From f55aa0c7b72c6e4f08f77aa84e196895182860e7 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 9 Mar 2018 20:06:39 -0500 Subject: gnu: zsh: Fix CVE-2018-{7548,7549}. * gnu/packages/patches/zsh-CVE-2018-7548.patch, gnu/packages/patches/zsh-CVE-2018-7549.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/shells.scm (zsh)[source]: Use them. --- gnu/local.mk | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index d90d8a318d..fbf7b2a7c7 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1181,7 +1181,9 @@ dist_patch_DATA = \ %D%/packages/patches/xinetd-CVE-2013-4342.patch \ %D%/packages/patches/xmodmap-asprintf.patch \ %D%/packages/patches/libyaml-CVE-2014-9130.patch \ - %D%/packages/patches/zathura-plugindir-environment-variable.patch + %D%/packages/patches/zathura-plugindir-environment-variable.patch \ + %D%/packages/patches/zsh-CVE-2018-7548.patch \ + %D%/packages/patches/zsh-CVE-2018-7549.patch MISC_DISTRO_FILES = \ %D%/packages/ld-wrapper.in -- cgit 1.4.1 From 594bd3a08aeac24cf4939a4f06f2551ff8f61167 Mon Sep 17 00:00:00 2001 From: Gábor Boskovits Date: Sat, 10 Mar 2018 11:45:36 +0100 Subject: gnu: java-jeromq: Fix tests. * gnu/packages/patches/java-jeromq-fix-tests.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/java.scm (java-jeromq)[source](patches): Add it. [arguments](#test-exclude): Disable more failing tests. --- gnu/local.mk | 1 + gnu/packages/java.scm | 11 +- gnu/packages/patches/java-jeromq-fix-tests.patch | 253 +++++++++++++++++++++++ 3 files changed, 263 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/java-jeromq-fix-tests.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index fbf7b2a7c7..5c95cdae21 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -785,6 +785,7 @@ dist_patch_DATA = \ %D%/packages/patches/intltool-perl-compatibility.patch \ %D%/packages/patches/isl-0.11.1-aarch64-support.patch \ %D%/packages/patches/jacal-fix-texinfo.patch \ + %D%/packages/patches/java-jeromq-fix-tests.patch \ %D%/packages/patches/java-powermock-fix-java-files.patch \ %D%/packages/patches/java-xerces-bootclasspath.patch \ %D%/packages/patches/java-xerces-build_dont_unzip.patch \ diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm index 43a3a62889..bdfd3fd41b 100644 --- a/gnu/packages/java.scm +++ b/gnu/packages/java.scm @@ -8578,7 +8578,8 @@ protocol-independent framework to build mail and messaging applications.") (file-name (string-append name "-" version "-checkout")) (sha256 (base32 - "1gxkp7lv2ahymgrqdw94ncq54bmp4m4sw5m1x9gkp7l5bxn0xsyj")))) + "1gxkp7lv2ahymgrqdw94ncq54bmp4m4sw5m1x9gkp7l5bxn0xsyj")) + (patches (search-patches "java-jeromq-fix-tests.patch")))) (build-system ant-build-system) (arguments `(#:jar-name "java-jeromq.jar" @@ -8592,7 +8593,13 @@ protocol-independent framework to build mail and messaging applications.") ;; Failures "**/DealerSpecTest.java" "**/CustomDecoderTest.java" - "**/CustomEncoderTest.java"))) + "**/CustomEncoderTest.java" + "**/ConnectRidTest.java" + "**/ReqSpecTest.java" + "**/PushPullSpecTest.java" + "**/PubSubHwmTest.java" + "**/RouterSpecTest.java" + "**/ProxyTest.java"))) (inputs `(("java-jnacl" ,java-jnacl))) (native-inputs diff --git a/gnu/packages/patches/java-jeromq-fix-tests.patch b/gnu/packages/patches/java-jeromq-fix-tests.patch new file mode 100644 index 0000000000..5466b92707 --- /dev/null +++ b/gnu/packages/patches/java-jeromq-fix-tests.patch @@ -0,0 +1,253 @@ +From 5803aadd3f209eba1ffbb2cf7bf16778019dbee1 Mon Sep 17 00:00:00 2001 +From: fredoboulo +Date: Fri, 23 Feb 2018 23:55:57 +0100 +Subject: [PATCH] Fix #524 : V1 and V2 protocol downgrades handle received data + in handshake buffer + +This patch is upstream pull request, see: +https://gihub.com/zeromq/jeromq/pull/527. + +It is merged on commit c2afa9c, and we can drop it on the +0.4.4 release. + +--- + src/main/java/zmq/io/StreamEngine.java | 21 ++++++++++-- + src/test/java/zmq/io/AbstractProtocolVersion.java | 41 +++++++++++++---------- + src/test/java/zmq/io/V0ProtocolTest.java | 12 +++++++ + src/test/java/zmq/io/V1ProtocolTest.java | 16 +++++++-- + src/test/java/zmq/io/V2ProtocolTest.java | 16 +++++++-- + 5 files changed, 81 insertions(+), 25 deletions(-) + +diff --git a/src/main/java/zmq/io/StreamEngine.java b/src/main/java/zmq/io/StreamEngine.java +index b8933c92..fe2f2d8d 100644 +--- a/src/main/java/zmq/io/StreamEngine.java ++++ b/src/main/java/zmq/io/StreamEngine.java +@@ -816,9 +816,7 @@ private boolean handshake() + assert (bufferSize == headerSize); + + // Make sure the decoder sees the data we have already received. +- greetingRecv.flip(); +- inpos = greetingRecv; +- insize = greetingRecv.limit(); ++ decodeDataAfterHandshake(0); + + // To allow for interoperability with peers that do not forward + // their subscriptions, we inject a phantom subscription message +@@ -846,6 +844,8 @@ else if (greetingRecv.get(revisionPos) == Protocol.V1.revision) { + } + encoder = new V1Encoder(errno, Config.OUT_BATCH_SIZE.getValue()); + decoder = new V1Decoder(errno, Config.IN_BATCH_SIZE.getValue(), options.maxMsgSize, options.allocator); ++ ++ decodeDataAfterHandshake(V2_GREETING_SIZE); + } + else if (greetingRecv.get(revisionPos) == Protocol.V2.revision) { + // ZMTP/2.0 framing. +@@ -859,6 +859,8 @@ else if (greetingRecv.get(revisionPos) == Protocol.V2.revision) { + } + encoder = new V2Encoder(errno, Config.OUT_BATCH_SIZE.getValue()); + decoder = new V2Decoder(errno, Config.IN_BATCH_SIZE.getValue(), options.maxMsgSize, options.allocator); ++ ++ decodeDataAfterHandshake(V2_GREETING_SIZE); + } + else { + zmtpVersion = Protocol.V3; +@@ -904,6 +906,19 @@ else if (greetingRecv.get(revisionPos) == Protocol.V2.revision) { + return true; + } + ++ private void decodeDataAfterHandshake(int greetingSize) ++ { ++ final int pos = greetingRecv.position(); ++ if (pos > greetingSize) { ++ // data is present after handshake ++ greetingRecv.position(greetingSize).limit(pos); ++ ++ // Make sure the decoder sees this extra data. ++ inpos = greetingRecv; ++ insize = greetingRecv.remaining(); ++ } ++ } ++ + private Msg identityMsg() + { + Msg msg = new Msg(options.identitySize); +diff --git a/src/test/java/zmq/io/AbstractProtocolVersion.java b/src/test/java/zmq/io/AbstractProtocolVersion.java +index e60db403..aa06b4a7 100644 +--- a/src/test/java/zmq/io/AbstractProtocolVersion.java ++++ b/src/test/java/zmq/io/AbstractProtocolVersion.java +@@ -18,15 +18,18 @@ + import zmq.SocketBase; + import zmq.ZError; + import zmq.ZMQ; ++import zmq.ZMQ.Event; + import zmq.util.Utils; + + public abstract class AbstractProtocolVersion + { ++ protected static final int REPETITIONS = 1000; ++ + static class SocketMonitor extends Thread + { +- private final Ctx ctx; +- private final String monitorAddr; +- private final List events = new ArrayList<>(); ++ private final Ctx ctx; ++ private final String monitorAddr; ++ private final ZMQ.Event[] events = new ZMQ.Event[1]; + + public SocketMonitor(Ctx ctx, String monitorAddr) + { +@@ -41,15 +44,15 @@ public void run() + boolean rc = s.connect(monitorAddr); + assertThat(rc, is(true)); + // Only some of the exceptional events could fire +- while (true) { +- ZMQ.Event event = ZMQ.Event.read(s); +- if (event == null && s.errno() == ZError.ETERM) { +- break; +- } +- assertThat(event, notNullValue()); +- +- events.add(event); ++ ++ ZMQ.Event event = ZMQ.Event.read(s); ++ if (event == null && s.errno() == ZError.ETERM) { ++ s.close(); ++ return; + } ++ assertThat(event, notNullValue()); ++ ++ events[0] = event; + s.close(); + } + } +@@ -69,11 +72,12 @@ public void run() + boolean rc = ZMQ.setSocketOption(receiver, ZMQ.ZMQ_LINGER, 0); + assertThat(rc, is(true)); + +- SocketMonitor monitor = new SocketMonitor(ctx, "inproc://monitor"); +- monitor.start(); + rc = ZMQ.monitorSocket(receiver, "inproc://monitor", ZMQ.ZMQ_EVENT_HANDSHAKE_PROTOCOL); + assertThat(rc, is(true)); + ++ SocketMonitor monitor = new SocketMonitor(ctx, "inproc://monitor"); ++ monitor.start(); ++ + rc = ZMQ.bind(receiver, host); + assertThat(rc, is(true)); + +@@ -81,17 +85,18 @@ public void run() + OutputStream out = sender.getOutputStream(); + for (ByteBuffer raw : raws) { + out.write(raw.array()); +- ZMQ.msleep(100); + } + + Msg msg = ZMQ.recv(receiver, 0); + assertThat(msg, notNullValue()); + assertThat(new String(msg.data(), ZMQ.CHARSET), is(payload)); + +- ZMQ.msleep(500); +- assertThat(monitor.events.size(), is(1)); +- assertThat(monitor.events.get(0).event, is(ZMQ.ZMQ_EVENT_HANDSHAKE_PROTOCOL)); +- assertThat((Integer) monitor.events.get(0).arg, is(version)); ++ monitor.join(); ++ ++ final Event event = monitor.events[0]; ++ assertThat(event, notNullValue()); ++ assertThat(event.event, is(ZMQ.ZMQ_EVENT_HANDSHAKE_PROTOCOL)); ++ assertThat((Integer) event.arg, is(version)); + + InputStream in = sender.getInputStream(); + byte[] data = new byte[255]; +diff --git a/src/test/java/zmq/io/V0ProtocolTest.java b/src/test/java/zmq/io/V0ProtocolTest.java +index bd547d23..1a5b7aef 100644 +--- a/src/test/java/zmq/io/V0ProtocolTest.java ++++ b/src/test/java/zmq/io/V0ProtocolTest.java +@@ -10,6 +10,18 @@ + + public class V0ProtocolTest extends AbstractProtocolVersion + { ++ @Test ++ public void testFixIssue524() throws IOException, InterruptedException ++ { ++ for (int idx = 0; idx < REPETITIONS; ++idx) { ++ if (idx % 100 == 0) { ++ System.out.print(idx + " "); ++ } ++ testProtocolVersion0short(); ++ } ++ System.out.println(); ++ } ++ + @Test(timeout = 2000) + public void testProtocolVersion0short() throws IOException, InterruptedException + { +diff --git a/src/test/java/zmq/io/V1ProtocolTest.java b/src/test/java/zmq/io/V1ProtocolTest.java +index e1045f34..764159d0 100644 +--- a/src/test/java/zmq/io/V1ProtocolTest.java ++++ b/src/test/java/zmq/io/V1ProtocolTest.java +@@ -10,7 +10,19 @@ + + public class V1ProtocolTest extends AbstractProtocolVersion + { +- @Test(timeout = 2000) ++ @Test ++ public void testFixIssue524() throws IOException, InterruptedException ++ { ++ for (int idx = 0; idx < REPETITIONS; ++idx) { ++ if (idx % 100 == 0) { ++ System.out.print(idx + " "); ++ } ++ testProtocolVersion1short(); ++ } ++ System.out.println(); ++ } ++ ++ @Test + public void testProtocolVersion1short() throws IOException, InterruptedException + { + List raws = raws(0); +@@ -25,7 +37,7 @@ public void testProtocolVersion1short() throws IOException, InterruptedException + assertProtocolVersion(1, raws, "abcdefg"); + } + +- @Test(timeout = 2000) ++ @Test + public void testProtocolVersion1long() throws IOException, InterruptedException + { + List raws = raws(0); +diff --git a/src/test/java/zmq/io/V2ProtocolTest.java b/src/test/java/zmq/io/V2ProtocolTest.java +index d5e64bce..7fda31bc 100644 +--- a/src/test/java/zmq/io/V2ProtocolTest.java ++++ b/src/test/java/zmq/io/V2ProtocolTest.java +@@ -21,7 +21,19 @@ protected ByteBuffer identity() + .put((byte) 0); + } + +- @Test(timeout = 2000) ++ @Test ++ public void testFixIssue524() throws IOException, InterruptedException ++ { ++ for (int idx = 0; idx < REPETITIONS; ++idx) { ++ if (idx % 100 == 0) { ++ System.out.print(idx + " "); ++ } ++ testProtocolVersion2short(); ++ } ++ System.out.println(); ++ } ++ ++ @Test + public void testProtocolVersion2short() throws IOException, InterruptedException + { + List raws = raws(1); +@@ -38,7 +50,7 @@ public void testProtocolVersion2short() throws IOException, InterruptedException + assertProtocolVersion(2, raws, "abcdefg"); + } + +- @Test(timeout = 2000) ++ @Test + public void testProtocolVersion2long() throws IOException, InterruptedException + { + List raws = raws(1); -- cgit 1.4.1 From 5400fdfd5d3c2201ee3ea8ec0d55690c221a91d8 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Mon, 12 Mar 2018 18:08:04 +0100 Subject: gnu: lrzip: Fix CVE-2017-8842. * gnu/packages/compression.scm (lrzip)[source]: Add patch. * gnu/packages/patches/lrzip-CVE-2017-8842.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/compression.scm | 3 ++- gnu/packages/patches/lrzip-CVE-2017-8842.patch | 23 +++++++++++++++++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/lrzip-CVE-2017-8842.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 5c95cdae21..97d5e00c2b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -885,6 +885,7 @@ dist_patch_DATA = \ %D%/packages/patches/llvm-3.5-fix-clang-build-with-gcc5.patch \ %D%/packages/patches/llvm-for-extempore.patch \ %D%/packages/patches/lm-sensors-hwmon-attrs.patch \ + %D%/packages/patches/lrzip-CVE-2017-8842.patch \ %D%/packages/patches/lua-CVE-2014-5461.patch \ %D%/packages/patches/lua-pkgconfig.patch \ %D%/packages/patches/lua51-liblua-so.patch \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index d44ae2d259..86efe2a40e 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -1017,7 +1017,8 @@ human-readable output.") "http://ck.kolivas.org/apps/lrzip/lrzip-" version ".tar.bz2")) (sha256 (base32 - "0mb449vmmwpkalq732jdyginvql57nxyd31sszb108yps1lf448d")))) + "0mb449vmmwpkalq732jdyginvql57nxyd31sszb108yps1lf448d")) + (patches (search-patches "lrzip-CVE-2017-8842.patch")))) (build-system gnu-build-system) (native-inputs `(;; nasm is only required when building for 32-bit x86 platforms diff --git a/gnu/packages/patches/lrzip-CVE-2017-8842.patch b/gnu/packages/patches/lrzip-CVE-2017-8842.patch new file mode 100644 index 0000000000..89b4f2f5d9 --- /dev/null +++ b/gnu/packages/patches/lrzip-CVE-2017-8842.patch @@ -0,0 +1,23 @@ +From 38386bd482c0a8102a79958cb3eddcb97a167ca3 Mon Sep 17 00:00:00 2001 +From: Con Kolivas +Date: Fri, 9 Mar 2018 17:39:40 +1100 +Subject: [PATCH] CVE-2017-8842 Fix divide-by-zero in bufRead::get + +--- + libzpaq/libzpaq.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libzpaq/libzpaq.h b/libzpaq/libzpaq.h +index 93387da..cbe211d 100644 +--- a/libzpaq/libzpaq.h ++++ b/libzpaq/libzpaq.h +@@ -465,7 +465,8 @@ struct bufRead: public libzpaq::Reader { + + int get() { + if (progress && !(*s_len % 128)) { +- int pct = (total_len - *s_len) * 100 / total_len; ++ int pct = (total_len > 0) ? ++ (total_len - *s_len) * 100 / total_len : 100; + + if (pct / 10 != *last_pct / 10) { + int i; -- cgit 1.4.1 From 8e1cd1a2c53a2944012d5b2c1670e7203cdf91b6 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Mon, 5 Mar 2018 11:08:32 +0200 Subject: gnu: Add debian-archive-keyring. * gnu/packages/debian.scm (debian-archive-keyring): New variable. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. --- gnu/local.mk | 1 + gnu/packages/debian.scm | 62 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 gnu/packages/debian.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 97d5e00c2b..5a3ae502f2 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -120,6 +120,7 @@ GNU_SYSTEM_MODULES = \ %D%/packages/datastructures.scm \ %D%/packages/dav.scm \ %D%/packages/dc.scm \ + %D%/packages/debian.scm \ %D%/packages/debug.scm \ %D%/packages/dejagnu.scm \ %D%/packages/dico.scm \ diff --git a/gnu/packages/debian.scm b/gnu/packages/debian.scm new file mode 100644 index 0000000000..70131ff451 --- /dev/null +++ b/gnu/packages/debian.scm @@ -0,0 +1,62 @@ +;;; Copyright © 2018 Efraim Flashner +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu packages debian) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix download) + #:use-module (guix packages) + #:use-module (guix build-system gnu) + #:use-module (gnu packages gnupg)) + +(define-public debian-archive-keyring + (package + (name "debian-archive-keyring") + (version "2017.7") + (source + (origin + (method url-fetch) + (uri (string-append "mirror://debian/pool/main/d/" name "/" + name "_" version ".tar.xz")) + (sha256 + (base32 + "1pdwgipfi0y4svhxlw8arhq792f1g3vlmw4raphizy7sa65vd4ca")))) + (build-system gnu-build-system) + (arguments + '(#:test-target "verify-results" + #:parallel-build? #f ; has race conditions + #:phases + (modify-phases %standard-phases + (delete 'configure) ; no configure script + (replace 'install + (lambda* (#:key outputs #:allow-other-keys) + (let* ((out (assoc-ref outputs "out")) + (apt (string-append out "/etc/apt/trusted.gpg.d/")) + (key (string-append out "/share/keyrings/"))) + (install-file "keyrings/debian-archive-keyring.gpg" key) + (install-file "keyrings/debian-archive-removed-keys.gpg" key) + (for-each (lambda (file) + (install-file file apt)) + (find-files "trusted.gpg" "\\.gpg$"))) + #t))))) + (native-inputs + `(("gnupg" ,gnupg) + ("jetring" ,jetring))) + (home-page "https://packages.qa.debian.org/d/debian-archive-keyring.html") + (synopsis "GnuPG archive keys of the Debian archive") + (description + "The Debian project digitally signs its Release files. This package +contains the archive keys used for that.") + (license (list license:public-domain ; the keys + license:gpl2+)))) ; see debian/copyright -- cgit 1.4.1 From 2b5c5f03c2f0a84f84a5517e2e6f5fa9f276ffa5 Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Wed, 14 Mar 2018 13:21:26 +0100 Subject: gnu: Add ada.scm to GNU_SYSTEM_MODULES. This is a follow-up to commit ebd43a2a45f9ac0ce702ef5810eddafd0830db5f. * gnu/local.mk (GNU_SYSTEM_MODULES): Add ada.scm. --- gnu/local.mk | 1 + 1 file changed, 1 insertion(+) (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 5a3ae502f2..165b830673 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -50,6 +50,7 @@ GNU_SYSTEM_MODULES = \ %D%/packages/accessibility.scm \ %D%/packages/acct.scm \ %D%/packages/acl.scm \ + %D%/packages/ada.scm \ %D%/packages/admin.scm \ %D%/packages/adns.scm \ %D%/packages/agda.scm \ -- cgit 1.4.1 From 20ecede9690cb7f75bc8fee60619a4adf82ba4d5 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Thu, 15 Mar 2018 11:31:31 -0400 Subject: gnu: shadow: Fix CVE-2018-7169. * gnu/packages/patches/shadow-CVE-2018-7169.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/admin.scm (shadow)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/admin.scm | 1 + gnu/packages/patches/shadow-CVE-2018-7169.patch | 191 ++++++++++++++++++++++++ 3 files changed, 193 insertions(+) create mode 100644 gnu/packages/patches/shadow-CVE-2018-7169.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 165b830673..69e4d2b7b5 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1082,6 +1082,7 @@ dist_patch_DATA = \ %D%/packages/patches/scotch-test-threading.patch \ %D%/packages/patches/sdl-libx11-1.6.patch \ %D%/packages/patches/seq24-rename-mutex.patch \ + %D%/packages/patches/shadow-CVE-2018-7169.patch \ %D%/packages/patches/shepherd-close-fds.patch \ %D%/packages/patches/shepherd-herd-status-sorted.patch \ %D%/packages/patches/shishi-fix-libgcrypt-detection.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index ad31bc498f..d6f4a5fabc 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -360,6 +360,7 @@ hostname.") (uri (string-append "https://github.com/shadow-maint/shadow/releases/" "download/" version "/shadow-" version ".tar.xz")) + (patches (search-patches "shadow-CVE-2018-7169.patch")) (sha256 (base32 "0hdpai78n63l3v3fgr3kkiqzhd0awrpfnnzz4mf7lmxdh61qb37w")))) diff --git a/gnu/packages/patches/shadow-CVE-2018-7169.patch b/gnu/packages/patches/shadow-CVE-2018-7169.patch new file mode 100644 index 0000000000..eeae5b9b71 --- /dev/null +++ b/gnu/packages/patches/shadow-CVE-2018-7169.patch @@ -0,0 +1,191 @@ +Fix CVE-2018-7169: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7169 + +Patch copied from upstream source repository: + +https://github.com/shadow-maint/shadow/commit/fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 + +From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Thu, 15 Feb 2018 23:49:40 +1100 +Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group + +This is necessary to match the kernel-side policy of "self-mapping in a +user namespace is fine, but you cannot drop groups" -- a policy that was +created in order to stop user namespaces from allowing trivial privilege +escalation by dropping supplementary groups that were "blacklisted" from +certain paths. + +This is the simplest fix for the underlying issue, and effectively makes +it so that unless a user has a valid mapping set in /etc/subgid (which +only administrators can modify) -- and they are currently trying to use +that mapping -- then /proc/$pid/setgroups will be set to deny. This +workaround is only partial, because ideally it should be possible to set +an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow +administrators to further restrict newgidmap(1). + +We also don't write anything in the "allow" case because "allow" is the +default, and users may have already written "deny" even if they +technically are allowed to use setgroups. And we don't write anything if +the setgroups policy is already "deny". + +Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 +Fixes: CVE-2018-7169 +Reported-by: Craig Furman +Signed-off-by: Aleksa Sarai +--- + src/newgidmap.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 80 insertions(+), 9 deletions(-) + +diff --git a/src/newgidmap.c b/src/newgidmap.c +index b1e33513..59a2e75c 100644 +--- a/src/newgidmap.c ++++ b/src/newgidmap.c +@@ -46,32 +46,37 @@ + */ + const char *Prog; + +-static bool verify_range(struct passwd *pw, struct map_range *range) ++ ++static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups) + { + /* An empty range is invalid */ + if (range->count == 0) + return false; + +- /* Test /etc/subgid */ +- if (have_sub_gids(pw->pw_name, range->lower, range->count)) ++ /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */ ++ if (have_sub_gids(pw->pw_name, range->lower, range->count)) { ++ *allow_setgroups = true; + return true; ++ } + +- /* Allow a process to map its own gid */ +- if ((range->count == 1) && (pw->pw_gid == range->lower)) ++ /* Allow a process to map its own gid. */ ++ if ((range->count == 1) && (pw->pw_gid == range->lower)) { ++ /* noop -- if setgroups is enabled already we won't disable it. */ + return true; ++ } + + return false; + } + + static void verify_ranges(struct passwd *pw, int ranges, +- struct map_range *mappings) ++ struct map_range *mappings, bool *allow_setgroups) + { + struct map_range *mapping; + int idx; + + mapping = mappings; + for (idx = 0; idx < ranges; idx++, mapping++) { +- if (!verify_range(pw, mapping)) { ++ if (!verify_range(pw, mapping, allow_setgroups)) { + fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"), + Prog, + mapping->upper, +@@ -89,6 +94,70 @@ static void usage(void) + exit(EXIT_FAILURE); + } + ++void write_setgroups(int proc_dir_fd, bool allow_setgroups) ++{ ++ int setgroups_fd; ++ char *policy, policy_buffer[4096]; ++ ++ /* ++ * Default is "deny", and any "allow" will out-rank a "deny". We don't ++ * forcefully write an "allow" here because the process we are writing ++ * mappings for may have already set themselves to "deny" (and "allow" ++ * is the default anyway). So allow_setgroups == true is a noop. ++ */ ++ policy = "deny\n"; ++ if (allow_setgroups) ++ return; ++ ++ setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC); ++ if (setgroups_fd < 0) { ++ /* ++ * If it's an ENOENT then we are on too old a kernel for the setgroups ++ * code to exist. Emit a warning and bail on this. ++ */ ++ if (ENOENT == errno) { ++ fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog); ++ goto out; ++ } ++ fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"), ++ Prog, ++ strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* ++ * Check whether the policy is already what we want. /proc/self/setgroups ++ * is write-once, so attempting to write after it's already written to will ++ * fail. ++ */ ++ if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) { ++ fprintf(stderr, _("%s: failed to read setgroups: %s\n"), ++ Prog, ++ strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ if (!strncmp(policy_buffer, policy, strlen(policy))) ++ goto out; ++ ++ /* Write the policy. */ ++ if (lseek(setgroups_fd, 0, SEEK_SET) < 0) { ++ fprintf(stderr, _("%s: failed to seek setgroups: %s\n"), ++ Prog, ++ strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ if (dprintf(setgroups_fd, "%s", policy) < 0) { ++ fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"), ++ Prog, ++ policy, ++ strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ ++out: ++ close(setgroups_fd); ++} ++ + /* + * newgidmap - Set the gid_map for the specified process + */ +@@ -103,6 +172,7 @@ int main(int argc, char **argv) + struct stat st; + struct passwd *pw; + int written; ++ bool allow_setgroups = false; + + Prog = Basename (argv[0]); + +@@ -145,7 +215,7 @@ int main(int argc, char **argv) + (unsigned long) getuid ())); + return EXIT_FAILURE; + } +- ++ + /* Get the effective uid and effective gid of the target process */ + if (fstat(proc_dir_fd, &st) < 0) { + fprintf(stderr, _("%s: Could not stat directory for target %u\n"), +@@ -177,8 +247,9 @@ int main(int argc, char **argv) + if (!mappings) + usage(); + +- verify_ranges(pw, ranges, mappings); ++ verify_ranges(pw, ranges, mappings, &allow_setgroups); + ++ write_setgroups(proc_dir_fd, allow_setgroups); + write_mapping(proc_dir_fd, ranges, mappings, "gid_map"); + sub_gid_close(); + +-- +2.16.2 + -- cgit 1.4.1 From 77166eb758ff565837db9e9a26d34ba9aaa16281 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Thu, 15 Mar 2018 13:57:48 -0400 Subject: gnu: util-linux: Fix CVE-2018-7738. * gnu/packages/patches/util-linux-CVE-2018-7738.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/linux.scm (util-linux)[replacement]: New field. (util-linux/fixed): New variable. --- gnu/local.mk | 1 + gnu/packages/linux.scm | 10 +++++ .../patches/util-linux-CVE-2018-7738.patch | 49 ++++++++++++++++++++++ 3 files changed, 60 insertions(+) create mode 100644 gnu/packages/patches/util-linux-CVE-2018-7738.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 69e4d2b7b5..788b260e5e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1135,6 +1135,7 @@ dist_patch_DATA = \ %D%/packages/patches/unzip-overflow-long-fsize.patch \ %D%/packages/patches/unzip-remove-build-date.patch \ %D%/packages/patches/ustr-fix-build-with-gcc-5.patch \ + %D%/packages/patches/util-linux-CVE-2018-7738.patch \ %D%/packages/patches/util-linux-tests.patch \ %D%/packages/patches/upower-builddir.patch \ %D%/packages/patches/valgrind-enable-arm.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index bd6f005719..df6d7468ac 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -547,6 +547,7 @@ providing the system administrator with some help in common tasks.") (define-public util-linux (package (name "util-linux") + (replacement util-linux/fixed) (version "2.31") (source (origin (method url-fetch) @@ -634,6 +635,15 @@ block devices, UUIDs, TTYs, and many other tools.") (license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.0+ license:bsd-4 license:public-domain)))) +(define util-linux/fixed + (package + (inherit util-linux) + (source + (origin + (inherit (package-source util-linux)) + (patches (append (origin-patches (package-source util-linux)) + (search-patches "util-linux-CVE-2018-7738.patch"))))))) + (define-public ddate (package (name "ddate") diff --git a/gnu/packages/patches/util-linux-CVE-2018-7738.patch b/gnu/packages/patches/util-linux-CVE-2018-7738.patch new file mode 100644 index 0000000000..080e2f56ba --- /dev/null +++ b/gnu/packages/patches/util-linux-CVE-2018-7738.patch @@ -0,0 +1,49 @@ +Fix CVE-2018-7738: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738 + +Patch copied from upstream source repository: + +https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55 + +From 75f03badd7ed9f1dd951863d75e756883d3acc55 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Thu, 16 Nov 2017 16:27:32 +0100 +Subject: [PATCH] bash-completion: (umount) use findmnt, escape a space in + paths + + # mount /dev/sdc1 /mnt/test/foo\ bar + # umount + +has to return "/mnt/test/foo\ bar". + +Changes: + + * don't use mount | awk output, we have findmnt + * force compgen use \n as entries separator + +Addresses: https://github.com/karelzak/util-linux/issues/539 +Signed-off-by: Karel Zak +--- + bash-completion/umount | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/bash-completion/umount b/bash-completion/umount +index d76cb9fff..98c90d61a 100644 +--- a/bash-completion/umount ++++ b/bash-completion/umount +@@ -40,9 +40,10 @@ _umount_module() + return 0 + ;; + esac +- local DEVS_MPOINTS +- DEVS_MPOINTS="$(mount | awk '{print $1, $3}')" +- COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) ) +- return 0 ++ ++ local oldifs=$IFS ++ IFS=$'\n' ++ COMPREPLY=( $( compgen -W '$(findmnt -lno TARGET | sed "s/\([[:blank:]]\)/\\\\\1/g")' -- "$cur" ) ) ++ IFS=$oldifs + } + complete -F _umount_module umount -- cgit 1.4.1 From 3c274149688472cca4f506483b82d0b7865481b3 Mon Sep 17 00:00:00 2001 From: Gábor Boskovits Date: Tue, 13 Mar 2018 22:55:10 +0100 Subject: gnu: java-simple-xml: Fix java8 test failures. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/patches/javas-simple-xml-fix-tests.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/java.scm (java-simple-xml)[source](patches): Add it. Signed-off-by: Ludovic Courtès --- gnu/local.mk | 1 + .../patches/java-simple-xml-fix-tests.patch | 37 ++++++++++++++++++++++ gnu/packages/xml.scm | 3 +- 3 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/java-simple-xml-fix-tests.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 788b260e5e..f27565bb29 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -789,6 +789,7 @@ dist_patch_DATA = \ %D%/packages/patches/jacal-fix-texinfo.patch \ %D%/packages/patches/java-jeromq-fix-tests.patch \ %D%/packages/patches/java-powermock-fix-java-files.patch \ + %D%/packages/patches/java-simple-xml-fix-tests.patch \ %D%/packages/patches/java-xerces-bootclasspath.patch \ %D%/packages/patches/java-xerces-build_dont_unzip.patch \ %D%/packages/patches/java-xerces-xjavac_taskdef.patch \ diff --git a/gnu/packages/patches/java-simple-xml-fix-tests.patch b/gnu/packages/patches/java-simple-xml-fix-tests.patch new file mode 100644 index 0000000000..6270b87009 --- /dev/null +++ b/gnu/packages/patches/java-simple-xml-fix-tests.patch @@ -0,0 +1,37 @@ +From b3b7a305f1278ec414500bf96c4c7a7f634c941b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jens=20Thee=C3=9F?= +Date: Thu, 15 Sep 2016 13:08:26 +0200 +Subject: [PATCH] Dictionary uses stable order. This fixes unit tests. + +This is upstream pull request #15: +https://github.com/ngallagher/simplexml/pull/15 +This software is unmaintained, this pull request will no get merged. +The patch is modified, to match the directory layout of the tarball. + +--- + src/main/java/org/simpleframework/xml/util/Dictionary.java | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/main/java/org/simpleframework/xml/util/Dictionary.java b/src/main/java/org/simpleframework/xml/util/Dictionary.java +index 077d2514..c7327426 100644 +--- a/src/org/simpleframework/xml/util/Dictionary.java ++++ b/src/org/simpleframework/xml/util/Dictionary.java +@@ -19,8 +19,8 @@ + package org.simpleframework.xml.util; + + import java.util.AbstractSet; +-import java.util.HashMap; + import java.util.Iterator; ++import java.util.LinkedHashMap; + + /** + * The Dictionary object represents a mapped set of entry +@@ -134,7 +134,7 @@ public T remove(String name) { + * + * @see org.simpleframework.xml.util.Entry + */ +- private static class Table extends HashMap { ++ private static class Table extends LinkedHashMap { + + /** + * Constructor for the Table object. This will diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 6c1d2a7796..212b1c8e8a 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -1309,7 +1309,8 @@ SAX2 APIs.") version ".zip")) (sha256 (base32 - "0w19k1awslmihpwsxwjbg89hv0vjhk4k3i0vrfchy3mqknd988y5")))) + "0w19k1awslmihpwsxwjbg89hv0vjhk4k3i0vrfchy3mqknd988y5")) + (patches (search-patches "java-simple-xml-fix-tests.patch")))) (build-system ant-build-system) (arguments `(#:build-target "build" -- cgit 1.4.1 From be5ed142135e939cd23fcfe88c553fd28b32ac53 Mon Sep 17 00:00:00 2001 From: Christopher Baines Date: Sun, 25 Feb 2018 14:30:46 +0000 Subject: gnu: Add terraform-docs. * gnu/packages/terraform.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. --- gnu/local.mk | 1 + gnu/packages/terraform.scm | 52 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 gnu/packages/terraform.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index f27565bb29..dfb3073d7a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -411,6 +411,7 @@ GNU_SYSTEM_MODULES = \ %D%/packages/tcl.scm \ %D%/packages/telephony.scm \ %D%/packages/terminals.scm \ + %D%/packages/terraform.scm \ %D%/packages/texinfo.scm \ %D%/packages/tex.scm \ %D%/packages/textutils.scm \ diff --git a/gnu/packages/terraform.scm b/gnu/packages/terraform.scm new file mode 100644 index 0000000000..71b214ed0a --- /dev/null +++ b/gnu/packages/terraform.scm @@ -0,0 +1,52 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2018 Christopher Baines +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu packages terraform) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix packages) + #:use-module (guix download) + #:use-module (guix git-download) + #:use-module (guix build-system go) + #:use-module (gnu packages golang)) + +(define-public terraform-docs + (package + (name "terraform-docs") + (version "0.3.0") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/segmentio/terraform-docs") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "0xchpik32ab8m89s6jv671vswg8xhprfvh6s5md0zd36482d2nmm")))) + (build-system go-build-system) + (native-inputs + `(("go-github-com-hashicorp-hcl" ,go-github-com-hashicorp-hcl) + ("go-github-com-tj-docopt" ,go-github-com-tj-docopt))) + (arguments + '(#:import-path "github.com/segmentio/terraform-docs")) + (synopsis "Generate documentation from Terraform modules") + (description + "The @code{terraform-docs} utility can generate documentation describing +the inputs and outputs for modules of the Terraform infrastructure management +tool. These can be shown, or written to a file in JSON or Markdown formats.") + (home-page "https://github.com/segmentio/terraform-docs") + (license license:expat))) -- cgit 1.4.1