosody.im/doc/modules}. +Defaults to @samp{%default-modules-enabled}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} string-list modules-disabled +@samp{"offline"}, @samp{"c2s"} and @samp{"s2s"} are auto-loaded, but +should you want to disable them then add them to this list. +Defaults to @samp{()}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} file-name groups-file +Path to a text file where the shared groups are defined. If this path is +empty then @samp{mod_groups} does nothing. See +@url{http://prosody.im/doc/modules/mod_groups}. +Defaults to @samp{"/var/lib/prosody/sharedgroups.txt"}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} boolean allow-registration? +Disable account creation by default, for security. See +@url{http://prosody.im/doc/creating_accounts}. +Defaults to @samp{#f}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} maybe-ssl-configuration ssl +These are the SSL/TLS-related settings. Most of them are disabled so to +use Prosody's defaults. If you do not completely understand these options, do +not add them to your config, it is easy to lower the security of your server +using them. See @url{http://prosody.im/doc/advanced_ssl_config}. + +Available @code{ssl-configuration} fields are: + +@deftypevr {@code{ssl-configuration} parameter} maybe-string protocol +This determines what handshake to use. +@end deftypevr + +@deftypevr {@code{ssl-configuration} parameter} file-name key +Path to your private key file, relative to @code{/etc/prosody}. +Defaults to @samp{"/etc/prosody/certs/key.pem"}. +@end deftypevr + +@deftypevr {@code{ssl-configuration} parameter} file-name certificate +Path to your certificate file, relative to @code{/etc/prosody}. +Defaults to @samp{"/etc/prosody/certs/cert.pem"}. 
+@end deftypevr + +@deftypevr {@code{ssl-configuration} parameter} file-name capath +Path to directory containing root certificates that you wish Prosody to +trust when verifying the certificates of remote servers. +Defaults to @samp{"/etc/ssl/certs"}. +@end deftypevr + +@deftypevr {@code{ssl-configuration} parameter} maybe-file-name cafile +Path to a file containing root certificates that you wish Prosody to trust. +Similar to @code{capath} but with all certificates concatenated together. +@end deftypevr + +@deftypevr {@code{ssl-configuration} parameter} maybe-string-list verify +A list of verification options (these mostly map to OpenSSL's +@code{set_verify()} flags). +@end deftypevr + +@deftypevr {@code{ssl-configuration} parameter} maybe-string-list options +A list of general options relating to SSL/TLS. These map to OpenSSL's +@code{set_options()}. For a full list of options available in LuaSec, see the +LuaSec source. +@end deftypevr + +@deftypevr {@code{ssl-configuration} parameter} maybe-non-negative-integer depth +How long a chain of certificate authorities to check when looking for a +trusted root certificate. +@end deftypevr + +@deftypevr {@code{ssl-configuration} parameter} maybe-string ciphers +An OpenSSL cipher string. This selects what ciphers Prosody will offer to +clients, and in what order. +@end deftypevr + +@deftypevr {@code{ssl-configuration} parameter} maybe-file-name dhparam +A path to a file containing parameters for Diffie-Hellman key exchange. You +can create such a file with: +@code{openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048} +@end deftypevr + +@deftypevr {@code{ssl-configuration} parameter} maybe-string curve +Curve for Elliptic curve Diffie-Hellman. Prosody's default is +@samp{"secp384r1"}. +@end deftypevr + +@deftypevr {@code{ssl-configuration} parameter} maybe-string-list verifyext +A list of "extra" verification options. 
+@end deftypevr + +@deftypevr {@code{ssl-configuration} parameter} maybe-string password +Password for encrypted private keys. +@end deftypevr + +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} boolean c2s-require-encryption? +Whether to force all client-to-server connections to be encrypted or not. +See @url{http://prosody.im/doc/modules/mod_tls}. +Defaults to @samp{#f}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} boolean s2s-require-encryption? +Whether to force all server-to-server connections to be encrypted or not. +See @url{http://prosody.im/doc/modules/mod_tls}. +Defaults to @samp{#f}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} boolean s2s-secure-auth? +Whether to require encryption and certificate authentication. This +provides ideal security, but requires servers you communicate with to support +encryption AND present valid, trusted certificates. See +@url{http://prosody.im/doc/s2s#security}. +Defaults to @samp{#f}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} string-list s2s-insecure-domains +Many servers don't support encryption or have invalid or self-signed +certificates. You can list domains here that will not be required to +authenticate using certificates. They will be authenticated using DNS. See +@url{http://prosody.im/doc/s2s#security}. +Defaults to @samp{()}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} string-list s2s-secure-domains +Even if you leave @code{s2s-secure-auth?} disabled, you can still require +valid certificates for some domains by specifying a list here. See +@url{http://prosody.im/doc/s2s#security}. +Defaults to @samp{()}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} string authentication +Select the authentication backend to use. The default provider stores +passwords in plaintext and uses Prosody's configured data storage to store the +authentication data. 
If you do not trust your server please see +@url{http://prosody.im/doc/modules/mod_auth_internal_hashed} for information +about using the hashed backend. See also +@url{http://prosody.im/doc/authentication} +Defaults to @samp{"internal_plain"}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} maybe-string log +Set logging options. Advanced logging configuration is not yet supported +by the GuixSD Prosody Service. See @url{http://prosody.im/doc/logging}. +Defaults to @samp{"*syslog"}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} file-name pidfile +File to write pid in. See @url{http://prosody.im/doc/modules/mod_posix}. +Defaults to @samp{"/var/run/prosody/prosody.pid"}. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} virtualhost-configuration-list virtualhosts +A host in Prosody is a domain on which user accounts can be created. For +example if you want your users to have addresses like +@samp{"john.smith@@example.com"} then you need to add a host +@samp{"example.com"}. All options in this list will apply only to this host. + +Note: the name "virtual" host is used in configuration to avoid confusion with +the actual physical host that Prosody is installed on. A single Prosody +instance can serve many domains, each one defined as a VirtualHost entry in +Prosody's configuration. Conversely a server that hosts a single domain would +have just one VirtualHost entry. + +See @url{http://prosody.im/doc/configure#virtual_host_settings}. 
+ +Available @code{virtualhost-configuration} fields are: + +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, plus: +@deftypevr {@code{virtualhost-configuration} parameter} string domain +Domain you wish Prosody to serve. +@end deftypevr + +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} int-component-configuration-list int-components +Components are extra services on a server which are available to clients, +usually on a subdomain of the main server (such as +@samp{"mycomponent.example.com"}). Example components might be chatroom +servers, user directories, or gateways to other protocols. + +Internal components are implemented with Prosody-specific plugins. To add an +internal component, you simply fill the hostname field, and the plugin you wish +to use for the component. + +See @url{http://prosody.im/doc/components}. +Defaults to @samp{()}. + +Available @code{int-component-configuration} fields are: + +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, plus: +@deftypevr {@code{int-component-configuration} parameter} string hostname +Hostname of the component. +@end deftypevr + +@deftypevr {@code{int-component-configuration} parameter} string plugin +Plugin you wish to use for the component. 
+@end deftypevr + +@deftypevr {@code{int-component-configuration} parameter} maybe-mod-muc-configuration mod-muc +Multi-user chat (MUC) is Prosody's module for allowing you to create +hosted chatrooms/conferences for XMPP users. + +General information on setting up and using multi-user chatrooms can be found +in the "Chatrooms" documentation (@url{http://prosody.im/doc/chatrooms}), +which you should read if you are new to XMPP chatrooms. + +See also @url{http://prosody.im/doc/modules/mod_muc}. + +Available @code{mod-muc-configuration} fields are: + +@deftypevr {@code{mod-muc-configuration} parameter} string name +The name to return in service discovery responses. +Defaults to @samp{"Prosody Chatrooms"}. +@end deftypevr + +@deftypevr {@code{mod-muc-configuration} parameter} string-or-boolean restrict-room-creation +If @samp{#t}, this will only allow admins to create new chatrooms. +Otherwise anyone can create a room. The value @samp{"local"} restricts room +creation to users on the service's parent domain. E.g. @samp{user@@example.com} +can create rooms on @samp{rooms.example.com}. The value @samp{"admin"} +restricts to service administrators only. +Defaults to @samp{#f}. +@end deftypevr + +@deftypevr {@code{mod-muc-configuration} parameter} non-negative-integer max-history-messages +Maximum number of history messages that will be sent to the member that has +just joined the room. +Defaults to @samp{20}. +@end deftypevr + +@end deftypevr + +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} ext-component-configuration-list ext-components +External components use XEP-0114, which most standalone components +support. To add an external component, you simply fill the hostname field. See +@url{http://prosody.im/doc/components}. +Defaults to @samp{()}. 
+ +Available @code{ext-component-configuration} fields are: + +all these @code{prosody-configuration} fields: @code{admins}, @code{use-libevent?}, @code{modules-enabled}, @code{modules-disabled}, @code{groups-file}, @code{allow-registration?}, @code{ssl}, @code{c2s-require-encryption?}, @code{s2s-require-encryption?}, @code{s2s-secure-auth?}, @code{s2s-insecure-domains}, @code{s2s-secure-domains}, @code{authentication}, @code{log}, plus: +@deftypevr {@code{ext-component-configuration} parameter} string component-secret +Password which the component will use to log in. +@end deftypevr + +@deftypevr {@code{ext-component-configuration} parameter} string hostname +Hostname of the component. +@end deftypevr + +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} non-negative-integer-list component-ports +Port(s) Prosody listens on for component connections. +@end deftypevr + +@deftypevr {@code{prosody-configuration} parameter} string component-interface +Interface Prosody listens on for component connections. +Defaults to @samp{"127.0.0.1"}. +@end deftypevr + +It could be that you just want to get a @code{prosody.cfg.lua} +up and running. In that case, you can pass an +@code{opaque-prosody-configuration} record as the value of +@code{prosody-service-type}. As its name indicates, an opaque configuration +does not have easy reflective capabilities. +Available @code{opaque-prosody-configuration} fields are: + +@deftypevr {@code{opaque-prosody-configuration} parameter} package prosody +The prosody package. +@end deftypevr + +@deftypevr {@code{opaque-prosody-configuration} parameter} string prosody.cfg.lua +The contents of the @code{prosody.cfg.lua} to use. 
+@end deftypevr + +For example, if your @code{prosody.cfg.lua} is just the empty +string, you could instantiate a prosody service like this: + +@example +(service prosody-service-type + (opaque-prosody-configuration + (prosody.cfg.lua ""))) +@end example + @node Kerberos Services @subsubsection Kerberos Services @cindex Kerberos diff --git a/gnu/local.mk b/gnu/local.mk index 49d9554910..cc42a122de 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -414,6 +414,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/lirc.scm \ %D%/services/mail.scm \ %D%/services/mcron.scm \ + %D%/services/messaging.scm \ %D%/services/networking.scm \ %D%/services/nfs.scm \ %D%/services/shepherd.scm \ diff --git a/gnu/services/configuration.scm b/gnu/services/configuration.scm index 94c5f21557..a98db64fa5 100644 --- a/gnu/services/configuration.scm +++ b/gnu/services/configuration.scm @@ -28,10 +28,13 @@ #:use-module (srfi srfi-35) #:export (configuration-field configuration-field-name + configuration-field-type configuration-missing-field configuration-field-error configuration-field-serializer configuration-field-getter + configuration-field-default-value-thunk + configuration-field-documentation serialize-configuration define-configuration validate-configuration diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm new file mode 100644 index 0000000000..0b5aa1fae8 --- /dev/null +++ b/gnu/services/messaging.scm 
@@ -0,0 +1,726 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2017 Clément Lassieur +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services messaging) + #:use-module (gnu packages messaging) + #:use-module (gnu packages admin) + #:use-module (gnu services) + #:use-module (gnu services shepherd) + #:use-module (gnu services configuration) + #:use-module (gnu system shadow) + #:use-module (guix gexp) + #:use-module (guix records) + #:use-module (guix packages) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-35) + #:use-module (ice-9 match) + #:export (prosody-service-type + prosody-configuration + opaque-prosody-configuration + + virtualhost-configuration + int-component-configuration + ext-component-configuration + + mod-muc-configuration + ssl-configuration + + %default-modules-enabled)) + +;;; Commentary: +;;; +;;; Messaging services. +;;; +;;; Code: + +(define (id ctx . parts) + (datum->syntax ctx (apply symbol-append (map syntax->datum parts)))) + +(define-syntax define-maybe + (lambda (x) + (syntax-case x () + ((_ stem) + (with-syntax + ((stem? (id #'stem #'stem #'?)) + (maybe-stem? (id #'stem #'maybe- #'stem #'?)) + (serialize-stem (id #'stem #'serialize- #'stem)) + (serialize-maybe-stem (id #'stem #'serialize-maybe- #'stem))) + #'(begin + (define (maybe-stem? val) + (or (eq? 
val 'disabled) (stem? val))) + (define (serialize-maybe-stem field-name val) + (when (stem? val) (serialize-stem field-name val))))))))) + +(define-syntax define-all-configurations + (lambda (stx) + (define (make-pred arg) + (lambda (field target) + (and (memq (syntax->datum target) `(common ,arg)) field))) + (syntax-case stx () + ((_ stem (field (field-type def) doc target) ...) + (with-syntax (((new-field-type ...) + (map (lambda (field-type target) + (if (and (eq? 'common (syntax->datum target)) + (not (string-prefix? + "maybe-" + (symbol->string + (syntax->datum field-type))))) + (id #'stem #'maybe- field-type) field-type)) + #'(field-type ...) #'(target ...))) + ((new-def ...) + (map (lambda (def target) + (if (eq? 'common (syntax->datum target)) + #''disabled def)) + #'(def ...) #'(target ...))) + ((new-doc ...) + (map (lambda (doc target) + (if (eq? 'common (syntax->datum target)) + "" doc)) + #'(doc ...) #'(target ...)))) + #`(begin + (define common-fields + '(#,@(filter-map (make-pred #f) #'(field ...) #'(target ...)))) + (define-configuration prosody-configuration + #,@(filter-map (make-pred 'global) + #'((field (field-type def) doc) ...) + #'(target ...))) + (define-configuration virtualhost-configuration + #,@(filter-map (make-pred 'virtualhost) + #'((field (new-field-type new-def) new-doc) ...) + #'(target ...))) + (define-configuration int-component-configuration + #,@(filter-map (make-pred 'int-component) + #'((field (new-field-type new-def) new-doc) ...) + #'(target ...))) + (define-configuration ext-component-configuration + #,@(filter-map (make-pred 'ext-component) + #'((field (new-field-type new-def) new-doc) ...) + #'(target ...))))))))) + +(define (uglify-field-name field-name) + (let ((str (symbol->string field-name))) + (string-join (string-split (if (string-suffix? "?" 
str) + (substring str 0 (1- (string-length str))) + str) + #\-) + "_"))) + +(define (serialize-field field-name val) + (format #t "~a = ~a;\n" (uglify-field-name field-name) val)) +(define (serialize-field-list field-name val) + (serialize-field field-name + (with-output-to-string + (lambda () + (format #t "{\n") + (for-each (lambda (x) + (format #t "~a;\n" x)) + val) + (format #t "}"))))) + +(define (serialize-boolean field-name val) + (serialize-field field-name (if val "true" "false"))) +(define-maybe boolean) + +(define (string-or-boolean? val) + (or (string? val) (boolean? val))) +(define (serialize-string-or-boolean field-name val) + (if (string? val) + (serialize-string field-name val) + (serialize-boolean field-name val))) + +(define (non-negative-integer? val) + (and (exact-integer? val) (not (negative? val)))) +(define (serialize-non-negative-integer field-name val) + (serialize-field field-name val)) +(define-maybe non-negative-integer) + +(define (non-negative-integer-list? val) + (and (list? val) (and-map non-negative-integer? val))) +(define (serialize-non-negative-integer-list field-name val) + (serialize-field-list field-name val)) +(define-maybe non-negative-integer-list) + +(define (enclose-quotes s) + (format #f "\"~a\"" s)) +(define (serialize-string field-name val) + (serialize-field field-name (enclose-quotes val))) +(define-maybe string) + +(define (string-list? val) + (and (list? val) + (and-map (lambda (x) + (and (string? x) (not (string-index x #\,)))) + val))) +(define (serialize-string-list field-name val) + (serialize-field-list field-name (map enclose-quotes val))) +(define-maybe string-list) + +(define (module-list? val) + (string-list? val)) +(define (serialize-module-list field-name val) + (serialize-string-list field-name (cons "posix" val))) +(define-maybe module-list) + +(define (file-name? val) + (and (string? val) + (string-prefix? 
"/" val))) +(define (serialize-file-name field-name val) + (serialize-string field-name val)) +(define-maybe file-name) + +(define (file-name-list? val) + (and (list? val) (and-map file-name? val))) +(define (serialize-file-name-list field-name val) + (serialize-string-list field-name val)) +(define-maybe file-name) + +(define-configuration mod-muc-configuration + (name + (string "Prosody Chatrooms") + "The name to return in service discovery responses.") + + (restrict-room-creation + (string-or-boolean #f) + "If @samp{#t}, this will only allow admins to create new chatrooms. +Otherwise anyone can create a room. The value @samp{\"local\"} restricts room +creation to users on the service's parent domain. E.g. @samp{user@@example.com} +can create rooms on @samp{rooms.example.com}. The value @samp{\"admin\"} +restricts to service administrators only.") + + (max-history-messages + (non-negative-integer 20) + "Maximum number of history messages that will be sent to the member that has +just joined the room.")) +(define (serialize-mod-muc-configuration field-name val) + (serialize-configuration val mod-muc-configuration-fields)) +(define-maybe mod-muc-configuration) + +(define-configuration ssl-configuration + (protocol + (maybe-string 'disabled) + "This determines what handshake to use.") + + (key + (file-name "/etc/prosody/certs/key.pem") + "Path to your private key file, relative to @code{/etc/prosody}.") + + (certificate + (file-name "/etc/prosody/certs/cert.pem") + "Path to your certificate file, relative to @code{/etc/prosody}.") + + (capath + (file-name "/etc/ssl/certs") + "Path to directory containing root certificates that you wish Prosody to +trust when verifying the certificates of remote servers.") + + (cafile + (maybe-file-name 'disabled) + "Path to a file containing root certificates that you wish Prosody to trust. 
+Similar to @code{capath} but with all certificates concatenated together.") + + (verify + (maybe-string-list 'disabled) + "A list of verification options (these mostly map to OpenSSL's +@code{set_verify()} flags).") + + (options + (maybe-string-list 'disabled) + "A list of general options relating to SSL/TLS. These map to OpenSSL's +@code{set_options()}. For a full list of options available in LuaSec, see the +LuaSec source.") + + (depth + (maybe-non-negative-integer 'disabled) + "How long a chain of certificate authorities to check when looking for a +trusted root certificate.") + + (ciphers + (maybe-string 'disabled) + "An OpenSSL cipher string. This selects what ciphers Prosody will offer to +clients, and in what order.") + + (dhparam + (maybe-file-name 'disabled) + "A path to a file containing parameters for Diffie-Hellman key exchange. You +can create such a file with: +@code{openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048}") + + (curve + (maybe-string 'disabled) + "Curve for Elliptic curve Diffie-Hellman. Prosody's default is +@samp{\"secp384r1\"}.") + + (verifyext + (maybe-string-list 'disabled) + "A list of \"extra\" verification options.") + + (password + (maybe-string 'disabled) + "Password for encrypted private keys.")) +(define (serialize-ssl-configuration field-name val) + (format #t "ssl = {\n") + (serialize-configuration val ssl-configuration-fields) + (format #t "};\n")) +(define-maybe ssl-configuration) + +(define %default-modules-enabled + '("roster" + "saslauth" + "tls" + "dialback" + "disco" + "private" + "vcard" + "version" + "uptime" + "time" + "ping" + "pep" + "register" + "admin_adhoc")) + +;; Guile bug. Use begin wrapper, because otherwise virtualhost-configuration +;; is assumed to be a function. See +;; https://www.gnu.org/software/guile/manual/html_node/R6RS-Incompatibilities.html +(begin + (define (virtualhost-configuration-list? val) + (and (list? val) (and-map virtualhost-configuration? 
val))) + (define (serialize-virtualhost-configuration-list l) + (for-each + (lambda (val) (serialize-virtualhost-configuration val)) l)) + + (define (int-component-configuration-list? val) + (and (list? val) (and-map int-component-configuration? val))) + (define (serialize-int-component-configuration-list l) + (for-each + (lambda (val) (serialize-int-component-configuration val)) l)) + + (define (ext-component-configuration-list? val) + (and (list? val) (and-map ext-component-configuration? val))) + (define (serialize-ext-component-configuration-list l) + (for-each + (lambda (val) (serialize-ext-component-configuration val)) l)) + + (define-all-configurations prosody-configuration + (prosody + (package prosody) + "The Prosody package." + global) + + (data-path + (file-name "/var/lib/prosody") + "Location of the Prosody data storage directory. See +@url{http://prosody.im/doc/configure}." + global) + + (plugin-paths + (file-name-list '()) + "Additional plugin directories. They are searched in all the specified +paths in order. See @url{http://prosody.im/doc/plugins_directory}." + global) + + (admins + (string-list '()) + "This is a list of accounts that are admins for the server. Note that you +must create the accounts separately. See @url{http://prosody.im/doc/admins} and +@url{http://prosody.im/doc/creating_accounts}. +Example: @code{(admins '(\"user1@@example.com\" \"user2@@example.net\"))}" + common) + + (use-libevent? + (boolean #f) + "Enable use of libevent for better performance under high load. See +@url{http://prosody.im/doc/libevent}." + common) + + (modules-enabled + (module-list %default-modules-enabled) + "This is the list of modules Prosody will load on startup. It looks for +@code{mod_modulename.lua} in the plugins folder, so make sure that exists too. +Documentation on modules can be found at: @url{http://prosody.im/doc/modules}. +Defaults to @samp{%default-modules-enabled}." 
+ common) + + (modules-disabled + (string-list '()) + "@samp{\"offline\"}, @samp{\"c2s\"} and @samp{\"s2s\"} are auto-loaded, but +should you want to disable them then add them to this list." + common) + + (groups-file + (file-name "/var/lib/prosody/sharedgroups.txt") + "Path to a text file where the shared groups are defined. If this path is +empty then @samp{mod_groups} does nothing. See +@url{http://prosody.im/doc/modules/mod_groups}." + common) + + (allow-registration? + (boolean #f) + "Disable account creation by default, for security. See +@url{http://prosody.im/doc/creating_accounts}." + common) + + (ssl + (maybe-ssl-configuration (ssl-configuration)) + "These are the SSL/TLS-related settings. Most of them are disabled so to +use Prosody's defaults. If you do not completely understand these options, do +not add them to your config, it is easy to lower the security of your server +using them. See @url{http://prosody.im/doc/advanced_ssl_config}." + common) + + (c2s-require-encryption? + (boolean #f) + "Whether to force all client-to-server connections to be encrypted or not. +See @url{http://prosody.im/doc/modules/mod_tls}." + common) + + (s2s-require-encryption? + (boolean #f) + "Whether to force all server-to-server connections to be encrypted or not. +See @url{http://prosody.im/doc/modules/mod_tls}." + common) + + (s2s-secure-auth? + (boolean #f) + "Whether to require encryption and certificate authentication. This +provides ideal security, but requires servers you communicate with to support +encryption AND present valid, trusted certificates. See +@url{http://prosody.im/doc/s2s#security}." + common) + + (s2s-insecure-domains + (string-list '()) + "Many servers don't support encryption or have invalid or self-signed +certificates. You can list domains here that will not be required to +authenticate using certificates. They will be authenticated using DNS. See +@url{http://prosody.im/doc/s2s#security}." 
+ common) + + (s2s-secure-domains + (string-list '()) + "Even if you leave @code{s2s-secure-auth?} disabled, you can still require +valid certificates for some domains by specifying a list here. See +@url{http://prosody.im/doc/s2s#security}." + common) + + (authentication + (string "internal_plain") + "Select the authentication backend to use. The default provider stores +passwords in plaintext and uses Prosody's configured data storage to store the +authentication data. If you do not trust your server please see +@url{http://prosody.im/doc/modules/mod_auth_internal_hashed} for information +about using the hashed backend. See also +@url{http://prosody.im/doc/authentication}" + common) + + ;; TODO: Handle more complicated log structures. + (log + (maybe-string "*syslog") + "Set logging options. Advanced logging configuration is not yet supported +by the GuixSD Prosody Service. See @url{http://prosody.im/doc/logging}." + common) + + (pidfile + (file-name "/var/run/prosody/prosody.pid") + "File to write pid in. See @url{http://prosody.im/doc/modules/mod_posix}." + global) + + (virtualhosts + (virtualhost-configuration-list + (list (virtualhost-configuration + (domain "localhost")))) + "A host in Prosody is a domain on which user accounts can be created. For +example if you want your users to have addresses like +@samp{\"john.smith@@example.com\"} then you need to add a host +@samp{\"example.com\"}. All options in this list will apply only to this host. + +Note: the name \"virtual\" host is used in configuration to avoid confusion with +the actual physical host that Prosody is installed on. A single Prosody +instance can serve many domains, each one defined as a VirtualHost entry in +Prosody's configuration. Conversely a server that hosts a single domain would +have just one VirtualHost entry. + +See @url{http://prosody.im/doc/configure#virtual_host_settings}." 
+ global) + + (int-components + (int-component-configuration-list '()) + "Components are extra services on a server which are available to clients, +usually on a subdomain of the main server (such as +@samp{\"mycomponent.example.com\"}). Example components might be chatroom +servers, user directories, or gateways to other protocols. + +Internal components are implemented with Prosody-specific plugins. To add an +internal component, you simply fill the hostname field, and the plugin you wish +to use for the component. + +See @url{http://prosody.im/doc/components}." + global) + + (ext-components + (ext-component-configuration-list '()) + "External components use XEP-0114, which most standalone components +support. To add an external component, you simply fill the hostname field. See +@url{http://prosody.im/doc/components}." + global) + + (component-secret + (string (configuration-missing-field 'ext-component 'component-secret)) + "Password which the component will use to log in." + ext-component) + + (component-ports + (non-negative-integer-list '(5347)) + "Port(s) Prosody listens on for component connections." + global) + + (component-interface + (string "127.0.0.1") + "Interface Prosody listens on for component connections." + global) + + (domain + (string (configuration-missing-field 'virtualhost 'domain)) + "Domain you wish Prosody to serve." + virtualhost) + + (hostname + (string (configuration-missing-field 'int-component 'hostname)) + "Hostname of the component." + int-component) + + (plugin + (string (configuration-missing-field 'int-component 'plugin)) + "Plugin you wish to use for the component." + int-component) + + (mod-muc + (maybe-mod-muc-configuration 'disabled) + "Multi-user chat (MUC) is Prosody's module for allowing you to create +hosted chatrooms/conferences for XMPP users. 
+ +General information on setting up and using multi-user chatrooms can be found +in the \"Chatrooms\" documentation (@url{http://prosody.im/doc/chatrooms}), +which you should read if you are new to XMPP chatrooms. + +See also @url{http://prosody.im/doc/modules/mod_muc}." + int-component) + + (hostname + (string (configuration-missing-field 'ext-component 'hostname)) + "Hostname of the component." + ext-component))) + +;; Serialize Virtualhost line first. +(define (serialize-virtualhost-configuration config) + (define (rest? field) + (not (memq (configuration-field-name field) + '(domain)))) + (let ((domain (virtualhost-configuration-domain config)) + (rest (filter rest? virtualhost-configuration-fields))) + (format #t "VirtualHost \"~a\"\n" domain) + (serialize-configuration config rest))) + +;; Serialize Component line first. +(define (serialize-int-component-configuration config) + (define (rest? field) + (not (memq (configuration-field-name field) + '(hostname plugin)))) + (let ((hostname (int-component-configuration-hostname config)) + (plugin (int-component-configuration-plugin config)) + (rest (filter rest? int-component-configuration-fields))) + (format #t "Component \"~a\" \"~a\"\n" hostname plugin) + (serialize-configuration config rest))) + +;; Serialize Component line first. +(define (serialize-ext-component-configuration config) + (define (rest? field) + (not (memq (configuration-field-name field) + '(hostname)))) + (let ((hostname (ext-component-configuration-hostname config)) + (rest (filter rest? ext-component-configuration-fields))) + (format #t "Component \"~a\"\n" hostname) + (serialize-configuration config rest))) + +;; Serialize virtualhosts and components last. +(define (serialize-prosody-configuration config) + (define (rest? field) + (not (memq (configuration-field-name field) + '(virtualhosts int-components ext-components)))) + (let ((rest (filter rest? 
prosody-configuration-fields))) + (serialize-configuration config rest)) + (serialize-virtualhost-configuration-list + (prosody-configuration-virtualhosts config)) + (serialize-int-component-configuration-list + (prosody-configuration-int-components config)) + (serialize-ext-component-configuration-list + (prosody-configuration-ext-components config))) + +(define-configuration opaque-prosody-configuration + (prosody + (package prosody) + "The prosody package.") + + (prosody.cfg.lua + (string (configuration-missing-field 'opaque-prosody-configuration + 'prosody.cfg.lua)) + "The contents of the @code{prosody.cfg.lua} to use.")) + +(define (prosody-shepherd-service config) + "Return a for Prosody with CONFIG." + (let* ((prosody (if (opaque-prosody-configuration? config) + (opaque-prosody-configuration-prosody config) + (prosody-configuration-prosody config))) + (prosodyctl-bin (file-append prosody "/bin/prosodyctl")) + (prosodyctl-action (lambda args + #~(lambda _ + (zero? (system* #$prosodyctl-bin #$@args)))))) + (list (shepherd-service + (documentation "Run the Prosody XMPP server") + (provision '(prosody)) + (requirement '(networking syslogd user-processes)) + (start (prosodyctl-action "start")) + (stop (prosodyctl-action "stop")))))) + +(define %prosody-accounts + (list (user-group (name "prosody") (system? #t)) + (user-account + (name "prosody") + (group "prosody") + (system? #t) + (comment "Prosody daemon user") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin"))))) + +(define (prosody-activation config) + "Return the activation gexp for CONFIG." + (let* ((config-dir "/etc/prosody") + (default-certs-dir "/etc/prosody/certs") + (data-path (prosody-configuration-data-path config)) + (pidfile-dir (dirname (prosody-configuration-pidfile config))) + (config-str + (if (opaque-prosody-configuration? 
config) + (opaque-prosody-configuration-prosody.cfg.lua config) + (with-output-to-string + (lambda () + (serialize-prosody-configuration config))))) + (config-file (plain-file "prosody.cfg.lua" config-str))) + #~(begin + (define %user (getpw "prosody")) + + (mkdir-p #$config-dir) + (chown #$config-dir (passwd:uid %user) (passwd:gid %user)) + (copy-file #$config-file (string-append #$config-dir + "/prosody.cfg.lua")) + + (mkdir-p #$default-certs-dir) + (chown #$default-certs-dir (passwd:uid %user) (passwd:gid %user)) + (chmod #$default-certs-dir #o750) + + (mkdir-p #$data-path) + (chown #$data-path (passwd:uid %user) (passwd:gid %user)) + (chmod #$data-path #o750) + + (mkdir-p #$pidfile-dir) + (chown #$pidfile-dir (passwd:uid %user) (passwd:gid %user))))) + +(define prosody-service-type + (service-type (name 'prosody) + (extensions + (list (service-extension shepherd-root-service-type + prosody-shepherd-service) + (service-extension account-service-type + (const %prosody-accounts)) + (service-extension activation-service-type + prosody-activation))))) + +;; A little helper to make it easier to document all those fields. +(define (generate-documentation) + (define documentation + `((prosody-configuration + ,prosody-configuration-fields + (ssl ssl-configuration) + (virtualhosts virtualhost-configuration) + (int-components int-component-configuration) + (ext-components ext-component-configuration)) + (ssl-configuration ,ssl-configuration-fields) + (int-component-configuration ,int-component-configuration-fields + (mod-muc mod-muc-configuration)) + (ext-component-configuration ,ext-component-configuration-fields) + (mod-muc-configuration ,mod-muc-configuration-fields) + (virtualhost-configuration ,virtualhost-configuration-fields) + (opaque-prosody-configuration ,opaque-prosody-configuration-fields))) + (define (generate configuration-name) + (match (assq-ref documentation configuration-name) + ((fields . 
sub-documentation) + (format #t "\nAvailable @code{~a} fields are:\n\n" configuration-name) + (when (memq configuration-name + '(virtualhost-configuration + int-component-configuration + ext-component-configuration)) + (format #t "all these @code{prosody-configuration} fields: ~a, plus:\n" + (string-join (map (lambda (s) + (format #f "@code{~a}" s)) common-fields) + ", "))) + (for-each + (lambda (f) + (let ((field-name (configuration-field-name f)) + (field-type (configuration-field-type f)) + (field-docs (string-trim-both + (configuration-field-documentation f))) + (default (catch #t + (configuration-field-default-value-thunk f) + (lambda _ 'nope)))) + (define (escape-chars str chars escape) + (with-output-to-string + (lambda () + (string-for-each (lambda (c) + (when (char-set-contains? chars c) + (display escape)) + (display c)) + str)))) + (define (show-default? val) + (or (string? default) (number? default) (boolean? default) + (and (list? val) (and-map show-default? val)))) + (format #t "@deftypevr {@code{~a} parameter} ~a ~a\n~a\n" + configuration-name field-type field-name field-docs) + (when (show-default? default) + (format #t "Defaults to @samp{~a}.\n" + (escape-chars (format #f "~s" default) + (char-set #\@ #\{ #\}) + #\@))) + (for-each generate (or (assq-ref sub-documentation field-name) '())) + (format #t "@end deftypevr\n\n"))) + (filter (lambda (f) + (not (string=? "" (configuration-field-documentation f)))) + fields))))) + (generate 'prosody-configuration) + (format #t "It could be that you just want to get a @code{prosody.cfg.lua} +up and running. In that case, you can pass an +@code{opaque-prosody-configuration} record as the value of +@code{prosody-service-type}. 
As its name indicates, an opaque configuration +does not have easy reflective capabilities.") + (generate 'opaque-prosody-configuration) + (format #t "For example, if your @code{prosody.cfg.lua} is just the empty +string, you could instantiate a prosody service like this: + +@example +(service prosody-service-type + (opaque-prosody-configuration + (prosody.cfg.lua \"\"))) +@end example")) -- cgit 1.4.1 From 84aafbbb664925ed1a9de3e53238bc54c743a968 Mon Sep 17 00:00:00 2001 From: José Miguel Sánchez García Date: Mon, 9 Jan 2017 18:15:37 +0100 Subject: gnu: Add nim. * gnu/packages/nim.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add nim.scm. --- gnu/local.mk | 1 + gnu/packages/nim.scm | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 gnu/packages/nim.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index cc42a122de..a7b917e6e7 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -272,6 +272,7 @@ GNU_SYSTEM_MODULES = \ %D%/packages/networking.scm \ %D%/packages/nfs.scm \ %D%/packages/nickle.scm \ + %D%/packages/nim.scm \ %D%/packages/ninja.scm \ %D%/packages/node.scm \ %D%/packages/noweb.scm \ diff --git a/gnu/packages/nim.scm b/gnu/packages/nim.scm new file mode 100644 index 0000000000..c249e2be93 --- /dev/null +++ b/gnu/packages/nim.scm 
@@ -0,0 +1,59 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2017 José Miguel Sánchez García
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see .
+
+(define-module (gnu packages nim)
+ #:use-module (guix build-system gnu)
+ #:use-module (guix download)
+ #:use-module ((guix licenses) #:prefix license:)
+ #:use-module (guix packages))
+
+(define-public nim
+ (package
+ (name "nim")
+ (version "0.16.0")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "http://nim-lang.org/download/"
+ name "-" version ".tar.xz"))
+ (sha256
+ (base32
+ "0rsibhkc5n548bn9yyb9ycrdgaph5kq84sfxc9gabjs7pqirh6cy"))))
+ (build-system gnu-build-system)
+ (arguments
+ `(#:tests? #f ; No tests.
+ #:phases
+ (modify-phases %standard-phases
+ (delete 'configure)
+ (add-after 'unpack 'patch-installer
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let ((out (assoc-ref outputs "out")))
+ (substitute* "install.sh"
+ (("1/nim") "1"))
+ #t)))
+ (replace 'install
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let ((out (assoc-ref outputs "out")))
+ (zero? (system* "./install.sh" out))))))))
+ (home-page "http://nim-lang.org")
+ (synopsis "Statically-typed, imperative programming language")
+ (description "Nim (formerly known as Nimrod) is a statically-typed,
+imperative programming language that tries to give the programmer ultimate power
+without compromises on runtime efficiency. This means it focuses on compile-time
+mechanisms in all their various forms.")
+ (license license:expat)))
-- cgit 1.4.1
From 4b96149d8b199048aa526159120d14a44d6ee054 Mon Sep 17 00:00:00 2001
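Review bot: In the `patch-installer` phase, `out` is bound from `outputs` but never used, so the `let` and the `#:key outputs` argument are dead; `(lambda _ (substitute* "install.sh" (("1/nim") "1")) #t)` does the same work. The substitution itself carries no comment saying which path it rewrites; a line such as `;; Keep install.sh from nesting the install tree under an extra "nim" directory` would help, presumably that is the intent, confirm against install.sh. The source `uri` and `home-page` use plain `http://`; the sha256 pins the tarball's integrity, so the fetch is not tamperable, but fetching over `https://` would also keep the transfer private if the host serves it. `#:tests? #f ; No tests.` states its reason inline, which is the right habit.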
From: Leo Famulari Date: Tue, 10 Jan 2017 03:22:33 -0500 Subject: gnu: libtiff: Fix CVE-2016-{10092,10093,10094} and others. * gnu/packages/patches/libtiff-CVE-2016-10092.patch, gnu/packages/patches/libtiff-CVE-2016-10093.patch, gnu/packages/patches/libtiff-CVE-2016-10094.patch, gnu/packages/patches/libtiff-assertion-failure.patch, gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch, gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch, gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch, gnu/packages/patches/libtiff-divide-by-zero.patch, gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch, gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch, gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch, gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch, gnu/packages/patches/libtiff-invalid-read.patch, gnu/packages/patches/libtiff-null-dereference.patch, gnu/packages/patches/libtiff-tiffcp-underflow.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/image.scm (libtiff)[replacement]: New field. (libtiff/fixed): New variable. 
--- gnu/local.mk | 15 +++ gnu/packages/image.scm | 24 ++++ gnu/packages/patches/libtiff-CVE-2016-10092.patch | 42 +++++++ gnu/packages/patches/libtiff-CVE-2016-10093.patch | 53 +++++++++ gnu/packages/patches/libtiff-CVE-2016-10094.patch | 34 ++++++ .../patches/libtiff-assertion-failure.patch | 60 ++++++++++ .../patches/libtiff-divide-by-zero-ojpeg.patch | 63 ++++++++++ .../patches/libtiff-divide-by-zero-tiffcp.patch | 104 ++++++++++++++++ .../patches/libtiff-divide-by-zero-tiffcrop.patch | 57 +++++++++ gnu/packages/patches/libtiff-divide-by-zero.patch | 67 +++++++++++ .../libtiff-heap-overflow-pixarlog-luv.patch | 131 ++++++++++++++++++++ .../libtiff-heap-overflow-tif-dirread.patch | 132 +++++++++++++++++++++ .../patches/libtiff-heap-overflow-tiffcp.patch | 67 +++++++++++ .../patches/libtiff-heap-overflow-tiffcrop.patch | 60 ++++++++++ gnu/packages/patches/libtiff-invalid-read.patch | 64 ++++++++++ .../patches/libtiff-null-dereference.patch | 42 +++++++ .../patches/libtiff-tiffcp-underflow.patch | 41 +++++++ 17 files changed, 1056 insertions(+) create mode 100644 gnu/packages/patches/libtiff-CVE-2016-10092.patch create mode 100644 gnu/packages/patches/libtiff-CVE-2016-10093.patch create mode 100644 gnu/packages/patches/libtiff-CVE-2016-10094.patch create mode 100644 gnu/packages/patches/libtiff-assertion-failure.patch create mode 100644 gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch create mode 100644 gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch create mode 100644 gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch create mode 100644 gnu/packages/patches/libtiff-divide-by-zero.patch create mode 100644 gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch create mode 100644 gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch create mode 100644 gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch create mode 100644 gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch create mode 100644 
gnu/packages/patches/libtiff-invalid-read.patch
create mode 100644 gnu/packages/patches/libtiff-null-dereference.patch
create mode 100644 gnu/packages/patches/libtiff-tiffcp-underflow.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index a7b917e6e7..e34ae17796 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -683,6 +683,21 @@ dist_patch_DATA = \
 %D%/packages/patches/libssh-0.6.5-CVE-2016-0739.patch \
 %D%/packages/patches/libtar-CVE-2013-4420.patch \
 %D%/packages/patches/libtheora-config-guess.patch \
+ %D%/packages/patches/libtiff-CVE-2016-10092.patch \
+ %D%/packages/patches/libtiff-CVE-2016-10093.patch \
+ %D%/packages/patches/libtiff-CVE-2016-10094.patch \
+ %D%/packages/patches/libtiff-assertion-failure.patch \
+ %D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch \
+ %D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch \
+ %D%/packages/patches/libtiff-divide-by-zero-tiffcrop.patch \
+ %D%/packages/patches/libtiff-divide-by-zero.patch \
+ %D%/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch \
+ %D%/packages/patches/libtiff-heap-overflow-tif-dirread.patch \
+ %D%/packages/patches/libtiff-heap-overflow-tiffcp.patch \
+ %D%/packages/patches/libtiff-heap-overflow-tiffcrop.patch \
+ %D%/packages/patches/libtiff-invalid-read.patch \
+ %D%/packages/patches/libtiff-null-dereference.patch \
+ %D%/packages/patches/libtiff-tiffcp-underflow.patch \
 %D%/packages/patches/libtool-skip-tests2.patch \
 %D%/packages/patches/libunwind-CVE-2015-3239.patch \
 %D%/packages/patches/libupnp-CVE-2016-6255.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 4e40533a21..a9bbf192cc 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -8,6 +8,7 @@
 ;;; Copyright © 2015 Amirouche Boubekki
 ;;; Copyright © 2014 John Darrington
 ;;; Copyright © 2016 Leo Famulari
+;;; Copyright © 2016, 2017 Leo Famulari
 ;;; Copyright © 2016, 2017 Efraim Flashner
 ;;; Copyright © 2016 Tobias Geerinckx-Rice
 ;;; Copyright © 2016 Eric Bavier
@@ -258,6 +259,7 @@ extracting icontainer icon files.")
 (define-public libtiff
 (package
 (name "libtiff")
+ (replacement libtiff/fixed)
 (version "4.0.7")
 (source (origin
 (method url-fetch)
@@ -290,6 +292,28 @@ collection of tools for doing simple manipulations of TIFF images.")
 "See COPYRIGHT in the distribution."))
 (home-page "http://www.simplesystems.org/libtiff/")))

+(define libtiff/fixed
+ (package
+ (inherit libtiff)
+ (source
+ (origin
+ (inherit (package-source libtiff))
+ (patches (search-patches "libtiff-heap-overflow-tiffcp.patch"
+ "libtiff-null-dereference.patch"
+ "libtiff-heap-overflow-tif-dirread.patch"
+ "libtiff-heap-overflow-pixarlog-luv.patch"
+ "libtiff-divide-by-zero.patch"
+ "libtiff-divide-by-zero-ojpeg.patch"
+ "libtiff-tiffcp-underflow.patch"
+ "libtiff-invalid-read.patch"
+ "libtiff-CVE-2016-10092.patch"
+ "libtiff-heap-overflow-tiffcrop.patch"
+ "libtiff-divide-by-zero-tiffcrop.patch"
+ "libtiff-CVE-2016-10093.patch"
+ "libtiff-divide-by-zero-tiffcp.patch"
+ "libtiff-assertion-failure.patch"
+ "libtiff-CVE-2016-10094.patch"))))))
+
 (define-public libwmf
 (package
 (name "libwmf")
diff --git a/gnu/packages/patches/libtiff-CVE-2016-10092.patch b/gnu/packages/patches/libtiff-CVE-2016-10092.patch
new file mode 100644
index 0000000000..d5fd796169
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2016-10092.patch
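Review bot: The copyright hunk adds `;;; Copyright © 2016, 2017 Leo Famulari` while leaving the existing `;;; Copyright © 2016 Leo Famulari` in place, so the same author is now listed twice; the 2016 line should be removed, or the old line edited in place to `2016, 2017` instead of adding a new one. The new `libtiff/fixed` variable has no comment saying why it exists; since `(replacement libtiff/fixed)` makes it a graft substituted for `libtiff` in every dependent, a line above the define such as `;; Graft of libtiff 4.0.7 with the upstream fixes named in the patches below; must stay ABI-compatible with libtiff.` would tell a later reader what constraint it is under. The fifteen patches are applied in the order written, which interleaves the CVE-numbered fixes with the unnumbered crash fixes; nothing on the page shows that order matters, but grouping them by upstream file (tiffcp, tiffcrop, tif_ojpeg) would make it easier to see when a later release makes a patch redundant.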
@@ -0,0 +1,42 @@ +Fix CVE-2016-10092: + +http://bugzilla.maptools.org/show_bug.cgi?id=2620 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10092 +https://security-tracker.debian.org/tracker/CVE-2016-10092 + +2016-12-03 Even Rouault + + * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) + mode so that the output buffer is correctly incremented to avoid write + outside bounds. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1178; previous revision: 1.1177 +/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c +new revision: 1.47; previous revision: 1.46 + +Index: libtiff/tools/tiffcrop.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v +retrieving revision 1.46 +retrieving revision 1.47 +diff -u -r1.46 -r1.47 +--- libtiff/tools/tiffcrop.c 18 Nov 2016 14:58:46 -0000 1.46 ++++ libtiff/tools/tiffcrop.c 3 Dec 2016 11:35:56 -0000 1.47 +@@ -1,4 +1,4 @@ +-/* $Id: tiffcrop.c,v 1.46 2016-11-18 14:58:46 erouault Exp $ */ ++/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */ + + /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of + * the image data through additional options listed below +@@ -3698,7 +3698,7 @@ + (unsigned long) strip, (unsigned long)rows); + return 0; + } +- bufp += bytes_read; ++ bufp += stripsize; + } + + return 1; diff --git a/gnu/packages/patches/libtiff-CVE-2016-10093.patch b/gnu/packages/patches/libtiff-CVE-2016-10093.patch new file mode 100644 index 0000000000..5897ec1029 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2016-10093.patch 
@@ -0,0 +1,53 @@ +Fix CVE-2016-10093: + +http://bugzilla.maptools.org/show_bug.cgi?id=2610 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10093 +https://security-tracker.debian.org/tracker/CVE-2016-10093 + +2016-12-03 Even Rouault + + * tools/tiffcp.c: fix uint32 underflow/overflow that can cause + heap-based buffer overflow. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1187; previous revision: 1.1186 +/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c +new revision: 1.59; previous revision: 1.58 + +Index: libtiff/tools/tiffcp.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v +retrieving revision 1.58 +retrieving revision 1.59 +diff -u -r1.58 -r1.59 +--- libtiff/tools/tiffcp.c 3 Dec 2016 15:44:15 -0000 1.58 ++++ libtiff/tools/tiffcp.c 3 Dec 2016 16:40:01 -0000 1.59 +@@ -1163,7 +1163,7 @@ + + static void + cpStripToTile(uint8* out, uint8* in, +- uint32 rows, uint32 cols, int outskew, int inskew) ++ uint32 rows, uint32 cols, int outskew, int64 inskew) + { + while (rows-- > 0) { + uint32 j = cols; +@@ -1320,7 +1320,7 @@ + tdata_t tilebuf; + uint32 imagew = TIFFScanlineSize(in); + uint32 tilew = TIFFTileRowSize(in); +- int iskew = imagew - tilew; ++ int64 iskew = (int64)imagew - (int64)tilew; + uint8* bufp = (uint8*) buf; + uint32 tw, tl; + uint32 row; +@@ -1348,7 +1348,7 @@ + status = 0; + goto done; + } +- if (colb + tilew > imagew) { ++ if (colb > iskew) { + uint32 width = imagew - colb; + uint32 oskew = tilew - width; + cpStripToTile(bufp + colb, diff --git a/gnu/packages/patches/libtiff-CVE-2016-10094.patch b/gnu/packages/patches/libtiff-CVE-2016-10094.patch new file mode 100644 index 0000000000..9018773565 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2016-10094.patch 
@@ -0,0 +1,34 @@ +Fix CVE-2016-10094: + +http://bugzilla.maptools.org/show_bug.cgi?id=2640 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10094 +https://security-tracker.debian.org/tracker/CVE-2016-10094 + +2016-12-20 Even Rouault + + * tools/tiff2pdf.c: avoid potential heap-based overflow in + t2p_readwrite_pdf_image_tile(). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1199; previous revision: 1.1198 +/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c +new revision: 1.101; previous revision: 1.100 + +Index: libtiff/tools/tiff2pdf.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v +retrieving revision 1.100 +retrieving revision 1.101 +diff -u -r1.100 -r1.101 +--- libtiff/tools/tiff2pdf.c 20 Dec 2016 17:24:35 -0000 1.100 ++++ libtiff/tools/tiff2pdf.c 20 Dec 2016 17:28:17 -0000 1.101 +@@ -2895,7 +2895,7 @@ + return(0); + } + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { +- if (count >= 4) { ++ if (count > 4) { + int retTIFFReadRawTile; + /* Ignore EOI marker of JpegTables */ + _TIFFmemcpy(buffer, jpt, count - 2); diff --git a/gnu/packages/patches/libtiff-assertion-failure.patch b/gnu/packages/patches/libtiff-assertion-failure.patch new file mode 100644 index 0000000000..ef747fbdd7 --- /dev/null +++ b/gnu/packages/patches/libtiff-assertion-failure.patch 
@@ -0,0 +1,60 @@
+Fix assertion failure in readSeparateTilesIntoBuffer():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2605
+
+2016-12-03 Even Rouault
+
+ * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert
+check.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1188; previous revision: 1.1187
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
+new revision: 1.60; previous revision: 1.59
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.59
+retrieving revision 1.60
+diff -u -r1.59 -r1.60
+--- libtiff/tools/tiffcp.c 3 Dec 2016 16:40:01 -0000 1.59
++++ libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60
+@@ -45,7 +45,6 @@
+ #include
+
+ #include
+-#include
+
+ #ifdef HAVE_UNISTD_H
+ # include
+@@ -1393,7 +1392,12 @@
+ status = 0;
+ goto done;
+ }
+- assert( bps % 8 == 0 );
++ if( (bps % 8) != 0 )
++ {
++ TIFFError(TIFFFileName(in), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++ status = 0;
++ goto done;
++ }
+ bytes_per_sample = bps/8;
+
+ for (row = 0; row < imagelength; row += tl) {
+@@ -1584,7 +1588,12 @@
+ _TIFFfree(obuf);
+ return 0;
+ }
+- assert( bps % 8 == 0 );
++ if( (bps % 8) != 0 )
++ {
++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++ _TIFFfree(obuf);
++ return 0;
++ }
+ bytes_per_sample = bps/8;
+
+ for (row = 0; row < imagelength; row += tl) {
diff --git a/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch b/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch
new file mode 100644
index 0000000000..2a96b68521
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch
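Review bot: This patch removes one `#include` (the header name was lost in this rendering, presumably the assert header) and replaces both `assert( bps % 8 == 0 )` calls, so it only applies on top of tools/tiffcp.c revision 1.59, i.e. after libtiff-tiffcp-underflow.patch (1.55→1.56), libtiff-divide-by-zero-tiffcp.patch (1.56→1.58) and libtiff-CVE-2016-10093.patch (1.58→1.59) from this same commit. The package's `patches` list is not in view, so the order cannot be checked here; stating it in the header, e.g. `Apply after libtiff-CVE-2016-10093.patch (tiffcp.c 1.59).`, guards against a later reordering breaking the build. Including the offending value in the new diagnostics, `"Error, cannot handle BitsPerSample %u that is not a multiple of 8", bps`, would also help triage of rejected files. Both enclosing functions start and end outside the hunk.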
@@ -0,0 +1,63 @@
+Fix divide-by-zero in OJPEGDecodeRaw():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2611
+
+2016-12-03 Even Rouault
+
+ * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure
+in
+ OJPEGPreDecode(). This will avoid a divide by zero, and potential other
+issues.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1177; previous revision: 1.1176
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c
+new revision: 1.66; previous revision: 1.65
+
+Index: libtiff/libtiff/tif_ojpeg.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
+retrieving revision 1.65
+retrieving revision 1.66
+diff -u -r1.65 -r1.66
+--- libtiff/libtiff/tif_ojpeg.c 4 Sep 2016 21:32:56 -0000 1.65
++++ libtiff/libtiff/tif_ojpeg.c 3 Dec 2016 11:15:18 -0000 1.66
+@@ -1,4 +1,4 @@
+-/* $Id: tif_ojpeg.c,v 1.65 2016-09-04 21:32:56 erouault Exp $ */
++/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */
+
+ /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0
+ specification is now totally obsolete and deprecated for new applications and
+@@ -244,6 +244,7 @@
+
+ typedef struct {
+ TIFF* tif;
++ int decoder_ok;
+ #ifndef LIBJPEG_ENCAP_EXTERNAL
+ JMP_BUF exit_jmpbuf;
+ #endif
+@@ -722,6 +723,7 @@
+ }
+ sp->write_curstrile++;
+ }
++ sp->decoder_ok = 1;
+ return(1);
+ }
+
+@@ -784,8 +786,14 @@
+ static int
+ OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
+ {
++ static const char module[]="OJPEGDecode";
+ OJPEGState* sp=(OJPEGState*)tif->tif_data;
+ (void)s;
++ if( !sp->decoder_ok )
++ {
++ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
++ return 0;
++ }
+ if (sp->libjpeg_jpeg_query_style==0)
+ {
+ if (OJPEGDecodeRaw(tif,buf,cc)==0)
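Review bot: `decoder_ok` is set to 1 at the end of the successful OJPEGPreDecode path but nothing in the hunk ever clears it, so if OJPEGPreDecode runs again for a later strip or tile and fails after an earlier success, the new guard in OJPEGDecode still sees 1; resetting the flag at the top of OJPEGPreDecode, `sp->decoder_ok = 0;`, would make every call re-validate (OJPEGPreDecode's start is outside the hunk, so confirm there is no existing reset). The new field also relies on the OJPEGState allocation being zeroed before first use, which this hunk does not show, so a note at the field would help: `int decoder_ok; /* 1 once OJPEGPreDecode succeeded; must start at 0 */`.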
diff --git a/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch b/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch
new file mode 100644
index 0000000000..d3f1c2b60e
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch
@@ -0,0 +1,104 @@
+Fix two divide-by-zero bugs in readSeparateTilesIntoBuffer():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2597
+http://bugzilla.maptools.org/show_bug.cgi?id=2607
+
+2016-12-03 Even Rouault
+
+ * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples
+tag is
+ missing.
+ Reported by Agostino sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1183; previous revision: 1.1182
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
+new revision: 1.57; previous revision: 1.56
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.56
+retrieving revision 1.57
+diff -u -r1.56 -r1.57
+--- libtiff/tools/tiffcp.c 2 Dec 2016 22:13:32 -0000 1.56
++++ libtiff/tools/tiffcp.c 3 Dec 2016 14:42:40 -0000 1.57
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */
++/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -1378,7 +1378,7 @@
+ uint8* bufp = (uint8*) buf;
+ uint32 tw, tl;
+ uint32 row;
+- uint16 bps, bytes_per_sample;
++ uint16 bps = 0, bytes_per_sample;
+
+ tilebuf = _TIFFmalloc(tilesize);
+ if (tilebuf == 0)
+@@ -1387,6 +1387,12 @@
+ (void) TIFFGetField(in, TIFFTAG_TILEWIDTH, &tw);
+ (void) TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps == 0 )
++ {
++ TIFFError(TIFFFileName(in), "Error, cannot read BitsPerSample");
++ status = 0;
++ goto done;
++ }
+ assert( bps % 8 == 0 );
+ bytes_per_sample = bps/8;
+
+2016-12-03 Even Rouault
+
+ * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples
+tag is
+ missing.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1186; previous revision: 1.1185
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
+new revision: 1.58; previous revision: 1.57
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.57
+retrieving revision 1.58
+diff -u -r1.57 -r1.58
+--- libtiff/tools/tiffcp.c 3 Dec 2016 14:42:40 -0000 1.57
++++ libtiff/tools/tiffcp.c 3 Dec 2016 15:44:15 -0000 1.58
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */
++/* $Id: tiffcp.c,v 1.58 2016-12-03 15:44:15 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -1569,7 +1569,7 @@
+ uint8* bufp = (uint8*) buf;
+ uint32 tl, tw;
+ uint32 row;
+- uint16 bps, bytes_per_sample;
++ uint16 bps = 0, bytes_per_sample;
+
+ obuf = _TIFFmalloc(TIFFTileSize(out));
+ if (obuf == NULL)
+@@ -1578,6 +1578,12 @@
+ (void) TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
+ (void) TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps == 0 )
++ {
++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
++ _TIFFfree(obuf);
++ return 0;
++ }
+ assert( bps % 8 == 0 );
+ bytes_per_sample = bps/8;
+
diff --git a/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch b/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch
new file mode 100644
index 0000000000..823293f1cf
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch
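Review bot: The two new `if( bps == 0 )` checks only work because of the `= 0` initializers added on the declaration lines; the return value of `TIFFGetField(..., TIFFTAG_BITSPERSAMPLE, &bps)` is still discarded with `(void)`, so a reader has to connect the initializer to the check. Testing the call directly, `if (!TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps) || bps == 0)`, states the intent in one place. The `assert( bps % 8 == 0 )` that survives here as context is replaced by libtiff-assertion-failure.patch in this same commit, so the two patches must be applied in revision order (1.57/1.58 before 1.60). Both enclosing functions start and end outside the hunk.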
@@ -0,0 +1,57 @@
+Fix divide-by-zero in readSeparateStripsIntoBuffer():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2619
+
+2016-12-03 Even Rouault
+
+ * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is
+missing.
+ Reported by Agostina Sarubo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1180; previous revision: 1.1179
+/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c
+new revision: 1.49; previous revision: 1.48
+
+Index: libtiff/tools/tiffcrop.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
+retrieving revision 1.48
+retrieving revision 1.49
+diff -u -r1.48 -r1.49
+--- libtiff/tools/tiffcrop.c 3 Dec 2016 12:19:32 -0000 1.48
++++ libtiff/tools/tiffcrop.c 3 Dec 2016 13:00:04 -0000 1.49
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */
++/* $Id: tiffcrop.c,v 1.49 2016-12-03 13:00:04 erouault Exp $ */
+
+ /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
+ * the image data through additional options listed below
+@@ -1164,7 +1164,7 @@
+ tdata_t obuf;
+
+ (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+- (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++ (void) TIFFGetFieldDefaulted(out, TIFFTAG_BITSPERSAMPLE, &bps);
+ bytes_per_sample = (bps + 7) / 8;
+ if( width == 0 ||
+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width ||
+@@ -4760,7 +4760,7 @@
+ int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
+ uint32 j;
+ int32 bytes_read = 0;
+- uint16 bps, planar;
++ uint16 bps = 0, planar;
+ uint32 nstrips;
+ uint32 strips_per_sample;
+ uint32 src_rowsize, dst_rowsize, rows_processed, rps;
+@@ -4780,7 +4780,7 @@
+ }
+
+ memset (srcbuffs, '\0', sizeof(srcbuffs));
+- TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &planar);
+ TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
+ if (rps > length)
diff --git a/gnu/packages/patches/libtiff-divide-by-zero.patch b/gnu/packages/patches/libtiff-divide-by-zero.patch
new file mode 100644
index 0000000000..6dbd4666cd
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero.patch
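Review bot: Switching to `TIFFGetFieldDefaulted` for BitsPerSample means a file with the tag missing is now processed with the TIFF default of 1 bit per sample rather than rejected, the opposite policy from the sibling libtiff-divide-by-zero-tiffcp.patch, where tiffcp errors out on `bps == 0`. That is defensible for tiffcrop, which already defaults PlanarConfig and RowsPerStrip the same way in the context lines, but it should be stated, e.g. `/* BitsPerSample missing: use the TIFF default of 1 instead of dividing by zero */` above the `(bps + 7) / 8` line. The `uint16 bps = 0` initializer is now redundant with the defaulted lookup but harmless. Both enclosing functions start and end outside the hunk.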
@@ -0,0 +1,67 @@
+Fix an integer overflow in TIFFReadEncodedStrip() that led to division-by-zero:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2596
+
+2016-12-02 Even Rouault
+
+ * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
+ TIFFReadEncodedStrip() that caused an integer division by zero.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1173; previous revision: 1.1172
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c
+new revision: 1.50; previous revision: 1.49
+/cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v <-- libtiff/tiffiop.h
+new revision: 1.90; previous revision: 1.89
+
+Index: libtiff/libtiff/tif_read.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v
+retrieving revision 1.49
+retrieving revision 1.50
+diff -u -r1.49 -r1.50
+--- libtiff/libtiff/tif_read.c 10 Jul 2016 18:00:21 -0000 1.49
++++ libtiff/libtiff/tif_read.c 2 Dec 2016 21:56:56 -0000 1.50
+@@ -1,4 +1,4 @@
+-/* $Id: tif_read.c,v 1.49 2016-07-10 18:00:21 erouault Exp $ */
++/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -346,7 +346,7 @@
+ rowsperstrip=td->td_rowsperstrip;
+ if (rowsperstrip>td->td_imagelength)
+ rowsperstrip=td->td_imagelength;
+- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
++ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
+ stripinplane=(strip%stripsperplane);
+ plane=(uint16)(strip/stripsperplane);
+ rows=td->td_imagelength-stripinplane*rowsperstrip;
+Index: libtiff/libtiff/tiffiop.h
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v
+retrieving revision 1.89
+retrieving revision 1.90
+diff -u -r1.89 -r1.90
+--- libtiff/libtiff/tiffiop.h 23 Jan 2016 21:20:34 -0000 1.89
++++ libtiff/libtiff/tiffiop.h 2 Dec 2016 21:56:56 -0000 1.90
+@@ -1,4 +1,4 @@
+-/* $Id: tiffiop.h,v 1.89 2016-01-23 21:20:34 erouault Exp $ */
++/* $Id: tiffiop.h,v 1.90 2016-12-02 21:56:56 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -250,6 +250,10 @@
+ #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
+ ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
+ 0U)
++/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
++/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
++#define TIFFhowmany_32_maxuint_compat(x, y) \
++ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
+ #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
+ #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
+ #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
diff --git a/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch b/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch
new file mode 100644
index 0000000000..2d5e23586d
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch
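Review bot: `TIFFhowmany_32_maxuint_compat(x, y)` still divides by `y`, and the call site clamps `rowsperstrip=td->td_imagelength` when the former exceeds the latter, so an image with `td_imagelength == 0` would hand the macro a zero divisor unless that is rejected earlier in TIFFReadEncodedStrip (not visible in the hunk). The macro comment should state the precondition and the double evaluation, e.g. `/* Caution: y must be non-zero; x and y are each evaluated twice */`, since both arguments appear twice in the new body. The double evaluation matches the existing `TIFFhowmany_32` style, so that part is documentation rather than a change request.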
@@ -0,0 +1,131 @@
+Fix heap-based buffer overflow in _TIFFmemcpy():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
+2016-12-03 Even Rouault
+
+ * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
+ overflow on generation of PixarLog / LUV compressed files, with
+ ColorMap, TransferFunction attached and nasty plays with bitspersample.
+ The fix for LUV has not been tested, but suffers from the same kind
+ of issue of PixarLog.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1175; previous revision: 1.1174
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v <-- libtiff/tif_luv.c
+new revision: 1.44; previous revision: 1.43
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v <--
+libtiff/tif_pixarlog.c
+new revision: 1.49; previous revision: 1.48
+
+Index: libtiff/libtiff/tif_luv.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v
+retrieving revision 1.43
+retrieving revision 1.44
+diff -u -r1.43 -r1.44
+--- libtiff/libtiff/tif_luv.c 4 Sep 2016 21:32:56 -0000 1.43
++++ libtiff/libtiff/tif_luv.c 2 Dec 2016 23:05:51 -0000 1.44
+@@ -1,4 +1,4 @@
+-/* $Id: tif_luv.c,v 1.43 2016-09-04 21:32:56 erouault Exp $ */
++/* $Id: tif_luv.c,v 1.44 2016-12-02 23:05:51 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1997 Greg Ward Larson
+@@ -158,6 +158,7 @@
+ typedef struct logLuvState LogLuvState;
+
+ struct logLuvState {
++ int encoder_state; /* 1 if encoder correctly initialized */
+ int user_datafmt; /* user data format */
+ int encode_meth; /* encoding method */
+ int pixel_size; /* bytes per pixel */
+@@ -1552,6 +1553,7 @@
+ td->td_photometric, "must be either LogLUV or LogL");
+ break;
+ }
++ sp->encoder_state = 1;
+ return (1);
+ notsupported:
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -1563,19 +1565,27 @@
+ static void
+ LogLuvClose(TIFF* tif)
+ {
++ LogLuvState* sp = (LogLuvState*) tif->tif_data;
+ TIFFDirectory *td = &tif->tif_dir;
+
++ assert(sp != 0);
+ /*
+ * For consistency, we always want to write out the same
+ * bitspersample and sampleformat for our TIFF file,
+ * regardless of the data format being used by the application.
+ * Since this routine is called after tags have been set but
+ * before they have been recorded in the file, we reset them here.
++ * Note: this is really a nasty approach. See PixarLogClose
+ */
+- td->td_samplesperpixel =
+- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+- td->td_bitspersample = 16;
+- td->td_sampleformat = SAMPLEFORMAT_INT;
++ if( sp->encoder_state )
++ {
++ /* See PixarLogClose. Might avoid issues with tags whose size depends
++ * on those below, but not completely sure this is enough. */
++ td->td_samplesperpixel =
++ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
++ td->td_bitspersample = 16;
++ td->td_sampleformat = SAMPLEFORMAT_INT;
++ }
+ }
+
+ static void
+Index: libtiff/libtiff/tif_pixarlog.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
+retrieving revision 1.48
+retrieving revision 1.49
+diff -u -r1.48 -r1.49
+--- libtiff/libtiff/tif_pixarlog.c 23 Sep 2016 22:12:18 -0000 1.48
++++ libtiff/libtiff/tif_pixarlog.c 2 Dec 2016 23:05:51 -0000 1.49
+@@ -1,4 +1,4 @@
+-/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */
++/* $Id: tif_pixarlog.c,v 1.49 2016-12-02 23:05:51 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1996-1997 Sam Leffler
+@@ -1233,8 +1233,10 @@
+ static void
+ PixarLogClose(TIFF* tif)
+ {
++ PixarLogState* sp = (PixarLogState*) tif->tif_data;
+ TIFFDirectory *td = &tif->tif_dir;
+
++ assert(sp != 0);
+ /* In a really sneaky (and really incorrect, and untruthful, and
+ * troublesome, and error-prone) maneuver that completely goes against
+ * the spirit of TIFF, and breaks TIFF, on close, we covertly
+@@ -1243,8 +1245,19 @@
+ * readers that don't know about PixarLog, or how to set
+ * the PIXARLOGDATFMT pseudo-tag.
+ */
+- td->td_bitspersample = 8;
+- td->td_sampleformat = SAMPLEFORMAT_UINT;
++
++ if (sp->state&PLSTATE_INIT) {
++ /* We test the state to avoid an issue such as in
++ * http://bugzilla.maptools.org/show_bug.cgi?id=2604
++ * What appends in that case is that the bitspersample is 1 and
++ * a TransferFunction is set. The size of the TransferFunction
++ * depends on 1<td_bitspersample = 8;
++ td->td_sampleformat = SAMPLEFORMAT_UINT;
++ }
+ }
+
+ static void
diff --git a/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch b/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch
new file mode 100644
index 0000000000..68889b121b
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch
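Review bot: `assert(sp != 0)` in both LogLuvClose and PixarLogClose is compiled out under NDEBUG, after which `sp->encoder_state` and `sp->state` are dereferenced unconditionally; if `tif_data` can be NULL on a close path, a release build gets a null dereference where a debug build aborts. An explicit guard after the assert, `if (sp == NULL) return;`, covers both builds. The PixarLog comment block is truncated in this rendering (`depends on 1<td_bitspersample = 8;`), so the file should be checked for the lost lines before this copy is applied anywhere. The ChangeLog says the LUV part is untested, which is worth repeating in the patch header so packagers know to watch LogLuv writes.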
@@ -0,0 +1,132 @@
+Fix heap-based buffer overflow in TIFFFillStrip():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2608
+
+2016-12-03 Even Rouault
+
+ * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
+ instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength,
+rowsperstrip),
+ instead of a logic based on the total size of data. Which is faulty is
+ the total size of data is not sufficient to fill the whole image, and
+thus
+ results in reading outside of the StripByCounts/StripOffsets arrays
+when
+ using TIFFReadScanline().
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
+
+ * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
+ for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273
+since
+ the above change is a better fix that makes it unnecessary.
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1176; previous revision: 1.1175
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <--
+libtiff/tif_dirread.c
+new revision: 1.205; previous revision: 1.204
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v <-- libtiff/tif_strip.c
+new revision: 1.38; previous revision: 1.37
+
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.204
+retrieving revision 1.205
+diff -u -r1.204 -r1.205
+--- libtiff/libtiff/tif_dirread.c 16 Nov 2016 15:14:15 -0000 1.204
++++ libtiff/libtiff/tif_dirread.c 3 Dec 2016 11:02:15 -0000 1.205
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */
++/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -5502,8 +5502,7 @@
+ uint64 rowblockbytes;
+ uint64 stripbytes;
+ uint32 strip;
+- uint64 nstrips64;
+- uint32 nstrips32;
++ uint32 nstrips;
+ uint32 rowsperstrip;
+ uint64* newcounts;
+ uint64* newoffsets;
+@@ -5534,18 +5533,17 @@
+ return;
+
+ /*
+- * never increase the number of strips in an image
++ * never increase the number of rows per strip
+ */
+ if (rowsperstrip >= td->td_rowsperstrip)
+ return;
+- nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
+- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
+- return;
+- nstrips32 = (uint32)nstrips64;
++ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
++ if( nstrips == 0 )
++ return;
+
+- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripByteCounts\" array");
+- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripOffsets\" array");
+ if (newcounts == NULL || newoffsets == NULL) {
+ /*
+@@ -5562,18 +5560,18 @@
+ * Fill the strip information arrays with new bytecounts and offsets
+ * that reflect the broken-up format.
+ */
+- for (strip = 0; strip < nstrips32; strip++) {
++ for (strip = 0; strip < nstrips; strip++) {
+ if (stripbytes > bytecount)
+ stripbytes = bytecount;
+ newcounts[strip] = stripbytes;
+- newoffsets[strip] = offset;
++ newoffsets[strip] = stripbytes ? offset : 0;
+ offset += stripbytes;
+ bytecount -= stripbytes;
+ }
+ /*
+ * Replace old single strip info with multi-strip info.
+ */
+- td->td_stripsperimage = td->td_nstrips = nstrips32;
++ td->td_stripsperimage = td->td_nstrips = nstrips;
+ TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+
+ _TIFFfree(td->td_stripbytecount);
+Index: libtiff/libtiff/tif_strip.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
+retrieving revision 1.37
+retrieving revision 1.38
+diff -u -r1.37 -r1.38
+--- libtiff/libtiff/tif_strip.c 9 Nov 2016 23:00:49 -0000 1.37
++++ libtiff/libtiff/tif_strip.c 3 Dec 2016 11:02:15 -0000 1.38
+@@ -1,4 +1,4 @@
+-/* $Id: tif_strip.c,v 1.37 2016-11-09 23:00:49 erouault Exp $ */
++/* $Id: tif_strip.c,v 1.38 2016-12-03 11:02:15 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1991-1997 Sam Leffler
+@@ -63,15 +63,6 @@
+ TIFFDirectory *td = &tif->tif_dir;
+ uint32 nstrips;
+
+- /* If the value was already computed and store in td_nstrips, then return it,
+- since ChopUpSingleUncompressedStrip might have altered and resized the
+- since the td_stripbytecount and td_stripoffset arrays to the new value
+- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
+- tif_dirread.c ~line 3612.
+- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
+- if( td->td_nstrips )
+- return td->td_nstrips;
+-
+ nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
+ TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
+ if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch
new file mode 100644
index 0000000000..f0fef08bf3
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch
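Review bot: `nstrips` is now derived purely from `td_imagelength / rowsperstrip`, both header-controlled values, and goes straight into two `_TIFFCheckMalloc(tif, nstrips, sizeof (uint64), ...)` calls, whereas the previous `TIFFhowmany_64(bytecount, stripbytes)` form was bounded by the actual data size. Unless `_TIFFCheckMalloc` or an earlier check caps the request (outside the hunk), a small file can in principle ask for up to 2^32 entries of 8 bytes twice, so a comment or an explicit ceiling on `nstrips` relative to `bytecount` would be prudent against memory exhaustion. `newoffsets[strip] = stripbytes ? offset : 0;` zero-fills the strips beyond the available data silently; a note that readers must treat a zero offset and count as an empty strip would help, since that contract lives in another file. The enclosing ChopUpSingleUncompressedStrip() starts and ends outside the hunk.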
@@ -0,0 +1,67 @@
+Fix heap buffer overflow in tiffcp when parsing number of inks:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2599
+
+2016-12-03 Even Rouault
+
+ * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is
+called,
+ limit the return number of inks to SamplesPerPixel, so that code that
+parses
+ ink names doesn't go past the end of the buffer.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1184; previous revision: 1.1183
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v <-- libtiff/tif_dir.c
+new revision: 1.128; previous revision: 1.127
+
+Index: libtiff/libtiff/tif_dir.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v
+retrieving revision 1.127
+retrieving revision 1.128
+diff -u -r1.127 -r1.128
+--- libtiff/libtiff/tif_dir.c 25 Oct 2016 21:35:15 -0000 1.127
++++ libtiff/libtiff/tif_dir.c 3 Dec 2016 15:30:31 -0000 1.128
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */
++/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -854,6 +854,32 @@
+ if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
+ return 0;
+
++ if( tag == TIFFTAG_NUMBEROFINKS )
++ {
++ int i;
++ for (i = 0; i < td->td_customValueCount; i++) {
++ uint16 val;
++ TIFFTagValue *tv = td->td_customValues + i;
++ if (tv->info->field_tag != tag)
++ continue;
++ val = *(uint16 *)tv->value;
++ /* Truncate to SamplesPerPixel, since the */
++ /* setting code for INKNAMES assume that there are SamplesPerPixel */
++ /* inknames. */
++ /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
++ if( val > td->td_samplesperpixel )
++ {
++ TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
++ "Truncating NumberOfInks from %u to %u",
++ val, td->td_samplesperpixel);
++ val = td->td_samplesperpixel;
++ }
++ *va_arg(ap, uint16*) = val;
++ return 1;
++ }
++ return 0;
++ }
++
+ /*
+ * We want to force the custom code to be used for custom
+ * fields even if the tag happens to match a well known
diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch
new file mode 100644
index 0000000000..8166c55758
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch
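Review bot: The patch file is named libtiff-heap-overflow-tiffcp.patch and its header speaks of tiffcp, but the change lands in libtiff/tif_dir.c (`_TIFFVGetField`), which affects every consumer of TIFFTAG_NUMBEROFINKS rather than just the tool; naming the file after the library or saying so in the first header line avoids confusion when the patches are later rebased or dropped. In the new code `TIFFWarningExt(..., "Truncating NumberOfInks from %u to %u", val, td->td_samplesperpixel)` passes two `uint16` values for `%u`; they promote to `int`, which works in practice, but `(unsigned)val` casts keep `-Wformat` quiet. The enclosing function begins outside the hunk.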
@@ -0,0 +1,60 @@
+Fix heap-based buffer overflow in combineSeparateSamples16bits():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2621
+
+2016-12-03 Even Rouault
+
+ * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
+ readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
+buffer.
+ Reported by Agostina Sarubo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1179; previous revision: 1.1178
+/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c
+new revision: 1.48; previous revision: 1.47
+
+Index: libtiff/tools/tiffcrop.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
+retrieving revision 1.47
+retrieving revision 1.48
+diff -u -r1.47 -r1.48
+--- libtiff/tools/tiffcrop.c 3 Dec 2016 11:35:56 -0000 1.47
++++ libtiff/tools/tiffcrop.c 3 Dec 2016 12:19:32 -0000 1.48
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */
++/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */
+
+ /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
+ * the image data through additional options listed below
+@@ -4815,10 +4815,17 @@
+ nstrips = TIFFNumberOfStrips(in);
+ strips_per_sample = nstrips /spp;
+
++ /* Add 3 padding bytes for combineSeparateSamples32bits */
++ if( (size_t) stripsize > 0xFFFFFFFFU - 3U )
++ {
++ TIFFError("readSeparateStripsIntoBuffer", "Integer overflow when calculating buffer size.");
++ exit(-1);
++ }
++
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ {
+ srcbuffs[s] = NULL;
+- buff = _TIFFmalloc(stripsize);
++ buff = _TIFFmalloc(stripsize + 3);
+ if (!buff)
+ {
+ TIFFError ("readSeparateStripsIntoBuffer",
+@@ -4827,6 +4834,9 @@
+ _TIFFfree (srcbuffs[i]);
+ return 0;
+ }
++ buff[stripsize] = 0;
++ buff[stripsize+1] = 0;
++ buff[stripsize+2] = 0;
+ srcbuffs[s] = buff;
+ }
+
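Review bot: The new overflow check in `readSeparateStripsIntoBuffer()` calls `exit(-1)`, whereas the allocation-failure path a few lines below frees the `srcbuffs` already obtained and returns 0 so the caller can recover; the two paths should share one convention, `return 0;` after the TIFFError (nothing has been allocated at that point, so no cleanup is needed). The header names combineSeparateSamples16bits() but the code comment says the padding is for `combineSeparateSamples32bits`; aligning the two tells the next reader which consumer reads past the end. `stripsize`'s type is outside the hunk; the `(size_t)` cast before comparing with `0xFFFFFFFFU - 3U` suggests a signed `tsize_t`, which the cast handles (a negative value becomes huge and is rejected), and a one-line comment saying so would save the next reviewer the same check.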
diff --git a/gnu/packages/patches/libtiff-invalid-read.patch b/gnu/packages/patches/libtiff-invalid-read.patch
new file mode 100644
index 0000000000..92742d8757
--- /dev/null
+++ b/gnu/packages/patches/libtiff-invalid-read.patch
@@ -0,0 +1,64 @@
+Fix invalid read in t2p_writeproc():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2639
+
+2016-12-20 Even Rouault
+
+ * tools/tiff2pdf.c: avoid potential invalid memory read in
+ t2p_writeproc.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1198; previous revision: 1.1197
+/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c
+new revision: 1.100; previous revision: 1.99
+
+Index: libtiff/tools/tiff2pdf.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
+retrieving revision 1.99
+retrieving revision 1.100
+diff -u -r1.99 -r1.100
+--- libtiff/tools/tiff2pdf.c 20 Dec 2016 17:13:26 -0000 1.99
++++ libtiff/tools/tiff2pdf.c 20 Dec 2016 17:24:35 -0000 1.100
+@@ -2896,6 +2896,7 @@
+ }
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+ if (count >= 4) {
++ int retTIFFReadRawTile;
+ /* Ignore EOI marker of JpegTables */
+ _TIFFmemcpy(buffer, jpt, count - 2);
+ bufferoffset += count - 2;
+@@ -2903,22 +2904,23 @@
+ table_end[0] = buffer[bufferoffset-2];
+ table_end[1] = buffer[bufferoffset-1];
+ xuint32 = bufferoffset;
+- bufferoffset -= 2;
+- bufferoffset += TIFFReadRawTile(
++ bufferoffset -= 2;
++ retTIFFReadRawTile= TIFFReadRawTile(
+ input,
+ tile,
+ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
+ -1);
++ if( retTIFFReadRawTile < 0 )
++ {
++ _TIFFfree(buffer);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return(0);
++ }
++ bufferoffset += retTIFFReadRawTile;
+ /* Overwrite SOI marker of image scan with previously */
+ /* saved end of JpegTables */
+ buffer[xuint32-2]=table_end[0];
+ buffer[xuint32-1]=table_end[1];
+- } else {
+- bufferoffset += TIFFReadRawTile(
+- input,
+- tile,
+- (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
+- -1);
+ }
+ }
+ t2pWriteFile(output, (tdata_t) buffer, bufferoffset);
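Review bot: Removing the `} else {` branch changes behaviour for the small-`count` case (`count < 4` here, `count <= 4` once libtiff-CVE-2016-10094.patch is applied on top): the tile is no longer read at all and `t2pWriteFile(output, (tdata_t) buffer, bufferoffset)` runs with whatever `bufferoffset` and `buffer` already held, so a file with a degenerate JPEGTables tag silently produces a missing or stale tile instead of an error. If that is intended, a comment at the closing brace, e.g. `/* JPEGTables too short to carry tables: nothing is read for this tile */`, should say so; otherwise the new `retTIFFReadRawTile < 0` path (`t2p->t2p_error = T2P_ERR_ERROR; return(0);`) is the natural place to route it. The enclosing function continues outside the hunk.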
diff --git a/gnu/packages/patches/libtiff-null-dereference.patch b/gnu/packages/patches/libtiff-null-dereference.patch
new file mode 100644
index 0000000000..8c6345b804
--- /dev/null
+++ b/gnu/packages/patches/libtiff-null-dereference.patch
@@ -0,0 +1,42 @@
+Fix NULL pointer dereference in TIFFReadRawData():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2594
+
+
+2016-12-03 Even Rouault
+
+ * tools/tiffinfo.c: fix null pointer dereference in -r mode when
+ * the
+image has
+ no StripByteCount tag.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1182; previous revision: 1.1181
+/cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v <-- tools/tiffinfo.c
+new revision: 1.26; previous revision: 1.25
+
+Index: libtiff/tools/tiffinfo.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v
+retrieving revision 1.25
+retrieving revision 1.26
+diff -u -r1.25 -r1.26
+--- libtiff/tools/tiffinfo.c 12 Nov 2016 20:06:05 -0000 1.25
++++ libtiff/tools/tiffinfo.c 3 Dec 2016 14:18:49 -0000 1.26
+@@ -1,4 +1,4 @@
+-/* $Id: tiffinfo.c,v 1.25 2016-11-12 20:06:05 bfriesen Exp $ */
++/* $Id: tiffinfo.c,v 1.26 2016-12-03 14:18:49 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -417,7 +417,7 @@
+ uint64* stripbc=NULL;
+
+ TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &stripbc);
+- if (nstrips > 0) {
++ if (stripbc != NULL && nstrips > 0) {
+ uint32 bufsize = (uint32) stripbc[0];
+ tdata_t buf = _TIFFmalloc(bufsize);
+ tstrip_t s;
diff --git a/gnu/packages/patches/libtiff-tiffcp-underflow.patch b/gnu/packages/patches/libtiff-tiffcp-underflow.patch
new file mode 100644
index 0000000000..5615cbb3e1
--- /dev/null
+++ b/gnu/packages/patches/libtiff-tiffcp-underflow.patch
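Review bot: The new `stripbc != NULL` guard stops the dereference but makes `-r` mode skip the raw dump silently when StripByteCounts is absent; an else branch with `TIFFWarning(TIFFFileName(tif), "StripByteCounts missing, raw strip data not dumped")` would tell the operator why nothing was printed. Inside the guarded block `uint32 bufsize = (uint32) stripbc[0]` still sizes the buffer from the first strip's count alone, a value taken straight from the file; how later strips are bounded against `bufsize` is outside the hunk and worth confirming. The return value of `TIFFGetField` is still unchecked here, which the pointer test now covers only indirectly. The enclosing TIFFReadRawData() starts and ends outside the hunk.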
@@ -0,0 +1,41 @@
+Fix a integer underflow in tiffcp that led to heap overflows in
+TIFFReverseBits():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2598
+
+2016-12-02 Even Rouault
+
+ * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
+ can cause various issues, such as buffer overflows in the library.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1174; previous revision: 1.1173
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
+new revision: 1.56; previous revision: 1.55
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.55
+retrieving revision 1.56
+diff -u -r1.55 -r1.56
+--- libtiff/tools/tiffcp.c 8 Oct 2016 15:54:57 -0000 1.55
++++ libtiff/tools/tiffcp.c 2 Dec 2016 22:13:32 -0000 1.56
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcp.c,v 1.55 2016-10-08 15:54:57 erouault Exp $ */
++/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -985,7 +985,7 @@
+ tstrip_t s, ns = TIFFNumberOfStrips(in);
+ uint32 row = 0;
+ _TIFFmemset(buf, 0, stripsize);
+- for (s = 0; s < ns; s++) {
++ for (s = 0; s < ns && row < imagelength; s++) {
+ tsize_t cc = (row + rowsperstrip > imagelength) ?
+ TIFFVStripSize(in, imagelength - row) : stripsize;
+ if (TIFFReadEncodedStrip(in, s, buf, cc) < 0 -- cgit 1.4.1 From b0a567640cf66f396de3fb4a827f9cf8a7ee0abb Mon Sep 17 00:00:00 2001
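Review bot: The added `row < imagelength` bound on the `for` line deserves a comment, because nothing in the hunk says why `s < ns` alone was insufficient; something like `/* ns need not agree with imagelength/rowsperstrip; stop before imagelength - row below underflows */` keeps the reason with the code. The `row + rowsperstrip > imagelength` test on the next line is an unsigned addition that can wrap for a very large `rowsperstrip`, which would make the `TIFFVStripSize` branch unreachable for that strip; whether the caller clamps `rowsperstrip` is not visible here. cpDecodedStrips starts and ends outside the hunk.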
From: Leo Famulari Date: Tue, 10 Jan 2017 15:27:44 -0500 Subject: gnu: cracklib: Fix buffer overflow. * gnu/packages/patches/cracklib-fix-buffer-overflow.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/password-utils.scm (cracklib)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/password-utils.scm | 3 +- .../patches/cracklib-fix-buffer-overflow.patch | 39 ++++++++++++++++++++++ 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/cracklib-fix-buffer-overflow.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index e34ae17796..21580a3870 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -511,6 +511,7 @@ dist_patch_DATA = \ %D%/packages/patches/cpio-CVE-2016-2037.patch \ %D%/packages/patches/cpufrequtils-fix-aclocal.patch \ %D%/packages/patches/cracklib-CVE-2016-6318.patch \ + %D%/packages/patches/cracklib-fix-buffer-overflow.patch \ %D%/packages/patches/crda-optional-gcrypt.patch \ %D%/packages/patches/crossmap-allow-system-pysam.patch \ %D%/packages/patches/csound-header-ordering.patch \ diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm index f8111b2abf..cb8dacc3ea 100644 --- a/gnu/packages/password-utils.scm +++ b/gnu/packages/password-utils.scm @@ -173,7 +173,8 @@ and vice versa.") (uri (string-append "https://github.com/cracklib/cracklib/" "releases/download/" name "-" version "/" name "-" version ".tar.gz")) - (patches (search-patches "cracklib-CVE-2016-6318.patch")) + (patches (search-patches "cracklib-CVE-2016-6318.patch" + "cracklib-fix-buffer-overflow.patch")) (sha256 (base32 "0hrkb0prf7n92w6rxgq0ilzkk6rkhpys2cfqkrbzswp27na7dkqp")))) diff --git a/gnu/packages/patches/cracklib-fix-buffer-overflow.patch b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch new file mode 100644 index 0000000000..b1c990f282 --- /dev/null +++ b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch 
@@ -0,0 +1,39 @@
+Fix buffer overflow processing long words in Mangle().
+
+Patch adpated from upstream commit, omitting changes to 'NEWS':
+
+https://github.com/cracklib/cracklib/commit/33d7fa4585247cd2247a1ffa032ad245836c6edb
+
+From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001
+From: Jan Dittberner
+Date: Thu, 25 Aug 2016 17:17:53 +0200
+Subject: [PATCH] Fix a buffer overflow processing long words
+
+A buffer overflow processing long words has been discovered. This commit
+applies the patch from
+https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch
+by Howard Guo.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and
+http://www.openwall.com/lists/oss-security/2016/08/23/8
+---
+ src/NEWS | 1 +
+ src/lib/rules.c | 5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/rules.c b/src/lib/rules.c
+index d193cc0..3a2aa46 100644
+--- a/lib/rules.c
++++ b/lib/rules.c
+@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a pointer to a controlled Mangle */
+ {
+ int limit;
+ register char *ptr;
+- static char area[STRINGSIZE];
+- char area2[STRINGSIZE];
+- area[0] = '\0';
++ static char area[STRINGSIZE * 2] = {0};
++ char area2[STRINGSIZE * 2] = {0};
+ strcpy(area, input);
+
+ for (ptr = control; *ptr; ptr++) -- cgit 1.4.1 From 7f760a8474a7857275bdcc000ff8814b48d9c35a Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Mon, 9 Jan 2017 03:55:52 -0500 Subject: gnu: totem: Update to 3.22.0. * gnu/packages/gnome.scm (totem): Update to 3.22.0. [source]: Remove patch. * gnu/packages/patches/totem-debug-format-fix.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/gnome.scm | 5 ++--- gnu/packages/patches/totem-debug-format-fix.patch | 11 ----------- 3 files changed, 2 insertions(+), 15 deletions(-) delete mode 100644 gnu/packages/patches/totem-debug-format-fix.patch (limited to 'gnu/local.mk')
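Review bot: The copy on the line after the new declarations is still an unbounded `strcpy(area, input)`, so doubling `area` and `area2` removes the overflow only if every caller already limits `input` to STRINGSIZE bytes; that precondition is neither visible in the hunk nor stated in the patch header. A bounded copy would make the fix self-contained, `snprintf(area, sizeof area, "%s", input);`, and the assumption is worth recording either way, e.g. `/* area holds 2*STRINGSIZE so a STRINGSIZE-bounded input has room to grow under the rules below */`. Note also that `= {0}` on the `static` array zeroes it once at program start rather than on every call as the removed `area[0] = '\0'` did; harmless because `strcpy` overwrites it immediately, but easy to misread as equivalent. Mangle's body continues outside the hunk.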
diff --git a/gnu/local.mk b/gnu/local.mk index 21580a3870..13519b0e64 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -899,7 +899,6 @@ dist_patch_DATA = \ %D%/packages/patches/ttf2eot-cstddef.patch \ %D%/packages/patches/ttfautohint-source-date-epoch.patch \ %D%/packages/patches/tophat-build-with-later-seqan.patch \ - %D%/packages/patches/totem-debug-format-fix.patch \ %D%/packages/patches/tuxpaint-stamps-path.patch \ %D%/packages/patches/unrtf-CVE-2016-10091.patch \ %D%/packages/patches/unzip-CVE-2014-8139.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 67d6b9d54d..be0687e17f 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -3213,7 +3213,7 @@ for application developers.") (define-public totem (package (name "totem") - (version "3.20.1") + (version "3.22.0") (source (origin (method url-fetch) @@ -3222,8 +3222,7 @@ for application developers.") name "-" version ".tar.xz")) (sha256 (base32 - "09swnhp46cyy2svqx02fzy555pjgc61lyjw56v9rz1mfc41lh8kg")) - (patches (search-patches "totem-debug-format-fix.patch")))) + "1sjgjqhpsh3kipnbc8y31xz64s61xjayxq98pi0vkgbl2rdmnsh2")))) (build-system glib-or-gtk-build-system) (native-inputs `(("pkg-config" ,pkg-config) diff --git a/gnu/packages/patches/totem-debug-format-fix.patch b/gnu/packages/patches/totem-debug-format-fix.patch deleted file mode 100644 index 7ddd31ee10..0000000000 --- a/gnu/packages/patches/totem-debug-format-fix.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- totem-3.20.1/src/backend/bacon-video-widget.c.orig 2016-03-22 12:45:32.000000000 -0400 -+++ totem-3.20.1/src/backend/bacon-video-widget.c 2016-05-11 02:49:55.299109551 -0400 -@@ -2334,7 +2334,7 @@ - if (!gst_toc_entry_get_start_stop_times (entry, &start, &stop)) { - GST_DEBUG ("Chapter #%d (couldn't get times)", i); - } else { -- GST_DEBUG ("Chapter #%d (start: %li stop: %li)", i, start, stop); -+ GST_DEBUG ("Chapter #%d (start: %li stop: %li)", i, (long) start, (long) stop); - } - } - -- cgit 1.4.1 
From 5713993f3549feb3b4ecb55f486df68ad79d6c66 Mon Sep 17 00:00:00 2001 From: David Craven Date: Sat, 14 Jan 2017 17:26:13 +0100 Subject: gnu: libxt: Add libxt-guix-search-paths.patch. Followup to 54d8d0fef1a0224f118dbfad8fceece06d322eab. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + 1 file changed, 1 insertion(+) (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 21580a3870..04c88b02a2 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -721,6 +721,7 @@ dist_patch_DATA = \ %D%/packages/patches/libxml2-CVE-2016-5131.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ %D%/packages/patches/libxslt-CVE-2016-4738.patch \ + %D%/packages/patches/libxt-guix-search-paths.patch \ %D%/packages/patches/linux-pam-no-setfsuid.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/llvm-for-extempore.patch \ -- cgit 1.4.1 From b84257c0ffaa26b635f6a617d28da4b7edf26442 Mon Sep 17 00:00:00 2001 From: Hartmut Goebel Date: Sat, 31 Dec 2016 15:48:22 +0100 Subject: gnu: Add tipp10 touch typing tutor. * gnu/packages/education.scm (touch10): New variable. * gnu/packages/patches/tipp10-fix-compiling.patch, gnu/packages/patches/tipp10-remove-license-code.patch: New files. * gnu/local.mk (dist_patch_DATA): Register them. --- gnu/local.mk | 2 + gnu/packages/education.scm | 58 ++++ gnu/packages/patches/tipp10-fix-compiling.patch | 213 +++++++++++++ .../patches/tipp10-remove-license-code.patch | 332 +++++++++++++++++++++ 4 files changed, 605 insertions(+) create mode 100644 gnu/packages/patches/tipp10-fix-compiling.patch create mode 100644 gnu/packages/patches/tipp10-remove-license-code.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 04c88b02a2..d378872372 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -896,6 +896,8 @@ dist_patch_DATA = \ %D%/packages/patches/texi2html-i18n.patch \ %D%/packages/patches/tidy-CVE-2015-5522+5523.patch \ %D%/packages/patches/tinyxml-use-stl.patch \ + %D%/packages/patches/tipp10-fix-compiling.patch \ + %D%/packages/patches/tipp10-remove-license-code.patch \ %D%/packages/patches/tk-find-library.patch \ %D%/packages/patches/ttf2eot-cstddef.patch \ %D%/packages/patches/ttfautohint-source-date-epoch.patch \ diff --git a/gnu/packages/education.scm b/gnu/packages/education.scm index 3a883079fe..43e73a0e0d 100644 --- a/gnu/packages/education.scm +++ b/gnu/packages/education.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2016 Danny Milosavljevic ;;; Copyright © 2016 Ricardo Wurmus +;;; Copyright © 2016 Hartmut Goebel ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -138,3 +139,60 @@ of categories with some of the activities available in that category. @end enumerate ") (license license:gpl3+))) + +(define-public tipp10 + (package + (name "tipp10") + (version "2.1.0") + (source (origin + (method url-fetch) + ;; guix download is not able to handle the download links on the + ;; home-page, which use '' + (uri (string-append "mirror://debian/pool/main/" + "t/tipp10/tipp10_2.1.0.orig.tar.gz")) + (sha256 + (base32 + "0d387b404j88gsv6kv0rb7wxr23v5g5vl6s5l7602x8pxf7slbbx")) + (patches (search-patches "tipp10-fix-compiling.patch" + "tipp10-remove-license-code.patch")))) + (build-system cmake-build-system) + (arguments + `(#:tests? #f ; packages has no tests + #:phases + (modify-phases %standard-phases + (add-after 'unpack 'disable-new-version-check + (lambda _ + ;; Make new version check to default to false. + ;; TODO: Remove the checkbox from the dialog and the check itself + (substitute* '("widget/settingspages.cpp" "widget/mainwindow.cpp") + (("settings.value(\"check_new_version\", true)") + "settings.value(\"check_new_version\", false)")))) + (replace 'configure + (lambda* (#:key outputs #:allow-other-keys) + (let ((out (assoc-ref outputs "out"))) + ;; Make program honor $PREFIX + (substitute* "tipp10.pro" + (("\\.path = /usr/") (string-append ".path = " out "/"))) + (substitute* "def/defines.h" + (("\"/usr/") (string-append "\"" out "/"))) + ;; Recreate Makefile + (zero? (system* "qmake")))))))) + (inputs + `(("qt4" ,qt-4) + ("sqlite" ,sqlite))) + (home-page "https://www.tipp10.com/") + (synopsis "Touch typing tutor") + (description "Tipp10 is a touch typing tutor for Windows, Mac OS and +Linux. The ingenious thing about the software is its intelligence feature: +Characters that are mistyped are repeated more frequently. Beginners will +find their way around right away so they can start practicing without a hitch. 
+ +Useful support functions and an extensive progress tracker, topical lessons +and the ability to create your own practice lessons make learning to type +easy. + +Note: To change the language settings choose Datei (File) → +Grundeinstellungen (Generell Settings) → Sprache (Language) and change from +Deutsch to English. The you have restart the program to have the change take +effect.") + (license license:gpl2))) diff --git a/gnu/packages/patches/tipp10-fix-compiling.patch b/gnu/packages/patches/tipp10-fix-compiling.patch new file mode 100644 index 0000000000..4c206d4d83 --- /dev/null +++ b/gnu/packages/patches/tipp10-fix-compiling.patch 
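Review bot: The pattern handed to `substitute*` in the `disable-new-version-check` phase is a regular expression, so its parentheses form a group instead of matching the literal parentheses in `settings.value("check_new_version", true)`; as written the substitution most likely never matches and the network version check stays enabled by default. Escaping them fixes it: `(("settings\\.value\\(\"check_new_version\", true\\)")`. Because `substitute*` is silent when nothing matches, a check after the phase (for example failing the build if the original text is still present) would catch this class of mistake. The comment `; packages has no tests` should read `; package has no tests`.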
@@ -0,0 +1,213 @@ +Description: Debian patches to make tipp10 compile +Author: Christoph Martin +Last-Update: 2016-07-20 + +https://sources.debian.net/data/main/t/tipp10/2.1.0-2/debian/patches/0001-FixCompiling + +--- a/widget/tickerboard.cpp ++++ b/widget/tickerboard.cpp +@@ -97,7 +97,8 @@ void TickerBoard::startTicker(bool wasPa + + if (tickerSpeed == 50) { + scrollOffset = 290; +- scroll(-290, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect()); ++ const QRect qr = QRect(10, 15, 590, 35); ++ scroll(-290, 0, qr); //contentsRect()); + } + + startFlag = true; +@@ -153,7 +154,8 @@ void TickerBoard::changeChar() { + scrollOffset = 0; + } else { + scrollOffset = 290; +- scroll(-290, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect()); ++ const QRect qr = QRect(10, 15, 590, 35); ++ scroll(-290, 0, qr); //contentsRect()); + } + splitLesson(); + } +@@ -242,7 +244,8 @@ void TickerBoard::progress() { + + // Move ticker 1 pixel to left + scrollOffset++; +- scroll(-1, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect()); ++ const QRect qr = QRect(10, 15, 590, 35); ++ scroll(-1, 0, qr); //contentsRect()); + + if ((lessonOffset - scrollOffset) <= 30) { + setSpeed(tickerSpeed); +@@ -265,14 +268,16 @@ void TickerBoard::progress() { + // 160 pixels overage (because the user must see at least the next word) + if ((lessonOffset - scrollOffset) > 200) { + scrollOffset += (lessonOffset - scrollOffset) - 200; +- scroll(-((lessonOffset - scrollOffset) - 200), 0, QRect::QRect(10, 15, 590, 35)); //contentsRect()); ++ const QRect qr = QRect(10, 15, 590, 35); ++ scroll(-((lessonOffset - scrollOffset) - 200), 0, qr); //contentsRect()); + } + } else { + // If the user types faster than the ticker, move ticker faster after + // 160 pixels overage (because the user must see at least the next word) + if ((lessonOffset - scrollOffset) > 280) { + scrollOffset += 570; +- scroll(-570, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect()); ++ const QRect qr = QRect(10, 15, 590, 35); ++ scroll(-570, 
0, qr); //contentsRect()); + } + + } +--- a/widget/settingspages.cpp ++++ b/widget/settingspages.cpp +@@ -501,7 +501,7 @@ void DatabasePage::writeSettings() { + QSettings settings; + #endif + settings.beginGroup("database"); +- settings.setValue("pathpro", lineDatabasePath->text() + "/" + QString::QString(APP_USER_DB)); ++ settings.setValue("pathpro", lineDatabasePath->text() + "/" + QString(APP_USER_DB)); + settings.endGroup(); + } + +--- a/widget/lessondialog.cpp ++++ b/widget/lessondialog.cpp +@@ -89,7 +89,7 @@ void LessonDialog::updateContent() { + *lessonData = lineLessonContent->toPlainText().split("\n", QString::SkipEmptyParts); + // Delete empty lines + for (int i = 0; i < lessonData->size(); i++) { +- if (QString::QString(lessonData->at(i).toLocal8Bit().constData()).simplified() == "") { ++ if (QString(lessonData->at(i).toLocal8Bit().constData()).simplified() == "") { + lessonData->removeAt(i); + } + } +@@ -259,7 +259,7 @@ void LessonDialog::clickSave() { + contentList = lineLessonContent->toPlainText().split("\n", QString::SkipEmptyParts); + // Delete empty lines + for (i = 0; i < contentList.size(); i++) { +- if (QString::QString(contentList.at(i).toLocal8Bit().constData()).simplified() == "") { ++ if (QString(contentList.at(i).toLocal8Bit().constData()).simplified() == "") { + contentList.removeAt(i); + } + } +--- a/sql/chartablesql.cpp ++++ b/sql/chartablesql.cpp +@@ -57,7 +57,7 @@ QVariant CharSqlModel::data(const QModel + // Read the unicode value + unicode = value.toInt(); + // Convert unicode to a char +- unicodeToChar = QString::QString(QChar(unicode)); //"\'" + QString::QString(QChar(unicode)) + "\'"; ++ unicodeToChar = QString(QChar(unicode)); //"\'" + QString::QString(QChar(unicode)) + "\'"; + return unicodeToChar; + } else { + // Last column (error weight) +--- a/sql/startsql.cpp ++++ b/sql/startsql.cpp +@@ -344,7 +344,7 @@ bool StartSql::updateOwnLesson(QString l + for (i = 0; i < content.size(); i++) { + //simplifiedContent = 
QString::QString( + // content.at(i)).replace(QChar(0x27), "''", Qt::CaseSensitive).simplified(); +- simplifiedContent = trim(QString::QString( ++ simplifiedContent = trim(QString( + content.at(i)).replace(QChar(0x27), "''", Qt::CaseSensitive)); + + if (!query.exec("INSERT INTO own_content VALUES(NULL,'" + +--- a/def/defines.h ++++ b/def/defines.h +@@ -27,9 +27,9 @@ Foundation, Inc., 51 Franklin Street, Fi + #define DEFINES_H + + // OS constants +-#define APP_WIN true ++#define APP_WIN false + #define APP_MAC false +-#define APP_X11 false ++#define APP_X11 true + #define APP_PORTABLE false //at least one of the 3 OS must be true too! + + // Languages +@@ -47,6 +47,7 @@ Foundation, Inc., 51 Franklin Street, Fi + #define APP_URL "http://www.tipp10.com" + #define APP_DB "tipp10v2.template" + #define APP_USER_DB "tipp10v2.db" ++#define APP_SHARE_DIR "/usr/share/tipp10" + + // Update constants + #define UPDATE_URL "www.tipp10.com" +--- a/tipp10.pro ++++ b/tipp10.pro +@@ -88,3 +88,15 @@ SOURCES += main.cpp \ + sql/startsql.cpp \ + games/abcrainwidget.cpp \ + games/charball.cpp ++ ++target.path = /usr/bin/ ++INSTALLS += target ++share.path = /usr/share/tipp10/ ++share.files = release/* *wav ++INSTALLS += share ++desktop.path = /usr/share/applications/ ++desktop.files = tipp10.desktop ++INSTALLS += desktop ++pixmap.path = /usr/share/pixmaps/ ++pixmap.files = tipp10.png ++INSTALLS += pixmap +--- a/sql/connection.h ++++ b/sql/connection.h +@@ -179,11 +179,13 @@ static bool createConnection() { + CANCEL_NO, "Betroffener Pfad:\n" + dbPath);*/ + // Try to create new databae in user path + // Exist a database in the program dir? 
+- if (QFile::exists(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate)) { ++ // if (QFile::exists(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate)) { ++ if (QFile::exists(QString(APP_SHARE_DIR) + "/" + dbNameTemplate)) { + //if (QFile::exists(":/" + dbNameTemplate)) { + // A database exist in the program dir + // -> copy database to user home dir +- QFile file(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate); ++ // QFile file(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate); ++ QFile file(QString(APP_SHARE_DIR) + "/" + dbNameTemplate); + //QFile file(":/" + dbNameTemplate); + if (file.copy(dbPath)) { + QFile::setPermissions(dbPath, QFile::permissions(dbPath) | QFile::WriteUser); +@@ -229,7 +231,8 @@ static bool createConnection() { + // Exist a database in user's home dir? + if (!QFile::exists(dbPath)) { + // Exist a database template in the program dir? +- dbPath = QCoreApplication::applicationDirPath() + "/" + dbNameTemplate; ++ // dbPath = QCoreApplication::applicationDirPath() + "/" + dbNameTemplate; ++ dbPath = QString(APP_SHARE_DIR) + "/" + dbNameTemplate; + //dbPath = ":/" + dbNameTemplate; + if (QFile::exists(dbPath)) { + // A database template exist in the program dir +--- a/widget/helpbrowser.cpp ++++ b/widget/helpbrowser.cpp +@@ -52,13 +52,15 @@ HelpBrowser::HelpBrowser(QString link, Q + textBrowser->setOpenExternalLinks(true); + + textBrowser->setSource(QString("file:///") + +- QCoreApplication::applicationDirPath() + ++ // QCoreApplication::applicationDirPath() + ++ APP_SHARE_DIR + + QString("/help/") + language + QString("/index.html")); + + if (link != "") { + + textBrowser->setSource(QString("file:///") + +- QCoreApplication::applicationDirPath() + ++ // QCoreApplication::applicationDirPath() + ++ APP_SHARE_DIR + + QString("/help/") + language + QString("/content/") + link); + + } +--- a/tipp10.desktop ++++ b/tipp10.desktop +@@ -1,10 +1,10 @@ + [Desktop Entry] +-Encoding=UTF-8 + Name=TIPP10 + 
Comment=Touch Typing Tutor + Comment[de]=10-Finger-Schreibtrainer +-Exec=tipp10 ++Exec=/usr/bin/tipp10 + Icon=tipp10.png + Terminal=false + Type=Application + Categories=Education; ++Keywords=learning;touchtyping diff --git a/gnu/packages/patches/tipp10-remove-license-code.patch b/gnu/packages/patches/tipp10-remove-license-code.patch new file mode 100644 index 0000000000..4b7487e726 --- /dev/null +++ b/gnu/packages/patches/tipp10-remove-license-code.patch 
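Review bot: The `Exec=/usr/bin/tipp10` line this patch adds to `tipp10.desktop` is an absolute path that the package's configure phase in this commit does not rewrite (it only substitutes `/usr/` in `tipp10.pro` and `"/usr/` in `def/defines.h`), so the installed desktop entry would point at a binary that does not exist on Guix. Either keep the upstream relative `Exec=tipp10` in the patch or add the file to the substitution, e.g. `(substitute* "tipp10.desktop" (("Exec=/usr/bin/") (string-append "Exec=" out "/bin/")))`. The `APP_SHARE_DIR` define and the `.path` assignments are covered by the existing substitutions, so the desktop file appears to be the only leftover.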
@@ -0,0 +1,332 @@ +Description: Remove license dialog and license key checking + +https://sources.debian.net/data/main/t/tipp10/2.1.0-2/debian/patches/0002-RemoveLicenseCode + +--- a/main.cpp ++++ b/main.cpp +@@ -33,7 +33,6 @@ Foundation, Inc., 51 Franklin Street, Fi + #include "def/defines.h" + #include "sql/connection.h" + #include "widget/mainwindow.h" +-#include "widget/licensedialog.h" + #include "widget/illustrationdialog.h" + + int main(int argc, char *argv[]) { +@@ -59,7 +58,7 @@ int main(int argc, char *argv[]) { + QSettings settings; + #endif + +- // Read/write language, license key and show illustration flag ++ // Read/write language and show illustration flag + settings.beginGroup("general"); + QString languageGui = settings.value("language_gui", + QLocale::system().name()).toString(); +@@ -101,7 +100,6 @@ int main(int argc, char *argv[]) { + QString languageLesson = settings.value("language_lesson", + "").toString(); + +- QString licenseKey = settings.value("licensekey", "").toString(); + bool showIllustration = settings.value("check_illustration", true).toBool(); + bool useNativeStyle = settings.value("check_native_style", false).toBool(); + settings.endGroup(); +--- a/tipp10.pro ++++ b/tipp10.pro +@@ -43,7 +43,6 @@ HEADERS += def/defines.h \ + widget/helpbrowser.h \ + widget/companylogo.h \ + widget/errormessage.h \ +- widget/licensedialog.h \ + widget/txtmessagedialog.h \ + widget/checkversion.h \ + sql/connection.h \ +@@ -78,7 +77,6 @@ SOURCES += main.cpp \ + widget/helpbrowser.cpp \ + widget/companylogo.cpp \ + widget/errormessage.cpp \ +- widget/licensedialog.cpp \ + widget/txtmessagedialog.cpp \ + widget/checkversion.cpp \ + sql/lessontablesql.cpp \ +--- a/widget/licensedialog.cpp ++++ /dev/null +@@ -1,168 +0,0 @@ +-/* +-Copyright (c) 2006-2009, Tom Thielicke IT Solutions +- +-This program is free software; you can redistribute it and/or +-modify it under the terms of the GNU General Public License +-as published by the Free Software Foundation; 
either version 2 +-of the License. +- +-This program is distributed in the hope that it will be useful, +-but WITHOUT ANY WARRANTY; without even the implied warranty of +-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-GNU General Public License for more details. +- +-You should have received a copy of the GNU General Public License +-along with this program; if not, write to the Free Software +-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +-02110-1301, USA. +-*/ +- +-/**************************************************************** +-** +-** Implementation of the LicenseDialog class +-** File name: licensedialog.cpp +-** +-****************************************************************/ +- +-#include +-#include +-#include +-#include +-#include +- +-#include "licensedialog.h" +-#include "def/defines.h" +- +-LicenseDialog::LicenseDialog(QWidget *parent) : QDialog(parent) { +- +- setWindowFlags(windowFlags() ^ Qt::WindowContextHelpButtonHint); +- +- setWindowTitle(tr("Lizenznummer")); +- setWindowIcon(QIcon(":/img/" + QString(ICON_FILENAME))); +- +- // Create texbox +- createLineEdit(); +- +- // Create buttons +- createButtons(); +- +- // Set the layout of all widgets created above +- createLayout(); +- +- lineLicensing->setFocus(); +-} +- +-void LicenseDialog::createButtons() { +- //Buttons +- buttonOk = new QPushButton(this); +- buttonDemo = new QPushButton(this); +- +- buttonOk->setText(tr("&Ok")); +- buttonDemo->setText(tr("&Demo starten")); +- buttonDemo->setToolTip(tr("Im Demo-Modus koennen pro Lektion nur\n" +- "10 Schriftzeichen eingegeben werden")); +- +- buttonOk->setDefault(true); +- // Widget connections +- connect(buttonOk, SIGNAL(clicked()), this, SLOT(clickOk())); +- connect(buttonDemo, SIGNAL(clicked()), this, SLOT(clickDemo())); +-} +- +-void LicenseDialog::createLineEdit() { +- +- lineLicensing = new QLineEdit(); +- lineLicensing->setInputMask(">NNNNNNNNNNNNNN"); +- +- labelLicensing = new QLabel(tr("Bitte geben Sie 
Ihre Lizenznummer " +- "(ohne Leerzeichen) ein, " +- "die Sie im Arbeitsbuch (Schulbuch) auf Seite 3 finden:")); +- +- labelLicensing->setWordWrap(true); +-} +- +-void LicenseDialog::createLayout() { +- // Button layout horizontal +- QHBoxLayout *buttonLayoutHorizontal = new QHBoxLayout; +- buttonLayoutHorizontal->addStretch(1); +- buttonLayoutHorizontal->addWidget(buttonDemo); +- buttonLayoutHorizontal->addWidget(buttonOk); +- // Full layout of all widgets vertical +- QVBoxLayout *mainLayout = new QVBoxLayout; +- mainLayout->addSpacing(1); +- mainLayout->addWidget(labelLicensing); +- mainLayout->addSpacing(1); +- mainLayout->addWidget(lineLicensing); +- mainLayout->addSpacing(1); +- mainLayout->addLayout(buttonLayoutHorizontal); +- mainLayout->setMargin(15); +- mainLayout->setSpacing(15); +- // Pass layout to parent widget (this) +- this->setLayout(mainLayout); +-} +- +-void LicenseDialog::clickOk() { +- +- // Check license key +- if (!checkLicenseKey(lineLicensing->text())) { +- +- // License key is wrong +- +- // Message to the user +- QMessageBox::information(0, APP_NAME, +- tr("Die eingegebene Lizenznummer ist leider nicht " +- "korrekt.\nBitte ueberpruefen Sie die Schreibweise.")); +- +- lineLicensing->setFocus(); +- +- } else { +- +- // License key is ok +- writeSettings(); +- accept(); +- } +-} +- +-void LicenseDialog::clickDemo() { +- accept(); +-} +- +-bool LicenseDialog::checkLicenseKey(QString licenseKey) { +- if (licenseKey.size() == 14 && +- licenseKey[0].isLetter() && +- licenseKey[1].isLetter() && +- (licenseKey.mid(2, 2) == "39" || +- licenseKey.mid(2, 2) == "41" || +- licenseKey.mid(2, 2) == "43" || +- licenseKey.mid(2, 2) == "49" || +- licenseKey.mid(2, 2) == "99") && +- licenseKey[4].isDigit() && +- licenseKey[5].isDigit() && +- licenseKey[6].isDigit() && +- licenseKey[7].isLetter() && +- licenseKey[8].isDigit() && +- licenseKey[9].isDigit() && +- licenseKey[10].isDigit() && +- licenseKey[11].isDigit() && +- licenseKey[12].isLetter() && +- 
licenseKey[13].isLetter()) { +- +- return true; +- } +- return false; +-} +- +-void LicenseDialog::writeSettings() { +- // Saves settings of the startwiget +- // (uses the default constructor of QSettings, passing +- // the application and company name see main function) +- #if APP_PORTABLE +- QSettings settings(QCoreApplication::applicationDirPath() + +- "/portable/settings.ini", QSettings::IniFormat); +- #else +- QSettings settings; +- #endif +- +- settings.beginGroup("general"); +- settings.setValue("licensekey", lineLicensing->text()); +- settings.endGroup(); +-} +--- a/widget/licensedialog.h ++++ /dev/null +@@ -1,85 +0,0 @@ +-/* +-Copyright (c) 2006-2009, Tom Thielicke IT Solutions +- +-This program is free software; you can redistribute it and/or +-modify it under the terms of the GNU General Public License +-as published by the Free Software Foundation; either version 2 +-of the License. +- +-This program is distributed in the hope that it will be useful, +-but WITHOUT ANY WARRANTY; without even the implied warranty of +-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-GNU General Public License for more details. +- +-You should have received a copy of the GNU General Public License +-along with this program; if not, write to the Free Software +-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +-02110-1301, USA. +-*/ +- +-/**************************************************************** +-** +-** Definition of the LicenseDialog class +-** File name: licensedialog.h +-** +-****************************************************************/ +- +-#ifndef LICENSEDIALOG_H +-#define LICENSEDIALOG_H +- +-#include +-#include +-#include +-#include +-#include +-#include +- +-//! The LicenseDialog class provides a license input widget. +-/*! +- The LicenseDialog class shows a dialog to enter a license key. 
+- +- @author Tom Thielicke, s712715 +- @version 0.0.1 +- @date 09.09.2008 +-*/ +-class LicenseDialog : public QDialog { +- Q_OBJECT +- +- public: +- +- //! Constructor, creates two table objects and provide it in two tabs. +- LicenseDialog(QWidget *parent = 0); +- +- bool checkLicenseKey(QString licenseKey); +- +- public slots: +- +- private slots: +- +- //! Start button pressed +- void clickOk(); +- +- //! Demo button pressed +- void clickDemo(); +- +- private: +- +- //! Creates a cancel and a ok button. +- void createButtons(); +- +- //! Creates a textbox. +- void createLineEdit(); +- +- //! Creates the layout of the complete class. +- void createLayout(); +- +- //! Writes user settings +- void writeSettings(); +- +- QPushButton *buttonOk; +- QPushButton *buttonDemo; +- QLabel *labelLicensing; +- QLineEdit *lineLicensing; +-}; +- +-#endif //LICENSEDIALOG_H +--- a/widget/mainwindow.cpp ++++ b/widget/mainwindow.cpp +@@ -116,11 +116,6 @@ void MainWindow::closeEvent(QCloseEvent + } + } + +-bool MainWindow::checkLicenseKey(QString licenseKey) { +- +- return false; +-} +- + void MainWindow::createMenu() { + //Mac-Version: + //----------- +--- a/widget/mainwindow.h ++++ b/widget/mainwindow.h +@@ -39,7 +39,6 @@ Foundation, Inc., 51 Franklin Street, Fi + #include "trainingwidget.h" + #include "evaluationwidget.h" + #include "illustrationdialog.h" +-#include "licensedialog.h" + #include "games/abcrainwidget.h" + #include "helpbrowser.h" + -- cgit 1.4.1 From 2be1b4712d362fa9face12a731e75038ae9d59ba Mon Sep 17 00:00:00 2001 
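Review bot: In the `widget/mainwindow.h` section only the `#include "licensedialog.h"` line is removed, while the definition of `MainWindow::checkLicenseKey` is deleted from `widget/mainwindow.cpp`; if the member's declaration is still in the header (it is not visible in the hunk), the class now declares a method without a definition, which compiles until something calls it. Dropping the declaration in the same patch, or noting in the patch header that no caller remains, would make the removal self-consistent. The `main.cpp` change stops reading the `licensekey` setting but says nothing about other readers of that key; a sentence in the patch description confirming the dialog was the only user would help a later reader.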
From: Julien Lepiller Date: Sat, 7 Jan 2017 20:16:00 +0100 Subject: gnu: Add openvpn service. * gnu/services/vpn.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. * doc/guix.texi (VPN Services): New section. --- doc/guix.texi | 360 +++++++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + gnu/services/vpn.scm | 491 +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 852 insertions(+) create mode 100644 gnu/services/vpn.scm (limited to 'gnu/local.mk') diff --git a/doc/guix.texi b/doc/guix.texi index fa07aba5ad..55657ec81c 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -208,6 +208,7 @@ Services * Messaging Services:: Messaging services. * Kerberos Services:: Kerberos services. * Web Services:: Web servers. +* VPN Services:: VPN daemons. * Network File System:: NFS related services. * Continuous Integration:: The Cuirass service. * Miscellaneous Services:: Other services. @@ -8120,6 +8121,7 @@ declaration. * Messaging Services:: Messaging services. * Kerberos Services:: Kerberos services. * Web Services:: Web servers. +* VPN Services:: VPN daemons. * Network File System:: NFS related services. * Continuous Integration:: The Cuirass service. * Miscellaneous Services:: Other services. 
@@ -12354,6 +12356,364 @@ Whether the server should add its configuration to response. @end table @end deftp +@node VPN Services +@subsubsection VPN Services +@cindex VPN (virtual private network) +@cindex virtual private network (VPN) + +The @code{(gnu services vpn)} module provides services related to +@dfn{virtual private networks} (VPNs). It provides a @emph{client} service for +your machine to connect to a VPN, and a @emph{servire} service for your machine +to host a VPN. Both services use @uref{https://openvpn.net/, OpenVPN}. + +@deffn {Scheme Procedure} openvpn-client-service @ + [#:config (openvpn-client-configuration)] + +Return a service that runs @command{openvpn}, a VPN daemon, as a client. +@end deffn + +@deffn {Scheme Procedure} openvpn-server-service @ + [#:config (openvpn-server-configuration)] + +Return a service that runs @command{openvpn}, a VPN daemon, as a server. + +Both can be run simultaneously. +@end deffn + +@c %automatically generated documentation + +Available @code{openvpn-client-configuration} fields are: + +@deftypevr @code{openvpn-client-configuration} parameter package openvpn +The OpenVPN package. + +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter string pid-file +The OpenVPN pid file. + +Defaults to @samp{"/var/run/openvpn/openvpn.pid"}. + +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter proto proto +The protocol (UDP or TCP) used to open a channel between clients and +servers. + +Defaults to @samp{udp}. + +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter dev dev +The device type used to represent the VPN connection. + +Defaults to @samp{tun}. + +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter string ca +The certificate authority to check connections against. + +Defaults to @samp{"/etc/openvpn/ca.crt"}. 
+ +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter string cert +The certificate of the machine the daemon is running on. It should be +signed by the authority given in @code{ca}. + +Defaults to @samp{"/etc/openvpn/client.crt"}. + +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter string key +The key of the machine the daemon is running on. It must be the key whose +certificate is @code{cert}. + +Defaults to @samp{"/etc/openvpn/client.key"}. + +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter boolean comp-lzo? +Whether to use the lzo compression algorithm. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter boolean persist-key? +Don't re-read key files across SIGUSR1 or --ping-restart. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter boolean persist-tun? +Don't close and reopen TUN/TAP device or run up/down scripts across +SIGUSR1 or --ping-restart restarts. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter number verbosity +Verbosity level. + +Defaults to @samp{3}. + +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter tls-auth-client tls-auth +Add an additional layer of HMAC authentication on top of the TLS control +channel to protect against DoS attacks. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter key-usage verify-key-usage? +Whether to check the server certificate has server usage extension. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter bind bind? +Bind to a specific local port number. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter resolv-retry resolv-retry? +Retry resolving server address. + +Defaults to @samp{#t}. 
+ +@end deftypevr + +@deftypevr @code{openvpn-client-configuration} parameter openvpn-remote-list remote +A list of remote servers to connect to. + +Defaults to @samp{()}. + +Available @code{openvpn-remote-configuration} fields are: + +@deftypevr @code{openvpn-remote-configuration} parameter string name +Server name. + +Defaults to @samp{"my-server"}. + +@end deftypevr + +@deftypevr @code{openvpn-remote-configuration} parameter number port +Port number the server listens to. + +Defaults to @samp{1194}. + +@end deftypevr + +@end deftypevr +@c %end of automatic openvpn-client documentation + +@c %automatically generated documentation + +Available @code{openvpn-server-configuration} fields are: + +@deftypevr @code{openvpn-server-configuration} parameter package openvpn +The OpenVPN package. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter string pid-file +The OpenVPN pid file. + +Defaults to @samp{"/var/run/openvpn/openvpn.pid"}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter proto proto +The protocol (UDP or TCP) used to open a channel between clients and +servers. + +Defaults to @samp{udp}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter dev dev +The device type used to represent the VPN connection. + +Defaults to @samp{tun}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter string ca +The certificate authority to check connections against. + +Defaults to @samp{"/etc/openvpn/ca.crt"}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter string cert +The certificate of the machine the daemon is running on. It should be +signed by the authority given in @code{ca}. + +Defaults to @samp{"/etc/openvpn/client.crt"}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter string key +The key of the machine the daemon is running on. It must be the key whose +certificate is @code{cert}. 
+ +Defaults to @samp{"/etc/openvpn/client.key"}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter boolean comp-lzo? +Whether to use the lzo compression algorithm. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter boolean persist-key? +Don't re-read key files across SIGUSR1 or --ping-restart. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter boolean persist-tun? +Don't close and reopen TUN/TAP device or run up/down scripts across +SIGUSR1 or --ping-restart restarts. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter number verbosity +Verbosity level. + +Defaults to @samp{3}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter tls-auth-server tls-auth +Add an additional layer of HMAC authentication on top of the TLS control +channel to protect against DoS attacks. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter number port +Specifies the port number on which the server listens. + +Defaults to @samp{1194}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter ip-mask server +An ip and mask specifying the subnet inside the virtual network. + +Defaults to @samp{"10.8.0.0 255.255.255.0"}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter cidr6 server-ipv6 +A CIDR notation specifying the IPv6 subnet inside the virtual network. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter string dh +The Diffie-Hellman parameters file. + +Defaults to @samp{"/etc/openvpn/dh2048.pem"}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter string ifconfig-pool-persist +The file that records client IPs. + +Defaults to @samp{"/etc/openvpn/ipp.txt"}. 
+ +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter gateway redirect-gateway? +When true, the server will act as a gateway for its clients. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter boolean client-to-client? +When true, clients are alowed to talk to each other inside the VPN. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter keepalive keepalive +Causes ping-like messages to be sent back and forth over the link so +that each side knows when the other side has gone down. @code{keepalive} +requires a pair. The first element is the period of the ping sending, +and the second element is the timeout before considering the other side +down. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter number max-clients +The maximum number of clients. + +Defaults to @samp{100}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter string status +The status file. This file shows a small report on current connection. +It is trunkated and rewritten every minute. + +Defaults to @samp{"/var/run/openvpn/status"}. + +@end deftypevr + +@deftypevr @code{openvpn-server-configuration} parameter openvpn-ccd-list client-config-dir +The list of configuration for some clients. + +Defaults to @samp{()}. + +Available @code{openvpn-ccd-configuration} fields are: + +@deftypevr @code{openvpn-ccd-configuration} parameter string name +Client name. + +Defaults to @samp{"client"}. + +@end deftypevr + +@deftypevr @code{openvpn-ccd-configuration} parameter ip-mask iroute +Client own network + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr @code{openvpn-ccd-configuration} parameter ip-mask ifconfig-push +Client VPN IP. + +Defaults to @samp{#f}. + +@end deftypevr + +@end deftypevr + + +@c %end of automatic openvpn-server documentation + + @node Network File System @subsubsection Network File System @cindex NFS 
diff --git a/gnu/local.mk b/gnu/local.mk
index d378872372..81d774eb6a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -424,6 +424,7 @@ GNU_SYSTEM_MODULES = \
 %D%/services/spice.scm \
 %D%/services/ssh.scm \
 %D%/services/version-control.scm \
+ %D%/services/vpn.scm \
 %D%/services/web.scm \
 %D%/services/xorg.scm \
 \
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
new file mode 100644
index 0000000000..c21995453e
--- /dev/null
+++ b/gnu/services/vpn.scm
@@ -0,0 +1,491 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2017 Julien Lepiller +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services vpn) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (gnu services shepherd) + #:use-module (gnu system shadow) + #:use-module (gnu packages admin) + #:use-module (gnu packages vpn) + #:use-module (guix packages) + #:use-module (guix records) + #:use-module (guix gexp) + #:use-module (srfi srfi-1) + #:use-module (ice-9 match) + #:use-module (ice-9 regex) + #:export (openvpn-client-service + openvpn-server-service + openvpn-client-service-type + openvpn-server-service-type + openvpn-client-configuration + openvpn-server-configuration + openvpn-remote-configuration + openvpn-ccd-configuration + generate-openvpn-client-documentation + generate-openvpn-server-documentation)) + +;;; +;;; OpenVPN. +;;; + +(define (uglify-field-name name) + (match name + ('verbosity "verb") + (_ (let ((str (symbol->string name))) + (if (string-suffix? "?" str) + (substring str 0 (1- (string-length str))) + str))))) + +(define (serialize-field field-name val) + (if (eq? 
field-name 'pid-file) + (format #t "") + (format #t "~a ~a\n" (uglify-field-name field-name) val))) +(define serialize-string serialize-field) +(define (serialize-boolean field-name val) + (if val + (serialize-field field-name val) + (format #t ""))) + +(define (ip-mask? val) + (and (string? val) + (if (string-match "^([0-9]+\\.){3}[0-9]+ ([0-9]+\\.){3}[0-9]+$" val) + (let ((numbers (string-tokenize val char-set:digit))) + (all-lte numbers (list 255 255 255 255 255 255 255 255))) + #f))) +(define serialize-ip-mask serialize-string) + +(define-syntax define-enumerated-field-type + (lambda (x) + (define (id-append ctx . parts) + (datum->syntax ctx (apply symbol-append (map syntax->datum parts)))) + (syntax-case x () + ((_ name (option ...)) + #`(begin + (define (#,(id-append #'name #'name #'?) x) + (memq x '(option ...))) + (define (#,(id-append #'name #'serialize- #'name) field-name val) + (serialize-field field-name val))))))) + +(define-enumerated-field-type proto + (udp tcp udp6 tcp6)) +(define-enumerated-field-type dev + (tun tap)) + +(define key-usage? boolean?) +(define (serialize-key-usage field-name value) + (if value + (format #t "remote-cert-tls server\n") + #f)) + +(define bind? boolean?) +(define (serialize-bind field-name value) + (if value + #f + (format #t "nobind\n"))) + +(define resolv-retry? boolean?) +(define (serialize-resolv-retry field-name value) + (if value + (format #t "resolv-retry infinite\n") + #f)) + +(define (serialize-tls-auth role location) + (serialize-field 'tls-auth + (string-append location " " (match role + ('server "0") + ('client "1"))))) +(define (tls-auth? val) + (or (eq? val #f) + (string? val))) +(define (serialize-tls-auth-server field-name val) + (serialize-tls-auth 'server val)) +(define (serialize-tls-auth-client field-name val) + (serialize-tls-auth 'client val)) +(define tls-auth-server? tls-auth?) +(define tls-auth-client? tls-auth?) 
+ +(define (serialize-number field-name val) + (serialize-field field-name (number->string val))) + +(define (all-lte left right) + (if (eq? left '()) + (eq? right '()) + (and (<= (string->number (car left)) (car right)) + (all-lte (cdr left) (cdr right))))) + +(define (cidr4? val) + (if (string? val) + (if (string-match "^([0-9]+\\.){3}[0-9]+/[0-9]+$" val) + (let ((numbers (string-tokenize val char-set:digit))) + (all-lte numbers (list 255 255 255 255 32))) + #f) + (eq? val #f))) + +(define (cidr6? val) + (if (string? val) + (string-match "^([0-9a-f]{0,4}:){0,8}/[0-9]{1,3}$" val) + (eq? val #f))) + +(define (serialize-cidr4 field-name val) + (if (eq? val #f) #f (serialize-field field-name val))) + +(define (serialize-cidr6 field-name val) + (if (eq? val #f) #f (serialize-field field-name val))) + +(define (ip? val) + (if (string? val) + (if (string-match "^([0-9]+\\.){3}[0-9]+$" val) + (let ((numbers (string-tokenize val char-set:digit))) + (all-lte numbers (list 255 255 255 255))) + #f) + (eq? val #f))) +(define (serialize-ip field-name val) + (if (eq? val #f) #f (serialize-field field-name val))) + +(define (keepalive? val) + (and (list? val) + (and (number? (car val)) + (number? (car (cdr val)))))) +(define (serialize-keepalive field-name val) + (format #t "~a ~a ~a\n" (uglify-field-name field-name) + (number->string (car val)) (number->string (car (cdr val))))) + +(define gateway? boolean?) +(define (serialize-gateway field-name val) + (and val + (format #t "push \"redirect-gateway\"\n"))) + + +(define-configuration openvpn-remote-configuration + (name + (string "my-server") + "Server name.") + (port + (number 1194) + "Port number the server listens to.")) + +(define-configuration openvpn-ccd-configuration + (name + (string "client") + "Client name.") + (iroute + (ip-mask #f) + "Client own network") + (ifconfig-push + (ip-mask #f) + "Client VPN IP.")) + +(define (openvpn-remote-list? val) + (and (list? val) + (or (eq? 
val '()) + (and (openvpn-remote-configuration? (car val)) + (openvpn-remote-list? (cdr val)))))) +(define (serialize-openvpn-remote-list field-name val) + (for-each (lambda (remote) + (format #t "remote ~a ~a\n" (openvpn-remote-configuration-name remote) + (number->string (openvpn-remote-configuration-port remote)))) + val)) + +(define (openvpn-ccd-list? val) + (and (list? val) + (or (eq? val '()) + (and (openvpn-ccd-configuration? (car val)) + (openvpn-ccd-list? (cdr val)))))) +(define (serialize-openvpn-ccd-list field-name val) + #f) + +(define (create-ccd-directory val) + "Create a ccd directory containing files for the ccd configuration option +of OpenVPN. Each file in this directory represents particular settings for a +client. Each file is named after the name of the client." + (let ((files (map (lambda (ccd) + (list (openvpn-ccd-configuration-name ccd) + (with-output-to-string + (lambda () + (serialize-configuration + ccd openvpn-ccd-configuration-fields))))) + val))) + (computed-file "ccd" + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (use-modules (ice-9 match)) + (mkdir-p #$output) + (for-each + (lambda (ccd) + (match ccd + ((name config-string) + (call-with-output-file + (string-append #$output "/" name) + (lambda (port) (display config-string port)))))) + '#$files)))))) + +(define-syntax define-split-configuration + (lambda (x) + (syntax-case x () + ((_ name1 name2 (common-option ...) (first-option ...) (second-option ...)) + #`(begin + (define-configuration #,#'name1 + common-option ... + first-option ...) + (define-configuration #,#'name2 + common-option ... 
+ second-option ...)))))) + +(define-split-configuration openvpn-client-configuration + openvpn-server-configuration + ((openvpn + (package openvpn) + "The OpenVPN package.") + + (pid-file + (string "/var/run/openvpn/openvpn.pid") + "The OpenVPN pid file.") + + (proto + (proto 'udp) + "The protocol (UDP or TCP) used to open a channel between clients and +servers.") + + (dev + (dev 'tun) + "The device type used to represent the VPN connection.") + + (ca + (string "/etc/openvpn/ca.crt") + "The certificate authority to check connections against.") + + (cert + (string "/etc/openvpn/client.crt") + "The certificate of the machine the daemon is running on. It should be signed +by the authority given in @code{ca}.") + + (key + (string "/etc/openvpn/client.key") + "The key of the machine the daemon is running on. It must be the whose +certificate is @code{cert}.") + + (comp-lzo? + (boolean #t) + "Whether to use the lzo compression algorithm.") + + (persist-key? + (boolean #t) + "Don't re-read key files across SIGUSR1 or --ping-restart.") + + (persist-tun? + (boolean #t) + "Don't close and reopen TUN/TAP device or run up/down scripts across +SIGUSR1 or --ping-restart restarts.") + + (verbosity + (number 3) + "Verbosity level.")) + ;; client-specific configuration + ((tls-auth + (tls-auth-client #f) + "Add an additional layer of HMAC authentication on top of the TLS control +channel to protect against DoS attacks.") + + (verify-key-usage? + (key-usage #t) + "Whether to check the server certificate has server usage extension.") + + (bind? + (bind #f) + "Bind to a specific local port number.") + + (resolv-retry? 
+ (resolv-retry #t) + "Retry resolving server address.") + + (remote + (openvpn-remote-list '()) + "A list of remote servers to connect to.")) + ;; server-specific configuration + ((tls-auth + (tls-auth-server #f) + "Add an additional layer of HMAC authentication on top of the TLS control +channel to protect against DoS attacks.") + + (port + (number 1194) + "Specifies the port number on which the server listens.") + + (server + (ip-mask "10.8.0.0 255.255.255.0") + "An ip and mask specifying the subnet inside the virtual network.") + + (server-ipv6 + (cidr6 #f) + "A CIDR notation specifying the IPv6 subnet inside the virtual network.") + + (dh + (string "/etc/openvpn/dh2048.pem") + "The Diffie-Hellman parameters file.") + + (ifconfig-pool-persist + (string "/etc/openvpn/ipp.txt") + "The file that records client IPs.") + + (redirect-gateway? + (gateway #f) + "When true, the server will act as a gateway for its clients.") + + (client-to-client? + (boolean #f) + "When true, clients are alowed to talk to each other inside the VPN.") + + (keepalive + (keepalive '(10 120)) + "Causes ping-like messages to be sent back and forth over the link so that +each side knows when the other side has gone down. @code{keepalive} requires +a pair. The first element is the period of the ping sending, and the second +element is the timeout before considering the other side down.") + + (max-clients + (number 100) + "The maximum number of clients.") + + (status + (string "/var/run/openvpn/status") + "The status file. This file shows a small report on current connection. 
It +is trunkated and rewritten every minute.") + + (client-config-dir + (openvpn-ccd-list '()) + "The list of configuration for some clients."))) + +(define (openvpn-config-file role config) + (let ((config-str + (with-output-to-string + (lambda () + (serialize-configuration config + (match role + ('server + openvpn-server-configuration-fields) + ('client + openvpn-client-configuration-fields)))))) + (ccd-dir (match role + ('server (create-ccd-directory + (openvpn-server-configuration-client-config-dir + config))) + ('client #f)))) + (computed-file "openvpn.conf" + #~(begin + (use-modules (ice-9 match)) + (call-with-output-file #$output + (lambda (port) + (match '#$role + ('server (display "" port)) + ('client (display "client\n" port))) + (display #$config-str port) + (match '#$role + ('server (display + (string-append "client-config-dir " + #$ccd-dir "\n") port)) + ('client (display "" port))))))))) + +(define (openvpn-shepherd-service role) + (lambda (config) + (let* ((config-file (openvpn-config-file role config)) + (pid-file ((match role + ('server openvpn-server-configuration-pid-file) + ('client openvpn-client-configuration-pid-file)) + config)) + (openvpn ((match role + ('server openvpn-server-configuration-openvpn) + ('client openvpn-client-configuration-openvpn)) + config)) + (log-file (match role + ('server "/var/log/openvpn-server.log") + ('client "/var/log/openvpn-client.log")))) + (list (shepherd-service + (documentation (string-append "Run the OpenVPN " + (match role + ('server "server") + ('client "client")) + " daemon.")) + (provision (match role + ('server '(vpn-server)) + ('client '(vpn-client)))) + (requirement '(networking)) + (start #~(make-forkexec-constructor + (list (string-append #$openvpn "/sbin/openvpn") + "--writepid" #$pid-file "--config" #$config-file + "--daemon") + #:pid-file #$pid-file)) + (stop #~(make-kill-destructor))))))) + +(define %openvpn-accounts + (list (user-group (name "openvpn") (system? 
#t)) + (user-account + (name "openvpn") + (group "openvpn") + (system? #t) + (comment "Openvpn daemon user") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin"))))) + +(define %openvpn-activation + #~(mkdir-p "/var/run/openvpn")) + +(define openvpn-server-service-type + (service-type (name 'openvpn-server) + (extensions + (list (service-extension shepherd-root-service-type + (openvpn-shepherd-service 'server)) + (service-extension account-service-type + (const %openvpn-accounts)) + (service-extension activation-service-type + (const %openvpn-activation)))))) + +(define openvpn-client-service-type + (service-type (name 'openvpn-client) + (extensions + (list (service-extension shepherd-root-service-type + (openvpn-shepherd-service 'client)) + (service-extension account-service-type + (const %openvpn-accounts)) + (service-extension activation-service-type + (const %openvpn-activation)))))) + +(define* (openvpn-client-service #:key (config (openvpn-client-configuration))) + (validate-configuration config openvpn-client-configuration-fields) + (service openvpn-client-service-type config)) + +(define* (openvpn-server-service #:key (config (openvpn-server-configuration))) + (validate-configuration config openvpn-server-configuration-fields) + (service openvpn-server-service-type config)) + +(define (generate-openvpn-server-documentation) + (generate-documentation + `((openvpn-server-configuration + ,openvpn-server-configuration-fields + (ccd openvpn-ccd-configuration)) + (openvpn-ccd-configuration ,openvpn-ccd-configuration-fields)) + 'openvpn-server-configuration)) + +(define (generate-openvpn-client-documentation) + (generate-documentation + `((openvpn-client-configuration + ,openvpn-client-configuration-fields + (remote openvpn-remote-configuration)) + (openvpn-remote-configuration ,openvpn-remote-configuration-fields)) + 'openvpn-client-configuration)) -- cgit 1.4.1 From af8c7e10147acd105fe33f60baab2d1d21f38f7b Mon Sep 17 00:00:00 2001 
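Review bot: With the default `tls-auth #f`, `serialize-tls-auth` calls `(string-append location " " ...)` on `#f`, which in Guile is a wrong-type-argument error, so `openvpn-config-file` appears to fail for any configuration that leaves `tls-auth` unset — `tls-auth?` explicitly admits `#f`, and the other optional fields (`serialize-cidr4`, `serialize-ip`) guard with `(if (eq? val #f) #f ...)`; the same guard is needed here: `(if location (serialize-field 'tls-auth (string-append location " " (match role ('server "0") ('client "1")))) #f)`. `keepalive?` has a related robustness gap: `(car val)` and `(car (cdr val))` run on any list, so `'()` or a one-element list raises instead of returning `#f`, and checking `(= (length val) 2)` first would keep the validator total. Separately, `%openvpn-accounts` creates an `openvpn` system account but the `make-forkexec-constructor` command line never hands it to the daemon (no `--user`/`--group` arguments), so openvpn keeps running as root after startup; if dropping privileges is intended, passing `"--user" "openvpn" "--group" "openvpn"` would make the account do something, and the `persist-key?`/`persist-tun?` defaults look like what such a setup needs across restarts, which is worth stating in their docstrings.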
From: Marius Bakke Date: Thu, 12 Jan 2017 19:06:55 +0100 Subject: gnu: mupdf: Fix CVE-2016-{10132,10133} in bundled mujs. * gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch, gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/pdf.scm (mupdf)[replacement]: New field. (mupdf/fixed): New variable. Co-authored-by: Leo Famulari --- gnu/local.mk | 2 + .../patches/mupdf-mujs-CVE-2016-10132.patch | 188 +++++++++++++++++++++ .../patches/mupdf-mujs-CVE-2016-10133.patch | 36 ++++ gnu/packages/pdf.scm | 16 +- 4 files changed, 241 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch create mode 100644 gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch (limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 81d774eb6a..58554160d2 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -755,6 +755,8 @@ dist_patch_DATA = \
 %D%/packages/patches/multiqc-fix-git-subprocess-error.patch \
 %D%/packages/patches/mumps-build-parallelism.patch \
 %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \
+ %D%/packages/patches/mupdf-mujs-CVE-2016-10132.patch \
+ %D%/packages/patches/mupdf-mujs-CVE-2016-10133.patch \
 %D%/packages/patches/mupen64plus-ui-console-notice.patch \
 %D%/packages/patches/musl-CVE-2016-8859.patch \
 %D%/packages/patches/mutt-store-references.patch \
diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch
new file mode 100644
index 0000000000..e752e57ec5
--- /dev/null
+++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch
@@ -0,0 +1,188 @@ +Fix CVE-2016-10132: + +https://bugs.ghostscript.com/show_bug.cgi?id=697381 +http://seclists.org/oss-sec/2017/q1/74 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10132 + +Patch lifted from upstream source repository: + +http://git.ghostscript.com/?p=mujs.git;h=fd003eceda531e13fbdd1aeb6e9c73156496e569 + +From fd003eceda531e13fbdd1aeb6e9c73156496e569 Mon Sep 17 00:00:00 2001 +From: Tor Andersson +Date: Fri, 2 Dec 2016 14:56:20 -0500 +Subject: [PATCH] Fix 697381: check allocation when compiling regular + expressions. + +Also use allocator callback function. +--- + thirdparty/mujs/jsgc.c | 2 +- + thirdparty/mujs/jsregexp.c | 2 +- + thirdparty/mujs/jsstate.c | 6 ------ + thirdparty/mujs/regexp.c | 45 +++++++++++++++++++++++++++++++++++---------- + thirdparty/mujs/regexp.h | 7 +++++++ + 5 files changed, 44 insertions(+), 18 deletions(-) + +diff --git a/thirdparty/mujs/jsgc.c b/thirdparty/mujs/jsgc.c +index 4f7e7dc..f80111e 100644 +--- a/thirdparty/mujs/jsgc.c ++++ b/thirdparty/mujs/jsgc.c +@@ -46,7 +46,7 @@ static void jsG_freeobject(js_State *J, js_Object *obj) + jsG_freeproperty(J, obj->head); + if (obj->type == JS_CREGEXP) { + js_free(J, obj->u.r.source); +- js_regfree(obj->u.r.prog); ++ js_regfreex(J->alloc, J->actx, obj->u.r.prog); + } + if (obj->type == JS_CITERATOR) + jsG_freeiterator(J, obj->u.iter.head); +diff --git a/thirdparty/mujs/jsregexp.c b/thirdparty/mujs/jsregexp.c +index a2d5156..7b09c06 100644 +--- a/thirdparty/mujs/jsregexp.c ++++ b/thirdparty/mujs/jsregexp.c +@@ -16,7 +16,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags) + if (flags & JS_REGEXP_I) opts |= REG_ICASE; + if (flags & JS_REGEXP_M) opts |= REG_NEWLINE; + +- prog = js_regcomp(pattern, opts, &error); ++ prog = js_regcompx(J->alloc, J->actx, pattern, opts, &error); + if (!prog) + js_syntaxerror(J, "regular expression: %s", error); + +diff --git a/thirdparty/mujs/jsstate.c b/thirdparty/mujs/jsstate.c +index 638cab3..fd5bcf6 100644 +--- 
a/thirdparty/mujs/jsstate.c ++++ b/thirdparty/mujs/jsstate.c +@@ -9,12 +9,6 @@ + + static void *js_defaultalloc(void *actx, void *ptr, int size) + { +- if (size == 0) { +- free(ptr); +- return NULL; +- } +- if (!ptr) +- return malloc((size_t)size); + return realloc(ptr, (size_t)size); + } + +diff --git a/thirdparty/mujs/regexp.c b/thirdparty/mujs/regexp.c +index 9852be2..01c18a3 100644 +--- a/thirdparty/mujs/regexp.c ++++ b/thirdparty/mujs/regexp.c +@@ -807,23 +807,31 @@ static void dumpprog(Reprog *prog) + } + #endif + +-Reprog *regcomp(const char *pattern, int cflags, const char **errorp) ++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx, ++ const char *pattern, int cflags, const char **errorp) + { + struct cstate g; + Renode *node; + Reinst *split, *jump; + int i; + +- g.prog = malloc(sizeof (Reprog)); +- g.pstart = g.pend = malloc(sizeof (Renode) * strlen(pattern) * 2); ++ g.pstart = NULL; ++ g.prog = NULL; + + if (setjmp(g.kaboom)) { + if (errorp) *errorp = g.error; +- free(g.pstart); +- free(g.prog); ++ alloc(ctx, g.pstart, 0); ++ alloc(ctx, g.prog, 0); + return NULL; + } + ++ g.prog = alloc(ctx, NULL, sizeof (Reprog)); ++ if (!g.prog) ++ die(&g, "cannot allocate regular expression"); ++ g.pstart = g.pend = alloc(ctx, NULL, sizeof (Renode) * strlen(pattern) * 2); ++ if (!g.pstart) ++ die(&g, "cannot allocate regular expression parse list"); ++ + g.source = pattern; + g.ncclass = 0; + g.nsub = 1; +@@ -840,7 +848,9 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp) + die(&g, "syntax error"); + + g.prog->nsub = g.nsub; +- g.prog->start = g.prog->end = malloc((count(node) + 6) * sizeof (Reinst)); ++ g.prog->start = g.prog->end = alloc(ctx, NULL, (count(node) + 6) * sizeof (Reinst)); ++ if (!g.prog->start) ++ die(&g, "cannot allocate regular expression instruction list"); + + split = emit(g.prog, I_SPLIT); + split->x = split + 3; +@@ -859,20 +869,35 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp) 
+ dumpprog(g.prog); + #endif + +- free(g.pstart); ++ alloc(ctx, g.pstart, 0); + + if (errorp) *errorp = NULL; + return g.prog; + } + +-void regfree(Reprog *prog) ++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx, Reprog *prog) + { + if (prog) { +- free(prog->start); +- free(prog); ++ alloc(ctx, prog->start, 0); ++ alloc(ctx, prog, 0); + } + } + ++static void *default_alloc(void *ctx, void *p, int n) ++{ ++ return realloc(p, (size_t)n); ++} ++ ++Reprog *regcomp(const char *pattern, int cflags, const char **errorp) ++{ ++ return regcompx(default_alloc, NULL, pattern, cflags, errorp); ++} ++ ++void regfree(Reprog *prog) ++{ ++ regfreex(default_alloc, NULL, prog); ++} ++ + /* Match */ + + static int isnewline(int c) +diff --git a/thirdparty/mujs/regexp.h b/thirdparty/mujs/regexp.h +index 4bb4615..6bb73e8 100644 +--- a/thirdparty/mujs/regexp.h ++++ b/thirdparty/mujs/regexp.h +@@ -1,6 +1,8 @@ + #ifndef regexp_h + #define regexp_h + ++#define regcompx js_regcompx ++#define regfreex js_regfreex + #define regcomp js_regcomp + #define regexec js_regexec + #define regfree js_regfree +@@ -8,6 +10,11 @@ + typedef struct Reprog Reprog; + typedef struct Resub Resub; + ++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx, ++ const char *pattern, int cflags, const char **errorp); ++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx, ++ Reprog *prog); ++ + Reprog *regcomp(const char *pattern, int cflags, const char **errorp); + int regexec(Reprog *prog, const char *string, Resub *sub, int eflags); + void regfree(Reprog *prog); +-- +2.9.1 + diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch new file mode 100644 index 0000000000..d73849262c --- /dev/null +++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch 
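Review bot: After this patch the deallocation path in `js_defaultalloc` (the jsstate.c hunk) and in the new `default_alloc` in regexp.c is a bare `realloc(ptr, 0)`, and the removed `if (size == 0) { free(ptr); return NULL; }` branch was what made a size-0 call a guaranteed free; C11 7.22.3.5 leaves it implementation-defined whether `realloc` with size 0 releases the old block, so `regfreex`'s `alloc(ctx, prog->start, 0)` and `alloc(ctx, prog, 0)` are only certain to free on libcs that implement realloc-to-zero as free. The `regcompx` change itself looks right: `g.pstart` and `g.prog` are set to NULL before `setjmp`, so the `die()` path releases only what was actually allocated, and each of the three allocations is checked before use. Since the file is lifted verbatim from upstream, a portable `if (n == 0) { free(p); return NULL; }` belongs in the upstream allocators rather than here, but a one-line remark above the patch header noting the `realloc(p, 0)` reliance would save the next backporter from re-deriving it.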
@@ -0,0 +1,36 @@
+Fix CVE-2016-10133:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697401
+http://seclists.org/oss-sec/2017/q1/74
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10133
+
+Patch lifted from upstream source repository:
+
+https://git.ghostscript.com/?p=mujs.git;h=77ab465f1c394bb77f00966cd950650f3f53cb24
+
+From 77ab465f1c394bb77f00966cd950650f3f53cb24 Mon Sep 17 00:00:00 2001
+From: Tor Andersson
+Date: Thu, 12 Jan 2017 14:47:01 +0100
+Subject: [PATCH] Fix 697401: Error when dropping extra arguments to
+ lightweight functions.
+
+---
+ thirdparty/mujs/jsrun.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/thirdparty/mujs/jsrun.c b/thirdparty/mujs/jsrun.c
+index ee80845..782a6f9 100644
+--- a/thirdparty/mujs/jsrun.c
++++ b/thirdparty/mujs/jsrun.c
+@@ -937,7 +937,7 @@ static void jsR_calllwfunction(js_State *J, int n, js_Function *F, js_Environmen
+ jsR_savescope(J, scope);
+
+ if (n > F->numparams) {
+- js_pop(J, F->numparams - n);
++ js_pop(J, n - F->numparams);
+ n = F->numparams;
+ }
+ for (i = n; i < F->varlen; ++i)
+--
+2.9.1
+
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 9b3571e67b..5e1c0db51e 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -6,10 +6,11 @@
 ;;; Copyright © 2016 Roel Janssen
 ;;; Coypright © 2016 ng0
 ;;; Coypright © 2016 Efraim Flashner
-;;; Coypright © 2016 Marius Bakke
+;;; Coypright © 2016, 2017 Marius Bakke
 ;;; Coypright © 2016 Ludovic Courtès
 ;;; Coypright © 2016 Julien Lepiller
 ;;; Copyright © 2016 Arun Isaac
+;;; Copyright © 2017 Leo Famulari
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -480,6 +481,7 @@ extracting content or merging files.")
 (define-public mupdf
 (package
 (name "mupdf")
+ (replacement mupdf/fixed)
 (version "1.10a")
 (source
 (origin
@@ -538,6 +540,18 @@ line tools for batch rendering (pdfdraw), rewriting files (pdfclean), and
 examining the file structure (pdfshow).")
 (license license:agpl3+)))
 
+(define mupdf/fixed
+ (package
+ (inherit mupdf)
+ (source
+ (origin
+ (inherit (package-source mupdf))
+ (patches
+ (append
+ (origin-patches (package-source mupdf))
+ (search-patches "mupdf-mujs-CVE-2016-10132.patch"
+ "mupdf-mujs-CVE-2016-10133.patch")))))))
+
 (define-public qpdf
 (package
 (name "qpdf")
-- cgit 1.4.1
From f733e603452c46640e57b1a0de34ecef324e5711 Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Wed, 18 Jan 2017 18:13:21 +0100
Subject: gnu: xf86-video-nv: Update to 2.1.21.

* gnu/packages/xorg.scm (xf86-video-nv): Update to 2.1.21. [source]: Remove upstreamed patch.
* gnu/packages/patches/xf86-video-nv-remove-mibstore.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
 gnu/local.mk | 1 -
 .../patches/xf86-video-nv-remove-mibstore.patch | 72 ----------------------
 gnu/packages/xorg.scm | 5 +-
 3 files changed, 2 insertions(+), 76 deletions(-)
 delete mode 100644 gnu/packages/patches/xf86-video-nv-remove-mibstore.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 7e816f79af..acaf3936ab 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -948,7 +948,6 @@ dist_patch_DATA = \
 %D%/packages/patches/xf86-video-intel-compat-api.patch \
 %D%/packages/patches/xf86-video-intel-glibc-2.20.patch \
 %D%/packages/patches/xf86-video-mach64-glibc-2.20.patch \
- %D%/packages/patches/xf86-video-nv-remove-mibstore.patch \
 %D%/packages/patches/xf86-video-tga-remove-mibstore.patch \
 %D%/packages/patches/xfce4-panel-plugins.patch \
 %D%/packages/patches/xfce4-session-fix-xflock4.patch \
diff --git a/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch b/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch
deleted file mode 100644
index 48588ed0e4..0000000000
--- a/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch
+++ /dev/null
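Review bot: `mupdf/fixed` carries no comment saying why it exists or when it should be retired, and this graft is the only place that records which CVEs the two appended patches address. Both patch files on this page modify paths under `thirdparty/mujs/`, presumably the copy of mujs shipped inside the mupdf tarball, so a maintainer who later looks for the fix in a standalone mujs package would not find it there. I would add above `(define mupdf/fixed`: `;; Graft for CVE-2016-10132 and CVE-2016-10133 in the bundled mujs; fold the patches into 'mupdf' itself at the next full rebuild.`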
@@ -1,72 +0,0 @@ -Removes references to mibstore.h and miInitializeBackingStore, which -have been removed from xorg-server. Zack Rusin -wrote: "It was a noop for at least 5 years and it has been removed." -See: http://patches.openembedded.org/patch/46133/ - -diff -ru xf86-video-nv-2.1.20.orig/src/g80_driver.c xf86-video-nv-2.1.20/src/g80_driver.c ---- xf86-video-nv-2.1.20.orig/src/g80_driver.c 2012-07-17 02:47:02.000000000 -0400 -+++ xf86-video-nv-2.1.20/src/g80_driver.c 2014-12-17 10:11:42.197579082 -0500 -@@ -34,7 +34,6 @@ - #include - #endif - #include --#include - #include - #include - #include -@@ -833,7 +832,6 @@ - } - } - -- miInitializeBackingStore(pScreen); - xf86SetBackingStore(pScreen); - xf86SetSilkenMouse(pScreen); - -diff -ru xf86-video-nv-2.1.20.orig/src/nv_driver.c xf86-video-nv-2.1.20/src/nv_driver.c ---- xf86-video-nv-2.1.20.orig/src/nv_driver.c 2012-07-17 02:47:02.000000000 -0400 -+++ xf86-video-nv-2.1.20/src/nv_driver.c 2014-12-17 10:11:39.037563413 -0500 -@@ -2550,7 +2550,6 @@ - if (!pNv->NoAccel) - NVAccelInit(pScreen); - -- miInitializeBackingStore(pScreen); - xf86SetBackingStore(pScreen); - xf86SetSilkenMouse(pScreen); - -diff -ru xf86-video-nv-2.1.20.orig/src/nv_include.h xf86-video-nv-2.1.20/src/nv_include.h ---- xf86-video-nv-2.1.20.orig/src/nv_include.h 2012-07-17 02:48:19.000000000 -0400 -+++ xf86-video-nv-2.1.20/src/nv_include.h 2014-12-17 10:11:22.089479372 -0500 -@@ -24,9 +24,6 @@ - /* All drivers initialising the SW cursor need this */ - #include "mipointer.h" - --/* All drivers implementing backing store need this */ --#include "mibstore.h" -- - #include "micmap.h" - - #include "xf86DDC.h" -diff -ru xf86-video-nv-2.1.20.orig/src/riva_driver.c xf86-video-nv-2.1.20/src/riva_driver.c ---- xf86-video-nv-2.1.20.orig/src/riva_driver.c 2012-07-17 02:47:02.000000000 -0400 -+++ xf86-video-nv-2.1.20/src/riva_driver.c 2014-12-17 10:11:31.101524060 -0500 -@@ -1168,7 +1168,6 @@ - if (!pRiva->NoAccel) - RivaAccelInit(pScreen); - -- 
miInitializeBackingStore(pScreen); - xf86SetBackingStore(pScreen); - xf86SetSilkenMouse(pScreen); - -diff -ru xf86-video-nv-2.1.20.orig/src/riva_include.h xf86-video-nv-2.1.20/src/riva_include.h ---- xf86-video-nv-2.1.20.orig/src/riva_include.h 2012-07-17 02:48:45.000000000 -0400 -+++ xf86-video-nv-2.1.20/src/riva_include.h 2014-12-17 10:11:12.229430478 -0500 -@@ -22,9 +22,6 @@ - /* All drivers initialising the SW cursor need this */ - #include "mipointer.h" - --/* All drivers implementing backing store need this */ --#include "mibstore.h" -- - #include "micmap.h" - - #include "xf86DDC.h" diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm index 87bf91409c..3c8adc9e37 100644 --- a/gnu/packages/xorg.scm +++ b/gnu/packages/xorg.scm @@ -2953,7 +2953,7 @@ kernel mode setting (KMS).") (define-public xf86-video-nv (package (name "xf86-video-nv") - (version "2.1.20") + (version "2.1.21") (source (origin (method url-fetch) @@ -2963,8 +2963,7 @@ kernel mode setting (KMS).") ".tar.bz2")) (sha256 (base32 - "1gqh1khc4zalip5hh2nksgs7i3piqq18nncgmsx9qvzi05azd5c3")) - (patches (search-patches "xf86-video-nv-remove-mibstore.patch")))) + "0bdk3pc5y0n7p53q4gc2ff7bw16hy5hwdjjxkm5j3s7hdyg6960z")))) (build-system gnu-build-system) (inputs `(("xorg-server" ,xorg-server))) (native-inputs `(("pkg-config" ,pkg-config))) -- cgit 1.4.1 From a0029fda3bd6f8e5cd3b66aba583e4d863f1cac1 Mon Sep 17 00:00:00 2001 
From: Marius Bakke Date: Wed, 18 Jan 2017 18:19:49 +0100 Subject: gnu: xf86-video-glint: Update to 1.2.9. * gnu/packages/xorg.scm (xf86-video-glint): Update to 1.2.9. [source]: Remove upstreamed patch. * gnu/packages/patches/xf86-video-glint-remove-mibstore.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - .../patches/xf86-video-glint-remove-mibstore.patch | 24 ---------------------- gnu/packages/xorg.scm | 5 ++--- 3 files changed, 2 insertions(+), 28 deletions(-) delete mode 100644 gnu/packages/patches/xf86-video-glint-remove-mibstore.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index acaf3936ab..24dcd03fd4 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -943,7 +943,6 @@ dist_patch_DATA = \ %D%/packages/patches/xf86-video-ark-remove-mibstore.patch \ %D%/packages/patches/xf86-video-ast-remove-mibstore.patch \ %D%/packages/patches/xf86-video-geode-glibc-2.20.patch \ - %D%/packages/patches/xf86-video-glint-remove-mibstore.patch \ %D%/packages/patches/xf86-video-i128-remove-mibstore.patch \ %D%/packages/patches/xf86-video-intel-compat-api.patch \ %D%/packages/patches/xf86-video-intel-glibc-2.20.patch \ diff --git a/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch b/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch deleted file mode 100644 index 969ed7e41e..0000000000 --- a/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -Removes references to mibstore.h and miInitializeBackingStore, which -have been removed from xorg-server. Zack Rusin -wrote: "It was a noop for at least 5 years and it has been removed." -See: http://patches.openembedded.org/patch/46133/ - ---- xf86-video-glint-1.2.8/src/glint_driver.c.~1~ 2012-07-15 22:50:47.000000000 -0400 -+++ xf86-video-glint-1.2.8/src/glint_driver.c 2014-12-19 00:42:39.162714279 -0500 -@@ -52,8 +52,6 @@ - #include "compiler.h" - #include "mipointer.h" - --#include "mibstore.h" -- - #include "pm3_regs.h" - #include "glint_regs.h" - #include "IBM.h" -@@ -2904,7 +2902,6 @@ - } - } - -- miInitializeBackingStore(pScreen); - xf86SetBackingStore(pScreen); - xf86SetSilkenMouse(pScreen); - diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm index 3c8adc9e37..1a551084bd 100644 --- a/gnu/packages/xorg.scm +++ b/gnu/packages/xorg.scm @@ -2720,7 +2720,7 @@ compositing. Both support Xv overlay and dynamic rotation with XRandR.") (define-public xf86-video-glint (package (name "xf86-video-glint") - (version "1.2.8") + (version "1.2.9") (source (origin (method url-fetch) @@ -2730,8 +2730,7 @@ compositing. Both support Xv overlay and dynamic rotation with XRandR.") ".tar.bz2")) (sha256 (base32 - "08a2aark2yn9irws9c78d9q44dichr03i9zbk61jgr54ncxqhzv5")) - (patches (search-patches "xf86-video-glint-remove-mibstore.patch")))) + "1lkpspvrvrp9s539bhfdjfh4andaqyk63l6zjn8m3km95smk6a45")))) (build-system gnu-build-system) (inputs `(("xf86dgaproto" ,xf86dgaproto) ("xorg-server" ,xorg-server))) -- cgit 1.4.1 From 9ca19727678b4c86ed700b31c2c8c951ef170c7e Mon Sep 17 00:00:00 2001 
From: Efraim Flashner Date: Wed, 18 Jan 2017 23:21:46 +0200 Subject: gnu: qemu: Fix CVE-2017-5525, CVE-2017-5526. * gnu/packages/qemu.scm (qemu)[source]: Add patches. * gnu/packages/patches/qemu-CVE-2017-5525.patch, gnu/packages/patches/qemu-CVE-2017-5526.patch: New files. * gnu/local.mk (dist_patch_DATA): Register them. --- gnu/local.mk | 2 + gnu/packages/patches/qemu-CVE-2017-5525.patch | 55 +++++++++++++++++++++++++ gnu/packages/patches/qemu-CVE-2017-5526.patch | 58 +++++++++++++++++++++++++++ gnu/packages/qemu.scm | 6 ++- 4 files changed, 119 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/qemu-CVE-2017-5525.patch create mode 100644 gnu/packages/patches/qemu-CVE-2017-5526.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 24dcd03fd4..79031882fb 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -852,6 +852,8 @@ dist_patch_DATA = \ %D%/packages/patches/python-pycrypto-CVE-2013-7459.patch \ %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \ %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \ + %D%/packages/patches/qemu-CVE-2017-5525.patch \ + %D%/packages/patches/qemu-CVE-2017-5526.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/quickswitch-fix-dmenu-check.patch \ %D%/packages/patches/rapicorn-isnan.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2017-5525.patch b/gnu/packages/patches/qemu-CVE-2017-5525.patch new file mode 100644 index 0000000000..d0c0c82a4a --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-5525.patch 
@@ -0,0 +1,55 @@
+From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Wed, 14 Dec 2016 18:30:21 -0800
+Subject: [PATCH] audio: ac97: add exit function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=12351a91da97b414eec8cdb09f1d9f41e535a401
+this patch is from qemu-git
+
+Currently the ac97 device emulation doesn't have a exit function,
+hot unplug this device will leak some memory. Add a exit function to
+avoid this.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Marc-André Lureau
+Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
+Signed-off-by: Gerd Hoffmann
+---
+ hw/audio/ac97.c | 11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
+index cbd959e..c306575 100644
+--- a/hw/audio/ac97.c
++++ b/hw/audio/ac97.c
+@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
+ ac97_on_reset (&s->dev.qdev);
+ }
+
++static void ac97_exit(PCIDevice *dev)
++{
++ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
++
++ AUD_close_in(&s->card, s->voice_pi);
++ AUD_close_out(&s->card, s->voice_po);
++ AUD_close_in(&s->card, s->voice_mc);
++ AUD_remove_card(&s->card);
++}
++
+ static int ac97_init (PCIBus *bus)
+ {
+ pci_create_simple (bus, -1, "AC97");
+@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
+ PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
+
+ k->realize = ac97_realize;
++ k->exit = ac97_exit;
+ k->vendor_id = PCI_VENDOR_ID_INTEL;
+ k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
+ k->revision = 0x01;
+--
+1.7.0.4
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5526.patch b/gnu/packages/patches/qemu-CVE-2017-5526.patch
new file mode 100644
index 0000000000..5a6d796458
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5526.patch
@@ -0,0 +1,58 @@
+From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Wed, 14 Dec 2016 18:32:22 -0800
+Subject: [PATCH] audio: es1370: add exit function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da
+this patch is from qemu-git.
+
+Currently the es1370 device emulation doesn't have a exit function,
+hot unplug this device will leak some memory. Add a exit function to
+avoid this.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Marc-André Lureau
+Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
+Signed-off-by: Gerd Hoffmann
+---
+ hw/audio/es1370.c | 14 ++++++++++++++
+ 1 files changed, 14 insertions(+), 0 deletions(-)
+
+diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
+index 8449b5f..883ec69 100644
+--- a/hw/audio/es1370.c
++++ b/hw/audio/es1370.c
+@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
+ es1370_reset (s);
+ }
+
++static void es1370_exit(PCIDevice *dev)
++{
++ ES1370State *s = ES1370(dev);
++ int i;
++
++ for (i = 0; i < 2; ++i) {
++ AUD_close_out(&s->card, s->dac_voice[i]);
++ }
++
++ AUD_close_in(&s->card, s->adc_voice);
++ AUD_remove_card(&s->card);
++}
++
+ static int es1370_init (PCIBus *bus)
+ {
+ pci_create_simple (bus, -1, TYPE_ES1370);
+@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
+ PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
+
+ k->realize = es1370_realize;
++ k->exit = es1370_exit;
+ k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
+ k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
+ k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
+--
+1.7.0.4
+
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index 61c15ae9d3..693864f7d8 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès
 ;;; Copyright © 2015, 2016, 2017 Mark H Weaver
-;;; Copyright © 2016 Efraim Flashner
+;;; Copyright © 2016, 2017 Efraim Flashner
 ;;; Copyright © 2016 Ricardo Wurmus
 ;;;
 ;;; This file is part of GNU Guix.
@@ -76,7 +76,9 @@
 version ".tar.bz2"))
 (sha256
 (base32
- "0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs"))))
+ "0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs"))
+ (patches (search-patches "qemu-CVE-2017-5525.patch"
+ "qemu-CVE-2017-5526.patch"))))
 (build-system gnu-build-system)
 (arguments
 '(;; Running tests in parallel can occasionally lead to failures, like:
-- cgit 1.4.1
From 89e34644d94860fafc053b759961ba8b55a6c77c Mon Sep 17 00:00:00 2001
From: Ludovic Courtès Date: Wed, 18 Jan 2017 09:57:43 +0100 Subject: gnu: Move Kerberos implemetations to (gnu packages kerberos). * gnu/packages/mit-krb5.scm: Remove. * gnu/packages/shishi.scm: Remove. * gnu/packages/kerberos.scm: New file, from the concatenation of these two. * gnu/local.mk (GNU_SYSTEM_MODULES): Adjust accordingly. * gnu/packages/admin.scm, gnu/packages/cyrus-sasl.scm, gnu/packages/gnome.scm, gnu/packages/gnuzilla.scm, gnu/packages/gsasl.scm, gnu/packages/java.scm, gnu/packages/networking.scm, gnu/packages/nfs.scm, gnu/packages/onc-rpc.scm, gnu/packages/ssh.scm, gnu/packages/web.scm: Adjust accordingly. --- gnu/local.mk | 5 +- gnu/packages/admin.scm | 4 +- gnu/packages/cyrus-sasl.scm | 4 +- gnu/packages/gnome.scm | 4 +- gnu/packages/gnuzilla.scm | 4 +- gnu/packages/gsasl.scm | 2 +- gnu/packages/java.scm | 2 +- gnu/packages/kerberos.scm | 131 ++++++++++++++++++++++++++++++++++++++++++++ gnu/packages/mit-krb5.scm | 86 ----------------------------- gnu/packages/networking.scm | 4 +- gnu/packages/nfs.scm | 2 +- gnu/packages/onc-rpc.scm | 4 +- gnu/packages/shishi.scm | 70 ----------------------- gnu/packages/ssh.scm | 4 +- gnu/packages/web.scm | 4 +- 15 files changed, 152 insertions(+), 178 deletions(-) create mode 100644 gnu/packages/kerberos.scm delete mode 100644 gnu/packages/mit-krb5.scm delete mode 100644 gnu/packages/shishi.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 79031882fb..217d31712d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1,5 +1,5 @@ # GNU Guix --- Functional package management for GNU -# Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès +# Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès # Copyright © 2013, 2014, 2015, 2016 Andreas Enge # Copyright © 2016 Mathieu Lirzin # Copyright © 2013, 2014, 2015, 2016 Mark H Weaver 
@@ -199,6 +199,7 @@ GNU_SYSTEM_MODULES = \ %D%/packages/julia.scm \ %D%/packages/kde.scm \ %D%/packages/kde-frameworks.scm \ + %D%/packages/kerberos.scm \ %D%/packages/key-mon.scm \ %D%/packages/kodi.scm \ %D%/packages/language.scm \ @@ -252,7 +253,6 @@ GNU_SYSTEM_MODULES = \ %D%/packages/mingw.scm \ %D%/packages/mg.scm \ %D%/packages/microcom.scm \ - %D%/packages/mit-krb5.scm \ %D%/packages/moe.scm \ %D%/packages/monitoring.scm \ %D%/packages/mono.scm \ @@ -339,7 +339,6 @@ GNU_SYSTEM_MODULES = \ %D%/packages/serveez.scm \ %D%/packages/shells.scm \ %D%/packages/shellutils.scm \ - %D%/packages/shishi.scm \ %D%/packages/skarnet.scm \ %D%/packages/skribilo.scm \ %D%/packages/slang.scm \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index def9a6fbf3..b4695dc1e7 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès +;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès ;;; Copyright © 2013 Cyril Roelandt ;;; Copyright © 2014, 2015, 2016 Mark H Weaver ;;; Copyright © 2014, 2015, 2016 Eric Bavier @@ -75,7 +75,7 @@ #:use-module (gnu packages man) #:use-module (gnu packages autotools) #:use-module (gnu packages gnome) - #:use-module (gnu packages mit-krb5) + #:use-module (gnu packages kerberos) #:use-module (gnu packages gtk)) (define-public aide diff --git a/gnu/packages/cyrus-sasl.scm b/gnu/packages/cyrus-sasl.scm index 89a4a49797..62bd718ab9 100644 --- a/gnu/packages/cyrus-sasl.scm +++ b/gnu/packages/cyrus-sasl.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013, 2014, 2015 Ludovic Courtès +;;; Copyright © 2013, 2014, 2015, 2017 Ludovic Courtès ;;; Copyright © 2013 Andreas Enge ;;; Copyright © 2016 Leo Famulari ;;; 
@@ -21,7 +21,7 @@ (define-module (gnu packages cyrus-sasl) #:use-module (gnu packages) #:use-module (gnu packages databases) - #:use-module (gnu packages mit-krb5) + #:use-module (gnu packages kerberos) #:use-module (gnu packages tls) #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index e279ef7ed6..f6f7aae696 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2015 Andreas Enge -;;; Copyright © 2014, 2015, 2016 Ludovic Courtès +;;; Copyright © 2014, 2015, 2016, 2017 Ludovic Courtès ;;; Copyright © 2014 Ian Denhardt ;;; Copyright © 2014, 2016 Eric Bavier ;;; Copyright © 2014, 2015 Federico Beffa @@ -110,7 +110,7 @@ #:use-module (gnu packages xdisorg) #:use-module (gnu packages freedesktop) #:use-module (gnu packages mail) - #:use-module (gnu packages mit-krb5) + #:use-module (gnu packages kerberos) #:use-module (gnu packages multiprecision) #:use-module (gnu packages backup) #:use-module (gnu packages nettle) diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index e5388b42a3..678dc4e27f 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2015 Andreas Enge -;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès +;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès ;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver ;;; Copyright © 2015 Sou Bunnbu ;;; Copyright © 2016 Efraim Flashner @@ -36,7 +36,7 @@ #:use-module (gnu packages gnome) #:use-module (gnu packages libcanberra) #:use-module (gnu packages cups) - #:use-module (gnu packages mit-krb5) + #:use-module (gnu packages kerberos) #:use-module (gnu packages linux) #:use-module (gnu packages perl) #:use-module (gnu packages pkg-config) 
diff --git a/gnu/packages/gsasl.scm b/gnu/packages/gsasl.scm index ce39aed655..4c8f818f91 100644 --- a/gnu/packages/gsasl.scm +++ b/gnu/packages/gsasl.scm @@ -21,7 +21,7 @@ #:use-module (gnu packages compression) #:use-module (gnu packages libidn) #:use-module (gnu packages nettle) - #:use-module (gnu packages shishi) + #:use-module (gnu packages kerberos) #:use-module (gnu packages tls) #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm index 3a08fd83a8..d7df4f6bad 100644 --- a/gnu/packages/java.scm +++ b/gnu/packages/java.scm @@ -47,7 +47,7 @@ #:use-module (gnu packages wget) #:use-module (gnu packages pkg-config) #:use-module (gnu packages perl) - #:use-module (gnu packages mit-krb5) + #:use-module (gnu packages kerberos) #:use-module (gnu packages xml) #:use-module (gnu packages xorg) #:use-module (gnu packages zip) diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm new file mode 100644 index 0000000000..3178784f92 --- /dev/null +++ b/gnu/packages/kerberos.scm 
@@ -0,0 +1,131 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2012, 2013 Andreas Enge +;;; Copyright © 2014, 2015, 2016 Mark H Weaver +;;; Copyright © 2016 Leo Famulari +;;; Copyright © 2016 Efraim Flashner +;;; Copyright © 2012, 2013 Nikita Karetnikov +;;; Copyright © 2012 Ludovic Courtès +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu packages kerberos) + #:use-module (gnu packages) + #:use-module (gnu packages bison) + #:use-module (gnu packages perl) + #:use-module (gnu packages gnupg) + #:use-module (gnu packages libidn) + #:use-module (gnu packages linux) + #:use-module (gnu packages pkg-config) + #:use-module (gnu packages compression) + #:use-module (gnu packages tls) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix packages) + #:use-module (guix download) + #:use-module (guix utils) + #:use-module (guix build-system gnu)) + +(define-public mit-krb5 + (package + (name "mit-krb5") + (version "1.14.3") + (source (origin + (method url-fetch) + (uri (string-append "http://web.mit.edu/kerberos/dist/krb5/" + (version-major+minor version) + "/krb5-" version ".tar.gz")) + (sha256 + (base32 + "1jgjiyh1sp72lkxvk437lz5hzcibvw99jc4ihzfz03fg43aj0ind")))) + (build-system gnu-build-system) + (native-inputs + `(("bison" ,bison) + ("perl" ,perl))) + (arguments + `(;; Work around "No rule 
to make target '../../include/gssapi/gssapi.h', + ;; needed by 'authgss_prot.so'." + #:parallel-build? #f + + ;; Likewise with tests. + #:parallel-tests? #f + + ;; XXX: On 32-bit systems, 'kdb5_util' hangs on an fcntl/F_SETLKW call + ;; while running the tests in 'src/tests'. + #:tests? ,(string=? (%current-system) "x86_64-linux") + + #:phases + (modify-phases %standard-phases + (add-after 'unpack 'enter-source-directory + (lambda _ + (chdir "src") + #t)) + (add-before 'check 'pre-check + (lambda* (#:key inputs #:allow-other-keys) + (let ((perl (assoc-ref inputs "perl"))) + (substitute* "plugins/kdb/db2/libdb2/test/run.test" + (("/bin/cat") (string-append perl "/bin/perl")) + (("D/bin/sh") (string-append "D" (which "bash"))) + (("bindir=/bin/.") (string-append "bindir=" perl "/bin")))) + + ;; avoid service names since /etc/services is unavailable + (substitute* "tests/resolve/Makefile" + (("-p telnet") "-p 23")) + #t))))) + (synopsis "MIT Kerberos 5") + (description + "Massachusetts Institute of Technology implementation of Kerberos. 
+Kerberos is a network authentication protocol designed to provide strong +authentication for client/server applications by using secret-key +cryptography.") + (license (license:non-copyleft "file://NOTICE" + "See NOTICE in the distribution.")) + (home-page "http://web.mit.edu/kerberos/"))) + +(define-public shishi + (package + (name "shishi") + (version "1.0.2") + (source + (origin + (method url-fetch) + (uri (string-append "mirror://gnu/shishi/shishi-" + version ".tar.gz")) + (sha256 + (base32 + "032qf72cpjdfffq1yq54gz3ahgqf2ijca4vl31sfabmjzq9q370d")))) + (build-system gnu-build-system) + (native-inputs `(("pkg-config" ,pkg-config))) + (inputs + `(("gnutls" ,gnutls) + ("libidn" ,libidn) + ("linux-pam" ,linux-pam-1.2) + ("zlib" ,zlib) + ;; libgcrypt 1.6 fails because of the following test: + ;; #include + ;; /* GCRY_MODULE_ID_USER was added in 1.4.4 and gc-libgcrypt.c + ;; will fail on startup if we don't have 1.4.4 or later, so + ;; test for it early. */ + ;; #if !defined GCRY_MODULE_ID_USER + ;; error too old libgcrypt + ;; #endif + ("libgcrypt" ,libgcrypt-1.5) + ("libtasn1" ,libtasn1))) + (home-page "http://www.gnu.org/software/shishi/") + (synopsis "Implementation of the Kerberos 5 network security system") + (description + "GNU Shishi is a free implementation of the Kerberos 5 network security +system. It is used to allow non-secure network nodes to communicate in a +secure manner through client-server mutual authentication via tickets.") + (license license:gpl3+))) diff --git a/gnu/packages/mit-krb5.scm b/gnu/packages/mit-krb5.scm deleted file mode 100644 index 3299c7b5c4..0000000000 --- a/gnu/packages/mit-krb5.scm +++ /dev/null 
@@ -1,86 +0,0 @@ -;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012, 2013 Andreas Enge -;;; Copyright © 2015, 2016 Mark H Weaver -;;; Copyright © 2016 Leo Famulari -;;; Copyright © 2016 Efraim Flashner -;;; -;;; This file is part of GNU Guix. -;;; -;;; GNU Guix is free software; you can redistribute it and/or modify it -;;; under the terms of the GNU General Public License as published by -;;; the Free Software Foundation; either version 3 of the License, or (at -;;; your option) any later version. -;;; -;;; GNU Guix is distributed in the hope that it will be useful, but -;;; WITHOUT ANY WARRANTY; without even the implied warranty of -;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;;; GNU General Public License for more details. -;;; -;;; You should have received a copy of the GNU General Public License -;;; along with GNU Guix. If not, see . - -(define-module (gnu packages mit-krb5) - #:use-module (gnu packages) - #:use-module (gnu packages bison) - #:use-module (gnu packages perl) - #:use-module (guix licenses) - #:use-module (guix packages) - #:use-module (guix download) - #:use-module (guix utils) - #:use-module (guix build-system gnu)) - -(define-public mit-krb5 - (package - (name "mit-krb5") - (version "1.14.3") - (source (origin - (method url-fetch) - (uri (string-append "http://web.mit.edu/kerberos/dist/krb5/" - (version-major+minor version) - "/krb5-" version ".tar.gz")) - (sha256 - (base32 - "1jgjiyh1sp72lkxvk437lz5hzcibvw99jc4ihzfz03fg43aj0ind")))) - (build-system gnu-build-system) - (native-inputs - `(("bison" ,bison) - ("perl" ,perl))) - (arguments - `(;; Work around "No rule to make target '../../include/gssapi/gssapi.h', - ;; needed by 'authgss_prot.so'." - #:parallel-build? #f - - ;; Likewise with tests. - #:parallel-tests? #f - - ;; XXX: On 32-bit systems, 'kdb5_util' hangs on an fcntl/F_SETLKW call - ;; while running the tests in 'src/tests'. - #:tests? ,(string=? 
(%current-system) "x86_64-linux") - - #:phases - (modify-phases %standard-phases - (add-after 'unpack 'enter-source-directory - (lambda _ - (chdir "src") - #t)) - (add-before 'check 'pre-check - (lambda* (#:key inputs #:allow-other-keys) - (let ((perl (assoc-ref inputs "perl"))) - (substitute* "plugins/kdb/db2/libdb2/test/run.test" - (("/bin/cat") (string-append perl "/bin/perl")) - (("D/bin/sh") (string-append "D" (which "bash"))) - (("bindir=/bin/.") (string-append "bindir=" perl "/bin")))) - - ;; avoid service names since /etc/services is unavailable - (substitute* "tests/resolve/Makefile" - (("-p telnet") "-p 23")) - #t))))) - (synopsis "MIT Kerberos 5") - (description - "Massachusetts Institute of Technology implementation of Kerberos. -Kerberos is a network authentication protocol designed to provide strong -authentication for client/server applications by using secret-key -cryptography.") - (license (non-copyleft "file://NOTICE" - "See NOTICE in the distribution.")) - (home-page "http://web.mit.edu/kerberos/"))) diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm index 982ae0a655..87ee0a1d8e 100644 --- a/gnu/packages/networking.scm +++ b/gnu/packages/networking.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2014 Ludovic Courtès +;;; Copyright © 2014, 2017 Ludovic Courtès ;;; Copyright © 2015, 2016 Ricardo Wurmus ;;; Copyright © 2015 Mark H Weaver ;;; Copyright © 2015, 2016 Stefan Reichör @@ -53,7 +53,7 @@ #:use-module (gnu packages libidn) #:use-module (gnu packages linux) #:use-module (gnu packages lua) - #:use-module (gnu packages mit-krb5) + #:use-module (gnu packages kerberos) #:use-module (gnu packages ncurses) #:use-module (gnu packages pcre) #:use-module (gnu packages perl) diff --git a/gnu/packages/nfs.scm b/gnu/packages/nfs.scm index 650a2af0d6..f18fe6cb51 100644 --- a/gnu/packages/nfs.scm +++ b/gnu/packages/nfs.scm 
@@ -22,7 +22,7 @@ #:use-module (gnu packages databases) #:use-module (gnu packages gsasl) #:use-module (gnu packages libevent) - #:use-module (gnu packages mit-krb5) + #:use-module (gnu packages kerberos) #:use-module (gnu packages onc-rpc) #:use-module (gnu packages pkg-config) #:use-module (guix build-system cmake) diff --git a/gnu/packages/onc-rpc.scm b/gnu/packages/onc-rpc.scm index 5353846ece..5f67823a40 100644 --- a/gnu/packages/onc-rpc.scm +++ b/gnu/packages/onc-rpc.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2014 Ludovic Courtès +;;; Copyright © 2014, 2017 Ludovic Courtès ;;; Copyright © 2016 John Darrington ;;; ;;; This file is part of GNU Guix. @@ -21,7 +21,7 @@ #:use-module (guix licenses) #:use-module (guix packages) #:use-module (guix download) - #:use-module (gnu packages mit-krb5) + #:use-module (gnu packages kerberos) #:use-module (gnu packages pkg-config) #:use-module (guix build-system gnu)) diff --git a/gnu/packages/shishi.scm b/gnu/packages/shishi.scm deleted file mode 100644 index 7e02843d38..0000000000 --- a/gnu/packages/shishi.scm +++ /dev/null 
@@ -1,70 +0,0 @@ -;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012, 2013 Nikita Karetnikov -;;; Copyright © 2012 Ludovic Courtès -;;; Copyright © 2014 Mark H Weaver -;;; Copyright © 2016 Efraim Flashner -;;; -;;; This file is part of GNU Guix. -;;; -;;; GNU Guix is free software; you can redistribute it and/or modify it -;;; under the terms of the GNU General Public License as published by -;;; the Free Software Foundation; either version 3 of the License, or (at -;;; your option) any later version. -;;; -;;; GNU Guix is distributed in the hope that it will be useful, but -;;; WITHOUT ANY WARRANTY; without even the implied warranty of -;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;;; GNU General Public License for more details. -;;; -;;; You should have received a copy of the GNU General Public License -;;; along with GNU Guix. If not, see . - -(define-module (gnu packages shishi) - #:use-module ((guix licenses) #:select (gpl3+)) - #:use-module (gnu packages) - #:use-module (gnu packages gnupg) - #:use-module (gnu packages libidn) - #:use-module (gnu packages linux) - #:use-module (gnu packages pkg-config) - #:use-module (gnu packages compression) - #:use-module (gnu packages tls) - #:use-module (guix packages) - #:use-module (guix download) - #:use-module (guix build-system gnu)) - -(define-public shishi - (package - (name "shishi") - (version "1.0.2") - (source - (origin - (method url-fetch) - (uri (string-append "mirror://gnu/shishi/shishi-" - version ".tar.gz")) - (sha256 - (base32 - "032qf72cpjdfffq1yq54gz3ahgqf2ijca4vl31sfabmjzq9q370d")))) - (build-system gnu-build-system) - (native-inputs `(("pkg-config" ,pkg-config))) - (inputs - `(("gnutls" ,gnutls) - ("libidn" ,libidn) - ("linux-pam" ,linux-pam-1.2) - ("zlib" ,zlib) - ;; libgcrypt 1.6 fails because of the following test: - ;; #include - ;; /* GCRY_MODULE_ID_USER was added in 1.4.4 and gc-libgcrypt.c - ;; will fail on startup if we don't have 1.4.4 or later, 
so - ;; test for it early. */ - ;; #if !defined GCRY_MODULE_ID_USER - ;; error too old libgcrypt - ;; #endif - ("libgcrypt" ,libgcrypt-1.5) - ("libtasn1" ,libtasn1))) - (home-page "http://www.gnu.org/software/shishi/") - (synopsis "Implementation of the Kerberos 5 network security system") - (description - "GNU Shishi is a free implementation of the Kerberos 5 network security -system. It is used to allow non-secure network nodes to communicate in a -secure manner through client-server mutual authentication via tickets.") - (license gpl3+))) diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 0fe6598bb2..9d1d9cc0a9 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès +;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès ;;; Copyright © 2013, 2014 Andreas Enge ;;; Copyright © 2014, 2015, 2016 Mark H Weaver ;;; Copyright © 2015, 2016 Efraim Flashner @@ -38,7 +38,7 @@ #:use-module (gnu packages multiprecision) #:use-module (gnu packages ncurses) #:use-module (gnu packages nettle) - #:use-module (gnu packages mit-krb5) + #:use-module (gnu packages kerberos) #:use-module (gnu packages perl) #:use-module (gnu packages pkg-config) #:autoload (gnu packages protobuf) (protobuf) diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index b94c6c0c83..c62acbd5b3 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -1,7 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2015 Andreas Enge ;;; Copyright © 2013 Aljosha Papsch -;;; Copyright © 2014, 2015, 2016 Ludovic Courtès +;;; Copyright © 2014, 2015, 2016, 2017 Ludovic Courtès ;;; Copyright © 2014, 2015, 2016 Mark H Weaver ;;; Copyright © 2015, 2016 Ricardo Wurmus ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer 
@@ -58,7 +58,7 @@ #:use-module (gnu packages databases) #:use-module (gnu packages bison) #:use-module (gnu packages flex) - #:use-module (gnu packages mit-krb5) + #:use-module (gnu packages kerberos) #:use-module (gnu packages gd) #:use-module (gnu packages gettext) #:use-module (gnu packages glib) -- cgit 1.4.1 From 11f3885bb59cbdeec08a929996b4fc39b1746a3e Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Thu, 19 Jan 2017 14:43:24 +0100 Subject: tests: Add 'nginx-service-type' test. * gnu/tests/web.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. --- gnu/local.mk | 3 +- gnu/tests/web.scm | 146 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 148 insertions(+), 1 deletion(-) create mode 100644 gnu/tests/web.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 217d31712d..2da8b82db9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -457,7 +457,8 @@ GNU_SYSTEM_MODULES = \ %D%/tests/nfs.scm \ %D%/tests/install.scm \ %D%/tests/mail.scm \ - %D%/tests/ssh.scm + %D%/tests/ssh.scm \ + %D%/tests/web.scm patchdir = $(guilemoduledir)/%D%/packages/patches diff --git a/gnu/tests/web.scm b/gnu/tests/web.scm new file mode 100644 index 0000000000..bae0e8fad7 --- /dev/null +++ b/gnu/tests/web.scm 
@@ -0,0 +1,146 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2017 Ludovic Courtès +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu tests web) + #:use-module (gnu tests) + #:use-module (gnu system) + #:use-module (gnu system grub) + #:use-module (gnu system file-systems) + #:use-module (gnu system shadow) + #:use-module (gnu system vm) + #:use-module (gnu services) + #:use-module (gnu services base) + #:use-module (gnu services web) + #:use-module (gnu services networking) + #:use-module (guix gexp) + #:use-module (guix store) + #:use-module (guix monads) + #:export (%test-nginx)) + +(define %index.html-contents + ;; Contents of the /index.html file served by nginx. + "Hello, nginx!") + +(define %make-http-root + ;; Create our server root in /srv. + #~(begin + (mkdir "/srv") + (call-with-output-file "/srv/index.html" + (lambda (port) + (display #$%index.html-contents port))))) + +(define %nginx-servers + ;; Server blocks. + (list (nginx-server-configuration + (root "/srv") + (http-port 8042) + (https-port #f) + (ssl-certificate #f) + (ssl-certificate-key #f)))) + +(define %nginx-os + ;; Operating system under test. 
+ (operating-system + (host-name "komputilo") + (timezone "Europe/Berlin") + (locale "en_US.utf8") + + (bootloader (grub-configuration (device "/dev/sdX"))) + (file-systems %base-file-systems) + (firmware '()) + (users %base-user-accounts) + (services (cons* (dhcp-client-service) + (service nginx-service-type + (nginx-configuration + (log-directory "/var/log/nginx") + (server-blocks %nginx-servers))) + (simple-service 'make-http-root activation-service-type + %make-http-root) + %base-services)))) + +(define* (run-nginx-test #:optional (http-port 8042)) + "Run tests in %NGINX-OS, which has nginx running and listening on +HTTP-PORT." + (mlet* %store-monad ((os -> (marionette-operating-system + %nginx-os + #:imported-modules '((gnu services herd) + (guix combinators)))) + (command (system-qemu-image/shared-store-script + os #:graphic? #f))) + (define test + (with-imported-modules '((gnu build marionette)) + #~(begin + (use-modules (srfi srfi-11) (srfi srfi-64) + (gnu build marionette) + (web uri) + (web client) + (web response)) + + (define marionette + ;; Forward the guest's HTTP-PORT, where nginx is listening, to + ;; port 8080 in the host. + (make-marionette (list #$command "-net" + (string-append + "user,hostfwd=tcp::8080-:" + #$(number->string http-port))))) + + (mkdir #$output) + (chdir #$output) + + (test-begin "nginx") + + ;; Wait for nginx to be up and running. + (test-eq "service running" + 'running! + (marionette-eval + '(begin + (use-modules (gnu services herd)) + (start-service 'nginx) + 'running!) + marionette)) + + ;; Make sure the PID file is created. + (test-assert "PID file" + (marionette-eval + '(file-exists? "/var/run/nginx/pid") + marionette)) + + ;; Retrieve the index.html file we put in /srv. + (test-equal "http-get" + '(200 #$%index.html-contents) + (let-values (((response text) + (http-get "http://localhost:8080/index.html" + #:decode-body? #t))) + (list (response-code response) text))) + + ;; There should be a log file in here. 
+ (test-assert "log file" + (marionette-eval + '(file-exists? "/var/log/nginx/access.log") + marionette)) + + (test-end) + (exit (= (test-runner-fail-count (test-runner-current)) 0))))) + + (gexp->derivation "nginx-test" test))) + +(define %test-nginx + (system-test + (name "nginx") + (description "Connect to a running NGINX server.") + (value (run-nginx-test)))) -- cgit 1.4.1 From cacf4e9db0b656759d0cac0badcd90897c7f50db Mon Sep 17 00:00:00 2001 From: José Miguel Sánchez García Date: Fri, 20 Jan 2017 11:59:15 +0100 Subject: gnu: Add compton. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/compton.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add compton.scm Signed-off-by: Ludovic Courtès --- gnu/local.mk | 1 + gnu/packages/compton.scm | 106 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) create mode 100644 gnu/packages/compton.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 2da8b82db9..c2e7d49fb9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -78,6 +78,7 @@ GNU_SYSTEM_MODULES = \ %D%/packages/code.scm \ %D%/packages/commencement.scm \ %D%/packages/compression.scm \ + %D%/packages/compton.scm \ %D%/packages/conkeror.scm \ %D%/packages/conky.scm \ %D%/packages/connman.scm \ diff --git a/gnu/packages/compton.scm b/gnu/packages/compton.scm new file mode 100644 index 0000000000..a0a644db7b --- /dev/null +++ b/gnu/packages/compton.scm 
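Review bot: The port forward `"user,hostfwd=tcp::8080-:"` in `make-marionette` leaves the host address empty, so QEMU binds host port 8080 on every interface and the guest's nginx is reachable from the network for as long as the test runs, even though the test only ever talks to `http://localhost:8080/index.html`. Restricting it to loopback, `"user,hostfwd=tcp:127.0.0.1:8080-:"`, keeps the test VM off the wire. A fixed host port also means two concurrent runs of this test (or any other test reusing 8080) collide on bind; if the harness cannot pick a free port, at least note the constraint in the comment above `make-marionette`, e.g. `;; NOTE: host port 8080 is fixed; runs of this test must not overlap.`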
@@ -0,0 +1,106 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2017 José Miguel Sánchez García +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu packages compton) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix packages) + #:use-module (guix download) + #:use-module (guix build-system gnu) + #:use-module (gnu packages docbook) + #:use-module (gnu packages documentation) + #:use-module (gnu packages gl) + #:use-module (gnu packages glib) + #:use-module (gnu packages pkg-config) + #:use-module (gnu packages python) + #:use-module (gnu packages textutils) + #:use-module (gnu packages xdisorg) + #:use-module (gnu packages xml) + #:use-module (gnu packages xorg)) + +(define-public compton + (let ((upstream-version "0.1_beta2")) + (package + (name "compton") + (version (string-filter (char-set-complement (char-set #\_)) + upstream-version)) + (source (origin + (method url-fetch) + (uri (string-append + "https://github.com/chjj/" name "/archive/v" + upstream-version ".tar.gz")) + (sha256 + (base32 + "02dhlqqcwnmlf2dxg7rd4lapgqahgndzixdkbpxicq9jawmdb73v")) + (file-name (string-append name "-" version "-checkout")))) + (build-system gnu-build-system) + (inputs + `(("dbus" ,dbus) + ("docbook-xml" ,docbook-xml) + ("libconfig" ,libconfig) + ("libx11" ,libx11) + ("libxcomposite" ,libxcomposite) 
+ ("libxdamage" ,libxdamage) + ("libxext" ,libxext) + ("libxfixes" ,libxfixes) + ("libxinerama" ,libxinerama) + ("libxml2" ,libxml2) + ("libxrandr" ,libxrandr) + ("libxrender" ,libxrender) + ("libxslt" ,libxslt) + ("mesa" ,mesa) + ("xprop" ,xprop) + ("xwininfo" ,xwininfo))) + (native-inputs + `(("asciidoc" ,asciidoc) + ("libdrm" ,libdrm) + ("pkg-config" ,pkg-config) + ("python" ,python) + ("xproto" ,xproto))) + (arguments + `(#:make-flags (list + "CC=gcc" + "NO_REGEX_PCRE=1" ; pcre makes build fail + (string-append "PREFIX=" (assoc-ref %outputs "out"))) + #:tests? #f ; no tests + #:phases + (modify-phases %standard-phases + (delete 'configure)))) + (home-page "https://github.com/chjj/compton") + (synopsis "Compositor for X11") + (description + "Compton is a compositor for the Xorg display server and a for of +xcompmgr-dana, which implements some changes like: + +@itemize +@item OpenGL backend (@command{--backend glx}), in addition to the old X Render +backend. +@item Inactive window transparency (@command{-i}) and dimming +(@command{--inactive-dim}). +@item Menu transparency (@command{-m}, thanks to Dana). +@item Shadows are now enabled for argb windows, e.g terminals with transparency +@item Removed serverside shadows (and simple compositing) to clean the code, +the only option that remains is clientside shadows. +@item Configuration files (see the man page for more details). +@item Colored shadows (@command{--shadow-[red/green/blue]}). +@item A new fade system. +@item VSync support (not always working). +@item Blur of background of transparent windows, window color inversion (bad in +performance). +@item Some more options... +@end itemize\n") + (license license:expat)))) -- cgit 1.4.1 From 8ba237a280cf4a16e6ae41e9ba5d42cab852f1b4 Mon Sep 17 00:00:00 2001 
From: Efraim Flashner Date: Sun, 22 Jan 2017 13:40:44 +0200 Subject: gnu: qemu: Patch CVE-2016-10155, CVE-2017-5552. * gnu/packages/qemu.scm (qemu)[source]: Add patches. * gnu/packages/patches/qemu-CVE-2016-10155.patch, gnu/packages/patches/qemu-CVE-2017-5552.patch: New files. * gnu/local.mk (dist_patch_DATA): Register them. --- gnu/local.mk | 2 ++ gnu/packages/patches/qemu-CVE-2016-10155.patch | 49 ++++++++++++++++++++++++++ gnu/packages/patches/qemu-CVE-2017-5552.patch | 44 +++++++++++++++++++++++ gnu/packages/qemu.scm | 6 ++-- 4 files changed, 99 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/qemu-CVE-2016-10155.patch create mode 100644 gnu/packages/patches/qemu-CVE-2017-5552.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index c2e7d49fb9..d321824ece 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -853,8 +853,10 @@ dist_patch_DATA = \ %D%/packages/patches/python-pycrypto-CVE-2013-7459.patch \ %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \ %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \ + %D%/packages/patches/qemu-CVE-2016-10155.patch \ %D%/packages/patches/qemu-CVE-2017-5525.patch \ %D%/packages/patches/qemu-CVE-2017-5526.patch \ + %D%/packages/patches/qemu-CVE-2017-5552.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/quickswitch-fix-dmenu-check.patch \ %D%/packages/patches/rapicorn-isnan.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2016-10155.patch b/gnu/packages/patches/qemu-CVE-2016-10155.patch new file mode 100644 index 0000000000..825edaa815 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2016-10155.patch 
@@ -0,0 +1,49 @@
+From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Mon, 28 Nov 2016 17:49:04 -0800
+Subject: [PATCH] watchdog: 6300esb: add exit function
+
+When the Intel 6300ESB watchdog is hot unplug. The timer allocated
+in realize isn't freed thus leaking memory leak. This patch avoid
+this through adding the exit function.
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=eb7a20a3616085d46aa6b4b4224e15587ec67e6e
+this patch is from qemu-git.
+
+Signed-off-by: Li Qiang
+Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
+Signed-off-by: Paolo Bonzini
+---
+ hw/watchdog/wdt_i6300esb.c | 9 +++++++++
+ 1 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
+index a83d951..49b3cd1 100644
+--- a/hw/watchdog/wdt_i6300esb.c
++++ b/hw/watchdog/wdt_i6300esb.c
+@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
+ /* qemu_register_coalesced_mmio (addr, 0x10); ? */
+ }
+
++static void i6300esb_exit(PCIDevice *dev)
++{
++ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
++
++ timer_del(d->timer);
++ timer_free(d->timer);
++}
++
+ static WatchdogTimerModel model = {
+ .wdt_name = "i6300esb",
+ .wdt_description = "Intel 6300ESB",
+@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
+ k->config_read = i6300esb_config_read;
+ k->config_write = i6300esb_config_write;
+ k->realize = i6300esb_realize;
++ k->exit = i6300esb_exit;
+ k->vendor_id = PCI_VENDOR_ID_INTEL;
+ k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
+ k->class_id = PCI_CLASS_SYSTEM_OTHER;
+--
+1.7.0.4
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5552.patch b/gnu/packages/patches/qemu-CVE-2017-5552.patch
new file mode 100644
index 0000000000..50911f4f36
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5552.patch
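Review bot: The Guix preamble added to this patch (`http://git.qemu.org/?p=qemu.git;a=patch;h=eb7a20a...` and `this patch is from qemu-git.`) never names CVE-2016-10155 or the impact, so the file name is the only thing tying the patch to the advisory. A first line such as `Fix CVE-2016-10155 (memory leak on hot-unplug of the i6300esb watchdog):` followed by the upstream URL would make the file self-describing, the way the libtiff patch later in this series opens with the CVE and a one-line summary. On the C side the new `i6300esb_exit` only deletes and frees `d->timer`; whether any other allocation made in `i6300esb_realize` (outside the hunk) needs releasing on unplug cannot be judged from here, so a note that the exit handler is intentionally limited to the timer would help the next person who bumps this patch.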
@@ -0,0 +1,44 @@
+From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Thu, 29 Dec 2016 03:11:26 -0500
+Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+If the virgl_renderer_resource_attach_iov function fails the
+'res_iovs' will be leaked. Add check of the return value to
+free the 'res_iovs' when failing.
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=33243031dad02d161225ba99d782616da133f689
+this patch is from qemu-git.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Marc-André Lureau
+Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
+Signed-off-by: Gerd Hoffmann
+---
+ hw/display/virtio-gpu-3d.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index e29f099..b13ced3 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
+ return;
+ }
+
+- virgl_renderer_resource_attach_iov(att_rb.resource_id,
+- res_iovs, att_rb.nr_entries);
++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
++ res_iovs, att_rb.nr_entries);
++
++ if (ret != 0)
++ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
+ }
+
+ static void virgl_resource_detach_backing(VirtIOGPU *g,
+--
+1.7.0.4
+
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index 693864f7d8..1c10ab9aee 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
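Review bot: On the new failure branch `if (ret != 0) virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);` the leaked mapping is released but nothing records that the ATTACH_BACKING command failed, so the guest is presumably told the attach succeeded while no backing is attached; the earlier `return;` in the hunk's context suggests the enclosing function reports failures through the command's error field, and if so the branch should also set `cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;` (or whichever code the surrounding checks use). The `ret` variable and the function's signature are outside the hunk, so the assumption that `ret` is an `int` already declared there should be confirmed when this patch is refreshed. Bracing the single-statement `if` would also follow the file's style seen in the surrounding context.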
@@ -77,8 +77,10 @@ (sha256 (base32 "0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs")) - (patches (search-patches "qemu-CVE-2017-5525.patch" - "qemu-CVE-2017-5526.patch")))) + (patches (search-patches "qemu-CVE-2016-10155.patch" + "qemu-CVE-2017-5525.patch" + "qemu-CVE-2017-5526.patch" + "qemu-CVE-2017-5552.patch")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, like: -- cgit 1.4.1 From 62cf8fa7cd2126cce5f1ac37feeb3ca75db6f6bf Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Mon, 23 Jan 2017 02:06:40 -0500 Subject: gnu: libtiff: Fix CVE-2017-5225. * gnu/packages/patches/libtiff-CVE-2017-5225.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/image.scm (libtiff/fixed)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/image.scm | 3 +- gnu/packages/patches/libtiff-CVE-2017-5225.patch | 86 ++++++++++++++++++++++++ 3 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libtiff-CVE-2017-5225.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index d321824ece..3d8e462d63 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -689,6 +689,7 @@ dist_patch_DATA = \ %D%/packages/patches/libtiff-CVE-2016-10092.patch \ %D%/packages/patches/libtiff-CVE-2016-10093.patch \ %D%/packages/patches/libtiff-CVE-2016-10094.patch \ + %D%/packages/patches/libtiff-CVE-2017-5225.patch \ %D%/packages/patches/libtiff-assertion-failure.patch \ %D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch \ %D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index a9bbf192cc..637819947c 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm 
@@ -312,7 +312,8 @@ collection of tools for doing simple manipulations of TIFF images.") "libtiff-CVE-2016-10093.patch" "libtiff-divide-by-zero-tiffcp.patch" "libtiff-assertion-failure.patch" - "libtiff-CVE-2016-10094.patch")))))) + "libtiff-CVE-2016-10094.patch" + "libtiff-CVE-2017-5225.patch")))))) (define-public libwmf (package diff --git a/gnu/packages/patches/libtiff-CVE-2017-5225.patch b/gnu/packages/patches/libtiff-CVE-2017-5225.patch new file mode 100644 index 0000000000..3158b49360 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-5225.patch 
@@ -0,0 +1,86 @@ +Fix CVE-2017-5225 (Heap based buffer overflow in tools/tiffcp): + +http://bugzilla.maptools.org/show_bug.cgi?id=2656 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225 +https://security-tracker.debian.org/tracker/CVE-2017-5225 + +2017-01-11 Even Rouault + + * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and + cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based +overflow. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and + http://bugzilla.maptools.org/show_bug.cgi?id=2657 + + +less C/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1210; previous revision: 1.1209 +/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c +new revision: 1.61; previous revision: 1.60 + +Index: libtiff/tools/tiffcp.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v +retrieving revision 1.60 +retrieving revision 1.61 +diff -u -r1.60 -r1.61 +--- libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60 ++++ libtiff/tools/tiffcp.c 11 Jan 2017 19:26:14 -0000 1.61 +#@@ -1,4 +1,4 @@ +#-/* $Id: tiffcp.c,v 1.60 2016-12-03 16:50:02 erouault Exp $ */ +#+/* $Id: tiffcp.c,v 1.61 2017-01-11 19:26:14 erouault Exp $ */ +# +# /* +# * Copyright (c) 1988-1997 Sam Leffler +@@ -591,7 +591,7 @@ + static int + tiffcp(TIFF* in, TIFF* out) + { +- uint16 bitspersample, samplesperpixel = 1; ++ uint16 bitspersample = 1, samplesperpixel = 1; + uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; + copyFunc cf; + uint32 width, length; +@@ -1067,6 +1067,16 @@ + register uint32 n; + uint32 row; + tsample_t s; ++ uint16 bps = 0; ++ ++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps != 8 ) ++ { ++ TIFFError(TIFFFileName(in), ++ "Error, can only handle BitsPerSample=8 in %s", ++ "cpContig2SeparateByRow"); ++ return 0; ++ } + + inbuf = _TIFFmalloc(scanlinesizein); + outbuf = _TIFFmalloc(scanlinesizeout); +@@ -1120,6 
+1130,16 @@ + register uint32 n; + uint32 row; + tsample_t s; ++ uint16 bps = 0; ++ ++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps != 8 ) ++ { ++ TIFFError(TIFFFileName(in), ++ "Error, can only handle BitsPerSample=8 in %s", ++ "cpSeparate2ContigByRow"); ++ return 0; ++ } + + inbuf = _TIFFmalloc(scanlinesizein); + outbuf = _TIFFmalloc(scanlinesizeout); +@@ -1784,7 +1804,7 @@ + uint32 w, l, tw, tl; + int bychunk; + +- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv); ++ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv); + if (shortv != config && bitspersample != 8 && samplesperpixel > 1) { + fprintf(stderr, + "%s: Cannot handle different planar configuration w/ bits/sample != 8\n", -- cgit 1.4.1 From 2903ee1ea51fffa4e62d18d9f6807c8956fc4c8d Mon Sep 17 00:00:00 2001 From: Thomas Danckaert Date: Mon, 23 Jan 2017 19:21:52 +0100 Subject: gnu: duplicity: Update to 0.7.11. * gnu/packages/backup.scm (duplicity): Update to 0.7.11. [source]: Remove patches. [inputs]: Add lftp, update gnupg, remove python-2, make python2-lockfile a propagated input, make python2-mock a native-input. [propagated-inputs]: Add python2-lockfile, python2-urllib3. [native-inputs]: Add python2-pexpect, python2-mock. [arguments]: Add build phase to embed gnupg store name. * gnu/packages/patches/duplicity-piped-password.patch: Delete it. * gnu/packages/patches/duplicity-test_selection-tmp.patch: Delete it. * gnu/local.mk (dist_patch_DATA): Remove patches. Signed-off-by: Marius Bakke --- gnu/local.mk | 2 -- gnu/packages/backup.scm | 28 ++++++++++++++-------- .../patches/duplicity-piped-password.patch | 20 ---------------- .../patches/duplicity-test_selection-tmp.patch | 18 -------------- 4 files changed, 18 insertions(+), 50 deletions(-) delete mode 100644 gnu/packages/patches/duplicity-piped-password.patch delete mode 100644 gnu/packages/patches/duplicity-test_selection-tmp.patch (limited to 'gnu/local.mk') 
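Review bot: The two new `bps != 8` guards in `cpContig2SeparateByRow` and `cpSeparate2ContigByRow` carry no explanation of why 8 is the only acceptable depth; the per-sample copy loop that follows `_TIFFmalloc(scanlinesizein)` (outside the hunk) is what assumes one byte per sample, and a comment such as `/* The copy loop below moves one byte per sample; any other depth over-reads/over-writes the scanline buffers. */` above each `TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps)` would tell the next reader why the error is a hard stop rather than a conversion. Initialising `bps = 0` before the ignored `(void) TIFFGetField(...)` is what makes a missing tag fall into the error branch; that is correct but worth a short note, since a reader may otherwise "fix" it to `TIFFGetFieldDefaulted` (which the last hunk uses for PLANARCONFIG) and silently accept the default of 1. The `bitspersample = 1` initialiser added in `tiffcp()` is the same defensive pattern and could use the same one-line comment. Both helper functions start and end outside the hunk.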
diff --git a/gnu/local.mk b/gnu/local.mk index 3d8e462d63..0026e85a31 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -528,8 +528,6 @@ dist_patch_DATA = \ %D%/packages/patches/doc++-include-directives.patch \ %D%/packages/patches/doc++-segfault-fix.patch \ %D%/packages/patches/doxygen-test.patch \ - %D%/packages/patches/duplicity-piped-password.patch \ - %D%/packages/patches/duplicity-test_selection-tmp.patch \ %D%/packages/patches/elfutils-tests-ptrace.patch \ %D%/packages/patches/elixir-disable-failing-tests.patch \ %D%/packages/patches/einstein-build.patch \ diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm index 8cfe470ec6..8dbe32ebdd 100644 --- a/gnu/packages/backup.scm +++ b/gnu/packages/backup.scm @@ -34,6 +34,7 @@ #:use-module (gnu packages compression) #:use-module (gnu packages databases) #:use-module (gnu packages dejagnu) + #:use-module (gnu packages ftp) #:use-module (gnu packages glib) #:use-module (gnu packages gnupg) #:use-module (gnu packages gperf) @@ -52,7 +53,7 @@ (define-public duplicity (package (name "duplicity") - (version "0.6.26") + (version "0.7.11") (source (origin (method url-fetch) 
@@ -62,18 +63,19 @@ version ".tar.gz")) (sha256 (base32 - "0jh79syhr8n3l81jxlwsmwm1pklb4d923m2lgqbswyavh1fqmvwb")) - (patches (search-patches "duplicity-piped-password.patch" - "duplicity-test_selection-tmp.patch")))) + "01zcq9cwn4pvj68rihgjvcdgccnxvz4jrba38sbv6nqz19cs2ixh")))) (build-system python-build-system) (native-inputs - `(("util-linux" ,util-linux))) ;setsid command, for the tests + `(("util-linux" ,util-linux) ;setsid command, for the tests + ("python-pexpect" ,python2-pexpect) + ("mock" ,python2-mock))) + (propagated-inputs + `(("lockfile" ,python2-lockfile) + ("urllib3" ,python2-urllib3))) (inputs - `(("python" ,python-2) - ("librsync" ,librsync) - ("mock" ,python2-mock) ;for testing - ("lockfile" ,python2-lockfile) - ("gnupg" ,gnupg-1) ;gpg executable needed + `(("librsync" ,librsync) + ("lftp" ,lftp) + ("gnupg" ,gnupg) ;gpg executable needed ("util-linux" ,util-linux) ;for setsid ("tzdata" ,tzdata))) (arguments @@ -81,6 +83,12 @@ #:test-target "test" #:phases (modify-phases %standard-phases + (add-before + 'build 'patch-source ; embed gpg store name + (lambda* (#:key inputs #:allow-other-keys) + (substitute* "duplicity/gpginterface.py" + (("self.call = 'gpg'") + (string-append "self.call = '" (assoc-ref inputs "gnupg") "/bin/gpg'"))))) (add-before 'check 'check-setup (lambda* (#:key inputs #:allow-other-keys) (substitute* "testing/functional/__init__.py" diff --git a/gnu/packages/patches/duplicity-piped-password.patch b/gnu/packages/patches/duplicity-piped-password.patch deleted file mode 100644 index db50f5df32..0000000000 --- a/gnu/packages/patches/duplicity-piped-password.patch +++ /dev/null 
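Review bot: The new `patch-source` phase ends on the `substitute*` form, whose return value is unspecified, so the phase does not reliably signal success the way the other phases in this series do (the krb5 `pre-check` phase earlier in the file ends with `#t))`); add `#t` after the `substitute*` call so the build system treats the phase as succeeded. Hard-wiring `(assoc-ref inputs "gnupg")` into `self.call` is a good change, since it stops duplicity from resolving `gpg` through `PATH` at run time, but the phase should run only if the literal `self.call = 'gpg'` is actually present — a version bump that renames it would otherwise pass silently; a comment noting which source line it targets would help. Switching the input from `gnupg-1` to `gnupg` (2.x) changes the key-handling and pinentry behaviour users see; the commit message mentions the bump, but a one-line comment next to `("gnupg" ,gnupg)` saying the 0.7 series requires it would save the next reader a bisect.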
@@ -1,20 +0,0 @@
-This test, on three occasions, is failing with the error:
-
- EOF: End Of File (EOF) in read_nonblocking(). Braindead platform.
-
---- duplicity-0.6.24/testing/functional/test_final.py 2014-09-28 13:14:52.146001614 -0500
-+++ duplicity-0.6.24/testing/functional/test_final.py 2014-09-28 13:13:20.333546342 -0500
-@@ -156,13 +156,6 @@
- self.run_duplicity(options=["remove-older-than", "50000", "--force", self.backend_url])
- self.assertEqual(self.get_backend_files(), second_chain)
-
-- def test_piped_password(self):
-- """Make sure that prompting for a password works"""
-- self.set_environ("PASSPHRASE", None)
-- self.backup("full", "testfiles/empty_dir",
-- passphrase_input=[self.sign_passphrase, self.sign_passphrase])
-- self.restore(passphrase_input=[self.sign_passphrase])
--
-
- class OldFilenamesFinalTest(FinalTest):
-
diff --git a/gnu/packages/patches/duplicity-test_selection-tmp.patch b/gnu/packages/patches/duplicity-test_selection-tmp.patch
deleted file mode 100644
index 8f66be4dcc..0000000000
--- a/gnu/packages/patches/duplicity-test_selection-tmp.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Reported upstream at https://bugs.launchpad.net/duplicity/+bug/1375019
-
---- duplicity-0.6.24/testing/unit/test_selection.py 2014-05-09 08:27:40.000000000 -0500
-+++ duplicity-0.6.24/testing/unit/test_selection.py 2014-09-28 12:28:53.932324380 -0500
-@@ -431,10 +431,10 @@
- [(), ('1',), ('1', '1'), ('1', '2'), ('1', '3')])
-
- self.root = Path("/")
-- self.ParseTest([("--exclude", "/home/*"),
-- ("--include", "/home"),
-+ self.ParseTest([("--exclude", "/tmp/*"),
-+ ("--include", "/tmp"),
- ("--exclude", "/")],
-- [(), ("home",)])
-+ [(), ("tmp",)])
-
- if __name__ == "__main__":
- unittest.main()
-- cgit 1.4.1
From 84b60a7cdfca1421a478894e279104a0c18a7c6d Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Mon, 23 Jan 2017 01:31:24 -0500
Subject: gnu: lcms: Fix an out-of-bounds read.
* gnu/packages/patches/lcms-fix-out-of-bounds-read.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/ghostscript.scm (lcms)[replacement]: New field.
[properties]: Specify the 'cpe-name'.
(lcms/fixed): New variable.
---
 gnu/local.mk | 1 +
 gnu/packages/ghostscript.scm | 9 ++++++
 .../patches/lcms-fix-out-of-bounds-read.patch | 34 ++++++++++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 gnu/packages/patches/lcms-fix-out-of-bounds-read.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 0026e85a31..26933d4a28 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -655,6 +655,7 @@ dist_patch_DATA = \
 %D%/packages/patches/kobodeluxe-midicon-segmentation-fault.patch \
 %D%/packages/patches/kobodeluxe-graphics-window-signed-char.patch \
 %D%/packages/patches/laby-make-install.patch \
+ %D%/packages/patches/lcms-fix-out-of-bounds-read.patch \
 %D%/packages/patches/ldc-disable-tests.patch \
 %D%/packages/patches/liba52-enable-pic.patch \
 %D%/packages/patches/liba52-link-with-libm.patch \
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 46b8c51299..a00448a8c6 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -39,6 +39,7 @@
 (define-public lcms
 (package
 (name "lcms")
+ (replacement lcms/fixed)
 (version "2.6")
 (source (origin
 (method url-fetch)
@@ -58,6 +59,14 @@ Consortium standard (ICC), approved as ISO 15076-1.")
 (license license:x11)
 (home-page "http://www.littlecms.com/")))
 
+(define lcms/fixed
+ (package
+ (inherit lcms)
+ (source
+ (origin
+ (inherit (package-source lcms))
+ (patches (search-patches "lcms-fix-out-of-bounds-read.patch"))))))
+
 (define-public libpaper
 (package
 (name "libpaper")
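Review bot: The commit message says `[properties]: Specify the 'cpe-name'`, but neither ghostscript.scm hunk adds a `properties` field, and the 9-line diffstat for that file is fully consumed by `(replacement lcms/fixed)` plus the eight lines of `lcms/fixed`, so the CPE mapping appears to have been left out of the commit. That matters for the security tooling this change exists to serve: the CVE linter matches on the package name, and "lcms" presumably does not match the CPE product under which Little CMS advisories are filed, so later lcms CVEs would go unflagged. I would add to the `lcms` package, next to the new `replacement` field, `(properties '((cpe-name . "little_cms_color_engine")))`, after verifying the product string against the NVD CPE dictionary. The `lcms` package definition continues outside the hunk.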
diff --git a/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch b/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch
new file mode 100644
index 0000000000..d9f7ac6a36
--- /dev/null
+++ b/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch
@@ -0,0 +1,34 @@
+Fix an out-of-bounds heap read in Type_MLU_Read():
+
+http://seclists.org/oss-sec/2016/q3/288
+https://bugzilla.redhat.com/show_bug.cgi?id=1367357
+
+Patch copied from upstream source repository:
+
+https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2
+
+From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001
+From: Marti
+Date: Mon, 15 Aug 2016 23:31:39 +0200
+Subject: [PATCH] Added an extra check to MLU bounds
+
+Thanks to Ibrahim el-sayed for spotting the bug
+---
+ src/cmstypes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cmstypes.c b/src/cmstypes.c
+index cb61860..c7328b9 100644
+--- a/src/cmstypes.c
++++ b/src/cmstypes.c
+@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
+ 
+ // Check for overflow
+ if (Offset < (SizeOfHeader + 8)) goto Error;
++ if ((Offset + Len) > SizeOfTag + 8) goto Error;
+ 
+ // True begin of the string
+ BeginOfThisString = Offset - SizeOfHeader - 8;
+-- 
+2.11.0
+
-- cgit 1.4.1
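Review bot: The added bound check `if ((Offset + Len) > SizeOfTag + 8) goto Error;` forms the sum in the operands' own width, so if `Offset` and `Len` are 32-bit unsigned (their declarations sit above the hunk, in the part of `Type_MLU_Read` not shown) a crafted profile whose `Offset + Len` wraps past 2^32 passes the check with a small sum and the read that follows is still out of bounds. The overflow-safe form compares without forming the sum: `if (Len > SizeOfTag + 8 || Offset > SizeOfTag + 8 - Len) goto Error;`. The earlier lower-bound check `Offset < SizeOfHeader + 8` is unaffected by this. The body of `Type_MLU_Read` begins and ends outside the hunk, so I could not confirm whether `Len` is validated elsewhere; that is worth checking before relying on this single check.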