diff options
author | Marius Bakke <mbakke@fastmail.com> | 2018-06-18 15:29:38 +0200 |
---|---|---|
committer | Marius Bakke <mbakke@fastmail.com> | 2018-06-18 15:29:38 +0200 |
commit | 6969c4de445a390eaa05de22bc5a537a76a76169 (patch) | |
tree | 9df3bdde497fdce705ae4eb66972f93a9ae111d9 /gnu/packages/patches | |
parent | 73d18915b597f2a386d6ae42930b49a13c8813b0 (diff) | |
parent | 32eb44240db23b2320a68a3ab17370531945587f (diff) | |
download | gnu-guix-6969c4de445a390eaa05de22bc5a537a76a76169.tar gnu-guix-6969c4de445a390eaa05de22bc5a537a76a76169.tar.gz |
Merge branch 'master' into staging
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/bind-CVE-2018-5738.patch | 100 | ||||
-rw-r--r-- | gnu/packages/patches/binutils-aarch64-symbol-relocation.patch | 36 | ||||
-rw-r--r-- | gnu/packages/patches/elixir-disable-failing-tests.patch | 284 | ||||
-rw-r--r-- | gnu/packages/patches/flann-cmake-3.11.patch | 84 | ||||
-rw-r--r-- | gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch | 50 | ||||
-rw-r--r-- | gnu/packages/patches/password-store-gnupg-compat.patch | 28 | ||||
-rw-r--r-- | gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch | 36 | ||||
-rw-r--r-- | gnu/packages/patches/python-nose-timer-drop-ordereddict.patch | 44 | ||||
-rw-r--r-- | gnu/packages/patches/strace-kernel-4.16.patch | 92 | ||||
-rw-r--r-- | gnu/packages/patches/upx-fix-CVE-2017-15056.patch | 96 |
10 files changed, 352 insertions, 498 deletions
diff --git a/gnu/packages/patches/bind-CVE-2018-5738.patch b/gnu/packages/patches/bind-CVE-2018-5738.patch new file mode 100644 index 0000000000..ddef014651 --- /dev/null +++ b/gnu/packages/patches/bind-CVE-2018-5738.patch @@ -0,0 +1,100 @@ +Fix CVE-2018-5738: + +https://kb.isc.org/article/AA-01616/0/CVE-2018-5738 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738 + +diff --git a/bin/named/server.c b/bin/named/server.c +index f63554e..847c4ff 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + CHECKM(named_config_getport(config, &port), "port"); + dns_view_setdstport(view, port); + +- CHECK(configure_view_acl(vconfig, config, named_g_config, +- "allow-query", NULL, actx, +- named_g_mctx, &view->queryacl)); +- + /* + * Make the list of response policy zone names for a view that + * is used for real lookups and so cares about hints. +@@ -4692,21 +4688,35 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + "allow-query-cache-on", NULL, actx, + named_g_mctx, &view->cacheonacl)); + /* +- * Set "allow-query-cache", "allow-recursion", and +- * "allow-recursion-on" acls if configured in named.conf. +- * (Ignore the global defaults for now, because these ACLs +- * can inherit from each other when only some of them set at +- * the options/view level.) ++ * Set the "allow-query", "allow-query-cache", "allow-recursion", ++ * and "allow-recursion-on" ACLs if configured in named.conf, but ++ * NOT from the global defaults. This is done by leaving the third ++ * argument to configure_view_acl() NULL. ++ * ++ * We ignore the global defaults here because these ACLs ++ * can inherit from each other. If any are still unset after ++ * applying the inheritance rules, we'll look up the defaults at ++ * that time. + */ +- CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache", +- NULL, actx, named_g_mctx, &view->cacheacl)); ++ ++ /* named.conf only */ ++ CHECK(configure_view_acl(vconfig, config, NULL, ++ "allow-query", NULL, actx, ++ named_g_mctx, &view->queryacl)); ++ ++ /* named.conf only */ ++ CHECK(configure_view_acl(vconfig, config, NULL, ++ "allow-query-cache", NULL, actx, ++ named_g_mctx, &view->cacheacl)); + + if (strcmp(view->name, "_bind") != 0 && + view->rdclass != dns_rdataclass_chaos) + { ++ /* named.conf only */ + CHECK(configure_view_acl(vconfig, config, NULL, + "allow-recursion", NULL, actx, + named_g_mctx, &view->recursionacl)); ++ /* named.conf only */ + CHECK(configure_view_acl(vconfig, config, NULL, + "allow-recursion-on", NULL, actx, + named_g_mctx, &view->recursiononacl)); +@@ -4744,18 +4754,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + * the global config. + */ + if (view->recursionacl == NULL) { ++ /* global default only */ + CHECK(configure_view_acl(NULL, NULL, named_g_config, + "allow-recursion", NULL, + actx, named_g_mctx, + &view->recursionacl)); + } + if (view->recursiononacl == NULL) { ++ /* global default only */ + CHECK(configure_view_acl(NULL, NULL, named_g_config, + "allow-recursion-on", NULL, + actx, named_g_mctx, + &view->recursiononacl)); + } + if (view->cacheacl == NULL) { ++ /* global default only */ + CHECK(configure_view_acl(NULL, NULL, named_g_config, + "allow-query-cache", NULL, + actx, named_g_mctx, +@@ -4769,6 +4782,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, + CHECK(dns_acl_none(mctx, &view->cacheacl)); + } + ++ if (view->queryacl == NULL) { ++ /* global default only */ ++ CHECK(configure_view_acl(NULL, NULL, named_g_config, ++ "allow-query", NULL, ++ actx, named_g_mctx, ++ &view->queryacl)); ++ } ++ + /* + * Ignore case when compressing responses to the specified + * clients. This causes case not always to be preserved, diff --git a/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch b/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch new file mode 100644 index 0000000000..fbd596862b --- /dev/null +++ b/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch @@ -0,0 +1,36 @@ +Fix a regression in Binutils 2.30 where some symbols are incorrectly assumed +to be addresses: + +https://sourceware.org/bugzilla/show_bug.cgi?id=22764 + +Patch taken from upstream (with ChangeLog entries and tests omitted): + +https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=279b2f94168ee91e02ccd070d27c983fc001fe12 + +diff --git a/bfd/elfnn-aarch64.c b/bfd/elfnn-aarch64.c +index af448f9..2737773 100644 +--- a/bfd/elfnn-aarch64.c ++++ b/bfd/elfnn-aarch64.c +@@ -7189,10 +7189,19 @@ elfNN_aarch64_check_relocs (bfd *abfd, struct bfd_link_info *info, + #if ARCH_SIZE == 64 + case BFD_RELOC_AARCH64_32: + #endif +- if (bfd_link_pic (info) +- && (sec->flags & SEC_ALLOC) != 0 +- && (sec->flags & SEC_READONLY) != 0) ++ if (bfd_link_pic (info) && (sec->flags & SEC_ALLOC) != 0) + { ++ if (h != NULL ++ /* This is an absolute symbol. It represents a value instead ++ of an address. */ ++ && ((h->root.type == bfd_link_hash_defined ++ && bfd_is_abs_section (h->root.u.def.section)) ++ /* This is an undefined symbol. */ ++ || h->root.type == bfd_link_hash_undefined)) ++ break; ++ ++ /* For local symbols, defined global symbols in a non-ABS section, ++ it is assumed that the value is an address. */ + int howto_index = bfd_r_type - BFD_RELOC_AARCH64_RELOC_START; + _bfd_error_handler + /* xgettext:c-format */ diff --git a/gnu/packages/patches/elixir-disable-failing-tests.patch b/gnu/packages/patches/elixir-disable-failing-tests.patch deleted file mode 100644 index 547598b292..0000000000 --- a/gnu/packages/patches/elixir-disable-failing-tests.patch +++ /dev/null @@ -1,284 +0,0 @@ -Most of these tests fail for unknown reasons when run in the chroot -environment of a Guix build process. - -Common failures are: - - * Mix.Shell.cmd() fails with error 130 - * The git_repo fixture cannot be found - * Communication with spawned processes fails with EPIPE - * Failure to copy files - - -diff --git a/lib/elixir/test/elixir/kernel/cli_test.exs b/lib/elixir/test/elixir/kernel/cli_test.exs -index 3ffd56c..1232d19 100644 ---- a/lib/elixir/test/elixir/kernel/cli_test.exs -+++ b/lib/elixir/test/elixir/kernel/cli_test.exs -@@ -39,6 +39,7 @@ end - defmodule Kernel.CLI.OptionParsingTest do - use ExUnit.Case, async: true - -+ @tag :skip - test "properly parses paths" do - root = fixture_path("../../..") |> to_charlist - list = elixir('-pa "#{root}/*" -pz "#{root}/lib/*" -e "IO.inspect(:code.get_path, limit: :infinity)"') -@@ -57,6 +58,7 @@ end - defmodule Kernel.CLI.AtExitTest do - use ExUnit.Case, async: true - -+ @tag :skip - test "invokes at_exit callbacks" do - assert elixir(fixture_path("at_exit.exs") |> to_charlist) == - 'goodbye cruel world with status 1\n' -@@ -66,6 +68,7 @@ end - defmodule Kernel.CLI.ErrorTest do - use ExUnit.Case, async: true - -+ @tag :skip - test "properly format errors" do - assert :string.str('** (throw) 1', elixir('-e "throw 1"')) == 0 - assert :string.str('** (ErlangError) erlang error: 1', elixir('-e "error 1"')) == 0 -@@ -86,6 +89,7 @@ defmodule Kernel.CLI.CompileTest do - {:ok, [tmp_dir_path: tmp_dir_path, beam_file_path: beam_file_path, fixture: fixture]} - end - -+ @tag :skip - test "compiles code", context do - assert elixirc('#{context[:fixture]} -o #{context[:tmp_dir_path]}') == '' - assert File.regular?(context[:beam_file_path]) -@@ -96,6 +100,7 @@ defmodule Kernel.CLI.CompileTest do - Code.delete_path context[:tmp_dir_path] - end - -+ @tag :skip - test "fails on missing patterns", context do - output = elixirc('#{context[:fixture]} non_existing.ex -o #{context[:tmp_dir_path]}') - assert :string.str(output, 'non_existing.ex') > 0, "expected non_existing.ex to be mentioned" -@@ -103,6 +108,7 @@ defmodule Kernel.CLI.CompileTest do - refute File.exists?(context[:beam_file_path]), "expected the sample to not be compiled" - end - -+ @tag :skip - test "fails on missing write access to .beam file", context do - compilation_args = '#{context[:fixture]} -o #{context[:tmp_dir_path]}' - -diff --git a/lib/elixir/test/elixir/kernel/dialyzer_test.exs b/lib/elixir/test/elixir/kernel/dialyzer_test.exs -index 801d852..40fc5bc 100644 ---- a/lib/elixir/test/elixir/kernel/dialyzer_test.exs -+++ b/lib/elixir/test/elixir/kernel/dialyzer_test.exs -@@ -60,16 +60,19 @@ defmodule Kernel.DialyzerTest do - assert_dialyze_no_warnings! context - end - -+ @tag :skip - test "no warnings on rewrites", context do - copy_beam! context, Dialyzer.Rewrite - assert_dialyze_no_warnings! context - end - -+ @tag :skip - test "no warnings on raise", context do - copy_beam! context, Dialyzer.Raise - assert_dialyze_no_warnings! context - end - -+ @tag :skip - test "no warnings on macrocallback", context do - copy_beam! context, Dialyzer.Macrocallback - copy_beam! context, Dialyzer.Macrocallback.Impl -diff --git a/lib/elixir/test/elixir/system_test.exs b/lib/elixir/test/elixir/system_test.exs -index aafa559..0f9c178 100644 ---- a/lib/elixir/test/elixir/system_test.exs -+++ b/lib/elixir/test/elixir/system_test.exs -@@ -53,7 +53,8 @@ defmodule SystemTest do - assert System.endianness in [:little, :big] - assert System.endianness == System.compiled_endianness - end -- -+ -+ @tag :skip - test "argv/0" do - list = elixir('-e "IO.inspect System.argv" -- -o opt arg1 arg2 --long-opt 10') - {args, _} = Code.eval_string list, [] -diff --git a/lib/mix/test/mix/dep_test.exs b/lib/mix/test/mix/dep_test.exs -index fff3351..d6ed1b3 100644 ---- a/lib/mix/test/mix/dep_test.exs -+++ b/lib/mix/test/mix/dep_test.exs -@@ -244,6 +244,7 @@ defmodule Mix.DepTest do - end - end - -+ @tag :skip - test "remote converger" do - deps = [{:deps_repo, "0.1.0", path: "custom/deps_repo"}, - {:git_repo, "0.2.0", git: MixTest.Case.fixture_path("git_repo")}] -@@ -301,6 +302,7 @@ defmodule Mix.DepTest do - end - end - -+ @tag :skip - test "remote converger is not invoked if deps diverge" do - deps = [{:deps_repo, "0.1.0", path: "custom/deps_repo"}, - {:git_repo, "0.2.0", git: MixTest.Case.fixture_path("git_repo"), only: :test}] - -diff --git a/lib/mix/test/mix/shell/io_test.exs b/lib/mix/test/mix/shell/io_test.exs -index 9bfb6b4..d982ef3 100644 ---- a/lib/mix/test/mix/shell/io_test.exs -+++ b/lib/mix/test/mix/shell/io_test.exs -@@ -29,6 +29,7 @@ defmodule Mix.Shell.IOTest do - assert capture_io("", fn -> refute yes?("Ok?") end) - end - -+ @tag :skip - test "runs a given command" do - assert capture_io("", fn -> assert cmd("echo hello") == 0 end) == "hello\n" - -diff --git a/lib/mix/test/mix/shell/quiet_test.exs b/lib/mix/test/mix/shell/quiet_test.exs -index 626429b..99fab35 100644 ---- a/lib/mix/test/mix/shell/quiet_test.exs -+++ b/lib/mix/test/mix/shell/quiet_test.exs -@@ -29,6 +29,7 @@ defmodule Mix.Shell.QuietTest do - assert capture_io("", fn -> refute yes?("Ok?") end) - end - -+ @tag :skip - test "runs a given command" do - assert capture_io("", fn -> assert cmd("echo hello") == 0 end) == "" - -diff --git a/lib/mix/test/mix/tasks/cmd_test.exs b/lib/mix/test/mix/tasks/cmd_test.exs -index db4bf06..4d441f7 100644 ---- a/lib/mix/test/mix/tasks/cmd_test.exs -+++ b/lib/mix/test/mix/tasks/cmd_test.exs -@@ -3,6 +3,7 @@ Code.require_file "../../test_helper.exs", __DIR__ - defmodule Mix.Tasks.CmdTest do - use MixTest.Case - -+ @tag :skip - test "runs the command for each app" do - in_fixture "umbrella_dep/deps/umbrella", fn -> - Mix.Project.in_project(:umbrella, ".", fn _ -> -diff --git a/lib/mix/test/mix/tasks/deps.tree_test.exs b/lib/mix/test/mix/tasks/deps.tree_test.exs -index 4f09ff3..c371997 100644 ---- a/lib/mix/test/mix/tasks/deps.tree_test.exs -+++ b/lib/mix/test/mix/tasks/deps.tree_test.exs -@@ -29,6 +29,7 @@ defmodule Mix.Tasks.Deps.TreeTest do - end - end - -+ @tag :skip - test "shows the dependency tree", context do - Mix.Project.push ConvergedDepsApp - -@@ -109,6 +110,7 @@ defmodule Mix.Tasks.Deps.TreeTest do - end - end - -+ @tag :skip - test "shows the dependency tree in DOT graph format", context do - Mix.Project.push ConvergedDepsApp - -diff --git a/lib/mix/test/mix/tasks/deps_test.exs b/lib/mix/test/mix/tasks/deps_test.exs -index b061777..cc45cf8 100644 ---- a/lib/mix/test/mix/tasks/deps_test.exs -+++ b/lib/mix/test/mix/tasks/deps_test.exs -@@ -96,6 +96,7 @@ - end - end - -+ @tag :skip - test "prints list of dependencies and their lock status" do - Mix.Project.push DepsApp - -@@ -409,6 +409,7 @@ defmodule Mix.Tasks.DepsTest do - end - end - -+ @tag :skip - test "fails on diverged dependencies by requirement" do - Mix.Project.push ConvergedDepsApp - -@@ -440,6 +441,7 @@ defmodule Mix.Tasks.DepsTest do - end - end - -+ @tag :skip - test "fails on diverged dependencies even when optional" do - Mix.Project.push ConvergedDepsApp - -@@ -469,6 +471,7 @@ defmodule Mix.Tasks.DepsTest do - end - end - -+ @tag :skip - test "works with converged dependencies" do - Mix.Project.push ConvergedDepsApp - -@@ -491,6 +494,7 @@ defmodule Mix.Tasks.DepsTest do - purge [GitRepo, GitRepo.Mixfile] - end - -+ @tag :skip - test "works with overridden dependencies" do - Mix.Project.push OverriddenDepsApp - -diff --git a/lib/mix/test/mix/umbrella_test.exs b/lib/mix/test/mix/umbrella_test.exs -index 69f9428..406668a 100644 ---- a/lib/mix/test/mix/umbrella_test.exs -+++ b/lib/mix/test/mix/umbrella_test.exs -@@ -98,6 +98,7 @@ defmodule Mix.UmbrellaTest do - end - end - -+ @tag :skip - test "loads umbrella child dependencies in all environments" do - in_fixture "umbrella_dep/deps/umbrella", fn -> - Mix.Project.in_project :umbrella, ".", fn _ -> - -diff --git a/lib/elixir/test/elixir/kernel/dialyzer_test.exs b/lib/elixir/test/elixir/kernel/dialyzer_test.exs -index 792222c..e90beb9 100644 ---- a/lib/elixir/test/elixir/kernel/dialyzer_test.exs -+++ b/lib/elixir/test/elixir/kernel/dialyzer_test.exs -@@ -54,6 +54,7 @@ defmodule Kernel.DialyzerTest do - {:ok, [outdir: dir, dialyzer: dialyzer]} - end - -+ @tag :skip - test "no warnings on valid remote calls", context do - copy_beam! context, Dialyzer.RemoteCall - assert_dialyze_no_warnings! context -@@ -78,11 +79,13 @@ defmodule Kernel.DialyzerTest do - assert_dialyze_no_warnings! context - end - -+ @tag :skip - test "no warnings on struct update", context do - copy_beam! context, Dialyzer.StructUpdate - assert_dialyze_no_warnings! context - end - -+ @tag :skip - test "no warnings on protocol calls with opaque types", context do - copy_beam! context, Dialyzer.ProtocolOpaque - copy_beam! context, Dialyzer.ProtocolOpaque.Entity -@@ -90,6 +93,7 @@ defmodule Kernel.DialyzerTest do - assert_dialyze_no_warnings! context - end - -+ @tag :skip - test "no warnings on and/2 and or/2", context do - copy_beam! context, Dialyzer.BooleanCheck - assert_dialyze_no_warnings! context - -diff --git a/Makefile b/Makefile -index 2fc4f9a..aef8366 100644 ---- a/Makefile -+++ b/Makefile -@@ -201,7 +201,7 @@ $(TEST_EBIN)/%.beam: $(TEST_ERL)/%.erl - $(Q) mkdir -p $(TEST_EBIN) - $(Q) $(ERLC) -o $(TEST_EBIN) $< - --test_elixir: test_stdlib test_ex_unit test_logger test_mix test_eex test_iex -+test_elixir: test_stdlib test_ex_unit test_logger test_eex test_iex - - test_stdlib: compile - @ echo "==> elixir (exunit)" - diff --git a/gnu/packages/patches/flann-cmake-3.11.patch b/gnu/packages/patches/flann-cmake-3.11.patch new file mode 100644 index 0000000000..1fb76eca0a --- /dev/null +++ b/gnu/packages/patches/flann-cmake-3.11.patch @@ -0,0 +1,84 @@ +Fixes this issue: + <https://github.com/mariusmuja/flann/issues/369>. +Patch from Buildroot: + <https://github.com/buildroot/buildroot/commit/45a39b3e2ba42b72d19bfcef30db1b8da9ead51a>. + +From fa5ec96a94646492a3f908e12905b3e48a8e800b Mon Sep 17 00:00:00 2001 +From: Romain Naour <romain.naour@gmail.com> +Date: Wed, 18 Apr 2018 20:24:13 +0200 +Subject: [PATCH] src/cpp: fix cmake >= 3.11 build + +CMake < 3.11 doesn't support add_library() without any source file +(i.e add_library(foo SHARED)). But flann CMake use a trick that use +an empty string "" as source list (i.e add_library(foo SHARED "")). +This look like a bug in CMake < 3.11. + +With CMake >= 3.11, the new behaviour of add_library() break the +existing flann CMake code. + +From CMake Changelog [1]: +"add_library() and add_executable() commands can now be called without + any sources and will not complain as long as sources are added later + via the target_sources() command." + +Note: flann CMake code doesn't use target_sources() since no source file +are provided intentionally since the flann shared library is created by +linking with the flann_cpp_s static library with this line: + +target_link_libraries(flann_cpp -Wl,-whole-archive flann_cpp_s -Wl,-no-whole-archive) + +If you try to use "add_library(flann_cpp SHARED ${CPP_SOURCES})" (as it should +be normally done), the link fail due to already defined symbol. + +They are building the shared version using the static library "to speedup the +build time" [3] + +This issue is already reported upstream [2] with a proposed solution. + +Upstream status: Pending + +Fixes: +http://autobuild.buildroot.net/results/b2f/b2febfaf8c44ce477b3e4a5b9b976fd25e8d7454 + +[1] https://cmake.org/cmake/help/v3.11/release/3.11.html +[2] https://github.com/mariusmuja/flann/issues/369 +[3] https://github.com/mariusmuja/flann/commit/0fd62b43be2fbb0b8d791ee36290791224dc030c + +Signed-off-by: Romain Naour <romain.naour@gmail.com> +--- + src/cpp/CMakeLists.txt | 4 ++-- + src/cpp/empty.cpp | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + create mode 100644 src/cpp/empty.cpp + +diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt +index b44a735..a816863 100644 +--- a/src/cpp/CMakeLists.txt ++++ b/src/cpp/CMakeLists.txt +@@ -29,7 +29,7 @@ if (BUILD_CUDA_LIB) + endif() + + if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_COMPILER_IS_GNUCC) +- add_library(flann_cpp SHARED "") ++ add_library(flann_cpp SHARED "empty.cpp") + set_target_properties(flann_cpp PROPERTIES LINKER_LANGUAGE CXX) + target_link_libraries(flann_cpp -Wl,-whole-archive flann_cpp_s -Wl,-no-whole-archive) + +@@ -85,7 +85,7 @@ if (BUILD_C_BINDINGS) + set_property(TARGET flann_s PROPERTY COMPILE_DEFINITIONS FLANN_STATIC) + + if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_COMPILER_IS_GNUCC) +- add_library(flann SHARED "") ++ add_library(flann SHARED "empty.cpp") + set_target_properties(flann PROPERTIES LINKER_LANGUAGE CXX) + target_link_libraries(flann -Wl,-whole-archive flann_s -Wl,-no-whole-archive) + else() +diff --git a/src/cpp/empty.cpp b/src/cpp/empty.cpp +new file mode 100644 +index 0000000..40a8c17 +--- /dev/null ++++ b/src/cpp/empty.cpp +@@ -0,0 +1 @@ ++/* empty */ +-- +2.14.3 diff --git a/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch b/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch deleted file mode 100644 index 306d4d348b..0000000000 --- a/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch +++ /dev/null @@ -1,50 +0,0 @@ -Fix CVE-2018-12020: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020 -https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html - -Patch copied from upstream source repository: - -https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2326851c60793653069494379b16d84e4c10a0ac - -From 2326851c60793653069494379b16d84e4c10a0ac Mon Sep 17 00:00:00 2001 -From: Werner Koch <wk@gnupg.org> -Date: Fri, 8 Jun 2018 10:45:21 +0200 -Subject: [PATCH] gpg: Sanitize diagnostic with the original file name. - -* g10/mainproc.c (proc_plaintext): Sanitize verbose output. --- - -This fixes a forgotten sanitation of user supplied data in a verbose -mode diagnostic. The mention CVE is about using this to inject -status-fd lines into the stderr output. Other harm good as well be -done. Note that GPGME based applications are not affected because -GPGME does not fold status output into stderr. - -CVE-id: CVE-2018-12020 -GnuPG-bug-id: 4012 -(cherry picked from commit 13f135c7a252cc46cff96e75968d92b6dc8dce1b) ---- - g10/mainproc.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/g10/mainproc.c b/g10/mainproc.c -index 33a654b34..ffa7ef6d8 100644 ---- a/g10/mainproc.c -+++ b/g10/mainproc.c -@@ -638,7 +638,11 @@ proc_plaintext( CTX c, PACKET *pkt ) - if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) ) - log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n")); - else if( opt.verbose ) -- log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name); -+ { -+ char *tmp = make_printable_string (pt->name, pt->namelen, 0); -+ log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp); -+ xfree (tmp); -+ } - free_md_filter_context( &c->mfx ); - c->mfx.md = md_open( 0, 0); - /* fixme: we may need to push the textfilter if we have sigclass 1 --- -2.17.1 - diff --git a/gnu/packages/patches/password-store-gnupg-compat.patch b/gnu/packages/patches/password-store-gnupg-compat.patch deleted file mode 100644 index 75c6362021..0000000000 --- a/gnu/packages/patches/password-store-gnupg-compat.patch +++ /dev/null @@ -1,28 +0,0 @@ -Copied from upstream mailing list: -https://lists.zx2c4.com/pipermail/password-store/2018-February/003216.html. - -From 9b0c86159d754cc88dd3642564eed527153dfb7f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= <clement@lassieur.org> -Date: Sat, 24 Feb 2018 12:05:46 +0100 -Subject: [PATCH] tests: fix compatibility with GnuPG 2.2.5 - ---- - tests/t0300-reencryption.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/t0300-reencryption.sh b/tests/t0300-reencryption.sh -index 6d5811d..6d15364 100755 ---- a/tests/t0300-reencryption.sh -+++ b/tests/t0300-reencryption.sh -@@ -10,7 +10,7 @@ canonicalize_gpg_keys() { - $GPG --list-keys --with-colons "$@" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u - } - gpg_keys_from_encrypted_file() { -- $GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u -+ $GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | grep "public key is" | cut -d ' ' -f 5 | LC_ALL=C sort -u - } - gpg_keys_from_group() { - local output="$($GPG --list-config --with-colons | sed -n "s/^cfg:group:$1:\\(.*\\)/\\1/p" | head -n 1)" --- -2.16.2 - diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch new file mode 100644 index 0000000000..6460cf5855 --- /dev/null +++ b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch @@ -0,0 +1,36 @@ +Fix CVE-2018-12015: + +https://security-tracker.debian.org/tracker/CVE-2018-12015 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015 +https://rt.cpan.org/Ticket/Display.html?id=125523 + +Patch taken from this upstream commit and adapted to apply to +the bundled copy in the Perl distribution: + +https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5 + +diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm +index 6244369..a83975f 100644 +--- a/cpan/Archive-Tar/lib/Archive/Tar.pm ++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm +@@ -845,6 +845,20 @@ sub _extract_file { + return; + } + ++ ### If a file system already contains a block device with the same name as ++ ### the being extracted regular file, we would write the file's content ++ ### to the block device. So remove the existing file (block device) now. ++ ### If an archive contains multiple same-named entries, the last one ++ ### should replace the previous ones. So remove the old file now. ++ ### If the old entry is a symlink to a file outside of the CWD, the new ++ ### entry would create a file there. This is CVE-2018-12015 ++ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>. ++ if (-l $full || -e _) { ++ if (!unlink $full) { ++ $self->_error( qq[Could not remove old file '$full': $!] ); ++ return; ++ } ++ } + if( length $entry->type && $entry->is_file ) { + my $fh = IO::File->new; + $fh->open( $full, '>' ) or ( diff --git a/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch b/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch deleted file mode 100644 index e1e71a332a..0000000000 --- a/gnu/packages/patches/python-nose-timer-drop-ordereddict.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 700076019b5aff72aac7651cc830aaef21ee9a47 Mon Sep 17 00:00:00 2001 -From: jakirkham <jakirkham@gmail.com> -Date: Fri, 7 Jul 2017 05:57:56 -0400 -Subject: [PATCH] Drop ordereddict requirement (#84) - -* Drop ordereddict requirement - -As Python 2.7 is the minimum Python supported, every version of Python -should have `ordereddict` preincluded in the standard library one way or -another. So we can drop this dependency and just handle the differences -between Python 2 and Python 3. ---- - nosetimer/plugin.py | 5 +---- - setup.py | 1 - - 2 files changed, 1 insertion(+), 5 deletions(-) - -diff --git a/nosetimer/plugin.py b/nosetimer/plugin.py -index ef28e11..d093a51 100644 ---- a/nosetimer/plugin.py -+++ b/nosetimer/plugin.py -@@ -12,10 +12,7 @@ - except ImportError: - import queue as Queue - --try: -- from collections import OrderedDict --except ImportError: -- from ordereddict import OrderedDict -+from collections import OrderedDict - - - # define constants -diff --git a/setup.py b/setup.py -index 6a55b82..d249325 100755 ---- a/setup.py -+++ b/setup.py -@@ -27,7 +27,6 @@ - install_requires=[ - 'nose', - 'termcolor', -- 'ordereddict', - ], - license='MIT', - entry_points={ diff --git a/gnu/packages/patches/strace-kernel-4.16.patch b/gnu/packages/patches/strace-kernel-4.16.patch deleted file mode 100644 index e86d3be439..0000000000 --- a/gnu/packages/patches/strace-kernel-4.16.patch +++ /dev/null @@ -1,92 +0,0 @@ -Fix test failure when using Linux-Libre >= 4.16. - -Taken from upstream: -https://github.com/strace/strace/commit/bcff87c31c0f27c678a43d6b7f67dab363a974fa - -From bcff87c31c0f27c678a43d6b7f67dab363a974fa Mon Sep 17 00:00:00 2001 -From: Masatake YAMATO <yamato@redhat.com> -Date: Wed, 2 May 2018 17:11:07 +0900 -Subject: [PATCH] tests/ioctl_kvm_run.c: handle cpuid at the end of vcpu dentry - -Since Linux 4.16, kernel appends the cpuid as suffix to the entry -for a kvm vcpu in /proc/$pid/fd like: - - anon_inode:kvm-vcpu:0 - -That was - - anon_inode:kvm-vcpu - -This kernel change causes the test case failure on newer kernels. -Update the test to deal with the new name as well as the old one. - -* tests/ioctl_kvm_run.c: Include unistd.h for using readlink(2). -(vcpu_dev_should_have_cpuid): New function for detecting whether -a proc entry for given fd has the cpuid suffix or not. -(main): Trim vcpu_dev to remove the cpuid suffix if needed. -(vcpu_dev): Remove const modifier. ---- - tests/ioctl_kvm_run.c | 29 ++++++++++++++++++++++++++++- - 1 file changed, 28 insertions(+), 1 deletion(-) - -diff --git a/tests/ioctl_kvm_run.c b/tests/ioctl_kvm_run.c -index 179461430..e1bef5796 100644 ---- a/tests/ioctl_kvm_run.c -+++ b/tests/ioctl_kvm_run.c -@@ -40,6 +40,7 @@ - # include <string.h> - # include <sys/ioctl.h> - # include <sys/mman.h> -+# include <unistd.h> - # include <linux/kvm.h> - - static int -@@ -56,7 +57,7 @@ kvm_ioctl(int fd, unsigned long cmd, const char *cmd_str, void *arg) - - static const char dev[] = "/dev/kvm"; - static const char vm_dev[] = "anon_inode:kvm-vm"; --static const char vcpu_dev[] = "anon_inode:kvm-vcpu"; -+static char vcpu_dev[] = "anon_inode:kvm-vcpu:0"; - static size_t page_size; - - extern const char code[]; -@@ -165,6 +166,23 @@ run_kvm(const int vcpu_fd, struct kvm_run *const run, const size_t mmap_size, - } - } - -+static int -+vcpu_dev_should_have_cpuid(int fd) -+{ -+ int r = 0; -+ char *filename = NULL; -+ char buf[sizeof(vcpu_dev)]; -+ -+ if (asprintf(&filename, "/proc/%d/fd/%d", getpid(), fd) < 0) -+ error_msg_and_fail("asprintf"); -+ -+ if (readlink(filename, buf, sizeof(buf)) == sizeof(buf) - 1 -+ && (memcmp(buf, vcpu_dev, sizeof(buf) - 1) == 0)) -+ r = 1; -+ free(filename); -+ return r; -+} -+ - int - main(void) - { -@@ -208,6 +226,15 @@ main(void) - (unsigned long) page_size, (unsigned long) page_size, mem); - - int vcpu_fd = KVM_IOCTL(vm_fd, KVM_CREATE_VCPU, NULL); -+ if (!vcpu_dev_should_have_cpuid(vcpu_fd)) -+ /* -+ * This is an older kernel that doesn't place a cpuid -+ * at the end of the dentry associated with vcpu_fd. -+ * Trim the cpuid part of vcpu_dev like: -+ * "anon_inode:kvm-vcpu:0" -> "anon_inode:kvm-vcpu" -+ */ -+ vcpu_dev[strlen (vcpu_dev) - 2] = '\0'; -+ - printf("ioctl(%d<%s>, KVM_CREATE_VCPU, 0) = %d<%s>\n", - vm_fd, vm_dev, vcpu_fd, vcpu_dev); - diff --git a/gnu/packages/patches/upx-fix-CVE-2017-15056.patch b/gnu/packages/patches/upx-fix-CVE-2017-15056.patch new file mode 100644 index 0000000000..525980e73e --- /dev/null +++ b/gnu/packages/patches/upx-fix-CVE-2017-15056.patch @@ -0,0 +1,96 @@ +From 3e0c2966dffb5dadb512a476ef4be3d0cc51c2be Mon Sep 17 00:00:00 2001 +From: Pierre Neidhardt <ambrevar@gmail.com> +Date: Sat, 16 Jun 2018 16:35:00 +0200 +Subject: [PATCH] Protect against bad crafted input + +Also check for wrap-around when checking oversize involving e_shoff and e_shnum. + +raised by https://github.com/upx/upx/pull/190 + modified: p_lx_elf.cpp +--- + src/p_lx_elf.cpp | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp +index 822a7652..41e805ee 100644 +--- a/src/p_lx_elf.cpp ++++ b/src/p_lx_elf.cpp +@@ -235,8 +235,17 @@ PackLinuxElf32::PackLinuxElf32help1(InputFile *f) + sz_phdrs = 0; + return; + } ++ if (0==e_phnum) throwCantUnpack("0==e_phnum"); + e_phoff = get_te32(&ehdri.e_phoff); ++ unsigned const last_Phdr = e_phoff + e_phnum * sizeof(Elf32_Phdr); ++ if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) { ++ throwCantUnpack("bad e_phoff"); ++ } + e_shoff = get_te32(&ehdri.e_shoff); ++ unsigned const last_Shdr = e_shoff + e_shnum * sizeof(Elf32_Shdr); ++ if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) { ++ throwCantUnpack("bad e_shoff"); ++ } + sz_phdrs = e_phnum * e_phentsize; + + if (f && Elf32_Ehdr::ET_DYN!=e_type) { +@@ -599,8 +608,17 @@ PackLinuxElf64::PackLinuxElf64help1(InputFile *f) + sz_phdrs = 0; + return; + } ++ if (0==e_phnum) throwCantUnpack("0==e_phnum"); + e_phoff = get_te64(&ehdri.e_phoff); ++ upx_uint64_t const last_Phdr = e_phoff + e_phnum * sizeof(Elf64_Phdr); ++ if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) { ++ throwCantUnpack("bad e_phoff"); ++ } + e_shoff = get_te64(&ehdri.e_shoff); ++ upx_uint64_t const last_Shdr = e_shoff + e_shnum * sizeof(Elf64_Shdr); ++ if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) { ++ throwCantUnpack("bad e_shoff"); ++ } + sz_phdrs = e_phnum * e_phentsize; + + if (f && Elf64_Ehdr::ET_DYN!=e_type) { +@@ -3763,6 +3781,9 @@ void PackLinuxElf64::pack4(OutputFile *fo, Filter &ft) + + void PackLinuxElf64::unpack(OutputFile *fo) + { ++ if (e_phoff != sizeof(Elf64_Ehdr)) {// Phdrs not contiguous with Ehdr ++ throwCantUnpack("bad e_phoff"); ++ } + unsigned const c_phnum = get_te16(&ehdri.e_phnum); + upx_uint64_t old_data_off = 0; + upx_uint64_t old_data_len = 0; +@@ -3828,6 +3849,9 @@ void PackLinuxElf64::unpack(OutputFile *fo) + unsigned total_out = 0; + unsigned c_adler = upx_adler32(NULL, 0); + unsigned u_adler = upx_adler32(NULL, 0); ++ if ((MAX_ELF_HDR - sizeof(Elf64_Ehdr))/sizeof(Elf64_Phdr) < u_phnum) { ++ throwCantUnpack("bad compressed e_phnum"); ++ } + + // Packed ET_EXE has no PT_DYNAMIC. + // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld. +@@ -4383,6 +4407,9 @@ Elf64_Sym const *PackLinuxElf64::elf_lookup(char const *name) const + + void PackLinuxElf32::unpack(OutputFile *fo) + { ++ if (e_phoff != sizeof(Elf32_Ehdr)) {// Phdrs not contiguous with Ehdr ++ throwCantUnpack("bad e_phoff"); ++ } + unsigned const c_phnum = get_te16(&ehdri.e_phnum); + unsigned old_data_off = 0; + unsigned old_data_len = 0; +@@ -4449,6 +4476,9 @@ void PackLinuxElf32::unpack(OutputFile *fo) + unsigned total_out = 0; + unsigned c_adler = upx_adler32(NULL, 0); + unsigned u_adler = upx_adler32(NULL, 0); ++ if ((MAX_ELF_HDR - sizeof(Elf32_Ehdr))/sizeof(Elf32_Phdr) < u_phnum) { ++ throwCantUnpack("bad compressed e_phnum"); ++ } + + // Packed ET_EXE has no PT_DYNAMIC. + // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld. +-- +2.17.0 + |