From 6cf27c89a579fa7db3c6d4b2ad45fbfda1553f6c Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Wed, 5 Oct 2016 15:12:14 +0100 Subject: gnu: notmuch: Enable tests. * gnu/packages/patches/notmuch-emacs-25-compatibility-fix.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/mail.scm (notmuch)[source]: Use patch. [arguments]: Add verbose make flags. Add phase 'patch-notmuch-lib.el' to fix hard-coded /bin/sh. Add 'prepare-test-environment' phase to patch test shebangs and set environment. [native-inputs]: Change from 'emacs-minimal' to 'emacs-no-x'. Add dtach, gnupg, man, perl and which. --- .../notmuch-emacs-25-compatibility-fix.patch | 46 ++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 gnu/packages/patches/notmuch-emacs-25-compatibility-fix.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/notmuch-emacs-25-compatibility-fix.patch b/gnu/packages/patches/notmuch-emacs-25-compatibility-fix.patch new file mode 100644 index 0000000000..9ddfd4fe10 --- /dev/null +++ b/gnu/packages/patches/notmuch-emacs-25-compatibility-fix.patch @@ -0,0 +1,46 @@ +This fixes a test failure with emacs-25. Picked from +https://git.notmuchmail.org/git?p=notmuch;a=commit;h=f575a346df09c82691bb9e7c462836d982fe31f7 + +From f575a346df09c82691bb9e7c462836d982fe31f7 Mon Sep 17 00:00:00 2001 +From: David Bremner +Date: Sun, 9 Oct 2016 19:30:44 -0300 +Subject: [PATCH] emacs/show: force notmuch-show-buttonise-links to act on + lines + +This seems to fix a problem with emacs 25 creating partial buttons by +calling n-s-b-l with a region that does not include the whole button. +I'm not 100% sure it's legit to act outside the region passed by +jit-lock, but goto-address-fontify-region (where I borrowed the code +from) already does this, so this patch to not make things worse. +--- + emacs/notmuch-show.el | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/emacs/notmuch-show.el b/emacs/notmuch-show.el +index 641398d..e7d16f8 100644 +--- a/emacs/notmuch-show.el ++++ b/emacs/notmuch-show.el +@@ -1174,13 +1174,15 @@ This also turns id:\"\"-parts and mid: links into + buttons for a corresponding notmuch search." + (goto-address-fontify-region start end) + (save-excursion +- (let (links) +- (goto-char start) +- (while (re-search-forward notmuch-id-regexp end t) ++ (let (links ++ (beg-line (progn (goto-char start) (line-beginning-position))) ++ (end-line (progn (goto-char end) (line-end-position)))) ++ (goto-char beg-line) ++ (while (re-search-forward notmuch-id-regexp end-line t) + (push (list (match-beginning 0) (match-end 0) + (match-string-no-properties 0)) links)) +- (goto-char start) +- (while (re-search-forward notmuch-mid-regexp end t) ++ (goto-char beg-line) ++ (while (re-search-forward notmuch-mid-regexp end-line t) + (let* ((mid-cid (match-string-no-properties 1)) + (mid (save-match-data + (string-match "^[^/]*" mid-cid) +-- +2.10.1 + -- cgit 1.4.1 From 5e270e8e8f5f158dedadb646457a64c7125d54f0 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Tue, 18 Oct 2016 22:46:51 +0200 Subject: gnu: lftp: Update to 4.7.3. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/ftp.scm (lftp): Update to 4.7.3. [source]: Use HTTPS. Remove patch. [arguments]: Add ‘disable-impure-tests’ phase. Add #:configure-flags with explicit location of readline headers. [home-page]: Use HTTPS. * gnu/packages/patches/lftp-dont-save-unknown-host-fingerprint.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/ftp.scm | 25 +++++-- .../lftp-dont-save-unknown-host-fingerprint.patch | 81 ---------------------- 3 files changed, 18 insertions(+), 89 deletions(-) delete mode 100644 gnu/packages/patches/lftp-dont-save-unknown-host-fingerprint.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index 73444aa6d4..18ba0c2596 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -619,7 +619,6 @@ dist_patch_DATA = \ %D%/packages/patches/kobodeluxe-graphics-window-signed-char.patch \ %D%/packages/patches/laby-make-install.patch \ %D%/packages/patches/ldc-disable-tests.patch \ - %D%/packages/patches/lftp-dont-save-unknown-host-fingerprint.patch \ %D%/packages/patches/liba52-enable-pic.patch \ %D%/packages/patches/liba52-link-with-libm.patch \ %D%/packages/patches/liba52-set-soname.patch \ diff --git a/gnu/packages/ftp.scm b/gnu/packages/ftp.scm index 4c2d893c17..8ef620ce76 100644 --- a/gnu/packages/ftp.scm +++ b/gnu/packages/ftp.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2014, 2015 Ludovic Courtès ;;; Copyright © 2015 Andreas Enge ;;; Copyright © 2015 Mark H Weaver +;;; Copyright © 2016 Tobias Geerinckx-Rice ;;; ;;; This file is part of GNU Guix. ;;; @@ -33,18 +34,16 @@ (define-public lftp (package (name "lftp") - (version "4.6.1") + (version "4.7.3") (source (origin (method url-fetch) - (uri (list (string-append "http://lftp.yar.ru/ftp/lftp-" + (uri (list (string-append "https://lftp.yar.ru/ftp/lftp-" version ".tar.xz") - (string-append "http://lftp.yar.ru/ftp/old/lftp-" + (string-append "https://lftp.yar.ru/ftp/old/lftp-" version ".tar.xz"))) (sha256 (base32 - "1grmp8zg7cjgjinz66mrh53whigkqzl90nlxj05hapnhk3ns3vni")) - (patches (search-patches - "lftp-dont-save-unknown-host-fingerprint.patch")))) + "0z4flhqvq9w9md1348jdw0lnk0dlljyicz8597inl6jcvjf2a8iv")))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config))) @@ -52,7 +51,19 @@ `(("zlib" ,zlib) ("readline" ,readline) ("gnutls" ,gnutls))) - (home-page "http://lftp.yar.ru/") + (arguments + `(#:phases + (modify-phases %standard-phases + ;; Disable tests that require network access, which is most of them. + (add-before 'check 'disable-impure-tests + (lambda _ + (substitute* "tests/Makefile" + (("(ftp-cls-l|ftp-list|http-get)\\$\\(EXEEXT\\)") "") + (("lftp-https-get ") ""))))) + #:configure-flags + (list (string-append "--with-readline=" + (assoc-ref %build-inputs "readline"))))) + (home-page "https://lftp.yar.ru/") (synopsis "Command-line file transfer program") (description "LFTP is a sophisticated FTP/HTTP client, and a file transfer program diff --git a/gnu/packages/patches/lftp-dont-save-unknown-host-fingerprint.patch b/gnu/packages/patches/lftp-dont-save-unknown-host-fingerprint.patch deleted file mode 100644 index e170d11308..0000000000 --- a/gnu/packages/patches/lftp-dont-save-unknown-host-fingerprint.patch +++ /dev/null @@ -1,81 +0,0 @@ -Fixes "saves unknown host's fingerprint in known_hosts without any prompt". -See: - - https://github.com/lavv17/lftp/issues/116 - https://bugs.debian.org/774769 - -From bc7b476e782d77839765f56bbdb4cee9f36b54ec Mon Sep 17 00:00:00 2001 -From: "Alexander V. Lukyanov" -Date: Tue, 13 Jan 2015 15:33:54 +0300 -Subject: [PATCH] add settings fish:auto-confirm and sftp:auto-confirm - -New host keys are now not confirmed by default, this should improve security. -Suggested by Marcin Szewczyk ---- - doc/lftp.1 | 8 ++++++++ - src/SSH_Access.cc | 5 +++-- - src/resource.cc | 2 ++ - 3 files changed, 13 insertions(+), 2 deletions(-) - -diff --git a/doc/lftp.1 b/doc/lftp.1 -index cabc1be..ed6c388 100644 ---- a/doc/lftp.1 -+++ b/doc/lftp.1 -@@ -1384,6 +1384,10 @@ address family in dns:order. - .BR file:charset \ (string) - local character set. It is set from current locale initially. - .TP -+.BR fish:auto-confirm \ (boolean) -+when true, lftp answers ``yes'' to all ssh questions, in particular to the -+question about a new host key. Otherwise it answers ``no''. -+.TP - .BR fish:charset \ (string) - the character set used by fish server in requests, replies and file listings. - Default is empty which means the same as local. -@@ -1952,6 +1956,10 @@ minimal chunk size to split the file to. - save pget transfer status this often. Set to `never' to disable saving of the status file. - The status is saved to a file with suffix \fI.lftp-pget-status\fP. - .TP -+.BR sftp:auto-confirm \ (boolean) -+when true, lftp answers ``yes'' to all ssh questions, in particular to the -+question about a new host key. Otherwise it answers ``no''. -+.TP - .BR sftp:charset \ (string) - the character set used by SFTP server in file names and file listings. - Default is empty which means the same as local. This setting is only used -diff --git a/src/SSH_Access.cc b/src/SSH_Access.cc -index 706fc6a..17c716d 100644 ---- a/src/SSH_Access.cc -+++ b/src/SSH_Access.cc -@@ -72,8 +72,9 @@ int SSH_Access::HandleSSHMessage() - } - if(s>=y_len && !strncasecmp(b+s-y_len,y,y_len)) - { -- pty_recv_buf->Put("yes\n"); -- pty_send_buf->Put("yes\n"); -+ const char *answer=QueryBool("auto-confirm",hostname)?"yes\n":"no\n"; -+ pty_recv_buf->Put(answer); -+ pty_send_buf->Put(answer); - return m; - } - if(!received_greeting && recv_buf->Size()>0) -diff --git a/src/resource.cc b/src/resource.cc -index 91b2e60..3a5e8b9 100644 ---- a/src/resource.cc -+++ b/src/resource.cc -@@ -339,6 +339,7 @@ static ResType lftp_vars[] = { - {"mirror:no-empty-dirs", "no", ResMgr::BoolValidate,ResMgr::NoClosure}, - {"mirror:require-source", "no", ResMgr::BoolValidate,ResMgr::NoClosure}, - -+ {"sftp:auto-confirm", "no", ResMgr::BoolValidate,0}, - {"sftp:max-packets-in-flight","16", ResMgr::UNumberValidate,0}, - {"sftp:protocol-version", "6", ResMgr::UNumberValidate,0}, - {"sftp:size-read", "32k", ResMgr::UNumberValidate,0}, -@@ -367,6 +368,7 @@ static ResType lftp_vars[] = { - {"dns:strict-dnssec", "no", ResMgr::BoolValidate,0}, - #endif - -+ {"fish:auto-confirm", "no", ResMgr::BoolValidate,0}, - {"fish:shell", "/bin/sh",0,0}, - {"fish:connect-program", "ssh -a -x",0,0}, - {"fish:charset", "", ResMgr::CharsetValidate,0}, -- cgit 1.4.1 From c645cef7da813ca305a9adeab08f34e925e560cc Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Tue, 18 Oct 2016 23:37:25 -0400 Subject: gnu: openssh: Fix CVE-2016-8858. * gnu/packages/patches/openssh-memory-exhaustion.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/ssh.scm (openssh)[source]: Use it. --- gnu/local.mk | 1 + .../patches/openssh-memory-exhaustion.patch | 39 ++++++++++++++++++++++ gnu/packages/ssh.scm | 1 + 3 files changed, 41 insertions(+) create mode 100644 gnu/packages/patches/openssh-memory-exhaustion.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index 18ba0c2596..76fd64d666 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -734,6 +734,7 @@ dist_patch_DATA = \ %D%/packages/patches/openjpeg-CVE-2016-5157.patch \ %D%/packages/patches/openjpeg-CVE-2016-7163.patch \ %D%/packages/patches/openjpeg-use-after-free-fix.patch \ + %D%/packages/patches/openssh-memory-exhaustion.patch \ %D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \ %D%/packages/patches/openssl-c-rehash-in.patch \ diff --git a/gnu/packages/patches/openssh-memory-exhaustion.patch b/gnu/packages/patches/openssh-memory-exhaustion.patch new file mode 100644 index 0000000000..91fe294ca4 --- /dev/null +++ b/gnu/packages/patches/openssh-memory-exhaustion.patch @@ -0,0 +1,39 @@ +Fix a memory exhaustion bug in the key exchange, whereby an unauthenticated user +could potentially consume 38400 MB of memory on the server: + +http://seclists.org/oss-sec/2016/q4/185 + +Patch adapted from upstream source repository: + +https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe3064a8c200de6531e89ad + +From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001 +From: "markus@openbsd.org" +Date: Mon, 10 Oct 2016 19:28:48 +0000 +Subject: [PATCH] upstream commit + +Unregister the KEXINIT handler after message has been +received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause +allocation of up to 128MB -- until the connection is closed. Reported by +shilei-c at 360.cn + +Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05 +--- + kex.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kex.c b/kex.c +index 3f97f8c..6a94bc5 100644 +--- a/kex.c ++++ b/kex.c +@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) + if (kex == NULL) + return SSH_ERR_INVALID_ARGUMENT; + ++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); + ptr = sshpkt_ptr(ssh, &dlen); + if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) + return r; +-- +2.10.1 + diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 9fd1506dbd..af5aae1029 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -121,6 +121,7 @@ a server that supports the SSH-2 protocol.") tail) (string-append "http://ftp2.fr.openbsd.org/pub/OpenBSD/OpenSSH/portable/" tail)))) + (patches (search-patches "openssh-memory-exhaustion.patch")) (sha256 (base32 "1k5y1wi29d47cgizbryxrhc1fbjsba2x8l5mqfa9b9nadnd9iyrz")))) (build-system gnu-build-system) -- cgit 1.4.1 From 0b71c15c8086544236d3348caedeff3a84ab2948 Mon Sep 17 00:00:00 2001 From: Eric Bavier Date: Mon, 17 Oct 2016 17:17:50 -0500 Subject: gnu: slim: Do not reset session after failed login. * gnu/packages/patches/slim-reset.patch: New patch. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/display-managers.scm (slim)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/display-managers.scm | 1 + gnu/packages/patches/slim-reset.patch | 33 +++++++++++++++++++++++++++++++++ 3 files changed, 35 insertions(+) create mode 100644 gnu/packages/patches/slim-reset.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index 76fd64d666..e5cc9f5aa0 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -829,6 +829,7 @@ dist_patch_DATA = \ %D%/packages/patches/slim-session.patch \ %D%/packages/patches/slim-config.patch \ %D%/packages/patches/slim-sigusr1.patch \ + %D%/packages/patches/slim-reset.patch \ %D%/packages/patches/slock-CVE-2016-6866.patch \ %D%/packages/patches/slurm-configure-remove-nonfree-contribs.patch \ %D%/packages/patches/soprano-find-clucene.patch \ diff --git a/gnu/packages/display-managers.scm b/gnu/packages/display-managers.scm index 1371bb5f39..5479bb529a 100644 --- a/gnu/packages/display-managers.scm +++ b/gnu/packages/display-managers.scm @@ -199,6 +199,7 @@ create smooth, animated user interfaces.") (sha256 (base32 "1pqhk22jb4aja4hkrm7rjgbgzjyh7i4zswdgf5nw862l2znzxpi1")) (patches (search-patches "slim-config.patch" + "slim-reset.patch" "slim-session.patch" "slim-sigusr1.patch")))) (build-system cmake-build-system) diff --git a/gnu/packages/patches/slim-reset.patch b/gnu/packages/patches/slim-reset.patch new file mode 100644 index 0000000000..eebee6b7b5 --- /dev/null +++ b/gnu/packages/patches/slim-reset.patch @@ -0,0 +1,33 @@ +Do not reset chosen session and maintain the session-choser dialog after a +failed login attempt. + +Patch by E. Bavier + +--- slim-1.3.6/panel.cpp.orig 1969-12-31 18:00:00.000000000 -0600 ++++ slim-1.3.6/panel.cpp 2016-10-17 17:00:07.259649063 -0500 +@@ -260,13 +260,12 @@ + } + + void Panel::ClearPanel() { +- session_name = ""; +- session_exec = ""; + Reset(); + XClearWindow(Dpy, Root); + XClearWindow(Dpy, Win); + Cursor(SHOW); + ShowText(); ++ ShowSession(); + XFlush(Dpy); + } + +@@ -760,9 +760,7 @@ + pair ses = cfg->nextSession(); + session_name = ses.first; + session_exec = ses.second; +- if (session_name.size() > 0) { +- ShowSession(); +- } ++ ShowSession(); + } + + /* Display session type on the screen */ -- cgit 1.4.1 From 17d50dfdbb0b0b2a28d0b9f498c33ba7d920a92b Mon Sep 17 00:00:00 2001 From: Eric Bavier Date: Mon, 17 Oct 2016 17:20:24 -0500 Subject: gnu: slim: Display login message. * gnu/packages/patches/slim-login.patch: New patch. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/display-managers.scm (slim)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/display-managers.scm | 1 + gnu/packages/patches/slim-login.patch | 35 +++++++++++++++++++++++++++++++++++ 3 files changed, 37 insertions(+) create mode 100644 gnu/packages/patches/slim-login.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index e5cc9f5aa0..c6cd5869d2 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -830,6 +830,7 @@ dist_patch_DATA = \ %D%/packages/patches/slim-config.patch \ %D%/packages/patches/slim-sigusr1.patch \ %D%/packages/patches/slim-reset.patch \ + %D%/packages/patches/slim-login.patch \ %D%/packages/patches/slock-CVE-2016-6866.patch \ %D%/packages/patches/slurm-configure-remove-nonfree-contribs.patch \ %D%/packages/patches/soprano-find-clucene.patch \ diff --git a/gnu/packages/display-managers.scm b/gnu/packages/display-managers.scm index 5479bb529a..0eca94550b 100644 --- a/gnu/packages/display-managers.scm +++ b/gnu/packages/display-managers.scm @@ -200,6 +200,7 @@ create smooth, animated user interfaces.") (base32 "1pqhk22jb4aja4hkrm7rjgbgzjyh7i4zswdgf5nw862l2znzxpi1")) (patches (search-patches "slim-config.patch" "slim-reset.patch" + "slim-login.patch" "slim-session.patch" "slim-sigusr1.patch")))) (build-system cmake-build-system) diff --git a/gnu/packages/patches/slim-login.patch b/gnu/packages/patches/slim-login.patch new file mode 100644 index 0000000000..6fa25de849 --- /dev/null +++ b/gnu/packages/patches/slim-login.patch @@ -0,0 +1,35 @@ +Display configurable login message after successful authentication. + +Patch by E. Bavier + +--- slim-1.3.6/panel.cpp.orig 1969-12-31 18:00:00.000000000 -0600 ++++ slim-1.3.6/panel.cpp 2016-10-17 17:00:07.259649063 -0500 +@@ -260,19 +260,19 @@ + + void Panel::ClosePanel() { + XUngrabKeyboard(Dpy, CurrentTime); ++ XClearWindow(Dpy, Root); + XUnmapWindow(Dpy, Win); + XDestroyWindow(Dpy, Win); + XFlush(Dpy); +--- slim-1.3.6/cfg.cpp.orig 2016-10-17 17:08:06.767666139 -0500 ++++ slim-1.3.6/cfg.cpp 2016-10-17 17:06:53.115663516 -0500 +@@ -52,6 +52,7 @@ + options.insert(option("lockfile","/var/run/slim.lock")); + options.insert(option("logfile","/var/log/slim.log")); + options.insert(option("authfile","/var/run/slim.auth")); ++ options.insert(option("login_msg","Logging in...")); + options.insert(option("shutdown_msg","The system is halting...")); + options.insert(option("reboot_msg","The system is rebooting...")); + options.insert(option("sessiondir","")); +--- slim-1.3.6/app.cpp.orig 2016-10-17 17:08:41.731667384 -0500 ++++ slim-1.3.6/app.cpp 2016-10-17 17:07:48.415665486 -0500 +@@ -520,6 +520,8 @@ + struct passwd *pw; + pid_t pid; + ++ LoginPanel->Message((char*)cfg->getOption("login_msg").c_str()); ++ + #ifdef USE_PAM + try{ + pam.open_session(); -- cgit 1.4.1 From 7d2ee59b4aa8e66bb86b980f40346d9e02764e3c Mon Sep 17 00:00:00 2001 From: Christopher Allan Webber Date: Fri, 21 Oct 2016 12:51:18 -0500 Subject: gnu: slim: Fix line numbers in slim-login.patch. This was causing build failures. * gnu/packages/patches/slim-login.patch: Fix line numbers. --- gnu/packages/patches/slim-login.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/slim-login.patch b/gnu/packages/patches/slim-login.patch index 6fa25de849..515573c6fa 100644 --- a/gnu/packages/patches/slim-login.patch +++ b/gnu/packages/patches/slim-login.patch @@ -4,7 +4,7 @@ Patch by E. Bavier --- slim-1.3.6/panel.cpp.orig 1969-12-31 18:00:00.000000000 -0600 +++ slim-1.3.6/panel.cpp 2016-10-17 17:00:07.259649063 -0500 -@@ -260,19 +260,19 @@ +@@ -260,6 +260,7 @@ void Panel::ClosePanel() { XUngrabKeyboard(Dpy, CurrentTime); -- cgit 1.4.1 From a861665b75cb0e727204370aaa43d373ecec3a5a Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Sat, 22 Oct 2016 00:24:51 -0400 Subject: gnu: linux-libre@4.1: Add fix for CVE-2016-5195. * gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/linux.scm (linux-libre-4.1): Add patch. --- gnu/local.mk | 1 + gnu/packages/linux.scm | 5 +- .../patches/linux-libre-4.1-CVE-2016-5195.patch | 99 ++++++++++++++++++++++ 3 files changed, 104 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index c6cd5869d2..cfd44803f3 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -680,6 +680,7 @@ dist_patch_DATA = \ %D%/packages/patches/libxv-CVE-2016-5407.patch \ %D%/packages/patches/libxvmc-CVE-2016-7953.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ + %D%/packages/patches/linux-libre-4.1-CVE-2016-5195.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/llvm-for-extempore.patch \ %D%/packages/patches/lm-sensors-hwmon-attrs.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 4c64bbe1db..f5f683dd69 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -339,7 +339,10 @@ It has been modified to remove all non-free binary blobs.") (make-linux-libre "4.1.34" "0dajsb363p9lgga22ml8gp9k9lxd8mvrzxk9y3h9c6hpzfcmqdqr" %intel-compatible-systems - #:configuration-file kernel-config)) + #:configuration-file kernel-config + #:patches (list %boot-logo-patch + (search-patch + "linux-libre-4.1-CVE-2016-5195.patch")))) ;; Avoid rebuilding kernel variants when there is a minor version bump. (define %linux-libre-version "4.8.3") diff --git a/gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch b/gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch new file mode 100644 index 0000000000..37a41f61e4 --- /dev/null +++ b/gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch @@ -0,0 +1,99 @@ +Fix CVE-2016-5195, a.k.a. Dirty COW. +Backported to linux-libre-4.1.x by Mark H Weaver . + +From 18652320ea99913c95e7130d654be7f1da6b694f Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Thu, 13 Oct 2016 13:07:36 -0700 +Subject: [PATCH] mm: remove gup_flags FOLL_WRITE games from __get_user_pages() + +commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream. + +This is an ancient bug that was actually attempted to be fixed once +(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix +get_user_pages() race for write access") but that was then undone due to +problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug"). + +In the meantime, the s390 situation has long been fixed, and we can now +fix it by checking the pte_dirty() bit properly (and do it better). The +s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement +software dirty bits") which made it into v3.9. Earlier kernels will +have to look at the page state itself. + +Also, the VM has become more scalable, and what used a purely +theoretical race back then has become easier to trigger. + +To fix it, we introduce a new internal FOLL_COW flag to mark the "yes, +we already did a COW" rather than play racy games with FOLL_WRITE that +is very fundamental, and then use the pte dirty flag to validate that +the FOLL_COW flag is still valid. + +Reported-and-tested-by: Phil "not Paul" Oester +Acked-by: Hugh Dickins +Reviewed-by: Michal Hocko +Cc: Andy Lutomirski +Cc: Kees Cook +Cc: Oleg Nesterov +Cc: Willy Tarreau +Cc: Nick Piggin +Cc: Greg Thelen +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/mm.h | 1 + + mm/gup.c | 14 ++++++++++++-- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 6b85ec6..7cadf0a 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -2064,6 +2064,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma, + #define FOLL_NUMA 0x200 /* force NUMA hinting page fault */ + #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */ + #define FOLL_TRIED 0x800 /* a retry, previous pass started an IO */ ++#define FOLL_COW 0x4000 /* internal GUP flag */ + + typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr, + void *data); +diff --git a/mm/gup.c b/mm/gup.c +index 6297f6b..e6de9e7 100644 +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -32,6 +32,16 @@ static struct page *no_page_table(struct vm_area_struct *vma, + return NULL; + } + ++/* ++ * FOLL_FORCE can write to even unwritable pte's, but only ++ * after we've gone through a COW cycle and they are dirty. ++ */ ++static inline bool can_follow_write_pte(pte_t pte, unsigned int flags) ++{ ++ return pte_write(pte) || ++ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte)); ++} ++ + static struct page *follow_page_pte(struct vm_area_struct *vma, + unsigned long address, pmd_t *pmd, unsigned int flags) + { +@@ -66,7 +76,7 @@ retry: + } + if ((flags & FOLL_NUMA) && pte_protnone(pte)) + goto no_page; +- if ((flags & FOLL_WRITE) && !pte_write(pte)) { ++ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) { + pte_unmap_unlock(ptep, ptl); + return NULL; + } +@@ -315,7 +325,7 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma, + * reCOWed by userspace write). + */ + if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE)) +- *flags &= ~FOLL_WRITE; ++ *flags |= FOLL_COW; + return 0; + } + +-- +2.10.1 + -- cgit 1.4.1 From eccd1d24c9d5988557f03b058a7bc7e482a119f7 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Sun, 23 Oct 2016 10:17:10 +0300 Subject: gnu: hop: Update to 2.5.1. * gnu/packages/scheme.scm (hop): Update to 2.5.1. [source]: Remove patch. * gnu/packages/patches/hop-bigloo-4.0b.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/patches/hop-bigloo-4.0b.patch | 122 ----------------------------- gnu/packages/scheme.scm | 7 +- 3 files changed, 3 insertions(+), 127 deletions(-) delete mode 100644 gnu/packages/patches/hop-bigloo-4.0b.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index cfd44803f3..eb8322ed97 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -594,7 +594,6 @@ dist_patch_DATA = \ %D%/packages/patches/hdf-eos5-fix-szip.patch \ %D%/packages/patches/hdf-eos5-fortrantests.patch \ %D%/packages/patches/higan-remove-march-native-flag.patch \ - %D%/packages/patches/hop-bigloo-4.0b.patch \ %D%/packages/patches/hop-linker-flags.patch \ %D%/packages/patches/hydra-disable-darcs-test.patch \ %D%/packages/patches/hypre-doc-tables.patch \ diff --git a/gnu/packages/patches/hop-bigloo-4.0b.patch b/gnu/packages/patches/hop-bigloo-4.0b.patch deleted file mode 100644 index 312bfdd117..0000000000 --- a/gnu/packages/patches/hop-bigloo-4.0b.patch +++ /dev/null @@ -1,122 +0,0 @@ -Bigloo 4.0b removes `xml-attribute-encode', which leads to a build failure -in Hop. - -This patch allows Hop to be compiled with Bigloo 4.0b. - - -changeset: 3327:3515f7f1aef2 -branch: 2.4.x -user: Manuel Serrano -date: Wed Jul 31 12:41:10 2013 +0200 -summary: Fix serialization bug - -diff -r 7244c4d30ad4 -r 3515f7f1aef2 runtime/js_comp.scm ---- a/runtime/js_comp.scm Fri Jul 19 08:28:13 2013 +0200 -+++ b/runtime/js_comp.scm Wed Jul 31 12:41:10 2013 +0200 -@@ -143,10 +143,17 @@ - (display "{ " op) - (display-seq fields op - (lambda (f op) -+ (let ((iv (class-field-info f))) - (display "'" op) - (display (class-field-name f) op) - (display "': " op) -- (compile ((class-field-accessor f) obj) op))) -+ (cond -+ ((and (pair? iv) (memq :client iv)) -+ => -+ (lambda (x) -+ (compile (when (pair? (cdr x)) (cadr x)) op))) -+ (else -+ (compile ((class-field-accessor f) obj) op)))))) - (display "}" op)) - - (let ((klass (object-class obj))) -diff -r 7244c4d30ad4 -r 3515f7f1aef2 runtime/xml.scm ---- a/runtime/xml.scm Fri Jul 19 08:28:13 2013 +0200 -+++ b/runtime/xml.scm Wed Jul 31 12:41:10 2013 +0200 -@@ -55,6 +55,7 @@ - (generic xml-write-attribute ::obj ::obj ::output-port ::xml-backend) - (generic xml-write-expression ::obj ::output-port) - (xml-write-attributes ::pair-nil ::output-port ::xml-backend) -+ (xml-attribute-encode obj) - - (xml->string ::obj ::xml-backend) - -@@ -613,6 +614,52 @@ - (display ">" p)))) - - ;*---------------------------------------------------------------------*/ -+;* xml-attribute-encode ... */ -+;*---------------------------------------------------------------------*/ -+(define (xml-attribute-encode obj) -+ (if (not (string? obj)) -+ obj -+ (let ((ol (string-length obj))) -+ (define (count str ol) -+ (let loop ((i 0) -+ (j 0)) -+ (if (=fx i ol) -+ j -+ (let ((c (string-ref str i))) -+ ;; attribute values should escape &#... -+ (if (or (char=? c #\') (char=? c #\&)) -+ (loop (+fx i 1) (+fx j 5)) -+ (loop (+fx i 1) (+fx j 1))))))) -+ (define (encode str ol nl) -+ (if (=fx nl ol) -+ obj -+ (let ((nstr (make-string nl))) -+ (let loop ((i 0) -+ (j 0)) -+ (if (=fx j nl) -+ nstr -+ (let ((c (string-ref str i))) -+ (case c -+ ((#\') -+ (string-set! nstr j #\&) -+ (string-set! nstr (+fx j 1) #\#) -+ (string-set! nstr (+fx j 2) #\3) -+ (string-set! nstr (+fx j 3) #\9) -+ (string-set! nstr (+fx j 4) #\;) -+ (loop (+fx i 1) (+fx j 5))) -+ ((#\&) -+ (string-set! nstr j #\&) -+ (string-set! nstr (+fx j 1) #\#) -+ (string-set! nstr (+fx j 2) #\3) -+ (string-set! nstr (+fx j 3) #\8) -+ (string-set! nstr (+fx j 4) #\;) -+ (loop (+fx i 1) (+fx j 5))) -+ (else -+ (string-set! nstr j c) -+ (loop (+fx i 1) (+fx j 1)))))))))) -+ (encode obj ol (count obj ol))))) -+ -+;*---------------------------------------------------------------------*/ - ;* xml-write-attributes ... */ - ;*---------------------------------------------------------------------*/ - (define (xml-write-attributes attr p backend) -diff -r 7244c4d30ad4 -r 3515f7f1aef2 share/hop-serialize.js ---- a/share/hop-serialize.js Fri Jul 19 08:28:13 2013 +0200 -+++ b/share/hop-serialize.js Wed Jul 31 12:41:10 2013 +0200 -@@ -942,7 +942,7 @@ - case 0x2e /* . */: return null; - case 0x3c /* < */: return read_cnst(); - case 0x22 /* " */: return read_string( s ); -- case 0x25 /* " */: return decodeURIComponent( read_string( s ) ); -+ case 0x25 /* % */: return decodeURIComponent( read_string( s ) ); - case 0x55 /* U */: return read_string( s ); - case 0x5b /* [ */: return read_vector( read_size( s ) ); - case 0x28 /* ( */: return read_list( read_size( s ) ); -diff -r 7244c4d30ad4 -r 3515f7f1aef2 src/main.scm ---- a/src/main.scm Fri Jul 19 08:28:13 2013 +0200 -+++ b/src/main.scm Wed Jul 31 12:41:10 2013 +0200 -@@ -59,8 +59,6 @@ - (for-each register-srfi! (cons 'hop-server (hop-srfis))) - ;; set the library load path - (bigloo-library-path-set! (hop-library-path)) -- ;; define the Hop macros -- (hop-install-expanders!) - ;; setup the hop readers - (bigloo-load-reader-set! hop-read) - (bigloo-load-module-set! diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm index 41a7bf5328..c8e747d02d 100644 --- a/gnu/packages/scheme.scm +++ b/gnu/packages/scheme.scm @@ -283,16 +283,15 @@ Scheme and C programs and between Scheme and Java programs.") (define-public hop (package (name "hop") - (version "2.4.0") + (version "2.5.1") (source (origin (method url-fetch) (uri (string-append "ftp://ftp-sop.inria.fr/indes/fp/Hop/hop-" version ".tar.gz")) (sha256 (base32 - "1v2r4ga58kk1sx0frn8qa8ccmjpic9csqzpk499wc95y9c4b1wy3")) - (patches (search-patches "hop-bigloo-4.0b.patch" - "hop-linker-flags.patch")))) + "1bvp7pc71bln5yvfj87s8750c6l53wjl6f8m12v62q9926adhwys")) + (patches (search-patches "hop-linker-flags.patch")))) (build-system gnu-build-system) (arguments `(#:phases -- cgit 1.4.1