From 33ec536b90549488379a3dc80b5e23337cc9fac2 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 16 May 2017 15:09:57 +0200 Subject: gnu: guix: Update snapshot. * gnu/packages/package-management.scm (guix): Update to ce92d26. --- gnu/packages/package-management.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'gnu/packages') diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm index 8ebf6b0578..ceaf51b676 100644 --- a/gnu/packages/package-management.scm +++ b/gnu/packages/package-management.scm @@ -73,8 +73,8 @@ ;; Note: the 'update-guix-package.scm' script expects this definition to ;; start precisely like this. (let ((version "0.12.0") - (commit "ba2260dbbc5a3c915e2cbd54d93f2f3af2a864c3") - (revision 10)) + (commit "ce92d269fea0a2bfac0ac20414f77127d2f07500") + (revision 11)) (package (name "guix") @@ -90,7 +90,7 @@ (commit commit))) (sha256 (base32 - "0nkwbblsnl7kv2n8jf8c6rl3a7dynaqxizhhni18vbnmvza35c79")) + "17l9r2mdzzv8vfxb3bc5zkdqkl472q979iwsarp7lcqss1jxys7w")) (file-name (string-append "guix-" version "-checkout")))) (build-system gnu-build-system) (arguments -- cgit 1.4.1 From ed5e3ab8abe994d584465afdfe9102fc74ef7e85 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Tue, 16 May 2017 22:26:22 +0300 Subject: gnu: tor: Update to 0.3.0.7. * gnu/packages/tor.scm (tor): Update to 0.3.0.7. --- gnu/packages/tor.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'gnu/packages') diff --git a/gnu/packages/tor.scm b/gnu/packages/tor.scm index 83e49a1536..b31b58a26f 100644 --- a/gnu/packages/tor.scm +++ b/gnu/packages/tor.scm @@ -1,7 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès ;;; Copyright © 2014, 2015 Mark H Weaver -;;; Copyright © 2016 Efraim Flashner +;;; Copyright © 2016, 2017 Efraim Flashner ;;; Copyright © 2016, 2017 ng0 ;;; Copyright © 2017 Tobias Geerinckx-Rice ;;; Copyright © 2017 Eric Bavier 
@@ -43,14 +43,14 @@ (define-public tor (package (name "tor") - (version "0.3.0.6") + (version "0.3.0.7") (source (origin (method url-fetch) (uri (string-append "https://dist.torproject.org/tor-" version ".tar.gz")) (sha256 (base32 - "057vq8wagppmrlg85dgbsrk1v67yqpbi9n87s8gn0mdm7kli5rd3")))) + "00kxa83bn0axh7479fynp6r8znq5wy26kvb8ghixgjpkir2c8h4n")))) (build-system gnu-build-system) (arguments `(#:configure-flags (list "--enable-expensive-hardening" -- cgit 1.4.1 From 5d6e38a6c37eced3f545a5afdcba3db20ec95869 Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Tue, 16 May 2017 21:59:18 +0200 Subject: gnu: glibc/hurd: Use modify-phases syntax. * gnu/packages/base.scm (glibc/hurd)[arguments]: Use modify-phases syntax. --- gnu/packages/base.scm | 56 +++++++++++++++++++++++++-------------------------- 1 file changed, 27 insertions(+), 29 deletions(-) (limited to 'gnu/packages') diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 59a9acd67e..8a48cadf7b 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm 
@@ -778,35 +778,33 @@ with the Linux kernel.") ((#:phases original-phases) ;; Add libmachuser.so and libhurduser.so to libc.so's search path. ;; See . - `(alist-cons-after - 'install 'augment-libc.so - (lambda* (#:key outputs #:allow-other-keys) - (let* ((out (assoc-ref outputs "out"))) - (substitute* (string-append out "/lib/libc.so") - (("/[^ ]+/lib/libc.so.0.3") - (string-append out "/lib/libc.so.0.3" " libmachuser.so" " libhurduser.so")))) - #t) - (alist-cons-after - 'pre-configure 'pre-configure-set-pwd - (lambda _ - ;; Use the right 'pwd'. - (substitute* "configure" - (("/bin/pwd") "pwd"))) - (alist-replace - 'build - (lambda _ - ;; Force mach/hurd/libpthread subdirs to build first in order to avoid - ;; linking errors. - ;; See - (let ((-j (list "-j" (number->string (parallel-job-count))))) - (let-syntax ((make (syntax-rules () - ((_ target) - (zero? (apply system* "make" target -j)))))) - (and (make "mach/subdir_lib") - (make "hurd/subdir_lib") - (make "libpthread/subdir_lib") - (zero? (apply system* "make" -j)))))) - ,original-phases)))) + `(modify-phases ,original-phases + (add-after 'install 'augment-libc.so + (lambda* (#:key outputs #:allow-other-keys) + (let* ((out (assoc-ref outputs "out"))) + (substitute* (string-append out "/lib/libc.so") + (("/[^ ]+/lib/libc.so.0.3") + (string-append out "/lib/libc.so.0.3" " libmachuser.so" " libhurduser.so")))) + #t)) + (add-after 'pre-configure 'pre-configure-set-pwd + (lambda _ + ;; Use the right 'pwd'. + (substitute* "configure" + (("/bin/pwd") "pwd")) + #t)) + (replace 'build + (lambda _ + ;; Force mach/hurd/libpthread subdirs to build first in order to avoid + ;; linking errors. + ;; See + (let ((-j (list "-j" (number->string (parallel-job-count))))) + (let-syntax ((make (syntax-rules () + ((_ target) + (zero? (apply system* "make" target -j)))))) + (and (make "mach/subdir_lib") + (make "hurd/subdir_lib") + (make "libpthread/subdir_lib") + (zero? 
(apply system* "make" -j))))))))) ((#:configure-flags original-configure-flags) `(append (list "--host=i586-pc-gnu" -- cgit 1.4.1 From d03b34cf190b5790ee1884ae551634f5f736f4f1 Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Tue, 16 May 2017 22:11:41 +0200 Subject: gnu: glibc/hurd: Do not apply i686 patch. This is a follow-up to commit c2e4f14ac8cd3e1ce7f46a192ad0c9acc084b210. * gnu/packages/base.scm (glibc/hurd)[arguments]: Override pre-configure phase with a copy that does not include the patch application. --- gnu/packages/base.scm | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) (limited to 'gnu/packages') diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 8a48cadf7b..d135a18bf8 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm 
@@ -779,6 +779,71 @@ with the Linux kernel.") ;; Add libmachuser.so and libhurduser.so to libc.so's search path. ;; See . `(modify-phases ,original-phases + ;; TODO: This is almost an exact copy of the phase of the same name + ;; in glibc/linux. The only difference is that the i686 patch is + ;; not applied here. In the next update cycle the patch moves to + ;; the patches field and this overwritten phase won't be needed any + ;; more. + (replace 'pre-configure + (lambda* (#:key inputs native-inputs outputs + #:allow-other-keys) + (let* ((out (assoc-ref outputs "out")) + (bin (string-append out "/bin")) + ;; FIXME: Normally we would look it up only in INPUTS + ;; but cross-base uses it as a native input. + (bash (or (assoc-ref inputs "static-bash") + (assoc-ref native-inputs "static-bash")))) + ;; Install the rpc data base file under `$out/etc/rpc'. + ;; FIXME: Use installFlags = [ "sysconfdir=$(out)/etc" ]; + (substitute* "sunrpc/Makefile" + (("^\\$\\(inst_sysconfdir\\)/rpc(.*)$" _ suffix) + (string-append out "/etc/rpc" suffix "\n")) + (("^install-others =.*$") + (string-append "install-others = " out "/etc/rpc\n"))) + + (substitute* "Makeconfig" + ;; According to + ;; , + ;; linking against libgcc_s is not needed with GCC + ;; 4.7.1. + ((" -lgcc_s") "")) + + ;; Have `system' use that Bash. + (substitute* "sysdeps/posix/system.c" + (("#define[[:blank:]]+SHELL_PATH.*$") + (format #f "#define SHELL_PATH \"~a/bin/bash\"\n" + bash))) + + ;; Same for `popen'. + (substitute* "libio/iopopen.c" + (("/bin/sh") + (string-append bash "/bin/sh"))) + + ;; Same for the shell used by the 'exec' functions for + ;; scripts that lack a shebang. + (substitute* (find-files "." "^paths\\.h$") + (("#define[[:blank:]]+_PATH_BSHELL[[:blank:]].*$") + (string-append "#define _PATH_BSHELL \"" + bash "/bin/sh\"\n"))) + + ;; Nscd uses __DATE__ and __TIME__ to create a string to + ;; make sure the client and server come from the same + ;; libc. Use something deterministic instead. 
+ (substitute* "nscd/nscd_stat.c" + (("static const char compilation\\[21\\] =.*$") + (string-append + "static const char compilation[21] = \"" + (string-take (basename out) 20) "\";\n"))) + + ;; Make sure we don't retain a reference to the + ;; bootstrap Perl. + (substitute* "malloc/mtrace.pl" + (("^#!.*") + ;; The shebang can be omitted, because there's the + ;; "bilingual" eval/exec magic at the top of the file. + "") + (("exec @PERL@") + "exec perl"))))) (add-after 'install 'augment-libc.so (lambda* (#:key outputs #:allow-other-keys) (let* ((out (assoc-ref outputs "out"))) -- cgit 1.4.1 From c90fd5564cf67f75e28276129d37a0d9128cadda Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Wed, 17 May 2017 07:28:09 -0400 Subject: gnu: qemu: Fix CVE-2017-7493. * gnu/packages/patches/qemu-CVE-2017-7493.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/qemu.scm (qemu)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/patches/qemu-CVE-2017-7493.patch | 182 ++++++++++++++++++++++++++ gnu/packages/qemu.scm | 1 + 3 files changed, 184 insertions(+) create mode 100644 gnu/packages/patches/qemu-CVE-2017-7493.patch (limited to 'gnu/packages') diff --git a/gnu/local.mk b/gnu/local.mk index c560c71725..2da002b379 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -939,6 +939,7 @@ dist_patch_DATA = \ %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \ %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \ %D%/packages/patches/python2-subprocess32-disable-input-test.patch \ + %D%/packages/patches/qemu-CVE-2017-7493.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/quickswitch-fix-dmenu-check.patch \ %D%/packages/patches/rapicorn-isnan.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2017-7493.patch b/gnu/packages/patches/qemu-CVE-2017-7493.patch new file mode 100644 index 0000000000..67b26fad81 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-7493.patch 
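Review bot: The replacement 'pre-configure phase has no explicit return value: its last expression is the `substitute*` on "malloc/mtrace.pl", whereas `augment-libc.so` and (since the previous commit) `pre-configure-set-pwd` in the same `modify-phases` form end with `#t`. I would add `#t` as the final expression of the `let*` body so the phase reports success the same way as its neighbours. Separately, `bash` is `#f` when "static-bash" is in neither `inputs` nor `native-inputs`, and the `format` call would then write `#f/bin/bash` into SHELL_PATH. Whether that can happen for glibc/hurd depends on inputs declared outside this hunk, so a guard such as `(unless bash (error "static-bash not found in inputs"))` before the first `substitute*` may be worth adding.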
@@ -0,0 +1,182 @@ +Fix CVE-2017-7493: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7493 + +Patch copied from upstream source repository: + +http://git.qemu.org/?p=qemu.git;a=commit;h=7a95434e0ca8a037fd8aa1a2e2461f92585eb77b + +From 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Fri, 5 May 2017 14:48:08 +0200 +Subject: [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493) + +When using the mapped-file security mode, we shouldn't let the client mess +with the metadata. The current code already tries to hide the metadata dir +from the client by skipping it in local_readdir(). But the client can still +access or modify it through several other operations. This can be used to +escalate privileges in the guest. + +Affected backend operations are: +- local_mknod() +- local_mkdir() +- local_open2() +- local_symlink() +- local_link() +- local_unlinkat() +- local_renameat() +- local_rename() +- local_name_to_path() + +Other operations are safe because they are only passed a fid path, which +is computed internally in local_name_to_path(). + +This patch converts all the functions listed above to fail and return +EINVAL when being passed the name of the metadata dir. This may look +like a poor choice for errno, but there's no such thing as an illegal +path name on Linux and I could not think of anything better. + +This fixes CVE-2017-7493. 
+ +Reported-by: Leo Gaspard +Signed-off-by: Greg Kurz +Reviewed-by: Eric Blake +--- + hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 56 insertions(+), 2 deletions(-) + +diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c +index f3ebca4f7a..a2486566af 100644 +--- a/hw/9pfs/9p-local.c ++++ b/hw/9pfs/9p-local.c +@@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs) + return telldir(fs->dir.stream); + } + ++static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name) ++{ ++ return !strcmp(name, VIRTFS_META_DIR); ++} ++ + static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs) + { + struct dirent *entry; +@@ -465,8 +470,8 @@ again: + if (ctx->export_flags & V9FS_SM_MAPPED) { + entry->d_type = DT_UNKNOWN; + } else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { +- if (!strcmp(entry->d_name, VIRTFS_META_DIR)) { +- /* skp the meta data directory */ ++ if (local_is_mapped_file_metadata(ctx, entry->d_name)) { ++ /* skip the meta data directory */ + goto again; + } + entry->d_type = DT_UNKNOWN; +@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd == -1) { + return -1; +@@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd == -1) { + return -1; +@@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & 
V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + /* + * Mark all the open to not follow symlinks + */ +@@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd == -1) { + return -1; +@@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath, + int ret = -1; + int odirfd, ndirfd; + ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + odirfd = local_opendir_nofollow(ctx, odirpath); + if (odirfd == -1) { + goto out; +@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path, + static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path, + const char *name, V9fsPath *target) + { ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + if (dir_path) { + v9fs_path_sprintf(target, "%s/%s", dir_path->data, name); + } else if (strcmp(name, "/")) { +@@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir, + int ret; + int odirfd, ndirfd; + ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ (local_is_mapped_file_metadata(ctx, old_name) || ++ local_is_mapped_file_metadata(ctx, new_name))) { ++ errno = EINVAL; ++ return -1; ++ } ++ + odirfd = local_opendir_nofollow(ctx, olddir->data); + if (odirfd == -1) { + return -1; +@@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir, + int ret; + int dirfd; + ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(ctx, 
dir->data); + if (dirfd == -1) { + return -1; +-- +2.13.0 + diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index 30b9908aa0..0734b6d0f7 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -74,6 +74,7 @@ (method url-fetch) (uri (string-append "http://wiki.qemu-project.org/download/qemu-" version ".tar.xz")) + (patches (search-patches "qemu-CVE-2017-7493.patch")) (sha256 (base32 "08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h")))) -- cgit 1.4.1 From 56a03975eb287796128e80feb6799bc07f4b8185 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Wed, 17 May 2017 16:10:48 +0200 Subject: gnu: aspell: 'dict-dir' set to ~/.guix-profile/lib/aspell or $ASPELL_DICT_DIR. See for background. * gnu/packages/patches/aspell-default-dict-dir.patch: New file. * gnu/packages/aspell.scm (aspell)[source](patches): New field. [native-search-paths]: New field. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/aspell.scm | 18 +++++++++++++++--- gnu/packages/patches/aspell-default-dict-dir.patch | 20 ++++++++++++++++++++ 3 files changed, 36 insertions(+), 3 deletions(-) create mode 100644 gnu/packages/patches/aspell-default-dict-dir.patch (limited to 'gnu/packages') diff --git a/gnu/local.mk b/gnu/local.mk index 2da002b379..ca26bcd812 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -499,6 +499,7 @@ dist_patch_DATA = \ %D%/packages/patches/antiword-CVE-2014-8123.patch \ %D%/packages/patches/apr-skip-getservbyname-test.patch \ %D%/packages/patches/artanis-fix-Makefile.in.patch \ + %D%/packages/patches/aspell-default-dict-dir.patch \ %D%/packages/patches/ath9k-htc-firmware-binutils.patch \ %D%/packages/patches/ath9k-htc-firmware-gcc.patch \ %D%/packages/patches/ath9k-htc-firmware-objcopy.patch \ diff --git a/gnu/packages/aspell.scm b/gnu/packages/aspell.scm index 06ba2ce472..509d428f64 100644 --- a/gnu/packages/aspell.scm +++ b/gnu/packages/aspell.scm 
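Review bot: The patch description lists local_rename() among the affected operations, but no hunk in qemu-CVE-2017-7493.patch adds a check to that function; the visible checks are in local_mknod, local_mkdir, local_open2, local_symlink, local_link, local_name_to_path, local_renameat and local_unlinkat. Presumably local_rename() is covered because it goes through local_renameat() or local_name_to_path(), but its body is outside the patch, so this should be confirmed against the 9p-local.c of the packaged QEMU version before relying on the fix. On style, `local_is_mapped_file_metadata()` never uses its `fs_ctx` argument while every caller repeats `export_flags & V9FS_SM_MAPPED_FILE`; testing the flag inside the helper would keep a future call site from omitting the mode check. As the patch is copied verbatim from upstream, both points are better raised there than changed locally.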
@@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013, 2014, 2015 Ludovic Courtès +;;; Copyright © 2013, 2014, 2015, 2017 Ludovic Courtès ;;; Copyright © 2015, 2016 Alex Kost ;;; Copyright © 2016 John Darrington ;;; Copyright © 2016 Efraim Flashner @@ -26,6 +26,7 @@ #:use-module (guix download) #:use-module (guix build-system gnu) #:use-module (guix licenses) + #:use-module (gnu packages) #:use-module (gnu packages perl) #:use-module (gnu packages base)) @@ -40,7 +41,8 @@ version ".tar.gz")) (sha256 (base32 - "1qgn5psfyhbrnap275xjfrzppf5a83fb67gpql0kfqv37al869gm")))) + "1qgn5psfyhbrnap275xjfrzppf5a83fb67gpql0kfqv37al869gm")) + (patches (search-patches "aspell-default-dict-dir.patch")))) (build-system gnu-build-system) (arguments `(#:phases @@ -53,6 +55,15 @@ '("ASPELL_CONF" "" = ("${ASPELL_CONF:-\"dict-dir ${GUIX_PROFILE:-$HOME/.guix-profile}/lib/aspell\"}"))))))))) (inputs `(("perl" ,perl))) + + (native-search-paths + ;; This is a Guix-specific environment variable that takes a single + ;; entry, not an actual search path. + (list (search-path-specification + (variable "ASPELL_DICT_DIR") + (separator #f) + (files '("lib/aspell"))))) + (home-page "http://aspell.net/") (synopsis "Spell checker") (description @@ -66,7 +77,8 @@ dictionaries, including personal ones.") ;;; Dictionaries. ;;; ;;; Use 'export ASPELL_CONF="dict-dir $HOME/.guix-profile/lib/aspell"' to use -;;; them. +;;; them, or set the Guix-specific 'ASPELL_DICT_DIR', or just do nothing (as +;;; long as 'HOME' is set, that's fine!). ;;; (define* (aspell-dictionary dict-name full-name diff --git a/gnu/packages/patches/aspell-default-dict-dir.patch b/gnu/packages/patches/aspell-default-dict-dir.patch new file mode 100644 index 0000000000..17a6ff606f --- /dev/null +++ b/gnu/packages/patches/aspell-default-dict-dir.patch 
@@ -0,0 +1,20 @@ +This patch changes the default value of 'dict-dir' to correspond +to ~/.guix-profile/lib/aspell rather than $prefix/lib/aspell-X.Y. + +This is not strictly necessary for the 'aspell' program itself since +one can simply set "ASPELL_CONF=dict-dir $HOME/.guix-profile/lib/aspell". +However it is necessary for applications that use libaspell since +'ASPELL_CONF' is not honored in this case. See . + +--- a/common/config.cpp ++++ b/common/config.cpp +@@ -1349,6 +1349,9 @@ namespace acommon { + # define REPL ".aspell..prepl" + #endif + ++#undef DICT_DIR ++#define DICT_DIR "<$ASPELL_DICT_DIR|home-dir/.guix-profile/lib/aspell>" ++ + static const KeyInfo config_keys[] = { + // the description should be under 50 chars + {"actual-dict-dir", KeyInfoString, "", 0} -- cgit 1.4.1 From c383dc520f4b71bcb99115768bfafa00df85f9d1 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Fri, 19 May 2017 10:50:20 +0200 Subject: gnu: guile-ssh: Fix potential double-free/use-after-free issue. Fixes . Reported by Mark H Weaver . * gnu/packages/patches/guile-ssh-double-free.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/ssh.scm (guile-ssh)[source](patches): Add it. --- gnu/local.mk | 1 + gnu/packages/patches/guile-ssh-double-free.patch | 37 ++++++++++++++++++++++++ gnu/packages/ssh.scm | 3 +- 3 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/guile-ssh-double-free.patch (limited to 'gnu/packages') diff --git a/gnu/local.mk b/gnu/local.mk index ca26bcd812..f1a3cf6dba 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -651,6 +651,7 @@ dist_patch_DATA = \ %D%/packages/patches/guile-relocatable.patch \ %D%/packages/patches/guile-rsvg-pkgconfig.patch \ %D%/packages/patches/guile-ssh-rexec-bug.patch \ + %D%/packages/patches/guile-ssh-double-free.patch \ %D%/packages/patches/gtk2-respect-GUIX_GTK2_PATH.patch \ %D%/packages/patches/gtk2-respect-GUIX_GTK2_IM_MODULE_FILE.patch \ %D%/packages/patches/gtk2-theme-paths.patch \ 
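Review bot: The `#undef DICT_DIR` / `#define DICT_DIR` pair is placed ahead of `config_keys[]`, so every entry in that table whose default is built from DICT_DIR follows `$ASPELL_DICT_DIR` or the home directory, not only 'dict-dir' as the patch header says. Only the first entry of the table is visible in the hunk, so the other affected keys cannot be identified from here. It should be checked that nothing loaded as code, as opposed to dictionary data, has its default derived from DICT_DIR, because libaspell consumers will now resolve it from the environment. Once that list is confirmed, I would extend the header with a sentence such as `Every config key whose default uses DICT_DIR is affected, not just 'dict-dir'.`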
diff --git a/gnu/packages/patches/guile-ssh-double-free.patch b/gnu/packages/patches/guile-ssh-double-free.patch new file mode 100644 index 0000000000..9692b81d39 --- /dev/null +++ b/gnu/packages/patches/guile-ssh-double-free.patch @@ -0,0 +1,37 @@ +Fix a double-free or use-after-free issue with Guile-SSH used +with Guile 2.2. See . + +diff --git a/libguile-ssh/channel-type.c b/libguile-ssh/channel-type.c +index 3dd641f..0839854 100644 +--- a/libguile-ssh/channel-type.c ++++ b/libguile-ssh/channel-type.c +@@ -229,10 +229,11 @@ ptob_close (SCM channel) + ssh_channel_free (ch->ssh_channel); + } + ++ SCM_SETSTREAM (channel, NULL); ++ + #if USING_GUILE_BEFORE_2_2 + scm_gc_free (pt->write_buf, pt->write_buf_size, "port write buffer"); + scm_gc_free (pt->read_buf, pt->read_buf_size, "port read buffer"); +- SCM_SETSTREAM (channel, NULL); + + return 0; + #endif +diff --git a/libguile-ssh/sftp-file-type.c b/libguile-ssh/sftp-file-type.c +index 8879924..f87cf03 100644 +--- a/libguile-ssh/sftp-file-type.c ++++ b/libguile-ssh/sftp-file-type.c +@@ -224,10 +224,11 @@ ptob_close (SCM sftp_file) + sftp_close (fd->file); + } + ++ SCM_SETSTREAM (sftp_file, NULL); ++ + #if USING_GUILE_BEFORE_2_2 + scm_gc_free (pt->write_buf, pt->write_buf_size, "port write buffer"); + scm_gc_free (pt->read_buf, pt->read_buf_size, "port read buffer"); +- SCM_SETSTREAM (sftp_file, NULL); + + return 1; + #endif diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 6a074d10fa..bb1898774b 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -226,7 +226,8 @@ Additionally, various channel-specific options can be negotiated.") (sha256 (base32 "0r261i8kc3avbmbwgyzak2vnqwssjlgz37g2y2fwm80w9bmn2m7j")) - (patches (search-patches "guile-ssh-rexec-bug.patch")) + (patches (search-patches "guile-ssh-rexec-bug.patch" + "guile-ssh-double-free.patch")) (modules '((guix build utils))) (snippet ;; 'configure.ac' mistakenly tries to link files from examples/ -- cgit 1.4.1 
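Review bot: With `SCM_SETSTREAM (channel, NULL)` and `SCM_SETSTREAM (sftp_file, NULL)` now executed on every Guile version, any code that fetches the stream of an already-closed port gets NULL instead of a stale pointer, so those readers need a NULL check or the use-after-free becomes a NULL dereference. Both `ptob_close` bodies start and end outside the hunks and the stream accessors are not shown, so this cannot be confirmed from the patch alone. The patch header would also benefit from naming the upstream commit or release that carries the fix, e.g. `Upstream status: <commit id or release>`, so the patch can be dropped on the next guile-ssh update.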
From 6a9defd7474f0e8b0f9030de60b1241a551ad403 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 19 May 2017 20:26:58 -0400 Subject: gnu: dropbear: Update to 2017.75 [fixes CVE-2017-{9078,9079}]. * gnu/packages/ssh.scm (dropbear): Update to 2017.75. --- gnu/packages/ssh.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages') diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index bb1898774b..b01a94f871 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -380,7 +380,7 @@ especially over Wi-Fi, cellular, and long-distance links.") (define-public dropbear (package (name "dropbear") - (version "2016.74") + (version "2017.75") (source (origin (method url-fetch) (uri (string-append @@ -388,7 +388,7 @@ especially over Wi-Fi, cellular, and long-distance links.") name "-" version ".tar.bz2")) (sha256 (base32 - "14c8f4gzixf0j9fkx68jgl85q7b05852kk0vf09gi6h0xmafl817")))) + "1309cm2aw62n9m3h38prvgsqr8bj85hfasgnvwkd42cp3k5ivg3c")))) (build-system gnu-build-system) (arguments `(#:tests? #f)) ; There is no "make check" or anything similar (inputs `(("zlib" ,zlib))) -- cgit 1.4.1 From 7dccad95b62871af048dd2d337579424f07595f2 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 19 May 2017 18:31:48 -0400 Subject: gnu: icedtea@2: Update to 2.6.10 [security fixes]. Fixes CVE-2017-{3509,3511,3512,3514,3526,3533,3539,3544}. * gnu/packages/java.scm (icedtea-7): Update to 2.6.10. --- gnu/packages/java.scm | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'gnu/packages') diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm index 4a381b6a1c..85f2bb975f 100644 --- a/gnu/packages/java.scm +++ b/gnu/packages/java.scm 
@@ -341,12 +341,12 @@ build process and its dependencies, whereas Make uses Makefile format.") (license license:asl2.0))) (define-public icedtea-7 - (let* ((version "2.6.9") + (let* ((version "2.6.10") (drop (lambda (name hash) (origin (method url-fetch) (uri (string-append - "http://icedtea.classpath.org/download/drops/" + "http://icedtea.classpath.org/download/drops" "/icedtea7/" version "/" name ".tar.bz2")) (sha256 (base32 hash)))))) (package @@ -359,7 +359,7 @@ build process and its dependencies, whereas Make uses Makefile format.") version ".tar.xz")) (sha256 (base32 - "1slmajiakq7sk137vgqq9c93r5s620a46lw2jwbnzxhysjw3wkwf")) + "0am945k2zqrka2xn7lb5grmkad4lwncnhnwk8iq6f269birzsj8w")) (modules '((guix build utils))) (snippet '(substitute* "Makefile.in" @@ -770,25 +770,25 @@ build process and its dependencies, whereas Make uses Makefile format.") (native-inputs `(("openjdk-src" ,(drop "openjdk" - "08a4d1sg5m9l99lc7gafc7dmzmf4d8jvij5pffxv8rf6pk7psk24")) + "02klsxp9hlf5sial6mxpiq53hmrhlrg6x774j7bjjfhb7hpdvadh")) ("corba-drop" ,(drop "corba" - "12br49cfrqgvms0bnaij7fvnakvb6q8dlpqja64rg5q5r3x4gps8")) + "1vbly6khri241xda05gnwkpf2fk41d96ls96ximi084mx0a3w5rd")) ("jaxp-drop" ,(drop "jaxp" - "07v2y3pll6z2wma94qilgffwyn2n4jna01mrhqwkb27whfpjfkmz")) + "0s8zln64vdwdxwlw1vpfzm8xbpyhgsv3nqjmnv7y36qpsszg27a5")) ("jaxws-drop" ,(drop "jaxws" - "18rw64jjpq14v56d0q1xvz8knl0kf02rcday7fvlaxrbbj19km55")) + "0myd66bv8ib8krzgqv754bc564rd8xwpwabvf7my1apyb86vap3n")) ("jdk-drop" ,(drop "jdk" - "1ig7xipi3vzm6cphy5fdraxi72p27xsg2qb51yqx9qwsmlrv1zj4")) + "10b4lfv10vba07zblw0wii7mhrfhf32pf7410x5nz2q0smgszl2h")) ("langtools-drop" ,(drop "langtools" - "0sn9qv9nnhaan2smbhrv54lfhwsjhgd3b3h736p5d2hzpw8kicry")) + "0lvncxb5qzrlqkflrnd0l8vwy155cwj1jb07rkq10z2vx0bq7lq2")) ("hotspot-drop" ,(drop "hotspot" - "16ijxy8br8dla339m4i90wr9xpf7s8z3nrhfyxm7jahr8injpzyl")) + "0q6mdgbbd3681y3n0z1v783irdjhhi73z6sn5csczpyhjm318axb")) ("ant" ,ant) ("attr" ,attr) ("autoconf" ,autoconf) -- cgit 1.4.1 
From 324499184a13e8f27d9805d5db2b133380e69bfe Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 21 May 2017 01:07:17 +0200 Subject: gnu: unionfs-fuse-static: Remove 'unionfsctl' executable. This avoids pulling in glibc & co. Fixes a regression introduced in 2f861edf5cf5118ad560737343312c9a5efe5b2f (the 'unionfsctl' executable did not exist in unionfs-fuse 0.26). * gnu/packages/linux.scm (unionfs-fuse/static)[arguments] : Remove 'unionfsctl' binary. --- gnu/packages/linux.scm | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'gnu/packages') diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 7bb26c72f5..cd2c833e39 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -1568,7 +1568,12 @@ UnionFS-FUSE additionally supports copy-on-write.") (exe (string-append out "/bin/unionfs"))) ;; By default, 'unionfs' keeps references to ;; $glibc/share/locale and similar stuff. Remove them. - (remove-store-references exe))) + (remove-store-references exe) + + ;; 'unionfsctl' has references to glibc as well. Since + ;; we don't need it, remove it. + (delete-file (string-append out "/bin/unionfsctl")) + #t)) %standard-phases))) (inputs `(("fuse" ,fuse-static))))) -- cgit 1.4.1 From a6d728b7aaee09892b0b420d07ed2dbb7de5e63f Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 21 May 2017 16:58:53 +0200 Subject: gnu: guix: Update to 0.13.0. --- gnu/packages/package-management.scm | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'gnu/packages') diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm index ceaf51b676..76dc9adf2e 100644 --- a/gnu/packages/package-management.scm +++ b/gnu/packages/package-management.scm 
@@ -72,9 +72,9 @@ ;; Latest version of Guix, which may or may not correspond to a release. ;; Note: the 'update-guix-package.scm' script expects this definition to ;; start precisely like this. - (let ((version "0.12.0") - (commit "ce92d269fea0a2bfac0ac20414f77127d2f07500") - (revision 11)) + (let ((version "0.13.0") + (commit "df671177f854da26bb171d9d5e9a6990024107a0") + (revision 0)) (package (name "guix") @@ -90,7 +90,7 @@ (commit commit))) (sha256 (base32 - "17l9r2mdzzv8vfxb3bc5zkdqkl472q979iwsarp7lcqss1jxys7w")) + "1j4b2aki7sc28bl7nahcmb02dmj4wa5g6myvc68p03rgv25cqw1d")) (file-name (string-append "guix-" version "-checkout")))) (build-system gnu-build-system) (arguments -- cgit 1.4.1 From e9c53359e71f23e24acbb0637b58c70a73289c61 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 21 May 2017 16:59:04 +0200 Subject: gnu: guix: Update to a6d728b. --- gnu/packages/package-management.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'gnu/packages') diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm index 76dc9adf2e..246d2539d6 100644 --- a/gnu/packages/package-management.scm +++ b/gnu/packages/package-management.scm @@ -73,8 +73,8 @@ ;; Note: the 'update-guix-package.scm' script expects this definition to ;; start precisely like this. (let ((version "0.13.0") - (commit "df671177f854da26bb171d9d5e9a6990024107a0") - (revision 0)) + (commit "a6d728b7aaee09892b0b420d07ed2dbb7de5e63f") + (revision 1)) (package (name "guix") @@ -90,7 +90,7 @@ (commit commit))) (sha256 (base32 - "1j4b2aki7sc28bl7nahcmb02dmj4wa5g6myvc68p03rgv25cqw1d")) + "1nrskyk8z6w5i9cdfh5zxfgsrqf744sb30ssqi2g5xhijwagr1yq")) (file-name (string-append "guix-" version "-checkout")))) (build-system gnu-build-system) (arguments -- cgit 1.4.1