Diffstat (limited to 'gnu/packages/patches')
16 files changed, 910 insertions, 101 deletions
diff --git a/gnu/packages/patches/blast+-fix-makefile.patch b/gnu/packages/patches/blast+-fix-makefile.patch
new file mode 100644
index 0000000000..bfa46a7e51
--- /dev/null
+++ b/gnu/packages/patches/blast+-fix-makefile.patch
@@ -0,0 +1,15 @@
+Without this patch, the 'make install' attempts to 'install' a directory, which causes an error.
+
+diff --git a/c++/src/build-system/Makefile.in.top b/c++/src/build-system/Makefile.in.top
+index 1abe44f..d6000b3 100644
+--- a/c++/src/build-system/Makefile.in.top
++++ b/c++/src/build-system/Makefile.in.top
+@@ -51,7 +51,7 @@ install-toolkit:
+ done
+ cd $(includedir0) && find * -name CVS -prune -o -print |\
+ cpio -pd $(pincludedir)
+- $(INSTALL) -m 644 $(incdir)/* $(pincludedir)
++ cp -R $(incdir)/* $(pincludedir)
+ ## set up appropriate build and status directories somewhere under $(libdir)?
+
+ install-gbench:
diff --git a/gnu/packages/patches/dblatex-remove-multirow.patch b/gnu/packages/patches/dblatex-remove-multirow.patch
new file mode 100644
index 0000000000..62d1c64e08
--- /dev/null
+++ b/gnu/packages/patches/dblatex-remove-multirow.patch
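Review bot: Switching the install-toolkit step from `$(INSTALL) -m 644 $(incdir)/* $(pincludedir)` to `cp -R $(incdir)/* $(pincludedir)` drops the explicit 644 mode, so the installed headers take whatever permissions the build tree happens to have. If nothing later normalises the output, a group- or world-writable source file would stay that way after installation. Consider following the copy with `chmod -R u=rwX,go=rX $(pincludedir)`, and extend the patch header with a sentence noting that the mode is no longer set. The install-toolkit rule starts before this hunk, so the earlier steps were not checked.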
@@ -0,0 +1,30 @@
+This patch is needed to fix dblatex with newer versions of TeX Live.
+It was taken from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840189
+
+--- a/latex/style/dbk_table.sty Sun Oct 02 23:21:03 2016 +0200
++++ b/latex/style/dbk_table.sty Mon Oct 10 21:31:00 2016 +0200
+@@ -9,7 +9,6 @@
+ \usepackage{longtable}
+ \usepackage{lscape}
+ \usepackage{colortbl}
+-\usepackage{multirow}
+ \usepackage{calc}
+ \usepackage{hhline}
+
+@@ -21,16 +20,6 @@
+ \expandafter[\expandafter3\expandafter]\expandafter{%
+ \multicolumn{#1}{#2}{#3}}
+
+-% Make \@xmultirow long
+-\expandafter\long\expandafter\def%
+-\expandafter\@xmultirow%
+-\expandafter#\expandafter1%
+-\expandafter[\expandafter#\expandafter2\expandafter]%
+-\expandafter#\expandafter3%
+-\expandafter[\expandafter#\expandafter4\expandafter]%
+-\expandafter#\expandafter5%
+-\expandafter{\@xmultirow{#1}[#2]{#3}[#4]{#5}}
+-
+ % For the newtbl code
+ \newdimen\newtblstarfactor%
+ \newdimen\newtblsparewidth%
diff --git a/gnu/packages/patches/gajim-CVE-2016-10376.patch b/gnu/packages/patches/gajim-CVE-2016-10376.patch
deleted file mode 100644
index 591dd1af21..0000000000
--- a/gnu/packages/patches/gajim-CVE-2016-10376.patch
+++ /dev/null
@@ -1,57 +0,0 @@ -Fix CVE-2016-10376. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10376 -http://seclists.org/oss-sec/2017/q2/341 -https://dev.gajim.org/gajim/gajim/issues/8378 - -Patch copied from upstream source repository: - -https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc - -(adapted for context in config.py) - -From cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc Mon Sep 17 00:00:00 2001 -From: Philipp Hörist <forenjunkie@chello.at> -Date: Fri, 26 May 2017 23:10:05 +0200 -Subject: [PATCH] Add config option to activate XEP-0146 commands - -Some of the Commands have security implications, thats why we disable them per default -Fixes #8378 ---- - src/common/commands.py | 7 ++++--- - src/common/config.py | 1 + - 2 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/common/commands.py b/src/common/commands.py -index 19d8c13..0eeb57c 100644 ---- a/src/common/commands.py -+++ b/src/common/commands.py -@@ -345,9 +345,10 @@ class ConnectionCommands: - def __init__(self): - # a list of all commands exposed: node -> command class - self.__commands = {} -- for cmdobj in (ChangeStatusCommand, ForwardMessagesCommand, -- LeaveGroupchatsCommand, FwdMsgThenDisconnectCommand): -- self.__commands[cmdobj.commandnode] = cmdobj -+ if gajim.config.get('remote_commands'): -+ for cmdobj in (ChangeStatusCommand, ForwardMessagesCommand, -+ LeaveGroupchatsCommand, FwdMsgThenDisconnectCommand): -+ self.__commands[cmdobj.commandnode] = cmdobj - - # a list of sessions; keys are tuples (jid, sessionid, node) - self.__sessions = {} -diff --git a/src/common/config.py b/src/common/config.py -index cde1f81..fe25455 100644 ---- a/src/common/config.py -+++ b/src/common/config.py -@@ -314,6 +314,7 @@ class Config: - 'ignore_incoming_attention': [opt_bool, False, _('If True, Gajim will ignore incoming attention requestd ("wizz").')], - 'remember_opened_chat_controls': [ opt_bool, True, _('If enabled, Gajim will reopen chat windows that were 
opened last time Gajim was closed.')], - 'positive_184_ack': [ opt_bool, False, _('If enabled, Gajim will show an icon to show that sent message has been received by your contact')], -+ 'remote_commands': [opt_bool, False, _('If True, Gajim will execute XEP-0146 Commands.')], - }, {}) - - __options_per_key = { --- -libgit2 0.24.0 - diff --git a/gnu/packages/patches/gcr-disable-failing-tests.patch b/gnu/packages/patches/gcr-disable-failing-tests.patch new file mode 100644 index 0000000000..862c51faf0 --- /dev/null +++ b/gnu/packages/patches/gcr-disable-failing-tests.patch 
@@ -0,0 +1,126 @@ +This patch removes a group of tests that fail because /var/lib/dbus/machine-id +is not present in the build environment. + +--- gcr-3.20.0.old/Makefile.in 2017-07-03 18:05:10.742595317 -0400 ++++ gcr-3.20.0/Makefile.in 2017-07-03 18:08:26.379565428 -0400 +@@ -482,8 +482,7 @@ + test-openssh$(EXEEXT) test-secure-memory$(EXEEXT) \ + test-trust$(EXEEXT) test-parser$(EXEEXT) test-record$(EXEEXT) \ + test-memory-icon$(EXEEXT) test-gnupg-key$(EXEEXT) \ +- test-gnupg-collection$(EXEEXT) test-gnupg-process$(EXEEXT) \ +- test-system-prompt$(EXEEXT) ++ test-gnupg-collection$(EXEEXT) test-gnupg-process$(EXEEXT) + @WITH_GTK_TRUE@am__EXEEXT_4 = frob-certificate$(EXEEXT) \ + @WITH_GTK_TRUE@ frob-combo-selector$(EXEEXT) \ + @WITH_GTK_TRUE@ frob-gnupg-selector$(EXEEXT) \ +@@ -882,14 +881,6 @@ + am_test_symkey_OBJECTS = egg/test-symkey.$(OBJEXT) + test_symkey_OBJECTS = $(am_test_symkey_OBJECTS) + test_symkey_DEPENDENCIES = $(am__DEPENDENCIES_4) +-am_test_system_prompt_OBJECTS = \ +- gcr/test_system_prompt-test-system-prompt.$(OBJEXT) +-test_system_prompt_OBJECTS = $(am_test_system_prompt_OBJECTS) +-test_system_prompt_DEPENDENCIES = $(am__DEPENDENCIES_3) +-test_system_prompt_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ +- $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ +- $(test_system_prompt_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ +- $(LDFLAGS) -o $@ + am_test_trust_OBJECTS = gcr/test_trust-test-trust.$(OBJEXT) + test_trust_OBJECTS = $(am_test_trust_OBJECTS) + test_trust_DEPENDENCIES = $(am__DEPENDENCIES_3) +@@ -974,8 +965,7 @@ + $(test_secret_exchange_SOURCES) $(test_secure_memory_SOURCES) \ + $(test_simple_certificate_SOURCES) \ + $(test_subject_public_key_SOURCES) $(test_symkey_SOURCES) \ +- $(test_system_prompt_SOURCES) $(test_trust_SOURCES) \ +- $(test_util_SOURCES) ++ $(test_trust_SOURCES) $(test_util_SOURCES) + DIST_SOURCES = $(libegg_asn1x_la_SOURCES) $(libegg_hex_la_SOURCES) \ + $(libegg_secmem_la_SOURCES) $(libegg_test_la_SOURCES) \ + $(libegg_la_SOURCES) 
$(libgck_@GCK_MAJOR@_la_SOURCES) \ +@@ -1016,8 +1006,7 @@ + $(test_secret_exchange_SOURCES) $(test_secure_memory_SOURCES) \ + $(test_simple_certificate_SOURCES) \ + $(test_subject_public_key_SOURCES) $(test_symkey_SOURCES) \ +- $(test_system_prompt_SOURCES) $(test_trust_SOURCES) \ +- $(test_util_SOURCES) ++ $(test_trust_SOURCES) $(test_util_SOURCES) + RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ + ctags-recursive dvi-recursive html-recursive info-recursive \ + install-data-recursive install-dvi-recursive \ +@@ -2117,8 +2106,7 @@ + test-memory-icon \ + test-gnupg-key \ + test-gnupg-collection \ +- test-gnupg-process \ +- test-system-prompt ++ test-gnupg-process + + test_certificate_SOURCES = gcr/test-certificate.c + test_certificate_CFLAGS = $(gcr_CFLAGS) +@@ -2171,9 +2159,6 @@ + test_subject_public_key_SOURCES = gcr/test-subject-public-key.c + test_subject_public_key_CFLAGS = $(gcr_CFLAGS) + test_subject_public_key_LDADD = $(gcr_LIBS) +-test_system_prompt_SOURCES = gcr/test-system-prompt.c +-test_system_prompt_CFLAGS = $(gcr_CFLAGS) +-test_system_prompt_LDADD = $(gcr_LIBS) + test_trust_SOURCES = gcr/test-trust.c + test_trust_CFLAGS = $(gcr_CFLAGS) + test_trust_LDADD = $(gcr_LIBS) +@@ -3283,12 +3268,6 @@ + test-symkey$(EXEEXT): $(test_symkey_OBJECTS) $(test_symkey_DEPENDENCIES) $(EXTRA_test_symkey_DEPENDENCIES) + @rm -f test-symkey$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(test_symkey_OBJECTS) $(test_symkey_LDADD) $(LIBS) +-gcr/test_system_prompt-test-system-prompt.$(OBJEXT): \ +- gcr/$(am__dirstamp) gcr/$(DEPDIR)/$(am__dirstamp) +- +-test-system-prompt$(EXEEXT): $(test_system_prompt_OBJECTS) $(test_system_prompt_DEPENDENCIES) $(EXTRA_test_system_prompt_DEPENDENCIES) +- @rm -f test-system-prompt$(EXEEXT) +- $(AM_V_CCLD)$(test_system_prompt_LINK) $(test_system_prompt_OBJECTS) $(test_system_prompt_LDADD) $(LIBS) + gcr/test_trust-test-trust.$(OBJEXT): gcr/$(am__dirstamp) \ + gcr/$(DEPDIR)/$(am__dirstamp) + +@@ -3446,7 +3425,6 @@ + 
@AMDEP_TRUE@@am__include@ @am__quote@gcr/$(DEPDIR)/test_secure_memory-test-secure-memory.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@gcr/$(DEPDIR)/test_simple_certificate-test-simple-certificate.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@gcr/$(DEPDIR)/test_subject_public_key-test-subject-public-key.Po@am__quote@ +-@AMDEP_TRUE@@am__include@ @am__quote@gcr/$(DEPDIR)/test_system_prompt-test-system-prompt.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@gcr/$(DEPDIR)/test_trust-test-trust.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@gcr/$(DEPDIR)/test_util-test-util.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@ui/$(DEPDIR)/frob_certificate-frob-certificate.Po@am__quote@ +@@ -4968,20 +4946,6 @@ + @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ + @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_subject_public_key_CFLAGS) $(CFLAGS) -c -o gcr/test_subject_public_key-test-subject-public-key.obj `if test -f 'gcr/test-subject-public-key.c'; then $(CYGPATH_W) 'gcr/test-subject-public-key.c'; else $(CYGPATH_W) '$(srcdir)/gcr/test-subject-public-key.c'; fi` + +-gcr/test_system_prompt-test-system-prompt.o: gcr/test-system-prompt.c +-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_system_prompt_CFLAGS) $(CFLAGS) -MT gcr/test_system_prompt-test-system-prompt.o -MD -MP -MF gcr/$(DEPDIR)/test_system_prompt-test-system-prompt.Tpo -c -o gcr/test_system_prompt-test-system-prompt.o `test -f 'gcr/test-system-prompt.c' || echo '$(srcdir)/'`gcr/test-system-prompt.c +-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) gcr/$(DEPDIR)/test_system_prompt-test-system-prompt.Tpo gcr/$(DEPDIR)/test_system_prompt-test-system-prompt.Po +-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='gcr/test-system-prompt.c' object='gcr/test_system_prompt-test-system-prompt.o' libtool=no @AMDEPBACKSLASH@ 
+-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_system_prompt_CFLAGS) $(CFLAGS) -c -o gcr/test_system_prompt-test-system-prompt.o `test -f 'gcr/test-system-prompt.c' || echo '$(srcdir)/'`gcr/test-system-prompt.c +- +-gcr/test_system_prompt-test-system-prompt.obj: gcr/test-system-prompt.c +-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_system_prompt_CFLAGS) $(CFLAGS) -MT gcr/test_system_prompt-test-system-prompt.obj -MD -MP -MF gcr/$(DEPDIR)/test_system_prompt-test-system-prompt.Tpo -c -o gcr/test_system_prompt-test-system-prompt.obj `if test -f 'gcr/test-system-prompt.c'; then $(CYGPATH_W) 'gcr/test-system-prompt.c'; else $(CYGPATH_W) '$(srcdir)/gcr/test-system-prompt.c'; fi` +-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) gcr/$(DEPDIR)/test_system_prompt-test-system-prompt.Tpo gcr/$(DEPDIR)/test_system_prompt-test-system-prompt.Po +-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='gcr/test-system-prompt.c' object='gcr/test_system_prompt-test-system-prompt.obj' libtool=no @AMDEPBACKSLASH@ +-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_system_prompt_CFLAGS) $(CFLAGS) -c -o gcr/test_system_prompt-test-system-prompt.obj `if test -f 'gcr/test-system-prompt.c'; then $(CYGPATH_W) 'gcr/test-system-prompt.c'; else $(CYGPATH_W) '$(srcdir)/gcr/test-system-prompt.c'; fi` +- + gcr/test_trust-test-trust.o: gcr/test-trust.c + @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_trust_CFLAGS) $(CFLAGS) -MT gcr/test_trust-test-trust.o -MD -MP -MF gcr/$(DEPDIR)/test_trust-test-trust.Tpo -c -o gcr/test_trust-test-trust.o `test 
-f 'gcr/test-trust.c' || echo '$(srcdir)/'`gcr/test-trust.c + @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) gcr/$(DEPDIR)/test_trust-test-trust.Tpo gcr/$(DEPDIR)/test_trust-test-trust.Po +@@ -5808,13 +5772,6 @@ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ +- "$$tst" $(AM_TESTS_FD_REDIRECT) +-test-system-prompt.log: test-system-prompt$(EXEEXT) +- @p='test-system-prompt$(EXEEXT)'; \ +- b='test-system-prompt'; \ +- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ +- --log-file $$b.log --trs-file $$b.trs \ +- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) + .test.log: + @p='$<'; \ diff --git a/gnu/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch b/gnu/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch new file mode 100644 index 0000000000..86a8ed1691 --- /dev/null +++ b/gnu/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch 
@@ -0,0 +1,31 @@
+This patch comes from Debian.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=771052
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835737
+
+--- gcr-3.20.0.old/gcr/test-gnupg-collection.c 2017-06-29 14:26:33.810838197 -0400
++++ gcr-3.20.0/gcr/test-gnupg-collection.c 2017-06-30 17:25:09.149383067 -0400
+@@ -115,6 +115,14 @@
+
+ g_object_unref (test->collection);
+
++ /* remove potential gpg 2.1 extras, ignore any errors. */
++ cmd = g_strdup_printf ("rm -rf %s/*.d", test->directory);
++ system(cmd);
++ g_free(cmd);
++ cmd = g_strdup_printf ("rm -f %s/.gpg-v21-migrated", test->directory);
++ system(cmd);
++ g_free(cmd);
++
+ cmd = g_strdup_printf ("rm -f %s/*", test->directory);
+ g_spawn_check_exit_status (system (cmd), &error);
+ g_assert_no_error (error);
+@@ -202,7 +210,7 @@
+ GcrGnupgKey *key;
+
+ _gcr_gnupg_collection_load_async (test->collection, NULL, on_async_ready, test);
+- egg_test_wait_until (500);
++ egg_test_wait_until (2500);
+ g_assert (test->result);
+ _gcr_gnupg_collection_load_finish (test->collection, test->result, &error);
+ g_assert_no_error (error);
diff --git a/gnu/packages/patches/gemma-intel-compat.patch b/gnu/packages/patches/gemma-intel-compat.patch
new file mode 100644
index 0000000000..f12ec56d9b
--- /dev/null
+++ b/gnu/packages/patches/gemma-intel-compat.patch
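Review bot: The two added cleanup commands format `test->directory` into a shell string without quoting and pass it to `system()`, so a temporary path containing whitespace or shell metacharacters would make `rm -rf` operate on something other than the test directory. The existing `rm -f %s/*` line has the same shape, so this matches the file's convention, but the recursive delete raises the cost of a wrong path. Quoting the directory keeps the glob working: `gchar *q = g_shell_quote (test->directory); cmd = g_strdup_printf ("rm -rf %s/*.d", q);`. The patch header should also say what the change fixes (per the file name, the collection tests under gpg 2.1) rather than only that it comes from Debian. The teardown function begins and ends outside the hunk.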
@@ -0,0 +1,44 @@ +From da1ed24209121f7b0f03f360b1029d7125a38e70 Mon Sep 17 00:00:00 2001 +From: Efraim Flashner <efraim@flashner.co.il> +Date: Tue, 4 Jul 2017 12:44:53 +0300 +Subject: [PATCH] Add NO_INTEL_COMPAT flag to Makefile. + +see also: https://github.com/xiangzhou/GEMMA/pull/47 + +--- + Makefile | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/Makefile b/Makefile +index 5bb8748..712b1ad 100644 +--- a/Makefile ++++ b/Makefile +@@ -11,6 +11,7 @@ + SYS = LNX + # Leave blank after "=" to disable; put "= 1" to enable + WITH_LAPACK = 1 ++NO_INTEL_COMPAT = + FORCE_32BIT = + FORCE_DYNAMIC = + DIST_NAME = gemma-0.96 +@@ -64,10 +65,13 @@ endif + HDR += $(SRC_DIR)/lapack.h + endif + +-ifdef FORCE_32BIT +- CPPFLAGS += -m32 +-else +- CPPFLAGS += -m64 ++ifdef NO_INTEL_COMPAT ++ else ++ ifdef FORCE_32BIT ++ CPPFLAGS += -m32 ++ else ++ CPPFLAGS += -m64 ++ endif + endif + + ifdef FORCE_DYNAMIC +-- +2.13.2 + diff --git a/gnu/packages/patches/guile-rsvg-pkgconfig.patch b/gnu/packages/patches/guile-rsvg-pkgconfig.patch index 2272b4e1cd..51483a3472 100644 --- a/gnu/packages/patches/guile-rsvg-pkgconfig.patch +++ b/gnu/packages/patches/guile-rsvg-pkgconfig.patch @@ -9,7 +9,7 @@ and LDFLAGS for Guile would not be captured. +dnl The above macro fails to set the 'GUILE_CFLAGS' and 'GUILE_LIBS' +dnl substitution variables, hence this line. -+PKG_CHECK_MODULES(GUILE, guile-2.0) ++PKG_CHECK_MODULES(GUILE, guile-$GUILE_EFFECTIVE_VERSION) + PKG_CHECK_MODULES(GUILE_CAIRO, guile-cairo >= 1.4.0) AC_SUBST(GUILE_CAIRO_LIBS) diff --git a/gnu/packages/patches/libtiff-CVE-2016-10688.patch b/gnu/packages/patches/libtiff-CVE-2016-10688.patch new file mode 100644 index 0000000000..1630274c61 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2016-10688.patch 
@@ -0,0 +1,92 @@ +Fix CVE-2017-10688: + +http://bugzilla.maptools.org/show_bug.cgi?id=2712 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10688 +https://security-tracker.debian.org/tracker/CVE-2017-10688 + +Patch lifted from upstream source repository (the changes to 'ChangeLog' +don't apply to the libtiff 4.0.8 release tarball). + +3rd party Git reference: + +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1 + +2017-06-30 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() + functions associated with LONG8/SLONG8 data type, replace assertion +that + the file is BigTIFF, by a non-fatal error. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 + Reported by team OWL337 + + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1259; previous revision: 1.1258 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v <-- +libtiff/tif_dirwrite.c +new revision: 1.86; previous revision: 1.85 + +Index: libtiff/libtiff/tif_dirwrite.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v +retrieving revision 1.85 +retrieving revision 1.86 +diff -u -r1.85 -r1.86 +--- libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 16:09:02 -0000 1.85 ++++ libtiff/libtiff/tif_dirwrite.c 30 Jun 2017 17:29:44 -0000 1.86 +@@ -1,4 +1,4 @@ +-/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */ ++/* $Id: tif_dirwrite.c,v 1.86 2017-06-30 17:29:44 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -2111,7 +2111,10 @@ + { + uint64 m; + assert(sizeof(uint64)==8); +- assert(tif->tif_flags&TIFF_BIGTIFF); ++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { ++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); ++ return(0); ++ } + m=value; + if (tif->tif_flags&TIFF_SWAB) + TIFFSwabLong8(&m); +@@ -2124,7 +2127,10 @@ + { + 
assert(count<0x20000000); + assert(sizeof(uint64)==8); +- assert(tif->tif_flags&TIFF_BIGTIFF); ++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { ++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF"); ++ return(0); ++ } + if (tif->tif_flags&TIFF_SWAB) + TIFFSwabArrayOfLong8(value,count); + return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); +@@ -2136,7 +2142,10 @@ + { + int64 m; + assert(sizeof(int64)==8); +- assert(tif->tif_flags&TIFF_BIGTIFF); ++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { ++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); ++ return(0); ++ } + m=value; + if (tif->tif_flags&TIFF_SWAB) + TIFFSwabLong8((uint64*)(&m)); +@@ -2149,7 +2158,10 @@ + { + assert(count<0x20000000); + assert(sizeof(int64)==8); +- assert(tif->tif_flags&TIFF_BIGTIFF); ++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { ++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF"); ++ return(0); ++ } + if (tif->tif_flags&TIFF_SWAB) + TIFFSwabArrayOfLong8((uint64*)value,count); + return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value)); diff --git a/gnu/packages/patches/libtiff-CVE-2017-9936.patch b/gnu/packages/patches/libtiff-CVE-2017-9936.patch new file mode 100644 index 0000000000..fbdbcd0f0b --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-9936.patch 
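Review bot: The new file is named `libtiff-CVE-2016-10688.patch`, but its first line and both tracker URLs identify the issue as CVE-2017-10688. Anyone searching the tree for the real CVE id by file name will conclude the fix is missing. Rename the file to `libtiff-CVE-2017-10688.patch` and update whichever package definition and patch list reference it (those are not visible in this diff). A smaller point in the same patch: the two SLONG8 branches report their error under the module string `"TIFFWriteDirectoryTagCheckedLong8"`, which will mislead anyone reading the log, although that text comes from upstream and is probably best left as shipped.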
@@ -0,0 +1,47 @@ +Fix CVE-2017-9936: + +http://bugzilla.maptools.org/show_bug.cgi?id=2706 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9936 +https://security-tracker.debian.org/tracker/CVE-2017-9936 + +Patch lifted from upstream source repository (the changes to 'ChangeLog' +don't apply to the libtiff 4.0.8 release tarball). + +3rd party Git reference: + +https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a + +2017-06-26 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_jbig.c: fix memory leak in error code path of +JBIGDecode() + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 + Reported by team OWL337 + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1254; previous revision: 1.1253 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_jbig.c,v <-- libtiff/tif_jbig.c +new revision: 1.16; previous revision: 1.15 + +Index: libtiff/libtiff/tif_jbig.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_jbig.c,v +retrieving revision 1.15 +retrieving revision 1.16 +diff -u -r1.15 -r1.16 +--- libtiff/libtiff/tif_jbig.c 10 Mar 2010 18:56:48 -0000 1.15 ++++ libtiff/libtiff/tif_jbig.c 26 Jun 2017 15:20:00 -0000 1.16 +@@ -1,4 +1,4 @@ +-/* $Id: tif_jbig.c,v 1.15 2010-03-10 18:56:48 bfriesen Exp $ */ ++/* $Id: tif_jbig.c,v 1.16 2017-06-26 15:20:00 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -94,6 +94,7 @@ + jbg_strerror(decodeStatus) + #endif + ); ++ jbg_dec_free(&decoder); + return 0; + } + diff --git a/gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch b/gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch new file mode 100644 index 0000000000..060740d953 --- /dev/null +++ b/gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch 
@@ -0,0 +1,57 @@ +Fix an integer overflow TIFFYCbCrtoRGB(): + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844 + +3rd party Git reference: + +https://github.com/vadz/libtiff/commit/02669064e927074819ce1ed39aba0fccaa167717 + +2017-05-29 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid + int32 overflow in TIFFYCbCrtoRGB(). + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844 + Credit to OSS Fuzz + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1241; previous revision: 1.1240 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_color.c,v <-- libtiff/tif_color.c +new revision: 1.24; previous revision: 1.23 + +Index: libtiff/libtiff/tif_color.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_color.c,v +retrieving revision 1.23 +retrieving revision 1.24 +diff -u -r1.23 -r1.24 +--- libtiff/libtiff/tif_color.c 13 May 2017 18:17:34 -0000 1.23 ++++ libtiff/libtiff/tif_color.c 29 May 2017 10:12:54 -0000 1.24 +@@ -1,4 +1,4 @@ +-/* $Id: tif_color.c,v 1.23 2017-05-13 18:17:34 erouault Exp $ */ ++/* $Id: tif_color.c,v 1.24 2017-05-29 10:12:54 erouault Exp $ */ + + /* + * Copyright (c) 1988-1997 Sam Leffler +@@ -275,10 +275,10 @@ + for (i = 0, x = -128; i < 256; i++, x++) { + int32 Cr = (int32)CLAMPw(Code2V(x, refBlackWhite[4] - 128.0F, + refBlackWhite[5] - 128.0F, 127), +- -128.0F * 64, 128.0F * 64); ++ -128.0F * 32, 128.0F * 32); + int32 Cb = (int32)CLAMPw(Code2V(x, refBlackWhite[2] - 128.0F, + refBlackWhite[3] - 128.0F, 127), +- -128.0F * 64, 128.0F * 64); ++ -128.0F * 32, 128.0F * 32); + + ycbcr->Cr_r_tab[i] = (int32)((D1*Cr + ONE_HALF)>>SHIFT); + ycbcr->Cb_b_tab[i] = (int32)((D3*Cb + ONE_HALF)>>SHIFT); +@@ -286,7 +286,7 @@ + ycbcr->Cb_g_tab[i] = D4*Cb + ONE_HALF; + ycbcr->Y_tab[i] = + (int32)CLAMPw(Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255), +- -128.0F * 64, 128.0F * 64); ++ 
-128.0F * 32, 128.0F * 32); + } + } + diff --git a/gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch b/gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch new file mode 100644 index 0000000000..a990641a49 --- /dev/null +++ b/gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch @@ -0,0 +1,43 @@ +Fix an integer overflow in initYCbCrConversion(): + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907 + +3rd party Git reference + +https://github.com/vadz/libtiff/commit/468988860e0dae62ebbf991627c74bcbb4bd256f + + * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for + refBlackWhite coefficients values. To avoid invalid float->int32 conversion + (when refBlackWhite[0] == 2147483648.f) + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907 + Credit to OSS Fuzz + + +/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog +new revision: 1.1243; previous revision: 1.1242 +/cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v <-- libtiff/tif_getimage.c +new revision: 1.107; previous revision: 1.106 + +Index: libtiff/libtiff/tif_getimage.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v +retrieving revision 1.106 +retrieving revision 1.107 +diff -u -r1.106 -r1.107 +--- libtiff/libtiff/tif_getimage.c 20 May 2017 11:29:02 -0000 1.106 ++++ libtiff/libtiff/tif_getimage.c 29 May 2017 11:29:06 -0000 1.107 +@@ -1,4 +1,4 @@ +-/* $Id: tif_getimage.c,v 1.106 2017-05-20 11:29:02 erouault Exp $ */ ++/* $Id: tif_getimage.c,v 1.107 2017-05-29 11:29:06 erouault Exp $ */ + + /* + * Copyright (c) 1991-1997 Sam Leffler +@@ -2241,7 +2241,7 @@ + + static int isInRefBlackWhiteRange(float f) + { +- return f >= (float)(-0x7FFFFFFF + 128) && f <= (float)0x7FFFFFFF; ++ return f > (float)(-0x7FFFFFFF + 128) && f < (float)0x7FFFFFFF; + } + + static int 
diff --git a/gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch b/gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch new file mode 100644 index 0000000000..1f1b26801d --- /dev/null +++ b/gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch 
@@ -0,0 +1,200 @@ +Fix CVE-2017-10684 and CVE-2017-10685: + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685 + +Bug reports included proof of concept reproducer inputs: + +https://bugzilla.redhat.com/show_bug.cgi?id=1464684 +https://bugzilla.redhat.com/show_bug.cgi?id=1464685 +https://bugzilla.redhat.com/show_bug.cgi?id=1464686 +https://bugzilla.redhat.com/show_bug.cgi?id=1464687 +https://bugzilla.redhat.com/show_bug.cgi?id=1464688 +https://bugzilla.redhat.com/show_bug.cgi?id=1464691 +https://bugzilla.redhat.com/show_bug.cgi?id=1464692 + +Patches copied from ncurses patch release 20170701: + +ftp://invisible-island.net/ncurses/6.0/ncurses-6.0-20170701.patch.gz + +Excerpt from patch release announcement: + + + add/improve checks in tic's parser to address invalid input + (Redhat #1464684, #1464685, #1464686, #1464691). + + alloc_entry.c, add a check for a null-pointer. + + parse_entry.c, add several checks for valid pointers as well as + one check to ensure that a single character on a line is not + treated as the 2-character termcap short-name. + + the fixes for Redhat #1464685 obscured a problem subsequently + reported in Redhat #1464687; the given test-case was no longer + reproducible. Testing without the fixes for the earlier reports + showed a problem with buffer overflow in dump_entry.c, which is + addressed by reducing the use of a fixed-size buffer. 
+ +https://lists.gnu.org/archive/html/bug-ncurses/2017-07/msg00001.html + +--- ncurses-6.0-20170624+/ncurses/tinfo/alloc_entry.c 2017-04-09 23:33:51.000000000 +0000 ++++ ncurses-6.0-20170701/ncurses/tinfo/alloc_entry.c 2017-06-27 23:48:55.000000000 +0000 +@@ -96,7 +96,11 @@ + { + char *result = 0; + size_t old_next_free = next_free; +- size_t len = strlen(string) + 1; ++ size_t len; ++ ++ if (string == 0) ++ return _nc_save_str(""); ++ len = strlen(string) + 1; + + if (len == 1 && next_free != 0) { + /* +--- ncurses-6.0-20170624+/ncurses/tinfo/parse_entry.c 2017-06-24 22:59:46.000000000 +0000 ++++ ncurses-6.0-20170701/ncurses/tinfo/parse_entry.c 2017-06-28 00:53:12.000000000 +0000 +@@ -236,13 +236,14 @@ + * implemented it. Note that the resulting terminal type was never the + * 2-character name, but was instead the first alias after that. + */ ++#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|') + ptr = _nc_curr_token.tk_name; + if (_nc_syntax == SYN_TERMCAP + #if NCURSES_XNAMES + && !_nc_user_definable + #endif + ) { +- if (ptr[2] == '|') { ++ if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && (ptr[2] == '|')) { + ptr += 3; + _nc_curr_token.tk_name[2] = '\0'; + } +@@ -284,9 +285,11 @@ + if (is_use || is_tc) { + entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring); + entryp->uses[entryp->nuses].line = _nc_curr_line; +- entryp->nuses++; +- if (entryp->nuses > 1 && is_tc) { +- BAD_TC_USAGE ++ if (VALID_STRING(entryp->uses[entryp->nuses].name)) { ++ entryp->nuses++; ++ if (entryp->nuses > 1 && is_tc) { ++ BAD_TC_USAGE ++ } + } + } else { + /* normal token lookup */ +@@ -588,7 +591,7 @@ + static void + append_acs(string_desc * dst, int code, char *src) + { +- if (src != 0 && strlen(src) == 1) { ++ if (VALID_STRING(src) && strlen(src) == 1) { + append_acs0(dst, code, *src); + } + } +@@ -849,15 +852,14 @@ + } + + if (tp->Strings[to_ptr->nte_index]) { ++ const char *s = tp->Strings[from_ptr->nte_index]; ++ const char *t = tp->Strings[to_ptr->nte_index]; + /* 
There's no point in warning about it if it's the same + * string; that's just an inefficiency. + */ +- if (strcmp( +- tp->Strings[from_ptr->nte_index], +- tp->Strings[to_ptr->nte_index]) != 0) ++ if (VALID_STRING(s) && VALID_STRING(t) && strcmp(s, t) != 0) + _nc_warning("%s (%s) already has an explicit value %s, ignoring ko", +- ap->to, ap->from, +- _nc_visbuf(tp->Strings[to_ptr->nte_index])); ++ ap->to, ap->from, t); + continue; + } + +--- ncurses-6.0-20170624+/progs/dump_entry.c 2017-06-23 22:47:43.000000000 +0000 ++++ ncurses-6.0-20170701/progs/dump_entry.c 2017-07-01 11:27:29.000000000 +0000 +@@ -841,9 +841,10 @@ + PredIdx num_strings = 0; + bool outcount = 0; + +-#define WRAP_CONCAT \ +- wrap_concat(buffer); \ +- outcount = TRUE ++#define WRAP_CONCAT1(s) wrap_concat(s); outcount = TRUE ++#define WRAP_CONCAT2(a,b) wrap_concat(a); WRAP_CONCAT1(b) ++#define WRAP_CONCAT3(a,b,c) wrap_concat(a); WRAP_CONCAT2(b,c) ++#define WRAP_CONCAT WRAP_CONCAT1(buffer) + + len = 12; /* terminfo file-header */ + +@@ -1007,9 +1008,9 @@ + set_attributes = save_sgr; + + trimmed_sgr0 = _nc_trim_sgr0(tterm); +- if (strcmp(capability, trimmed_sgr0)) ++ if (strcmp(capability, trimmed_sgr0)) { + capability = trimmed_sgr0; +- else { ++ } else { + if (trimmed_sgr0 != exit_attribute_mode) + free(trimmed_sgr0); + } +@@ -1046,13 +1047,21 @@ + _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer)) + "%s=!!! 
%s WILL NOT CONVERT !!!", + name, srccap); ++ WRAP_CONCAT; + } else if (suppress_untranslatable) { + continue; + } else { + char *s = srccap, *d = buffer; +- _nc_SPRINTF(d, _nc_SLIMIT(sizeof(buffer)) "..%s=", name); +- d += strlen(d); ++ WRAP_CONCAT3("..", name, "="); + while ((*d = *s++) != 0) { ++ if ((d - buffer - 1) >= (int) sizeof(buffer)) { ++ fprintf(stderr, ++ "%s: value for %s is too long\n", ++ _nc_progname, ++ name); ++ *d = '\0'; ++ break; ++ } + if (*d == ':') { + *d++ = '\\'; + *d = ':'; +@@ -1061,13 +1070,12 @@ + } + d++; + } ++ WRAP_CONCAT; + } + } else { +- _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer)) +- "%s=%s", name, cv); ++ WRAP_CONCAT3(name, "=", cv); + } + len += (int) strlen(capability) + 1; +- WRAP_CONCAT; + } else { + char *src = _nc_tic_expand(capability, + outform == F_TERMINFO, numbers); +@@ -1083,8 +1091,7 @@ + strcpy_DYN(&tmpbuf, src); + } + len += (int) strlen(capability) + 1; +- wrap_concat(tmpbuf.text); +- outcount = TRUE; ++ WRAP_CONCAT1(tmpbuf.text); + } + } + /* e.g., trimmed_sgr0 */ +@@ -1526,7 +1533,8 @@ + } + if (len > critlen) { + (void) fprintf(stderr, +- "warning: %s entry is %d bytes long\n", ++ "%s: %s entry is %d bytes long\n", ++ _nc_progname, + _nc_first_name(tterm->term_names), + len); + SHOW_WHY("# WARNING: this entry, %d bytes long, may core-dump %s libraries!\n", diff --git a/gnu/packages/patches/python-pyopenssl-17.1.0-test-overflow.patch b/gnu/packages/patches/python-pyopenssl-17.1.0-test-overflow.patch new file mode 100644 index 0000000000..06b2f4fe03 --- /dev/null +++ b/gnu/packages/patches/python-pyopenssl-17.1.0-test-overflow.patch 
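Review bot: In the dump_entry.c part of this patch, the added length guard `if ((d - buffer - 1) >= (int) sizeof(buffer))` runs only after `*d = *s++` in the `while` condition has already stored a byte. It becomes true only once `d` is past `buffer + sizeof(buffer)`, and the branch then writes `*d = '\0'` at that same position. From the visible lines, the copy loop can therefore still write one or two bytes beyond `buffer` before stopping, and the `:` escape path advances `d` twice per input character. A guard that trips while `d` is still inside the array would be `if ((d - buffer) + 2 >= (int) sizeof(buffer)) {`. The declaration of `buffer` and the rest of the loop body are outside the hunk, so this should be confirmed against the full file and against later upstream ncurses patch releases before relying on the patch as a complete fix.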
@@ -0,0 +1,36 @@
+Resolves a test failure on 32-bit platforms.
+
+https://github.com/pyca/pyopenssl/issues/657
+
+Patch copied from upstream source repository:
+
+https://github.com/pyca/pyopenssl/commit/ecc0325479c0d5c5f2ca88b4550e87cdb59d6c95
+
+From ecc0325479c0d5c5f2ca88b4550e87cdb59d6c95 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Thu, 6 Jul 2017 22:14:44 -0400
+Subject: [PATCH] Fixed #657 -- handle OverflowErrors on large allocation
+ requests
+
+---
+ tests/test_rand.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/test_rand.py b/tests/test_rand.py
+index bdd3af08..6adf72a1 100644
+--- a/tests/test_rand.py
++++ b/tests/test_rand.py
+@@ -32,10 +32,10 @@ def test_bytes_wrong_args(self, args):
+
+ def test_insufficient_memory(self):
+ """
+- `OpenSSL.rand.bytes` raises `MemoryError` if more bytes are requested
+- than will fit in memory.
++ `OpenSSL.rand.bytes` raises `MemoryError` or `OverflowError` if more
++ bytes are requested than will fit in memory.
+ """
+- with pytest.raises(MemoryError):
++ with pytest.raises((MemoryError, OverflowError)):
+ rand.bytes(sys.maxsize)
+
+ def test_bytes(self):
diff --git a/gnu/packages/patches/python-pyopenssl-skip-network-test.patch b/gnu/packages/patches/python-pyopenssl-skip-network-test.patch
deleted file mode 100644
index 1ac7324c8b..0000000000
--- a/gnu/packages/patches/python-pyopenssl-skip-network-test.patch
+++ /dev/null
@@ -1,43 +0,0 @@ -This test tries connecting to an external server which is not supported -in the build environment. See discussion at: - -https://lists.gnu.org/archive/html/guix-devel/2016-12/msg00650.html - -diff --git a/tests/test_ssl.py b/tests/test_ssl.py -index ee849fd..60048b8 100644 ---- a/tests/test_ssl.py -+++ b/tests/test_ssl.py -@@ -1113,33 +1113,6 @@ class TestContext(object): - reason="set_default_verify_paths appears not to work on Windows. " - "See LP#404343 and LP#404344." - ) -- def test_set_default_verify_paths(self): -- """ -- `Context.set_default_verify_paths` causes the platform-specific CA -- certificate locations to be used for verification purposes. -- """ -- # Testing this requires a server with a certificate signed by one -- # of the CAs in the platform CA location. Getting one of those -- # costs money. Fortunately (or unfortunately, depending on your -- # perspective), it's easy to think of a public server on the -- # internet which has such a certificate. Connecting to the network -- # in a unit test is bad, but it's the only way I can think of to -- # really test this. -exarkun -- -- # Arg, verisign.com doesn't speak anything newer than TLS 1.0 -- context = Context(SSLv23_METHOD) -- context.set_default_verify_paths() -- context.set_verify( -- VERIFY_PEER, -- lambda conn, cert, errno, depth, preverify_ok: preverify_ok) -- -- client = socket() -- client.connect(("encrypted.google.com", 443)) -- clientSSL = Connection(context, client) -- clientSSL.set_connect_state() -- clientSSL.do_handshake() -- clientSSL.send(b"GET / HTTP/1.0\r\n\r\n") -- assert clientSSL.recv(1024) - - def test_add_extra_chain_cert_invalid_cert(self): - """ diff --git a/gnu/packages/patches/xorg-server-CVE-2017-10971.patch b/gnu/packages/patches/xorg-server-CVE-2017-10971.patch new file mode 100644 index 0000000000..2696033e58 --- /dev/null +++ b/gnu/packages/patches/xorg-server-CVE-2017-10971.patch 
@@ -0,0 +1,153 @@
+From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:40 +0300
+Subject: dix: Disallow GenericEvent in SendEvent request.
+
+The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
+no less. Both ProcSendEvent and SProcSendEvent verify that the received data
+exactly match the request size. However nothing stops the client from passing
+in event with xEvent::type = GenericEvent and any value of
+xGenericEvent::length.
+
+In the case of ProcSendEvent, the event will be eventually passed to
+WriteEventsToClient which will see that it is Generic event and copy the
+arbitrary length from the receive buffer (and possibly past it) and send it to
+the other client. This allows clients to copy unitialized heap memory out of X
+server or to crash it.
+
+In case of SProcSendEvent, it will attempt to swap the incoming event by
+calling a swapping function from the EventSwapVector array. The swapped event
+is written to target buffer, which in this case is local xEvent variable. The
+xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
+expect that the target buffer has size matching the size of the source
+GenericEvent. This allows clients to cause stack buffer overflows.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/dix/events.c b/dix/events.c
+index 3e3a01e..d3a33ea 100644
+--- a/dix/events.c
++++ b/dix/events.c
+@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
+ client->errorValue = stuff->event.u.u.type;
+ return BadValue;
+ }
++ /* Generic events can have variable size, but SendEvent request holds
++ exactly 32B of event data.
*/
++ if (stuff->event.u.u.type == GenericEvent) {
++ client->errorValue = stuff->event.u.u.type;
++ return BadValue;
++ }
+ if (stuff->event.u.u.type == ClientMessage &&
+ stuff->event.u.u.detail != 8 &&
+ stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
+diff --git a/dix/swapreq.c b/dix/swapreq.c
+index 719e9b8..6785059 100644
+--- a/dix/swapreq.c
++++ b/dix/swapreq.c
+@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
+ swapl(&stuff->destination);
+ swapl(&stuff->eventMask);
+
++ /* Generic events can have variable size, but SendEvent request holds
++ exactly 32B of event data. */
++ if (stuff->event.u.u.type == GenericEvent) {
++ client->errorValue = stuff->event.u.u.type;
++ return BadValue;
++ }
++
+ /* Swap event */
+ proc = EventSwapVector[stuff->event.u.u.type & 0177];
+ if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */
+--
+cgit v0.10.2
+
+From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:41 +0300
+Subject: Xi: Verify all events in ProcXSendExtensionEvent.
+
+The requirement is that events have type in range
+EXTENSION_EVENT_BASE..lastEvent, but it was tested
+only for first event of all.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 1cf118a..5e63bfc 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ int
+ ProcXSendExtensionEvent(ClientPtr client)
+ {
+- int ret;
++ int ret, i;
+ DeviceIntPtr dev;
+ xEvent *first;
+ XEventClass *list;
+@@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client)
+ /* The client's event type must be one defined by an extension.
*/
+
+ first = ((xEvent *) &stuff[1]);
+- if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
+- (first->u.u.type < lastEvent))) {
+- client->errorValue = first->u.u.type;
+- return BadValue;
++ for (i = 0; i < stuff->num_events; i++) {
++ if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
++ (first[i].u.u.type < lastEvent))) {
++ client->errorValue = first[i].u.u.type;
++ return BadValue;
++ }
+ }
+
+ list = (XEventClass *) (first + stuff->num_events);
+--
+cgit v0.10.2
+
+From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:42 +0300
+Subject: Xi: Do not try to swap GenericEvent.
+
+The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
+it is assuming that the event has fixed size and gives the swapping function
+xEvent-sized buffer.
+
+A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 5e63bfc..5c2e0fc 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
+
+ eventP = (xEvent *) &stuff[1];
+ for (i = 0; i < stuff->num_events; i++, eventP++) {
++ if (eventP->u.u.type == GenericEvent) {
++ client->errorValue = eventP->u.u.type;
++ return BadValue;
++ }
++
+ proc = EventSwapVector[eventP->u.u.type & 0177];
+- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
++ /* no swapping proc; invalid event type? */
++ if (proc == NotImplemented) {
++ client->errorValue = eventP->u.u.type;
+ return BadValue;
++ }
+ (*proc) (eventP, &eventT);
+ *eventP = eventT;
+ }
+--
+cgit v0.10.2
+
diff --git a/gnu/packages/patches/xorg-server-CVE-2017-10972.patch b/gnu/packages/patches/xorg-server-CVE-2017-10972.patch
new file mode 100644
index 0000000000..f24e9c0ae6
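Review bot: In the last hunk of this patch (SProcXSendExtensionEvent, Xi/sendexev.c) the rewritten guard tests only `proc == NotImplemented`, while the SProcSendEvent context line in dix/swapreq.c tests `!proc || proc == NotImplemented` on the same EventSwapVector lookup. Whether a vector slot can be NULL is not visible on this page, but if it can, `(*proc) (eventP, &eventT);` is reached through a null pointer for an event type the client chooses. Matching the other handler costs nothing: `if (!proc || proc == NotImplemented) {`. The start and end of SProcXSendExtensionEvent lie outside the hunk.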
--- /dev/null
+++ b/gnu/packages/patches/xorg-server-CVE-2017-10972.patch
@@ -0,0 +1,35 @@
+From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:39 +0300
+Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
+
+Make sure that the xEvent eventT is initialized with zeros, the same way as
+in SProcSendEvent.
+
+Some event swapping functions do not overwrite all 32 bytes of xEvent
+structure, for example XSecurityAuthorizationRevoked. Two cooperating
+clients, one swapped and the other not, can send
+XSecurityAuthorizationRevoked event to each other to retrieve old stack data
+from X server. This can be potentialy misused to go around ASLR or
+stack-protector.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 11d8202..1cf118a 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ {
+ CARD32 *p;
+ int i;
+- xEvent eventT;
++ xEvent eventT = { .u.u.type = 0 };
+ xEvent *eventP;
+ EventSwapPtr proc;
+
+--
+cgit v0.10.2
+
|
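Review bot: `xEvent eventT = { .u.u.type = 0 };` names a single member, so the zeroing this fix relies on is only as strong as the compiler's treatment of the rest of the object. The `.u.u` path suggests `u` is a union; if so, C guarantees initialisation of the named member only, and the remaining bytes of the 32-byte event (the ones the commit message says some swap functions never overwrite) may keep old stack contents under some compilers or optimisation settings. An explicit `memset(&eventT, 0, sizeof(eventT));` ahead of the swap loop states the intent and does not depend on that behaviour. The rest of SProcXSendExtensionEvent is outside the hunk.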