From bbe04ae102211d6486691652a4892744ee7f9a85 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Wed, 14 Oct 2015 11:56:13 +0200 Subject: gnu: dbus: Update to 1.10.0. * gnu/packages/glib.scm (dbus)[source]: Update to 1.10.0. [arguments]: Add --sysconfdir=/etc. * gnu/packages/patches/dbus-localstatedir.patch: Update. --- gnu/packages/patches/dbus-localstatedir.patch | 39 ++++++++++++++++----------- 1 file changed, 24 insertions(+), 15 deletions(-) (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/dbus-localstatedir.patch b/gnu/packages/patches/dbus-localstatedir.patch index 61bed91b5c..921ec29be4 100644 --- a/gnu/packages/patches/dbus-localstatedir.patch +++ b/gnu/packages/patches/dbus-localstatedir.patch 
@@ -1,25 +1,34 @@ Do not try to create $localstatedir and $sysconfdir since we cannot do this when they are /var and /etc. ---- dbus-1.6.4/bus/Makefile.in 2013-09-11 16:15:13.000000000 +0200 -+++ dbus-1.6.4/bus/Makefile.in 2013-09-11 16:15:15.000000000 +0200 -@@ -1510,9 +1510,6 @@ clean-local: - /bin/rm *.bb *.bbg *.da *.gcov || true - +--- a/bus/Makefile.in ++++ b/bus/Makefile.in +@@ -565,7 +565,7 @@ top_build_prefix = @top_build_prefix@ + top_builddir = @top_builddir@ + top_srcdir = @top_srcdir@ + dbusdatadir = $(datadir)/dbus-1 +-legacydbusdatadir = $(sysconfdir)/dbus-1 ++legacydbusdatadir = $(prefix)/etc/dbus-1 + dbus_daemon_execdir = $(DBUS_DAEMONDIR) + DBUS_BUS_LIBS = \ + $(XML_LIBS) \ +@@ -1669,7 +1669,6 @@ clean-local: install-data-hook: -- $(mkinstalldirs) $(DESTDIR)$(localstatedir)/run/dbus -- $(mkinstalldirs) $(DESTDIR)$(configdir)/system.d -- $(mkinstalldirs) $(DESTDIR)$(configdir)/session.d - $(mkinstalldirs) $(DESTDIR)$(datadir)/dbus-1/services - $(mkinstalldirs) $(DESTDIR)$(datadir)/dbus-1/system-services + $(mkinstalldirs) $(DESTDIR)$(dbusdatadir)/session.d + $(mkinstalldirs) $(DESTDIR)$(dbusdatadir)/services +-@DBUS_UNIX_TRUE@ $(mkinstalldirs) $(DESTDIR)$(localstatedir)/run/dbus + @DBUS_UNIX_TRUE@ $(mkinstalldirs) $(DESTDIR)$(dbusdatadir)/system.d + @DBUS_UNIX_TRUE@ $(mkinstalldirs) $(DESTDIR)$(dbusdatadir)/system-services # Install dbus.socket as default implementation of a D-Bus stack. 
- ---- dbus-1.6.4/tools/Makefile.in 2013-09-11 16:10:31.000000000 +0200 -+++ dbus-1.6.4/tools/Makefile.in 2013-09-11 16:10:32.000000000 +0200 -@@ -757,11 +757,6 @@ uninstall-am: uninstall-binPROGRAMS +diff --git a/tools/Makefile.in b/tools/Makefile.in +index 915971d..6b6897d 100644 +--- a/tools/Makefile.in ++++ b/tools/Makefile.in +@@ -1055,12 +1055,6 @@ uninstall-am: uninstall-binPROGRAMS uninstall-dist_examplesSCRIPTS + .PRECIOUS: Makefile - # create the /var/lib/dbus directory for dbus-uuidgen +-# create the /var/lib/dbus directory for dbus-uuidgen -install-data-local: - $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/dbus - -- cgit 1.4.1 From 53b5856ac1b19a6e7c74f781b1f14bf37965a8a4 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Wed, 14 Oct 2015 14:39:23 +0200 Subject: gnu: glib: Update to 2.46.0. * gnu/packages/glib.scm (glib): Update to 2.46.0. * gnu/packages/patches/glib-tests-desktop.patch: Add hunk to disable 'gdbus-unix-addresses' test. --- gnu/packages/glib.scm | 4 ++-- gnu/packages/patches/glib-tests-desktop.patch | 18 ++++++++++++++---- 2 files changed, 16 insertions(+), 6 deletions(-) (limited to 'gnu/packages/patches') diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm index 9137db3949..c223b56096 100644 --- a/gnu/packages/glib.scm +++ b/gnu/packages/glib.scm @@ -124,7 +124,7 @@ shared NFS home directories.") (define glib (package (name "glib") - (version "2.44.1") + (version "2.46.0") (source (origin (method url-fetch) (uri (string-append "mirror://gnome/sources/" @@ -132,7 +132,7 @@ shared NFS home directories.") name "-" version ".tar.xz")) (sha256 (base32 - "01yabrfp64i11mrks3p1gcks99lw0zm7f5vhkc53sl4amyndw4c8")) + "1d5cpb2zp5js98jjnbfn1fb96kj1j3q3fz16gkqq0zdfd4sfikmi")) (patches (list (search-patch "glib-tests-homedir.patch") (search-patch "glib-tests-desktop.patch") (search-patch "glib-tests-prlimit.patch") 
diff --git a/gnu/packages/patches/glib-tests-desktop.patch b/gnu/packages/patches/glib-tests-desktop.patch index 61f48607f7..642234ebbc 100644 --- a/gnu/packages/patches/glib-tests-desktop.patch +++ b/gnu/packages/patches/glib-tests-desktop.patch @@ -56,11 +56,12 @@ database, the `update-desktop-database' program, which we don't provide. ----------------------------- The hunk below removes tests that depend on `gdbus-testserver.py', -because that script depends on python-gobject. +because that script depends on python-gobject. The second hunk +disables a test that expects /etc/machine-id in the build environment. ---- glib-2.39.1/gio/tests/Makefile.in 2014-01-20 00:18:16.000000000 +0100 -+++ glib-2.39.1/gio/tests/Makefile.in 2014-01-20 00:18:47.000000000 +0100 -@@ -171,20 +171,13 @@ check_PROGRAMS = $(am__EXEEXT_14) +--- glib-2.46.0/gio/tests/Makefile.in 2015-10-14 14:11:00.928809504 +0200 ++++ glib-2.46.0/gio/tests/Makefile.in 2015-10-14 14:12:13.157291092 +0200 +@@ -186,20 +186,13 @@ check_PROGRAMS = $(am__EXEEXT_16) @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ gdbus-auth \ @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ gdbus-bz627724 \ @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ gdbus-close-pending \ 
@@ -79,7 +80,16 @@ because that script depends on python-gobject. @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ gdbus-test-codegen-old \ -@HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ gdbus-threading \ @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ gmenumodel \ + @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ gnotification \ @HAVE_DBUS_DAEMON_TRUE@@OS_UNIX_TRUE@ $(NULL) +@@ -321,8 +314,7 @@ libresourceplugin_la_LINK = $(LIBTOOL) $ + am__EXEEXT_1 = + @OS_UNIX_TRUE@am__EXEEXT_2 = contenttype$(EXEEXT) file$(EXEEXT) \ + @OS_UNIX_TRUE@ gdbus-peer-object-manager$(EXEEXT) \ +-@OS_UNIX_TRUE@ gdbus-unix-addresses$(EXEEXT) \ + @OS_UNIX_TRUE@ live-g-file$(EXEEXT) socket-address$(EXEEXT) \ + @OS_UNIX_TRUE@ stream-rw_all$(EXEEXT) unix-fd$(EXEEXT) \ + @OS_UNIX_TRUE@ unix-streams$(EXEEXT) $(am__EXEEXT_1) \ The test below depends on the availability /etc/passwd to dbus-daemon. -- cgit 1.4.1 From 1c255eeec9a6e8f6701c8c197b52dd3006ce07a8 Mon Sep 17 00:00:00 2001 From: 宋文武 Date: Wed, 14 Oct 2015 21:42:07 +0800 Subject: gnu: Remove dbus-localstatedir.patch. This is a followup to 25087f. * gnu/packages/patches/dbus-localstatedir.patch: Remove file. --- gnu/packages/patches/dbus-localstatedir.patch | 39 --------------------------- 1 file changed, 39 deletions(-) delete mode 100644 gnu/packages/patches/dbus-localstatedir.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/dbus-localstatedir.patch b/gnu/packages/patches/dbus-localstatedir.patch deleted file mode 100644 index 921ec29be4..0000000000 --- a/gnu/packages/patches/dbus-localstatedir.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -Do not try to create $localstatedir and $sysconfdir since we cannot do this -when they are /var and /etc. - ---- a/bus/Makefile.in -+++ b/bus/Makefile.in -@@ -565,7 +565,7 @@ top_build_prefix = @top_build_prefix@ - top_builddir = @top_builddir@ - top_srcdir = @top_srcdir@ - dbusdatadir = $(datadir)/dbus-1 --legacydbusdatadir = $(sysconfdir)/dbus-1 -+legacydbusdatadir = $(prefix)/etc/dbus-1 - dbus_daemon_execdir = $(DBUS_DAEMONDIR) - DBUS_BUS_LIBS = \ - $(XML_LIBS) \ -@@ -1669,7 +1669,6 @@ clean-local: - install-data-hook: - $(mkinstalldirs) $(DESTDIR)$(dbusdatadir)/session.d - $(mkinstalldirs) $(DESTDIR)$(dbusdatadir)/services --@DBUS_UNIX_TRUE@ $(mkinstalldirs) $(DESTDIR)$(localstatedir)/run/dbus - @DBUS_UNIX_TRUE@ $(mkinstalldirs) $(DESTDIR)$(dbusdatadir)/system.d - @DBUS_UNIX_TRUE@ $(mkinstalldirs) $(DESTDIR)$(dbusdatadir)/system-services - # Install dbus.socket as default implementation of a D-Bus stack. -diff --git a/tools/Makefile.in b/tools/Makefile.in -index 915971d..6b6897d 100644 ---- a/tools/Makefile.in -+++ b/tools/Makefile.in -@@ -1055,12 +1055,6 @@ uninstall-am: uninstall-binPROGRAMS uninstall-dist_examplesSCRIPTS - .PRECIOUS: Makefile - - --# create the /var/lib/dbus directory for dbus-uuidgen --install-data-local: -- $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/dbus -- --installcheck-local: -- test -d $(DESTDIR)$(localstatedir)/lib/dbus - - # Tell versions [3.59,3.63) of GNU make to not export all variables. - # Otherwise a system limit (for SysV at least) may be exceeded. -- cgit 1.4.1 From e75230c1b7a34232ed3fb532d2696349fde507a3 Mon Sep 17 00:00:00 2001 
From: 宋文武 Date: Fri, 16 Oct 2015 21:13:02 +0800 Subject: gnu: eudev: Update to 3.1.5. * gnu/packages/linux.scm (eudev): Update to 3.1.5. * gnu/packages/patches/eudev-rules-directory.patch: Adapt to it. --- gnu/packages/linux.scm | 52 +++--------------------- gnu/packages/patches/eudev-rules-directory.patch | 18 ++++---- 2 files changed, 15 insertions(+), 55 deletions(-) (limited to 'gnu/packages/patches') diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 4ee42349f8..474e914c13 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -1568,7 +1568,7 @@ from the module-init-tools project.") ;; The post-systemd fork, maintained by Gentoo. (package (name "eudev") - (version "2.1.1") + (version "3.1.5") (source (origin (method url-fetch) (uri (string-append 
@@ -1576,55 +1576,15 @@ from the module-init-tools project.") version ".tar.gz")) (sha256 (base32 - "0shf5vqiz9fdxl95aa1a8vh0xjxwim3psc39wr2xr8lnahf11vva")) - (patches (list (search-patch "eudev-rules-directory.patch"))) - (modules '((guix build utils))) - (snippet - ;; 'configure' checks uses as an indication of - ;; whether Linux headers are available, but it doesn't actually - ;; use it, and our 'linux-libre-headers' package doesn't - ;; provide it. So just remove that. - '(substitute* "configure" - (("linux/btrfs\\.h") - ""))))) + "0akg9gcc3c2p56xbhlvbybqavcprly5q0bvk655zwl6d62j8an7p")) + (patches (list (search-patch "eudev-rules-directory.patch"))))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config) - ("gperf" ,gperf) - ("glib" ,glib "bin") ; glib-genmarshal, etc. - ("perl" ,perl) ; for the tests - ("python" ,python-2))) ; ditto + ("perl" ,perl) + ("gperf" ,gperf))) (inputs - `(("kmod" ,kmod) - ("pciutils" ,pciutils) - ("usbutils" ,usbutils) - ("util-linux" ,util-linux) - ("glib" ,glib) - ("gobject-introspection" ,gobject-introspection))) - (arguments - `(#:configure-flags (list "--enable-libkmod" - - (string-append - "--with-pci-ids-path=" - (assoc-ref %build-inputs "pciutils") - "/share/pci.ids.gz") - - "--with-firmware-path=/no/firmware" - - ;; Work around undefined reference to - ;; 'mq_getattr' in sc-daemon.c. - "LDFLAGS=-lrt") - #:phases - (alist-cons-before - 'build 'pre-build - ;; The program 'g-ir-scanner' (part of the package - ;; 'gobject-introspection'), to generate .gir files, makes some - ;; library pre-processing. During that phase it looks for the C - ;; compiler as either 'cc' or as defined by the environment variable - ;; 'CC' (with code in 'giscanner/dumper.py'). - (lambda* _ - (setenv "CC" "gcc")) - %standard-phases))) + `(("kmod" ,kmod))) (home-page "http://www.gentoo.org/proj/en/eudev/") (synopsis "Userspace device management") (description "Udev is a daemon which dynamically creates and removes 
diff --git a/gnu/packages/patches/eudev-rules-directory.patch b/gnu/packages/patches/eudev-rules-directory.patch index 9173e22f76..54fc01c6d5 100644 --- a/gnu/packages/patches/eudev-rules-directory.patch +++ b/gnu/packages/patches/eudev-rules-directory.patch @@ -4,9 +4,9 @@ The old udev 182 supported $UDEV_CONFIG_FILE, which in turn allowed the search path to be customized, but eudev no longer has this, hence this hack. ---- eudev-1.9/src/udev/udev-rules.c 2014-09-13 10:21:59.615980259 +0200 -+++ eudev-1.9/src/udev/udev-rules.c 2014-09-13 10:24:13.839976335 +0200 -@@ -46,15 +46,11 @@ +--- eudev-3.1.5/src/udev/udev-rules.c 2015-10-13 06:22:14.000000000 +0800 ++++ eudev-3.1.5/src/udev/udev-rules.c 2015-10-16 20:45:38.491934336 +0800 +@@ -47,15 +47,11 @@ }; }; @@ -14,23 +14,23 @@ this hack. +static const char* rules_dirs[] = { UDEV_CONF_DIR "/rules.d", UDEV_RULES_DIR, -- "/run/udev/rules.d", +- UDEV_ROOT_RUN "/udev/rules.d", UDEV_LIBEXEC_DIR "/rules.d", -#ifdef HAVE_SPLIT_USR - "/lib/udev/rules.d", - "/usr/lib/udev/rules.d", -#endif -+ NULL, /* placeholder for $EUDEV_RULES_DIRECTORY */ ++ NULL, /* placeholder for $EUDEV_RULES_DIRECTORY */ NULL}; struct udev_rules { -@@ -1637,6 +1633,9 @@ +@@ -1704,6 +1700,9 @@ udev_rules_check_timestamp(rules); -+ /* Allow the user to specify an additional rules directory. */ -+ rules_dirs[3] = getenv("EUDEV_RULES_DIRECTORY"); ++ /* Allow the user to specify an additional rules directory. */ ++ rules_dirs[3] = getenv("EUDEV_RULES_DIRECTORY"); + r = conf_files_list_strv(&files, ".rules", NULL, rules_dirs); if (r < 0) { - log_error("failed to enumerate rules files: %s", strerror(-r)); + log_error_errno(r, "failed to enumerate rules files: %m"); -- cgit 1.4.1 From 5f37e56ba41edb1bd47b7b1663aea07078f943d2 Mon Sep 17 00:00:00 2001 
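Review bot: The added `rules_dirs[3] = getenv("EUDEV_RULES_DIRECTORY");` hard-codes the slot index, so it is only correct while exactly three entries precede the `NULL` placeholder in `rules_dirs[]`; a later change to the array would make it overwrite a real entry or the terminator. The rules read from that directory are consumed by the device manager, which presumably runs as root, so the patch header should also state that the variable is trusted only because the daemon's environment is set by the init system. I would add a comment at the assignment, `/* index 3 is the NULL placeholder in rules_dirs[]; keep in sync with the array */`. The enclosing function starts and ends outside the hunk.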
From: 宋文武 Date: Sat, 17 Oct 2015 10:30:25 +0800 Subject: gnu: librsvg: Fix tests. GLib doesn't allow duplicate test case paths any more. * gnu/packages/patches/librsvg-tests.patch: New file. * gnu/packages/gnome.scm (librsvg)[source]: Add patch. * gnu-system.am (dist_patch_DATA): Add it. --- gnu-system.am | 1 + gnu/packages/gnome.scm | 4 +++- gnu/packages/patches/librsvg-tests.patch | 27 +++++++++++++++++++++++++++ 3 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/librsvg-tests.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index ee3c686bb3..36c94d602b 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -527,6 +527,7 @@ dist_patch_DATA = \ gnu/packages/patches/libmad-armv7-thumb-pt2.patch \ gnu/packages/patches/libmad-frame-length.patch \ gnu/packages/patches/libmad-mips-newgcc.patch \ + gnu/packages/patches/librsvg-tests.patch \ gnu/packages/patches/libtheora-config-guess.patch \ gnu/packages/patches/libtool-skip-tests2.patch \ gnu/packages/patches/libssh-CVE-2014-0017.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index fb7fa793ec..5811299d35 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -829,7 +829,9 @@ dealing with different structured file formats.") name "-" version ".tar.xz")) (sha256 (base32 - "00ifd9wjjjsw0ybk5j6qs4yyh66jj34hjmggy6dhrgfy8ksw06k1")))) + "00ifd9wjjjsw0ybk5j6qs4yyh66jj34hjmggy6dhrgfy8ksw06k1")) + (patches + (list (search-patch "librsvg-tests.patch"))))) (build-system gnu-build-system) (arguments `(#:phases diff --git a/gnu/packages/patches/librsvg-tests.patch b/gnu/packages/patches/librsvg-tests.patch new file mode 100644 index 0000000000..dc5b94e185 --- /dev/null +++ b/gnu/packages/patches/librsvg-tests.patch 
@@ -0,0 +1,27 @@ +From e06fc71a57156123e4e50a39957100a651ab632b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= +Date: Sat, 17 Oct 2015 10:20:33 +0800 +Subject: [PATCH] tests/styles: Don't duplicate test names. + +--- + tests/styles.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/styles.c b/tests/styles.c +index d09b1f2..a938835 100644 +--- a/tests/styles.c ++++ b/tests/styles.c +@@ -97,8 +97,8 @@ static const FixtureData fixtures[] = + {"/styles/selectors/2 or more selectors (stroke)", "592207", "styles/bug592207.svg", "#target", "stroke", .expected.color = 0xff0000ff}, + {"/styles/svg-element-style", "615701", "styles/svg-class.svg", "#svg", "fill", .expected.color = 0xff0000ff}, + {"/styles/presentation attribute in svg element", "620693", "styles/bug620693.svg", "#svg", "stroke", .expected.color = 0xffff0000}, +- {"/styles/!important", "379629", "styles/bug379629.svg", "#base_shadow", "stroke", .expected.color = 0xffffc0cb /* pink */}, +- {"/styles/!important", "379629", "styles/bug379629.svg", "#base_shadow", "stroke-width", .expected.length = {POINTS_LENGTH(5.), 'i'}}, ++ {"/styles/!important/1", "379629", "styles/bug379629.svg", "#base_shadow", "stroke", .expected.color = 0xffffc0cb /* pink */}, ++ {"/styles/!important/2", "379629", "styles/bug379629.svg", "#base_shadow", "stroke-width", .expected.length = {POINTS_LENGTH(5.), 'i'}}, + {"/styles/!important/class", "614606", "styles/bug614606.svg", "#path6306", "fill", .expected.color = 0xffff0000 /* red */ }, + {"/styles/!important/element", "614606", "styles/bug614606.svg", "#path6308", "fill", .expected.color = 0xff000000}, + {"/styles/!important/#id prior than class", NULL, "styles/important.svg", "#red", "fill", .expected.color = 0xffff0000 }, +-- +2.5.0 + -- cgit 1.4.1 From b2aab72c14a7992df1910cfed8cf36b789dff203 Mon Sep 17 00:00:00 2001 
From: Mark H Weaver Date: Sun, 18 Oct 2015 23:51:53 -0400 Subject: gnu: libdrm: Fix symbol check tests on mips64el and armhf. * gnu/packages/patches/libdrm-symbol-check.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/xdisorg.scm (libdrm)[source]: Add patch. --- gnu-system.am | 1 + gnu/packages/patches/libdrm-symbol-check.patch | 195 +++++++++++++++++++++++++ gnu/packages/xdisorg.scm | 3 +- 3 files changed, 198 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libdrm-symbol-check.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index 6eb41304a7..859b123c2c 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -519,6 +519,7 @@ dist_patch_DATA = \ gnu/packages/patches/libarchive-mtree-filename-length-fix.patch \ gnu/packages/patches/libbonobo-activation-test-race.patch \ gnu/packages/patches/libcanberra-sound-theme-freedesktop.patch \ + gnu/packages/patches/libdrm-symbol-check.patch \ gnu/packages/patches/libevent-dns-tests.patch \ gnu/packages/patches/libmtp-devices.patch \ gnu/packages/patches/liboop-mips64-deplibs-fix.patch \ diff --git a/gnu/packages/patches/libdrm-symbol-check.patch b/gnu/packages/patches/libdrm-symbol-check.patch new file mode 100644 index 0000000000..676024beb4 --- /dev/null +++ b/gnu/packages/patches/libdrm-symbol-check.patch 
@@ -0,0 +1,195 @@ +Augment the list of expected symbols to fix the symbol-check tests on +mips64el-linux and armhf-linux. + +--- libdrm-2.4.65/freedreno/freedreno-symbol-check.orig 2015-09-04 11:07:40.000000000 -0400 ++++ libdrm-2.4.65/freedreno/freedreno-symbol-check 2015-10-18 23:57:15.288416229 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. + # A list of the latter should be available Makefile.sources/LIBDRM_FREEDRENO_H_FILES + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_freedreno.so} | awk '{print $3}'| while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + fd_bo_cpu_fini + fd_bo_cpu_prep + fd_bo_del +--- libdrm-2.4.65/nouveau/nouveau-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 ++++ libdrm-2.4.65/nouveau/nouveau-symbol-check 2015-10-18 23:55:26.078327118 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. + # A list of the latter should be available Makefile.sources/LIBDRM_NOUVEAU_H_FILES + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_nouveau.so} | awk '{print $3}'| while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + nouveau_bo_map + nouveau_bo_name_get + nouveau_bo_name_ref +--- libdrm-2.4.65/libkms/kms-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 ++++ libdrm-2.4.65/libkms/kms-symbol-check 2015-10-18 23:46:10.683869471 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. 
+ # A list of the latter should be available Makefile.sources/LIBKMS_H_FILES + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libkms.so} | awk '{print $3}'| while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + kms_bo_create + kms_bo_destroy + kms_bo_get_prop +--- libdrm-2.4.65/intel/intel-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 ++++ libdrm-2.4.65/intel/intel-symbol-check 2015-10-18 23:55:53.309558508 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. + # A list of the latter should be available Makefile.sources/LIBDRM_INTEL_H_FILES + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_intel.so} | awk '{print $3}' | while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + drm_intel_bo_alloc + drm_intel_bo_alloc_for_render + drm_intel_bo_alloc_tiled +--- libdrm-2.4.65/amdgpu/amdgpu-symbol-check.orig 2015-08-17 10:08:11.000000000 -0400 ++++ libdrm-2.4.65/amdgpu/amdgpu-symbol-check 2015-10-18 23:56:10.606917723 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. 
+ # A list of the latter should be available Makefile.am/libdrm_amdgpuinclude_HEADERS + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_amdgpu.so} | awk '{print $3}' | while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + amdgpu_bo_alloc + amdgpu_bo_cpu_map + amdgpu_bo_cpu_unmap +--- libdrm-2.4.65/exynos/exynos-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 ++++ libdrm-2.4.65/exynos/exynos-symbol-check 2015-10-18 23:56:32.025486153 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. + # A list of the latter should be available Makefile.am/libdrm_exynos*_HEADERS + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_exynos.so} | awk '{print $3}'| while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + exynos_bo_create + exynos_bo_destroy + exynos_bo_from_name +--- libdrm-2.4.65/omap/omap-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 ++++ libdrm-2.4.65/omap/omap-symbol-check 2015-10-18 23:56:44.834438626 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. 
+ # A list of the latter should be available Makefile.am/libdrm_omap*HEADERS + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_omap.so} | awk '{print $3}'| while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + omap_bo_cpu_fini + omap_bo_cpu_prep + omap_bo_del +--- libdrm-2.4.65/tegra/tegra-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 ++++ libdrm-2.4.65/tegra/tegra-symbol-check 2015-10-18 23:57:00.756759698 -0400 +@@ -1,6 +1,6 @@ + #!/bin/bash + +-# The following symbols (past the first five) are taken from the public headers. ++# The following symbols (past the first 12) are taken from the public headers. + # A list of the latter should be available Makefile.sources/LIBDRM_FREEDRENO_H_FILES + + FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_tegra.so} | awk '{print $3}'| while read func; do +@@ -10,6 +10,13 @@ + _end + _fini + _init ++_fbss ++_fdata ++_ftext ++__bss_start__ ++__bss_end__ ++_bss_end__ ++__end__ + drm_tegra_bo_get_flags + drm_tegra_bo_get_handle + drm_tegra_bo_get_tiling diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm index 42a0454a35..21e403e9ab 100644 --- a/gnu/packages/xdisorg.scm +++ b/gnu/packages/xdisorg.scm @@ -209,7 +209,8 @@ rasterisation.") ".tar.bz2")) (sha256 (base32 - "1i4n7mz49l0j4kr0dg9n1j3hlc786ncqgj0v5fci1mz7pp40m5ki")))) + "1i4n7mz49l0j4kr0dg9n1j3hlc786ncqgj0v5fci1mz7pp40m5ki")) + (patches (list (search-patch "libdrm-symbol-check.patch"))))) (build-system gnu-build-system) (inputs `(("libpciaccess" ,libpciaccess) -- cgit 1.4.1 From da51f5bb010d8bfbdeaa63db5a54788da4adf9a2 Mon Sep 17 00:00:00 2001 
From: Ludovic Courtès Date: Thu, 22 Oct 2015 00:25:03 +0200 Subject: gnu: dbus: Add variant with proper helper for service activation. * gnu/packages/patches/dbus-helper-search-path.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/glib.scm (dbus/activation): New variable. --- gnu-system.am | 1 + gnu/packages/glib.scm | 12 ++++++++++++ gnu/packages/patches/dbus-helper-search-path.patch | 18 ++++++++++++++++++ 3 files changed, 31 insertions(+) create mode 100644 gnu/packages/patches/dbus-helper-search-path.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index 859b123c2c..3daec42e28 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -427,6 +427,7 @@ dist_patch_DATA = \ gnu/packages/patches/cssc-missing-include.patch \ gnu/packages/patches/clucene-contribs-lib.patch \ gnu/packages/patches/cursynth-wave-rand.patch \ + gnu/packages/patches/dbus-helper-search-path.patch \ gnu/packages/patches/dealii-p4est-interface.patch \ gnu/packages/patches/diffutils-gets-undeclared.patch \ gnu/packages/patches/dfu-programmer-fix-libusb.patch \ diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm index 6ef64e4b73..e4bf6ad0fc 100644 --- a/gnu/packages/glib.scm +++ b/gnu/packages/glib.scm @@ -59,6 +59,7 @@ (name "dbus") (version "1.10.0") (source (origin + ;; TODO: Apply patch from DBUS/ACTIVATION below. (method url-fetch) (uri (string-append "http://dbus.freedesktop.org/releases/dbus/dbus-" 
@@ -123,6 +124,17 @@ or through unencrypted TCP/IP suitable for use behind a firewall with shared NFS home directories.") (license license:gpl2+))) ; or Academic Free License 2.1 +(define-public dbus/activation + ;; D-Bus with a patch to fix service activation. + ;; TODO: Merge with DBUS above. + (package + (inherit dbus) + (version (string-append (package-version dbus) ".a")) + (source (origin + (inherit (package-source dbus)) + (patches + (list (search-patch "dbus-helper-search-path.patch"))))))) + (define glib (package (name "glib") diff --git a/gnu/packages/patches/dbus-helper-search-path.patch b/gnu/packages/patches/dbus-helper-search-path.patch new file mode 100644 index 0000000000..30c142312b --- /dev/null +++ b/gnu/packages/patches/dbus-helper-search-path.patch @@ -0,0 +1,18 @@ +The setuid helper of D-Bus is responsible for "service activation". +It looks for '.service' files in fixed locations, but the default locations +make no sense (see below), so replace them with /etc/dbus-1/system-services. + +--- dbus-1.10.0/dbus/dbus-sysdeps-util-unix.c 2015-10-22 00:07:03.829251854 +0200 ++++ dbus-1.10.0/dbus/dbus-sysdeps-util-unix.c 2015-10-22 00:07:14.893445175 +0200 +@@ -1410,10 +1410,7 @@ _dbus_get_standard_system_servicedirs (D + * be available. + */ + static const char standard_search_path[] = +- "/usr/local/share:" +- "/usr/share:" +- DBUS_DATADIR ":" +- "/lib"; ++ "/etc"; + DBusString servicedir_path; + + _dbus_string_init_const (&servicedir_path, standard_search_path); -- cgit 1.4.1 From c46c931ecfe7fd4a5cbd979263d28d3f1e02bcca Mon Sep 17 00:00:00 2001 
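Review bot: In `dbus/activation` the field `(patches (list (search-patch "dbus-helper-search-path.patch")))` replaces whatever the inherited origin carries instead of extending it, so a patch later added to `dbus` (a security fix, for instance) would silently be missing from this variant. Appending keeps the two in step: `(patches (cons (search-patch "dbus-helper-search-path.patch") (origin-patches (package-source dbus))))`. The TODO comments say the variants are to be merged, so this matters only while both exist.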
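Review bot: The patch header names `/etc/dbus-1/system-services`, but the new value of `standard_search_path` is only `"/etc"`, so the final path depends on a suffix that is appended outside this hunk; the header should say so, so a reader can check which directory the helper really reads. Because it is the setuid helper that consumes these `.service` files, the header should also record the assumption that the directory is writable only by root. Suggested header line: `The "dbus-1/system-services" suffix is expected to be appended by the rest of _dbus_get_standard_system_servicedirs; the resulting directory must be root-owned.` The function body continues outside the hunk.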
From: Mark H Weaver Date: Thu, 22 Oct 2015 14:54:43 -0400 Subject: gnu: unzip: Reorganize security fixes for improved clarity. * gnu/packages/patches/unzip-fix-overflows-and-infloop.patch: Delete file. Its contents are now split into the following new files: * gnu/packages/patches/unzip-CVE-2015-7696.patch, gnu/packages/patches/unzip-CVE-2015-7697.patch, gnu/packages/patches/unzip-overflow-on-invalid-input.patch: New files. * gnu-system.am (dist_patch_DATA): Adjust accordingly. * gnu/packages/zip.scm (unzip)[source]: Adjust patches accordingly. --- gnu-system.am | 4 +- gnu/packages/patches/unzip-CVE-2015-7696.patch | 35 +++++++ gnu/packages/patches/unzip-CVE-2015-7697.patch | 28 ++++++ .../patches/unzip-fix-overflows-and-infloop.patch | 108 --------------------- .../patches/unzip-overflow-on-invalid-input.patch | 40 ++++++++ gnu/packages/zip.scm | 4 +- 6 files changed, 109 insertions(+), 110 deletions(-) create mode 100644 gnu/packages/patches/unzip-CVE-2015-7696.patch create mode 100644 gnu/packages/patches/unzip-CVE-2015-7697.patch delete mode 100644 gnu/packages/patches/unzip-fix-overflows-and-infloop.patch create mode 100644 gnu/packages/patches/unzip-overflow-on-invalid-input.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index e62fe18c97..c4810661a2 100644 --- a/gnu-system.am +++ b/gnu-system.am 
@@ -647,9 +647,11 @@ dist_patch_DATA = \
 gnu/packages/patches/unzip-CVE-2014-8140.patch \
 gnu/packages/patches/unzip-CVE-2014-8141.patch \
 gnu/packages/patches/unzip-CVE-2014-9636.patch \
+ gnu/packages/patches/unzip-CVE-2015-7696.patch \
+ gnu/packages/patches/unzip-CVE-2015-7697.patch \
 gnu/packages/patches/unzip-allow-greater-hostver-values.patch \
 gnu/packages/patches/unzip-attribs-overflow.patch \
- gnu/packages/patches/unzip-fix-overflows-and-infloop.patch \
+ gnu/packages/patches/unzip-overflow-on-invalid-input.patch \
 gnu/packages/patches/unzip-format-secure.patch \
 gnu/packages/patches/unzip-initialize-symlink-flag.patch \
 gnu/packages/patches/unzip-overflow-long-fsize.patch \
diff --git a/gnu/packages/patches/unzip-CVE-2015-7696.patch b/gnu/packages/patches/unzip-CVE-2015-7696.patch
new file mode 100644
index 0000000000..d6a4072673
--- /dev/null
+++ b/gnu/packages/patches/unzip-CVE-2015-7696.patch
@@ -0,0 +1,35 @@
+Copied from Debian.
+
+From: Petr Stodulka
+Date: Mon, 14 Sep 2015 18:23:17 +0200
+Subject: Upstream fix for heap overflow
+Bug-Debian: https://bugs.debian.org/802162
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=1073002
+Forwarded: yes
+
+---
+ crypt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/crypt.c
++++ b/crypt.c
+@@ -465,7 +465,17 @@
+ GLOBAL(pInfo->encrypted) = FALSE;
+ defer_leftover_input(__G);
+ for (n = 0; n < RAND_HEAD_LEN; n++) {
+- b = NEXTBYTE;
++ /* 2012-11-23 SMS. (OUSPG report.)
++ * Quit early if compressed size < HEAD_LEN. The resulting
++ * error message ("unable to get password") could be improved,
++ * but it's better than trying to read nonexistent data, and
++ * then continuing with a negative G.csize. (See
++ * fileio.c:readbyte()).
++ */
++ if ((b = NEXTBYTE) == (ush)EOF)
++ {
++ return PK_ERR;
++ }
+ h[n] = (uch)b;
+ Trace((stdout, " (%02x)", h[n]));
+ }
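Review bot: The new check `if ((b = NEXTBYTE) == (ush)EOF)` in the crypt.c fix is effective only if `b` is declared as `ush`; the declaration is outside the hunk, and with an `int` the comparison of -1 against the truncated constant would never be true, which would leave the out-of-bounds read in place. A comment at the check, `/* b is ush, so EOF arrives truncated; compare against (ush)EOF */`, would keep a later type change from silently disabling the fix. The patch header could also name the CVE from the file name next to the Debian and Red Hat references, so the mapping does not rest on the file name alone. The enclosing function starts and ends outside the hunk.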
diff --git a/gnu/packages/patches/unzip-CVE-2015-7697.patch b/gnu/packages/patches/unzip-CVE-2015-7697.patch
new file mode 100644
index 0000000000..d688b42495
--- /dev/null
+++ b/gnu/packages/patches/unzip-CVE-2015-7697.patch
@@ -0,0 +1,28 @@
+Copied from Debian.
+
+From: Kamil Dudka
+Date: Mon, 14 Sep 2015 18:24:56 +0200
+Subject: fix infinite loop when extracting empty bzip2 data
+Bug-Debian: https://bugs.debian.org/802160
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
+Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1073339
+
+---
+ extract.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/extract.c
++++ b/extract.c
+@@ -2728,6 +2728,12 @@
+ int repeated_buf_err;
+ bz_stream bstrm;
+
++ if (G.incnt <= 0 && G.csize <= 0L) {
++ /* avoid an infinite loop */
++ Trace((stderr, "UZbunzip2() got empty input\n"));
++ return 2;
++ }
++
+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+ if (G.redirect_slide)
+ wsize = G.redirect_size, redirSlide = G.redirect_buffer;
diff --git a/gnu/packages/patches/unzip-fix-overflows-and-infloop.patch b/gnu/packages/patches/unzip-fix-overflows-and-infloop.patch
deleted file mode 100644
index 33498db95e..0000000000
--- a/gnu/packages/patches/unzip-fix-overflows-and-infloop.patch
+++ /dev/null
@@ -1,108 +0,0 @@ -Copied from Fedora. - -http://pkgs.fedoraproject.org/cgit/unzip.git/tree/unzip-6.0-heap-overflow-infloop.patch?id=d18f821e - -From bdd4a0cecd745cb4825e4508b5bdf2579731086a Mon Sep 17 00:00:00 2001 -From: Petr Stodulka -Date: Mon, 14 Sep 2015 18:23:17 +0200 -Subject: [PATCH 1/3] upstream fix for heap overflow - -https://bugzilla.redhat.com/attachment.cgi?id=1073002 ---- - crypt.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/crypt.c b/crypt.c -index 784e411..a8975f2 100644 ---- a/crypt.c -+++ b/crypt.c -@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd) - GLOBAL(pInfo->encrypted) = FALSE; - defer_leftover_input(__G); - for (n = 0; n < RAND_HEAD_LEN; n++) { -- b = NEXTBYTE; -+ /* 2012-11-23 SMS. (OUSPG report.) -+ * Quit early if compressed size < HEAD_LEN. The resulting -+ * error message ("unable to get password") could be improved, -+ * but it's better than trying to read nonexistent data, and -+ * then continuing with a negative G.csize. (See -+ * fileio.c:readbyte()). 
-+ */ -+ if ((b = NEXTBYTE) == (ush)EOF) -+ { -+ return PK_ERR; -+ } - h[n] = (uch)b; - Trace((stdout, " (%02x)", h[n])); - } --- -2.4.6 - - -From 4b48844661ff9569f2ecf582a387d46a5775b5d8 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 14 Sep 2015 18:24:56 +0200 -Subject: [PATCH 2/3] fix infinite loop when extracting empty bzip2 data - -Bug: https://sourceforge.net/p/infozip/patches/23/ ---- - extract.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/extract.c b/extract.c -index 7134bfe..29db027 100644 ---- a/extract.c -+++ b/extract.c -@@ -2733,6 +2733,12 @@ __GDEF - int repeated_buf_err; - bz_stream bstrm; - -+ if (G.incnt <= 0 && G.csize <= 0L) { -+ /* avoid an infinite loop */ -+ Trace((stderr, "UZbunzip2() got empty input\n")); -+ return 2; -+ } -+ - #if (defined(DLL) && !defined(NO_SLIDE_REDIR)) - if (G.redirect_slide) - wsize = G.redirect_size, redirSlide = G.redirect_buffer; --- -2.4.6 - - -From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Tue, 22 Sep 2015 18:52:23 +0200 -Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input - -Suggested-by: Stefan Cornelius ---- - extract.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/extract.c b/extract.c -index 29db027..b9ae667 100644 ---- a/extract.c -+++ b/extract.c -@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk, - if (G.lrec.compression_method == STORED) { - zusz_t csiz_decrypted = G.lrec.csize; - -- if (G.pInfo->encrypted) -+ if (G.pInfo->encrypted) { -+ if (csiz_decrypted <= 12) { -+ /* handle the error now to prevent unsigned overflow */ -+ Info(slide, 0x401, ((char *)slide, -+ LoadFarStringSmall(ErrUnzipNoFile), -+ LoadFarString(InvalidComprData), -+ LoadFarStringSmall2(Inflate))); -+ return PK_ERR; -+ } - csiz_decrypted -= 12; -+ } - if (G.lrec.ucsize != csiz_decrypted) { - Info(slide, 0x401, ((char *)slide, - LoadFarStringSmall2(WrnStorUCSizCSizDiff), --- 
-2.5.2 - diff --git a/gnu/packages/patches/unzip-overflow-on-invalid-input.patch b/gnu/packages/patches/unzip-overflow-on-invalid-input.patch new file mode 100644 index 0000000000..013002a88c --- /dev/null +++ b/gnu/packages/patches/unzip-overflow-on-invalid-input.patch @@ -0,0 +1,40 @@ +Extracted from a patch in Fedora. + +http://pkgs.fedoraproject.org/cgit/unzip.git/tree/unzip-6.0-heap-overflow-infloop.patch?id=d18f821e + +From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 22 Sep 2015 18:52:23 +0200 +Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input + +Suggested-by: Stefan Cornelius +--- + extract.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/extract.c b/extract.c +index 29db027..b9ae667 100644 +--- a/extract.c ++++ b/extract.c +@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk, + if (G.lrec.compression_method == STORED) { + zusz_t csiz_decrypted = G.lrec.csize; + +- if (G.pInfo->encrypted) ++ if (G.pInfo->encrypted) { ++ if (csiz_decrypted <= 12) { ++ /* handle the error now to prevent unsigned overflow */ ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarStringSmall(ErrUnzipNoFile), ++ LoadFarString(InvalidComprData), ++ LoadFarStringSmall2(Inflate))); ++ return PK_ERR; ++ } + csiz_decrypted -= 12; ++ } + if (G.lrec.ucsize != csiz_decrypted) { + Info(slide, 0x401, ((char *)slide, + LoadFarStringSmall2(WrnStorUCSizCSizDiff), +-- +2.5.2 + diff --git a/gnu/packages/zip.scm b/gnu/packages/zip.scm index 83c452778c..b7bed0e86d 100644 --- a/gnu/packages/zip.scm +++ b/gnu/packages/zip.scm 
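Review bot: The new guard `if (csiz_decrypted <= 12)` in extract.c rejects one more size than its own comment requires, because `csiz_decrypted -= 12` cannot wrap when the value is exactly 12. An encrypted STORED entry holding only the 12-byte header, presumably an empty file, would then fail with PK_ERR instead of extracting as zero bytes. If that case is legitimate, the check should read `if (csiz_decrypted < 12) {`. The error text also passes `LoadFarStringSmall2(Inflate)` although this branch handles STORED data, so the message may name the wrong method. The body of extract_or_test_entrylist continues outside the hunk, and the same check recurs in unzip-fix-overflows-and-infloop.patch (re-added by the revert) and in the re-applied unzip-overflow-on-invalid-input.patch.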
@@ -85,11 +85,13 @@ Compression ratios of 2:1 to 3:1 are common for text files.") "unzip-CVE-2014-8140.patch" "unzip-CVE-2014-8141.patch" "unzip-CVE-2014-9636.patch" + "unzip-CVE-2015-7696.patch" + "unzip-CVE-2015-7697.patch" "unzip-allow-greater-hostver-values.patch" "unzip-initialize-symlink-flag.patch" "unzip-remove-build-date.patch" "unzip-attribs-overflow.patch" - "unzip-fix-overflows-and-infloop.patch" + "unzip-overflow-on-invalid-input.patch" "unzip-format-secure.patch" "unzip-overflow-long-fsize.patch"))))) (build-system gnu-build-system) -- cgit 1.4.1 From 2442e69e4182b592757dad473c8c7b1c48ca8284 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Thu, 22 Oct 2015 17:10:41 -0400 Subject: Revert "gnu: unzip: Reorganize security fixes for improved clarity." This reverts commit c46c931ecfe7fd4a5cbd979263d28d3f1e02bcca. --- gnu-system.am | 4 +- gnu/packages/patches/unzip-CVE-2015-7696.patch | 35 ------- gnu/packages/patches/unzip-CVE-2015-7697.patch | 28 ------ .../patches/unzip-fix-overflows-and-infloop.patch | 108 +++++++++++++++++++++ .../patches/unzip-overflow-on-invalid-input.patch | 40 -------- gnu/packages/zip.scm | 4 +- 6 files changed, 110 insertions(+), 109 deletions(-) delete mode 100644 gnu/packages/patches/unzip-CVE-2015-7696.patch delete mode 100644 gnu/packages/patches/unzip-CVE-2015-7697.patch create mode 100644 gnu/packages/patches/unzip-fix-overflows-and-infloop.patch delete mode 100644 gnu/packages/patches/unzip-overflow-on-invalid-input.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index c4810661a2..e62fe18c97 100644 --- a/gnu-system.am +++ b/gnu-system.am 
@@ -647,11 +647,9 @@ dist_patch_DATA = \ gnu/packages/patches/unzip-CVE-2014-8140.patch \ gnu/packages/patches/unzip-CVE-2014-8141.patch \ gnu/packages/patches/unzip-CVE-2014-9636.patch \ - gnu/packages/patches/unzip-CVE-2015-7696.patch \ - gnu/packages/patches/unzip-CVE-2015-7697.patch \ gnu/packages/patches/unzip-allow-greater-hostver-values.patch \ gnu/packages/patches/unzip-attribs-overflow.patch \ - gnu/packages/patches/unzip-overflow-on-invalid-input.patch \ + gnu/packages/patches/unzip-fix-overflows-and-infloop.patch \ gnu/packages/patches/unzip-format-secure.patch \ gnu/packages/patches/unzip-initialize-symlink-flag.patch \ gnu/packages/patches/unzip-overflow-long-fsize.patch \ diff --git a/gnu/packages/patches/unzip-CVE-2015-7696.patch b/gnu/packages/patches/unzip-CVE-2015-7696.patch deleted file mode 100644 index d6a4072673..0000000000 --- a/gnu/packages/patches/unzip-CVE-2015-7696.patch +++ /dev/null @@ -1,35 +0,0 @@ -Copied from Debian. - -From: Petr Stodulka -Date: Mon, 14 Sep 2015 18:23:17 +0200 -Subject: Upstream fix for heap overflow -Bug-Debian: https://bugs.debian.org/802162 -Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944 -Origin: https://bugzilla.redhat.com/attachment.cgi?id=1073002 -Forwarded: yes - ---- - crypt.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - ---- a/crypt.c -+++ b/crypt.c -@@ -465,7 +465,17 @@ - GLOBAL(pInfo->encrypted) = FALSE; - defer_leftover_input(__G); - for (n = 0; n < RAND_HEAD_LEN; n++) { -- b = NEXTBYTE; -+ /* 2012-11-23 SMS. (OUSPG report.) -+ * Quit early if compressed size < HEAD_LEN. The resulting -+ * error message ("unable to get password") could be improved, -+ * but it's better than trying to read nonexistent data, and -+ * then continuing with a negative G.csize. (See -+ * fileio.c:readbyte()). -+ */ -+ if ((b = NEXTBYTE) == (ush)EOF) -+ { -+ return PK_ERR; -+ } - h[n] = (uch)b; - Trace((stdout, " (%02x)", h[n])); - } 
diff --git a/gnu/packages/patches/unzip-CVE-2015-7697.patch b/gnu/packages/patches/unzip-CVE-2015-7697.patch deleted file mode 100644 index d688b42495..0000000000 --- a/gnu/packages/patches/unzip-CVE-2015-7697.patch +++ /dev/null @@ -1,28 +0,0 @@ -Copied from Debian. - -From: Kamil Dudka -Date: Mon, 14 Sep 2015 18:24:56 +0200 -Subject: fix infinite loop when extracting empty bzip2 data -Bug-Debian: https://bugs.debian.org/802160 -Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944 -Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1073339 - ---- - extract.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/extract.c -+++ b/extract.c -@@ -2728,6 +2728,12 @@ - int repeated_buf_err; - bz_stream bstrm; - -+ if (G.incnt <= 0 && G.csize <= 0L) { -+ /* avoid an infinite loop */ -+ Trace((stderr, "UZbunzip2() got empty input\n")); -+ return 2; -+ } -+ - #if (defined(DLL) && !defined(NO_SLIDE_REDIR)) - if (G.redirect_slide) - wsize = G.redirect_size, redirSlide = G.redirect_buffer; diff --git a/gnu/packages/patches/unzip-fix-overflows-and-infloop.patch b/gnu/packages/patches/unzip-fix-overflows-and-infloop.patch new file mode 100644 index 0000000000..33498db95e --- /dev/null +++ b/gnu/packages/patches/unzip-fix-overflows-and-infloop.patch 
@@ -0,0 +1,108 @@ +Copied from Fedora. + +http://pkgs.fedoraproject.org/cgit/unzip.git/tree/unzip-6.0-heap-overflow-infloop.patch?id=d18f821e + +From bdd4a0cecd745cb4825e4508b5bdf2579731086a Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Mon, 14 Sep 2015 18:23:17 +0200 +Subject: [PATCH 1/3] upstream fix for heap overflow + +https://bugzilla.redhat.com/attachment.cgi?id=1073002 +--- + crypt.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/crypt.c b/crypt.c +index 784e411..a8975f2 100644 +--- a/crypt.c ++++ b/crypt.c +@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd) + GLOBAL(pInfo->encrypted) = FALSE; + defer_leftover_input(__G); + for (n = 0; n < RAND_HEAD_LEN; n++) { +- b = NEXTBYTE; ++ /* 2012-11-23 SMS. (OUSPG report.) ++ * Quit early if compressed size < HEAD_LEN. The resulting ++ * error message ("unable to get password") could be improved, ++ * but it's better than trying to read nonexistent data, and ++ * then continuing with a negative G.csize. (See ++ * fileio.c:readbyte()). 
++ */ ++ if ((b = NEXTBYTE) == (ush)EOF) ++ { ++ return PK_ERR; ++ } + h[n] = (uch)b; + Trace((stdout, " (%02x)", h[n])); + } +-- +2.4.6 + + +From 4b48844661ff9569f2ecf582a387d46a5775b5d8 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 14 Sep 2015 18:24:56 +0200 +Subject: [PATCH 2/3] fix infinite loop when extracting empty bzip2 data + +Bug: https://sourceforge.net/p/infozip/patches/23/ +--- + extract.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/extract.c b/extract.c +index 7134bfe..29db027 100644 +--- a/extract.c ++++ b/extract.c +@@ -2733,6 +2733,12 @@ __GDEF + int repeated_buf_err; + bz_stream bstrm; + ++ if (G.incnt <= 0 && G.csize <= 0L) { ++ /* avoid an infinite loop */ ++ Trace((stderr, "UZbunzip2() got empty input\n")); ++ return 2; ++ } ++ + #if (defined(DLL) && !defined(NO_SLIDE_REDIR)) + if (G.redirect_slide) + wsize = G.redirect_size, redirSlide = G.redirect_buffer; +-- +2.4.6 + + +From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 22 Sep 2015 18:52:23 +0200 +Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input + +Suggested-by: Stefan Cornelius +--- + extract.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/extract.c b/extract.c +index 29db027..b9ae667 100644 +--- a/extract.c ++++ b/extract.c +@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk, + if (G.lrec.compression_method == STORED) { + zusz_t csiz_decrypted = G.lrec.csize; + +- if (G.pInfo->encrypted) ++ if (G.pInfo->encrypted) { ++ if (csiz_decrypted <= 12) { ++ /* handle the error now to prevent unsigned overflow */ ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarStringSmall(ErrUnzipNoFile), ++ LoadFarString(InvalidComprData), ++ LoadFarStringSmall2(Inflate))); ++ return PK_ERR; ++ } + csiz_decrypted -= 12; ++ } + if (G.lrec.ucsize != csiz_decrypted) { + Info(slide, 0x401, ((char *)slide, + LoadFarStringSmall2(WrnStorUCSizCSizDiff), +-- 
+2.5.2 + diff --git a/gnu/packages/patches/unzip-overflow-on-invalid-input.patch b/gnu/packages/patches/unzip-overflow-on-invalid-input.patch deleted file mode 100644 index 013002a88c..0000000000 --- a/gnu/packages/patches/unzip-overflow-on-invalid-input.patch +++ /dev/null @@ -1,40 +0,0 @@ -Extracted from a patch in Fedora. - -http://pkgs.fedoraproject.org/cgit/unzip.git/tree/unzip-6.0-heap-overflow-infloop.patch?id=d18f821e - -From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Tue, 22 Sep 2015 18:52:23 +0200 -Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input - -Suggested-by: Stefan Cornelius ---- - extract.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/extract.c b/extract.c -index 29db027..b9ae667 100644 ---- a/extract.c -+++ b/extract.c -@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk, - if (G.lrec.compression_method == STORED) { - zusz_t csiz_decrypted = G.lrec.csize; - -- if (G.pInfo->encrypted) -+ if (G.pInfo->encrypted) { -+ if (csiz_decrypted <= 12) { -+ /* handle the error now to prevent unsigned overflow */ -+ Info(slide, 0x401, ((char *)slide, -+ LoadFarStringSmall(ErrUnzipNoFile), -+ LoadFarString(InvalidComprData), -+ LoadFarStringSmall2(Inflate))); -+ return PK_ERR; -+ } - csiz_decrypted -= 12; -+ } - if (G.lrec.ucsize != csiz_decrypted) { - Info(slide, 0x401, ((char *)slide, - LoadFarStringSmall2(WrnStorUCSizCSizDiff), --- -2.5.2 - diff --git a/gnu/packages/zip.scm b/gnu/packages/zip.scm index b7bed0e86d..83c452778c 100644 --- a/gnu/packages/zip.scm +++ b/gnu/packages/zip.scm 
@@ -85,13 +85,11 @@ Compression ratios of 2:1 to 3:1 are common for text files.") "unzip-CVE-2014-8140.patch" "unzip-CVE-2014-8141.patch" "unzip-CVE-2014-9636.patch" - "unzip-CVE-2015-7696.patch" - "unzip-CVE-2015-7697.patch" "unzip-allow-greater-hostver-values.patch" "unzip-initialize-symlink-flag.patch" "unzip-remove-build-date.patch" "unzip-attribs-overflow.patch" - "unzip-overflow-on-invalid-input.patch" + "unzip-fix-overflows-and-infloop.patch" "unzip-format-secure.patch" "unzip-overflow-long-fsize.patch"))))) (build-system gnu-build-system) -- cgit 1.4.1 From c595cd47d8d60688f8eb56f25baab2854880e43c Mon Sep 17 00:00:00 2001 From: Eric Bavier Date: Thu, 22 Oct 2015 17:41:39 -0500 Subject: gnu: evilwm: Add patch for lost-focus bug. * gnu/packages/patches/evilwm-lost-focus-bug.patch: New patch. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/wm.scm (evilwm)[source]: Use it. --- gnu-system.am | 1 + gnu/packages/patches/evilwm-lost-focus-bug.patch | 18 ++++++++++++++++++ gnu/packages/wm.scm | 4 +++- 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/evilwm-lost-focus-bug.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index e62fe18c97..3e976e9fb7 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -438,6 +438,7 @@ dist_patch_DATA = \ gnu/packages/patches/elfutils-tests-ptrace.patch \ gnu/packages/patches/emacs-exec-path.patch \ gnu/packages/patches/eudev-rules-directory.patch \ + gnu/packages/patches/evilwm-lost-focus-bug.patch \ gnu/packages/patches/expat-CVE-2015-1283.patch \ gnu/packages/patches/fastcap-mulGlobal.patch \ gnu/packages/patches/fastcap-mulSetup.patch \ diff --git a/gnu/packages/patches/evilwm-lost-focus-bug.patch b/gnu/packages/patches/evilwm-lost-focus-bug.patch new file mode 100644 index 0000000000..af24af8fe9 --- /dev/null +++ b/gnu/packages/patches/evilwm-lost-focus-bug.patch 
@@ -0,0 +1,18 @@ +evilwm may sometimes lose focus after closing a window. This means that +evilwm stops responding to keyboard shortcuts, and if no other window is open +which the mouse can be moved over to regain focus evilwm becomes unusable and +has to be restarted. + +Patch derived from discussion at +https://wiki.archlinux.org/index.php/Evilwm#Lost_focus_bug_fix + +--- evilwm-1.1.1/client.c ++++ evilwm-1.1.1/client.c +@@ -172,6 +172,7 @@ + * _NET_WM_STATE) */ + if (c->remove) { + LOG_DEBUG("setting WithdrawnState\n"); ++ XSetInputFocus(dpy, PointerRoot, RevertToPointerRoot, CurrentTime); + set_wm_state(c, WithdrawnState); + ewmh_withdraw_client(c); + } else { diff --git a/gnu/packages/wm.scm b/gnu/packages/wm.scm index 7f614e18c8..58d7add5e0 100644 --- a/gnu/packages/wm.scm +++ b/gnu/packages/wm.scm @@ -22,6 +22,7 @@ (define-module (gnu packages wm) #:use-module (guix licenses) #:use-module (guix packages) + #:use-module (gnu packages) #:use-module (gnu packages linux) #:use-module (guix build-system gnu) #:use-module (guix build-system haskell) @@ -268,7 +269,8 @@ tiling window manager for X.") version ".tar.gz")) (sha256 (base32 - "0ak0yajzk3v4dg5wmaghv6acf7v02a4iw8qxmq5yw5ard8lrqn3r")))) + "0ak0yajzk3v4dg5wmaghv6acf7v02a4iw8qxmq5yw5ard8lrqn3r")) + (patches (map search-patch '("evilwm-lost-focus-bug.patch"))))) (build-system gnu-build-system) (inputs `(("libx11" ,libx11) -- cgit 1.4.1 From 6747de140d6ef714a7940bfa4cd0db544c9fe945 Mon Sep 17 00:00:00 2001 
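Review bot: The added `XSetInputFocus(dpy, PointerRoot, RevertToPointerRoot, CurrentTime);` in client.c runs for every client that takes the `c->remove` branch, not only for the one that currently holds the input focus. When an unfocused window is withdrawn, keyboard input would move from the focused window to whatever is under the pointer, which is an unwelcome surprise for anyone typing at the time. Limiting the call to the case where the withdrawn client is the focus owner (XGetInputFocus can tell) would keep the fix narrow. The enclosing function starts and ends outside the hunk, so an existing guard cannot be ruled out. The patch header also cites a wiki page without a revision, so pinning the revision it was derived from would make the provenance checkable.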
From: 宋文武 Date: Fri, 23 Oct 2015 21:31:49 +0800 Subject: gnu: bluez: Update to 5.35, fix test. * gnu/packages/patches/bluez-tests.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/linux.scm (bluez): Update to 5.35. [source]: Add patch. --- gnu-system.am | 1 + gnu/packages/linux.scm | 6 ++++-- gnu/packages/patches/bluez-tests.patch | 25 +++++++++++++++++++++++++ 3 files changed, 30 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/bluez-tests.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index 3daec42e28..9bb537be33 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -411,6 +411,7 @@ dist_patch_DATA = \ gnu/packages/patches/binutils-ld-new-dtags.patch \ gnu/packages/patches/binutils-loongson-workaround.patch \ gnu/packages/patches/bitlbee-configure-doc-fix.patch \ + gnu/packages/patches/bluez-tests.patch \ gnu/packages/patches/boost-mips-avoid-m32.patch \ gnu/packages/patches/calibre-drop-unrar.patch \ gnu/packages/patches/calibre-no-updates-dialog.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 474e914c13..2c2ebab2e4 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -2315,7 +2315,7 @@ applications.") (define-public bluez (package (name "bluez") - (version "5.30") + (version "5.35") (source (origin (method url-fetch) (uri (string-append @@ -2323,7 +2323,9 @@ applications.") version ".tar.xz")) (sha256 (base32 - "0b1qbnq1xzcdw5rajg9yyg31bf21jnff0n6gnf1snz89bbdllfhy")))) + "1qphz25hganfnd5ipfscbj7s70anv5favmwqmi9ig2saciaf1zhs")) + (patches + (list (search-patch "bluez-tests.patch"))))) (build-system gnu-build-system) (arguments '(#:configure-flags diff --git a/gnu/packages/patches/bluez-tests.patch b/gnu/packages/patches/bluez-tests.patch new file mode 100644 index 0000000000..608ded9be2 --- /dev/null +++ b/gnu/packages/patches/bluez-tests.patch 
@@ -0,0 +1,25 @@ +From 484ad8c9263bb524051a999ce19a994960e69572 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= +Date: Fri, 23 Oct 2015 20:48:57 +0800 +Subject: [PATCH] unit/test-gobex-header: Fix duplicate test names + +--- + unit/test-gobex-header.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/unit/test-gobex-header.c b/unit/test-gobex-header.c +index 6f49312..8705892 100644 +--- a/unit/test-gobex-header.c ++++ b/unit/test-gobex-header.c +@@ -554,7 +554,7 @@ int main(int argc, char *argv[]) + test_header_encode_name_umlaut); + g_test_add_func("/gobex/test_header_encode_body", + test_header_encode_body); +- g_test_add_func("/gobex/test_header_encode_connid", ++ g_test_add_func("/gobex/test_header_encode_actionid", + test_header_encode_actionid); + g_test_add_func("/gobex/test_header_encode_apparam", + test_header_encode_apparam); +-- +2.5.0 + -- cgit 1.4.1 From 51de92a08e11b11ac9e5bbb2938be2ad0de02d80 Mon Sep 17 00:00:00 2001 
From: Mark H Weaver Date: Thu, 22 Oct 2015 14:54:43 -0400 Subject: gnu: unzip: Reorganize security fixes for improved clarity. * gnu/packages/patches/unzip-fix-overflows-and-infloop.patch: Delete file. Its contents are now split into the following new files: * gnu/packages/patches/unzip-CVE-2015-7696.patch, gnu/packages/patches/unzip-CVE-2015-7697.patch, gnu/packages/patches/unzip-overflow-on-invalid-input.patch: New files. * gnu-system.am (dist_patch_DATA): Adjust accordingly. * gnu/packages/zip.scm (unzip)[source]: Adjust patches accordingly. --- gnu-system.am | 4 +- gnu/packages/patches/unzip-CVE-2015-7696.patch | 35 +++++++ gnu/packages/patches/unzip-CVE-2015-7697.patch | 28 ++++++ .../patches/unzip-fix-overflows-and-infloop.patch | 108 --------------------- .../patches/unzip-overflow-on-invalid-input.patch | 40 ++++++++ gnu/packages/zip.scm | 4 +- 6 files changed, 109 insertions(+), 110 deletions(-) create mode 100644 gnu/packages/patches/unzip-CVE-2015-7696.patch create mode 100644 gnu/packages/patches/unzip-CVE-2015-7697.patch delete mode 100644 gnu/packages/patches/unzip-fix-overflows-and-infloop.patch create mode 100644 gnu/packages/patches/unzip-overflow-on-invalid-input.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index 655c00a679..13eede8bf6 100644 --- a/gnu-system.am +++ b/gnu-system.am 
@@ -651,9 +651,11 @@ dist_patch_DATA = \ gnu/packages/patches/unzip-CVE-2014-8140.patch \ gnu/packages/patches/unzip-CVE-2014-8141.patch \ gnu/packages/patches/unzip-CVE-2014-9636.patch \ + gnu/packages/patches/unzip-CVE-2015-7696.patch \ + gnu/packages/patches/unzip-CVE-2015-7697.patch \ gnu/packages/patches/unzip-allow-greater-hostver-values.patch \ gnu/packages/patches/unzip-attribs-overflow.patch \ - gnu/packages/patches/unzip-fix-overflows-and-infloop.patch \ + gnu/packages/patches/unzip-overflow-on-invalid-input.patch \ gnu/packages/patches/unzip-format-secure.patch \ gnu/packages/patches/unzip-initialize-symlink-flag.patch \ gnu/packages/patches/unzip-overflow-long-fsize.patch \ diff --git a/gnu/packages/patches/unzip-CVE-2015-7696.patch b/gnu/packages/patches/unzip-CVE-2015-7696.patch new file mode 100644 index 0000000000..d6a4072673 --- /dev/null +++ b/gnu/packages/patches/unzip-CVE-2015-7696.patch @@ -0,0 +1,35 @@ +Copied from Debian. + +From: Petr Stodulka +Date: Mon, 14 Sep 2015 18:23:17 +0200 +Subject: Upstream fix for heap overflow +Bug-Debian: https://bugs.debian.org/802162 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944 +Origin: https://bugzilla.redhat.com/attachment.cgi?id=1073002 +Forwarded: yes + +--- + crypt.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/crypt.c ++++ b/crypt.c +@@ -465,7 +465,17 @@ + GLOBAL(pInfo->encrypted) = FALSE; + defer_leftover_input(__G); + for (n = 0; n < RAND_HEAD_LEN; n++) { +- b = NEXTBYTE; ++ /* 2012-11-23 SMS. (OUSPG report.) ++ * Quit early if compressed size < HEAD_LEN. The resulting ++ * error message ("unable to get password") could be improved, ++ * but it's better than trying to read nonexistent data, and ++ * then continuing with a negative G.csize. (See ++ * fileio.c:readbyte()). ++ */ ++ if ((b = NEXTBYTE) == (ush)EOF) ++ { ++ return PK_ERR; ++ } + h[n] = (uch)b; + Trace((stdout, " (%02x)", h[n])); + } 
diff --git a/gnu/packages/patches/unzip-CVE-2015-7697.patch b/gnu/packages/patches/unzip-CVE-2015-7697.patch new file mode 100644 index 0000000000..d688b42495 --- /dev/null +++ b/gnu/packages/patches/unzip-CVE-2015-7697.patch @@ -0,0 +1,28 @@ +Copied from Debian. + +From: Kamil Dudka +Date: Mon, 14 Sep 2015 18:24:56 +0200 +Subject: fix infinite loop when extracting empty bzip2 data +Bug-Debian: https://bugs.debian.org/802160 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944 +Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1073339 + +--- + extract.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/extract.c ++++ b/extract.c +@@ -2728,6 +2728,12 @@ + int repeated_buf_err; + bz_stream bstrm; + ++ if (G.incnt <= 0 && G.csize <= 0L) { ++ /* avoid an infinite loop */ ++ Trace((stderr, "UZbunzip2() got empty input\n")); ++ return 2; ++ } ++ + #if (defined(DLL) && !defined(NO_SLIDE_REDIR)) + if (G.redirect_slide) + wsize = G.redirect_size, redirSlide = G.redirect_buffer; diff --git a/gnu/packages/patches/unzip-fix-overflows-and-infloop.patch b/gnu/packages/patches/unzip-fix-overflows-and-infloop.patch deleted file mode 100644 index 33498db95e..0000000000 --- a/gnu/packages/patches/unzip-fix-overflows-and-infloop.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -Copied from Fedora. - -http://pkgs.fedoraproject.org/cgit/unzip.git/tree/unzip-6.0-heap-overflow-infloop.patch?id=d18f821e - -From bdd4a0cecd745cb4825e4508b5bdf2579731086a Mon Sep 17 00:00:00 2001 -From: Petr Stodulka -Date: Mon, 14 Sep 2015 18:23:17 +0200 -Subject: [PATCH 1/3] upstream fix for heap overflow - -https://bugzilla.redhat.com/attachment.cgi?id=1073002 ---- - crypt.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/crypt.c b/crypt.c -index 784e411..a8975f2 100644 ---- a/crypt.c -+++ b/crypt.c -@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd) - GLOBAL(pInfo->encrypted) = FALSE; - defer_leftover_input(__G); - for (n = 0; n < RAND_HEAD_LEN; n++) { -- b = NEXTBYTE; -+ /* 2012-11-23 SMS. (OUSPG report.) -+ * Quit early if compressed size < HEAD_LEN. The resulting -+ * error message ("unable to get password") could be improved, -+ * but it's better than trying to read nonexistent data, and -+ * then continuing with a negative G.csize. (See -+ * fileio.c:readbyte()). 
-+ */ -+ if ((b = NEXTBYTE) == (ush)EOF) -+ { -+ return PK_ERR; -+ } - h[n] = (uch)b; - Trace((stdout, " (%02x)", h[n])); - } --- -2.4.6 - - -From 4b48844661ff9569f2ecf582a387d46a5775b5d8 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 14 Sep 2015 18:24:56 +0200 -Subject: [PATCH 2/3] fix infinite loop when extracting empty bzip2 data - -Bug: https://sourceforge.net/p/infozip/patches/23/ ---- - extract.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/extract.c b/extract.c -index 7134bfe..29db027 100644 ---- a/extract.c -+++ b/extract.c -@@ -2733,6 +2733,12 @@ __GDEF - int repeated_buf_err; - bz_stream bstrm; - -+ if (G.incnt <= 0 && G.csize <= 0L) { -+ /* avoid an infinite loop */ -+ Trace((stderr, "UZbunzip2() got empty input\n")); -+ return 2; -+ } -+ - #if (defined(DLL) && !defined(NO_SLIDE_REDIR)) - if (G.redirect_slide) - wsize = G.redirect_size, redirSlide = G.redirect_buffer; --- -2.4.6 - - -From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Tue, 22 Sep 2015 18:52:23 +0200 -Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input - -Suggested-by: Stefan Cornelius ---- - extract.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/extract.c b/extract.c -index 29db027..b9ae667 100644 ---- a/extract.c -+++ b/extract.c -@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk, - if (G.lrec.compression_method == STORED) { - zusz_t csiz_decrypted = G.lrec.csize; - -- if (G.pInfo->encrypted) -+ if (G.pInfo->encrypted) { -+ if (csiz_decrypted <= 12) { -+ /* handle the error now to prevent unsigned overflow */ -+ Info(slide, 0x401, ((char *)slide, -+ LoadFarStringSmall(ErrUnzipNoFile), -+ LoadFarString(InvalidComprData), -+ LoadFarStringSmall2(Inflate))); -+ return PK_ERR; -+ } - csiz_decrypted -= 12; -+ } - if (G.lrec.ucsize != csiz_decrypted) { - Info(slide, 0x401, ((char *)slide, - LoadFarStringSmall2(WrnStorUCSizCSizDiff), --- 
-2.5.2 - diff --git a/gnu/packages/patches/unzip-overflow-on-invalid-input.patch b/gnu/packages/patches/unzip-overflow-on-invalid-input.patch new file mode 100644 index 0000000000..013002a88c --- /dev/null +++ b/gnu/packages/patches/unzip-overflow-on-invalid-input.patch @@ -0,0 +1,40 @@ +Extracted from a patch in Fedora. + +http://pkgs.fedoraproject.org/cgit/unzip.git/tree/unzip-6.0-heap-overflow-infloop.patch?id=d18f821e + +From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 22 Sep 2015 18:52:23 +0200 +Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input + +Suggested-by: Stefan Cornelius +--- + extract.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/extract.c b/extract.c +index 29db027..b9ae667 100644 +--- a/extract.c ++++ b/extract.c +@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk, + if (G.lrec.compression_method == STORED) { + zusz_t csiz_decrypted = G.lrec.csize; + +- if (G.pInfo->encrypted) ++ if (G.pInfo->encrypted) { ++ if (csiz_decrypted <= 12) { ++ /* handle the error now to prevent unsigned overflow */ ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarStringSmall(ErrUnzipNoFile), ++ LoadFarString(InvalidComprData), ++ LoadFarStringSmall2(Inflate))); ++ return PK_ERR; ++ } + csiz_decrypted -= 12; ++ } + if (G.lrec.ucsize != csiz_decrypted) { + Info(slide, 0x401, ((char *)slide, + LoadFarStringSmall2(WrnStorUCSizCSizDiff), +-- +2.5.2 + diff --git a/gnu/packages/zip.scm b/gnu/packages/zip.scm index 83c452778c..b7bed0e86d 100644 --- a/gnu/packages/zip.scm +++ b/gnu/packages/zip.scm 
@@ -85,11 +85,13 @@ Compression ratios of 2:1 to 3:1 are common for text files.") "unzip-CVE-2014-8140.patch" "unzip-CVE-2014-8141.patch" "unzip-CVE-2014-9636.patch" + "unzip-CVE-2015-7696.patch" + "unzip-CVE-2015-7697.patch" "unzip-allow-greater-hostver-values.patch" "unzip-initialize-symlink-flag.patch" "unzip-remove-build-date.patch" "unzip-attribs-overflow.patch" - "unzip-fix-overflows-and-infloop.patch" + "unzip-overflow-on-invalid-input.patch" "unzip-format-secure.patch" "unzip-overflow-long-fsize.patch"))))) (build-system gnu-build-system) -- cgit 1.4.1 From b90e7e5d49e951a24f58d3cd29d37127982ef240 Mon Sep 17 00:00:00 2001 From: David Thompson Date: Fri, 30 Oct 2015 08:40:58 -0400 Subject: gnu: xfce4-session: Fix xflock4. * gnu/packages/patches/xfce4-session-fix-xflock4.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/xfce.scm (xfce4-session)[source]: Add patch. --- gnu-system.am | 1 + .../patches/xfce4-session-fix-xflock4.patch | 31 ++++++++++++++++++++++ gnu/packages/xfce.scm | 5 +++- 3 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/xfce4-session-fix-xflock4.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index d8430b4732..575c6f53f6 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -687,6 +687,7 @@ dist_patch_DATA = \ gnu/packages/patches/xf86-video-trident-remove-mibstore.patch \ gnu/packages/patches/xf86-video-vmware-glibc-2.20.patch \ gnu/packages/patches/xfce4-panel-plugins.patch \ + gnu/packages/patches/xfce4-session-fix-xflock4.patch \ gnu/packages/patches/xfce4-settings-defaults.patch \ gnu/packages/patches/xmodmap-asprintf.patch \ gnu/packages/patches/zathura-plugindir-environment-variable.patch diff --git a/gnu/packages/patches/xfce4-session-fix-xflock4.patch b/gnu/packages/patches/xfce4-session-fix-xflock4.patch new file mode 100644 index 0000000000..74769e4257 --- /dev/null +++ b/gnu/packages/patches/xfce4-session-fix-xflock4.patch 
@@ -0,0 +1,31 @@ +From cbb9c769316b4d32956a2c78aa01a38b473f0cfc Mon Sep 17 00:00:00 2001 +From: David Thompson +Date: Fri, 30 Oct 2015 08:30:43 -0400 +Subject: [PATCH] xflock4: Do not override PATH with hardcoded value. + +The PATH "/bin:/usr/bin" may not be a valid search path on the user's +machine. The screen locking program may be in /usr/local/bin or +elsewhere. Distros that do not conform to the FHS, such as GuixSD and +NixOS, will not have their executables in either location. Thus, we +simply leave PATH alone. +--- + scripts/xflock4 | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/scripts/xflock4 b/scripts/xflock4 +index ec4d05d..e7981ac 100644 +--- a/scripts/xflock4 ++++ b/scripts/xflock4 +@@ -21,9 +21,6 @@ + # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + # + +-PATH=/bin:/usr/bin +-export PATH +- + # Lock by xscreensaver or gnome-screensaver, if a respective daemon is running + for lock_cmd in \ + "xscreensaver-command -lock" \ +-- +2.5.0 + diff --git a/gnu/packages/xfce.scm b/gnu/packages/xfce.scm index e42c58050d..914012625f 100644 --- a/gnu/packages/xfce.scm +++ b/gnu/packages/xfce.scm @@ -421,7 +421,10 @@ your system in categories, so you can quickly find and launch them.") "/src/" name "-" version ".tar.bz2")) (sha256 (base32 - "01kvbd09c06j20n155hracsgrq06rlmfgdywffjsvlwpn19m9j38")))) + "01kvbd09c06j20n155hracsgrq06rlmfgdywffjsvlwpn19m9j38")) + (patches + ;; See: https://bugzilla.xfce.org/show_bug.cgi?id=12282 + (list (search-patch "xfce4-session-fix-xflock4.patch"))))) (build-system gnu-build-system) (arguments '(#:configure-flags -- cgit 1.4.1 From 3c3e69728c10bcdffa0c597b2b80a482361aea14 Mon Sep 17 00:00:00 2001 
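Review bot: With the `PATH=/bin:/usr/bin` reset removed from scripts/xflock4, the lock commands in the `for lock_cmd in` loop (`xscreensaver-command -lock` and the others) are resolved through whatever PATH the calling session carries. Which screen locker runs then depends on the environment rather than on the package. The patch description explains why the fixed value cannot work on non-FHS systems, but it does not say what the script relies on instead; a line such as `# PATH is inherited from the session; lock commands are looked up there.` at the removed spot would make that explicit. If the lockers are known at build time, substituting their absolute file names during the build would avoid the lookup altogether; whether that fits this package is not visible here. The loop continues outside the hunk.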
From: Ludovic Courtès Date: Sat, 31 Oct 2015 13:17:23 +0100 Subject: gnu: guitarix: Compile in C++11 mode. * gnu/packages/patches/guitarix-c++11.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/audio.scm (guitarix)[source]: Use it. [arguments]: Add --cxxflags to #:configure-flags. --- gnu-system.am | 1 + gnu/packages/audio.scm | 6 +- gnu/packages/patches/guitarix-c++11.patch | 297 ++++++++++++++++++++++++++++++ 3 files changed, 302 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/guitarix-c++11.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index 0ee4eebeef..3b7e62ce7d 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -495,6 +495,7 @@ dist_patch_DATA = \ gnu/packages/patches/guile-present-coding.patch \ gnu/packages/patches/guile-relocatable.patch \ gnu/packages/patches/guile-rsvg-pkgconfig.patch \ + gnu/packages/patches/guitarix-c++11.patch \ gnu/packages/patches/gtkglext-disable-disable-deprecated.patch \ gnu/packages/patches/hop-bigloo-4.0b.patch \ gnu/packages/patches/hop-linker-flags.patch \ diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm index 404a5d9d62..92ece7a47e 100644 --- a/gnu/packages/audio.scm +++ b/gnu/packages/audio.scm @@ -536,7 +536,8 @@ patches that can be used with softsynths such as Timidity and WildMidi.") version ".tar.bz2")) (sha256 (base32 - "1w6dg2n0alfjsx1iy6s53783invygwxk11p1i65cc3nq3zlidcgx")))) + "1w6dg2n0alfjsx1iy6s53783invygwxk11p1i65cc3nq3zlidcgx")) + (patches (list (search-patch "guitarix-c++11.patch"))))) (build-system waf-build-system) (arguments `(#:tests? #f ; no "check" target 
@@ -544,7 +545,8 @@ patches that can be used with softsynths such as Timidity and WildMidi.")
 #:configure-flags
 (list
 ;; Add the output lib directory to the RUNPATH.
- (string-append "--ldflags=-Wl,-rpath=" %output "/lib"))))
+ (string-append "--ldflags=-Wl,-rpath=" %output "/lib")
+ "--cxxflags=-std=c++11")))
 (inputs
 `(("libsndfile" ,libsndfile)
 ("boost" ,boost)
diff --git a/gnu/packages/patches/guitarix-c++11.patch b/gnu/packages/patches/guitarix-c++11.patch
new file mode 100644
index 0000000000..599855a223
--- /dev/null
+++ b/gnu/packages/patches/guitarix-c++11.patch
@@ -0,0 +1,297 @@ +Work around a C++11 incompatibility when compiling the gperf-generated +'jsonrpc_methods.cc' with -std=c++11: + + default/src/gx_head/engine/jsonrpc_methods.cc: In function ‘const CmdConnection::methodnames* in_word_set(const char*, unsigned int)’: + default/src/gx_head/engine/jsonrpc_methods.cc:211:26: error: reference to ‘hash’ is ambiguous + register int key = hash (str, len); + ^ +The solution is to run 'gperf -L C++' so that it generates code with +appropriate C++ name-spacing to avoid the ambiguity. + +--- guitarix-0.33.0/tools/make_jsonrpc_methods 2015-10-31 12:45:52.756587435 +0100 ++++ guitarix-0.33.0/tools/make_jsonrpc_methods 2015-10-31 12:47:02.801103366 +0100 +@@ -14,7 +14,7 @@ def add_enums(template_name, hashtable_n + hashtable = open(hashtable_name, "w") + hashtable.write(headline) + hashtable.flush() +- gperf = Popen(gperf_program, stdin=PIPE, stdout=hashtable) ++ gperf = Popen([gperf_program, "-L", "C++"], stdin=PIPE, stdout=hashtable) + enumlist = [] + section = 0 + in_comment = False + +--- guitarix-0.33.0/src/gx_head/engine/jsonrpc.cpp 2015-10-31 12:50:33.934647842 +0100 ++++ guitarix-0.33.0/src/gx_head/engine/jsonrpc.cpp 2015-10-31 12:50:51.238773730 +0100 +@@ -1171,7 +1171,7 @@ bool CmdConnection::request(gx_system::J + } + } + jp.next(gx_system::JsonParser::end_object); +- const methodnames *p = in_word_set(method.c_str(), method.size()); ++ const methodnames *p = Perfect_Hash::in_word_set(method.c_str(), method.size()); + if (!p) { + throw RpcError(-32601, Glib::ustring::compose("Method not found -- '%1'", method)); + } + + +The following part is adapted from an upstream patch for the new libsigc++. 
+ +commit 001aa683814a7bf4537882c7c3acf1dafd851cd5 +Author: Hermann Meyer +Date: Sat Oct 31 09:33:16 2015 +0100 + + * fix libsigc++ removes sigc::group + +diff --git a/src/gx_head/gui/avahi_discover.cpp b/src/gx_head/gui/avahi_discover.cpp +index c49746e..88993c2 100644 +--- a/src/gx_head/gui/avahi_discover.cpp ++++ b/src/gx_head/gui/avahi_discover.cpp +@@ -193,7 +193,9 @@ SelectInstance::SelectInstance(gx_system::CmdlineOptions& options, Gtk::Window * + win->signal_response().connect(sigc::mem_fun(this, &SelectInstance::on_response)); + bld->get_widget("treeview", view); + view->signal_row_activated().connect( +- sigc::group(sigc::mem_fun(win, &Gtk::Dialog::response), 1)); ++ sigc::mem_fun(this,&SelectInstance::on_row)); ++ //view->signal_row_activated().connect( ++ //sigc::group(sigc::mem_fun(win, &Gtk::Dialog::response), 1)); + view->set_model(Gtk::ListStore::create(cols)); + view->get_selection()->set_mode(Gtk::SELECTION_BROWSE); + view->get_selection()->signal_changed().connect( +@@ -242,6 +244,10 @@ void SelectInstance::on_avahi_changed() { + } + } + ++void SelectInstance::on_row(const Gtk::TreePath& path, Gtk::TreeViewColumn* column) { ++ on_response(1); ++} ++ + void SelectInstance::on_response(int response_id) { + if (response_id == 1) { + Gtk::TreeIter i = view->get_selection()->get_selected(); +diff --git a/src/gx_head/gui/gx_main.cpp b/src/gx_head/gui/gx_main.cpp +index d1ad329..a207aa6 100644 +--- a/src/gx_head/gui/gx_main.cpp ++++ b/src/gx_head/gui/gx_main.cpp +@@ -281,8 +281,10 @@ void ErrorPopup::show_msg() { + align->set_padding(50,20,0,10); + Gtk::VBox *vbox = dynamic_cast(dialog->get_child()); + vbox->set_redraw_on_allocate(true); +- vbox->signal_expose_event().connect( +- sigc::group(&gx_cairo::error_box_expose,GTK_WIDGET(vbox->gobj()),sigc::_1,(void*)0),false); ++ g_signal_connect(GTK_WIDGET(vbox->gobj()), "expose-event", ++ G_CALLBACK(gx_cairo::error_box_expose), NULL); ++ // vbox->signal_expose_event().connect( ++ 
//sigc::group(&gx_cairo::error_box_expose,GTK_WIDGET(vbox->gobj()),sigc::_1,(void*)0),false); + dialog->set_title(_("GUITARIX ERROR")); + dialog->signal_response().connect( + sigc::mem_fun(*this, &ErrorPopup::on_response)); +@@ -306,9 +308,11 @@ GxSplashBox::GxSplashBox() + : Gtk::Window(Gtk::WINDOW_POPUP) { + set_redraw_on_allocate(true); + set_app_paintable(); +- signal_expose_event().connect( +- sigc::group(&gx_cairo::splash_expose, GTK_WIDGET(gobj()), +- sigc::_1, (void*)0), false); ++ g_signal_connect(GTK_WIDGET(gobj()), "expose-event", ++ G_CALLBACK(gx_cairo::splash_expose), NULL); ++ //signal_expose_event().connect( ++ // sigc::group(&gx_cairo::splash_expose, GTK_WIDGET(gobj()), ++ // sigc::_1, (void*)0), false); + set_decorated(false); + set_type_hint(Gdk::WINDOW_TYPE_HINT_SPLASHSCREEN); + set_position(Gtk::WIN_POS_CENTER ); +diff --git a/src/gx_head/gui/gx_main_window.cpp b/src/gx_head/gui/gx_main_window.cpp +index 23c9ae6..eb0e201 100644 +--- a/src/gx_head/gui/gx_main_window.cpp ++++ b/src/gx_head/gui/gx_main_window.cpp +@@ -1303,6 +1303,23 @@ void MainWindow::on_log_activate() { + fLoggingWindow.hide(); + } + } ++// show loggingbox ++bool MainWindow::on_log_activated(GdkEventButton* ev) { ++ if (ev->type == GDK_BUTTON_PRESS && ev->button == 1) { ++ if (!actions.loggingbox->get_active()) { ++ actions.loggingbox->set_active(true); ++ gint rxorg, ryorg; ++ window->get_position(rxorg, ryorg); ++ fLoggingWindow.move(rxorg+5, ryorg+272); ++ fLoggingWindow.show_all(); ++ on_msg_level_changed(); ++ } else { ++ fLoggingWindow.hide(); ++ actions.loggingbox->set_active(false); ++ } ++ } ++ return true; ++} + + void MainWindow::on_engine_toggled() { + gx_engine::GxEngineState s; +@@ -2119,6 +2136,14 @@ bool MainWindow::on_toggle_mute(GdkEventButton* ev) { + return true; + } + ++bool MainWindow::on_jackserverconnection(GdkEventButton* ev) { ++ if (ev->type == GDK_BUTTON_PRESS && ev->button == 1) { ++ bool v = actions.jackserverconnection->get_active(); ++ 
actions.jackserverconnection->set_active(!v); ++ } ++ return true; ++} ++ + void MainWindow::on_msg_level_changed() { + switch (fLoggingWindow.get_unseen_msg_level()) { + case GxLogger::kWarning: logstate_image->set(pixbuf_log_yellow); break; +@@ -2683,12 +2708,14 @@ MainWindow::MainWindow(gx_engine::GxMachineBase& machine_, gx_system::CmdlineOpt + */ + if (jack) { + jackd_image->set(pixbuf_jack_disconnected); +- jackd_image->get_parent()->signal_button_press_event().connect( +- sigc::bind_return( +- sigc::group( +- sigc::ptr_fun(toggle_action), +- actions.jackserverconnection), +- true)); ++ jackd_image->get_parent()->signal_button_press_event().connect( ++ sigc::mem_fun(*this, &MainWindow::on_jackserverconnection)); ++ //jackd_image->get_parent()->signal_button_press_event().connect( ++ // sigc::bind_return( ++ // sigc::group( ++ // sigc::ptr_fun(toggle_action), ++ // actions.jackserverconnection), ++ // true)); + } else { + jackd_image->hide(); + } +@@ -2823,11 +2850,14 @@ MainWindow::MainWindow(gx_engine::GxMachineBase& machine_, gx_system::CmdlineOpt + false)); + on_msg_level_changed(); + logstate_image->get_parent()->signal_button_press_event().connect( +- sigc::bind_return( +- sigc::group( +- sigc::ptr_fun(toggle_action), +- actions.loggingbox), +- true)); ++ sigc::mem_fun(*this, &MainWindow::on_log_activated)); ++ ++ //logstate_image->get_parent()->signal_button_press_event().connect( ++ //sigc::bind_return( ++ // sigc::group( ++ // sigc::ptr_fun(toggle_action), ++ // actions.loggingbox), ++ // true)); + + /* + ** load plugin definitions into plugin_dict, add to effects_toolpalette +diff --git a/src/gx_head/gui/gx_portmap.cpp b/src/gx_head/gui/gx_portmap.cpp +index d8a6ae6..e711ee7 100644 +--- a/src/gx_head/gui/gx_portmap.cpp ++++ b/src/gx_head/gui/gx_portmap.cpp +@@ -578,12 +578,16 @@ PortMapWindow::PortMapWindow(Glib::RefPtr bld, gx_jack::GxJac + b->set_name("rack_button"); + Gtk::VBox *vbox1; + bld->find_widget("dialog-vbox1", vbox1); +- 
vbox1->signal_expose_event().connect( +- sigc::group(&gx_cairo::rectangle_skin_color_expose,GTK_WIDGET(vbox1->gobj()),sigc::_1,(void*)0),false); ++ g_signal_connect(GTK_WIDGET(vbox1->gobj()), "expose-event", ++ G_CALLBACK(gx_cairo::rectangle_skin_color_expose), NULL); ++ // vbox1->signal_expose_event().connect( ++ //sigc::group(&gx_cairo::rectangle_skin_color_expose,GTK_WIDGET(vbox1->gobj()),sigc::_1,(void*)0),false); + Gtk::VBox *vbox2; + bld->find_widget("dialog-vbox2", vbox2); +- vbox2->signal_expose_event().connect( +- sigc::group(&gx_cairo::rectangle_skin_color_expose,GTK_WIDGET(vbox2->gobj()),sigc::_1,(void*)0),false); ++ g_signal_connect(GTK_WIDGET(vbox2->gobj()), "expose-event", ++ G_CALLBACK(gx_cairo::rectangle_skin_color_expose), NULL); ++ // vbox2->signal_expose_event().connect( ++// sigc::group(&gx_cairo::rectangle_skin_color_expose,GTK_WIDGET(vbox2->gobj()),sigc::_1,(void*)0),false); + vbox1->set_redraw_on_allocate(true); + vbox2->set_redraw_on_allocate(true); + for (int i = 0; i < number_of_ports; ++i) { +diff --git a/src/headers/avahi_discover.h b/src/headers/avahi_discover.h +index 5af5949..b6f523a 100644 +--- a/src/headers/avahi_discover.h ++++ b/src/headers/avahi_discover.h +@@ -91,6 +91,7 @@ private: + } cols; + private: + void on_response(int response_id); ++ void on_row(const Gtk::TreePath& path, Gtk::TreeViewColumn* column); + void on_avahi_changed(); + void on_selection_changed(); + public: +diff --git a/src/headers/gx_main_window.h b/src/headers/gx_main_window.h +index 3b54285..e7c02ce 100644 +--- a/src/headers/gx_main_window.h ++++ b/src/headers/gx_main_window.h +@@ -720,6 +720,7 @@ private: + void on_load_ladspa(); + void delete_select_jack_control(); + void on_log_activate(); ++ bool on_log_activated(GdkEventButton* ev); + void do_program_change(int pgm); + void on_engine_toggled(); + void on_engine_state_change(gx_engine::GxEngineState state); +@@ -728,6 +729,7 @@ private: + void setup_tuner_temperament(Gxw::RackTuner& tuner); + void 
setup_tuner(Gxw::RackTuner& tuner); + bool on_toggle_mute(GdkEventButton* ev); ++ bool on_jackserverconnection(GdkEventButton* ev); + void on_msg_level_changed(); + void on_ampdetail_switch(bool compress, bool setparam); + void on_show_oscilloscope(bool v); + +The following is adapted from this upstream patch, which does a whole +bunch of unrelated things. + +commit 44ab541a5a846c0b3832f4225d1ae92183d55550 +Author: Hermann Meyer +Date: Fri Oct 30 08:47:42 2015 +0100 + + * add 53 tet tuner option + * add online preset download widget (requiers libwebkit-1.0 + * fix bug #27 + * fix build fail with c++11 system libs (make c++11 default) + +--- a/src/LV2/gx_amp.lv2/gxamp_gui.cpp ++++ b/src/LV2/gx_amp.lv2/gxamp_gui.cpp +@@ -124,7 +124,7 @@ void GXPluginGUI::set_skin() + gtk_rc_parse_string (toparse.c_str()); + } + +-inline std::string to_string(long long _Val) ++inline std::string t_string(long long _Val) + { // convert int to string + char _Buf[128]; + sprintf(_Buf, "%lld", _Val); +@@ -136,7 +136,7 @@ void GXPluginGUI::set_plug_name() + // Here the plugin should have different name for different amp..... 
+ addKnob = ""; + plugskin = "amp21.png"; +- plug_name = "GUITARIXLV2" + to_string(reinterpret_cast(this)); ++ plug_name = "GUITARIXLV2" + t_string(reinterpret_cast(this)); + //fprintf(stderr,"%s",plug_name.c_str()); + } + +diff --git a/src/LV2/gx_amp_stereo.lv2/gxamp_stereo_gui.cpp b/src/LV2/gx_amp_stereo.lv2/gxamp_stereo_gui.cpp +index d5947ee..edc1caa 100644 +--- a/src/LV2/gx_amp_stereo.lv2/gxamp_stereo_gui.cpp ++++ b/src/LV2/gx_amp_stereo.lv2/gxamp_stereo_gui.cpp +@@ -124,7 +124,7 @@ void GXPluginGUI::set_skin() + gtk_rc_parse_string (toparse.c_str()); + } + +-inline std::string to_string(long long _Val) ++inline std::string t_string(long long _Val) + { // convert int to string + char _Buf[128]; + sprintf(_Buf, "%lld", _Val); +@@ -135,7 +135,7 @@ void GXPluginGUI::set_plug_name() + { + addKnob = ""; + plugskin = "amp21.png"; +- plug_name = "GUITARIXLV2" + to_string(reinterpret_cast(this)); ++ plug_name = "GUITARIXLV2" + t_string(reinterpret_cast(this)); + } + + GtkWidget* GXPluginGUI::make_gui() -- cgit 1.4.1 From f1339551221c3fb220939cd1e8404785af96a8af Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Sun, 1 Nov 2015 09:39:13 +0200 Subject: gnu: gsl: Update to 2.0. * gnu/packages/maths.scm (gsl): Update to 2.0. [source]: Remove patches. * gnu/packages/patches/gsl-poly-test-fix-pt1.patch, gnu/packages/patches/gsl-poly-test-fix-pt2.patch: Remove files. * gnu-system.am (dist_patch_DATA): Remove patches. --- gnu-system.am | 2 - gnu/packages/maths.scm | 6 +- gnu/packages/patches/gsl-poly-test-fix-pt1.patch | 84 ------------------------ gnu/packages/patches/gsl-poly-test-fix-pt2.patch | 27 -------- 4 files changed, 2 insertions(+), 117 deletions(-) delete mode 100644 gnu/packages/patches/gsl-poly-test-fix-pt1.patch delete mode 100644 gnu/packages/patches/gsl-poly-test-fix-pt2.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index f140ab6be8..36e7b6e937 100644 --- a/gnu-system.am +++ b/gnu-system.am 
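Review bot: The part adapted from the libsigc++ commit keeps every replaced `sigc::group` call as commented-out code next to its replacement (in avahi_discover.cpp, gx_main.cpp, gx_main_window.cpp and gx_portmap.cpp), which makes those hunks much longer in a patch that has to be re-read at every guitarix update. Since the text says this part is adapted rather than copied, the `//`-prefixed old calls could be dropped so the patch carries only the lines that change behaviour. The new `SelectInstance::on_row` ignores both of its parameters; a one-line comment such as `// row activation is treated as response 1` would state that this is intended.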
@@ -485,8 +485,6 @@ dist_patch_DATA = \ gnu/packages/patches/grep-CVE-2015-1345.patch \ gnu/packages/patches/grub-gets-undeclared.patch \ gnu/packages/patches/grub-freetype.patch \ - gnu/packages/patches/gsl-poly-test-fix-pt1.patch \ - gnu/packages/patches/gsl-poly-test-fix-pt2.patch \ gnu/packages/patches/guile-1.8-cpp-4.5.patch \ gnu/packages/patches/guile-arm-fixes.patch \ gnu/packages/patches/guile-default-utf8.patch \ diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm index b4b930de47..1aba3623a3 100644 --- a/gnu/packages/maths.scm +++ b/gnu/packages/maths.scm @@ -149,7 +149,7 @@ semiconductors.") (define-public gsl (package (name "gsl") - (version "1.16") + (version "2.0") (source (origin (method url-fetch) @@ -157,9 +157,7 @@ semiconductors.") version ".tar.gz")) (sha256 (base32 - "0lrgipi0z6559jqh82yx8n4xgnxkhzj46v96dl77hahdp58jzg3k")) - (patches (map search-patch '("gsl-poly-test-fix-pt1.patch" - "gsl-poly-test-fix-pt2.patch"))))) + "0bfahlsgil0695104a44c3c8vjkyvxmg3s92371fddcrj6qz0qg3")))) (build-system gnu-build-system) (arguments `(#:parallel-tests? #f diff --git a/gnu/packages/patches/gsl-poly-test-fix-pt1.patch b/gnu/packages/patches/gsl-poly-test-fix-pt1.patch deleted file mode 100644 index 3d1ed4243c..0000000000 --- a/gnu/packages/patches/gsl-poly-test-fix-pt1.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 9cc12d0377dd634b1b97954d076b715f982853b7 Mon Sep 17 00:00:00 2001 -From: Patrick Alken -Date: Fri, 4 Apr 2014 13:36:16 -0600 -Subject: [PATCH] bug fix in sorting of complex numbers (bug #39055) - ---- - poly/test.c | 49 ++++++++++++++++++++++++++++++------------------- - 1 file changed, 30 insertions(+), 19 deletions(-) - -diff --git a/poly/test.c b/poly/test.c -index 9c147f6..d090802 100644 ---- a/poly/test.c -+++ b/poly/test.c -@@ -25,11 +25,21 @@ - #include - #include - -+/* sort by Re(z) then by Im(z) */ - static int - cmp_cplx(const double *a, const double *b) - { -- double t = (a[0] * a[0] + a[1] * a[1]) - (b[0] * b[0] + b[1] * b[1]); -- return t < 0.0 ? -1 : t > 0.0 ? 1 : 0; -+ double r = a[0] - b[0]; -+ -+ if (r == 0.0) -+ { -+ double t = a[1] - b[1]; -+ return t < 0.0 ? -1 : t > 0.0 ? 1 : 0; -+ } -+ else if (r < 0.0) -+ return -1; -+ else -+ return 1; - } - - int -@@ -534,25 +544,26 @@ main (void) - Problem reported by Munagala Ramanath (bug #39055) - */ - -- double a[16] = { 32, -48, -8, 28, -8, 16, -16, 12, -16, 6, 10, -17, 10, 2, -4, 1 }; -+ double a[16] = { 32, -48, -8, 28, -8, 16, -16, 12, -+ -16, 6, 10, -17, 10, 2, -4, 1 }; - double z[16*2]; - -- double expected[16*20] = { -- 1.0000000000000000, 0.00000000000000000, -- 1.0000000000000000, 0.00000000000000000, -- -1.0000000000000000, 0.00000000000000000, -- -0.65893856175240950, 0.83459757287426684, -- -0.65893856175240950, -0.83459757287426684, -- -0.070891117403341281, -1.1359249087587791, -- -0.070891117403341281, 1.1359249087587791, -- 1.1142366961812986, -0.48083981203389980, -- 1.1142366961812986, 0.48083981203389980, -- -1.3066982484920768, 0.00000000000000000, -- 0.57284747839410854, 1.1987808988289705, -- 0.57284747839410854, -1.1987808988289705, -- -1.6078107423472359, 0.00000000000000000, -- 2.0000000000000000, 0.00000000000000000, -- 2.0000000000000000, 0.00000000000000000 }; -+ double expected[16*2] = { -+ -1.6078107423472359, 0.00000000000000000, -+ 
-1.3066982484920768, 0.00000000000000000, -+ -1.0000000000000000, 0.00000000000000000, -+ -0.65893856175240950, -0.83459757287426684, -+ -0.65893856175240950, 0.83459757287426684, -+ -0.070891117403341281, -1.1359249087587791, -+ -0.070891117403341281, 1.1359249087587791, -+ 0.57284747839410854, -1.1987808988289705, -+ 0.57284747839410854, 1.1987808988289705, -+ 1.0000000000000000, 0.00000000000000000, -+ 1.0000000000000000, 0.00000000000000000, -+ 1.1142366961812986, -0.48083981203389980, -+ 1.1142366961812986, 0.48083981203389980, -+ 2.0000000000000000, 0.00000000000000000, -+ 2.0000000000000000, 0.00000000000000000 }; - - int i; - --- -2.4.3 - diff --git a/gnu/packages/patches/gsl-poly-test-fix-pt2.patch b/gnu/packages/patches/gsl-poly-test-fix-pt2.patch deleted file mode 100644 index 0e6fcf1a53..0000000000 --- a/gnu/packages/patches/gsl-poly-test-fix-pt2.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 0466df8660a7b6ddf2e082a1ec38bc6ea25a3c5c Mon Sep 17 00:00:00 2001 -From: Patrick Alken -Date: Mon, 7 Apr 2014 10:59:58 -0600 -Subject: [PATCH] change error test for 15th degree polynomial (bug #39055) - ---- - poly/test.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/poly/test.c b/poly/test.c -index d090802..f6a7e3f 100644 ---- a/poly/test.c -+++ b/poly/test.c -@@ -579,8 +579,8 @@ main (void) - - for (i = 0; i<15; i++) - { -- gsl_test_abs (z[2*i], expected[2*i], 1e-7, "z%d.real, 15th-order polynomial", i); -- gsl_test_abs (z[2*i+1], expected[2*i+1], 1e-7, "z%d.imag, 15th-order polynomial", i); -+ gsl_test_rel (z[2*i], expected[2*i], 1e-7, "z%d.real, 15th-order polynomial", i); -+ gsl_test_rel (z[2*i+1], expected[2*i+1], 1e-7, "z%d.imag, 15th-order polynomial", i); - } - } - --- -2.4.3 - -- cgit 1.4.1 From b95bcb8ae0a8a4f5c29bce8f6486a91d6d5441cc Mon Sep 17 00:00:00 2001 
From: Eric Bavier Date: Sun, 1 Nov 2015 09:56:05 -0600 Subject: gnu: Add byobu. * gnu/packages/screen.scm (byobu): New variable. * gnu/packages/patches/byobu-writable-status.patch: New patch. * gnu-system.am (dist_patch_DATA): Add it. --- gnu-system.am | 1 + gnu/packages/patches/byobu-writable-status.patch | 13 ++++++ gnu/packages/screen.scm | 53 ++++++++++++++++++++++++ 3 files changed, 67 insertions(+) create mode 100644 gnu/packages/patches/byobu-writable-status.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index c5b87cc6f4..946b77eeff 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -411,6 +411,7 @@ dist_patch_DATA = \ gnu/packages/patches/bitlbee-configure-doc-fix.patch \ gnu/packages/patches/bluez-tests.patch \ gnu/packages/patches/boost-mips-avoid-m32.patch \ + gnu/packages/patches/byobu-writable-status.patch \ gnu/packages/patches/calibre-drop-unrar.patch \ gnu/packages/patches/calibre-no-updates-dialog.patch \ gnu/packages/patches/cdparanoia-fpic.patch \ diff --git a/gnu/packages/patches/byobu-writable-status.patch b/gnu/packages/patches/byobu-writable-status.patch new file mode 100644 index 0000000000..2858280273 --- /dev/null +++ b/gnu/packages/patches/byobu-writable-status.patch @@ -0,0 +1,13 @@ +Skeleton status files are installed read-only. When copying to the config dir +upon initialization, make sure they end up writable. + +--- byobu-5.98/usr/bin/byobu-janitor.in ++++ byobu-5.98/usr/bin/byobu-janitor.in +@@ -82,6 +82,7 @@ + if [ ! -r "$BYOBU_CONFIG_DIR/$f" ]; then + # Copy from skeleton, if possible + cp -f "$BYOBU_PREFIX/share/$PKG/status/$f" "$BYOBU_CONFIG_DIR/$f" ++ chmod +w "$BYOBU_CONFIG_DIR/$f" + # Enable ec2_cost, if we're in ec2 and seeding a new setup + if metadata_available; then + $BYOBU_SED_INLINE -e "s/#ec2_cost/ec2_cost/g" "$($BYOBU_READLINK -f $BYOBU_CONFIG_DIR/$f)" diff --git a/gnu/packages/screen.scm b/gnu/packages/screen.scm index 84cc8c9dc5..fa5235c115 100644 --- a/gnu/packages/screen.scm 
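Review bot: `chmod +w` without a class letter is filtered through the process umask, so the line added to byobu-janitor.in grants write permission to whichever of user, group and other the umask allows rather than to the owner only. The stated goal is that the user's copy of the status file be writable; `chmod u+w "$BYOBU_CONFIG_DIR/$f"` achieves that regardless of umask and without widening access for anyone else. The enclosing `if` block continues outside the hunk.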
+++ b/gnu/packages/screen.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013 Cyril Roelandt ;;; Copyright © 2014 Mark H Weaver +;;; Copyright © 2015 Eric Bavier ;;; ;;; This file is part of GNU Guix. ;;; @@ -25,6 +26,8 @@ #:use-module (gnu packages) #:use-module (gnu packages ncurses) #:use-module (gnu packages perl) + #:use-module (gnu packages python) + #:use-module (gnu packages slang) #:use-module (gnu packages texinfo)) (define-public screen 
@@ -90,3 +93,53 @@ view to show two terminals at once.") allowing you to run a program in an environment that is protected from the controlling terminal and attach to it later.") (license gpl2+))) + +(define-public byobu + (package + (name "byobu") + (version "5.98") + (source + (origin + (method url-fetch) + (uri (string-append "https://launchpad.net/byobu/trunk/" + version "/+download/byobu_" + version ".orig.tar.gz")) + (sha256 + (base32 + "1s8nh4wbds1nh52i0d1hy1b308jjf4siwpq92lna1zh9ll4x71j5")) + (patches (list (search-patch "byobu-writable-status.patch"))))) + (build-system gnu-build-system) + (inputs + `(("python" ,python-wrapper) ;for config and session GUIs + ("python-newt" ,newt "python"))) + (arguments + `(#:phases + (modify-phases %standard-phases + (add-before + 'configure 'provide-locale + (lambda* (#:key inputs #:allow-other-keys) + (let ((libc (assoc-ref inputs "libc"))) ;implicit input + (substitute* "usr/bin/byobu.in" + (("locale") (string-append libc "/bin/locale")))))) + (add-after + 'install 'wrap-python-scripts + (lambda* (#:key inputs outputs #:allow-other-keys) + (let* ((python (string-append (assoc-ref inputs "python") + "/bin/python")) + (out (assoc-ref outputs "out")) + (config (string-append out "/bin/byobu-config")) + (select (string-append out "/bin/byobu-select-session"))) + (wrap-program config + `("BYOBU_PYTHON" = (,python)) + `("PYTHONPATH" ":" prefix (,(getenv "PYTHONPATH")))) + (wrap-program select + `("BYOBU_PYTHON" = (,python))) + #t)))))) + (home-page "http://byobu.co/index.html") + (synopsis "Text-based window manager and terminal multiplexer") + (description + "Byobu is a Japanese term for decorative, multi-panel screens that serve +as folding room dividers. The Byobu software includes an enhanced profile, +configuration utilities, and system status notifications for the GNU Screen +window manager as well as the Tmux terminal multiplexer.") + (license gpl3+))) -- cgit 1.4.1 
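Review bot: In the `provide-locale` phase, `(("locale") ...)` is an unanchored pattern, so `substitute*` rewrites every occurrence of the string `locale` in usr/bin/byobu.in, including inside longer words or variable names, not only the command invocation. The content of byobu.in is not visible here, so this may be harmless today, but the pattern should match the call site itself, and a comment naming the line it targets would help on the next byobu update. Separately, the `wrap-program` call for byobu-config bakes in `(getenv "PYTHONPATH")` from the build environment; a short comment on what that value is expected to contain (presumably the python-newt output) would document the intent.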
From 0ca1eb705d29c20f901fc385ee4e1bb1eaa52f75 Mon Sep 17 00:00:00 2001 
From: Mark H Weaver Date: Fri, 6 Nov 2015 22:08:30 -0500 Subject: gnu: icecat: Add several security fixes. * gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch, gnu/packages/patches/icecat-CVE-2015-7188.patch, gnu/packages/patches/icecat-CVE-2015-7189.patch, gnu/packages/patches/icecat-CVE-2015-7193.patch, gnu/packages/patches/icecat-CVE-2015-7194.patch, gnu/packages/patches/icecat-CVE-2015-7196.patch, gnu/packages/patches/icecat-CVE-2015-7197.patch, gnu/packages/patches/icecat-CVE-2015-7198.patch, gnu/packages/patches/icecat-CVE-2015-7199.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches. 
--- gnu-system.am | 19 + gnu/packages/gnuzilla.scm | 21 +- .../patches/icecat-CVE-2015-4513-pt01.patch | 36 ++ .../patches/icecat-CVE-2015-4513-pt02.patch | 103 +++++ .../patches/icecat-CVE-2015-4513-pt03.patch | 48 +++ .../patches/icecat-CVE-2015-4513-pt04.patch | 50 +++ .../patches/icecat-CVE-2015-4513-pt05.patch | 25 ++ .../patches/icecat-CVE-2015-4513-pt06.patch | 461 +++++++++++++++++++++ .../patches/icecat-CVE-2015-4513-pt07.patch | 93 +++++ .../patches/icecat-CVE-2015-4513-pt08.patch | 41 ++ .../patches/icecat-CVE-2015-4513-pt09.patch | 65 +++ .../patches/icecat-CVE-2015-4513-pt10.patch | 110 +++++ .../patches/icecat-CVE-2015-4513-pt11.patch | 42 ++ gnu/packages/patches/icecat-CVE-2015-7188.patch | 143 +++++++ gnu/packages/patches/icecat-CVE-2015-7189.patch | 143 +++++++ gnu/packages/patches/icecat-CVE-2015-7193.patch | 397 ++++++++++++++++++ gnu/packages/patches/icecat-CVE-2015-7194.patch | 32 ++ gnu/packages/patches/icecat-CVE-2015-7196.patch | 27 ++ gnu/packages/patches/icecat-CVE-2015-7197.patch | 70 ++++ gnu/packages/patches/icecat-CVE-2015-7198.patch | 27 ++ gnu/packages/patches/icecat-CVE-2015-7199.patch | 84 ++++ 21 files changed, 2036 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch create 
mode 100644 gnu/packages/patches/icecat-CVE-2015-7188.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7189.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7193.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7194.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7196.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7197.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7198.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7199.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index 946b77eeff..f3ded69a78 100644 --- a/gnu-system.am +++ b/gnu-system.am 
@@ -500,6 +500,25 @@ dist_patch_DATA = \
 gnu/packages/patches/hwloc-gather-topology-lstopo.patch \
 gnu/packages/patches/hydra-automake-1.15.patch \
 gnu/packages/patches/hydra-disable-darcs-test.patch \
+ gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch \
+ gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch \
+ gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch \
+ gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch \
+ gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch \
+ gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch \
+ gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch \
+ gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch \
+ gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch \
+ gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch \
+ gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch \
+ gnu/packages/patches/icecat-CVE-2015-7188.patch \
+ gnu/packages/patches/icecat-CVE-2015-7189.patch \
+ gnu/packages/patches/icecat-CVE-2015-7193.patch \
+ gnu/packages/patches/icecat-CVE-2015-7194.patch \
+ gnu/packages/patches/icecat-CVE-2015-7196.patch \
+ gnu/packages/patches/icecat-CVE-2015-7197.patch \
+ gnu/packages/patches/icecat-CVE-2015-7198.patch \
+ gnu/packages/patches/icecat-CVE-2015-7199.patch \
 gnu/packages/patches/icecat-avoid-bundled-includes.patch \
 gnu/packages/patches/icecat-freetype-2.6.patch \
 gnu/packages/patches/icu4c-CVE-2014-6585.patch \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 07453989df..49e3b31537 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -239,7 +239,26 @@ standards.") (base32 "0vm6f7f1i5vkq2713mgzjdfnm8rpz9l0q8sv4s123vsam0j9gzh8")) (patches (map search-patch '("icecat-avoid-bundled-includes.patch" - "icecat-freetype-2.6.patch"))) + "icecat-freetype-2.6.patch" + "icecat-CVE-2015-4513-pt01.patch" + "icecat-CVE-2015-4513-pt02.patch" + "icecat-CVE-2015-4513-pt03.patch" + "icecat-CVE-2015-4513-pt04.patch" + "icecat-CVE-2015-4513-pt05.patch" + "icecat-CVE-2015-4513-pt06.patch" + "icecat-CVE-2015-4513-pt07.patch" + "icecat-CVE-2015-4513-pt08.patch" + "icecat-CVE-2015-4513-pt09.patch" + "icecat-CVE-2015-4513-pt10.patch" + "icecat-CVE-2015-4513-pt11.patch" + "icecat-CVE-2015-7188.patch" + "icecat-CVE-2015-7189.patch" + "icecat-CVE-2015-7193.patch" + "icecat-CVE-2015-7194.patch" + "icecat-CVE-2015-7196.patch" + "icecat-CVE-2015-7197.patch" + "icecat-CVE-2015-7198.patch" + "icecat-CVE-2015-7199.patch"))) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch new file mode 100644 index 0000000000..f003e3cf68 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch 
@@ -0,0 +1,36 @@
+From 3df141cb85a530d7ddc3a7555d44235e49341837 Mon Sep 17 00:00:00 2001
+From: Karl Tomlinson
+Date: Sat, 19 Sep 2015 00:51:03 +1200
+Subject: [PATCH] Bug 1206564 - skip copying of listeners. r=roc, a=sylvestre
+
+--HG--
+extra : source : ddd169d6bd65771a6811a3bb223a4a385b101690
+---
+ widget/gtk/nsWindow.cpp | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/widget/gtk/nsWindow.cpp b/widget/gtk/nsWindow.cpp
+index dd1895b..d8e8e42 100644
+--- a/widget/gtk/nsWindow.cpp
++++ b/widget/gtk/nsWindow.cpp
+@@ -461,12 +461,11 @@ nsWindow::DispatchDeactivateEvent(void)
+ void
+ nsWindow::DispatchResized(int32_t aWidth, int32_t aHeight)
+ {
+- nsIWidgetListener *listeners[] =
+- { mWidgetListener, mAttachedWidgetListener };
+- for (size_t i = 0; i < ArrayLength(listeners); ++i) {
+- if (listeners[i]) {
+- listeners[i]->WindowResized(this, aWidth, aHeight);
+- }
++ if (mWidgetListener) {
++ mWidgetListener->WindowResized(this, aWidth, aHeight);
++ }
++ if (mAttachedWidgetListener) {
++ mAttachedWidgetListener->WindowResized(this, aWidth, aHeight);
+ }
+ }
+
+--
+2.5.0
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch
new file mode 100644
index 0000000000..9a77ed908b
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch
@@ -0,0 +1,103 @@ +From d463cb5f0374bfc7c62ae5f1c89edd3ca35084e5 Mon Sep 17 00:00:00 2001 +From: Olli Pettay +Date: Thu, 24 Sep 2015 03:53:31 +0300 +Subject: [PATCH] Bug 1204669 - optimize out hashtable lookups caused by extra + GetPrototypeBinding call, r=bz,waldo, a=al + +--HG-- +extra : source : 91657db26f49f885f2338cb8c9302cdf18999f1f +--- + dom/xbl/nsXBLPrototypeBinding.h | 9 +++++++-- + dom/xbl/nsXBLService.cpp | 6 +++--- + mfbt/WeakPtr.h | 8 +++++++- + 3 files changed, 17 insertions(+), 6 deletions(-) + +diff --git a/dom/xbl/nsXBLPrototypeBinding.h b/dom/xbl/nsXBLPrototypeBinding.h +index be2cb5a..1aaa07f 100644 +--- a/dom/xbl/nsXBLPrototypeBinding.h ++++ b/dom/xbl/nsXBLPrototypeBinding.h +@@ -17,6 +17,7 @@ + #include "nsXBLProtoImplMethod.h" + #include "nsXBLPrototypeHandler.h" + #include "nsXBLPrototypeResources.h" ++#include "mozilla/WeakPtr.h" + + class nsIAtom; + class nsIContent; +@@ -35,9 +36,12 @@ class CSSStyleSheet; + // Instances of this class are owned by the nsXBLDocumentInfo object returned + // by XBLDocumentInfo(). Consumers who want to refcount things should refcount + // that. +-class nsXBLPrototypeBinding final ++class nsXBLPrototypeBinding final : ++ public mozilla::SupportsWeakPtr + { + public: ++ MOZ_DECLARE_WEAKREFERENCE_TYPENAME(nsXBLPrototypeBinding) ++ + nsIContent* GetBindingElement() const { return mBinding; } + void SetBindingElement(nsIContent* aElement); + +@@ -289,7 +293,8 @@ protected: + nsXBLProtoImpl* mImplementation; // Our prototype implementation (includes methods, properties, fields, + // the constructor, and the destructor). + +- nsXBLPrototypeBinding* mBaseBinding; // Weak. The docinfo will own our base binding. ++ // Weak. The docinfo will own our base binding. 
++ mozilla::WeakPtr mBaseBinding; + bool mInheritStyle; + bool mCheckedBaseProto; + bool mKeyHandlersRegistered; +diff --git a/dom/xbl/nsXBLService.cpp b/dom/xbl/nsXBLService.cpp +index 2204520..978c6fc 100644 +--- a/dom/xbl/nsXBLService.cpp ++++ b/dom/xbl/nsXBLService.cpp +@@ -732,7 +732,8 @@ nsXBLService::GetBinding(nsIContent* aBoundElement, nsIURI* aURI, + if (!docInfo) + return NS_ERROR_FAILURE; + +- nsXBLPrototypeBinding* protoBinding = docInfo->GetPrototypeBinding(ref); ++ WeakPtr protoBinding = ++ docInfo->GetPrototypeBinding(ref); + + if (!protoBinding) { + #ifdef DEBUG +@@ -783,7 +784,7 @@ nsXBLService::GetBinding(nsIContent* aBoundElement, nsIURI* aURI, + NS_ENSURE_SUCCESS(rv, rv); + + nsCOMPtr baseBindingURI; +- nsXBLPrototypeBinding* baseProto = protoBinding->GetBasePrototype(); ++ WeakPtr baseProto = protoBinding->GetBasePrototype(); + if (baseProto) { + baseBindingURI = baseProto->BindingURI(); + } +@@ -828,7 +829,6 @@ nsXBLService::GetBinding(nsIContent* aBoundElement, nsIURI* aURI, + + if (!aPeekOnly) { + // Make a new binding +- protoBinding = docInfo->GetPrototypeBinding(ref); + NS_ENSURE_STATE(protoBinding); + nsXBLBinding *newBinding = new nsXBLBinding(protoBinding); + +diff --git a/mfbt/WeakPtr.h b/mfbt/WeakPtr.h +index 6e5de43..22ba20e 100644 +--- a/mfbt/WeakPtr.h ++++ b/mfbt/WeakPtr.h +@@ -172,7 +172,13 @@ public: + + WeakPtr& operator=(T* aOther) + { +- return *this = aOther->SelfReferencingWeakPtr(); ++ if (aOther) { ++ *this = aOther->SelfReferencingWeakPtr(); ++ } else if (!mRef || mRef->get()) { ++ // Ensure that mRef is dereferenceable in the uninitialized state. ++ mRef = new WeakReference(nullptr); ++ } ++ return *this; + } + + MOZ_IMPLICIT WeakPtr(T* aOther) +-- +2.5.0 + diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch new file mode 100644 index 0000000000..4f86629068 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch 
@@ -0,0 +1,48 @@
+From 88312d4d167aba886fdbd563afcfd5cc96a9d813 Mon Sep 17 00:00:00 2001
+From: Boris Zbarsky
+Date: Fri, 11 Sep 2015 21:59:43 -0400
+Subject: [PATCH] Bug 1191942 - Make sure to not schedule
+ requestAnimationFrame callbacks if animations are paused. r=roc, a=ritu
+
+--HG--
+extra : source : ed8a6af1508ac68a28d017e26935e7a12dbda864
+extra : intermediate-source : 254e3cb723ed279f68b0c88ad30dc35b6a93ce84
+---
+ dom/base/nsDocument.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/dom/base/nsDocument.cpp b/dom/base/nsDocument.cpp
+index 47f611e..087501c 100644
+--- a/dom/base/nsDocument.cpp
++++ b/dom/base/nsDocument.cpp
+@@ -3928,7 +3928,7 @@ void
+ nsDocument::DeleteShell()
+ {
+ mExternalResourceMap.HideViewers();
+- if (IsEventHandlingEnabled()) {
++ if (IsEventHandlingEnabled() && !AnimationsPaused()) {
+ RevokeAnimationFrameNotifications();
+ }
+
+@@ -4687,7 +4687,7 @@ nsDocument::SetScriptGlobalObject(nsIScriptGlobalObject *aScriptGlobalObject)
+ // our layout history state now.
+ mLayoutHistoryState = GetLayoutHistoryState();
+
+- if (mPresShell && !EventHandlingSuppressed()) {
++ if (mPresShell && !EventHandlingSuppressed() && !AnimationsPaused()) {
+ RevokeAnimationFrameNotifications();
+ }
+
+@@ -10276,7 +10276,8 @@ nsIDocument::ScheduleFrameRequestCallback(const FrameRequestCallbackHolder& aCal
+ DebugOnly request =
+ mFrameRequestCallbacks.AppendElement(FrameRequest(aCallback, newHandle));
+ NS_ASSERTION(request, "This is supposed to be infallible!");
+- if (!alreadyRegistered && mPresShell && IsEventHandlingEnabled()) {
++ if (!alreadyRegistered && mPresShell && IsEventHandlingEnabled() &&
++ !AnimationsPaused()) {
+ mPresShell->GetPresContext()->RefreshDriver()->
+ ScheduleFrameRequestCallbacks(this);
+ }
+--
+2.5.0
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch
new file mode 100644
index 0000000000..f6f3cd3585
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch
@@ -0,0 +1,50 @@
+From 97bd3ada2a0ac6eff0e03e6eec8d2012af3bb57d Mon Sep 17 00:00:00 2001
+From: Jan de Mooij
+Date: Mon, 28 Sep 2015 13:30:42 +0200
+Subject: [PATCH] Bug 1205707 part 1 - Clean up some is-TypedArrayObject code
+ in Ion. r=Waldo, a=sylvestre
+
+---
+ js/src/jit/MCallOptimize.cpp | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/js/src/jit/MCallOptimize.cpp b/js/src/jit/MCallOptimize.cpp
+index 7fdede8..2c6a533 100644
+--- a/js/src/jit/MCallOptimize.cpp
++++ b/js/src/jit/MCallOptimize.cpp
+@@ -2122,6 +2122,19 @@ IonBuilder::inlineIsTypedArray(CallInfo& callInfo)
+ return InliningStatus_Inlined;
+ }
+
++static bool
++IsTypedArrayObject(CompilerConstraintList* constraints, MDefinition* def)
++{
++ MOZ_ASSERT(def->type() == MIRType_Object);
++
++ TemporaryTypeSet* types = def->resultTypeSet();
++ if (!types)
++ return false;
++
++ return types->forAllClasses(constraints, IsTypedArrayClass) ==
++ TemporaryTypeSet::ForAllResult::ALL_TRUE;
++}
++
+ IonBuilder::InliningStatus
+ IonBuilder::inlineTypedArrayLength(CallInfo& callInfo)
+ {
+@@ -2132,8 +2145,10 @@ IonBuilder::inlineTypedArrayLength(CallInfo& callInfo)
+ if (getInlineReturnType() != MIRType_Int32)
+ return InliningStatus_NotInlined;
+
+- // We assume that when calling this function we always
+- // have a TypedArray. The native asserts that as well.
++ // Note that the argument we see here is not necessarily a typed array.
++ // If it's not, this call should be unreachable though.
++ if (!IsTypedArrayObject(constraints(), callInfo.getArg(0)))
++ return InliningStatus_NotInlined;
+
+ MInstruction* length = addTypedArrayLength(callInfo.getArg(0));
+ current->push(length);
+--
+2.5.0
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch
new file mode 100644
index 0000000000..b25f2231a7
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch
@@ -0,0 +1,25 @@
+From d91a58cb0094d0421439a915be0b4879a45d20d4 Mon Sep 17 00:00:00 2001
+From: Brian Hackett
+Date: Mon, 12 Oct 2015 17:15:12 -0600
+Subject: [PATCH] Bug 1209471 - Fix group used for Array.concat result,
+ r=jandem. a=al
+
+---
+ js/src/jsarray.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
+index 3d574d5..b4ff057 100644
+--- a/js/src/jsarray.cpp
++++ b/js/src/jsarray.cpp
+@@ -2661,6 +2661,7 @@ js::array_concat(JSContext* cx, unsigned argc, Value* vp)
+ narr = NewDenseEmptyArray(cx);
+ if (!narr)
+ return false;
++ TryReuseArrayGroup(aobj, narr);
+ args.rval().setObject(*narr);
+ length = 0;
+ }
+--
+2.5.0
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch
new file mode 100644
index 0000000000..33dbf68f2c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch
@@ -0,0 +1,461 @@ +From 13b2b587c183e85618868752e05ec46bd5a0af86 Mon Sep 17 00:00:00 2001 +From: Jon Coppeard +Date: Tue, 13 Oct 2015 11:09:12 +0200 +Subject: [PATCH] Bug 1208665 - r=Waldo a=abillings a=sylvestre + +--- + js/public/Utility.h | 49 +++++++++++++++++++++++++++++++++++++-------- + js/src/ds/LifoAlloc.h | 13 ++++++------ + js/src/jit/FixedList.h | 10 +++++---- + js/src/jit/JitAllocPolicy.h | 19 ++++++++++-------- + js/src/jit/LIR.cpp | 3 +-- + js/src/jit/MIRGenerator.h | 7 ++++--- + js/src/jit/MIRGraph.cpp | 2 +- + js/src/jsalloc.h | 14 ++++++++++--- + js/src/vm/MallocProvider.h | 39 ++++++++++++++++-------------------- + js/src/vm/Runtime.h | 10 +++++---- + 10 files changed, 105 insertions(+), 61 deletions(-) + +diff --git a/js/public/Utility.h b/js/public/Utility.h +index 40b5d90..6b750c3 100644 +--- a/js/public/Utility.h ++++ b/js/public/Utility.h +@@ -217,6 +217,36 @@ static inline char* js_strdup(const char* s) + + JS_DECLARE_NEW_METHODS(js_new, js_malloc, static MOZ_ALWAYS_INLINE) + ++namespace js { ++ ++/* ++ * Calculate the number of bytes needed to allocate |numElems| contiguous ++ * instances of type |T|. Return false if the calculation overflowed. ++ */ ++template ++MOZ_WARN_UNUSED_RESULT inline bool ++CalculateAllocSize(size_t numElems, size_t* bytesOut) ++{ ++ *bytesOut = numElems * sizeof(T); ++ return (numElems & mozilla::tl::MulOverflowMask::value) == 0; ++} ++ ++/* ++ * Calculate the number of bytes needed to allocate a single instance of type ++ * |T| followed by |numExtra| contiguous instances of type |Extra|. Return ++ * false if the calculation overflowed. 
++ */ ++template ++MOZ_WARN_UNUSED_RESULT inline bool ++CalculateAllocSizeWithExtra(size_t numExtra, size_t* bytesOut) ++{ ++ *bytesOut = sizeof(T) + numExtra * sizeof(Extra); ++ return (numExtra & mozilla::tl::MulOverflowMask::value) == 0 && ++ *bytesOut >= sizeof(T); ++} ++ ++} /* namespace js */ ++ + template + static MOZ_ALWAYS_INLINE void + js_delete(T* p) +@@ -242,32 +272,34 @@ template + static MOZ_ALWAYS_INLINE T* + js_pod_malloc() + { +- return (T*)js_malloc(sizeof(T)); ++ return static_cast(js_malloc(sizeof(T))); + } + + template + static MOZ_ALWAYS_INLINE T* + js_pod_calloc() + { +- return (T*)js_calloc(sizeof(T)); ++ return static_cast(js_calloc(sizeof(T))); + } + + template + static MOZ_ALWAYS_INLINE T* + js_pod_malloc(size_t numElems) + { +- if (MOZ_UNLIKELY(numElems & mozilla::tl::MulOverflowMask::value)) ++ size_t bytes; ++ if (MOZ_UNLIKELY(!js::CalculateAllocSize(numElems, &bytes))) + return nullptr; +- return (T*)js_malloc(numElems * sizeof(T)); ++ return static_cast(js_malloc(bytes)); + } + + template + static MOZ_ALWAYS_INLINE T* + js_pod_calloc(size_t numElems) + { +- if (MOZ_UNLIKELY(numElems & mozilla::tl::MulOverflowMask::value)) ++ size_t bytes; ++ if (MOZ_UNLIKELY(!js::CalculateAllocSize(numElems, &bytes))) + return nullptr; +- return (T*)js_calloc(numElems * sizeof(T)); ++ return static_cast(js_calloc(bytes)); + } + + template +@@ -275,9 +307,10 @@ static MOZ_ALWAYS_INLINE T* + js_pod_realloc(T* prior, size_t oldSize, size_t newSize) + { + MOZ_ASSERT(!(oldSize & mozilla::tl::MulOverflowMask::value)); +- if (MOZ_UNLIKELY(newSize & mozilla::tl::MulOverflowMask::value)) ++ size_t bytes; ++ if (MOZ_UNLIKELY(!js::CalculateAllocSize(newSize, &bytes))) + return nullptr; +- return (T*)js_realloc(prior, newSize * sizeof(T)); ++ return static_cast(js_realloc(prior, bytes)); + } + + namespace js { +diff --git a/js/src/ds/LifoAlloc.h b/js/src/ds/LifoAlloc.h +index 9dc68c1..35cdc72 100644 +--- a/js/src/ds/LifoAlloc.h ++++ b/js/src/ds/LifoAlloc.h +@@ 
-310,9 +310,10 @@ class LifoAlloc + // The caller is responsible for initialization. + template + T* newArrayUninitialized(size_t count) { +- if (MOZ_UNLIKELY(count & mozilla::tl::MulOverflowMask::value)) ++ size_t bytes; ++ if (MOZ_UNLIKELY(!CalculateAllocSize(count, &bytes))) + return nullptr; +- return static_cast(alloc(sizeof(T) * count)); ++ return static_cast(alloc(bytes)); + } + + class Mark { +@@ -527,16 +528,16 @@ class LifoAllocPolicy + {} + template + T* pod_malloc(size_t numElems) { +- if (MOZ_UNLIKELY(numElems & mozilla::tl::MulOverflowMask::value)) ++ size_t bytes; ++ if (MOZ_UNLIKELY(!CalculateAllocSize(numElems, &bytes))) + return nullptr; +- size_t bytes = numElems * sizeof(T); + void* p = fb == Fallible ? alloc_.alloc(bytes) : alloc_.allocInfallible(bytes); + return static_cast(p); + } + template + T* pod_calloc(size_t numElems) { + T* p = pod_malloc(numElems); +- if (fb == Fallible && !p) ++ if (MOZ_UNLIKELY(!p)) + return nullptr; + memset(p, 0, numElems * sizeof(T)); + return p; +@@ -544,7 +545,7 @@ class LifoAllocPolicy + template + T* pod_realloc(T* p, size_t oldSize, size_t newSize) { + T* n = pod_malloc(newSize); +- if (fb == Fallible && !n) ++ if (MOZ_UNLIKELY(!n)) + return nullptr; + MOZ_ASSERT(!(oldSize & mozilla::tl::MulOverflowMask::value)); + memcpy(n, p, Min(oldSize * sizeof(T), newSize * sizeof(T))); +diff --git a/js/src/jit/FixedList.h b/js/src/jit/FixedList.h +index 9cea3a8..b6b37bb 100644 +--- a/js/src/jit/FixedList.h ++++ b/js/src/jit/FixedList.h +@@ -37,9 +37,10 @@ class FixedList + if (length == 0) + return true; + +- if (MOZ_UNLIKELY(length & mozilla::tl::MulOverflowMask::value)) ++ size_t bytes; ++ if (MOZ_UNLIKELY(!CalculateAllocSize(length, &bytes))) + return false; +- list_ = (T*)alloc.allocate(length * sizeof(T)); ++ list_ = (T*)alloc.allocate(bytes); + return list_ != nullptr; + } + +@@ -60,9 +61,10 @@ class FixedList + size_t newlength = length_ + num; + if (newlength < length_) + return false; +- if 
(MOZ_UNLIKELY(newlength & mozilla::tl::MulOverflowMask::value)) ++ size_t bytes; ++ if (MOZ_UNLIKELY(!CalculateAllocSize(newlength, &bytes))) + return false; +- T* list = (T*)alloc.allocate((length_ + num) * sizeof(T)); ++ T* list = (T*)alloc.allocate(bytes); + if (MOZ_UNLIKELY(!list)) + return false; + +diff --git a/js/src/jit/JitAllocPolicy.h b/js/src/jit/JitAllocPolicy.h +index 4bbd1a3..fca4b3f 100644 +--- a/js/src/jit/JitAllocPolicy.h ++++ b/js/src/jit/JitAllocPolicy.h +@@ -48,12 +48,13 @@ class TempAllocator + return p; + } + +- template +- void* allocateArray(size_t n) ++ template ++ T* allocateArray(size_t n) + { +- if (MOZ_UNLIKELY(n & mozilla::tl::MulOverflowMask::value)) ++ size_t bytes; ++ if (MOZ_UNLIKELY(!CalculateAllocSize(n, &bytes))) + return nullptr; +- void* p = lifoScope_.alloc().alloc(n * ElemSize); ++ T* p = static_cast(lifoScope_.alloc().alloc(bytes)); + if (MOZ_UNLIKELY(!ensureBallast())) + return nullptr; + return p; +@@ -79,9 +80,10 @@ class JitAllocPolicy + {} + template + T* pod_malloc(size_t numElems) { +- if (MOZ_UNLIKELY(numElems & mozilla::tl::MulOverflowMask::value)) ++ size_t bytes; ++ if (MOZ_UNLIKELY(!CalculateAllocSize(numElems, &bytes))) + return nullptr; +- return static_cast(alloc_.allocate(numElems * sizeof(T))); ++ return static_cast(alloc_.allocate(bytes)); + } + template + T* pod_calloc(size_t numElems) { +@@ -112,9 +114,10 @@ class OldJitAllocPolicy + {} + template + T* pod_malloc(size_t numElems) { +- if (MOZ_UNLIKELY(numElems & mozilla::tl::MulOverflowMask::value)) ++ size_t bytes; ++ if (MOZ_UNLIKELY(!CalculateAllocSize(numElems, &bytes))) + return nullptr; +- return static_cast(GetJitContext()->temp->allocate(numElems * sizeof(T))); ++ return static_cast(GetJitContext()->temp->allocate(bytes)); + } + void free_(void* p) { + } +diff --git a/js/src/jit/LIR.cpp b/js/src/jit/LIR.cpp +index 70a3fc0..a76e742 100644 +--- a/js/src/jit/LIR.cpp ++++ b/js/src/jit/LIR.cpp +@@ -105,8 +105,7 @@ LBlock::init(TempAllocator& alloc) + 
+ int numPhis = (phi->type() == MIRType_Value) ? BOX_PIECES : 1; + for (int i = 0; i < numPhis; i++) { +- void* array = alloc.allocateArray(numPreds); +- LAllocation* inputs = static_cast(array); ++ LAllocation* inputs = alloc.allocateArray(numPreds); + if (!inputs) + return false; + +diff --git a/js/src/jit/MIRGenerator.h b/js/src/jit/MIRGenerator.h +index 01de27d..5e6b9ef 100644 +--- a/js/src/jit/MIRGenerator.h ++++ b/js/src/jit/MIRGenerator.h +@@ -60,10 +60,11 @@ class MIRGenerator + } + + template +- T * allocate(size_t count = 1) { +- if (count & mozilla::tl::MulOverflowMask::value) ++ T* allocate(size_t count = 1) { ++ size_t bytes; ++ if (MOZ_UNLIKELY(!CalculateAllocSize(count, &bytes))) + return nullptr; +- return reinterpret_cast(alloc().allocate(sizeof(T) * count)); ++ return static_cast(alloc().allocate(bytes)); + } + + // Set an error state and prints a message. Returns false so errors can be +diff --git a/js/src/jit/MIRGraph.cpp b/js/src/jit/MIRGraph.cpp +index 5d000dca..4c5cf8e 100644 +--- a/js/src/jit/MIRGraph.cpp ++++ b/js/src/jit/MIRGraph.cpp +@@ -297,7 +297,7 @@ MBasicBlock::NewAsmJS(MIRGraph& graph, CompileInfo& info, MBasicBlock* pred, Kin + size_t nphis = block->stackPosition_; + + TempAllocator& alloc = graph.alloc(); +- MPhi* phis = (MPhi*)alloc.allocateArray(nphis); ++ MPhi* phis = alloc.allocateArray(nphis); + if (!phis) + return nullptr; + +diff --git a/js/src/jsalloc.h b/js/src/jsalloc.h +index ce11ade..e20fa5f2 100644 +--- a/js/src/jsalloc.h ++++ b/js/src/jsalloc.h +@@ -53,6 +53,14 @@ class TempAllocPolicy + */ + JS_FRIEND_API(void*) onOutOfMemory(void* p, size_t nbytes); + ++ template ++ T* onOutOfMemoryTyped(void* p, size_t numElems) { ++ size_t bytes; ++ if (MOZ_UNLIKELY(!CalculateAllocSize(numElems, &bytes))) ++ return nullptr; ++ return static_cast(onOutOfMemory(p, bytes)); ++ } ++ + public: + MOZ_IMPLICIT TempAllocPolicy(JSContext* cx) : cx_((ContextFriendFields*) cx) {} // :( + MOZ_IMPLICIT TempAllocPolicy(ContextFriendFields* cx) 
: cx_(cx) {} +@@ -61,7 +69,7 @@ class TempAllocPolicy + T* pod_malloc(size_t numElems) { + T* p = js_pod_malloc(numElems); + if (MOZ_UNLIKELY(!p)) +- p = static_cast(onOutOfMemory(nullptr, numElems * sizeof(T))); ++ p = onOutOfMemoryTyped(nullptr, numElems); + return p; + } + +@@ -69,7 +77,7 @@ class TempAllocPolicy + T* pod_calloc(size_t numElems) { + T* p = js_pod_calloc(numElems); + if (MOZ_UNLIKELY(!p)) +- p = static_cast(onOutOfMemory(reinterpret_cast(1), numElems * sizeof(T))); ++ p = onOutOfMemoryTyped(reinterpret_cast(1), numElems); + return p; + } + +@@ -77,7 +85,7 @@ class TempAllocPolicy + T* pod_realloc(T* prior, size_t oldSize, size_t newSize) { + T* p2 = js_pod_realloc(prior, oldSize, newSize); + if (MOZ_UNLIKELY(!p2)) +- p2 = static_cast(onOutOfMemory(p2, newSize * sizeof(T))); ++ p2 = onOutOfMemoryTyped(p2, newSize); + return p2; + } + +diff --git a/js/src/vm/MallocProvider.h b/js/src/vm/MallocProvider.h +index 1ea4ce2..f334eb1 100644 +--- a/js/src/vm/MallocProvider.h ++++ b/js/src/vm/MallocProvider.h +@@ -64,30 +64,27 @@ struct MallocProvider + client()->updateMallocCounter(numElems * sizeof(T)); + return p; + } +- if (numElems & mozilla::tl::MulOverflowMask::value) { ++ size_t bytes; ++ if (MOZ_UNLIKELY(!CalculateAllocSize(numElems, &bytes))) { + client()->reportAllocationOverflow(); + return nullptr; + } +- return (T*)client()->onOutOfMemory(nullptr, numElems * sizeof(T)); ++ return static_cast(client()->onOutOfMemory(nullptr, bytes)); + } + + template + T* pod_malloc_with_extra(size_t numExtra) { +- if (MOZ_UNLIKELY(numExtra & mozilla::tl::MulOverflowMask::value)) { ++ size_t bytes; ++ if (MOZ_UNLIKELY((!CalculateAllocSizeWithExtra(numExtra, &bytes)))) { + client()->reportAllocationOverflow(); + return nullptr; + } +- size_t bytes = sizeof(T) + numExtra * sizeof(U); +- if (MOZ_UNLIKELY(bytes < sizeof(T))) { +- client()->reportAllocationOverflow(); +- return nullptr; +- } +- T* p = reinterpret_cast(js_pod_malloc(bytes)); ++ T* p = 
static_cast(js_malloc(bytes)); + if (MOZ_LIKELY(p)) { + client()->updateMallocCounter(bytes); + return p; + } +- return (T*)client()->onOutOfMemory(nullptr, bytes); ++ return static_cast(client()->onOutOfMemory(nullptr, bytes)); + } + + template +@@ -108,30 +105,27 @@ struct MallocProvider + client()->updateMallocCounter(numElems * sizeof(T)); + return p; + } +- if (numElems & mozilla::tl::MulOverflowMask::value) { ++ size_t bytes; ++ if (MOZ_UNLIKELY(!CalculateAllocSize(numElems, &bytes))) { + client()->reportAllocationOverflow(); + return nullptr; + } +- return (T*)client()->onOutOfMemory(nullptr, numElems * sizeof(T)); ++ return static_cast(client()->onOutOfMemory(nullptr, bytes)); + } + + template + T* pod_calloc_with_extra(size_t numExtra) { +- if (MOZ_UNLIKELY(numExtra & mozilla::tl::MulOverflowMask::value)) { +- client()->reportAllocationOverflow(); +- return nullptr; +- } +- size_t bytes = sizeof(T) + numExtra * sizeof(U); +- if (MOZ_UNLIKELY(bytes < sizeof(T))) { ++ size_t bytes; ++ if (MOZ_UNLIKELY((!CalculateAllocSizeWithExtra(numExtra, &bytes)))) { + client()->reportAllocationOverflow(); + return nullptr; + } +- T* p = reinterpret_cast(js_pod_calloc(bytes)); ++ T* p = static_cast(js_calloc(bytes)); + if (MOZ_LIKELY(p)) { + client()->updateMallocCounter(bytes); + return p; + } +- return (T*)client()->onOutOfMemory(nullptr, bytes); ++ return static_cast(client()->onOutOfMemory(nullptr, bytes)); + } + + template +@@ -151,11 +145,12 @@ struct MallocProvider + client()->updateMallocCounter((newSize - oldSize) * sizeof(T)); + return p; + } +- if (newSize & mozilla::tl::MulOverflowMask::value) { ++ size_t bytes; ++ if (MOZ_UNLIKELY(!CalculateAllocSize(newSize, &bytes))) { + client()->reportAllocationOverflow(); + return nullptr; + } +- return (T*)client()->onOutOfMemory(prior, newSize * sizeof(T)); ++ return static_cast(client()->onOutOfMemory(prior, bytes)); + } + + JS_DECLARE_NEW_METHODS(new_, pod_malloc, MOZ_ALWAYS_INLINE) +diff --git a/js/src/vm/Runtime.h 
b/js/src/vm/Runtime.h +index 90771d6..24c34d3 100644 +--- a/js/src/vm/Runtime.h ++++ b/js/src/vm/Runtime.h +@@ -1354,11 +1354,12 @@ struct JSRuntime : public JS::shadow::Runtime, + T* p = pod_calloc(numElems); + if (MOZ_LIKELY(!!p)) + return p; +- if (numElems & mozilla::tl::MulOverflowMask::value) { ++ size_t bytes; ++ if (MOZ_UNLIKELY(!js::CalculateAllocSize(numElems, &bytes))) { + reportAllocationOverflow(); + return nullptr; + } +- return (T*)onOutOfMemoryCanGC(reinterpret_cast(1), numElems * sizeof(T)); ++ return static_cast(onOutOfMemoryCanGC(reinterpret_cast(1), bytes)); + } + + template +@@ -1366,11 +1367,12 @@ struct JSRuntime : public JS::shadow::Runtime, + T* p2 = pod_realloc(p, oldSize, newSize); + if (MOZ_LIKELY(!!p2)) + return p2; +- if (newSize & mozilla::tl::MulOverflowMask::value) { ++ size_t bytes; ++ if (MOZ_UNLIKELY(!js::CalculateAllocSize(newSize, &bytes))) { + reportAllocationOverflow(); + return nullptr; + } +- return (T*)onOutOfMemoryCanGC(p, newSize * sizeof(T)); ++ return static_cast(onOutOfMemoryCanGC(p, bytes)); + } + + /* +-- +2.5.0 + diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch new file mode 100644 index 0000000000..042188ee9c --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch 
@@ -0,0 +1,93 @@ +From 182bcb255e28b536e2d2a1208fde3324a994dbc1 Mon Sep 17 00:00:00 2001 +From: Benjamin Bouvier +Date: Tue, 13 Oct 2015 19:22:47 +0200 +Subject: [PATCH] Bug 1107011: Propagate recovered on bailout flags when + converting float32 to doubles; r=nbp, a=ritu, a=abillings + +--HG-- +extra : commitid : 51QGWZ84Mqx +extra : amend_source : 48bf9cd43b37c95d61dd4d11b184c307e84a56b5 +extra : histedit_source : ae510534e698e680103f508e0029d75f03f4e6e0%2C1d8eb51e63dd3a52898892976f50747cc3907e65 +--- + js/src/jit-test/tests/ion/bug1107011-1.js | 17 +++++++++++++++++ + js/src/jit-test/tests/ion/bug1107011-2.js | 12 ++++++++++++ + js/src/jit/TypePolicy.cpp | 2 ++ + js/src/jit/ValueNumbering.cpp | 6 ++++++ + 4 files changed, 37 insertions(+) + create mode 100644 js/src/jit-test/tests/ion/bug1107011-1.js + create mode 100644 js/src/jit-test/tests/ion/bug1107011-2.js + +diff --git a/js/src/jit-test/tests/ion/bug1107011-1.js b/js/src/jit-test/tests/ion/bug1107011-1.js +new file mode 100644 +index 0000000..458d7dd +--- /dev/null ++++ b/js/src/jit-test/tests/ion/bug1107011-1.js +@@ -0,0 +1,17 @@ ++var f32 = new Float32Array(32); ++function f(n) { ++ var x; ++ if (n > 10000) { ++ x = 4.5; ++ } else { ++ x = f32[0]; ++ } ++ f32[0] = (function() { ++ for(var f=0;f<4;++f) { ++ x=1; ++ } ++ })() < x; ++} ++for (var n = 0; n < 100; n++) ++ f(n); ++ +diff --git a/js/src/jit-test/tests/ion/bug1107011-2.js b/js/src/jit-test/tests/ion/bug1107011-2.js +new file mode 100644 +index 0000000..d59685e +--- /dev/null ++++ b/js/src/jit-test/tests/ion/bug1107011-2.js +@@ -0,0 +1,12 @@ ++function foo() { ++ var x = 0, y = 0, a = new Float32Array(1); ++ function bar() { ++ x = y; ++ y = a[0]; ++ } ++ for (var i = 0; i < 1000; i++) { ++ bar(); ++ } ++} ++for (var i=0; i < 50; i++) ++ foo(); +diff --git a/js/src/jit/TypePolicy.cpp b/js/src/jit/TypePolicy.cpp +index 4cea638..2510d50 100644 +--- a/js/src/jit/TypePolicy.cpp ++++ b/js/src/jit/TypePolicy.cpp +@@ -22,6 +22,8 @@ 
EnsureOperandNotFloat32(TempAllocator& alloc, MInstruction* def, unsigned op) + if (in->type() == MIRType_Float32) { + MToDouble* replace = MToDouble::New(alloc, in); + def->block()->insertBefore(def, replace); ++ if (def->isRecoveredOnBailout()) ++ replace->setRecoveredOnBailout(); + def->replaceOperand(op, replace); + } + } +diff --git a/js/src/jit/ValueNumbering.cpp b/js/src/jit/ValueNumbering.cpp +index da3e692..eb367e1 100644 +--- a/js/src/jit/ValueNumbering.cpp ++++ b/js/src/jit/ValueNumbering.cpp +@@ -726,6 +726,12 @@ ValueNumberer::visitDefinition(MDefinition* def) + return true; + } + ++ // Skip optimizations on instructions which are recovered on bailout, to ++ // avoid mixing instructions which are recovered on bailouts with ++ // instructions which are not. ++ if (def->isRecoveredOnBailout()) ++ return true; ++ + // If this instruction has a dependency() into an unreachable block, we'll + // need to update AliasAnalysis. + MInstruction* dep = def->dependency(); +-- +2.5.0 + diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch new file mode 100644 index 0000000000..6a16b07497 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch 
@@ -0,0 +1,41 @@ +From 544bc596ac085ee1adc0b3d7ea793bc37d747ce2 Mon Sep 17 00:00:00 2001 +From: Carsten Book +Date: Mon, 19 Oct 2015 08:49:46 +0200 +Subject: [PATCH] Bug 1213979 - h2 paket formats. r=hurley, a=al + +--HG-- +extra : source : 551a28778624d4aff67b698952b1b3e011fc21f7 +extra : intermediate-source : ed67ac61d1c0e4a23888abe3abd3f4636757e038 +--- + netwerk/protocol/http/Http2Stream.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/netwerk/protocol/http/Http2Stream.cpp b/netwerk/protocol/http/Http2Stream.cpp +index 38fc025..340eccf 100644 +--- a/netwerk/protocol/http/Http2Stream.cpp ++++ b/netwerk/protocol/http/Http2Stream.cpp +@@ -629,9 +629,9 @@ Http2Stream::AdjustInitialWindow() + return; + } + +- uint8_t *packet = mTxInlineFrame.get() + mTxInlineFrameUsed; + EnsureBuffer(mTxInlineFrame, mTxInlineFrameUsed + Http2Session::kFrameHeaderBytes + 4, + mTxInlineFrameUsed, mTxInlineFrameSize); ++ uint8_t *packet = mTxInlineFrame.get() + mTxInlineFrameUsed; + mTxInlineFrameUsed += Http2Session::kFrameHeaderBytes + 4; + + mSession->CreateFrameHeader(packet, 4, +@@ -661,9 +661,9 @@ Http2Stream::AdjustPushedPriority() + if (mPushSource->RecvdFin() || mPushSource->RecvdReset()) + return; + +- uint8_t *packet = mTxInlineFrame.get() + mTxInlineFrameUsed; + EnsureBuffer(mTxInlineFrame, mTxInlineFrameUsed + Http2Session::kFrameHeaderBytes + 5, + mTxInlineFrameUsed, mTxInlineFrameSize); ++ uint8_t *packet = mTxInlineFrame.get() + mTxInlineFrameUsed; + mTxInlineFrameUsed += Http2Session::kFrameHeaderBytes + 5; + + mSession->CreateFrameHeader(packet, 5, +-- +2.5.0 + diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch new file mode 100644 index 0000000000..687eb0af76 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch 
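Review bot: The two reordered `packet` assignments in `Http2Stream::AdjustInitialWindow()` and `Http2Stream::AdjustPushedPriority()` carry no comment saying why the pointer has to be taken after `EnsureBuffer`, so a later cleanup could move it back above the call. Presumably `EnsureBuffer` can replace the storage behind `mTxInlineFrame`, which would leave a pointer computed beforehand dangling. A one-line comment above each assignment, such as `// EnsureBuffer may reallocate mTxInlineFrame; derive packet only afterwards.`, would record that ordering constraint. Both functions start and end outside the embedded hunks.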
@@ -0,0 +1,65 @@ +From ef6298177a8390c01f5084ba89a808015a0b9473 Mon Sep 17 00:00:00 2001 +From: Gerald Squelart +Date: Thu, 22 Oct 2015 10:00:12 +0200 +Subject: [PATCH] Bug 1204580 - Check box ranges for overflow - r=rillian, a=al + +--- + media/libstagefright/binding/Box.cpp | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/media/libstagefright/binding/Box.cpp b/media/libstagefright/binding/Box.cpp +index 71c79ed..2558be0 100644 +--- a/media/libstagefright/binding/Box.cpp ++++ b/media/libstagefright/binding/Box.cpp +@@ -40,6 +40,11 @@ Box::Box(BoxContext* aContext, uint64_t aOffset, const Box* aParent) + : mContext(aContext), mParent(aParent) + { + uint8_t header[8]; ++ ++ if (aOffset > INT64_MAX - sizeof(header)) { ++ return; ++ } ++ + MediaByteRange headerRange(aOffset, aOffset + sizeof(header)); + if (mParent && !mParent->mRange.Contains(headerRange)) { + return; +@@ -67,11 +72,14 @@ Box::Box(BoxContext* aContext, uint64_t aOffset, const Box* aParent) + uint64_t size = BigEndian::readUint32(header); + if (size == 1) { + uint8_t bigLength[8]; ++ if (aOffset > INT64_MAX - sizeof(header) - sizeof(bigLength)) { ++ return; ++ } + MediaByteRange bigLengthRange(headerRange.mEnd, + headerRange.mEnd + sizeof(bigLength)); + if ((mParent && !mParent->mRange.Contains(bigLengthRange)) || + !byteRange->Contains(bigLengthRange) || +- !mContext->mSource->CachedReadAt(aOffset, bigLength, ++ !mContext->mSource->CachedReadAt(aOffset + sizeof(header), bigLength, + sizeof(bigLength), &bytes) || + bytes != sizeof(bigLength)) { + return; +@@ -82,10 +90,19 @@ Box::Box(BoxContext* aContext, uint64_t aOffset, const Box* aParent) + mBodyOffset = headerRange.mEnd; + } + ++ if (size > INT64_MAX) { ++ return; ++ } ++ int64_t end = static_cast(aOffset) + static_cast(size); ++ if (end < static_cast(aOffset)) { ++ // Overflowed. 
++ return; ++ } ++ + mType = BigEndian::readUint32(&header[4]); + mChildOffset = mBodyOffset + BoxOffset(mType); + +- MediaByteRange boxRange(aOffset, aOffset + size); ++ MediaByteRange boxRange(aOffset, end); + if (mChildOffset > boxRange.mEnd || + (mParent && !mParent->mRange.Contains(boxRange)) || + !byteRange->Contains(boxRange)) { +-- +2.5.0 + diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch new file mode 100644 index 0000000000..43dd17786f --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch 
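Review bot: In the Box.cpp change carried by this patch, the `end < aOffset` test that follows the computation of `int64_t end` cannot be relied on to catch overflow, because signed overflow is undefined in C++ and a compiler may assume the sum never wraps and drop the branch. The earlier guards bound `aOffset` and `size` individually but not their sum. The range should be checked before the addition, for example `if (size > static_cast<uint64_t>(INT64_MAX) - aOffset) { return; }`, with `end` computed only afterwards. The `Box` constructor continues outside the lines shown in the embedded hunks.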
@@ -0,0 +1,110 @@ +From 7b6c571182661cfffa0987c1a88a2cb5a3230bcd Mon Sep 17 00:00:00 2001 +From: Georg Fritzsche +Date: Tue, 18 Aug 2015 19:21:40 +0200 +Subject: [PATCH] Bug 1193038 - Purposely leak StatisticsReport object and + suppress the leak report. r=glandium,mccr8,njn, a=lizzard + +--HG-- +extra : source : 346b9ee524d1a704ea953ef16237f3d0c7ee56d1 +extra : intermediate-source : 48b17faad125691454ebba9bdef0a5def9128f11 +--- + build/valgrind/cross-architecture.sup | 9 +++++++++ + toolkit/xre/nsAppRunner.cpp | 22 +++++++++++++++------- + 2 files changed, 24 insertions(+), 7 deletions(-) + +diff --git a/build/valgrind/cross-architecture.sup b/build/valgrind/cross-architecture.sup +index 9215d3b..1e9d7ab 100644 +--- a/build/valgrind/cross-architecture.sup ++++ b/build/valgrind/cross-architecture.sup +@@ -34,6 +34,15 @@ + fun:_ZN13CrashReporter14SetupExtraDataEP7nsIFileRK19nsACString_internal + ... + } ++{ ++ We purposely leak the StatisticsReporter object ++ Memcheck:Leak ++ fun:malloc ++ fun:moz_xmalloc ++ fun:operator new ++ fun:_Z21XRE_CreateStatsObjectv ++ ... 
++} + + #################################### + # Leaks in third party libraries # +diff --git a/toolkit/xre/nsAppRunner.cpp b/toolkit/xre/nsAppRunner.cpp +index 5334a05..037aeac 100644 +--- a/toolkit/xre/nsAppRunner.cpp ++++ b/toolkit/xre/nsAppRunner.cpp +@@ -20,6 +20,7 @@ + #include "mozilla/Poison.h" + #include "mozilla/Preferences.h" + #include "mozilla/Telemetry.h" ++#include "mozilla/MemoryChecking.h" + + #include "nsAppRunner.h" + #include "mozilla/AppData.h" +@@ -3004,7 +3005,6 @@ public: + + ~XREMain() { + mScopedXPCOM = nullptr; +- mStatisticsRecorder = nullptr; + mAppData = nullptr; + } + +@@ -3023,7 +3023,6 @@ public: + #endif + + UniquePtr mScopedXPCOM; +- UniquePtr mStatisticsRecorder; + nsAutoPtr mAppData; + + nsXREDirProvider mDirProvider; +@@ -4268,10 +4267,6 @@ XREMain::XRE_main(int argc, char* argv[], const nsXREAppData* aAppData) + + NS_ENSURE_TRUE(aAppData, 2); + +- // A initializer to initialize histogram collection, a chromium +- // thing used by Telemetry. +- mStatisticsRecorder = MakeUnique(); +- + mAppData = new ScopedAppData(aAppData); + if (!mAppData) + return 1; +@@ -4345,7 +4340,6 @@ XREMain::XRE_main(int argc, char* argv[], const nsXREAppData* aAppData) + } + + mScopedXPCOM = nullptr; +- mStatisticsRecorder = nullptr; + + // unlock the profile after ScopedXPCOMStartup object (xpcom) + // has gone out of scope. see bug #386739 for more details +@@ -4531,11 +4525,25 @@ XRE_StopLateWriteChecks(void) { + mozilla::StopLateWriteChecks(); + } + ++// Separate stub function to let us specifically suppress it in Valgrind ++void ++XRE_CreateStatsObject() ++{ ++ // A initializer to initialize histogram collection, a chromium ++ // thing used by Telemetry (and effectively a global; it's all static). 
++ // Note: purposely leaked ++ base::StatisticsRecorder* statistics_recorder = new base::StatisticsRecorder(); ++ MOZ_LSAN_INTENTIONALLY_LEAK_OBJECT(statistics_recorder); ++ unused << statistics_recorder; ++} ++ + int + XRE_main(int argc, char* argv[], const nsXREAppData* aAppData, uint32_t aFlags) + { + #if !defined(MOZ_METRO) || !defined(XP_WIN) + XREMain main; ++ ++ XRE_CreateStatsObject(); + int result = main.XRE_main(argc, argv, aAppData); + mozilla::RecordShutdownEndTimeStamp(); + return result; +-- +2.5.0 + diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch new file mode 100644 index 0000000000..c4b326b9ed --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch 
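Review bot: `XRE_CreateStatsObject()` is called only inside the `#if !defined(MOZ_METRO) || !defined(XP_WIN)` branch of `XRE_main`, whereas the removed `MakeUnique` call ran inside `XREMain::XRE_main` for every caller. The other branch is outside the hunk, so it cannot be confirmed here that that path still gets a recorder; if it does not, histogram code would run without one. The new comment says only `// Note: purposely leaked` and should give the reason, for example `// Leaked on purpose so the recorder outlives every late user during shutdown`, if that is the intent. The valgrind suppression text also names `StatisticsReporter` where the class is `StatisticsRecorder`.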
@@ -0,0 +1,42 @@
+From 72185a2795d4627203970e3c17fd9b3a6944edc6 Mon Sep 17 00:00:00 2001
+From: "Nicolas B. Pierron"
+Date: Thu, 15 Oct 2015 10:57:39 +0200
+Subject: [PATCH] Bug 1204700 - ARM: Use a different scratch register for
+ store32. r=sstangl, a=lizzard
+
+--HG--
+extra : commitid : 8itRSfm5tEh
+extra : source : ebafbc7c1a870499159cdd2ee91573f1b52c728a
+---
+ js/src/jit/arm/MacroAssembler-arm.cpp | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/js/src/jit/arm/MacroAssembler-arm.cpp b/js/src/jit/arm/MacroAssembler-arm.cpp
+index 7b8c06e..c8030bb 100644
+--- a/js/src/jit/arm/MacroAssembler-arm.cpp
++++ b/js/src/jit/arm/MacroAssembler-arm.cpp
+@@ -2487,8 +2487,8 @@ MacroAssemblerARMCompat::store32(Imm32 src, const Address& address)
+ void
+ MacroAssemblerARMCompat::store32(Imm32 imm, const BaseIndex& dest)
+ {
+- ma_mov(imm, secondScratchReg_);
+- store32(secondScratchReg_, dest);
++ ma_mov(imm, ScratchRegister);
++ store32(ScratchRegister, dest);
+ }
+ 
+ void
+@@ -2498,8 +2498,8 @@ MacroAssemblerARMCompat::store32(Register src, const BaseIndex& dest)
+ uint32_t scale = Imm32::ShiftOf(dest.scale).value;
+ 
+ if (dest.offset != 0) {
+- ma_add(base, Imm32(dest.offset), ScratchRegister);
+- base = ScratchRegister;
++ ma_add(base, Imm32(dest.offset), secondScratchReg_);
++ base = secondScratchReg_;
+ }
+ ma_str(src, DTRAddr(base, DtrRegImmShift(dest.index, LSL, scale)));
+ }
+-- 
+2.5.0
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7188.patch b/gnu/packages/patches/icecat-CVE-2015-7188.patch new file mode 100644
index 0000000000..15e26e3a6e
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7188.patch
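Review bot: Nothing in either `store32` overload records that the two must use different scratch registers, which is the whole fix: the `Imm32` overload now passes the value in `ScratchRegister` and the `Register` overload computes the base in `secondScratchReg_`. A caller that passes `secondScratchReg_` as `src` with a non-zero `dest.offset` would have its value overwritten by `ma_add` before `ma_str`, in the same way. A debug check inside the `if (dest.offset != 0)` block, `MOZ_ASSERT(src != secondScratchReg_);`, together with a comment such as `// base must not alias src; store32(Imm32, BaseIndex) passes src in ScratchRegister`, would keep the pairing from being swapped back. The start of the `Register` overload is outside the hunk.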
@@ -0,0 +1,143 @@ +From 23e5bd6ffab4b6fa17a92d0bc58fbd185e9a7e6e Mon Sep 17 00:00:00 2001 +From: Valentin Gosu +Date: Tue, 13 Oct 2015 11:10:26 +0200 +Subject: [PATCH] Bug 1199430 - Reject hostnames containing @. r=mcmanus, a=al + +--- + docshell/test/unit/test_nsDefaultURIFixup_info.js | 16 ++++++------ + netwerk/base/nsStandardURL.cpp | 30 ++++++++++++++--------- + netwerk/base/nsStandardURL.h | 2 +- + 3 files changed, 27 insertions(+), 21 deletions(-) + +diff --git a/docshell/test/unit/test_nsDefaultURIFixup_info.js b/docshell/test/unit/test_nsDefaultURIFixup_info.js +index b178ea9..dbb55c6 100644 +--- a/docshell/test/unit/test_nsDefaultURIFixup_info.js ++++ b/docshell/test/unit/test_nsDefaultURIFixup_info.js +@@ -199,12 +199,10 @@ let testcases = [ { + protocolChange: true + }, { + input: "[::1][100", +- fixedURI: "http://[::1][100/", +- alternateURI: "http://[::1][100/", ++ fixedURI: null, ++ alternateURI: null, + keywordLookup: true, +- protocolChange: true, +- affectedByWhitelist: true, +- affectedByDNSForSingleHosts: true, ++ protocolChange: true + }, { + input: "[::1]]", + keywordLookup: true, +@@ -514,15 +512,15 @@ if (Services.appinfo.OS.toLowerCase().startsWith("win")) { + input: "//mozilla", + fixedURI: "file:////mozilla", + protocolChange: true, +- }); ++ }); // \ is an invalid character in the hostname until bug 652186 is implemented + testcases.push({ + input: "mozilla\\", +- fixedURI: "http://mozilla\\/", +- alternateURI: "http://www.mozilla/", ++ // fixedURI: "http://mozilla\\/", ++ // alternateURI: "http://www.mozilla/", + keywordLookup: true, + protocolChange: true, + affectedByWhitelist: true, +- affectedByDNSForSingleHosts: true, ++ // affectedByDNSForSingleHosts: true, + }); + } + +diff --git a/netwerk/base/nsStandardURL.cpp b/netwerk/base/nsStandardURL.cpp +index f5f516f..cff90fc 100644 +--- a/netwerk/base/nsStandardURL.cpp ++++ b/netwerk/base/nsStandardURL.cpp +@@ -427,14 +427,16 @@ nsStandardURL::NormalizeIDN(const nsCSubstring &host, 
nsCString &result) + } + + bool +-nsStandardURL::ValidIPv6orHostname(const char *host) ++nsStandardURL::ValidIPv6orHostname(const char *host, uint32_t length) + { +- if (!host || !*host) { +- // Should not be NULL or empty string ++ if (!host) { + return false; + } + +- int32_t length = strlen(host); ++ if (length != strlen(host)) { ++ // Embedded null ++ return false; ++ } + + bool openBracket = host[0] == '['; + bool closeBracket = host[length - 1] == ']'; +@@ -448,8 +450,9 @@ nsStandardURL::ValidIPv6orHostname(const char *host) + return false; + } + +- if (PL_strchr(host, ':')) { +- // Hostnames should not contain a colon ++ const char *end = host + length; ++ if (end != net_FindCharInSet(host, end, "\t\n\v\f\r #/:?@[\\]")) { ++ // % is allowed because we don't do hostname percent decoding yet. + return false; + } + +@@ -587,6 +590,11 @@ nsStandardURL::BuildNormalizedSpec(const char *spec) + approxLen += encHost.Length(); + else + approxLen += mHost.mLen; ++ ++ if ((useEncHost && !ValidIPv6orHostname(encHost.BeginReading(), encHost.Length())) || ++ (!useEncHost && !ValidIPv6orHostname(tempHost.BeginReading(), tempHost.Length()))) { ++ return NS_ERROR_MALFORMED_URI; ++ } + } + + // +@@ -1580,14 +1588,10 @@ nsStandardURL::SetHost(const nsACString &input) + if (strchr(host, ' ')) + return NS_ERROR_MALFORMED_URI; + +- if (!ValidIPv6orHostname(host)) { +- return NS_ERROR_MALFORMED_URI; +- } +- + InvalidateCache(); + mHostEncoding = eEncoding_ASCII; + +- int32_t len; ++ uint32_t len; + nsAutoCString hostBuf; + if (NormalizeIDN(flat, hostBuf)) { + host = hostBuf.get(); +@@ -1596,6 +1600,10 @@ nsStandardURL::SetHost(const nsACString &input) + else + len = flat.Length(); + ++ if (!ValidIPv6orHostname(host, len)) { ++ return NS_ERROR_MALFORMED_URI; ++ } ++ + if (mHost.mLen < 0) { + int port_length = 0; + if (mPort != -1) { +diff --git a/netwerk/base/nsStandardURL.h b/netwerk/base/nsStandardURL.h +index 179a618..c56426e 100644 +--- a/netwerk/base/nsStandardURL.h ++++ 
b/netwerk/base/nsStandardURL.h +@@ -173,7 +173,7 @@ private: + void Clear(); + void InvalidateCache(bool invalidateCachedFile = true); + +- bool ValidIPv6orHostname(const char *host); ++ bool ValidIPv6orHostname(const char *host, uint32_t aLen); + bool NormalizeIDN(const nsCSubstring &host, nsCString &result); + void CoalescePath(netCoalesceFlags coalesceFlag, char *path); + +-- +2.5.0 + diff --git a/gnu/packages/patches/icecat-CVE-2015-7189.patch b/gnu/packages/patches/icecat-CVE-2015-7189.patch new file mode 100644 index 0000000000..329d1b6f1f --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-7189.patch 
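Review bot: `ValidIPv6orHostname` no longer rejects an empty string, yet it still evaluates `host[length - 1]`; with `length == 0` the unsigned index wraps and the read lands far outside the buffer. The old `!*host` guard is removed in this hunk, and the new `strlen` comparison passes for an empty host. Unless every caller guarantees a non-empty host (the `BuildNormalizedSpec` and `SetHost` call sites are only partly visible), the first check should be `if (!host || length == 0) { return false; }`. The rest of the function is outside the hunk.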
@@ -0,0 +1,143 @@ +From 377e1cefec0fcf230caafb97b4414c835d27c7fe Mon Sep 17 00:00:00 2001 +From: Milan Sreckovic +Date: Fri, 2 Oct 2015 09:18:26 +0200 +Subject: [PATCH] Bug 1205900 - Compare context and canvas element sizes before + extracting the data. r=gwright, a=al + +--HG-- +extra : source : f6c99c8baa9b0b6a34d6791e5d4031a2de8f2087 +--- + dom/canvas/CanvasRenderingContext2D.cpp | 2 -- + dom/canvas/CanvasRenderingContext2D.h | 7 +++---- + dom/canvas/WebGLContext.cpp | 2 -- + dom/canvas/WebGLContext.h | 3 +-- + dom/canvas/nsICanvasRenderingContextInternal.h | 8 +++----- + dom/html/HTMLCanvasElement.cpp | 13 +++++++------ + 6 files changed, 14 insertions(+), 21 deletions(-) + +diff --git a/dom/canvas/CanvasRenderingContext2D.cpp b/dom/canvas/CanvasRenderingContext2D.cpp +index d9eaf99..a06fbce 100644 +--- a/dom/canvas/CanvasRenderingContext2D.cpp ++++ b/dom/canvas/CanvasRenderingContext2D.cpp +@@ -1418,7 +1418,6 @@ CanvasRenderingContext2D::EnsureTarget(RenderingMode aRenderingMode) + return mode; + } + +-#ifdef DEBUG + int32_t + CanvasRenderingContext2D::GetWidth() const + { +@@ -1430,7 +1429,6 @@ CanvasRenderingContext2D::GetHeight() const + { + return mHeight; + } +-#endif + + NS_IMETHODIMP + CanvasRenderingContext2D::SetDimensions(int32_t width, int32_t height) +diff --git a/dom/canvas/CanvasRenderingContext2D.h b/dom/canvas/CanvasRenderingContext2D.h +index af29c78..e853987 100644 +--- a/dom/canvas/CanvasRenderingContext2D.h ++++ b/dom/canvas/CanvasRenderingContext2D.h +@@ -481,10 +481,9 @@ public: + + nsresult Redraw(); + +-#ifdef DEBUG +- virtual int32_t GetWidth() const override; +- virtual int32_t GetHeight() const override; +-#endif ++ virtual int32_t GetWidth() const override; ++ virtual int32_t GetHeight() const override; ++ + // nsICanvasRenderingContextInternal + /** + * Gets the pres shell from either the canvas element or the doc shell +diff --git a/dom/canvas/WebGLContext.cpp b/dom/canvas/WebGLContext.cpp +index 1c22c27..f2a620a 100644 +--- 
a/dom/canvas/WebGLContext.cpp ++++ b/dom/canvas/WebGLContext.cpp +@@ -463,7 +463,6 @@ WebGLContext::SetContextOptions(JSContext* cx, JS::Handle options) + return NS_OK; + } + +-#ifdef DEBUG + int32_t + WebGLContext::GetWidth() const + { +@@ -475,7 +474,6 @@ WebGLContext::GetHeight() const + { + return mHeight; + } +-#endif + + /* So there are a number of points of failure here. We might fail based + * on EGL vs. WGL, or we might fail to alloc a too-large size, or we +diff --git a/dom/canvas/WebGLContext.h b/dom/canvas/WebGLContext.h +index 63c4091..210f341 100644 +--- a/dom/canvas/WebGLContext.h ++++ b/dom/canvas/WebGLContext.h +@@ -202,10 +202,9 @@ public: + NS_DECL_NSIDOMWEBGLRENDERINGCONTEXT + + // nsICanvasRenderingContextInternal +-#ifdef DEBUG + virtual int32_t GetWidth() const override; + virtual int32_t GetHeight() const override; +-#endif ++ + NS_IMETHOD SetDimensions(int32_t width, int32_t height) override; + NS_IMETHOD InitializeWithSurface(nsIDocShell*, gfxASurface*, int32_t, + int32_t) override +diff --git a/dom/canvas/nsICanvasRenderingContextInternal.h b/dom/canvas/nsICanvasRenderingContextInternal.h +index 3b1120f..fb1ef7c 100644 +--- a/dom/canvas/nsICanvasRenderingContextInternal.h ++++ b/dom/canvas/nsICanvasRenderingContextInternal.h +@@ -81,11 +81,9 @@ public: + return mCanvasElement; + } + +-#ifdef DEBUG +- // Useful for testing +- virtual int32_t GetWidth() const = 0; +- virtual int32_t GetHeight() const = 0; +-#endif ++ // Dimensions of the canvas, in pixels. ++ virtual int32_t GetWidth() const = 0; ++ virtual int32_t GetHeight() const = 0; + + // Sets the dimensions of the canvas, in pixels. Called + // whenever the size of the element changes. 
+diff --git a/dom/html/HTMLCanvasElement.cpp b/dom/html/HTMLCanvasElement.cpp +index f326662..68649f5 100644 +--- a/dom/html/HTMLCanvasElement.cpp ++++ b/dom/html/HTMLCanvasElement.cpp +@@ -526,18 +526,19 @@ HTMLCanvasElement::ToBlob(JSContext* aCx, + return; + } + +-#ifdef DEBUG + if (mCurrentContext) { + // We disallow canvases of width or height zero, and set them to 1, so + // we will have a discrepancy with the sizes of the canvas and the context. + // That discrepancy is OK, the rest are not. + nsIntSize elementSize = GetWidthHeight(); +- MOZ_ASSERT(elementSize.width == mCurrentContext->GetWidth() || +- (elementSize.width == 0 && mCurrentContext->GetWidth() == 1)); +- MOZ_ASSERT(elementSize.height == mCurrentContext->GetHeight() || +- (elementSize.height == 0 && mCurrentContext->GetHeight() == 1)); ++ if ((elementSize.width != mCurrentContext->GetWidth() && ++ (elementSize.width != 0 || mCurrentContext->GetWidth() != 1)) || ++ (elementSize.height != mCurrentContext->GetHeight() && ++ (elementSize.height != 0 || mCurrentContext->GetHeight() != 1))) { ++ aRv.Throw(NS_ERROR_FAILURE); ++ return; ++ } + } +-#endif + + uint8_t* imageBuffer = nullptr; + int32_t format = 0; +-- +2.5.0 + diff --git a/gnu/packages/patches/icecat-CVE-2015-7193.patch b/gnu/packages/patches/icecat-CVE-2015-7193.patch new file mode 100644 index 0000000000..798799de9f --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-7193.patch 
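Review bot: The size comparison is enforced only at the `HTMLCanvasElement::ToBlob` call site. If other entry points in this file pass the context's buffer to an encoder using the element's dimensions (not visible in this hunk), they keep the old debug-only behaviour. Moving the test into a small private helper that returns `bool` and calling it from each extraction path would also remove the duplicated width/height expression. The existing comment explains which discrepancy is tolerated but not why the others are refused; it should say so, for example that the buffer would otherwise be read with the wrong dimensions, if that is the reason.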
@@ -0,0 +1,397 @@ +From d135e3b3c48811c577e1632a41c5c50bc55c035c Mon Sep 17 00:00:00 2001 +From: Ehsan Akhgari +Date: Tue, 20 Oct 2015 11:40:12 +0200 +Subject: [PATCH] Bug 1210302 - Add a NS_ParseRequestContentType API; ba=al, + r=mcmanus, r=sicking, a=al + +--HG-- +extra : amend_source : d93021b626709b03f6499029dc3d1813cccba386 +--- + docshell/base/nsDocShell.cpp | 2 +- + dom/base/Navigator.cpp | 4 +-- + dom/base/nsContentUtils.cpp | 2 +- + dom/html/nsHTMLDocument.cpp | 2 +- + dom/manifest/ManifestProcessor.jsm | 6 ++-- + netwerk/base/moz.build | 1 + + netwerk/base/nsINetUtil_ESR_38.idl | 14 +++++++++ + netwerk/base/nsIOService.cpp | 12 ++++++++ + netwerk/base/nsIOService.h | 3 ++ + netwerk/base/nsNetUtil.h | 21 +++++++++++++ + netwerk/base/nsURLHelper.cpp | 60 +++++++++++++++++++++++++++++++++++--- + netwerk/base/nsURLHelper.h | 32 +++++++++++++++----- + 12 files changed, 139 insertions(+), 20 deletions(-) + create mode 100644 netwerk/base/nsINetUtil_ESR_38.idl + +diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp +index bcc205c..4fc7c34 100644 +--- a/docshell/base/nsDocShell.cpp ++++ b/docshell/base/nsDocShell.cpp +@@ -13519,7 +13519,7 @@ nsDocShell::OnLinkClickSync(nsIContent* aContent, + anchor->GetType(typeHint); + NS_ConvertUTF16toUTF8 utf8Hint(typeHint); + nsAutoCString type, dummy; +- NS_ParseContentType(utf8Hint, type, dummy); ++ NS_ParseRequestContentType(utf8Hint, type, dummy); + CopyUTF8toUTF16(type, typeHint); + } + +diff --git a/dom/base/Navigator.cpp b/dom/base/Navigator.cpp +index f4ea502..7288420 100644 +--- a/dom/base/Navigator.cpp ++++ b/dom/base/Navigator.cpp +@@ -1221,9 +1221,9 @@ Navigator::SendBeacon(const nsAString& aUrl, + rv = secMan->CheckSameOriginURI(documentURI, uri, false); + bool crossOrigin = NS_FAILED(rv); + nsAutoCString contentType, parsedCharset; +- rv = NS_ParseContentType(mimeType, contentType, parsedCharset); ++ rv = NS_ParseRequestContentType(mimeType, contentType, parsedCharset); + if (crossOrigin && 
+- contentType.Length() > 0 && ++ mimeType.Length() > 0 && + !contentType.Equals(APPLICATION_WWW_FORM_URLENCODED) && + !contentType.Equals(MULTIPART_FORM_DATA) && + !contentType.Equals(TEXT_PLAIN)) { +diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp +index 5e8dbd6..686f7bf 100644 +--- a/dom/base/nsContentUtils.cpp ++++ b/dom/base/nsContentUtils.cpp +@@ -7001,7 +7001,7 @@ nsContentUtils::IsAllowedNonCorsContentType(const nsACString& aHeaderValue) + nsAutoCString contentType; + nsAutoCString unused; + +- nsresult rv = NS_ParseContentType(aHeaderValue, contentType, unused); ++ nsresult rv = NS_ParseRequestContentType(aHeaderValue, contentType, unused); + if (NS_FAILED(rv)) { + return false; + } +diff --git a/dom/html/nsHTMLDocument.cpp b/dom/html/nsHTMLDocument.cpp +index 7481109..d195792 100644 +--- a/dom/html/nsHTMLDocument.cpp ++++ b/dom/html/nsHTMLDocument.cpp +@@ -1422,7 +1422,7 @@ nsHTMLDocument::Open(JSContext* cx, + nsAutoString type; + nsContentUtils::ASCIIToLower(aType, type); + nsAutoCString actualType, dummy; +- NS_ParseContentType(NS_ConvertUTF16toUTF8(type), actualType, dummy); ++ NS_ParseRequestContentType(NS_ConvertUTF16toUTF8(type), actualType, dummy); + if (!actualType.EqualsLiteral("text/html") && + !type.EqualsLiteral("replace")) { + contentType.AssignLiteral("text/plain"); +diff --git a/dom/manifest/ManifestProcessor.jsm b/dom/manifest/ManifestProcessor.jsm +index b6df920..f16881a 100644 +--- a/dom/manifest/ManifestProcessor.jsm ++++ b/dom/manifest/ManifestProcessor.jsm +@@ -31,7 +31,7 @@ const imports = {}; + Cu.import('resource://gre/modules/Services.jsm', imports); + Cu.importGlobalProperties(['URL']); + const securityManager = imports.Services.scriptSecurityManager; +-const netutil = Cc['@mozilla.org/network/util;1'].getService(Ci.nsINetUtil); ++const netutil = Cc['@mozilla.org/network/util;1'].getService(Ci.nsINetUtil_ESR_38); + const defaultDisplayMode = 'browser'; + const displayModes = new Set([ + 'fullscreen', +@@ 
-258,7 +258,7 @@ this.ManifestProcessor.prototype.process = function({ + }; + let value = extractValue(obj), + isParsable = (typeof value === 'string' && value.length > 0); +- value = (isParsable) ? netutil.parseContentType(value.trim(), charset, hadCharset) : undefined; ++ value = (isParsable) ? netutil.parseRequestContentType(value.trim(), charset, hadCharset) : undefined; + return (value === '') ? undefined : value; + } + +@@ -354,4 +354,4 @@ this.ManifestProcessor.prototype.process = function({ + }; + processedManifest.scope = processScopeMember(manifest, manifestURL, docURL, processedManifest.start_url); + return processedManifest; +-}; +\ No newline at end of file ++}; +diff --git a/netwerk/base/moz.build b/netwerk/base/moz.build +index 877365b..deedf76 100644 +--- a/netwerk/base/moz.build ++++ b/netwerk/base/moz.build +@@ -59,6 +59,7 @@ XPIDL_SOURCES += [ + 'nsINestedURI.idl', + 'nsINetAddr.idl', + 'nsINetUtil.idl', ++ 'nsINetUtil_ESR_38.idl', + 'nsINetworkInterceptController.idl', + 'nsINetworkLinkService.idl', + 'nsINetworkPredictor.idl', +diff --git a/netwerk/base/nsINetUtil_ESR_38.idl b/netwerk/base/nsINetUtil_ESR_38.idl +new file mode 100644 +index 0000000..7ef40e9 +--- /dev/null ++++ b/netwerk/base/nsINetUtil_ESR_38.idl +@@ -0,0 +1,14 @@ ++/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
*/ ++ ++#include "nsISupports.idl" ++ ++[scriptable, uuid(e82f2b9d-8bac-48bb-ade7-26a7cd4fb894)] ++interface nsINetUtil_ESR_38 : nsISupports ++{ ++ AUTF8String parseRequestContentType(in AUTF8String aTypeHeader, ++ out AUTF8String aCharset, ++ out boolean aHadCharset); ++}; +diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp +index 83db86f..9a17e8b 100644 +--- a/netwerk/base/nsIOService.cpp ++++ b/netwerk/base/nsIOService.cpp +@@ -321,6 +321,7 @@ NS_IMPL_ISUPPORTS(nsIOService, + nsIIOService, + nsIIOService2, + nsINetUtil, ++ nsINetUtil_ESR_38, + nsISpeculativeConnect, + nsIObserver, + nsISupportsWeakReference) +@@ -1280,6 +1281,17 @@ nsIOService::Observe(nsISupports *subject, + + // nsINetUtil interface + NS_IMETHODIMP ++nsIOService::ParseRequestContentType(const nsACString &aTypeHeader, ++ nsACString &aCharset, ++ bool *aHadCharset, ++ nsACString &aContentType) ++{ ++ net_ParseRequestContentType(aTypeHeader, aContentType, aCharset, aHadCharset); ++ return NS_OK; ++} ++ ++// nsINetUtil interface ++NS_IMETHODIMP + nsIOService::ParseContentType(const nsACString &aTypeHeader, + nsACString &aCharset, + bool *aHadCharset, +diff --git a/netwerk/base/nsIOService.h b/netwerk/base/nsIOService.h +index acd501c..b125709 100644 +--- a/netwerk/base/nsIOService.h ++++ b/netwerk/base/nsIOService.h +@@ -14,6 +14,7 @@ + #include "nsIObserver.h" + #include "nsWeakReference.h" + #include "nsINetUtil.h" ++#include "nsINetUtil_ESR_38.h" + #include "nsIChannelEventSink.h" + #include "nsCategoryCache.h" + #include "nsISpeculativeConnect.h" +@@ -47,6 +48,7 @@ namespace net { + class nsIOService final : public nsIIOService2 + , public nsIObserver + , public nsINetUtil ++ , public nsINetUtil_ESR_38 + , public nsISpeculativeConnect + , public nsSupportsWeakReference + { +@@ -56,6 +58,7 @@ public: + NS_DECL_NSIIOSERVICE2 + NS_DECL_NSIOBSERVER + NS_DECL_NSINETUTIL ++ NS_DECL_NSINETUTIL_ESR_38 + NS_DECL_NSISPECULATIVECONNECT + + // Gets the singleton instance of the IO 
Service, creating it as needed +diff --git a/netwerk/base/nsNetUtil.h b/netwerk/base/nsNetUtil.h +index ec69716..df8874c 100644 +--- a/netwerk/base/nsNetUtil.h ++++ b/netwerk/base/nsNetUtil.h +@@ -56,6 +56,7 @@ + #include "nsISyncStreamListener.h" + #include "nsInterfaceRequestorAgg.h" + #include "nsINetUtil.h" ++#include "nsINetUtil_ESR_38.h" + #include "nsIURIWithPrincipal.h" + #include "nsIAuthPrompt.h" + #include "nsIAuthPrompt2.h" +@@ -1228,6 +1229,26 @@ NS_GetReferrerFromChannel(nsIChannel *channel, + } + + inline nsresult ++NS_ParseRequestContentType(const nsACString &rawContentType, ++ nsCString &contentType, ++ nsCString &contentCharset) ++{ ++ // contentCharset is left untouched if not present in rawContentType ++ nsresult rv; ++ nsCOMPtr util = do_GetNetUtil(&rv); ++ NS_ENSURE_SUCCESS(rv, rv); ++ nsCOMPtr utilESR38 = do_QueryInterface(util, &rv); ++ NS_ENSURE_SUCCESS(rv, rv); ++ nsCString charset; ++ bool hadCharset; ++ rv = utilESR38->ParseRequestContentType(rawContentType, charset, &hadCharset, ++ contentType); ++ if (NS_SUCCEEDED(rv) && hadCharset) ++ contentCharset = charset; ++ return rv; ++} ++ ++inline nsresult + NS_ParseContentType(const nsACString &rawContentType, + nsCString &contentType, + nsCString &contentCharset) +diff --git a/netwerk/base/nsURLHelper.cpp b/netwerk/base/nsURLHelper.cpp +index 10ea849..cdb2120 100644 +--- a/netwerk/base/nsURLHelper.cpp ++++ b/netwerk/base/nsURLHelper.cpp +@@ -803,7 +803,8 @@ net_ParseMediaType(const nsACString &aMediaTypeStr, + int32_t aOffset, + bool *aHadCharset, + int32_t *aCharsetStart, +- int32_t *aCharsetEnd) ++ int32_t *aCharsetEnd, ++ bool aStrict) + { + const nsCString& flatStr = PromiseFlatCString(aMediaTypeStr); + const char* start = flatStr.get(); +@@ -820,6 +821,8 @@ net_ParseMediaType(const nsACString &aMediaTypeStr, + int32_t charsetParamStart = 0; + int32_t charsetParamEnd = 0; + ++ uint32_t consumed = typeEnd - type; ++ + // Iterate over parameters + bool typeHasCharset = false; + uint32_t 
paramStart = flatStr.FindChar(';', typeEnd - start); +@@ -843,6 +846,7 @@ net_ParseMediaType(const nsACString &aMediaTypeStr, + charsetParamEnd = curParamEnd; + } + ++ consumed = curParamEnd; + curParamStart = curParamEnd + 1; + } while (curParamStart < flatStr.Length()); + } +@@ -872,8 +876,10 @@ net_ParseMediaType(const nsACString &aMediaTypeStr, + // some servers give junk after the charset parameter, which may + // include a comma, so this check makes us a bit more tolerant. + +- if (type != typeEnd && strncmp(type, "*/*", typeEnd - type) != 0 && +- memchr(type, '/', typeEnd - type) != nullptr) { ++ if (type != typeEnd && ++ memchr(type, '/', typeEnd - type) != nullptr && ++ (aStrict ? (net_FindCharNotInSet(start + consumed, end, HTTP_LWS) == end) : ++ (strncmp(type, "*/*", typeEnd - type) != 0))) { + // Common case here is that aContentType is empty + bool eq = !aContentType.IsEmpty() && + aContentType.Equals(Substring(type, typeEnd), +@@ -980,13 +986,59 @@ net_ParseContentType(const nsACString &aHeaderStr, + net_ParseMediaType(Substring(flatStr, curTypeStart, + curTypeEnd - curTypeStart), + aContentType, aContentCharset, curTypeStart, +- aHadCharset, aCharsetStart, aCharsetEnd); ++ aHadCharset, aCharsetStart, aCharsetEnd, false); + + // And let's move on to the next media-type + curTypeStart = curTypeEnd + 1; + } while (curTypeStart < flatStr.Length()); + } + ++void ++net_ParseRequestContentType(const nsACString &aHeaderStr, ++ nsACString &aContentType, ++ nsACString &aContentCharset, ++ bool *aHadCharset) ++{ ++ // ++ // Augmented BNF (from RFC 7231 section 3.1.1.1): ++ // ++ // media-type = type "/" subtype *( OWS ";" OWS parameter ) ++ // type = token ++ // subtype = token ++ // parameter = token "=" ( token / quoted-string ) ++ // ++ // Examples: ++ // ++ // text/html ++ // text/html; charset=ISO-8859-1 ++ // text/html; charset="ISO-8859-1" ++ // application/octet-stream ++ // ++ ++ aContentType.Truncate(); ++ aContentCharset.Truncate(); ++ *aHadCharset = 
false; ++ const nsCString& flatStr = PromiseFlatCString(aHeaderStr); ++ ++ // At this point curTypeEnd points to the spot where the media-type ++ // starting at curTypeEnd ends. Time to parse that! ++ nsAutoCString contentType, contentCharset; ++ bool hadCharset = false; ++ int32_t dummy1, dummy2; ++ uint32_t typeEnd = net_FindMediaDelimiter(flatStr, 0, ','); ++ if (typeEnd != flatStr.Length()) { ++ // We have some stuff left at the end, so this is not a valid ++ // request Content-Type header. ++ return; ++ } ++ net_ParseMediaType(flatStr, contentType, contentCharset, 0, ++ &hadCharset, &dummy1, &dummy2, true); ++ ++ aContentType = contentType; ++ aContentCharset = contentCharset; ++ *aHadCharset = hadCharset; ++} ++ + bool + net_IsValidHostName(const nsCSubstring &host) + { +diff --git a/netwerk/base/nsURLHelper.h b/netwerk/base/nsURLHelper.h +index 816a3c5..21e17be 100644 +--- a/netwerk/base/nsURLHelper.h ++++ b/netwerk/base/nsURLHelper.h +@@ -172,11 +172,27 @@ char * net_RFindCharNotInSet(const char *str, const char *end, const char *set); + * specified), aHadCharset is set to false. Otherwise, it's set to + * true. Note that aContentCharset can be empty even if aHadCharset + * is true. ++ * ++ * This parsing is suitable for HTTP request. Use net_ParseContentType ++ * for parsing this header in HTTP responses. ++ */ ++void net_ParseRequestContentType(const nsACString &aHeaderStr, ++ nsACString &aContentType, ++ nsACString &aContentCharset, ++ bool* aHadCharset); ++ ++/** ++ * Parses a content-type header and returns the content type and ++ * charset (if any). aCharset is not modified if no charset is ++ * specified in anywhere in aHeaderStr. In that case (no charset ++ * specified), aHadCharset is set to false. Otherwise, it's set to ++ * true. Note that aContentCharset can be empty even if aHadCharset ++ * is true. 
+ */ + void net_ParseContentType(const nsACString &aHeaderStr, +- nsACString &aContentType, +- nsACString &aContentCharset, +- bool* aHadCharset); ++ nsACString &aContentType, ++ nsACString &aContentCharset, ++ bool* aHadCharset); + /** + * As above, but also returns the start and end indexes for the charset + * parameter in aHeaderStr. These are indices for the entire parameter, NOT +@@ -187,11 +203,11 @@ void net_ParseContentType(const nsACString &aHeaderStr, + * *aCharsetStart is nonnegative; this corresponds to charset="". + */ + void net_ParseContentType(const nsACString &aHeaderStr, +- nsACString &aContentType, +- nsACString &aContentCharset, +- bool *aHadCharset, +- int32_t *aCharsetStart, +- int32_t *aCharsetEnd); ++ nsACString &aContentType, ++ nsACString &aContentCharset, ++ bool *aHadCharset, ++ int32_t *aCharsetStart, ++ int32_t *aCharsetEnd); + + /* inline versions */ + +-- +2.5.0 + diff --git a/gnu/packages/patches/icecat-CVE-2015-7194.patch b/gnu/packages/patches/icecat-CVE-2015-7194.patch new file mode 100644 index 0000000000..481da06a7f --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-7194.patch 
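Review bot: `nsIOService::ParseRequestContentType` returns `NS_OK` unconditionally, so a rejected header is reported only through an empty `aContentType`; the `NS_FAILED(rv)` test in `IsAllowedNonCorsContentType` and the `rv` assigned in `SendBeacon` cannot observe a parse rejection. `SendBeacon`'s new `mimeType.Length() > 0` test appears to rely on exactly that empty-type signal, but the contract is not written down; the doc comment in nsURLHelper.h should say something like `On a malformed header aContentType and aContentCharset are emptied and *aHadCharset is false`. Inside `net_ParseRequestContentType` the comment about `curTypeEnd` is copied from `net_ParseContentType` and refers to a variable this function does not have. `dummy1` and `dummy2` are passed as out-parameters uninitialised; `int32_t dummy1 = 0, dummy2 = 0;` costs nothing.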
@@ -0,0 +1,32 @@
+From 382a08fa0b21d46c44c46af39041324f304a9dfa Mon Sep 17 00:00:00 2001
+From: Aaron Klotz
+Date: Tue, 13 Oct 2015 12:20:25 -0600
+Subject: [PATCH] Bug 1211262: Ensure that STORED entries in ZIP are considered
+ corrupt if compressed and uncompressed sizes differ; r=mwu, a=ritu
+
+--HG--
+extra : source : 673d9f45b802f1fd1ffaaeae19d433622fe68a5e
+extra : intermediate-source : db9d3e806685d72a2891830ffbc42ef3cde559ae
+---
+ modules/libjar/nsZipArchive.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
+index bb1e21b..eaf22ac 100644
+--- a/modules/libjar/nsZipArchive.cpp
++++ b/modules/libjar/nsZipArchive.cpp
+@@ -828,8 +828,10 @@ MOZ_WIN_MEM_TRY_BEGIN
+ // -- check if there is enough source data in the file
+ if (!offset ||
+ mFd->mLen < aItem->Size() ||
+- offset > mFd->mLen - aItem->Size())
++ offset > mFd->mLen - aItem->Size() ||
++ (aItem->Compression() == STORED && aItem->Size() != aItem->RealSize())) {
+ return nullptr;
++ }
+ 
+ return mFd->mFileData + offset;
+ MOZ_WIN_MEM_TRY_CATCH(return nullptr)
+-- 
+2.5.0
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7196.patch b/gnu/packages/patches/icecat-CVE-2015-7196.patch new file mode 100644
index 0000000000..6114ebf505
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7196.patch
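Review bot: The added `STORED` clause has no comment saying why unequal sizes are dangerous, and the existing comment above the condition speaks only of having enough source data. The bounds test uses `aItem->Size()`, so presumably a caller that reads a stored entry in place for `RealSize()` bytes could run past the checked range. That should be stated next to the clause, e.g. `// STORED entries are read in place: RealSize() must equal the bounds-checked Size()`. The enclosing function starts outside the hunk.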
@@ -0,0 +1,27 @@
+From 3ed5c713015536b49dc88d3d4a36b60833ccd09a Mon Sep 17 00:00:00 2001
+From: Jan de Mooij
+Date: Tue, 25 Aug 2015 13:11:41 +0200
+Subject: [PATCH] Bug 1140616 - Crash when _releaseobject is called on the
+ wrong thread. r=bsmedberg, a=sledru, a=lizzard
+
+--HG--
+extra : source : 6a513309283d06f56cebee8528cfcf134a74f3c4
+---
+ dom/plugins/base/nsNPAPIPlugin.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/dom/plugins/base/nsNPAPIPlugin.cpp b/dom/plugins/base/nsNPAPIPlugin.cpp
+index f0d07fa..9cd2e05 100644
+--- a/dom/plugins/base/nsNPAPIPlugin.cpp
++++ b/dom/plugins/base/nsNPAPIPlugin.cpp
+@@ -1413,6 +1413,7 @@ _releaseobject(NPObject* npobj)
+ {
+ if (!NS_IsMainThread()) {
+ NPN_PLUGIN_LOG(PLUGIN_LOG_ALWAYS,("NPN_releaseobject called from the wrong thread\n"));
++ MOZ_CRASH("NPN_releaseobject called from the wrong thread");
+ }
+ if (!npobj)
+ return;
+-- 
+2.5.0
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7197.patch b/gnu/packages/patches/icecat-CVE-2015-7197.patch new file mode 100644
index 0000000000..1763341ff7
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7197.patch
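Review bot: The new `MOZ_CRASH` in `_releaseobject` turns a logged condition into a deliberate fail-stop, but the code does not say why continuing is unsafe. A line such as `// Do not touch npobj off the main thread; stop here instead of continuing` would tell the next reader not to downgrade it to a log again. The message text is now duplicated between the `NPN_PLUGIN_LOG` call and `MOZ_CRASH`, so the two can drift apart. The rest of the function is outside the hunk.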
@@ -0,0 +1,70 @@
+From a522e727bff0fb69cb0d34c2d2ad89168d15158d Mon Sep 17 00:00:00 2001
+From: Ehsan Akhgari
+Date: Sat, 12 Sep 2015 17:38:51 -0400
+Subject: [PATCH] Bug 1204269 - Use the worker private in order to determine
+ the origin of the entry settings object for workers; r=smaug a=me
+
+---
+ dom/base/WebSocket.cpp | 46 ++++++++++++++++++++++++++--------------------
+ 1 file changed, 26 insertions(+), 20 deletions(-)
+
+diff --git a/dom/base/WebSocket.cpp b/dom/base/WebSocket.cpp
+index ea91232..26b94d0 100644
+--- a/dom/base/WebSocket.cpp
++++ b/dom/base/WebSocket.cpp
+@@ -1503,26 +1503,32 @@ WebSocketImpl::Init(JSContext* aCx,
+ !Preferences::GetBool("network.websocket.allowInsecureFromHTTPS",
+ false)) {
+ // Confirmed we are opening plain ws:// and want to prevent this from a
+- // secure context (e.g. https). Check the principal's uri to determine if
+- // we were loaded from https.
+- nsCOMPtr globalObject(GetEntryGlobal());
+- if (globalObject) {
+- nsCOMPtr principal(globalObject->PrincipalOrNull());
+- if (principal) {
+- nsCOMPtr uri;
+- principal->GetURI(getter_AddRefs(uri));
+- if (uri) {
+- bool originIsHttps = false;
+- aRv = uri->SchemeIs("https", &originIsHttps);
+- if (NS_WARN_IF(aRv.Failed())) {
+- return;
+- }
+-
+- if (originIsHttps) {
+- aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+- return;
+- }
+- }
++ // secure context (e.g. https).
++ nsCOMPtr principal;
++ nsCOMPtr originURI;
++ if (mWorkerPrivate) {
++ // For workers, retrieve the URI from the WorkerPrivate
++ principal = mWorkerPrivate->GetPrincipal();
++ } else {
++ // Check the principal's uri to determine if we were loaded from https.
++ nsCOMPtr globalObject(GetEntryGlobal());
++ if (globalObject) {
++ principal = globalObject->PrincipalOrNull();
++ }
++ }
++
++ if (principal) {
++ principal->GetURI(getter_AddRefs(originURI));
++ }
++ if (originURI) {
++ bool originIsHttps = false;
++ aRv = originURI->SchemeIs("https", &originIsHttps);
++ if (NS_WARN_IF(aRv.Failed())) {
++ return;
++ }
++ if (originIsHttps) {
++ aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
++ return;
+ }
+ }
+ }
+--
+2.5.0
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7198.patch b/gnu/packages/patches/icecat-CVE-2015-7198.patch
new file mode 100644
index 0000000000..2e127897bc
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7198.patch
@@ -0,0 +1,27 @@
+From cc2a334ee16e99d376fcb49203239abf9eb2c148 Mon Sep 17 00:00:00 2001
+From: Jeff Gilbert
+Date: Wed, 7 Oct 2015 13:27:37 -0700
+Subject: [PATCH] Bug 1188010 - Use MOZ_RELEASE_ASSERT when failure means
+ overflow. - r=kamidphish, a=abillings
+
+---
+ dom/canvas/WebGLTexture.cpp | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/dom/canvas/WebGLTexture.cpp b/dom/canvas/WebGLTexture.cpp
+index 60afc45..d6a6ccd 100644
+--- a/dom/canvas/WebGLTexture.cpp
++++ b/dom/canvas/WebGLTexture.cpp
+@@ -651,8 +651,7 @@ WebGLTexture::EnsureNoUninitializedImageData(TexImageTarget imageTarget,
+ imageInfo.mDepth,
+ bytespertexel,
+ mContext->mPixelStoreUnpackAlignment);
+- MOZ_ASSERT(checked_byteLength.isValid()); // Should have been checked
+- // earlier.
++ MOZ_RELEASE_ASSERT(checked_byteLength.isValid()); // Should have been checked earlier.
+
+ // Infallible for now.
+ UniquePtr zeros((uint8_t*)moz_xcalloc(1,
+--
+2.5.0
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7199.patch b/gnu/packages/patches/icecat-CVE-2015-7199.patch
new file mode 100644
index 0000000000..d6b830b8a0
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7199.patch
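Review bot: In `WebSocketImpl::Init`, the rewritten block still skips the https-origin check whenever no principal or no URI can be obtained: `if (principal)` and `if (originURI)` simply fall through, and the result of `principal->GetURI(...)` is not examined. For the new worker branch this means a null result from `mWorkerPrivate->GetPrincipal()` would let a plain ws:// connection proceed unchecked. If the fall-through is intended for principals that have no URI, a comment above `if (originURI)` should say so, e.g. `// No origin URI available: the check cannot be applied and the connection is allowed`; otherwise the block should fail closed. The function continues outside the hunk.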
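Review bot: The trailing comment `// Should have been checked earlier.` on the `MOZ_RELEASE_ASSERT` line in the WebGLTexture.cpp patch undersells what the line now does: it becomes the release-build guard on `checked_byteLength` before the `moz_xcalloc` call that follows. I would reword it to something like `// Must hold in release builds too: an invalid length means the size computation overflowed.` Only part of `EnsureNoUninitializedImageData` is shown, so whether an earlier check really exists cannot be confirmed from this hunk.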
@@ -0,0 +1,84 @@
+From 04741232fa561a4c299f31a5b5fb4603da79d2c5 Mon Sep 17 00:00:00 2001
+From: Robert Longson
+Date: Tue, 6 Oct 2015 13:19:03 +0100
+Subject: [PATCH] Bug 1204061 - check return values from some methods
+ r=dholbert, a=sylvestre
+
+--HG--
+extra : source : f4c2f277aeae7bf8b05c6b01d1e140cd51b693b4
+---
+ dom/svg/SVGPathSegListSMILType.cpp | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/dom/svg/SVGPathSegListSMILType.cpp b/dom/svg/SVGPathSegListSMILType.cpp
+index f8b67d0..6df0f53 100644
+--- a/dom/svg/SVGPathSegListSMILType.cpp
++++ b/dom/svg/SVGPathSegListSMILType.cpp
+@@ -232,7 +232,7 @@ AddWeightedPathSegs(double aCoeff1,
+ * identity, in which case we'll grow it to the right
+ * size. Also allowed to be the same list as aList1.
+ */
+-static void
++static nsresult
+ AddWeightedPathSegLists(double aCoeff1, const SVGPathDataAndInfo& aList1,
+ double aCoeff2, const SVGPathDataAndInfo& aList2,
+ SVGPathDataAndInfo& aResult)
+@@ -263,8 +263,9 @@ AddWeightedPathSegLists(double aCoeff1, const SVGPathDataAndInfo& aList1,
+ // because in that case, we will have already set iter1 to nullptr above, to
+ // record that our first operand is an identity value.)
+ if (aResult.IsIdentity()) {
+- DebugOnly success = aResult.SetLength(aList2.Length());
+- MOZ_ASSERT(success, "infallible nsTArray::SetLength should succeed");
++ if (!aResult.SetLength(aList2.Length())) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ aResult.SetElement(aList2.Element()); // propagate target element info!
+ }
+
+@@ -280,6 +281,7 @@ AddWeightedPathSegLists(double aCoeff1, const SVGPathDataAndInfo& aList1,
+ iter2 == end2 &&
+ resultIter == aResult.end(),
+ "Very, very bad - path data corrupt");
++ return NS_OK;
+ }
+
+ static void
+@@ -429,9 +431,7 @@ SVGPathSegListSMILType::Add(nsSMILValue& aDest,
+ }
+ }
+
+- AddWeightedPathSegLists(1.0, dest, aCount, valueToAdd, dest);
+-
+- return NS_OK;
++ return AddWeightedPathSegLists(1.0, dest, aCount, valueToAdd, dest);
+ }
+
+ nsresult
+@@ -482,8 +482,9 @@ SVGPathSegListSMILType::Interpolate(const nsSMILValue& aStartVal,
+ if (check == eRequiresConversion) {
+ // Can't convert |start| in-place, since it's const. Instead, we copy it
+ // into |result|, converting the types as we go, and use that as our start.
+- DebugOnly success = result.SetLength(end.Length());
+- MOZ_ASSERT(success, "infallible nsTArray::SetLength should succeed");
++ if (!result.SetLength(end.Length())) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ result.SetElement(end.Element()); // propagate target element info!
+
+ ConvertAllPathSegmentData(start.begin(), start.end(),
+@@ -492,10 +493,8 @@ SVGPathSegListSMILType::Interpolate(const nsSMILValue& aStartVal,
+ startListToUse = &result;
+ }
+
+- AddWeightedPathSegLists(1.0 - aUnitDistance, *startListToUse,
+- aUnitDistance, end, result);
+-
+- return NS_OK;
++ return AddWeightedPathSegLists(1.0 - aUnitDistance, *startListToUse,
++ aUnitDistance, end, result);
+ }
+
+ } // namespace mozilla
+--
+2.5.0
+
-- cgit 1.4.1 From 0f9c1f34000e7fd3f4c6bdb45c568f6416906c3b Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Mon, 2 Nov 2015 12:46:42 -0500 Subject: gnu: Build lua-5.2 with a dynamic library MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/patches/lua52-liblua-so.patch: New file. * gnu/packages/lua.scm (lua-5.2): Use lua52-liblua-so.patch.
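Review bot: `AddWeightedPathSegLists` changes from `void` to `nsresult`, but the doc comment directly above it (ending "Also allowed to be the same list as aList1.") gains no description of the return value. Adding `* @return NS_OK, or NS_ERROR_OUT_OF_MEMORY if aResult could not be resized.` would document the new contract. Both visible callers, `Add` and `Interpolate`, now propagate the result; any callers outside these hunks are not visible. The corruption check ending in "Very, very bad - path data corrupt" still precedes an unconditional `return NS_OK;`, and its macro name is cut off by the hunk, so whether it is enforced in release builds should be checked.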
Signed-off-by: Ludovic Courtès --- gnu/packages/lua.scm | 3 +- gnu/packages/patches/lua52-liblua-so.patch | 78 ++++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/lua52-liblua-so.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/lua.scm b/gnu/packages/lua.scm index 6bedde35c9..d27c024cfb 100644 --- a/gnu/packages/lua.scm +++ b/gnu/packages/lua.scm @@ -37,7 +37,8 @@ version ".tar.gz")) (sha256 (base32 "0b8034v1s82n4dg5rzcn12067ha3nxaylp2vdp8gg08kjsbzphhk")) - (patches (list (search-patch "lua-pkgconfig.patch"))))) + (patches (list (search-patch "lua-pkgconfig.patch") + (search-patch "lua52-liblua-so.patch"))))) (build-system gnu-build-system) (inputs `(("readline", readline))) (arguments diff --git a/gnu/packages/patches/lua52-liblua-so.patch b/gnu/packages/patches/lua52-liblua-so.patch new file mode 100644 index 0000000000..2e6b39ae79 --- /dev/null +++ b/gnu/packages/patches/lua52-liblua-so.patch 
@@ -0,0 +1,78 @@ +From 7a1b4e0829124976878ca2765a8e546667a92ceb Mon Sep 17 00:00:00 2001 +From: Leo Famulari +Date: Fri, 30 Oct 2015 19:11:31 -0400 +Subject: [PATCH] apply existing non-executable library patch and install + libraries as executable + +--- + Makefile | 6 +++--- + src/Makefile | 8 +++++++- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/Makefile b/Makefile +index 1aea8e6..bfcfed9 100644 +--- a/Makefile ++++ b/Makefile +@@ -44,7 +44,7 @@ INTERPRETER= lua + COMPILER= luac + TO_BIN= $(INTERPRETER) $(COMPILER) + TO_INC= lua.h luaconf.h lualib.h lauxlib.h lua.hpp +-TO_LIB= liblua.a ++TO_LIB= liblua.a liblua.so liblua.so.${V} + TO_PC= lua-$(V).pc + TO_MAN= lua.1 luac.1 + +@@ -56,7 +56,7 @@ R= $V.3 + all: $(PLAT) + + $(PLATS): +- cd src && $(MAKE) $@ ++ cd src && $(MAKE) $@ V=$(V) R=$(R) + + clean: + cd src && $(MAKE) $@ +@@ -69,7 +69,7 @@ install: dummy $(TO_PC) + cd src && $(MKDIR) $(INSTALL_BIN) $(INSTALL_INC) $(INSTALL_LIB) $(INSTALL_PC) $(INSTALL_MAN) $(INSTALL_LMOD) $(INSTALL_CMOD) + cd src && $(INSTALL_EXEC) $(TO_BIN) $(INSTALL_BIN) + cd src && $(INSTALL_DATA) $(TO_INC) $(INSTALL_INC) +- cd src && $(INSTALL_DATA) $(TO_LIB) $(INSTALL_LIB) ++ cd src && $(INSTALL_EXEC) $(TO_LIB) $(INSTALL_LIB) + cd src && $(INSTALL_DATA) ../$(TO_PC) $(INSTALL_PC) + cd doc && $(INSTALL_DATA) $(TO_MAN) $(INSTALL_MAN) + +diff --git a/src/Makefile b/src/Makefile +index 7b4b2b7..c86476e 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -29,6 +29,7 @@ MYOBJS= + PLATS= aix ansi bsd freebsd generic linux macosx mingw posix solaris + + LUA_A= liblua.a ++LUA_SO= liblua.so + CORE_O= lapi.o lcode.o lctype.o ldebug.o ldo.o ldump.o lfunc.o lgc.o llex.o \ + lmem.o lobject.o lopcodes.o lparser.o lstate.o lstring.o ltable.o \ + ltm.o lundump.o lvm.o lzio.o +@@ -43,7 +44,7 @@ LUAC_T= luac + LUAC_O= luac.o + + ALL_O= $(BASE_O) $(LUA_O) $(LUAC_O) +-ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T) ++ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T) $(LUA_SO) + ALL_A= $(LUA_A) + + # Targets start 
here. +@@ -55,6 +56,11 @@ o: $(ALL_O) + + a: $(ALL_A) + ++$(LUA_SO): $(CORE_O) $(LIB_O) ++ $(CC) -shared -ldl -Wl,-soname,$(LUA_SO).$(V) -o $@.$(R) $? -lm $(MYLDFLAGS) ++ ln -sf $(LUA_SO).$(R) $(LUA_SO).$(V) ++ ln -sf $(LUA_SO).$(R) $(LUA_SO) ++ + $(LUA_A): $(BASE_O) + $(AR) $@ $(BASE_O) + $(RANLIB) $@ +-- +2.6.1 + -- cgit 1.4.1 From e6974eae1d5d4111c789cf7cb347ba0658802c29 Mon Sep 17 00:00:00 2001 From: Taylan Ulrich Bayırlı/Kammer Date: Mon, 2 Nov 2015 00:39:22 +0100 Subject: gnu: Add mupen64plus-ui-console. * gnu/packages/games.scm (mupen64plus-ui-console): New variable. * gnu/packages/patches/mupen64plus-ui-console-notice.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. --- gnu-system.am | 1 + gnu/packages/games.scm | 66 ++++++++++++++++++++++ .../patches/mupen64plus-ui-console-notice.patch | 34 +++++++++++ 3 files changed, 101 insertions(+) create mode 100644 gnu/packages/patches/mupen64plus-ui-console-notice.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index f3ded69a78..cf99a9a008 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -587,6 +587,7 @@ dist_patch_DATA = \ gnu/packages/patches/mplayer2-theora-fix.patch \ gnu/packages/patches/module-init-tools-moduledir.patch \ gnu/packages/patches/mumps-build-parallelism.patch \ + gnu/packages/patches/mupen64plus-ui-console-notice.patch \ gnu/packages/patches/mupdf-buildsystem-fix.patch \ gnu/packages/patches/mutt-store-references.patch \ gnu/packages/patches/net-tools-bitrot.patch \ diff --git a/gnu/packages/games.scm b/gnu/packages/games.scm index 732b9c6515..2b5d78d618 100644 --- a/gnu/packages/games.scm +++ b/gnu/packages/games.scm 
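Review bot: The `$(LUA_SO)` recipe added to src/Makefile links with `$?`, which expands only to the prerequisites newer than the target, so an incremental rebuild after touching one source would link a shared library containing just the changed objects. It should use `$^`, with the libraries after the objects on the link line: `$(CC) -shared -Wl,-soname,$(LUA_SO).$(V) -o $@.$(R) $^ -ldl -lm $(MYLDFLAGS)`. The real output of the rule is `$@.$(R)`, with `$@` itself only a symlink made by the recipe, so Make cannot track the library file directly. In a clean one-shot package build `$?` equals the full prerequisite list, so this is likely harmless there, but the patch would be safer with the fix.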
@@ -1688,6 +1688,72 @@ which is capable of accurately playing many games. This package contains the Z64 video plugin.") (license license:gpl2+))) +(define-public mupen64plus-ui-console + (package + (name "mupen64plus-ui-console") + (version "2.5") + (source + (origin + (method url-fetch) + (uri (string-append + "https://github.com/mupen64plus/mupen64plus-ui-console/archive/" + version ".tar.gz")) + (file-name (string-append name "-" version ".tar.gz")) + (sha256 + (base32 "04qkpd8ic7xsgnqz7spl00wxdygf79m7d1k8rabbygjk5lg6p8z2")) + (patches + (list (search-patch "mupen64plus-ui-console-notice.patch"))))) + (build-system gnu-build-system) + (native-inputs + `(("pkg-config" ,pkg-config) + ("which" ,which))) + (inputs + `(("sdl2" ,sdl2))) + ;; Mupen64Plus supports a single data directory and a single plugin + ;; directory in its configuration, yet we need data and plugin files from + ;; a variety of packages. The best way to deal with this is to install + ;; all packages from which data and plugin files are needed into one's + ;; profile, and point the configuration there. Hence, propagate the most + ;; important packages here to save the user from the bother. The patch + ;; mupen64plus-ui-console-notice also gives users instructions on what + ;; they need to do in order to point the configuration to their profile. + (propagated-inputs + `(("mupen64plus-core" ,mupen64plus-core) + ("mupen64plus-audio-sdl" ,mupen64plus-audio-sdl) + ("mupen64plus-input-sdl" ,mupen64plus-input-sdl) + ("mupen64plus-rsp-hle" ,mupen64plus-rsp-hle) + ("mupen64plus-video-glide64" ,mupen64plus-video-glide64) + ("mupen64plus-video-glide64mk2" ,mupen64plus-video-glide64mk2) + ("mupen64plus-video-rice" ,mupen64plus-video-rice))) + (arguments + '(#:phases + (modify-phases %standard-phases + ;; The mupen64plus build system has no configure phase. + (delete 'configure) + ;; Makefile is in a subdirectory. 
+ (add-before + 'build 'cd-to-project-dir + (lambda _ + (chdir "projects/unix")))) + #:make-flags + (let ((out (assoc-ref %outputs "out")) + (m64p (assoc-ref %build-inputs "mupen64plus-core"))) + (list "all" + (string-append "PREFIX=" out) + (string-append "APIDIR=" m64p "/include/mupen64plus") + ;; Trailing slash matters here. + (string-append "COREDIR=" m64p "/lib/"))) + ;; There are no tests. + #:tests? #f)) + (home-page "http://www.mupen64plus.org/") + (synopsis "Mupen64Plus SDL input plugin") + (description + "Mupen64Plus is a cross-platform plugin-based Nintendo 64 (N64) emulator +which is capable of accurately playing many games. This package contains the +command line user interface. Installing this package is the easiest way +towards a working Mupen64Plus for casual users.") + (license license:gpl2+))) + (define-public nestopia-ue (package (name "nestopia-ue") diff --git a/gnu/packages/patches/mupen64plus-ui-console-notice.patch b/gnu/packages/patches/mupen64plus-ui-console-notice.patch new file mode 100644 index 0000000000..1d0b4c46bb --- /dev/null +++ b/gnu/packages/patches/mupen64plus-ui-console-notice.patch 
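Review bot: The `synopsis` of `mupen64plus-ui-console` reads "Mupen64Plus SDL input plugin", which looks copied from the input plugin package and contradicts the description ("This package contains the command line user interface"). I would change it to `(synopsis "Mupen64Plus command line user interface")`. The long comment above `propagated-inputs` explains the profile-based plugin lookup well and needs no change.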
@@ -0,0 +1,34 @@
+Mupen64Plus supports a single data directory and a single plugin directory in
+its configuration, yet we need data and plugin files from a variety of
+packages. The best way to deal with this is to install all packages from
+which data and plugin files are needed into one's profile, and point the
+configuration there. Hence, the ui-console package provides propagated inputs
+for packages with the most important data and plugin files, and this patch
+provides the user instructions on what needs to be done in order to have
+Mupen64Plus find the relevant data and plugins.
+
+--- a/src/plugin.c
++++ b/src/plugin.c
+@@ -122,6 +122,22 @@ m64p_error PluginSearchLoad(m64p_handle ConfigUI)
+ {
+ const char *plugindir = (*ConfigGetParamString)(ConfigUI, "PluginDir");
+ lib_filelist = osal_library_search(plugindir);
++ /* Guix specific */
++ if (lib_filelist == NULL)
++ {
++ DebugMessage(M64MSG_ERROR, "No plugins found in PluginDir path: %s", plugindir);
++ DebugMessage(M64MSG_ERROR,
++ "\n\n"
++ "*********************************\n"
++ "*** Notice for GNU Guix users ***\n"
++ "*********************************\n"
++ "\n"
++ "You might want to edit your mupen64plus.cfg (in $XDG_CONFIG_HOME by default)\n"
++ "and set SharedDataPath to /path/to/my_guix_profile/share/mupen64plus and\n"
++ "PluginDir to /path/to/my_guix_profile/lib/mupen64plus so that data and plugins\n"
++ "are found.\n"
++ "\n");
++ }
+ }
+
+ /* if still no plugins found, search some common system folders */
-- cgit 1.4.1 From ba583bd2ce887cdd8b99ea55c15b57c5209e4b58 Mon Sep 17 00:00:00 2001
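Review bot: The Guix notice in `PluginSearchLoad` is logged at `M64MSG_ERROR` as soon as the configured `PluginDir` yields nothing, yet the unchanged comment right after the block says the code goes on to search common system folders. A user whose plugins are then found by that fallback still sees two error-level messages. Consider `M64MSG_WARNING` for both calls, or emit the notice only after the fallback search has also failed. `plugindir` is also passed to `%s` without a null check; whether `ConfigGetParamString` can return NULL is not visible here. The function continues outside the hunk.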
From: Ludovic Courtès Date: Tue, 10 Nov 2015 18:38:04 +0100 Subject: gnu: torsocks: Upgrade to 2.0.0. * gnu/packages/tor.scm (torsocks): Update to 2.0.0. [source]: Fetch from git.torproject.org. Use 'torsocks-dns-test.patch'. [arguments, native-inputs]: New fields. [license]: Change to GPL2. * gnu/packages/patches/torsocks-dns-test.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. --- gnu-system.am | 1 + gnu/packages/patches/torsocks-dns-test.patch | 18 ++++++++++++++ gnu/packages/tor.scm | 37 ++++++++++++++++++++-------- 3 files changed, 46 insertions(+), 10 deletions(-) create mode 100644 gnu/packages/patches/torsocks-dns-test.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index cf99a9a008..c5b32b290e 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -661,6 +661,7 @@ dist_patch_DATA = \ gnu/packages/patches/texi2html-document-encoding.patch \ gnu/packages/patches/texi2html-i18n.patch \ gnu/packages/patches/tidy-CVE-2015-5522+5523.patch \ + gnu/packages/patches/torsocks-dns-test.patch \ gnu/packages/patches/tvtime-gcc41.patch \ gnu/packages/patches/tvtime-pngoutput.patch \ gnu/packages/patches/tvtime-videodev2.patch \ diff --git a/gnu/packages/patches/torsocks-dns-test.patch b/gnu/packages/patches/torsocks-dns-test.patch new file mode 100644 index 0000000000..ba70ba5933 --- /dev/null +++ b/gnu/packages/patches/torsocks-dns-test.patch @@ -0,0 +1,18 @@ +Skip DNS tests that rely on the ability to look up arbitary +host names. + +--- torsocks/tests/test_dns.c 2015-11-10 18:30:53.955941984 +0100 ++++ torsocks/tests/test_dns.c 2015-11-10 18:31:02.199941892 +0100 +@@ -134,11 +134,8 @@ static void test_getaddrinfo(const struc + int main(int argc, char **argv) + { + /* Libtap call for the number of tests planned. */ +- plan_tests(NUM_TESTS); ++ plan_tests(1); + +- test_getaddrinfo(&tor_check); +- test_gethostbyname(&tor_dir_auth1); +- test_gethostbyaddr(&tor_dir_auth2); + test_getaddrinfo(&tor_localhost); + + return 0; 
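Review bot: After the torsocks-dns-test patch, `main` in tests/test_dns.c runs only `test_getaddrinfo(&tor_localhost)`, so the package's tests no longer exercise any name resolution that goes through Tor, which is the behaviour torsocks exists to guarantee. That is presumably unavoidable in a build environment without network access, but the patch header should state it, e.g. `The remaining test covers localhost only; resolution through Tor is not tested at build time.` The removed calls presumably leave `test_gethostbyname` and `test_gethostbyaddr` defined but unused, which could trip warning-as-error builds; their definitions are outside the hunk. The header also misspells "arbitrary" as "arbitary".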
diff --git a/gnu/packages/tor.scm b/gnu/packages/tor.scm index 3cf45a400e..3b057d422e 100644 --- a/gnu/packages/tor.scm +++ b/gnu/packages/tor.scm @@ -18,13 +18,16 @@ ;;; along with GNU Guix. If not, see . (define-module (gnu packages tor) - #:use-module ((guix licenses) #:select (bsd-3 gpl2+)) + #:use-module ((guix licenses) #:select (bsd-3 gpl2+ gpl2)) #:use-module (guix packages) #:use-module (guix download) + #:use-module (guix git-download) #:use-module (guix build-system gnu) + #:use-module (gnu packages) #:use-module (gnu packages libevent) #:use-module (gnu packages compression) #:use-module (gnu packages pcre) + #:use-module (gnu packages perl) #:use-module (gnu packages python) #:use-module (gnu packages autotools) #:use-module (gnu packages tls) 
@@ -66,22 +69,36 @@ applications based on the TCP protocol.") (define-public torsocks (package (name "torsocks") - (version "1.2") + (version "2.0.0") (source (origin - (method url-fetch) - (uri (string-append "http://torsocks.googlecode.com/files/torsocks-" - version ".tar.gz")) - (sha256 - (base32 - "1m0is5q24sf7jjlkl0icfkdc0m53nbkg0q72s57p48yp4hv7v9dy")))) + (method git-fetch) + (uri (git-reference + (url "https://git.torproject.org/torsocks.git") + (commit (string-append "v" version)))) + (sha256 + (base32 + "0an2q5ail9z414riyjbkjkm29504hy778j914baz2gn5hlv2cfak")) + (file-name (string-append name "-" version "-checkout")) + (patches (list (search-patch "torsocks-dns-test.patch"))))) (build-system gnu-build-system) - (home-page "http://code.google.com/p/torsocks/") + (arguments + '(#:phases (modify-phases %standard-phases + (add-before 'configure 'bootstrap + (lambda _ + (system* "autoreconf" "-vfi")))))) + (native-inputs `(("autoconf" ,(autoconf-wrapper)) + ("automake" ,automake) + ("libtool" ,libtool) + ("perl-test-harness" ,perl-test-harness))) + (home-page "http://www.torproject.org/") (synopsis "Use socks-friendly applications with Tor") (description "Torsocks allows you to use most socks-friendly applications in a safe way with Tor. It ensures that DNS requests are handled safely and explicitly rejects UDP traffic from the application you're using.") - (license gpl2+))) + + ;; All the files explicitly say "version 2 only". + (license gpl2))) (define-public privoxy (package -- cgit 1.4.1 From 419630e0bec46b9cb33047dea1662df0c400ade3 Mon Sep 17 00:00:00 2001 
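Review bot: In the new `bootstrap` phase, `(system* "autoreconf" "-vfi")` returns the exit status as an integer, and every integer is true in Scheme, so a failing `autoreconf` would still count as a successful phase, assuming phases here signal failure by returning `#f`. Wrap the call: `(zero? (system* "autoreconf" "-vfi"))`. The switch to `git-fetch` pins the `v2.0.0` tag by content hash, which keeps the source verifiable. `home-page` moves to a plain `http://www.torproject.org/` URL and could use `https://` instead.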
From: Mark H Weaver Date: Wed, 11 Nov 2015 07:43:12 -0500 Subject: gnu: wpa-supplicant: Add fixes for CVE-2015-{5310,5314,5315,5316}. * gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch, gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch, gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch, gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/admin.scm (wpa-supplicant-minimal)[source]: Add patches. --- gnu-system.am | 4 ++ gnu/packages/admin.scm | 7 ++- .../patches/wpa-supplicant-CVE-2015-5310.patch | 32 +++++++++++++ .../patches/wpa-supplicant-CVE-2015-5314.patch | 51 ++++++++++++++++++++ .../patches/wpa-supplicant-CVE-2015-5315.patch | 54 ++++++++++++++++++++++ .../patches/wpa-supplicant-CVE-2015-5316.patch | 34 ++++++++++++++ 6 files changed, 181 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch create mode 100644 gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch create mode 100644 gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch create mode 100644 gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index c5b32b290e..e53bb3ecf4 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -692,6 +692,10 @@ dist_patch_DATA = \ gnu/packages/patches/wicd-template-instantiation.patch \ gnu/packages/patches/wicd-urwid-1.3.patch \ gnu/packages/patches/wmctrl-64-fix.patch \ + gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch \ + gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch \ + gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch \ + gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch \ gnu/packages/patches/xf86-video-ark-remove-mibstore.patch \ gnu/packages/patches/xf86-video-ast-remove-mibstore.patch \ gnu/packages/patches/xf86-video-geode-glibc-2.20.patch \ 
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index aba5a51a4c..6aca8570c0 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -716,7 +716,12 @@ commands and their arguments.") ".tar.gz")) (sha256 (base32 - "05mkp5bx1c3z7h5biddsv0p49gkrq9ksany3anp4wdiv92p5prfc")))) + "05mkp5bx1c3z7h5biddsv0p49gkrq9ksany3anp4wdiv92p5prfc")) + (patches + (map search-patch '("wpa-supplicant-CVE-2015-5310.patch" + "wpa-supplicant-CVE-2015-5314.patch" + "wpa-supplicant-CVE-2015-5315.patch" + "wpa-supplicant-CVE-2015-5316.patch"))))) (build-system gnu-build-system) (arguments '(#:phases (alist-replace diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch new file mode 100644 index 0000000000..00e5b7c771 --- /dev/null +++ b/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch 
@@ -0,0 +1,32 @@
+From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sun, 25 Oct 2015 15:45:50 +0200
+Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no
+ PMF in use
+
+WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
+enabled. Verify that PMF is in use before using this field on station
+side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
+
+Signed-off-by: Jouni Malinen
+---
+ wpa_supplicant/wnm_sta.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
+index 954de67..7d79499 100644
+--- a/wpa_supplicant/wnm_sta.c
++++ b/wpa_supplicant/wnm_sta.c
+@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s,
+ end = ptr + key_len_total;
+ wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
+
++ if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
++ wpa_msg(wpa_s, MSG_INFO,
++ "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
++ return;
++ }
++
+ while (ptr + 1 < end) {
+ if (ptr + 2 + ptr[1] > end) {
+ wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch
new file mode 100644
index 0000000000..bfc4c74e95
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch
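Review bot: The new PMF check in `wnm_sleep_mode_exit_success` sits after the `wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ...)` call, so bytes from a frame that is about to be rejected as unauthenticated are still written to the debug log under a key-material label. Moving the `if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa))` block above the hexdump would keep rejected data out of that dump. This is an ordering point only, not a flaw in the fix. The function starts and ends outside the hunk.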
@@ -0,0 +1,51 @@
+From bef802ece03f9ae9d52a21f0cf4f1bc2c5a1f8aa Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sun, 1 Nov 2015 18:24:16 +0200
+Subject: [PATCH] EAP-pwd server: Fix last fragment length validation
+
+All but the last fragment had their length checked against the remaining
+room in the reassembly buffer. This allowed a suitably constructed last
+fragment frame to try to add extra data that would go beyond the buffer.
+The length validation code in wpabuf_put_data() prevents an actual
+buffer write overflow from occurring, but this results in process
+termination. (CVE-2015-5314)
+
+Signed-off-by: Jouni Malinen
+---
+ src/eap_server/eap_server_pwd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index cb83ff7..9f787ab 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ /*
+ * the first and all intermediate fragments have the M bit set
+ */
+- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
++ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+ if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
+ "attack detected! (%d+%d > %d)",
+@@ -981,6 +981,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ }
+ wpabuf_put_data(data->inbuf, pos, len);
+ data->in_frag_pos += len;
++ }
++ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment",
+ (int) len);
+ return;
+@@ -990,8 +992,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
+ * buffering fragments so that's how we know it's the last)
+ */
+ if (data->in_frag_pos) {
+- wpabuf_put_data(data->inbuf, pos, len);
+- data->in_frag_pos += len;
+ pos = wpabuf_head_u8(data->inbuf);
+ len = data->in_frag_pos;
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
+--
+1.9.1
+
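Review bot: With the widened condition `EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos` in `eap_pwd_process`, a frame without the M bit now reaches `wpabuf_size(data->inbuf)` and `wpabuf_put_data(data->inbuf, ...)` purely because `in_frag_pos` is non-zero. That is safe only if `in_frag_pos` is reset to zero wherever `inbuf` is freed or not yet allocated, and that code lies outside the hunk, so it should be confirmed. A comment at the condition would record the invariant, e.g. `/* in_frag_pos != 0 implies inbuf is allocated */`. The same applies to the matching peer-side change in the CVE-2015-5315 patch that follows.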
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch
new file mode 100644
index 0000000000..82c26398b6
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch
@@ -0,0 +1,54 @@
+From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sun, 1 Nov 2015 18:18:17 +0200
+Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation
+
+All but the last fragment had their length checked against the remaining
+room in the reassembly buffer. This allowed a suitably constructed last
+fragment frame to try to add extra data that would go beyond the buffer.
+The length validation code in wpabuf_put_data() prevents an actual
+buffer write overflow from occurring, but this results in process
+termination. (CVE-2015-5315)
+
+Signed-off-by: Jouni Malinen
+---
+ src/eap_peer/eap_pwd.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 1f78544..75ceef1 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
+ /*
+ * buffer and ACK the fragment
+ */
+- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
++ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
+ data->in_frag_pos += len;
+ if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
+ wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
+@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
+ return NULL;
+ }
+ wpabuf_put_data(data->inbuf, pos, len);
+-
++ }
++ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
+ resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
+ EAP_PWD_HDR_SIZE,
+ EAP_CODE_RESPONSE, eap_get_id(reqData));
+@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
+ * we're buffering and this is the last fragment
+ */
+ if (data->in_frag_pos) {
+- wpabuf_put_data(data->inbuf, pos, len);
+ wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
+ (int) len);
+- data->in_frag_pos += len;
+ pos = wpabuf_head_u8(data->inbuf);
+ len = data->in_frag_pos;
+ }
+--
+1.9.1
+
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch
new file mode 100644
index 0000000000..3088f6a6dc
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch
@@ -0,0 +1,34 @@
+From 95577884ca4fa76be91344ff7a8d5d1e6dc3da61 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sun, 1 Nov 2015 19:35:44 +0200
+Subject: [PATCH] EAP-pwd peer: Fix error path for unexpected Confirm message
+
+If the Confirm message is received from the server before the Identity
+exchange has been completed, the group has not yet been determined and
+data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
+did not take this corner case into account and could end up
+dereferencing a NULL pointer and terminating the process if invalid
+message sequence is received. (CVE-2015-5316)
+
+Signed-off-by: Jouni Malinen
+---
+ src/eap_peer/eap_pwd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 75ceef1..892b590 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
+
+fin:
+- bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
++ if (data->grp)
++ bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
+ BN_clear_free(x);
+ BN_clear_free(y);
+ if (data->outbuf == NULL) {
+--
+1.9.1
+
-- cgit 1.4.1 From 9715df7fbed076a1073a5d90d81a26f2b8e24df8 Mon Sep 17 00:00:00 2001
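Review bot: At the `fin:` label in `eap_pwd_perform_confirm_exchange`, the new `if (data->grp)` guard avoids the NULL dereference, but it also skips `bin_clear_free(cruft, ...)` altogether when no group has been set. That is correct only if `cruft` is still NULL on every path that reaches `fin` without a group; the allocation is outside the hunk, so this should be confirmed. If it holds, a comment would make the reasoning explicit: `/* cruft is only allocated once data->grp is known */`. The function starts outside the hunk.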
From: Mark H Weaver Date: Sun, 8 Nov 2015 23:00:28 -0500 Subject: gnu: mit-krb5: Update to 1.13.2. * gnu/packages/mit-krb5.scm (mit-krb5): Update to 1.13.2. [native-inputs]: Remove "patch/init-fix". * gnu/packages/patches/mit-krb5-init-fix.patch: Delete file. * gnu-system.am (dist_patch_DATA): Remove it. --- gnu-system.am | 1 - gnu/packages/mit-krb5.scm | 7 +++---- gnu/packages/patches/mit-krb5-init-fix.patch | 18 ------------------ 3 files changed, 3 insertions(+), 23 deletions(-) delete mode 100644 gnu/packages/patches/mit-krb5-init-fix.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index 009ca766d2..6cb37297f7 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -586,7 +586,6 @@ dist_patch_DATA = \ gnu/packages/patches/mcron-install.patch \ gnu/packages/patches/mdadm-gcc-4.9-fix.patch \ gnu/packages/patches/mhash-keygen-test-segfault.patch \ - gnu/packages/patches/mit-krb5-init-fix.patch \ gnu/packages/patches/mpc123-initialize-ao.patch \ gnu/packages/patches/mplayer2-theora-fix.patch \ gnu/packages/patches/module-init-tools-moduledir.patch \ diff --git a/gnu/packages/mit-krb5.scm b/gnu/packages/mit-krb5.scm index b79d4d34bc..4327e1da65 100644 --- a/gnu/packages/mit-krb5.scm +++ b/gnu/packages/mit-krb5.scm @@ -29,18 +29,17 @@ (define-public mit-krb5 (package (name "mit-krb5") - (version "1.11.3") + (version "1.13.2") (source (origin (method url-fetch) (uri (string-append "http://web.mit.edu/kerberos/www/dist/krb5/" (string-copy version 0 (string-rindex version #\.)) "/krb5-" version "-signed.tar")) (sha256 (base32 - "1daiaxgkxcryqs37w28v4x1vajqmay4l144d1zd9c2d7jjxr9gcs")))) + "1qbdzyrws7d0q4filsibh28z54pd5l987jr0ygv43iq9085w6a75")))) (build-system gnu-build-system) (native-inputs - `(("patch/init-fix" ,(search-patch "mit-krb5-init-fix.patch")) - ("bison" ,bison) + `(("bison" ,bison) ("perl" ,perl))) (arguments '(#:phases 
diff --git a/gnu/packages/patches/mit-krb5-init-fix.patch b/gnu/packages/patches/mit-krb5-init-fix.patch deleted file mode 100644 index 13e49c2789..0000000000 --- a/gnu/packages/patches/mit-krb5-init-fix.patch +++ /dev/null @@ -1,18 +0,0 @@ -Fix the early context initialization code to avoid assuming that -arguments will be evaluated from right to left. - -Patch by Mark H Weaver . - ---- src/lib/krb5/krb/t_cc_config.c.orig 2012-12-17 21:47:05.000000000 -0500 -+++ src/lib/krb5/krb/t_cc_config.c 2013-10-29 18:19:16.547994590 -0400 -@@ -117,8 +117,8 @@ - int c; - unsigned int i; - -- bail_on_err(context, "Error initializing Kerberos library", -- krb5_init_context(&context)); -+ ret = krb5_init_context(&context); -+ bail_on_err(context, "Error initializing Kerberos library", ret); - bail_on_err(context, "Error getting location of default ccache", - krb5_cc_default(context, &ccache)); - server = NULL; -- cgit 1.4.1 From ff45a00e798350676ca7a4cf1cac349cc0b4c1f6 Mon Sep 17 00:00:00 2001 
From: Mark H Weaver Date: Sun, 8 Nov 2015 23:05:11 -0500 Subject: gnu: mit-krb5: Add fixes for CVE-2015-{2695,2696,2697,2698}. * gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch, gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch, gnu/packages/patches/mit-krb5-CVE-2015-2696.patch, gnu/packages/patches/mit-krb5-CVE-2015-2697.patch, gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch, gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/mit-krb5.scm (mit-krb5)[native-inputs]: Add patches. --- gnu-system.am | 6 + gnu/packages/mit-krb5.scm | 14 +- .../patches/mit-krb5-CVE-2015-2695-pt1.patch | 569 ++++++++++++++++ .../patches/mit-krb5-CVE-2015-2695-pt2.patch | 65 ++ gnu/packages/patches/mit-krb5-CVE-2015-2696.patch | 736 +++++++++++++++++++++ gnu/packages/patches/mit-krb5-CVE-2015-2697.patch | 55 ++ .../patches/mit-krb5-CVE-2015-2698-pt1.patch | 43 ++ .../patches/mit-krb5-CVE-2015-2698-pt2.patch | 132 ++++ 8 files changed, 1619 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-2696.patch create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-2697.patch create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch create mode 100644 gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index 6cb37297f7..c80f08678d 100644 --- a/gnu-system.am +++ b/gnu-system.am 
@@ -586,6 +586,12 @@ dist_patch_DATA = \
 gnu/packages/patches/mcron-install.patch \
 gnu/packages/patches/mdadm-gcc-4.9-fix.patch \
 gnu/packages/patches/mhash-keygen-test-segfault.patch \
+ gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch \
+ gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch \
+ gnu/packages/patches/mit-krb5-CVE-2015-2696.patch \
+ gnu/packages/patches/mit-krb5-CVE-2015-2697.patch \
+ gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch \
+ gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch \
 gnu/packages/patches/mpc123-initialize-ao.patch \
 gnu/packages/patches/mplayer2-theora-fix.patch \
 gnu/packages/patches/module-init-tools-moduledir.patch \
diff --git a/gnu/packages/mit-krb5.scm b/gnu/packages/mit-krb5.scm
index 76d8b2473e..16bef8d97d 100644
--- a/gnu/packages/mit-krb5.scm
+++ b/gnu/packages/mit-krb5.scm
@@ -42,7 +42,19 @@
 (build-system gnu-build-system)
 (native-inputs
 `(("bison" ,bison)
- ("perl" ,perl)))
+ ("perl" ,perl)
+
+ ;; Include the patches as native-inputs.
+ ,@(map (lambda (label)
+ (let ((input-name (string-append "patch/" label))
+ (file-name (string-append name "-" label ".patch")))
+ `(,input-name ,(search-patch file-name))))
+ '("CVE-2015-2695-pt1"
+ "CVE-2015-2695-pt2"
+ "CVE-2015-2696"
+ "CVE-2015-2697"
+ "CVE-2015-2698-pt1"
+ "CVE-2015-2698-pt2"))))
 (arguments
 `(#:modules ((ice-9 ftw)
 (ice-9 match)
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch
new file mode 100644
index 0000000000..0f5603e228
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt1.patch
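Review bot: The comment `;; Include the patches as native-inputs.` in the `native-inputs` hunk of gnu/packages/mit-krb5.scm restates the code and omits what a maintainer needs to know: why these security fixes are not listed in the origin's `patches` field, and that their order matters. The `-pt2` file for CVE-2015-2695 applies on top of the `-pt1` result (it calls `create_spnego_ctx(initiate)`, which `-pt1` introduces), so the list must be applied in the order written. The code that consumes the `"patch/…"` inputs is outside this hunk, so whether it preserves that order cannot be confirmed from here. Once checked, I would replace the comment with something like `;; Security fixes, applied at build time in the order listed (pt2 depends on pt1).` plus one line giving the reason they are inputs rather than origin patches.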
@@ -0,0 +1,569 @@ +Copied from Debian. + +From b813d5811432faed844a2dfd3daecde914978f2c Mon Sep 17 00:00:00 2001 +From: Nicolas Williams +Date: Mon, 14 Sep 2015 12:27:52 -0400 +Subject: Fix SPNEGO context aliasing bugs [CVE-2015-2695] + +The SPNEGO mechanism currently replaces its context handle with the +mechanism context handle upon establishment, under the assumption that +most GSS functions are only called after context establishment. This +assumption is incorrect, and can lead to aliasing violations for some +programs. Maintain the SPNEGO context structure after context +establishment and refer to it in all GSS methods. Add initiate and +opened flags to the SPNEGO context structure for use in +gss_inquire_context() prior to context establishment. + +CVE-2015-2695: + +In MIT krb5 1.5 and later, applications which call +gss_inquire_context() on a partially-established SPNEGO context can +cause the GSS-API library to read from a pointer using the wrong type, +generally causing a process crash. This bug may go unnoticed, because +the most common SPNEGO authentication scenario establishes the context +after just one call to gss_accept_sec_context(). Java server +applications using the native JGSS provider are vulnerable to this +bug. A carefully crafted SPNEGO packet might allow the +gss_inquire_context() call to succeed with attacker-determined +results, but applications should not make access control decisions +based on gss_inquire_context() results prior to context establishment. 
+ + CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C + +[ghudson@mit.edu: several bugfixes, style changes, and edge-case +behavior changes; commit message and CVE description] + +ticket: 8244 +target_version: 1.14 +tags: pullup + +(cherry picked from commit b51b33f2bc5d1497ddf5bd107f791c101695000d) +Patch-Category: upstream +--- + src/lib/gssapi/spnego/gssapiP_spnego.h | 2 + + src/lib/gssapi/spnego/spnego_mech.c | 254 ++++++++++++++++++++++++--------- + 2 files changed, 192 insertions(+), 64 deletions(-) + +diff --git a/src/lib/gssapi/spnego/gssapiP_spnego.h b/src/lib/gssapi/spnego/gssapiP_spnego.h +index bc23f56..8e05736 100644 +--- a/src/lib/gssapi/spnego/gssapiP_spnego.h ++++ b/src/lib/gssapi/spnego/gssapiP_spnego.h +@@ -102,6 +102,8 @@ typedef struct { + int firstpass; + int mech_complete; + int nego_done; ++ int initiate; ++ int opened; + OM_uint32 ctx_flags; + gss_name_t internal_name; + gss_OID actual_mech; +diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c +index 6e39c37..a1072b0 100644 +--- a/src/lib/gssapi/spnego/spnego_mech.c ++++ b/src/lib/gssapi/spnego/spnego_mech.c +@@ -104,7 +104,7 @@ static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t, + gss_cred_usage_t, gss_OID_set *); + static void release_spnego_ctx(spnego_gss_ctx_id_t *); + static void check_spnego_options(spnego_gss_ctx_id_t); +-static spnego_gss_ctx_id_t create_spnego_ctx(void); ++static spnego_gss_ctx_id_t create_spnego_ctx(int); + static int put_mech_set(gss_OID_set mechSet, gss_buffer_t buf); + static int put_input_token(unsigned char **, gss_buffer_t, unsigned int); + static int put_mech_oid(unsigned char **, gss_OID_const, unsigned int); +@@ -442,7 +442,7 @@ check_spnego_options(spnego_gss_ctx_id_t spnego_ctx) + } + + static spnego_gss_ctx_id_t +-create_spnego_ctx(void) ++create_spnego_ctx(int initiate) + { + spnego_gss_ctx_id_t spnego_ctx = NULL; + spnego_ctx = (spnego_gss_ctx_id_t) +@@ -465,6 +465,8 @@ 
create_spnego_ctx(void) + spnego_ctx->mic_rcvd = 0; + spnego_ctx->mech_complete = 0; + spnego_ctx->nego_done = 0; ++ spnego_ctx->opened = 0; ++ spnego_ctx->initiate = initiate; + spnego_ctx->internal_name = GSS_C_NO_NAME; + spnego_ctx->actual_mech = GSS_C_NO_OID; + +@@ -630,7 +632,7 @@ init_ctx_new(OM_uint32 *minor_status, + OM_uint32 ret; + spnego_gss_ctx_id_t sc = NULL; + +- sc = create_spnego_ctx(); ++ sc = create_spnego_ctx(1); + if (sc == NULL) + return GSS_S_FAILURE; + +@@ -647,10 +649,7 @@ init_ctx_new(OM_uint32 *minor_status, + ret = GSS_S_FAILURE; + goto cleanup; + } +- /* +- * The actual context is not yet determined, set the output +- * context handle to refer to the spnego context itself. +- */ ++ + sc->ctx_handle = GSS_C_NO_CONTEXT; + *ctx = (gss_ctx_id_t)sc; + sc = NULL; +@@ -1091,16 +1090,11 @@ cleanup: + } + gss_release_buffer(&tmpmin, &mechtok_out); + if (ret == GSS_S_COMPLETE) { +- /* +- * Now, switch the output context to refer to the +- * negotiated mechanism's context. 
+- */ +- *context_handle = (gss_ctx_id_t)spnego_ctx->ctx_handle; ++ spnego_ctx->opened = 1; + if (actual_mech != NULL) + *actual_mech = spnego_ctx->actual_mech; + if (ret_flags != NULL) + *ret_flags = spnego_ctx->ctx_flags; +- release_spnego_ctx(&spnego_ctx); + } else if (ret != GSS_S_CONTINUE_NEEDED) { + if (spnego_ctx != NULL) { + gss_delete_sec_context(&tmpmin, +@@ -1344,7 +1338,7 @@ acc_ctx_hints(OM_uint32 *minor_status, + if (ret != GSS_S_COMPLETE) + goto cleanup; + +- sc = create_spnego_ctx(); ++ sc = create_spnego_ctx(0); + if (sc == NULL) { + ret = GSS_S_FAILURE; + goto cleanup; +@@ -1426,7 +1420,7 @@ acc_ctx_new(OM_uint32 *minor_status, + gss_release_buffer(&tmpmin, &sc->DER_mechTypes); + assert(mech_wanted != GSS_C_NO_OID); + } else +- sc = create_spnego_ctx(); ++ sc = create_spnego_ctx(0); + if (sc == NULL) { + ret = GSS_S_FAILURE; + *return_token = NO_TOKEN_SEND; +@@ -1809,13 +1803,12 @@ cleanup: + ret = GSS_S_FAILURE; + } + if (ret == GSS_S_COMPLETE) { +- *context_handle = (gss_ctx_id_t)sc->ctx_handle; ++ sc->opened = 1; + if (sc->internal_name != GSS_C_NO_NAME && + src_name != NULL) { + *src_name = sc->internal_name; + sc->internal_name = GSS_C_NO_NAME; + } +- release_spnego_ctx(&sc); + } else if (ret != GSS_S_CONTINUE_NEEDED) { + if (sc != NULL) { + gss_delete_sec_context(&tmpmin, &sc->ctx_handle, +@@ -2128,8 +2121,13 @@ spnego_gss_unwrap( + gss_qop_t *qop_state) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_unwrap(minor_status, +- context_handle, ++ sc->ctx_handle, + input_message_buffer, + output_message_buffer, + conf_state, +@@ -2149,8 +2147,13 @@ spnego_gss_wrap( + gss_buffer_t output_message_buffer) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap(minor_status, +- context_handle, ++ 
sc->ctx_handle, + conf_req_flag, + qop_req, + input_message_buffer, +@@ -2167,8 +2170,14 @@ spnego_gss_process_context_token( + const gss_buffer_t token_buffer) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ /* SPNEGO doesn't have its own context tokens. */ ++ if (!sc->opened) ++ return (GSS_S_DEFECTIVE_TOKEN); ++ + ret = gss_process_context_token(minor_status, +- context_handle, ++ sc->ctx_handle, + token_buffer); + + return (ret); +@@ -2192,19 +2201,9 @@ spnego_gss_delete_sec_context( + if (*ctx == NULL) + return (GSS_S_COMPLETE); + +- /* +- * If this is still an SPNEGO mech, release it locally. +- */ +- if ((*ctx)->magic_num == SPNEGO_MAGIC_ID) { +- (void) gss_delete_sec_context(minor_status, +- &(*ctx)->ctx_handle, +- output_token); +- (void) release_spnego_ctx(ctx); +- } else { +- ret = gss_delete_sec_context(minor_status, +- context_handle, +- output_token); +- } ++ (void) gss_delete_sec_context(minor_status, &(*ctx)->ctx_handle, ++ output_token); ++ (void) release_spnego_ctx(ctx); + + return (ret); + } +@@ -2216,8 +2215,13 @@ spnego_gss_context_time( + OM_uint32 *time_rec) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_context_time(minor_status, +- context_handle, ++ sc->ctx_handle, + time_rec); + return (ret); + } +@@ -2229,9 +2233,20 @@ spnego_gss_export_sec_context( + gss_buffer_t interprocess_token) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = *(spnego_gss_ctx_id_t *)context_handle; ++ ++ /* We don't currently support exporting partially established ++ * contexts. 
*/ ++ if (!sc->opened) ++ return GSS_S_UNAVAILABLE; ++ + ret = gss_export_sec_context(minor_status, +- context_handle, ++ &sc->ctx_handle, + interprocess_token); ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) { ++ release_spnego_ctx(&sc); ++ *context_handle = GSS_C_NO_CONTEXT; ++ } + return (ret); + } + +@@ -2241,11 +2256,12 @@ spnego_gss_import_sec_context( + const gss_buffer_t interprocess_token, + gss_ctx_id_t *context_handle) + { +- OM_uint32 ret; +- ret = gss_import_sec_context(minor_status, +- interprocess_token, +- context_handle); +- return (ret); ++ /* ++ * Until we implement partial context exports, there are no SPNEGO ++ * exported context tokens, only tokens for underlying mechs. So just ++ * return an error for now. ++ */ ++ return GSS_S_UNAVAILABLE; + } + #endif /* LEAN_CLIENT */ + +@@ -2262,16 +2278,48 @@ spnego_gss_inquire_context( + int *opened) + { + OM_uint32 ret = GSS_S_COMPLETE; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (src_name != NULL) ++ *src_name = GSS_C_NO_NAME; ++ if (targ_name != NULL) ++ *targ_name = GSS_C_NO_NAME; ++ if (lifetime_rec != NULL) ++ *lifetime_rec = 0; ++ if (mech_type != NULL) ++ *mech_type = (gss_OID)gss_mech_spnego; ++ if (ctx_flags != NULL) ++ *ctx_flags = 0; ++ if (locally_initiated != NULL) ++ *locally_initiated = sc->initiate; ++ if (opened != NULL) ++ *opened = sc->opened; ++ ++ if (sc->ctx_handle != GSS_C_NO_CONTEXT) { ++ ret = gss_inquire_context(minor_status, sc->ctx_handle, ++ src_name, targ_name, lifetime_rec, ++ mech_type, ctx_flags, NULL, NULL); ++ } + +- ret = gss_inquire_context(minor_status, +- context_handle, +- src_name, +- targ_name, +- lifetime_rec, +- mech_type, +- ctx_flags, +- locally_initiated, +- opened); ++ if (!sc->opened) { ++ /* ++ * We are still doing SPNEGO negotiation, so report SPNEGO as ++ * the OID. After negotiation is complete we will report the ++ * underlying mechanism OID. 
++ */ ++ if (mech_type != NULL) ++ *mech_type = (gss_OID)gss_mech_spnego; ++ ++ /* ++ * Remove flags we don't support with partially-established ++ * contexts. (Change this to keep GSS_C_TRANS_FLAG if we add ++ * support for exporting partial SPNEGO contexts.) ++ */ ++ if (ctx_flags != NULL) { ++ *ctx_flags &= ~GSS_C_PROT_READY_FLAG; ++ *ctx_flags &= ~GSS_C_TRANS_FLAG; ++ } ++ } + + return (ret); + } +@@ -2286,8 +2334,13 @@ spnego_gss_wrap_size_limit( + OM_uint32 *max_input_size) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap_size_limit(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_req_flag, + qop_req, + req_output_size, +@@ -2304,8 +2357,13 @@ spnego_gss_get_mic( + gss_buffer_t message_token) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_get_mic(minor_status, +- context_handle, ++ sc->ctx_handle, + qop_req, + message_buffer, + message_token); +@@ -2321,8 +2379,13 @@ spnego_gss_verify_mic( + gss_qop_t *qop_state) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_verify_mic(minor_status, +- context_handle, ++ sc->ctx_handle, + msg_buffer, + token_buffer, + qop_state); +@@ -2337,8 +2400,14 @@ spnego_gss_inquire_sec_context_by_oid( + gss_buffer_set_t *data_set) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ /* There are no SPNEGO-specific OIDs for this function. 
*/ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_UNAVAILABLE); ++ + ret = gss_inquire_sec_context_by_oid(minor_status, +- context_handle, ++ sc->ctx_handle, + desired_object, + data_set); + return (ret); +@@ -2407,8 +2476,15 @@ spnego_gss_set_sec_context_option( + const gss_buffer_t value) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)*context_handle; ++ ++ /* There are no SPNEGO-specific OIDs for this function, and we cannot ++ * construct an empty SPNEGO context with it. */ ++ if (sc == NULL || sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_UNAVAILABLE); ++ + ret = gss_set_sec_context_option(minor_status, +- context_handle, ++ &sc->ctx_handle, + desired_object, + value); + return (ret); +@@ -2425,8 +2501,13 @@ spnego_gss_wrap_aead(OM_uint32 *minor_status, + gss_buffer_t output_message_buffer) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap_aead(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_req_flag, + qop_req, + input_assoc_buffer, +@@ -2447,8 +2528,13 @@ spnego_gss_unwrap_aead(OM_uint32 *minor_status, + gss_qop_t *qop_state) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_unwrap_aead(minor_status, +- context_handle, ++ sc->ctx_handle, + input_message_buffer, + input_assoc_buffer, + output_payload_buffer, +@@ -2467,8 +2553,13 @@ spnego_gss_wrap_iov(OM_uint32 *minor_status, + int iov_count) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap_iov(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_req_flag, + qop_req, + conf_state, +@@ -2486,8 +2577,13 @@ spnego_gss_unwrap_iov(OM_uint32 *minor_status, + int 
iov_count) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_unwrap_iov(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_state, + qop_state, + iov, +@@ -2505,8 +2601,13 @@ spnego_gss_wrap_iov_length(OM_uint32 *minor_status, + int iov_count) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_wrap_iov_length(minor_status, +- context_handle, ++ sc->ctx_handle, + conf_req_flag, + qop_req, + conf_state, +@@ -2523,8 +2624,13 @@ spnego_gss_complete_auth_token( + gss_buffer_t input_message_buffer) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_UNAVAILABLE); ++ + ret = gss_complete_auth_token(minor_status, +- context_handle, ++ sc->ctx_handle, + input_message_buffer); + return (ret); + } +@@ -2776,8 +2882,13 @@ spnego_gss_pseudo_random(OM_uint32 *minor_status, + gss_buffer_t prf_out) + { + OM_uint32 ret; ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ + ret = gss_pseudo_random(minor_status, +- context, ++ sc->ctx_handle, + prf_key, + prf_in, + desired_output_len, +@@ -2918,7 +3029,12 @@ spnego_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, + gss_qop_t qop_req, gss_iov_buffer_desc *iov, + int iov_count) + { +- return gss_get_mic_iov(minor_status, context_handle, qop_req, iov, ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ ++ return gss_get_mic_iov(minor_status, sc->ctx_handle, qop_req, iov, + iov_count); + } + +@@ -2927,7 +3043,12 @@ spnego_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, 
+ gss_qop_t *qop_state, gss_iov_buffer_desc *iov, + int iov_count) + { +- return gss_verify_mic_iov(minor_status, context_handle, qop_state, iov, ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ ++ return gss_verify_mic_iov(minor_status, sc->ctx_handle, qop_state, iov, + iov_count); + } + +@@ -2936,7 +3057,12 @@ spnego_gss_get_mic_iov_length(OM_uint32 *minor_status, + gss_ctx_id_t context_handle, gss_qop_t qop_req, + gss_iov_buffer_desc *iov, int iov_count) + { +- return gss_get_mic_iov_length(minor_status, context_handle, qop_req, iov, ++ spnego_gss_ctx_id_t sc = (spnego_gss_ctx_id_t)context_handle; ++ ++ if (sc->ctx_handle == GSS_C_NO_CONTEXT) ++ return (GSS_S_NO_CONTEXT); ++ ++ return gss_get_mic_iov_length(minor_status, sc->ctx_handle, qop_req, iov, + iov_count); + } + diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch new file mode 100644 index 0000000000..aa9fcfa0dd --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-2695-pt2.patch 
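Review bot: Every `spnego_gss_*` wrapper touched in mit-krb5-CVE-2015-2695-pt1.patch now casts the incoming handle to `spnego_gss_ctx_id_t` and reads `sc->ctx_handle` with no runtime check of the handle's type, and the only test that existed, the `(*ctx)->magic_num == SPNEGO_MAGIC_ID` branch in `spnego_gss_delete_sec_context`, is removed. That matches the intent of the fix (the handle is always the SPNEGO structure from now on), but the invariant is left implicit, and a handle of another type would again be read through the wrong struct, which is the failure the CVE text describes. The file already uses `assert` (`assert(mech_wanted != GSS_C_NO_OID);`), so a guard such as `assert(sc->magic_num == SPNEGO_MAGIC_ID);` after each cast would state and enforce it in debug builds. Only `spnego_gss_set_sec_context_option` tests `sc == NULL`; the other wrappers presumably rely on their caller rejecting `GSS_C_NO_CONTEXT`, which is worth confirming. As the file is copied from Debian and upstream, the suggestion belongs upstream rather than in a local edit.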
@@ -0,0 +1,65 @@
+Copied from Debian.
+
+From 18c512ebdcc5cacc777e9dbcc6817f83c301ad93 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Wed, 4 Nov 2015 21:29:10 -0500
+Subject: Fix SPNEGO context import
+
+The patches for CVE-2015-2695 did not implement a SPNEGO
+gss_import_sec_context() function, under the erroneous belief than an
+exported SPNEGO context would be tagged with the underlying context
+mechanism. Implement it now to allow SPNEGO contexts to be
+successfully exported and imported after establishment.
+
+ticket: 8273
+(cherry picked from commit fbb565f913c52eba9bea82f1694aba7a8c90e93d)
+
+Patch-Category: upstream
+---
+ src/lib/gssapi/spnego/spnego_mech.c | 33 +++++++++++++++++++++++++++------
+ 1 file changed, 27 insertions(+), 6 deletions(-)
+
+diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
+index a1072b0..02284a1 100644
+--- a/src/lib/gssapi/spnego/spnego_mech.c
++++ b/src/lib/gssapi/spnego/spnego_mech.c
+@@ -2256,12 +2256,33 @@ spnego_gss_import_sec_context(
+ const gss_buffer_t interprocess_token,
+ gss_ctx_id_t *context_handle)
+ {
+- /*
+- * Until we implement partial context exports, there are no SPNEGO
+- * exported context tokens, only tokens for underlying mechs. So just
+- * return an error for now.
+- */
+- return GSS_S_UNAVAILABLE;
++ OM_uint32 ret, tmpmin;
++ gss_ctx_id_t mctx;
++ spnego_gss_ctx_id_t sc;
++ int initiate, opened;
++
++ ret = gss_import_sec_context(minor_status, interprocess_token, &mctx);
++ if (ret != GSS_S_COMPLETE)
++ return ret;
++
++ ret = gss_inquire_context(&tmpmin, mctx, NULL, NULL, NULL, NULL, NULL,
++ &initiate, &opened);
++ if (ret != GSS_S_COMPLETE || !opened) {
++ /* We don't currently support importing partially established
++ * contexts. */
++ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
++ return GSS_S_FAILURE;
++ }
++
++ sc = create_spnego_ctx(initiate);
++ if (sc == NULL) {
++ (void) gss_delete_sec_context(&tmpmin, &mctx, GSS_C_NO_BUFFER);
++ return GSS_S_FAILURE;
++ }
++ sc->ctx_handle = mctx;
++ sc->opened = 1;
++ *context_handle = (gss_ctx_id_t)sc;
++ return GSS_S_COMPLETE;
+ }
+ #endif /* LEAN_CLIENT */
+
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2696.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2696.patch
new file mode 100644
index 0000000000..7b4b1d71ab
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2696.patch
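Review bot: Both failure paths of the new `spnego_gss_import_sec_context` in mit-krb5-CVE-2015-2695-pt2.patch return `GSS_S_FAILURE` without writing `*minor_status`, so the caller gets a major failure paired with whatever minor code the earlier, successful `gss_import_sec_context` call left there. The `gss_inquire_context` minor code goes into `tmpmin` and is then overwritten by `gss_delete_sec_context`, and the `sc == NULL` branch, presumably an allocation failure, records nothing at all. Setting the minor status before each return, for example `*minor_status = ENOMEM;` ahead of the second `return GSS_S_FAILURE;`, would make the failure diagnosable. The start of the function's signature lies outside the inner hunk, and the file is an upstream cherry-pick, so the change is one to propose upstream.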
@@ -0,0 +1,736 @@ +Copied from Debian. + +From ebea85358bc72ec20c53130d83acb93f95853b76 Mon Sep 17 00:00:00 2001 +From: Nicolas Williams +Date: Mon, 14 Sep 2015 12:28:36 -0400 +Subject: Fix IAKERB context aliasing bugs [CVE-2015-2696] + +The IAKERB mechanism currently replaces its context handle with the +krb5 mechanism handle upon establishment, under the assumption that +most GSS functions are only called after context establishment. This +assumption is incorrect, and can lead to aliasing violations for some +programs. Maintain the IAKERB context structure after context +establishment and add new IAKERB entry points to refer to it with that +type. Add initiate and established flags to the IAKERB context +structure for use in gss_inquire_context() prior to context +establishment. + +CVE-2015-2696: + +In MIT krb5 1.9 and later, applications which call +gss_inquire_context() on a partially-established IAKERB context can +cause the GSS-API library to read from a pointer using the wrong type, +generally causing a process crash. Java server applications using the +native JGSS provider are vulnerable to this bug. A carefully crafted +IAKERB packet might allow the gss_inquire_context() call to succeed +with attacker-determined results, but applications should not make +access control decisions based on gss_inquire_context() results prior +to context establishment. 
+ + CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C + +[ghudson@mit.edu: several bugfixes, style changes, and edge-case +behavior changes; commit message and CVE description] + +ticket: 8244 +target_version: 1.14 +tags: pullup + +(cherry picked from commit e04f0283516e80d2f93366e0d479d13c9b5c8c2a) +Patch-Category: upstream +--- + src/lib/gssapi/krb5/gssapiP_krb5.h | 114 ++++++++++++ + src/lib/gssapi/krb5/gssapi_krb5.c | 105 +++++++++-- + src/lib/gssapi/krb5/iakerb.c | 351 +++++++++++++++++++++++++++++++++---- + 3 files changed, 529 insertions(+), 41 deletions(-) + +diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h +index a0e8625..05dc321 100644 +--- a/src/lib/gssapi/krb5/gssapiP_krb5.h ++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h +@@ -620,6 +620,21 @@ OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext + ); + #endif /* LEAN_CLIENT */ + ++OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid ++(OM_uint32*, /* minor_status */ ++ const gss_ctx_id_t, ++ /* context_handle */ ++ const gss_OID, /* desired_object */ ++ gss_buffer_set_t* /* data_set */ ++); ++ ++OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option ++(OM_uint32*, /* minor_status */ ++ gss_ctx_id_t*, /* context_handle */ ++ const gss_OID, /* desired_object */ ++ const gss_buffer_t/* value */ ++); ++ + OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token + (OM_uint32*, /* minor_status */ + gss_ctx_id_t, /* context_handle */ +@@ -1301,6 +1316,105 @@ OM_uint32 KRB5_CALLCONV + krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token, + gss_cred_id_t *cred_handle); + ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_process_context_token(OM_uint32 *minor_status, ++ const gss_ctx_id_t context_handle, ++ const gss_buffer_t token_buffer); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ OM_uint32 *time_rec); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_inquire_context(OM_uint32 *minor_status, ++ 
gss_ctx_id_t context_handle, gss_name_t *src_name, ++ gss_name_t *targ_name, OM_uint32 *lifetime_rec, ++ gss_OID *mech_type, OM_uint32 *ctx_flags, ++ int *locally_initiated, int *opened); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t qop_req, gss_buffer_t message_buffer, ++ gss_buffer_t message_token); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t qop_req, gss_iov_buffer_desc *iov, ++ int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, gss_qop_t qop_req, ++ gss_iov_buffer_desc *iov, int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t msg_buffer, gss_buffer_t token_buffer, ++ gss_qop_t *qop_state); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t *qop_state, gss_iov_buffer_desc *iov, ++ int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, ++ gss_buffer_t input_message_buffer, int *conf_state, ++ gss_buffer_t output_message_buffer); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, int *conf_state, ++ gss_iov_buffer_desc *iov, int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_iov_length(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, int conf_req_flag, ++ gss_qop_t qop_req, int *conf_state, ++ gss_iov_buffer_desc *iov, int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t input_message_buffer, ++ gss_buffer_t output_message_buffer, int *conf_state, ++ gss_qop_t *qop_state); ++ 
++OM_uint32 KRB5_CALLCONV ++iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int *conf_state, gss_qop_t *qop_state, ++ gss_iov_buffer_desc *iov, int iov_count); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_size_limit(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, int conf_req_flag, ++ gss_qop_t qop_req, OM_uint32 req_output_size, ++ OM_uint32 *max_input_size); ++ ++#ifndef LEAN_CLIENT ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_export_sec_context(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ gss_buffer_t interprocess_token); ++#endif /* LEAN_CLIENT */ ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status, ++ const gss_ctx_id_t context_handle, ++ const gss_OID desired_object, ++ gss_buffer_set_t *data_set); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_set_sec_context_option(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ const gss_OID desired_object, ++ const gss_buffer_t value); ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int prf_key, const gss_buffer_t prf_in, ++ ssize_t desired_output_len, gss_buffer_t prf_out); ++ + /* Magic string to identify exported krb5 GSS credentials. Increment this if + * the format changes. 
*/ + #define CRED_EXPORT_MAGIC "K5C1" +diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c +index 77b7fff..9a23656 100644 +--- a/src/lib/gssapi/krb5/gssapi_krb5.c ++++ b/src/lib/gssapi/krb5/gssapi_krb5.c +@@ -345,7 +345,7 @@ static struct { + } + }; + +-static OM_uint32 KRB5_CALLCONV ++OM_uint32 KRB5_CALLCONV + krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, +@@ -459,7 +459,7 @@ static struct { + }; + #endif + +-static OM_uint32 KRB5_CALLCONV ++OM_uint32 KRB5_CALLCONV + krb5_gss_set_sec_context_option (OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + const gss_OID desired_object, +@@ -904,20 +904,103 @@ static struct gss_config krb5_mechanism = { + krb5_gss_get_mic_iov_length, + }; + ++/* Functions which use security contexts or acquire creds are IAKERB-specific; ++ * other functions can borrow from the krb5 mech. */ ++static struct gss_config iakerb_mechanism = { ++ { GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID }, ++ NULL, ++ iakerb_gss_acquire_cred, ++ krb5_gss_release_cred, ++ iakerb_gss_init_sec_context, ++#ifdef LEAN_CLIENT ++ NULL, ++#else ++ iakerb_gss_accept_sec_context, ++#endif ++ iakerb_gss_process_context_token, ++ iakerb_gss_delete_sec_context, ++ iakerb_gss_context_time, ++ iakerb_gss_get_mic, ++ iakerb_gss_verify_mic, ++#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE) ++ NULL, ++#else ++ iakerb_gss_wrap, ++#endif ++#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE) ++ NULL, ++#else ++ iakerb_gss_unwrap, ++#endif ++ krb5_gss_display_status, ++ krb5_gss_indicate_mechs, ++ krb5_gss_compare_name, ++ krb5_gss_display_name, ++ krb5_gss_import_name, ++ krb5_gss_release_name, ++ krb5_gss_inquire_cred, ++ NULL, /* add_cred */ ++#ifdef LEAN_CLIENT ++ NULL, ++ NULL, ++#else ++ iakerb_gss_export_sec_context, ++ NULL, ++#endif ++ krb5_gss_inquire_cred_by_mech, ++ krb5_gss_inquire_names_for_mech, ++ 
iakerb_gss_inquire_context, ++ krb5_gss_internal_release_oid, ++ iakerb_gss_wrap_size_limit, ++ krb5_gss_localname, ++ krb5_gss_authorize_localname, ++ krb5_gss_export_name, ++ krb5_gss_duplicate_name, ++ krb5_gss_store_cred, ++ iakerb_gss_inquire_sec_context_by_oid, ++ krb5_gss_inquire_cred_by_oid, ++ iakerb_gss_set_sec_context_option, ++ krb5_gssspi_set_cred_option, ++ krb5_gssspi_mech_invoke, ++ NULL, /* wrap_aead */ ++ NULL, /* unwrap_aead */ ++ iakerb_gss_wrap_iov, ++ iakerb_gss_unwrap_iov, ++ iakerb_gss_wrap_iov_length, ++ NULL, /* complete_auth_token */ ++ NULL, /* acquire_cred_impersonate_name */ ++ NULL, /* add_cred_impersonate_name */ ++ NULL, /* display_name_ext */ ++ krb5_gss_inquire_name, ++ krb5_gss_get_name_attribute, ++ krb5_gss_set_name_attribute, ++ krb5_gss_delete_name_attribute, ++ krb5_gss_export_name_composite, ++ krb5_gss_map_name_to_any, ++ krb5_gss_release_any_name_mapping, ++ iakerb_gss_pseudo_random, ++ NULL, /* set_neg_mechs */ ++ krb5_gss_inquire_saslname_for_mech, ++ krb5_gss_inquire_mech_for_saslname, ++ krb5_gss_inquire_attrs_for_mech, ++ krb5_gss_acquire_cred_from, ++ krb5_gss_store_cred_into, ++ iakerb_gss_acquire_cred_with_password, ++ krb5_gss_export_cred, ++ krb5_gss_import_cred, ++ NULL, /* import_sec_context_by_mech */ ++ NULL, /* import_name_by_mech */ ++ NULL, /* import_cred_by_mech */ ++ iakerb_gss_get_mic_iov, ++ iakerb_gss_verify_mic_iov, ++ iakerb_gss_get_mic_iov_length, ++}; ++ + #ifdef _GSS_STATIC_LINK + #include "mglueP.h" + static int gss_iakerbmechglue_init(void) + { + struct gss_mech_config mech_iakerb; +- struct gss_config iakerb_mechanism = krb5_mechanism; +- +- /* IAKERB mechanism mirrors krb5, but with different context SPIs */ +- iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context; +- iakerb_mechanism.gss_init_sec_context = iakerb_gss_init_sec_context; +- iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context; +- iakerb_mechanism.gss_acquire_cred = iakerb_gss_acquire_cred; 
+- iakerb_mechanism.gssspi_acquire_cred_with_password +- = iakerb_gss_acquire_cred_with_password; + + memset(&mech_iakerb, 0, sizeof(mech_iakerb)); + mech_iakerb.mech = &iakerb_mechanism; +diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c +index f30de32..4662bd9 100644 +--- a/src/lib/gssapi/krb5/iakerb.c ++++ b/src/lib/gssapi/krb5/iakerb.c +@@ -47,6 +47,8 @@ struct _iakerb_ctx_id_rec { + gss_ctx_id_t gssc; + krb5_data conv; /* conversation for checksumming */ + unsigned int count; /* number of round trips */ ++ int initiate; ++ int established; + krb5_get_init_creds_opt *gic_opts; + }; + +@@ -695,7 +697,7 @@ cleanup: + * Allocate and initialise an IAKERB context + */ + static krb5_error_code +-iakerb_alloc_context(iakerb_ctx_id_t *pctx) ++iakerb_alloc_context(iakerb_ctx_id_t *pctx, int initiate) + { + iakerb_ctx_id_t ctx; + krb5_error_code code; +@@ -709,6 +711,8 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx) + ctx->magic = KG_IAKERB_CONTEXT; + ctx->state = IAKERB_AS_REQ; + ctx->count = 0; ++ ctx->initiate = initiate; ++ ctx->established = 0; + + code = krb5_gss_init_context(&ctx->k5c); + if (code != 0) +@@ -732,7 +736,7 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status, + gss_ctx_id_t *context_handle, + gss_buffer_t output_token) + { +- OM_uint32 major_status = GSS_S_COMPLETE; ++ iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle; + + if (output_token != GSS_C_NO_BUFFER) { + output_token->length = 0; +@@ -740,23 +744,10 @@ iakerb_gss_delete_sec_context(OM_uint32 *minor_status, + } + + *minor_status = 0; ++ *context_handle = GSS_C_NO_CONTEXT; ++ iakerb_release_context(iakerb_ctx); + +- if (*context_handle != GSS_C_NO_CONTEXT) { +- iakerb_ctx_id_t iakerb_ctx = (iakerb_ctx_id_t)*context_handle; +- +- if (iakerb_ctx->magic == KG_IAKERB_CONTEXT) { +- iakerb_release_context(iakerb_ctx); +- *context_handle = GSS_C_NO_CONTEXT; +- } else { +- assert(iakerb_ctx->magic == KG_CONTEXT); +- +- major_status = 
krb5_gss_delete_sec_context(minor_status, +- context_handle, +- output_token); +- } +- } +- +- return major_status; ++ return GSS_S_COMPLETE; + } + + static krb5_boolean +@@ -802,7 +793,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status, + int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT); + + if (initialContextToken) { +- code = iakerb_alloc_context(&ctx); ++ code = iakerb_alloc_context(&ctx, 0); + if (code != 0) + goto cleanup; + +@@ -854,11 +845,8 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status, + time_rec, + delegated_cred_handle, + &exts); +- if (major_status == GSS_S_COMPLETE) { +- *context_handle = ctx->gssc; +- ctx->gssc = NULL; +- iakerb_release_context(ctx); +- } ++ if (major_status == GSS_S_COMPLETE) ++ ctx->established = 1; + if (mech_type != NULL) + *mech_type = (gss_OID)gss_mech_krb5; + } +@@ -897,7 +885,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, + int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT); + + if (initialContextToken) { +- code = iakerb_alloc_context(&ctx); ++ code = iakerb_alloc_context(&ctx, 1); + if (code != 0) { + *minor_status = code; + goto cleanup; +@@ -983,11 +971,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, + ret_flags, + time_rec, + &exts); +- if (major_status == GSS_S_COMPLETE) { +- *context_handle = ctx->gssc; +- ctx->gssc = GSS_C_NO_CONTEXT; +- iakerb_release_context(ctx); +- } ++ if (major_status == GSS_S_COMPLETE) ++ ctx->established = 1; + if (actual_mech_type != NULL) + *actual_mech_type = (gss_OID)gss_mech_krb5; + } else { +@@ -1010,3 +995,309 @@ cleanup: + + return major_status; + } ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t input_message_buffer, ++ gss_buffer_t output_message_buffer, int *conf_state, ++ gss_qop_t *qop_state) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return 
krb5_gss_unwrap(minor_status, ctx->gssc, input_message_buffer, ++ output_message_buffer, conf_state, qop_state); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, ++ gss_buffer_t input_message_buffer, int *conf_state, ++ gss_buffer_t output_message_buffer) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_wrap(minor_status, ctx->gssc, conf_req_flag, qop_req, ++ input_message_buffer, conf_state, ++ output_message_buffer); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_process_context_token(OM_uint32 *minor_status, ++ const gss_ctx_id_t context_handle, ++ const gss_buffer_t token_buffer) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_DEFECTIVE_TOKEN; ++ ++ return krb5_gss_process_context_token(minor_status, ctx->gssc, ++ token_buffer); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ OM_uint32 *time_rec) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_context_time(minor_status, ctx->gssc, time_rec); ++} ++ ++#ifndef LEAN_CLIENT ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_export_sec_context(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ gss_buffer_t interprocess_token) ++{ ++ OM_uint32 maj; ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ /* We don't currently support exporting partially established contexts. 
*/ ++ if (!ctx->established) ++ return GSS_S_UNAVAILABLE; ++ ++ maj = krb5_gss_export_sec_context(minor_status, &ctx->gssc, ++ interprocess_token); ++ if (ctx->gssc == GSS_C_NO_CONTEXT) { ++ iakerb_release_context(ctx); ++ *context_handle = GSS_C_NO_CONTEXT; ++ } ++ return maj; ++} ++ ++/* ++ * Until we implement partial context exports, there are no SPNEGO exported ++ * context tokens, only tokens for the underlying krb5 context. So we do not ++ * need to implement an iakerb_gss_import_sec_context() yet; it would be ++ * unreachable except via a manually constructed token. ++ */ ++ ++#endif /* LEAN_CLIENT */ ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_inquire_context(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, gss_name_t *src_name, ++ gss_name_t *targ_name, OM_uint32 *lifetime_rec, ++ gss_OID *mech_type, OM_uint32 *ctx_flags, ++ int *initiate, int *opened) ++{ ++ OM_uint32 ret; ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (src_name != NULL) ++ *src_name = GSS_C_NO_NAME; ++ if (targ_name != NULL) ++ *targ_name = GSS_C_NO_NAME; ++ if (lifetime_rec != NULL) ++ *lifetime_rec = 0; ++ if (mech_type != NULL) ++ *mech_type = (gss_OID)gss_mech_iakerb; ++ if (ctx_flags != NULL) ++ *ctx_flags = 0; ++ if (initiate != NULL) ++ *initiate = ctx->initiate; ++ if (opened != NULL) ++ *opened = ctx->established; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_COMPLETE; ++ ++ ret = krb5_gss_inquire_context(minor_status, ctx->gssc, src_name, ++ targ_name, lifetime_rec, mech_type, ++ ctx_flags, initiate, opened); ++ ++ if (!ctx->established) { ++ /* Report IAKERB as the mech OID until the context is established. */ ++ if (mech_type != NULL) ++ *mech_type = (gss_OID)gss_mech_iakerb; ++ ++ /* We don't support exporting partially-established contexts. 
*/ ++ if (ctx_flags != NULL) ++ *ctx_flags &= ~GSS_C_TRANS_FLAG; ++ } ++ ++ return ret; ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_size_limit(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, int conf_req_flag, ++ gss_qop_t qop_req, OM_uint32 req_output_size, ++ OM_uint32 *max_input_size) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_wrap_size_limit(minor_status, ctx->gssc, conf_req_flag, ++ qop_req, req_output_size, max_input_size); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t qop_req, gss_buffer_t message_buffer, ++ gss_buffer_t message_token) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_get_mic(minor_status, ctx->gssc, qop_req, message_buffer, ++ message_token); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_buffer_t msg_buffer, gss_buffer_t token_buffer, ++ gss_qop_t *qop_state) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_verify_mic(minor_status, ctx->gssc, msg_buffer, ++ token_buffer, qop_state); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status, ++ const gss_ctx_id_t context_handle, ++ const gss_OID desired_object, ++ gss_buffer_set_t *data_set) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_UNAVAILABLE; ++ ++ return krb5_gss_inquire_sec_context_by_oid(minor_status, ctx->gssc, ++ desired_object, data_set); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_set_sec_context_option(OM_uint32 *minor_status, ++ gss_ctx_id_t *context_handle, ++ const gss_OID desired_object, ++ 
const gss_buffer_t value) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle; ++ ++ if (ctx == NULL || ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_UNAVAILABLE; ++ ++ return krb5_gss_set_sec_context_option(minor_status, &ctx->gssc, ++ desired_object, value); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int conf_req_flag, gss_qop_t qop_req, int *conf_state, ++ gss_iov_buffer_desc *iov, int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_wrap_iov(minor_status, ctx->gssc, conf_req_flag, qop_req, ++ conf_state, iov, iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int *conf_state, gss_qop_t *qop_state, ++ gss_iov_buffer_desc *iov, int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_unwrap_iov(minor_status, ctx->gssc, conf_state, qop_state, ++ iov, iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_wrap_iov_length(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, int conf_req_flag, ++ gss_qop_t qop_req, int *conf_state, ++ gss_iov_buffer_desc *iov, int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_wrap_iov_length(minor_status, ctx->gssc, conf_req_flag, ++ qop_req, conf_state, iov, iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ int prf_key, const gss_buffer_t prf_in, ++ ssize_t desired_output_len, gss_buffer_t prf_out) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return 
krb5_gss_pseudo_random(minor_status, ctx->gssc, prf_key, prf_in, ++ desired_output_len, prf_out); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t qop_req, gss_iov_buffer_desc *iov, ++ int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_get_mic_iov(minor_status, ctx->gssc, qop_req, iov, ++ iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, ++ gss_qop_t *qop_state, gss_iov_buffer_desc *iov, ++ int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_verify_mic_iov(minor_status, ctx->gssc, qop_state, iov, ++ iov_count); ++} ++ ++OM_uint32 KRB5_CALLCONV ++iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status, ++ gss_ctx_id_t context_handle, gss_qop_t qop_req, ++ gss_iov_buffer_desc *iov, int iov_count) ++{ ++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle; ++ ++ if (ctx->gssc == GSS_C_NO_CONTEXT) ++ return GSS_S_NO_CONTEXT; ++ ++ return krb5_gss_get_mic_iov_length(minor_status, ctx->gssc, qop_req, iov, ++ iov_count); ++} diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch new file mode 100644 index 0000000000..f65ce39623 --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-2697.patch 
@@ -0,0 +1,55 @@
+Copied from Debian.
+
+From fcafb522a0509bfd6f4f6b57e4a1e93c0092eeb0 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Fri, 25 Sep 2015 12:51:47 -0400
+Subject: Fix build_principal memory bug [CVE-2015-2697]
+
+In build_principal_va(), use k5memdup0() instead of strdup() to make a
+copy of the realm, to ensure that we allocate the correct number of
+bytes and do not read past the end of the input string. This bug
+affects krb5_build_principal(), krb5_build_principal_va(), and
+krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
+affected.
+
+CVE-2015-2697:
+
+In MIT krb5 1.7 and later, an authenticated attacker may be able to
+cause a KDC to crash using a TGS request with a large realm field
+beginning with a null byte. If the KDC attempts to find a referral to
+answer the request, it constructs a principal name for lookup using
+krb5_build_principal() with the requested realm. Due to a bug in this
+function, the null byte causes only one byte be allocated for the
+realm field of the constructed principal, far less than its length.
+Subsequent operations on the lookup principal may cause a read beyond
+the end of the mapped memory region, causing the KDC process to crash.
+
+CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
+
+ticket: 8252 (new)
+target_version: 1.14
+tags: pullup
+
+(cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789)
+Patch-Category: upstream
+---
+ src/lib/krb5/krb/bld_princ.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
+index ab6fed8..8604268 100644
+--- a/src/lib/krb5/krb/bld_princ.c
++++ b/src/lib/krb5/krb/bld_princ.c
+@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
+ data = malloc(size * sizeof(krb5_data));
+ if (!data) { retval = ENOMEM; }
+ 
+- if (!retval) {
+- r = strdup(realm);
+- if (!r) { retval = ENOMEM; }
+- }
++ if (!retval)
++ r = k5memdup0(realm, rlen, &retval);
+ 
+ while (!retval && (component = va_arg(ap, char *))) {
+ if (count == size) {
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch
new file mode 100644
index 0000000000..67545e4c16
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt1.patch
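Review bot: The replacement line `r = k5memdup0(realm, rlen, &retval);` is only correct if `rlen` is the caller-supplied realm length, and nothing in the hunk shows where `rlen` is set or says why a length-based copy is required. A one-line comment above it, such as `/* realm may contain NUL bytes; copy exactly rlen bytes, not strlen(realm) */`, would keep a later cleanup from going back to `strdup()`. build_principal_va() starts and ends outside the hunk, so the origin of `rlen` should be confirmed against the full function.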
@@ -0,0 +1,43 @@
+Copied from Debian.
+
+From 1a8bdc6d81dcd7dd8a4d42e8de6d2cacf1dd4408 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Tue, 27 Oct 2015 00:44:24 -0400
+Subject: Fix two IAKERB comments
+
+The comment explaining why there is no iakerb_gss_import_sec_context()
+erroneously referenced SPNEGO instead of IAKERB (noticed by Ben
+Kaduk). The comment above iakerb_gss_delete_sec_context() is out of
+date after the last commit.
+
+(cherry picked from commit 92d6dd045dfc06cc03d20b327a6ee7a71e6bc24d)
+
+Patch-Category: upstream
+---
+ src/lib/gssapi/krb5/iakerb.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index 4662bd9..e25862d 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -727,10 +727,6 @@ cleanup:
+ return code;
+ }
+ 
+-/*
+- * Delete an IAKERB context. This can also accept Kerberos context
+- * handles. The heuristic is similar to SPNEGO's delete_sec_context.
+- */
+ OM_uint32 KRB5_CALLCONV
+ iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+@@ -1077,7 +1073,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ }
+ 
+ /*
+- * Until we implement partial context exports, there are no SPNEGO exported
++ * Until we implement partial context exports, there are no IAKERB exported
+ * context tokens, only tokens for the underlying krb5 context. So we do not
+ * need to implement an iakerb_gss_import_sec_context() yet; it would be
+ * unreachable except via a manually constructed token.
diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
new file mode 100644
index 0000000000..8725cd4eed
--- /dev/null
+++ b/gnu/packages/patches/mit-krb5-CVE-2015-2698-pt2.patch
@@ -0,0 +1,132 @@
+Copied from Debian.
+
+From 4b330d5be1f8048be4d079ac3cb38d60c0e99e69 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Wed, 4 Nov 2015 21:28:28 -0500
+Subject: Fix IAKERB context export/import [CVE-2015-2698]
+
+The patches for CVE-2015-2696 contained a regression in the newly
+added IAKERB iakerb_gss_export_sec_context() function, which could
+cause it to corrupt memory. Fix the regression by properly
+dereferencing the context_handle pointer before casting it.
+
+Also, the patches did not implement an IAKERB gss_import_sec_context()
+function, under the erroneous belief than an exported IAKERB context
+would be tagged as a krb5 context. Implement it now to allow IAKERB
+contexts to be successfully exported and imported after establishment.
+
+CVE-2015-2698:
+
+In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
+application which calls gss_export_sec_context() may experience memory
+corruption if the context was established using the IAKERB mechanism.
+Historically, some vulnerabilities of this nature can be translated
+into remote code execution, though the necessary exploits must be
+tailored to the individual application and are usually quite
+complicated.
+
+ CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
+
+ticket: 8273 (new)
+target_version: 1.14
+tags: pullup
+
+(cherry picked from commit d8b31c874c7d1039be7649362ef11c89f4e14c27)
+
+Patch-Category: upstream
+---
+ src/lib/gssapi/krb5/gssapiP_krb5.h | 5 +++++
+ src/lib/gssapi/krb5/gssapi_krb5.c | 2 +-
+ src/lib/gssapi/krb5/iakerb.c | 42 +++++++++++++++++++++++++++++++-------
+ 3 files changed, 41 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
+index 05dc321..ac53662 100644
+--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
++++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
+@@ -1396,6 +1396,11 @@ OM_uint32 KRB5_CALLCONV
+ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ gss_buffer_t interprocess_token);
++
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_import_sec_context(OM_uint32 *minor_status,
++ const gss_buffer_t interprocess_token,
++ gss_ctx_id_t *context_handle);
+ #endif /* LEAN_CLIENT */
+ 
+ OM_uint32 KRB5_CALLCONV
+diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
+index 9a23656..d7ba279 100644
+--- a/src/lib/gssapi/krb5/gssapi_krb5.c
++++ b/src/lib/gssapi/krb5/gssapi_krb5.c
+@@ -945,7 +945,7 @@ static struct gss_config iakerb_mechanism = {
+ NULL,
+ #else
+ iakerb_gss_export_sec_context,
+- NULL,
++ iakerb_gss_import_sec_context,
+ #endif
+ krb5_gss_inquire_cred_by_mech,
+ krb5_gss_inquire_names_for_mech,
+diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
+index e25862d..32a341e 100644
+--- a/src/lib/gssapi/krb5/iakerb.c
++++ b/src/lib/gssapi/krb5/iakerb.c
+@@ -1057,7 +1057,7 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ gss_buffer_t interprocess_token)
+ {
+ OM_uint32 maj;
+- iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)context_handle;
++ iakerb_ctx_id_t ctx = (iakerb_ctx_id_t)*context_handle;
+ 
+ /* We don't currently support exporting partially established contexts. */
+ if (!ctx->established)
+@@ -1072,13 +1072,41 @@ iakerb_gss_export_sec_context(OM_uint32 *minor_status,
+ return maj;
+ }
+ 
+-/*
+- * Until we implement partial context exports, there are no IAKERB exported
+- * context tokens, only tokens for the underlying krb5 context. So we do not
+- * need to implement an iakerb_gss_import_sec_context() yet; it would be
+- * unreachable except via a manually constructed token.
+- */
++OM_uint32 KRB5_CALLCONV
++iakerb_gss_import_sec_context(OM_uint32 *minor_status,
++ gss_buffer_t interprocess_token,
++ gss_ctx_id_t *context_handle)
++{
++ OM_uint32 maj, tmpmin;
++ krb5_error_code code;
++ gss_ctx_id_t gssc;
++ krb5_gss_ctx_id_t kctx;
++ iakerb_ctx_id_t ctx;
++
++ maj = krb5_gss_import_sec_context(minor_status, interprocess_token, &gssc);
++ if (maj != GSS_S_COMPLETE)
++ return maj;
++ kctx = (krb5_gss_ctx_id_t)gssc;
++
++ if (!kctx->established) {
++ /* We don't currently support importing partially established
++ * contexts. */
++ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
++ return GSS_S_FAILURE;
++ }
+ 
++ code = iakerb_alloc_context(&ctx, kctx->initiate);
++ if (code != 0) {
++ krb5_gss_delete_sec_context(&tmpmin, &gssc, GSS_C_NO_BUFFER);
++ *minor_status = code;
++ return GSS_S_FAILURE;
++ }
++
++ ctx->gssc = gssc;
++ ctx->established = 1;
++ *context_handle = (gss_ctx_id_t)ctx;
++ return GSS_S_COMPLETE;
++}
+ #endif /* LEAN_CLIENT */
+ 
+ OM_uint32 KRB5_CALLCONV
-- cgit 1.4.1 From 3aab2c839fe04f503668029204e21358f901e62f Mon Sep 17 00:00:00 2001
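Review bot: The prototype added to gssapiP_krb5.h declares `const gss_buffer_t interprocess_token`, but the definition of iakerb_gss_import_sec_context() in iakerb.c takes a plain `gss_buffer_t interprocess_token`; the definition should use `const gss_buffer_t interprocess_token,` so the two match. In the same function, the `!kctx->established` branch returns GSS_S_FAILURE without setting a minor code of its own, unlike the allocation-failure branch, which does `*minor_status = code;`. In iakerb_gss_export_sec_context(), `ctx` now comes from `*context_handle` and is dereferenced at `if (!ctx->established)` with no NULL check. The caller layer probably guarantees a non-NULL handle, but iakerb_gss_set_sec_context_option() earlier in this series does test `ctx == NULL`, so a matching guard would be consistent. The body of iakerb_gss_export_sec_context() starts outside the hunk.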
From: David Thompson Date: Sat, 14 Nov 2015 13:56:40 -0500 Subject: gnu: Add devil. * gnu/packages/image.scm (devil): New variable. * gnu/packages/patches/devil-fix-libpng.patch: New file. * gnu-system.am (dist_patch_DATA): Add it.
---
 gnu-system.am | 1 + gnu/packages/image.scm | 52 +++++++++++++++++++++++++++++ gnu/packages/patches/devil-fix-libpng.patch | 36 ++++++++++++++++++++ 3 files changed, 89 insertions(+) create mode 100644 gnu/packages/patches/devil-fix-libpng.patch (limited to 'gnu/packages/patches')
diff --git a/gnu-system.am b/gnu-system.am
index 75914b7153..ccc1255c5b 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -433,6 +433,7 @@ dist_patch_DATA = \
 gnu/packages/patches/cursynth-wave-rand.patch \
 gnu/packages/patches/dbus-helper-search-path.patch \
 gnu/packages/patches/dealii-p4est-interface.patch \
+ gnu/packages/patches/devil-fix-libpng.patch \
 gnu/packages/patches/diffutils-gets-undeclared.patch \
 gnu/packages/patches/dfu-programmer-fix-libusb.patch \
 gnu/packages/patches/doxygen-test.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 1acc5ee973..979d144ca4 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -666,3 +666,55 @@ channels.") (description "Libmng is the MNG (Multiple-image Network Graphics) reference library.") (license license:bsd-3))) + +(define-public devil + (package + (name "devil") + (version "1.7.8") + (source (origin + (method url-fetch) + (uri (string-append "http://downloads.sourceforge.net/openil/" + "DevIL-" version ".tar.gz")) + (sha256 + (base32 + "1zd850nn7nvkkhasrv7kn17kzgslr5ry933v6db62s4lr0zzlbv8")) + ;; Backported from upstream: + ;; https://github.com/DentonW/DevIL/commit/724194d7a9a91221a564579f64bdd6f0abd64219.patch + (patches (list (search-patch "devil-fix-libpng.patch"))) + (modules '((guix build utils))) + (snippet + ;; Fix old lcms include directives and lib flags. + '(substitute* '("configure" "src-IL/src/il_profiles.c") + (("-llcms") "-llcms2") + (("lcms/lcms\\.h") "lcms2/lcms2.h") + (("lcms\\.h") "lcms2.h"))))) + (build-system gnu-build-system) + (arguments + '(#:configure-flags '("--enable-ILUT=yes") ; build utility library + #:phases + (modify-phases %standard-phases + (add-before 'check 'fix-tests + (lambda* (#:key inputs #:allow-other-keys) + ;; Fix hard-coded /bin/bash reference. + (substitute* '("test/Makefile") + (("TESTS_ENVIRONMENT = /bin/bash") + (string-append "TESTS_ENVIRONMENT = " + (assoc-ref inputs "bash") + "/bin/bash"))) + #t))))) + (native-inputs + `(("pkg-config" ,pkg-config))) + (inputs + `(("lcms" ,lcms) + ("libjpeg" ,libjpeg) + ("libmng" ,libmng) + ("libpng" ,libpng) + ("libtiff" ,libtiff) + ("openexr" ,openexr) + ("zlib" ,zlib))) + (synopsis "Library for manipulating many image formats") + (description "Developer's Image Library (DevIL) is a library to develop +applications with support for many types of images. DevIL can load, save, +convert, manipulate, filter and display a wide variety of image formats.") + (home-page "http://openil.sourceforge.net") + (license license:lgpl2.1+))) 
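Review bot: The source URI is built from a single fixed host, `http://downloads.sourceforge.net/openil/`, whereas the Scribus package added later on this page uses the `mirror://sourceforge/` scheme. Assuming the tarball is reachable under the same project path, `(uri (string-append "mirror://sourceforge/openil/" "DevIL-" version ".tar.gz"))` would use the mirror list instead of one plain-HTTP host. The `sha256` field still pins the tarball contents, so this is a matter of availability and consistency rather than integrity.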
diff --git a/gnu/packages/patches/devil-fix-libpng.patch b/gnu/packages/patches/devil-fix-libpng.patch
new file mode 100644
index 0000000000..a8e90333a3
--- /dev/null
+++ b/gnu/packages/patches/devil-fix-libpng.patch
@@ -0,0 +1,36 @@
+From 724194d7a9a91221a564579f64bdd6f0abd64219 Mon Sep 17 00:00:00 2001
+From: Noah Mayr
+Date: Sun, 1 Mar 2015 10:10:56 +0100
+Subject: [PATCH] Fixed deprecated libpng API usage.
+
+---
+ src-IL/src/il_icon.c | 2 +-
+ src-IL/src/il_png.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src-IL/src/il_icon.c b/src-IL/src/il_icon.c
+index 2ccb1a3..fd9475d 100644
+--- a/src-IL/src/il_icon.c
++++ b/src-IL/src/il_icon.c
+@@ -525,7 +525,7 @@ ILboolean ico_readpng_get_image(ICOIMAGE *Icon, ILdouble display_exponent)
+ 
+ // Expand low-bit-depth grayscale images to 8 bits
+ if (ico_color_type == PNG_COLOR_TYPE_GRAY && bit_depth < 8) {
+- png_set_gray_1_2_4_to_8(ico_png_ptr);
++ png_set_expand_gray_1_2_4_to_8(ico_png_ptr);
+ }
+ 
+ // Expand RGB images with transparency to full alpha channels
+diff --git a/src-IL/src/il_png.c b/src-IL/src/il_png.c
+index da9517d..2866508 100644
+--- a/src-IL/src/il_png.c
++++ b/src-IL/src/il_png.c
+@@ -277,7 +277,7 @@ ILboolean readpng_get_image(ILdouble display_exponent)
+ 
+ // Expand low-bit-depth grayscale images to 8 bits
+ if (png_color_type == PNG_COLOR_TYPE_GRAY && bit_depth < 8) {
+- png_set_gray_1_2_4_to_8(png_ptr);
++ png_set_expand_gray_1_2_4_to_8(png_ptr);
+ }
+ 
+ // Expand RGB images with transparency to full alpha channels
-- cgit 1.4.1 From 3279b7ec47ad33911309d3b58eea60002229458e Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus Date: Sat, 14 Nov 2015 22:26:44 +0100 Subject: gnu: Add Scribus. * gnu/packages/scribus.scm: New file * gnu/packages/patches/scribus-qobject.scm: New file. * gnu-system.am (GNU_SYSTEM_MODULES, dist_patch_DATA): Add them.
---
 gnu-system.am | 2 + gnu/packages/patches/scribus-qobject.patch | 17 +++++++ gnu/packages/scribus.scm | 79 ++++++++++++++++++++++++++++++ 3 files changed, 98 insertions(+) create mode 100644 gnu/packages/patches/scribus-qobject.patch create mode 100644 gnu/packages/scribus.scm (limited to 'gnu/packages/patches')
diff --git a/gnu-system.am b/gnu-system.am
index ccc1255c5b..60f16bf8fc 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -281,6 +281,7 @@ GNU_SYSTEM_MODULES = \
 gnu/packages/scanner.scm \
 gnu/packages/scheme.scm \
 gnu/packages/screen.scm \
+ gnu/packages/scribus.scm \
 gnu/packages/sdl.scm \
 gnu/packages/search.scm \
 gnu/packages/serveez.scm \
@@ -658,6 +659,7 @@ dist_patch_DATA = \
 gnu/packages/patches/sed-hurd-path-max.patch \
 gnu/packages/patches/scheme48-tests.patch \
 gnu/packages/patches/scotch-test-threading.patch \
+ gnu/packages/patches/scribus-qobject.patch \
 gnu/packages/patches/sdl-libx11-1.6.patch \
 gnu/packages/patches/serf-comment-style-fix.patch \
 gnu/packages/patches/serf-deflate-buckets-test-fix.patch \
diff --git a/gnu/packages/patches/scribus-qobject.patch b/gnu/packages/patches/scribus-qobject.patch
new file mode 100644
index 0000000000..91be932f1b
--- /dev/null
+++ b/gnu/packages/patches/scribus-qobject.patch
@@ -0,0 +1,17 @@
+See upstream bug report: http://bugs.scribus.net/view.php?id=13102
+
+scribus/sclayer.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/scribus/sclayer.cpp b/scribus/sclayer.cpp
+index 502112b..4da7bd5 100644
+--- a/scribus/sclayer.cpp
++++ b/scribus/sclayer.cpp
+@@ -9,6 +9,7 @@ for which a new license (GPL+exception) is in place.
+ 
+ #include //necessary to avoid msvc warnings induced by SCRIBUS_API on ScLayers + early instanciation of templates
+ #include //necessary to avoid msvc warnings induced by SCRIBUS_API on ScLayers + early instanciation of templates
++#include
+ #include
+ 
+ ScLayer::ScLayer(void)
diff --git a/gnu/packages/scribus.scm b/gnu/packages/scribus.scm
new file mode 100644
index 0000000000..864e5707d3
--- /dev/null
+++ b/gnu/packages/scribus.scm
@@ -0,0 +1,79 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2015 Ricardo Wurmus
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see .
+
+(define-module (gnu packages scribus)
+ #:use-module (guix packages)
+ #:use-module (guix download)
+ #:use-module (guix utils)
+ #:use-module ((guix licenses) #:prefix license:)
+ #:use-module (guix build-system cmake)
+ #:use-module (gnu packages)
+ #:use-module (gnu packages compression)
+ #:use-module (gnu packages cups)
+ #:use-module (gnu packages fontutils)
+ #:use-module (gnu packages ghostscript)
+ #:use-module (gnu packages gtk)
+ #:use-module (gnu packages image)
+ #:use-module (gnu packages linux)
+ #:use-module (gnu packages pkg-config)
+ #:use-module (gnu packages python)
+ #:use-module (gnu packages qt)
+ #:use-module (gnu packages imagemagick)
+ #:use-module (gnu packages xml))
+
+(define-public scribus
+ (package
+ (name "scribus")
+ (version "1.5.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://sourceforge/scribus/scribus-devel/"
+ version "/scribus-" version ".tar.xz"))
+ (sha256
+ (base32
+ "0s4f9q2nyqrrv4wc1ddf2admkmf9m33wmwp73ba5b4vi29nydnx3"))
+ (patches (list (search-patch "scribus-qobject.patch")))))
+ (build-system cmake-build-system)
+ (arguments `(#:tests? #f)) ; no test target
+ (inputs
+ `(("cairo" ,cairo)
+ ("cups" ,cups)
+ ("graphicsmagick" ,graphicsmagick)
+ ("lcms" ,lcms)
+ ("libjpeg" ,libjpeg)
+ ("libtiff" ,libtiff)
+ ("libxml2" ,libxml2)
+ ("python" ,python-2)
+ ("freetype" ,freetype)
+ ("qt" ,qt)
+ ("zlib" ,zlib)))
+ (native-inputs
+ `(("util-linux" ,util-linux)
+ ("pkg-config" ,pkg-config)))
+ (home-page "http://scribus.net")
+ (synopsis "Desktop publishing and page layout program")
+ (description
+ "Scribus is a @dfn{desktop publishing} (DTP) application and can be used
+for many tasks; from brochure design to newspapers, magazines, newsletters and
+posters to technical documentation. Scribus supports professional DTP
+features, such as CMYK color and a color management system to soft proof
+images for high quality color printing, flexible PDF creation options,
+Encapsulated PostScript import/export and creation of four color separations,
+import of EPS/PS and SVG as native vector graphics, Unicode text including
+right to left scripts such as Arabic and Hebrew via freetype.")
+ (license license:gpl2+)))
-- cgit 1.4.1 From ee6bb0cc763507b165674dbe03c6ae5d26c8da5c Mon Sep 17 00:00:00 2001
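Review bot: The module header imports `(guix utils)`, but nothing in the package definition appears to use it, so `#:use-module (guix utils)` can be dropped. The tarball is fetched from the `scribus-devel` directory, which suggests 1.5.0 is a development-series release; a short comment next to `(version "1.5.0")` saying so would help whoever updates the package. The `(patches ...)` field also has no comment, and `;; See http://bugs.scribus.net/view.php?id=13102` (the URL given in the patch header) would tie the patch to its upstream report.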
From: Mark H Weaver Date: Sun, 15 Nov 2015 14:16:57 -0500 Subject: gnu: libxml2: Add fixes for CVE-2015-{1819,7941,7942,8035} and other bugs. * gnu/packages/patches/libxml2-CVE-2015-1819.patch, gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch, gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch, gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch, gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch, gnu/packages/patches/libxml2-CVE-2015-8035.patch, gnu/packages/patches/libxml2-bug-737840.patch, gnu/packages/patches/libxml2-bug-738805.patch, gnu/packages/patches/libxml2-bug-746048.patch, gnu/packages/patches/libxml2-bug-747437.patch, gnu/packages/patches/libxml2-bug-751603.patch, gnu/packages/patches/libxml2-bug-751631.patch, gnu/packages/patches/libxml2-bug-754946.patch, gnu/packages/patches/libxml2-bug-754947.patch, gnu/packages/patches/libxml2-bug-755857.patch, gnu/packages/patches/libxml2-fix-catalog-corruption.patch, gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch, gnu/packages/patches/libxml2-node-sort-order-pt1.patch, gnu/packages/patches/libxml2-node-sort-order-pt2.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/xml.scm (libxml2)[source]: Add patches. 
--- gnu-system.am | 19 +++ gnu/packages/patches/libxml2-CVE-2015-1819.patch | 176 +++++++++++++++++++++ .../patches/libxml2-CVE-2015-7941-pt1.patch | 32 ++++ .../patches/libxml2-CVE-2015-7941-pt2.patch | 49 ++++++ .../patches/libxml2-CVE-2015-7942-pt1.patch | 32 ++++ .../patches/libxml2-CVE-2015-7942-pt2.patch | 28 ++++ gnu/packages/patches/libxml2-CVE-2015-8035.patch | 31 ++++ gnu/packages/patches/libxml2-bug-737840.patch | 88 +++++++++++ gnu/packages/patches/libxml2-bug-738805.patch | 31 ++++ gnu/packages/patches/libxml2-bug-746048.patch | 65 ++++++++ gnu/packages/patches/libxml2-bug-747437.patch | 46 ++++++ gnu/packages/patches/libxml2-bug-751603.patch | 38 +++++ gnu/packages/patches/libxml2-bug-751631.patch | 35 ++++ gnu/packages/patches/libxml2-bug-754946.patch | 132 ++++++++++++++++ gnu/packages/patches/libxml2-bug-754947.patch | 103 ++++++++++++ gnu/packages/patches/libxml2-bug-755857.patch | 43 +++++ .../patches/libxml2-fix-catalog-corruption.patch | 29 ++++ .../libxml2-id-attrs-in-xmlSetTreeDoc.patch | 36 +++++ .../patches/libxml2-node-sort-order-pt1.patch | 33 ++++ .../patches/libxml2-node-sort-order-pt2.patch | 37 +++++ gnu/packages/xml.scm | 23 ++- 21 files changed, 1105 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libxml2-CVE-2015-1819.patch create mode 100644 gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch create mode 100644 gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch create mode 100644 gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch create mode 100644 gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch create mode 100644 gnu/packages/patches/libxml2-CVE-2015-8035.patch create mode 100644 gnu/packages/patches/libxml2-bug-737840.patch create mode 100644 gnu/packages/patches/libxml2-bug-738805.patch create mode 100644 gnu/packages/patches/libxml2-bug-746048.patch create mode 100644 gnu/packages/patches/libxml2-bug-747437.patch create mode 100644 gnu/packages/patches/libxml2-bug-751603.patch create mode 100644 
gnu/packages/patches/libxml2-bug-751631.patch create mode 100644 gnu/packages/patches/libxml2-bug-754946.patch create mode 100644 gnu/packages/patches/libxml2-bug-754947.patch create mode 100644 gnu/packages/patches/libxml2-bug-755857.patch create mode 100644 gnu/packages/patches/libxml2-fix-catalog-corruption.patch create mode 100644 gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch create mode 100644 gnu/packages/patches/libxml2-node-sort-order-pt1.patch create mode 100644 gnu/packages/patches/libxml2-node-sort-order-pt2.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index 60f16bf8fc..b49ddf0525 100644 --- a/gnu-system.am +++ b/gnu-system.am 
@@ -571,6 +571,25 @@ dist_patch_DATA = \
 gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
 gnu/packages/patches/libwmf-CVE-2015-4695.patch \
 gnu/packages/patches/libwmf-CVE-2015-4696.patch \
+ gnu/packages/patches/libxml2-CVE-2015-1819.patch \
+ gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch \
+ gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch \
+ gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch \
+ gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch \
+ gnu/packages/patches/libxml2-CVE-2015-8035.patch \
+ gnu/packages/patches/libxml2-bug-737840.patch \
+ gnu/packages/patches/libxml2-bug-738805.patch \
+ gnu/packages/patches/libxml2-bug-746048.patch \
+ gnu/packages/patches/libxml2-bug-747437.patch \
+ gnu/packages/patches/libxml2-bug-751603.patch \
+ gnu/packages/patches/libxml2-bug-751631.patch \
+ gnu/packages/patches/libxml2-bug-754946.patch \
+ gnu/packages/patches/libxml2-bug-754947.patch \
+ gnu/packages/patches/libxml2-bug-755857.patch \
+ gnu/packages/patches/libxml2-fix-catalog-corruption.patch \
+ gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch \
+ gnu/packages/patches/libxml2-node-sort-order-pt1.patch \
+ gnu/packages/patches/libxml2-node-sort-order-pt2.patch \
 gnu/packages/patches/lirc-localstatedir.patch \
 gnu/packages/patches/libpthread-glibc-preparation.patch \
 gnu/packages/patches/lm-sensors-hwmon-attrs.patch \
diff --git a/gnu/packages/patches/libxml2-CVE-2015-1819.patch b/gnu/packages/patches/libxml2-CVE-2015-1819.patch
new file mode 100644
index 0000000000..58461c73b2
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2015-1819.patch
@@ -0,0 +1,176 @@ +From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 14 Apr 2015 17:41:48 +0800 +Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory + +One of the operation on the reader could resolve entities +leading to the classic expansion issue. Make sure the +buffer used for xmlreader operation is bounded. +Introduce a new allocation type for the buffers for this effect. +--- + buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++- + include/libxml/tree.h | 3 ++- + xmlreader.c | 20 +++++++++++++++++++- + 3 files changed, 63 insertions(+), 3 deletions(-) + +diff --git a/buf.c b/buf.c +index 6efc7b6..07922ff 100644 +--- a/buf.c ++++ b/buf.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include /* for XML_MAX_TEXT_LENGTH */ + #include "buf.h" + + #define WITH_BUFFER_COMPAT +@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf, + if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || + (scheme == XML_BUFFER_ALLOC_EXACT) || + (scheme == XML_BUFFER_ALLOC_HYBRID) || +- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { ++ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || ++ (scheme == XML_BUFFER_ALLOC_BOUNDED)) { + buf->alloc = scheme; + if (buf->buffer) + buf->buffer->alloc = scheme; +@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { + size = buf->use + len + 100; + #endif + ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || ++ (buf->size >= XML_MAX_TEXT_LENGTH)) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ if (size >= XML_MAX_TEXT_LENGTH) ++ size = XML_MAX_TEXT_LENGTH; ++ } + if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { + size_t start_buf = buf->content - buf->contentIO; + +@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) + CHECK_COMPAT(buf) + + if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); ++ if 
(buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (size >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ } + + /* Don't resize if we don't have to */ + if (size < buf->size) +@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { + + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) { + } + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +diff --git a/include/libxml/tree.h b/include/libxml/tree.h +index 2f90717..4a9b3bc 100644 +--- a/include/libxml/tree.h ++++ b/include/libxml/tree.h +@@ -76,7 +76,8 @@ typedef enum { + XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ + XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ + XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ +- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ + } xmlBufferAllocationScheme; + + /** +diff --git a/xmlreader.c b/xmlreader.c +index f19e123..471e7e2 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -2091,6 
+2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) { + "xmlNewTextReader : malloc failed\n"); + return(NULL); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(ret->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (ret->sax == NULL) { + xmlBufFree(ret->buffer); +@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { + return(((xmlNsPtr) node)->href); + case XML_ATTRIBUTE_NODE:{ + xmlAttrPtr attr = (xmlAttrPtr) node; ++ const xmlChar *ret; + + if ((attr->children != NULL) && + (attr->children->type == XML_TEXT_NODE) && +@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { + "xmlTextReaderSetup : malloc failed\n"); + return (NULL); + } ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + } else + xmlBufEmpty(reader->buffer); + xmlBufGetNodeContent(reader->buffer, node); +- return(xmlBufContent(reader->buffer)); ++ ret = xmlBufContent(reader->buffer); ++ if (ret == NULL) { ++ /* error on the buffer best to reallocate */ ++ xmlBufFree(reader->buffer); ++ reader->buffer = xmlBufCreateSize(100); ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); ++ ret = BAD_CAST ""; ++ } ++ return(ret); + } + break; + } +@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader, + "xmlTextReaderSetup : malloc failed\n"); + return (-1); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + if (reader->sax == NULL) + reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (reader->sax == NULL) { +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch b/gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch new file mode 100644 index 0000000000..4ca49039b2 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch 
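Review bot: In the recovery branch added to xmlTextReaderConstValue, the result of `reader->buffer = xmlBufCreateSize(100);` goes straight into xmlBufSetAllocationScheme without a NULL check, whereas the allocation a few lines above in the same case reports "malloc failed" and returns NULL. Whether xmlBufSetAllocationScheme tolerates a NULL buffer is not visible in its own hunk, so I would add `if (reader->buffer == NULL) return (NULL);` right after the re-creation. The same branch returns `BAD_CAST ""` when the bounded buffer hit its limit, so a caller cannot tell an over-long attribute value from an empty one; a short comment saying this is intentional would help anyone who makes decisions on that value. The functions touched here begin and end outside their hunks.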
@@ -0,0 +1,32 @@ +From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 23 Feb 2015 11:17:35 +0800 +Subject: [PATCH] Stop parsing on entities boundaries errors + +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 + +There are times, like on unterminated entities that it's preferable to +stop parsing, even if that means less error reporting. Entities are +feeding the parser on further processing, and if they are ill defined +then it's possible to get the parser to bug. Also do the same on +Conditional Sections if the input is broken, as the structure of +the document can't be guessed. +--- + parser.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/parser.c b/parser.c +index a8d1b67..bbe97eb 100644 +--- a/parser.c ++++ b/parser.c +@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { + if (RAW != '>') { + xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, + "xmlParseEntityDecl: entity %s not terminated\n", name); ++ xmlStopParser(ctxt); + } else { + if (input != ctxt->input) { + xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch b/gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch new file mode 100644 index 0000000000..30563a46b6 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch 
@@ -0,0 +1,49 @@ +From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 23 Feb 2015 11:29:20 +0800 +Subject: [PATCH] Cleanup conditional section error handling + +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 + +The error handling of Conditional Section also need to be +straightened as the structure of the document can't be +guessed on a failure there and it's better to stop parsing +as further errors are likely to be irrelevant. +--- + parser.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/parser.c b/parser.c +index bbe97eb..fe603ac 100644 +--- a/parser.c ++++ b/parser.c +@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + + } else { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); ++ xmlStopParser(ctxt); ++ return; + } + + if (RAW == 0) +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch b/gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch new file mode 100644 index 0000000000..bd9077d7c4 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch 
@@ -0,0 +1,32 @@ +From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 23 Oct 2015 19:02:28 +0800 +Subject: [PATCH] Another variation of overflow in Conditional sections + +Which happen after the previous fix to +https://bugzilla.gnome.org/show_bug.cgi?id=756456 + +But stopping the parser and exiting we didn't pop the intermediary entities +and doing the SKIP there applies on an input which may be too small +--- + parser.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index a65e4cc..b9217ff 100644 +--- a/parser.c ++++ b/parser.c +@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + "All markup of the conditional section is not in the same entity\n", + NULL, NULL); + } +- SKIP(3); ++ if ((ctxt-> instate != XML_PARSER_EOF) && ++ ((ctxt->input->cur + 3) < ctxt->input->end)) ++ SKIP(3); + } + } + +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch b/gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch new file mode 100644 index 0000000000..115d369ac3 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch 
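Review bot: The new guard `((ctxt->input->cur + 3) < ctxt->input->end)` computes `cur + 3` before comparing, and when fewer than three bytes remain that pointer may lie past the end of the input buffer, which C leaves undefined. Comparing the remaining length avoids forming it: `(ctxt->input->end - ctxt->input->cur) >= 3` expresses the bound that the follow-up libxml2-CVE-2015-7942-pt2.patch settles on with `<=`. That follow-up hunk keeps the same pointer-addition form, so the remark applies there too. This assumes `cur` never exceeds `end`, which the hunk does not show; xmlParseConditionalSections begins and ends outside it.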
@@ -0,0 +1,28 @@ +From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 27 Oct 2015 10:53:44 +0800 +Subject: [PATCH] Fix an error in previous Conditional section patch + +an off by one mistake in the change, led to error on correct +document where the end of the included entity was exactly +the end of the conditional section, leading to regtest failure +--- + parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index b9217ff..d67b300 100644 +--- a/parser.c ++++ b/parser.c +@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + NULL, NULL); + } + if ((ctxt-> instate != XML_PARSER_EOF) && +- ((ctxt->input->cur + 3) < ctxt->input->end)) ++ ((ctxt->input->cur + 3) <= ctxt->input->end)) + SKIP(3); + } + } +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-CVE-2015-8035.patch b/gnu/packages/patches/libxml2-CVE-2015-8035.patch new file mode 100644 index 0000000000..d29c96228e --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2015-8035.patch 
@@ -0,0 +1,31 @@ +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 3 Nov 2015 15:31:25 +0800 +Subject: [PATCH] CVE-2015-8035 Fix XZ compression support loop + +For https://bugzilla.gnome.org/show_bug.cgi?id=757466 +DoS when parsing specially crafted XML document if XZ support +is compiled in (which wasn't the case for 2.9.2 and master since +Nov 2013, fixed in next commit !) +--- + xzlib.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/xzlib.c b/xzlib.c +index 0dcb9f4..1fab546 100644 +--- a/xzlib.c ++++ b/xzlib.c +@@ -581,6 +581,10 @@ xz_decomp(xz_statep state) + xz_error(state, LZMA_DATA_ERROR, "compressed data error"); + return -1; + } ++ if (ret == LZMA_PROG_ERROR) { ++ xz_error(state, LZMA_PROG_ERROR, "compression error"); ++ return -1; ++ } + } while (strm->avail_out && ret != LZMA_STREAM_END); + + /* update available output and crc check value */ +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-bug-737840.patch b/gnu/packages/patches/libxml2-bug-737840.patch new file mode 100644 index 0000000000..2a2d62c583 --- /dev/null +++ b/gnu/packages/patches/libxml2-bug-737840.patch 
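Review bot: The decode loop in xz_decomp still ends only on `LZMA_STREAM_END` or a full output buffer, and the added test handles just one more return code, `LZMA_PROG_ERROR`. From the visible lines only `LZMA_DATA_ERROR` and now `LZMA_PROG_ERROR` leave the loop early; if another failure code such as `LZMA_BUF_ERROR` is not caught above the hunk, the loop could keep iterating without making progress on malformed input. A catch-all after the specific cases, `if (ret != LZMA_OK && ret != LZMA_STREAM_END) { xz_error(state, ret, "lzma error"); return -1; }`, would close that whole class instead of one code at a time. The message "compression error" is also reported on what is a decompression path. xz_decomp begins and ends outside the hunk.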
@@ -0,0 +1,88 @@ +From ef709ce2f7b792d5fb69ed142796d743fb1eb388 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Thu, 10 Sep 2015 19:41:41 +0800 +Subject: [PATCH] Fix the spurious ID already defined error + +For https://bugzilla.gnome.org/show_bug.cgi?id=737840 +the fix for 724903 introduced a regression on external entities carrying +IDs, revert that patch in part and add a specific test to avoid readding it +--- + result/valid/737840.xml | 10 ++++++++++ + result/valid/737840.xml.err | 0 + result/valid/737840.xml.err.rdr | 0 + test/valid/737840.xml | 10 ++++++++++ + test/valid/dtds/737840.ent | 1 + + valid.c | 6 ++++-- + 6 files changed, 25 insertions(+), 2 deletions(-) + create mode 100644 result/valid/737840.xml + create mode 100644 result/valid/737840.xml.err + create mode 100644 result/valid/737840.xml.err.rdr + create mode 100644 test/valid/737840.xml + create mode 100644 test/valid/dtds/737840.ent + +diff --git a/result/valid/737840.xml b/result/valid/737840.xml +new file mode 100644 +index 0000000..433c6d6 +--- /dev/null ++++ b/result/valid/737840.xml +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++ ++]> ++ ++ ⌖ ++ +diff --git a/result/valid/737840.xml.err b/result/valid/737840.xml.err +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/valid/737840.xml.err.rdr b/result/valid/737840.xml.err.rdr +new file mode 100644 +index 0000000..e69de29 +diff --git a/test/valid/737840.xml b/test/valid/737840.xml +new file mode 100644 +index 0000000..2d27b73 +--- /dev/null ++++ b/test/valid/737840.xml +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++]> ++ ++ ++ ⌖ ++ +diff --git a/test/valid/dtds/737840.ent b/test/valid/dtds/737840.ent +new file mode 100644 +index 0000000..e972132 +--- /dev/null ++++ b/test/valid/dtds/737840.ent +@@ -0,0 +1 @@ ++ +\ No newline at end of file +diff --git a/valid.c b/valid.c +index 409aa81..45a3f70 100644 +--- a/valid.c ++++ b/valid.c +@@ -2634,8 +2634,10 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value, + /* + * The id is already 
defined in this DTD. + */ +- xmlErrValidNode(ctxt, attr->parent, XML_DTD_ID_REDEFINED, +- "ID %s already defined\n", value, NULL, NULL); ++ if (ctxt != NULL) { ++ xmlErrValidNode(ctxt, attr->parent, XML_DTD_ID_REDEFINED, ++ "ID %s already defined\n", value, NULL, NULL); ++ } + #endif /* LIBXML_VALID_ENABLED */ + xmlFreeID(ret); + return(NULL); +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-bug-738805.patch b/gnu/packages/patches/libxml2-bug-738805.patch new file mode 100644 index 0000000000..16163bb941 --- /dev/null +++ b/gnu/packages/patches/libxml2-bug-738805.patch @@ -0,0 +1,31 @@ +From 72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Thu, 23 Oct 2014 11:35:36 +0800 +Subject: [PATCH] Fix missing entities after CVE-2014-3660 fix + +For https://bugzilla.gnome.org/show_bug.cgi?id=738805 + +The fix for CVE-2014-3660 introduced a regression in some case +where entity substitution is required and the entity is used +first in anotther entity referenced from an attribute value +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 67c9dfd..a8d1b67 100644 +--- a/parser.c ++++ b/parser.c +@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + * far more secure as the parser will only process data coming from + * the document entity by default. + */ +- if ((ent->checked == 0) && ++ if (((ent->checked == 0) || ++ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) && + ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) || + (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) { + unsigned long oldnbent = ctxt->nbentities; +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-bug-746048.patch b/gnu/packages/patches/libxml2-bug-746048.patch new file mode 100644 index 0000000000..450b8d3ab3 --- /dev/null +++ b/gnu/packages/patches/libxml2-bug-746048.patch 
@@ -0,0 +1,65 @@ +From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 30 Oct 2015 21:14:55 +0800 +Subject: [PATCH] Fix parsing short unclosed comment uninitialized access + +For https://bugzilla.gnome.org/show_bug.cgi?id=746048 +The HTML parser was too optimistic when processing comments and +didn't check for the end of the stream on the first 2 characters +--- + HTMLparser.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 19c10c3..bdf7807 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -3264,12 +3264,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) { + ctxt->instate = state; + return; + } ++ len = 0; ++ buf[len] = 0; + q = CUR_CHAR(ql); ++ if (!IS_CHAR(q)) ++ goto unfinished; + NEXTL(ql); + r = CUR_CHAR(rl); ++ if (!IS_CHAR(r)) ++ goto unfinished; + NEXTL(rl); + cur = CUR_CHAR(l); +- len = 0; + while (IS_CHAR(cur) && + ((cur != '>') || + (r != '-') || (q != '-'))) { +@@ -3300,18 +3305,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) { + } + } + buf[len] = 0; +- if (!IS_CHAR(cur)) { +- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, +- "Comment not terminated \n