From b5ffcbe1af01544cac31f056a700f5382f3e6b14 Mon Sep 17 00:00:00 2001
From: Efraim Flashner
Date: Wed, 4 Mar 2020 20:59:48 +0200
Subject: gnu: Add bidiv.
* gnu/packages/fribidi.scm (bidiv): New variable.
* gnu/packages/patches/bidiv-update-fribidi.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
 gnu/local.mk | 1 +
 1 file changed, 1 insertion(+)
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 610c81ec97..73fc219383 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -759,6 +759,7 @@ dist_patch_DATA = \
 %D%/packages/patches/beignet-correct-file-names.patch \
 %D%/packages/patches/benchmark-unbundle-googletest.patch \
 %D%/packages/patches/biber-fix-encoding-write.patch \
+ %D%/packages/patches/bidiv-update-fribidi.patch \
 %D%/packages/patches/binutils-boot-2.20.1a.patch \
 %D%/packages/patches/binutils-loongson-workaround.patch \
 %D%/packages/patches/blender-2.79-newer-ffmpeg.patch \
-- cgit 1.4.1
From 745041b59ff90195c5d5aad98310f5ad1a34a693 Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Sun, 15 Mar 2020 14:23:51 +0100
Subject: gnu: python-jedi: Update to 0.16.
* gnu/packages/patches/python-jedi-deleted-variables.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/python-xyz.scm (python-jedi): Update to 0.16. [source](patches): New field.
---
 gnu/local.mk | 1 +
 .../patches/python-jedi-deleted-variables.patch | 38 ++++++++++++++++++++++
 gnu/packages/python-xyz.scm | 12 ++-----
 3 files changed, 42 insertions(+), 9 deletions(-)
 create mode 100644 gnu/packages/patches/python-jedi-deleted-variables.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 73fc219383..29ca54a0ca 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1330,6 +1330,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-pep8-stdlib-tokenize-compat.patch \ %D%/packages/patches/python-pyfakefs-remove-bad-test.patch \ %D%/packages/patches/python-flint-includes.patch \ + %D%/packages/patches/python-jedi-deleted-variables.patch \ %D%/packages/patches/python-libxml2-utf8.patch \ %D%/packages/patches/python-mox3-python3.6-compat.patch \ %D%/packages/patches/python-testtools.patch \ diff --git a/gnu/packages/patches/python-jedi-deleted-variables.patch b/gnu/packages/patches/python-jedi-deleted-variables.patch new file mode 100644 index 0000000000..53bdc05cde --- /dev/null +++ b/gnu/packages/patches/python-jedi-deleted-variables.patch @@ -0,0 +1,38 @@ +Fix test failure in some environments, including Guix. + +Taken from upstream: +https://github.com/davidhalter/jedi/commit/bec87f7ff82b0731713c6520a14c213341b4cecf + +diff --git a/test/completion/basic.py b/test/completion/basic.py +index b40068179..3ff919ca6 100644 +--- a/test/completion/basic.py ++++ b/test/completion/basic.py +@@ -209,11 +209,11 @@ def global_as_import(): + + deleted_var = 3 + del deleted_var +-#? int() ++#? + deleted_var +-#? ['deleted_var'] ++#? [] + deleted_var +-#! ['deleted_var = 3'] ++#! [] + deleted_var + + # ----------------- +diff --git a/test/test_api/test_full_name.py b/test/test_api/test_full_name.py +index 4fdb861b0..6858b6ca8 100644 +--- a/test/test_api/test_full_name.py ++++ b/test/test_api/test_full_name.py +@@ -112,7 +112,8 @@ def test_os_path(Script): + + def test_os_issues(Script): + """Issue #873""" +- assert [c.name for c in Script('import os\nos.nt''').complete()] == ['nt'] ++ # nt is not found, because it's deleted ++ assert [c.name for c in Script('import os\nos.nt''').complete()] == [] + + + def test_param_name(Script): diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm index d2bf1c57e7..902a197fbb 100644 --- a/gnu/packages/python-xyz.scm +++ b/gnu/packages/python-xyz.scm 
@@ -11217,25 +11217,19 @@ characters, mouse support, and auto suggestions.") (define-public python-jedi (package (name "python-jedi") - (version "0.15.1") + (version "0.16.0") (source (origin (method url-fetch) (uri (pypi-uri "jedi" version)) + (patches (search-patches "python-jedi-deleted-variables.patch")) (sha256 (base32 - "0bp4pxhsynaarbvzblsn5x32lzp29svy3sxfy8i6m5iwz9s9r1ds")))) + "1mb5kmrk9bkc3kwzx02j62cdan1jqd92q1z7h7wi9d30jg5p3j6m")))) (build-system python-build-system) (arguments `(#:phases (modify-phases %standard-phases - (add-after 'unpack 'disable-file-completion-test - ;; A single parameterized test currently fail (see: - ;; https://github.com/davidhalter/jedi/issues/1395). Remove it. - (lambda _ - (substitute* "test/test_api/test_completion.py" - ((".*'example.py', 'rb\"' \\+ join\\('\\.\\.'.*") "")) - #t)) (replace 'check (lambda _ (setenv "HOME" "/tmp") -- cgit 1.4.1 From 45ebd90c186558556f2fe28ff2eb0cd424768b55 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Sun, 15 Mar 2020 15:03:33 +0100 Subject: gnu: python-alembic: Update to 1.4.1. * gnu/packages/patches/python-alembic-exceptions-cause.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/databases.scm (python-alembic): Update to 1.4.1. [source](patches): New field. [arguments]: New field, override check phase. --- gnu/local.mk | 1 + gnu/packages/databases.scm | 10 +++- .../patches/python-alembic-exceptions-cause.patch | 69 ++++++++++++++++++++++ 3 files changed, 78 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/python-alembic-exceptions-cause.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 29ca54a0ca..3be54b2627 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1320,6 +1320,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-3.8-search-paths.patch \ %D%/packages/patches/python-3.8-fix-tests.patch \ %D%/packages/patches/python-CVE-2018-14647.patch \ + %D%/packages/patches/python-alembic-exceptions-cause.patch \ %D%/packages/patches/python-axolotl-AES-fix.patch \ %D%/packages/patches/python-cairocffi-dlopen-path.patch \ %D%/packages/patches/python-cffi-x87-stack-clean.patch \ diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm index a4854580e8..be4db42332 100644 --- a/gnu/packages/databases.scm +++ b/gnu/packages/databases.scm @@ -2613,15 +2613,21 @@ You might also want to install the following optional dependencies: (define-public python-alembic (package (name "python-alembic") - (version "1.0.11") + (version "1.4.1") (source (origin (method url-fetch) (uri (pypi-uri "alembic" version)) + (patches (search-patches "python-alembic-exceptions-cause.patch")) (sha256 (base32 - "1k5hag0vahd5vrf9abx8fdj2whrwaw2iq2yp736mmxnbsn5xkdyd")))) + "0a4hzn76csgbf1px4f5vfm256byvjrqkgi9869nkcjrwjn35c6kr")))) (build-system python-build-system) + (arguments + '(#:phases (modify-phases %standard-phases + (replace 'check + (lambda _ + (invoke "pytest" "-vv")))))) (native-inputs `(("python-mock" ,python-mock) ("python-pytest-cov" ,python-pytest-cov))) diff --git a/gnu/packages/patches/python-alembic-exceptions-cause.patch b/gnu/packages/patches/python-alembic-exceptions-cause.patch new file mode 100644 index 0000000000..b9844e5ad0 --- /dev/null +++ b/gnu/packages/patches/python-alembic-exceptions-cause.patch 
@@ -0,0 +1,69 @@ +Fix a test failure with newer versions of SQLalchemy due to missing +"causes" for some exceptions. + +diff --git a/alembic/operations/ops.py b/alembic/operations/ops.py +index 5ec2762..7129472 100644 +--- a/alembic/operations/ops.py ++++ b/alembic/operations/ops.py +@@ -108,6 +108,7 @@ def from_constraint(cls, constraint): + "primary_key_constraint": "primary", + "check_constraint": "check", + "column_check_constraint": "check", ++ "table_or_column_check_constraint": "check", + } + + constraint_table = sqla_compat._table_for_constraint(constraint) +@@ -707,6 +708,7 @@ def batch_create_foreign_key( + "create_check_constraint", "batch_create_check_constraint" + ) + @AddConstraintOp.register_add_constraint("check_constraint") ++@AddConstraintOp.register_add_constraint("table_or_column_check_constraint") + @AddConstraintOp.register_add_constraint("column_check_constraint") + class CreateCheckConstraintOp(AddConstraintOp): + """Represent a create check constraint operation.""" +diff --git a/alembic/testing/assertions.py b/alembic/testing/assertions.py +index 3dc08f0..a78e5e8 100644 +--- a/alembic/testing/assertions.py ++++ b/alembic/testing/assertions.py +@@ -2,10 +2,9 @@ + + import re + ++from sqlalchemy import util + from sqlalchemy.engine import default + from sqlalchemy.testing.assertions import _expect_warnings +-from sqlalchemy.testing.assertions import assert_raises # noqa +-from sqlalchemy.testing.assertions import assert_raises_message # noqa + from sqlalchemy.testing.assertions import eq_ # noqa + from sqlalchemy.testing.assertions import is_ # noqa + from sqlalchemy.testing.assertions import is_false # noqa +@@ -17,6 +16,29 @@ + from ..util.compat import py3k + + ++def assert_raises(except_cls, callable_, *args, **kw): ++ try: ++ callable_(*args, **kw) ++ success = False ++ except except_cls: ++ success = True ++ ++ # assert outside the block so it works for AssertionError too ! 
++ assert success, "Callable did not raise an exception" ++ ++ ++def assert_raises_message(except_cls, msg, callable_, *args, **kwargs): ++ try: ++ callable_(*args, **kwargs) ++ assert False, "Callable did not raise an exception" ++ except except_cls as e: ++ assert re.search(msg, util.text_type(e), re.UNICODE), "%r !~ %s" % ( ++ msg, ++ e, ++ ) ++ print(util.text_type(e).encode("utf-8")) ++ ++ + def eq_ignore_whitespace(a, b, msg=None): + # sqlalchemy.testing.assertion has this function + # but not with the special "!U" detection part -- cgit 1.4.1 From f24aaa81de8c709adfda2e89271c562a5ca8d959 Mon Sep 17 00:00:00 2001 From: Vincent Legoll Date: Sun, 15 Mar 2020 19:07:57 +0100 Subject: gnu: BlueZ: Update to 5.54. * gnu/packages/linux.scm (bluez): Update to 5.54. [replacement]: Remove field. (bluez/fixed): Remove variable. * gnu/packages/patches/bluez-CVE-2020-0556.patch: Remove file. * gnu/local.mk (dist_patch_DATA): Remove it. Signed-off-by: Leo Famulari --- gnu/local.mk | 1 - gnu/packages/linux.scm | 13 +- gnu/packages/patches/bluez-CVE-2020-0556.patch | 180 ------------------------- 3 files changed, 2 insertions(+), 192 deletions(-) delete mode 100644 gnu/packages/patches/bluez-CVE-2020-0556.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 3be54b2627..b628bbee0c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -764,7 +764,6 @@ dist_patch_DATA = \ %D%/packages/patches/binutils-loongson-workaround.patch \ %D%/packages/patches/blender-2.79-newer-ffmpeg.patch \ %D%/packages/patches/blender-2.79-python-3.7-fix.patch \ - %D%/packages/patches/bluez-CVE-2020-0556.patch \ %D%/packages/patches/byobu-writable-status.patch \ %D%/packages/patches/calibre-no-updates-dialog.patch \ %D%/packages/patches/calibre-remove-test-bs4.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index f1bc5798ab..fda7570d89 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm 
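Review bot: The header of the new python-alembic-exceptions-cause.patch gives no origin for the change, unlike the jedi, flask-restful and beets patches added in this series, which each carry a `Taken from upstream:` line with the commit URL. It also describes only a test fix, while the first two hunks of the carried patch edit `alembic/operations/ops.py` (registering `table_or_column_check_constraint`), which is library code that ships in the package rather than test code. I would add a provenance line such as `Taken from upstream: <upstream commit URL>` and one sentence on the ops.py change, so a later audit can compare the carried patch with its source.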
@@ -4039,8 +4039,7 @@ Bluetooth audio output devices like headphones or loudspeakers.") (define-public bluez (package (name "bluez") - (replacement bluez/fixed) - (version "5.53") + (version "5.54") (source (origin (method url-fetch) (uri (string-append @@ -4048,7 +4047,7 @@ Bluetooth audio output devices like headphones or loudspeakers.") version ".tar.xz")) (sha256 (base32 - "1g1qg6dz6hl3csrmz75ixr12lwv836hq3ckb259svvrg62l2vaiq")))) + "1p2ncvjz6alr9n3l5wvq2arqgc7xjs6dqyar1l9jp0z8cfgapkb8")))) (build-system gnu-build-system) (arguments `(#:configure-flags @@ -4105,14 +4104,6 @@ Bluetooth audio output devices like headphones or loudspeakers.") is flexible, efficient and uses a modular implementation.") (license license:gpl2+))) -(define bluez/fixed - (package - (inherit bluez) - (source (origin - (inherit (package-source bluez)) - (patches (append (origin-patches (package-source bluez)) - (search-patches "bluez-CVE-2020-0556.patch"))))))) - (define-public fuse-exfat (package (name "fuse-exfat") diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch deleted file mode 100644 index 7c34459a3a..0000000000 --- a/gnu/packages/patches/bluez-CVE-2020-0556.patch +++ /dev/null 
@@ -1,180 +0,0 @@ -Fix CVE-2020-0556: - -https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/ -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556 - -Patches copied from upstream source repository: - -https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 -https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 - -From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001 -From: Alain Michaud -Date: Tue, 10 Mar 2020 02:35:18 +0000 -Subject: [PATCH] HID accepts bonded device connections only. - -This change adds a configuration for platforms to choose a more secure -posture for the HID profile. While some older mice are known to not -support pairing or encryption, some platform may choose a more secure -posture by requiring the device to be bonded and require the -connection to be encrypted when bonding is required. 
- -Reference: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html ---- - profiles/input/device.c | 23 ++++++++++++++++++++++- - profiles/input/device.h | 1 + - profiles/input/input.conf | 8 ++++++++ - profiles/input/manager.c | 13 ++++++++++++- - 4 files changed, 43 insertions(+), 2 deletions(-) - -diff --git a/profiles/input/device.c b/profiles/input/device.c -index 2cb3811c8..d89da2d7c 100644 ---- a/profiles/input/device.c -+++ b/profiles/input/device.c -@@ -92,6 +92,7 @@ struct input_device { - - static int idle_timeout = 0; - static bool uhid_enabled = false; -+static bool classic_bonded_only = false; - - void input_set_idle_timeout(int timeout) - { -@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) - uhid_enabled = state; - } - -+void input_set_classic_bonded_only(bool state) -+{ -+ classic_bonded_only = state; -+} -+ - static void input_device_enter_reconnect_mode(struct input_device *idev); - static int connection_disconnect(struct input_device *idev, uint32_t flags); - -@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) - if (device_name_known(idev->device)) - device_get_name(idev->device, req->name, sizeof(req->name)); - -+ /* Make sure the device is bonded if required */ -+ if (classic_bonded_only && !device_is_bonded(idev->device, -+ btd_device_get_bdaddr_type(idev->device))) { -+ error("Rejected connection from !bonded device %s", dst_addr); -+ goto cleanup; -+ } -+ - /* Encryption is mandatory for keyboards */ -- if (req->subclass & 0x40) { -+ /* Some platforms may choose to require encryption for all devices */ -+ /* Note that this only matters for pre 2.1 devices as otherwise the */ -+ /* device is encrypted by default by the lower layers */ -+ if (classic_bonded_only || req->subclass & 0x40) { - if (!bt_io_set(idev->intr_io, &gerr, - BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, - BT_IO_OPT_INVALID)) { -@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct 
input_device *idev) - DBG("path=%s reconnect_mode=%s", idev->path, - reconnect_mode_to_string(idev->reconnect_mode)); - -+ /* Make sure the device is bonded if required */ -+ if (classic_bonded_only && !device_is_bonded(idev->device, -+ btd_device_get_bdaddr_type(idev->device))) -+ return; -+ - /* Only attempt an auto-reconnect when the device is required to - * accept reconnections from the host. - */ -diff --git a/profiles/input/device.h b/profiles/input/device.h -index 51a9aee18..3044db673 100644 ---- a/profiles/input/device.h -+++ b/profiles/input/device.h -@@ -29,6 +29,7 @@ struct input_conn; - - void input_set_idle_timeout(int timeout); - void input_enable_userspace_hid(bool state); -+void input_set_classic_bonded_only(bool state); - - int input_device_register(struct btd_service *service); - void input_device_unregister(struct btd_service *service); -diff --git a/profiles/input/input.conf b/profiles/input/input.conf -index 3e1d65aae..166aff4a4 100644 ---- a/profiles/input/input.conf -+++ b/profiles/input/input.conf -@@ -11,3 +11,11 @@ - # Enable HID protocol handling in userspace input profile - # Defaults to false (HIDP handled in HIDP kernel module) - #UserspaceHID=true -+ -+# Limit HID connections to bonded devices -+# The HID Profile does not specify that devices must be bonded, however some -+# platforms may want to make sure that input connections only come from bonded -+# device connections. Several older mice have been known for not supporting -+# pairing/encryption. -+# Defaults to false to maximize device compatibility. 
-+#ClassicBondedOnly=true -diff --git a/profiles/input/manager.c b/profiles/input/manager.c -index 1d31b0652..5cd27b839 100644 ---- a/profiles/input/manager.c -+++ b/profiles/input/manager.c -@@ -96,7 +96,7 @@ static int input_init(void) - config = load_config_file(CONFIGDIR "/input.conf"); - if (config) { - int idle_timeout; -- gboolean uhid_enabled; -+ gboolean uhid_enabled, classic_bonded_only; - - idle_timeout = g_key_file_get_integer(config, "General", - "IdleTimeout", &err); -@@ -114,6 +114,17 @@ static int input_init(void) - input_enable_userspace_hid(uhid_enabled); - } else - g_clear_error(&err); -+ -+ classic_bonded_only = g_key_file_get_boolean(config, "General", -+ "ClassicBondedOnly", &err); -+ -+ if (!err) { -+ DBG("input.conf: ClassicBondedOnly=%s", -+ classic_bonded_only ? "true" : "false"); -+ input_set_classic_bonded_only(classic_bonded_only); -+ } else -+ g_clear_error(&err); -+ - } - - btd_profile_register(&input_profile); --- -2.25.1 - -From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001 -From: Alain Michaud -Date: Tue, 10 Mar 2020 02:35:16 +0000 -Subject: [PATCH] HOGP must only accept data from bonded devices. - -HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. - -Reference: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm ---- - profiles/input/hog.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/profiles/input/hog.c b/profiles/input/hog.c -index 83c017dcb..dfac68921 100644 ---- a/profiles/input/hog.c -+++ b/profiles/input/hog.c -@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) - return -EINVAL; - } - -+ /* HOGP 1.0 Section 6.1 requires bonding */ -+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) -+ return -ECONNREFUSED; -+ - /* TODO: Replace GAttrib with bt_gatt_client */ - bt_hog_attach(dev->hog, attrib); - --- -2.25.1 - -- cgit 1.4.1 From 8bbbbb39350eb559951972abae2622195393b51e Mon Sep 17 00:00:00 2001 
From: Leo Famulari Date: Sun, 15 Mar 2020 21:03:39 -0400 Subject: Revert "gnu: BlueZ: Update to 5.54." This reverts commit f24aaa81de8c709adfda2e89271c562a5ca8d959. This change caused too many rebuilds for the master branch. --- gnu/local.mk | 1 + gnu/packages/linux.scm | 13 +- gnu/packages/patches/bluez-CVE-2020-0556.patch | 180 +++++++++++++++++++++++++ 3 files changed, 192 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/bluez-CVE-2020-0556.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index b628bbee0c..3be54b2627 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -764,6 +764,7 @@ dist_patch_DATA = \ %D%/packages/patches/binutils-loongson-workaround.patch \ %D%/packages/patches/blender-2.79-newer-ffmpeg.patch \ %D%/packages/patches/blender-2.79-python-3.7-fix.patch \ + %D%/packages/patches/bluez-CVE-2020-0556.patch \ %D%/packages/patches/byobu-writable-status.patch \ %D%/packages/patches/calibre-no-updates-dialog.patch \ %D%/packages/patches/calibre-remove-test-bs4.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index fda7570d89..f1bc5798ab 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -4039,7 +4039,8 @@ Bluetooth audio output devices like headphones or loudspeakers.") (define-public bluez (package (name "bluez") - (version "5.54") + (replacement bluez/fixed) + (version "5.53") (source (origin (method url-fetch) (uri (string-append @@ -4047,7 +4048,7 @@ Bluetooth audio output devices like headphones or loudspeakers.") version ".tar.xz")) (sha256 (base32 - "1p2ncvjz6alr9n3l5wvq2arqgc7xjs6dqyar1l9jp0z8cfgapkb8")))) + "1g1qg6dz6hl3csrmz75ixr12lwv836hq3ckb259svvrg62l2vaiq")))) (build-system gnu-build-system) (arguments `(#:configure-flags 
@@ -4104,6 +4105,14 @@ Bluetooth audio output devices like headphones or loudspeakers.") is flexible, efficient and uses a modular implementation.") (license license:gpl2+))) +(define bluez/fixed + (package + (inherit bluez) + (source (origin + (inherit (package-source bluez)) + (patches (append (origin-patches (package-source bluez)) + (search-patches "bluez-CVE-2020-0556.patch"))))))) + (define-public fuse-exfat (package (name "fuse-exfat") diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch new file mode 100644 index 0000000000..7c34459a3a --- /dev/null +++ b/gnu/packages/patches/bluez-CVE-2020-0556.patch 
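Review bot: `bluez/fixed` is added without a comment saying what the graft does and does not cover. In the patch it applies, the classic HID check in `hidp_add_connection` runs only when `classic_bonded_only` is true, and that flag is initialised to `false` with `#ClassicBondedOnly=true` left commented out in input.conf; only the `hog_accept` check is unconditional. Unless an input.conf that sets the option is installed (nothing in this diff does so), the grafted build presumably still accepts classic HID connections from unbonded devices. I would put a comment above the definition, for example `;; Graft for CVE-2020-0556. The classic HID bonding check is opt-in: set ClassicBondedOnly=true in input.conf.`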
@@ -0,0 +1,180 @@ +Fix CVE-2020-0556: + +https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/ +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556 + +Patches copied from upstream source repository: + +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 + +From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001 +From: Alain Michaud +Date: Tue, 10 Mar 2020 02:35:18 +0000 +Subject: [PATCH] HID accepts bonded device connections only. + +This change adds a configuration for platforms to choose a more secure +posture for the HID profile. While some older mice are known to not +support pairing or encryption, some platform may choose a more secure +posture by requiring the device to be bonded and require the +connection to be encrypted when bonding is required. 
+ +Reference: +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html +--- + profiles/input/device.c | 23 ++++++++++++++++++++++- + profiles/input/device.h | 1 + + profiles/input/input.conf | 8 ++++++++ + profiles/input/manager.c | 13 ++++++++++++- + 4 files changed, 43 insertions(+), 2 deletions(-) + +diff --git a/profiles/input/device.c b/profiles/input/device.c +index 2cb3811c8..d89da2d7c 100644 +--- a/profiles/input/device.c ++++ b/profiles/input/device.c +@@ -92,6 +92,7 @@ struct input_device { + + static int idle_timeout = 0; + static bool uhid_enabled = false; ++static bool classic_bonded_only = false; + + void input_set_idle_timeout(int timeout) + { +@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) + uhid_enabled = state; + } + ++void input_set_classic_bonded_only(bool state) ++{ ++ classic_bonded_only = state; ++} ++ + static void input_device_enter_reconnect_mode(struct input_device *idev); + static int connection_disconnect(struct input_device *idev, uint32_t flags); + +@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) + if (device_name_known(idev->device)) + device_get_name(idev->device, req->name, sizeof(req->name)); + ++ /* Make sure the device is bonded if required */ ++ if (classic_bonded_only && !device_is_bonded(idev->device, ++ btd_device_get_bdaddr_type(idev->device))) { ++ error("Rejected connection from !bonded device %s", dst_addr); ++ goto cleanup; ++ } ++ + /* Encryption is mandatory for keyboards */ +- if (req->subclass & 0x40) { ++ /* Some platforms may choose to require encryption for all devices */ ++ /* Note that this only matters for pre 2.1 devices as otherwise the */ ++ /* device is encrypted by default by the lower layers */ ++ if (classic_bonded_only || req->subclass & 0x40) { + if (!bt_io_set(idev->intr_io, &gerr, + BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, + BT_IO_OPT_INVALID)) { +@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct 
input_device *idev) + DBG("path=%s reconnect_mode=%s", idev->path, + reconnect_mode_to_string(idev->reconnect_mode)); + ++ /* Make sure the device is bonded if required */ ++ if (classic_bonded_only && !device_is_bonded(idev->device, ++ btd_device_get_bdaddr_type(idev->device))) ++ return; ++ + /* Only attempt an auto-reconnect when the device is required to + * accept reconnections from the host. + */ +diff --git a/profiles/input/device.h b/profiles/input/device.h +index 51a9aee18..3044db673 100644 +--- a/profiles/input/device.h ++++ b/profiles/input/device.h +@@ -29,6 +29,7 @@ struct input_conn; + + void input_set_idle_timeout(int timeout); + void input_enable_userspace_hid(bool state); ++void input_set_classic_bonded_only(bool state); + + int input_device_register(struct btd_service *service); + void input_device_unregister(struct btd_service *service); +diff --git a/profiles/input/input.conf b/profiles/input/input.conf +index 3e1d65aae..166aff4a4 100644 +--- a/profiles/input/input.conf ++++ b/profiles/input/input.conf +@@ -11,3 +11,11 @@ + # Enable HID protocol handling in userspace input profile + # Defaults to false (HIDP handled in HIDP kernel module) + #UserspaceHID=true ++ ++# Limit HID connections to bonded devices ++# The HID Profile does not specify that devices must be bonded, however some ++# platforms may want to make sure that input connections only come from bonded ++# device connections. Several older mice have been known for not supporting ++# pairing/encryption. ++# Defaults to false to maximize device compatibility. 
++#ClassicBondedOnly=true +diff --git a/profiles/input/manager.c b/profiles/input/manager.c +index 1d31b0652..5cd27b839 100644 +--- a/profiles/input/manager.c ++++ b/profiles/input/manager.c +@@ -96,7 +96,7 @@ static int input_init(void) + config = load_config_file(CONFIGDIR "/input.conf"); + if (config) { + int idle_timeout; +- gboolean uhid_enabled; ++ gboolean uhid_enabled, classic_bonded_only; + + idle_timeout = g_key_file_get_integer(config, "General", + "IdleTimeout", &err); +@@ -114,6 +114,17 @@ static int input_init(void) + input_enable_userspace_hid(uhid_enabled); + } else + g_clear_error(&err); ++ ++ classic_bonded_only = g_key_file_get_boolean(config, "General", ++ "ClassicBondedOnly", &err); ++ ++ if (!err) { ++ DBG("input.conf: ClassicBondedOnly=%s", ++ classic_bonded_only ? "true" : "false"); ++ input_set_classic_bonded_only(classic_bonded_only); ++ } else ++ g_clear_error(&err); ++ + } + + btd_profile_register(&input_profile); +-- +2.25.1 + +From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001 +From: Alain Michaud +Date: Tue, 10 Mar 2020 02:35:16 +0000 +Subject: [PATCH] HOGP must only accept data from bonded devices. + +HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. + +Reference: +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm +--- + profiles/input/hog.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/profiles/input/hog.c b/profiles/input/hog.c +index 83c017dcb..dfac68921 100644 +--- a/profiles/input/hog.c ++++ b/profiles/input/hog.c +@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) + return -EINVAL; + } + ++ /* HOGP 1.0 Section 6.1 requires bonding */ ++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) ++ return -ECONNREFUSED; ++ + /* TODO: Replace GAttrib with bt_gatt_client */ + bt_hog_attach(dev->hog, attrib); + +-- +2.25.1 + -- cgit 1.4.1 From 0a044f75b54d92417debf600fe7c4c4f86af344d Mon Sep 17 00:00:00 2001 
From: Marius Bakke Date: Mon, 16 Mar 2020 03:55:16 +0100 Subject: gnu: python-flask-restful: Update to 0.3.8. * gnu/packages/patches/python-flask-restful-werkzeug-compat.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/python-web.scm (python-flask-restful): Update to 0.3.8. [source](patches): New field. [native-inputs]: Remove PYTHON-SPHINX. --- gnu/local.mk | 1 + .../python-flask-restful-werkzeug-compat.patch | 36 ++++++++++++++++++++++ gnu/packages/python-web.scm | 8 ++--- 3 files changed, 41 insertions(+), 4 deletions(-) create mode 100644 gnu/packages/patches/python-flask-restful-werkzeug-compat.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 3be54b2627..1dd7e0a6a8 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1327,6 +1327,7 @@ dist_patch_DATA = \ %D%/packages/patches/python2-larch-coverage-4.0a6-compatibility.patch \ %D%/packages/patches/python-configobj-setuptools.patch \ %D%/packages/patches/python-faker-fix-build-32bit.patch \ + %D%/packages/patches/python-flask-restful-werkzeug-compat.patch \ %D%/packages/patches/python-keras-integration-test.patch \ %D%/packages/patches/python-pep8-stdlib-tokenize-compat.patch \ %D%/packages/patches/python-pyfakefs-remove-bad-test.patch \ diff --git a/gnu/packages/patches/python-flask-restful-werkzeug-compat.patch b/gnu/packages/patches/python-flask-restful-werkzeug-compat.patch new file mode 100644 index 0000000000..0e928ef455 --- /dev/null +++ b/gnu/packages/patches/python-flask-restful-werkzeug-compat.patch 
@@ -0,0 +1,36 @@ +We need one patch on top of 0.3.8 for compatibility with Werkzeug 1.0. + +Taken from upstream: +https://github.com/flask-restful/flask-restful/commit/73376a488907af3042b52678ac4c23f8a8911e5b + +diff --git a/tests/test_api.py b/tests/test_api.py +index f7f8e661..6795d362 100644 +--- a/tests/test_api.py ++++ b/tests/test_api.py +@@ -445,7 +445,9 @@ def test_handle_non_api_error(self): + + resp = app.get("/foo") + self.assertEquals(resp.status_code, 404) +- self.assertEquals('text/html', resp.headers['Content-Type']) ++ # in newer versions of werkzeug this is `text/html; charset=utf8` ++ content_type, _, _ = resp.headers['Content-Type'].partition(';') ++ self.assertEquals('text/html', content_type) + + def test_non_api_error_404_catchall(self): + app = Flask(__name__) +diff --git a/tests/test_reqparse.py b/tests/test_reqparse.py +index 2f1fbedf..9776f17c 100644 +--- a/tests/test_reqparse.py ++++ b/tests/test_reqparse.py +@@ -2,9 +2,9 @@ + import unittest + from mock import Mock, patch + from flask import Flask +-from werkzeug import exceptions, MultiDict ++from werkzeug import exceptions + from werkzeug.wrappers import Request +-from werkzeug.datastructures import FileStorage ++from werkzeug.datastructures import FileStorage, MultiDict + from flask_restful.reqparse import Argument, RequestParser, Namespace + import six + import decimal diff --git a/gnu/packages/python-web.scm b/gnu/packages/python-web.scm index 6d4204bad0..ae01f83611 100644 --- a/gnu/packages/python-web.scm +++ b/gnu/packages/python-web.scm 
@@ -2173,14 +2173,15 @@ pretty printer and a tree visitor.") (define-public python-flask-restful (package (name "python-flask-restful") - (version "0.3.7") + (version "0.3.8") (source (origin (method url-fetch) (uri (pypi-uri "Flask-RESTful" version)) + (patches (search-patches "python-flask-restful-werkzeug-compat.patch")) (sha256 (base32 - "1a9cbwkr6krryyzq4sd3f415nkkc6dyfls5i3pgyibs94g0hw97q")))) + "05b9lzx5yc3wgml2bcq50lq35h66m8zpj6dc9advcb5z3acsbaay")))) (build-system python-build-system) (propagated-inputs `(("python-aniso8601" ,python-aniso8601) @@ -2191,8 +2192,7 @@ pretty printer and a tree visitor.") `(;; Optional dependency of Flask. Tests need it. ("python-blinker" ,python-blinker) ("python-mock" ,python-mock) ; For tests - ("python-nose" ,python-nose) ; For tests - ("python-sphinx" ,python-sphinx))) + ("python-nose" ,python-nose))) ;for tests (home-page "https://www.github.com/flask-restful/flask-restful/") (synopsis -- cgit 1.4.1 From e76cbdcd90e603d98f9d074aa2ee0788c65d97df Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Mon, 16 Mar 2020 04:39:17 +0100 Subject: gnu: beets: Fix build with newer Werkzeug. * gnu/packages/patches/beets-werkzeug-compat.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/music.scm (beets)[source](patches): New field. --- gnu/local.mk | 1 + gnu/packages/music.scm | 1 + gnu/packages/patches/beets-werkzeug-compat.patch | 18 ++++++++++++++++++ 3 files changed, 20 insertions(+) create mode 100644 gnu/packages/patches/beets-werkzeug-compat.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 1dd7e0a6a8..5cde920c8c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -756,6 +756,7 @@ dist_patch_DATA = \ %D%/packages/patches/bash-completion-directories.patch \ %D%/packages/patches/bastet-change-source-of-unordered_set.patch \ %D%/packages/patches/bazaar-CVE-2017-14176.patch \ + %D%/packages/patches/beets-werkzeug-compat.patch \ %D%/packages/patches/beignet-correct-file-names.patch \ %D%/packages/patches/benchmark-unbundle-googletest.patch \ %D%/packages/patches/biber-fix-encoding-write.patch \ diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm index f6585f60d4..fd9cd6c30f 100644 --- a/gnu/packages/music.scm +++ b/gnu/packages/music.scm @@ -2941,6 +2941,7 @@ Songs can be searched by artist, name or even by a part of the song text.") (source (origin (method url-fetch) (uri (pypi-uri "beets" version)) + (patches (search-patches "beets-werkzeug-compat.patch")) (sha256 (base32 "0m40rjimvfgy1dv04p8f8d5dvi2855v4ix99a9xr900cmcn476yj")))) diff --git a/gnu/packages/patches/beets-werkzeug-compat.patch b/gnu/packages/patches/beets-werkzeug-compat.patch new file mode 100644 index 0000000000..1a91c3a3f9 --- /dev/null +++ b/gnu/packages/patches/beets-werkzeug-compat.patch @@ -0,0 +1,18 @@ +Be compatible with python-werkzeug 1.0.0. + +Taken from upstream: +https://github.com/beetbox/beets/commit/d43d54e21cde97f57f19486925ab56b419254cc8 + +diff --git a/beetsplug/web/__init__.py b/beetsplug/web/__init__.py +index f53fb3a954..21ff5d94ed 100644 +--- a/beetsplug/web/__init__.py ++++ b/beetsplug/web/__init__.py +@@ -169,7 +169,7 @@ def to_python(self, value): + return ids + + def to_url(self, value): +- return ','.join(value) ++ return ','.join(str(v) for v in value) + + + class QueryConverter(PathConverter): -- cgit 1.4.1 From 5144e314925d6014b496bcc6090f46e97318b5fa Mon Sep 17 00:00:00 2001 
From: Tobias Geerinckx-Rice Date: Tue, 17 Mar 2020 00:19:01 +0100 Subject: gnu: eigen: Update to 3.3.7. * gnu/packages/algebra.scm (eigen): Update to 3.3.7. [source]: Add a patch to fix a test failure. * gnu/packages/patches/eigen-stabilise-sparseqr-test.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/algebra.scm | 7 +- .../patches/eigen-stabilise-sparseqr-test.patch | 74 ++++++++++++++++++++++ 3 files changed, 79 insertions(+), 3 deletions(-) create mode 100644 gnu/packages/patches/eigen-stabilise-sparseqr-test.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 5cde920c8c..caa73d44d4 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -826,6 +826,7 @@ dist_patch_DATA = \ %D%/packages/patches/dstat-fix-crash-when-specifying-delay.patch \ %D%/packages/patches/dstat-skip-devices-without-io.patch \ %D%/packages/patches/dvd+rw-tools-add-include.patch \ + %D%/packages/patches/eigen-stabilise-sparseqr-test.patch \ %D%/packages/patches/einstein-build.patch \ %D%/packages/patches/elfutils-tests-ptrace.patch \ %D%/packages/patches/elixir-path-length.patch \ diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm index 50cb3001cb..8682ecd8d0 100644 --- a/gnu/packages/algebra.scm +++ b/gnu/packages/algebra.scm @@ -5,7 +5,7 @@ ;;; Copyright © 2014, 2018 Mark H Weaver ;;; Copyright © 2016, 2018, 2019 Ricardo Wurmus ;;; Copyright © 2017 Efraim Flashner -;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice +;;; Copyright © 2017, 2018, 2019, 2020 Tobias Geerinckx-Rice ;;; Copyright © 2017 Marius Bakke ;;; Copyright © 2017, 2019 Eric Bavier ;;; Copyright © 2020 Björn Höfling 
@@ -910,15 +910,16 @@ Sine Transform} (DST) and @dfn{Discrete Hartley Transform} (DHT).") (define-public eigen (package (name "eigen") - (version "3.3.5") + (version "3.3.7") (source (origin (method url-fetch) (uri (string-append "https://bitbucket.org/eigen/eigen/get/" version ".tar.bz2")) (sha256 (base32 - "1qh3yrwn78ms5yhwbpl5wvblk4gbz02cacdygxylr7i9xbrvylkk")) + "1km3fyfzyqfdvmnl79drps3fjwnz3zbh0c7l34mfbqyvvs8cy4wz")) (file-name (string-append name "-" version ".tar.bz2")) + (patches (search-patches "eigen-stabilise-sparseqr-test.patch")) (modules '((guix build utils))) (snippet ;; There are 3 test failures in the "unsupported" directory, diff --git a/gnu/packages/patches/eigen-stabilise-sparseqr-test.patch b/gnu/packages/patches/eigen-stabilise-sparseqr-test.patch new file mode 100644 index 0000000000..b95b46077a --- /dev/null +++ b/gnu/packages/patches/eigen-stabilise-sparseqr-test.patch 
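Review bot: The eigen origin in the `@@ -910,15 +910,16 @@` hunk still fetches `(string-append "https://bitbucket.org/eigen/eigen/get/" version ".tar.bz2")`, while the patch this commit adds cites its upstream commit on gitlab.com/libeigen/eigen, so the tarball and the patch come from two different hosts. The updated `sha256` pins the content, so integrity is covered. However, forge-generated `get/` archives are presumably not guaranteed to stay byte-identical or available, and a later hash mismatch would be hard to tell apart from tampering. I would fetch from the repository the patch references, or at least add a comment above the `uri` such as `;; The patch below is taken from the GitLab repository; keep this URI in sync with it.` The `origin` form continues past the end of the hunk, so the snippet that follows it was not reviewed.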
@@ -0,0 +1,74 @@ +From: Tobias Geerinckx-Rice +Date: Mon, 16 Mar 2020 22:51:37 +0000 +Subject: gnu: eigen: Stabilise sparseqr test. + +Taken verbatim from this[0] upstream commit. + +[0]: https://gitlab.com/libeigen/eigen/-/commit/3b5deeb546d4017b24846f5b0dc3296a50a039fe + +From 3b5deeb546d4017b24846f5b0dc3296a50a039fe Mon Sep 17 00:00:00 2001 +From: Gael Guennebaud +Date: Tue, 19 Feb 2019 22:57:51 +0100 +Subject: [PATCH] bug #899: make sparseqr unit test more stable by 1) trying + with larger threshold and 2) relax rank computation for rank-deficient + problems. + +--- + test/sparseqr.cpp | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +diff --git a/test/sparseqr.cpp b/test/sparseqr.cpp +index 3ffe62314..3576cc626 100644 +--- a/test/sparseqr.cpp ++++ b/test/sparseqr.cpp +@@ -43,6 +43,7 @@ int generate_sparse_rectangular_problem(MatrixType& A, DenseMat& dA, int maxRows + + template void test_sparseqr_scalar() + { ++ typedef typename NumTraits::Real RealScalar; + typedef SparseMatrix MatrixType; + typedef Matrix DenseMat; + typedef Matrix DenseVector; +@@ -91,14 +92,34 @@ template void test_sparseqr_scalar() + exit(0); + return; + } +- +- VERIFY_IS_APPROX(A * x, b); +- +- //Compare with a dense QR solver ++ ++ // Compare with a dense QR solver + ColPivHouseholderQR dqr(dA); + refX = dqr.solve(b); + +- VERIFY_IS_EQUAL(dqr.rank(), solver.rank()); ++ bool rank_deficient = A.cols()>A.rows() || dqr.rank() we might have to increase the threshold ++ // to get a correct solution. ++ RealScalar th = RealScalar(20)*dA.colwise().norm().maxCoeff()*(A.rows()+A.cols()) * NumTraits::epsilon(); ++ for(Index k=0; (k<16) && !test_isApprox(A*x,b); ++k) ++ { ++ th *= RealScalar(10); ++ solver.setPivotThreshold(th); ++ solver.compute(A); ++ x = solver.solve(b); ++ } ++ } ++ ++ VERIFY_IS_APPROX(A * x, b); ++ ++ // For rank deficient problem, the estimated rank might ++ // be slightly off, so let's only raise a warning in such cases. 
++ if(rank_deficient) ++g_test_level; ++ VERIFY_IS_EQUAL(solver.rank(), dqr.rank()); ++ if(rank_deficient) --g_test_level; ++ + if(solver.rank()==A.cols()) // full rank + VERIFY_IS_APPROX(x, refX); + // else +-- +2.24.1 + -- cgit 1.4.1