authorLudovic Courtès <ludo@gnu.org>2017-01-23 22:33:10 +0100
committerLudovic Courtès <ludo@gnu.org>2017-01-23 22:33:10 +0100
commit58ea4d407c2e4adbe51b2d7b71dc8bef095677c7 (patch)
tree0fd70c0cb82d7980a7ff82500dec7bfd0d535d3f /gnu/packages/patches
parentfcd75bdbfa99d14363b905afbf914eec20e69df8 (diff)
parent84b60a7cdfca1421a478894e279104a0c18a7c6d (diff)
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/cracklib-fix-buffer-overflow.patch39
-rw-r--r--gnu/packages/patches/duplicity-piped-password.patch20
-rw-r--r--gnu/packages/patches/duplicity-test_selection-tmp.patch18
-rw-r--r--gnu/packages/patches/lcms-fix-out-of-bounds-read.patch34
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-10092.patch42
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-10093.patch53
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-10094.patch34
-rw-r--r--gnu/packages/patches/libtiff-CVE-2017-5225.patch86
-rw-r--r--gnu/packages/patches/libtiff-assertion-failure.patch60
-rw-r--r--gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch63
-rw-r--r--gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch104
-rw-r--r--gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch57
-rw-r--r--gnu/packages/patches/libtiff-divide-by-zero.patch67
-rw-r--r--gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch131
-rw-r--r--gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch132
-rw-r--r--gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch67
-rw-r--r--gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch60
-rw-r--r--gnu/packages/patches/libtiff-invalid-read.patch64
-rw-r--r--gnu/packages/patches/libtiff-null-dereference.patch42
-rw-r--r--gnu/packages/patches/libtiff-tiffcp-underflow.patch41
-rw-r--r--gnu/packages/patches/libxt-guix-search-paths.patch126
-rw-r--r--gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch188
-rw-r--r--gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch36
-rw-r--r--gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch69
-rw-r--r--gnu/packages/patches/qemu-CVE-2016-10155.patch49
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5525.patch55
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5526.patch58
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5552.patch44
-rw-r--r--gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch17
-rw-r--r--gnu/packages/patches/tipp10-fix-compiling.patch213
-rw-r--r--gnu/packages/patches/tipp10-remove-license-code.patch332
-rw-r--r--gnu/packages/patches/totem-debug-format-fix.patch11
-rw-r--r--gnu/packages/patches/upower-builddir.patch2
-rw-r--r--gnu/packages/patches/xf86-video-glint-remove-mibstore.patch24
-rw-r--r--gnu/packages/patches/xf86-video-nv-remove-mibstore.patch72
35 files changed, 2347 insertions, 163 deletions
diff --git a/gnu/packages/patches/cracklib-fix-buffer-overflow.patch b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch
new file mode 100644
index 0000000000..b1c990f282
--- /dev/null
+++ b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch
@@ -0,0 +1,39 @@
+Fix buffer overflow processing long words in Mangle().
+
+Patch adpated from upstream commit, omitting changes to 'NEWS':
+
+https://github.com/cracklib/cracklib/commit/33d7fa4585247cd2247a1ffa032ad245836c6edb
+
+From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001
+From: Jan Dittberner <jan@dittberner.info>
+Date: Thu, 25 Aug 2016 17:17:53 +0200
+Subject: [PATCH] Fix a buffer overflow processing long words
+
+A buffer overflow processing long words has been discovered. This commit
+applies the patch from
+https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch
+by Howard Guo.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and
+http://www.openwall.com/lists/oss-security/2016/08/23/8
+---
+ src/NEWS | 1 +
+ src/lib/rules.c | 5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/rules.c b/src/lib/rules.c
+index d193cc0..3a2aa46 100644
+--- a/lib/rules.c
++++ b/lib/rules.c
+@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a pointer to a controlled Mangle */
+ {
+ int limit;
+ register char *ptr;
+- static char area[STRINGSIZE];
+- char area2[STRINGSIZE];
+- area[0] = '\0';
++ static char area[STRINGSIZE * 2] = {0};
++ char area2[STRINGSIZE * 2] = {0};
+ strcpy(area, input);
+
+ for (ptr = control; *ptr; ptr++)
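Review bot: `strcpy(area, input);` is still an unbounded copy after this change, because doubling `area` and `area2` to `STRINGSIZE * 2` only moves the limit; an `input` of `STRINGSIZE * 2` bytes or more would still overrun `area`. Unless every caller is known to cap the word length (not visible in this hunk), Mangle() should check the length before copying, for example `if (strlen(input) >= sizeof(area)) return NULL;` ahead of the `strcpy`, or whatever error return Mangle() already uses. The `= {0}` initializer on the `static` buffer runs once rather than per call, so it does not replace the removed `area[0] = '\0';` reset, although the `strcpy` overwrites the start of the buffer anyway. The body of Mangle() continues past the end of the hunk.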
diff --git a/gnu/packages/patches/duplicity-piped-password.patch b/gnu/packages/patches/duplicity-piped-password.patch
deleted file mode 100644
index db50f5df32..0000000000
--- a/gnu/packages/patches/duplicity-piped-password.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-This test, on three occasions, is failing with the error:
-
- EOF: End Of File (EOF) in read_nonblocking(). Braindead platform.
-
---- duplicity-0.6.24/testing/functional/test_final.py 2014-09-28 13:14:52.146001614 -0500
-+++ duplicity-0.6.24/testing/functional/test_final.py 2014-09-28 13:13:20.333546342 -0500
-@@ -156,13 +156,6 @@
- self.run_duplicity(options=["remove-older-than", "50000", "--force", self.backend_url])
- self.assertEqual(self.get_backend_files(), second_chain)
-
-- def test_piped_password(self):
-- """Make sure that prompting for a password works"""
-- self.set_environ("PASSPHRASE", None)
-- self.backup("full", "testfiles/empty_dir",
-- passphrase_input=[self.sign_passphrase, self.sign_passphrase])
-- self.restore(passphrase_input=[self.sign_passphrase])
--
-
- class OldFilenamesFinalTest(FinalTest):
-
diff --git a/gnu/packages/patches/duplicity-test_selection-tmp.patch b/gnu/packages/patches/duplicity-test_selection-tmp.patch
deleted file mode 100644
index 8f66be4dcc..0000000000
--- a/gnu/packages/patches/duplicity-test_selection-tmp.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Reported upstream at https://bugs.launchpad.net/duplicity/+bug/1375019
-
---- duplicity-0.6.24/testing/unit/test_selection.py 2014-05-09 08:27:40.000000000 -0500
-+++ duplicity-0.6.24/testing/unit/test_selection.py 2014-09-28 12:28:53.932324380 -0500
-@@ -431,10 +431,10 @@
- [(), ('1',), ('1', '1'), ('1', '2'), ('1', '3')])
-
- self.root = Path("/")
-- self.ParseTest([("--exclude", "/home/*"),
-- ("--include", "/home"),
-+ self.ParseTest([("--exclude", "/tmp/*"),
-+ ("--include", "/tmp"),
- ("--exclude", "/")],
-- [(), ("home",)])
-+ [(), ("tmp",)])
-
- if __name__ == "__main__":
- unittest.main()
diff --git a/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch b/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch
new file mode 100644
index 0000000000..d9f7ac6a36
--- /dev/null
+++ b/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch
@@ -0,0 +1,34 @@
+Fix an out-of-bounds heap read in Type_MLU_Read():
+
+http://seclists.org/oss-sec/2016/q3/288
+https://bugzilla.redhat.com/show_bug.cgi?id=1367357
+
+Patch copied from upstream source repository:
+
+https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2
+
+From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001
+From: Marti <marti.maria@tktbrainpower.com>
+Date: Mon, 15 Aug 2016 23:31:39 +0200
+Subject: [PATCH] Added an extra check to MLU bounds
+
+Thanks to Ibrahim el-sayed for spotting the bug
+---
+ src/cmstypes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cmstypes.c b/src/cmstypes.c
+index cb61860..c7328b9 100644
+--- a/src/cmstypes.c
++++ b/src/cmstypes.c
+@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
+
+ // Check for overflow
+ if (Offset < (SizeOfHeader + 8)) goto Error;
++ if ((Offset + Len) > SizeOfTag + 8) goto Error;
+
+ // True begin of the string
+ BeginOfThisString = Offset - SizeOfHeader - 8;
+--
+2.11.0
+
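Review bot: The added bound `(Offset + Len) > SizeOfTag + 8` relies on an addition that can wrap if `Offset` and `Len` are 32-bit unsigned values taken from the profile data (their declarations are outside the hunk), in which case a very large `Len` would pass the check. Writing the test without the sum avoids that: `if (Offset > SizeOfTag + 8 || Len > SizeOfTag + 8 - Offset) goto Error;`. The existing `// Check for overflow` comment could also say that both values are read from the tag and are untrusted. Type_MLU_Read() starts and ends outside the hunk.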
diff --git a/gnu/packages/patches/libtiff-CVE-2016-10092.patch b/gnu/packages/patches/libtiff-CVE-2016-10092.patch
new file mode 100644
index 0000000000..d5fd796169
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2016-10092.patch
@@ -0,0 +1,42 @@
+Fix CVE-2016-10092:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2620
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10092
+https://security-tracker.debian.org/tracker/CVE-2016-10092
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore)
+ mode so that the output buffer is correctly incremented to avoid write
+ outside bounds.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1178; previous revision: 1.1177
+/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c
+new revision: 1.47; previous revision: 1.46
+
+Index: libtiff/tools/tiffcrop.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
+retrieving revision 1.46
+retrieving revision 1.47
+diff -u -r1.46 -r1.47
+--- libtiff/tools/tiffcrop.c 18 Nov 2016 14:58:46 -0000 1.46
++++ libtiff/tools/tiffcrop.c 3 Dec 2016 11:35:56 -0000 1.47
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcrop.c,v 1.46 2016-11-18 14:58:46 erouault Exp $ */
++/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */
+
+ /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
+ * the image data through additional options listed below
+@@ -3698,7 +3698,7 @@
+ (unsigned long) strip, (unsigned long)rows);
+ return 0;
+ }
+- bufp += bytes_read;
++ bufp += stripsize;
+ }
+
+ return 1;
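Review bot: The first inner hunk rewrites the CVS `$Id` keyword line from revision 1.46 to 1.47, which ties this patch to one exact upstream revision and presumably makes it order-dependent on every other patch that touches tools/tiffcrop.c. The same kind of keyword hunk appears in libtiff-divide-by-zero-ojpeg.patch, libtiff-divide-by-zero-tiffcp.patch, libtiff-divide-by-zero-tiffcrop.patch and libtiff-divide-by-zero.patch in this commit. Dropping those hunks and keeping only the functional change (here `bufp += stripsize;`) would let each fix apply and be reverted independently. The function around the `bufp` change starts outside the hunk.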
diff --git a/gnu/packages/patches/libtiff-CVE-2016-10093.patch b/gnu/packages/patches/libtiff-CVE-2016-10093.patch
new file mode 100644
index 0000000000..5897ec1029
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2016-10093.patch
@@ -0,0 +1,53 @@
+Fix CVE-2016-10093:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2610
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10093
+https://security-tracker.debian.org/tracker/CVE-2016-10093
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: fix uint32 underflow/overflow that can cause
+ heap-based buffer overflow.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1187; previous revision: 1.1186
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
+new revision: 1.59; previous revision: 1.58
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.58
+retrieving revision 1.59
+diff -u -r1.58 -r1.59
+--- libtiff/tools/tiffcp.c 3 Dec 2016 15:44:15 -0000 1.58
++++ libtiff/tools/tiffcp.c 3 Dec 2016 16:40:01 -0000 1.59
+@@ -1163,7 +1163,7 @@
+
+ static void
+ cpStripToTile(uint8* out, uint8* in,
+- uint32 rows, uint32 cols, int outskew, int inskew)
++ uint32 rows, uint32 cols, int outskew, int64 inskew)
+ {
+ while (rows-- > 0) {
+ uint32 j = cols;
+@@ -1320,7 +1320,7 @@
+ tdata_t tilebuf;
+ uint32 imagew = TIFFScanlineSize(in);
+ uint32 tilew = TIFFTileRowSize(in);
+- int iskew = imagew - tilew;
++ int64 iskew = (int64)imagew - (int64)tilew;
+ uint8* bufp = (uint8*) buf;
+ uint32 tw, tl;
+ uint32 row;
+@@ -1348,7 +1348,7 @@
+ status = 0;
+ goto done;
+ }
+- if (colb + tilew > imagew) {
++ if (colb > iskew) {
+ uint32 width = imagew - colb;
+ uint32 oskew = tilew - width;
+ cpStripToTile(bufp + colb,
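Review bot: cpStripToTile() now takes `int64 inskew` but still `int outskew`, while the caller computes `uint32 oskew = tilew - width;`, so the two skew arguments are carried with different widths and signedness. The argument list of the call is cut off at the end of the hunk, but if `oskew` or a sum involving `iskew` is passed as `outskew`, the value is narrowed to `int` again. Consider widening it the same way, `uint32 rows, uint32 cols, int64 outskew, int64 inskew)`, and adding a comment on `if (colb > iskew)` such as `/* colb is promoted to int64; iskew is negative when tilew > imagew */` so the mixed-sign comparison is not later "simplified" back.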
diff --git a/gnu/packages/patches/libtiff-CVE-2016-10094.patch b/gnu/packages/patches/libtiff-CVE-2016-10094.patch
new file mode 100644
index 0000000000..9018773565
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2016-10094.patch
@@ -0,0 +1,34 @@
+Fix CVE-2016-10094:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2640
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10094
+https://security-tracker.debian.org/tracker/CVE-2016-10094
+
+2016-12-20 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2pdf.c: avoid potential heap-based overflow in
+ t2p_readwrite_pdf_image_tile().
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1199; previous revision: 1.1198
+/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c
+new revision: 1.101; previous revision: 1.100
+
+Index: libtiff/tools/tiff2pdf.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
+retrieving revision 1.100
+retrieving revision 1.101
+diff -u -r1.100 -r1.101
+--- libtiff/tools/tiff2pdf.c 20 Dec 2016 17:24:35 -0000 1.100
++++ libtiff/tools/tiff2pdf.c 20 Dec 2016 17:28:17 -0000 1.101
+@@ -2895,7 +2895,7 @@
+ return(0);
+ }
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+- if (count >= 4) {
++ if (count > 4) {
+ int retTIFFReadRawTile;
+ /* Ignore EOI marker of JpegTables */
+ _TIFFmemcpy(buffer, jpt, count - 2);
diff --git a/gnu/packages/patches/libtiff-CVE-2017-5225.patch b/gnu/packages/patches/libtiff-CVE-2017-5225.patch
new file mode 100644
index 0000000000..3158b49360
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-5225.patch
@@ -0,0 +1,86 @@
+Fix CVE-2017-5225 (Heap based buffer overflow in tools/tiffcp):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2656
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225
+https://security-tracker.debian.org/tracker/CVE-2017-5225
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
+ cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
+overflow.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
+ http://bugzilla.maptools.org/show_bug.cgi?id=2657
+
+
+less C/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1210; previous revision: 1.1209
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
+new revision: 1.61; previous revision: 1.60
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.60
+retrieving revision 1.61
+diff -u -r1.60 -r1.61
+--- libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60
++++ libtiff/tools/tiffcp.c 11 Jan 2017 19:26:14 -0000 1.61
+#@@ -1,4 +1,4 @@
+#-/* $Id: tiffcp.c,v 1.60 2016-12-03 16:50:02 erouault Exp $ */
+#+/* $Id: tiffcp.c,v 1.61 2017-01-11 19:26:14 erouault Exp $ */
+#
+# /*
+# * Copyright (c) 1988-1997 Sam Leffler
+@@ -591,7 +591,7 @@
+ static int
+ tiffcp(TIFF* in, TIFF* out)
+ {
+- uint16 bitspersample, samplesperpixel = 1;
++ uint16 bitspersample = 1, samplesperpixel = 1;
+ uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
+ copyFunc cf;
+ uint32 width, length;
+@@ -1067,6 +1067,16 @@
+ register uint32 n;
+ uint32 row;
+ tsample_t s;
++ uint16 bps = 0;
++
++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps != 8 )
++ {
++ TIFFError(TIFFFileName(in),
++ "Error, can only handle BitsPerSample=8 in %s",
++ "cpContig2SeparateByRow");
++ return 0;
++ }
+
+ inbuf = _TIFFmalloc(scanlinesizein);
+ outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1120,6 +1130,16 @@
+ register uint32 n;
+ uint32 row;
+ tsample_t s;
++ uint16 bps = 0;
++
++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps != 8 )
++ {
++ TIFFError(TIFFFileName(in),
++ "Error, can only handle BitsPerSample=8 in %s",
++ "cpSeparate2ContigByRow");
++ return 0;
++ }
+
+ inbuf = _TIFFmalloc(scanlinesizein);
+ outbuf = _TIFFmalloc(scanlinesizeout);
+@@ -1784,7 +1804,7 @@
+ uint32 w, l, tw, tl;
+ int bychunk;
+
+- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
++ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
+ if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
+ fprintf(stderr,
+ "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
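Review bot: The patch header carries paste residue: the line `less C/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog` has a stray `less C` prefix, and the `$Id` keyword hunk is left in the file but disabled by a `#` on each of its lines. Deleting the disabled hunk and fixing the ChangeLog line would make it clear that only the functional hunks are meant to apply. The two added `bps != 8` guards are identical apart from the function name, and neither says why other depths are rejected; a comment such as `/* the copy loop below presumably assumes one byte per sample */` above each guard would record the reason given in the ChangeLog entry.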
diff --git a/gnu/packages/patches/libtiff-assertion-failure.patch b/gnu/packages/patches/libtiff-assertion-failure.patch
new file mode 100644
index 0000000000..ef747fbdd7
--- /dev/null
+++ b/gnu/packages/patches/libtiff-assertion-failure.patch
@@ -0,0 +1,60 @@
+Fix assertion failure in readSeparateTilesIntoBuffer():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2605
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert
+check.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1188; previous revision: 1.1187
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
+new revision: 1.60; previous revision: 1.59
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.59
+retrieving revision 1.60
+diff -u -r1.59 -r1.60
+--- libtiff/tools/tiffcp.c 3 Dec 2016 16:40:01 -0000 1.59
++++ libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60
+@@ -45,7 +45,6 @@
+ #include <string.h>
+
+ #include <ctype.h>
+-#include <assert.h>
+
+ #ifdef HAVE_UNISTD_H
+ # include <unistd.h>
+@@ -1393,7 +1392,12 @@
+ status = 0;
+ goto done;
+ }
+- assert( bps % 8 == 0 );
++ if( (bps % 8) != 0 )
++ {
++ TIFFError(TIFFFileName(in), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++ status = 0;
++ goto done;
++ }
+ bytes_per_sample = bps/8;
+
+ for (row = 0; row < imagelength; row += tl) {
+@@ -1584,7 +1588,12 @@
+ _TIFFfree(obuf);
+ return 0;
+ }
+- assert( bps % 8 == 0 );
++ if( (bps % 8) != 0 )
++ {
++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++ _TIFFfree(obuf);
++ return 0;
++ }
+ bytes_per_sample = bps/8;
+
+ for (row = 0; row < imagelength; row += tl) {
diff --git a/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch b/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch
new file mode 100644
index 0000000000..2a96b68521
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch
@@ -0,0 +1,63 @@
+Fix divide-by-zero in OJPEGDecodeRaw():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2611
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure
+in
+ OJPEGPreDecode(). This will avoid a divide by zero, and potential other
+issues.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1177; previous revision: 1.1176
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c
+new revision: 1.66; previous revision: 1.65
+
+Index: libtiff/libtiff/tif_ojpeg.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
+retrieving revision 1.65
+retrieving revision 1.66
+diff -u -r1.65 -r1.66
+--- libtiff/libtiff/tif_ojpeg.c 4 Sep 2016 21:32:56 -0000 1.65
++++ libtiff/libtiff/tif_ojpeg.c 3 Dec 2016 11:15:18 -0000 1.66
+@@ -1,4 +1,4 @@
+-/* $Id: tif_ojpeg.c,v 1.65 2016-09-04 21:32:56 erouault Exp $ */
++/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */
+
+ /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0
+ specification is now totally obsolete and deprecated for new applications and
+@@ -244,6 +244,7 @@
+
+ typedef struct {
+ TIFF* tif;
++ int decoder_ok;
+ #ifndef LIBJPEG_ENCAP_EXTERNAL
+ JMP_BUF exit_jmpbuf;
+ #endif
+@@ -722,6 +723,7 @@
+ }
+ sp->write_curstrile++;
+ }
++ sp->decoder_ok = 1;
+ return(1);
+ }
+
+@@ -784,8 +786,14 @@
+ static int
+ OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
+ {
++ static const char module[]="OJPEGDecode";
+ OJPEGState* sp=(OJPEGState*)tif->tif_data;
+ (void)s;
++ if( !sp->decoder_ok )
++ {
++ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
++ return 0;
++ }
+ if (sp->libjpeg_jpeg_query_style==0)
+ {
+ if (OJPEGDecodeRaw(tif,buf,cc)==0)
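Review bot: `decoder_ok` is only ever set to 1 in the visible hunks (at the successful end of what the ChangeLog identifies as OJPEGPreDecode()) and is never cleared. Once one pre-decode has succeeded, a later failing pre-decode would leave the flag set and OJPEGDecode() would proceed as it did before the fix. The guard also depends on the state struct being zero-initialised at allocation, which is not shown here. Resetting the flag on entry to the pre-decode routine, `sp->decoder_ok = 0;`, would make the check hold for every strip or tile. Both function bodies extend beyond the hunks.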
diff --git a/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch b/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch
new file mode 100644
index 0000000000..d3f1c2b60e
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch
@@ -0,0 +1,104 @@
+Fix two divide-by-zero bugs in readSeparateTilesIntoBuffer():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2597
+http://bugzilla.maptools.org/show_bug.cgi?id=2607
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples
+tag is
+ missing.
+ Reported by Agostino sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1183; previous revision: 1.1182
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
+new revision: 1.57; previous revision: 1.56
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.56
+retrieving revision 1.57
+diff -u -r1.56 -r1.57
+--- libtiff/tools/tiffcp.c 2 Dec 2016 22:13:32 -0000 1.56
++++ libtiff/tools/tiffcp.c 3 Dec 2016 14:42:40 -0000 1.57
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */
++/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -1378,7 +1378,7 @@
+ uint8* bufp = (uint8*) buf;
+ uint32 tw, tl;
+ uint32 row;
+- uint16 bps, bytes_per_sample;
++ uint16 bps = 0, bytes_per_sample;
+
+ tilebuf = _TIFFmalloc(tilesize);
+ if (tilebuf == 0)
+@@ -1387,6 +1387,12 @@
+ (void) TIFFGetField(in, TIFFTAG_TILEWIDTH, &tw);
+ (void) TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps == 0 )
++ {
++ TIFFError(TIFFFileName(in), "Error, cannot read BitsPerSample");
++ status = 0;
++ goto done;
++ }
+ assert( bps % 8 == 0 );
+ bytes_per_sample = bps/8;
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples
+tag is
+ missing.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1186; previous revision: 1.1185
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
+new revision: 1.58; previous revision: 1.57
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.57
+retrieving revision 1.58
+diff -u -r1.57 -r1.58
+--- libtiff/tools/tiffcp.c 3 Dec 2016 14:42:40 -0000 1.57
++++ libtiff/tools/tiffcp.c 3 Dec 2016 15:44:15 -0000 1.58
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */
++/* $Id: tiffcp.c,v 1.58 2016-12-03 15:44:15 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -1569,7 +1569,7 @@
+ uint8* bufp = (uint8*) buf;
+ uint32 tl, tw;
+ uint32 row;
+- uint16 bps, bytes_per_sample;
++ uint16 bps = 0, bytes_per_sample;
+
+ obuf = _TIFFmalloc(TIFFTileSize(out));
+ if (obuf == NULL)
+@@ -1578,6 +1578,12 @@
+ (void) TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
+ (void) TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps == 0 )
++ {
++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
++ _TIFFfree(obuf);
++ return 0;
++ }
+ assert( bps % 8 == 0 );
+ bytes_per_sample = bps/8;
+
diff --git a/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch b/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch
new file mode 100644
index 0000000000..823293f1cf
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch
@@ -0,0 +1,57 @@
+Fix divide-by-zero in readSeparateStripsIntoBuffer():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2619
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is
+missing.
+ Reported by Agostina Sarubo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1180; previous revision: 1.1179
+/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c
+new revision: 1.49; previous revision: 1.48
+
+Index: libtiff/tools/tiffcrop.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
+retrieving revision 1.48
+retrieving revision 1.49
+diff -u -r1.48 -r1.49
+--- libtiff/tools/tiffcrop.c 3 Dec 2016 12:19:32 -0000 1.48
++++ libtiff/tools/tiffcrop.c 3 Dec 2016 13:00:04 -0000 1.49
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */
++/* $Id: tiffcrop.c,v 1.49 2016-12-03 13:00:04 erouault Exp $ */
+
+ /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
+ * the image data through additional options listed below
+@@ -1164,7 +1164,7 @@
+ tdata_t obuf;
+
+ (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+- (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++ (void) TIFFGetFieldDefaulted(out, TIFFTAG_BITSPERSAMPLE, &bps);
+ bytes_per_sample = (bps + 7) / 8;
+ if( width == 0 ||
+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width ||
+@@ -4760,7 +4760,7 @@
+ int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
+ uint32 j;
+ int32 bytes_read = 0;
+- uint16 bps, planar;
++ uint16 bps = 0, planar;
+ uint32 nstrips;
+ uint32 strips_per_sample;
+ uint32 src_rowsize, dst_rowsize, rows_processed, rps;
+@@ -4780,7 +4780,7 @@
+ }
+
+ memset (srcbuffs, '\0', sizeof(srcbuffs));
+- TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
++ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &planar);
+ TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
+ if (rps > length)
diff --git a/gnu/packages/patches/libtiff-divide-by-zero.patch b/gnu/packages/patches/libtiff-divide-by-zero.patch
new file mode 100644
index 0000000000..6dbd4666cd
--- /dev/null
+++ b/gnu/packages/patches/libtiff-divide-by-zero.patch
@@ -0,0 +1,67 @@
+Fix an integer overflow in TIFFReadEncodedStrip() that led to division-by-zero:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2596
+
+2016-12-02 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
+ TIFFReadEncodedStrip() that caused an integer division by zero.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1173; previous revision: 1.1172
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c
+new revision: 1.50; previous revision: 1.49
+/cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v <-- libtiff/tiffiop.h
+new revision: 1.90; previous revision: 1.89
+
+Index: libtiff/libtiff/tif_read.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v
+retrieving revision 1.49
+retrieving revision 1.50
+diff -u -r1.49 -r1.50
+--- libtiff/libtiff/tif_read.c 10 Jul 2016 18:00:21 -0000 1.49
++++ libtiff/libtiff/tif_read.c 2 Dec 2016 21:56:56 -0000 1.50
+@@ -1,4 +1,4 @@
+-/* $Id: tif_read.c,v 1.49 2016-07-10 18:00:21 erouault Exp $ */
++/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -346,7 +346,7 @@
+ rowsperstrip=td->td_rowsperstrip;
+ if (rowsperstrip>td->td_imagelength)
+ rowsperstrip=td->td_imagelength;
+- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
++ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
+ stripinplane=(strip%stripsperplane);
+ plane=(uint16)(strip/stripsperplane);
+ rows=td->td_imagelength-stripinplane*rowsperstrip;
+Index: libtiff/libtiff/tiffiop.h
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v
+retrieving revision 1.89
+retrieving revision 1.90
+diff -u -r1.89 -r1.90
+--- libtiff/libtiff/tiffiop.h 23 Jan 2016 21:20:34 -0000 1.89
++++ libtiff/libtiff/tiffiop.h 2 Dec 2016 21:56:56 -0000 1.90
+@@ -1,4 +1,4 @@
+-/* $Id: tiffiop.h,v 1.89 2016-01-23 21:20:34 erouault Exp $ */
++/* $Id: tiffiop.h,v 1.90 2016-12-02 21:56:56 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -250,6 +250,10 @@
+ #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
+ ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
+ 0U)
++/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
++/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
++#define TIFFhowmany_32_maxuint_compat(x, y) \
++ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
+ #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
+ #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
+ #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
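Review bot: `TIFFhowmany_32_maxuint_compat(x, y)` divides and takes the remainder by `y` with no zero check. In TIFFReadEncodedStrip() `rowsperstrip` is clamped to `td->td_imagelength` just before the call, so a zero image length or zero rows-per-strip would still divide by zero in the macro and again in `strip%stripsperplane`. Whether either value can be zero at this point is decided outside the hunk; if it can, it should be rejected before the macro is used. The macro's caution comment should also state the precondition, e.g. `/* y must be non-zero; x and y are evaluated twice */`.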
diff --git a/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch b/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch
new file mode 100644
index 0000000000..2d5e23586d
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch
@@ -0,0 +1,131 @@
+Fix heap-based buffer overflow in _TIFFmemcpy():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
+ overflow on generation of PixarLog / LUV compressed files, with
+ ColorMap, TransferFunction attached and nasty plays with bitspersample.
+ The fix for LUV has not been tested, but suffers from the same kind
+ of issue of PixarLog.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1175; previous revision: 1.1174
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v <-- libtiff/tif_luv.c
+new revision: 1.44; previous revision: 1.43
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v <--
+libtiff/tif_pixarlog.c
+new revision: 1.49; previous revision: 1.48
+
+Index: libtiff/libtiff/tif_luv.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v
+retrieving revision 1.43
+retrieving revision 1.44
+diff -u -r1.43 -r1.44
+--- libtiff/libtiff/tif_luv.c 4 Sep 2016 21:32:56 -0000 1.43
++++ libtiff/libtiff/tif_luv.c 2 Dec 2016 23:05:51 -0000 1.44
+@@ -1,4 +1,4 @@
+-/* $Id: tif_luv.c,v 1.43 2016-09-04 21:32:56 erouault Exp $ */
++/* $Id: tif_luv.c,v 1.44 2016-12-02 23:05:51 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1997 Greg Ward Larson
+@@ -158,6 +158,7 @@
+ typedef struct logLuvState LogLuvState;
+
+ struct logLuvState {
++ int encoder_state; /* 1 if encoder correctly initialized */
+ int user_datafmt; /* user data format */
+ int encode_meth; /* encoding method */
+ int pixel_size; /* bytes per pixel */
+@@ -1552,6 +1553,7 @@
+ td->td_photometric, "must be either LogLUV or LogL");
+ break;
+ }
++ sp->encoder_state = 1;
+ return (1);
+ notsupported:
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -1563,19 +1565,27 @@
+ static void
+ LogLuvClose(TIFF* tif)
+ {
++ LogLuvState* sp = (LogLuvState*) tif->tif_data;
+ TIFFDirectory *td = &tif->tif_dir;
+
++ assert(sp != 0);
+ /*
+ * For consistency, we always want to write out the same
+ * bitspersample and sampleformat for our TIFF file,
+ * regardless of the data format being used by the application.
+ * Since this routine is called after tags have been set but
+ * before they have been recorded in the file, we reset them here.
++ * Note: this is really a nasty approach. See PixarLogClose
+ */
+- td->td_samplesperpixel =
+- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+- td->td_bitspersample = 16;
+- td->td_sampleformat = SAMPLEFORMAT_INT;
++ if( sp->encoder_state )
++ {
++ /* See PixarLogClose. Might avoid issues with tags whose size depends
++ * on those below, but not completely sure this is enough. */
++ td->td_samplesperpixel =
++ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
++ td->td_bitspersample = 16;
++ td->td_sampleformat = SAMPLEFORMAT_INT;
++ }
+ }
+
+ static void
+Index: libtiff/libtiff/tif_pixarlog.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
+retrieving revision 1.48
+retrieving revision 1.49
+diff -u -r1.48 -r1.49
+--- libtiff/libtiff/tif_pixarlog.c 23 Sep 2016 22:12:18 -0000 1.48
++++ libtiff/libtiff/tif_pixarlog.c 2 Dec 2016 23:05:51 -0000 1.49
+@@ -1,4 +1,4 @@
+-/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */
++/* $Id: tif_pixarlog.c,v 1.49 2016-12-02 23:05:51 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1996-1997 Sam Leffler
+@@ -1233,8 +1233,10 @@
+ static void
+ PixarLogClose(TIFF* tif)
+ {
++ PixarLogState* sp = (PixarLogState*) tif->tif_data;
+ TIFFDirectory *td = &tif->tif_dir;
+
++ assert(sp != 0);
+ /* In a really sneaky (and really incorrect, and untruthful, and
+ * troublesome, and error-prone) maneuver that completely goes against
+ * the spirit of TIFF, and breaks TIFF, on close, we covertly
+@@ -1243,8 +1245,19 @@
+ * readers that don't know about PixarLog, or how to set
+ * the PIXARLOGDATFMT pseudo-tag.
+ */
+- td->td_bitspersample = 8;
+- td->td_sampleformat = SAMPLEFORMAT_UINT;
++
++ if (sp->state&PLSTATE_INIT) {
++ /* We test the state to avoid an issue such as in
++ * http://bugzilla.maptools.org/show_bug.cgi?id=2604
++ * What appends in that case is that the bitspersample is 1 and
++ * a TransferFunction is set. The size of the TransferFunction
++ * depends on 1<<bitspersample. So if we increase it, an access
++ * out of the buffer will happen at directory flushing.
++ * Another option would be to clear those targs.
++ */
++ td->td_bitspersample = 8;
++ td->td_sampleformat = SAMPLEFORMAT_UINT;
++ }
+ }
+
+ static void
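Review bot: In both LogLuvClose and PixarLogClose the only guard before the new `sp->encoder_state` / `sp->state` read is `assert(sp != 0)`, which is compiled out when NDEBUG is defined, so a release build reads through `tif->tif_data` unchecked. An explicit `if (sp == NULL) return;` after the assert would keep the close path safe in both functions. `encoder_state` is only ever set to 1 in the visible lines, so the fix relies on the state struct being zeroed when it is allocated; that happens outside the hunk and is worth confirming. The changelog itself says the LUV half of the fix has not been tested.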
diff --git a/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch b/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch
new file mode 100644
index 0000000000..68889b121b
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch
@@ -0,0 +1,132 @@
+Fix heap-based buffer overflow in TIFFFillStrip():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2608
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
+ instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength,
+rowsperstrip),
+ instead of a logic based on the total size of data. Which is faulty is
+ the total size of data is not sufficient to fill the whole image, and
+thus
+ results in reading outside of the StripByCounts/StripOffsets arrays
+when
+ using TIFFReadScanline().
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
+
+ * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
+ for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273
+since
+ the above change is a better fix that makes it unnecessary.
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1176; previous revision: 1.1175
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <--
+libtiff/tif_dirread.c
+new revision: 1.205; previous revision: 1.204
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v <-- libtiff/tif_strip.c
+new revision: 1.38; previous revision: 1.37
+
+Index: libtiff/libtiff/tif_dirread.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.204
+retrieving revision 1.205
+diff -u -r1.204 -r1.205
+--- libtiff/libtiff/tif_dirread.c 16 Nov 2016 15:14:15 -0000 1.204
++++ libtiff/libtiff/tif_dirread.c 3 Dec 2016 11:02:15 -0000 1.205
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */
++/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -5502,8 +5502,7 @@
+ uint64 rowblockbytes;
+ uint64 stripbytes;
+ uint32 strip;
+- uint64 nstrips64;
+- uint32 nstrips32;
++ uint32 nstrips;
+ uint32 rowsperstrip;
+ uint64* newcounts;
+ uint64* newoffsets;
+@@ -5534,18 +5533,17 @@
+ return;
+
+ /*
+- * never increase the number of strips in an image
++ * never increase the number of rows per strip
+ */
+ if (rowsperstrip >= td->td_rowsperstrip)
+ return;
+- nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
+- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
+- return;
+- nstrips32 = (uint32)nstrips64;
++ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
++ if( nstrips == 0 )
++ return;
+
+- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripByteCounts\" array");
+- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
++ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripOffsets\" array");
+ if (newcounts == NULL || newoffsets == NULL) {
+ /*
+@@ -5562,18 +5560,18 @@
+ * Fill the strip information arrays with new bytecounts and offsets
+ * that reflect the broken-up format.
+ */
+- for (strip = 0; strip < nstrips32; strip++) {
++ for (strip = 0; strip < nstrips; strip++) {
+ if (stripbytes > bytecount)
+ stripbytes = bytecount;
+ newcounts[strip] = stripbytes;
+- newoffsets[strip] = offset;
++ newoffsets[strip] = stripbytes ? offset : 0;
+ offset += stripbytes;
+ bytecount -= stripbytes;
+ }
+ /*
+ * Replace old single strip info with multi-strip info.
+ */
+- td->td_stripsperimage = td->td_nstrips = nstrips32;
++ td->td_stripsperimage = td->td_nstrips = nstrips;
+ TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+
+ _TIFFfree(td->td_stripbytecount);
+Index: libtiff/libtiff/tif_strip.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
+retrieving revision 1.37
+retrieving revision 1.38
+diff -u -r1.37 -r1.38
+--- libtiff/libtiff/tif_strip.c 9 Nov 2016 23:00:49 -0000 1.37
++++ libtiff/libtiff/tif_strip.c 3 Dec 2016 11:02:15 -0000 1.38
+@@ -1,4 +1,4 @@
+-/* $Id: tif_strip.c,v 1.37 2016-11-09 23:00:49 erouault Exp $ */
++/* $Id: tif_strip.c,v 1.38 2016-12-03 11:02:15 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1991-1997 Sam Leffler
+@@ -63,15 +63,6 @@
+ TIFFDirectory *td = &tif->tif_dir;
+ uint32 nstrips;
+
+- /* If the value was already computed and store in td_nstrips, then return it,
+- since ChopUpSingleUncompressedStrip might have altered and resized the
+- since the td_stripbytecount and td_stripoffset arrays to the new value
+- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
+- tif_dirread.c ~line 3612.
+- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
+- if( td->td_nstrips )
+- return td->td_nstrips;
+-
+ nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
+ TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
+ if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
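Review bot: In ChopUpSingleUncompressedStrip the strip count passed to the two `_TIFFCheckMalloc` calls is bounded only by header fields (`td->td_imagelength` now, `bytecount` before), never by the size of the file being read. A short file that declares a very large ImageLength would therefore request two arrays of `nstrips * sizeof (uint64)` bytes, most of whose entries the loop then fills with a zero count and zero offset. A sanity check before the allocations that compares `offset` and `bytecount` with the real file size (libtiff's `TIFFGetFileSize(tif)`, if it is available at this point) and returns without chopping would limit that. The function starts and ends outside the hunk, so the exact placement needs checking against the full body.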
diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch
new file mode 100644
index 0000000000..f0fef08bf3
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch
@@ -0,0 +1,67 @@
+Fix heap buffer overflow in tiffcp when parsing number of inks:
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2599
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is
+called,
+ limit the return number of inks to SamplesPerPixel, so that code that
+parses
+ ink names doesn't go past the end of the buffer.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1184; previous revision: 1.1183
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v <-- libtiff/tif_dir.c
+new revision: 1.128; previous revision: 1.127
+
+Index: libtiff/libtiff/tif_dir.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v
+retrieving revision 1.127
+retrieving revision 1.128
+diff -u -r1.127 -r1.128
+--- libtiff/libtiff/tif_dir.c 25 Oct 2016 21:35:15 -0000 1.127
++++ libtiff/libtiff/tif_dir.c 3 Dec 2016 15:30:31 -0000 1.128
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */
++/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -854,6 +854,32 @@
+ if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
+ return 0;
+
++ if( tag == TIFFTAG_NUMBEROFINKS )
++ {
++ int i;
++ for (i = 0; i < td->td_customValueCount; i++) {
++ uint16 val;
++ TIFFTagValue *tv = td->td_customValues + i;
++ if (tv->info->field_tag != tag)
++ continue;
++ val = *(uint16 *)tv->value;
++ /* Truncate to SamplesPerPixel, since the */
++ /* setting code for INKNAMES assume that there are SamplesPerPixel */
++ /* inknames. */
++ /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
++ if( val > td->td_samplesperpixel )
++ {
++ TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
++ "Truncating NumberOfInks from %u to %u",
++ val, td->td_samplesperpixel);
++ val = td->td_samplesperpixel;
++ }
++ *va_arg(ap, uint16*) = val;
++ return 1;
++ }
++ return 0;
++ }
++
+ /*
+ * We want to force the custom code to be used for custom
+ * fields even if the tag happens to match a well known
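Review bot: The clamp in the new `TIFFTAG_NUMBEROFINKS` branch is applied only when the value is read through this getter; the entry in `td->td_customValues` keeps the oversized count, so any code that reads the stored value directly, or writes the directory back out, would still see a NumberOfInks larger than SamplesPerPixel. Rejecting or clamping the value where the tag is set would cover those paths too; whether such a consumer exists cannot be told from this hunk. The read `*(uint16 *)tv->value` also assumes a non-NULL value holding at least one element, which `if (tv->value == NULL || tv->count < 1) return 0;` would make explicit.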
diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch
new file mode 100644
index 0000000000..8166c55758
--- /dev/null
+++ b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch
@@ -0,0 +1,60 @@
+Fix heap-based buffer overflow in combineSeparateSamples16bits():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2621
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
+ readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
+buffer.
+ Reported by Agostina Sarubo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1179; previous revision: 1.1178
+/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c
+new revision: 1.48; previous revision: 1.47
+
+Index: libtiff/tools/tiffcrop.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
+retrieving revision 1.47
+retrieving revision 1.48
+diff -u -r1.47 -r1.48
+--- libtiff/tools/tiffcrop.c 3 Dec 2016 11:35:56 -0000 1.47
++++ libtiff/tools/tiffcrop.c 3 Dec 2016 12:19:32 -0000 1.48
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */
++/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */
+
+ /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
+ * the image data through additional options listed below
+@@ -4815,10 +4815,17 @@
+ nstrips = TIFFNumberOfStrips(in);
+ strips_per_sample = nstrips /spp;
+
++ /* Add 3 padding bytes for combineSeparateSamples32bits */
++ if( (size_t) stripsize > 0xFFFFFFFFU - 3U )
++ {
++ TIFFError("readSeparateStripsIntoBuffer", "Integer overflow when calculating buffer size.");
++ exit(-1);
++ }
++
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ {
+ srcbuffs[s] = NULL;
+- buff = _TIFFmalloc(stripsize);
++ buff = _TIFFmalloc(stripsize + 3);
+ if (!buff)
+ {
+ TIFFError ("readSeparateStripsIntoBuffer",
+@@ -4827,6 +4834,9 @@
+ _TIFFfree (srcbuffs[i]);
+ return 0;
+ }
++ buff[stripsize] = 0;
++ buff[stripsize+1] = 0;
++ buff[stripsize+2] = 0;
+ srcbuffs[s] = buff;
+ }
+
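Review bot: The new overflow check ends the process with `exit(-1)`, while the allocation failure a few lines below in the same function frees its buffers and does `return 0`, so two different failure conventions now sit side by side. Because the check runs before the loop has allocated anything, `return 0;` after the `TIFFError` call would report the problem the same way as the rest of the function. The three `buff[stripsize+k] = 0` stores could be a single `_TIFFmemset(buff + stripsize, 0, 3);`. The added comment names combineSeparateSamples32bits whereas the patch header names combineSeparateSamples16bits; the comment should say which readers actually need the padding. The function's start is outside the hunk.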
diff --git a/gnu/packages/patches/libtiff-invalid-read.patch b/gnu/packages/patches/libtiff-invalid-read.patch
new file mode 100644
index 0000000000..92742d8757
--- /dev/null
+++ b/gnu/packages/patches/libtiff-invalid-read.patch
@@ -0,0 +1,64 @@
+Fix invalid read in t2p_writeproc():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2639
+
+2016-12-20 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2pdf.c: avoid potential invalid memory read in
+ t2p_writeproc.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1198; previous revision: 1.1197
+/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c
+new revision: 1.100; previous revision: 1.99
+
+Index: libtiff/tools/tiff2pdf.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
+retrieving revision 1.99
+retrieving revision 1.100
+diff -u -r1.99 -r1.100
+--- libtiff/tools/tiff2pdf.c 20 Dec 2016 17:13:26 -0000 1.99
++++ libtiff/tools/tiff2pdf.c 20 Dec 2016 17:24:35 -0000 1.100
+@@ -2896,6 +2896,7 @@
+ }
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+ if (count >= 4) {
++ int retTIFFReadRawTile;
+ /* Ignore EOI marker of JpegTables */
+ _TIFFmemcpy(buffer, jpt, count - 2);
+ bufferoffset += count - 2;
+@@ -2903,22 +2904,23 @@
+ table_end[0] = buffer[bufferoffset-2];
+ table_end[1] = buffer[bufferoffset-1];
+ xuint32 = bufferoffset;
+- bufferoffset -= 2;
+- bufferoffset += TIFFReadRawTile(
++ bufferoffset -= 2;
++ retTIFFReadRawTile= TIFFReadRawTile(
+ input,
+ tile,
+ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
+ -1);
++ if( retTIFFReadRawTile < 0 )
++ {
++ _TIFFfree(buffer);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return(0);
++ }
++ bufferoffset += retTIFFReadRawTile;
+ /* Overwrite SOI marker of image scan with previously */
+ /* saved end of JpegTables */
+ buffer[xuint32-2]=table_end[0];
+ buffer[xuint32-1]=table_end[1];
+- } else {
+- bufferoffset += TIFFReadRawTile(
+- input,
+- tile,
+- (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
+- -1);
+ }
+ }
+ t2pWriteFile(output, (tdata_t) buffer, bufferoffset);
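Review bot: With the `else` branch removed, a JPEGTABLES tag whose `count` is below 4 appears to skip `TIFFReadRawTile` altogether, and `t2pWriteFile` is still called with whatever `bufferoffset` holds, so the stream is written without tile data and without `t2p->t2p_error` being set. Handling that case like the new read failure (free the buffer, set `T2P_ERR_ERROR`, `return(0)`) would make the malformed input visible to the caller. The result variable is declared `int` although libtiff 4 declares `TIFFReadRawTile` as returning `tmsize_t`; `tmsize_t retTIFFReadRawTile;` avoids a narrowing conversion on 64-bit builds. Whether `_TIFFmemcpy(buffer, jpt, count - 2)` fits depends on a buffer size computed outside the hunk.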
diff --git a/gnu/packages/patches/libtiff-null-dereference.patch b/gnu/packages/patches/libtiff-null-dereference.patch
new file mode 100644
index 0000000000..8c6345b804
--- /dev/null
+++ b/gnu/packages/patches/libtiff-null-dereference.patch
@@ -0,0 +1,42 @@
+Fix NULL pointer dereference in TIFFReadRawData():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2594
+
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffinfo.c: fix null pointer dereference in -r mode when
+ * the
+image has
+ no StripByteCount tag.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1182; previous revision: 1.1181
+/cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v <-- tools/tiffinfo.c
+new revision: 1.26; previous revision: 1.25
+
+Index: libtiff/tools/tiffinfo.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v
+retrieving revision 1.25
+retrieving revision 1.26
+diff -u -r1.25 -r1.26
+--- libtiff/tools/tiffinfo.c 12 Nov 2016 20:06:05 -0000 1.25
++++ libtiff/tools/tiffinfo.c 3 Dec 2016 14:18:49 -0000 1.26
+@@ -1,4 +1,4 @@
+-/* $Id: tiffinfo.c,v 1.25 2016-11-12 20:06:05 bfriesen Exp $ */
++/* $Id: tiffinfo.c,v 1.26 2016-12-03 14:18:49 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -417,7 +417,7 @@
+ uint64* stripbc=NULL;
+
+ TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &stripbc);
+- if (nstrips > 0) {
++ if (stripbc != NULL && nstrips > 0) {
+ uint32 bufsize = (uint32) stripbc[0];
+ tdata_t buf = _TIFFmalloc(bufsize);
+ tstrip_t s;
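Review bot: When `stripbc` is NULL the raw-data dump is now skipped silently, so `-r` on a file without a StripByteCounts tag prints nothing and gives no diagnostic. Reporting the condition, for instance `if (stripbc == NULL) TIFFError("TIFFReadRawData", "no StripByteCounts tag");` before the guarded block, or testing the currently ignored return value of `TIFFGetField`, would tell the user why the output is empty. The context line `uint32 bufsize = (uint32) stripbc[0];` truncates a `uint64` count, and how `bufsize` is compared with later strips lies outside the hunk.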
diff --git a/gnu/packages/patches/libtiff-tiffcp-underflow.patch b/gnu/packages/patches/libtiff-tiffcp-underflow.patch
new file mode 100644
index 0000000000..5615cbb3e1
--- /dev/null
+++ b/gnu/packages/patches/libtiff-tiffcp-underflow.patch
@@ -0,0 +1,41 @@
+Fix a integer underflow in tiffcp that led to heap overflows in
+TIFFReverseBits():
+
+http://bugzilla.maptools.org/show_bug.cgi?id=2598
+
+2016-12-02 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
+ can cause various issues, such as buffer overflows in the library.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
+new revision: 1.1174; previous revision: 1.1173
+/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
+new revision: 1.56; previous revision: 1.55
+
+Index: libtiff/tools/tiffcp.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
+retrieving revision 1.55
+retrieving revision 1.56
+diff -u -r1.55 -r1.56
+--- libtiff/tools/tiffcp.c 8 Oct 2016 15:54:57 -0000 1.55
++++ libtiff/tools/tiffcp.c 2 Dec 2016 22:13:32 -0000 1.56
+@@ -1,4 +1,4 @@
+-/* $Id: tiffcp.c,v 1.55 2016-10-08 15:54:57 erouault Exp $ */
++/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */
+
+ /*
+ * Copyright (c) 1988-1997 Sam Leffler
+@@ -985,7 +985,7 @@
+ tstrip_t s, ns = TIFFNumberOfStrips(in);
+ uint32 row = 0;
+ _TIFFmemset(buf, 0, stripsize);
+- for (s = 0; s < ns; s++) {
++ for (s = 0; s < ns && row < imagelength; s++) {
+ tsize_t cc = (row + rowsperstrip > imagelength) ?
+ TIFFVStripSize(in, imagelength - row) : stripsize;
+ if (TIFFReadEncodedStrip(in, s, buf, cc) < 0
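Review bot: The new `row < imagelength` guard makes `imagelength - row` safe, but the test on the following line still computes `row + rowsperstrip` in `uint32`, which can wrap for a large `rowsperstrip`. With the guard in place the same test can be written without the addition, as `(rowsperstrip > imagelength - row)`. Where `rowsperstrip` is clamped, if at all, is outside the hunk. A short comment on the loop condition, such as `/* stop once all rows are copied, even if the file declares more strips */`, would also record why `ns` alone is not trusted.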
diff --git a/gnu/packages/patches/libxt-guix-search-paths.patch b/gnu/packages/patches/libxt-guix-search-paths.patch
new file mode 100644
index 0000000000..c618f48da5
--- /dev/null
+++ b/gnu/packages/patches/libxt-guix-search-paths.patch
@@ -0,0 +1,126 @@
+--- libXt-1.1.5/src/Intrinsic.c 2015-05-01 07:36:20.000000000 +0200
++++ Intrinsic.c 2016-12-12 00:42:16.567388450 +0100
+@@ -1303,21 +1303,101 @@
+ } else (void) strcpy(*rest, string);
+ }
+
+-/*
+- * default path used if environment variable XFILESEARCHPATH
+- * is not defined. Also substitued for %D.
+- * The exact value should be documented in the implementation
+- * notes for any Xt implementation.
++
++
++/*
++ Return the default search path for the function
++ XtResolvePathname to use if XFILESEARCHPATH is
++ not defined.
++
++ It returns the combination the set of values which are the 6 "stems" below,
++ prepended with "/run/current-system/profile", and $GUIX_PROFILE and
++ "$HOME/.guix-profile"
++
++ These values provide the default paths where Guix/GuixSD can expect
++ to find resources for installed packages.
+ */
+-static const char *implementation_default_path(void)
++static const char *guix_default_path(void)
+ {
+-#if defined(WIN32)
+- static char xfilesearchpath[] = "";
+-
+- return xfilesearchpath;
+-#else
+- return XFILESEARCHPATHDEFAULT;
+-#endif
++ static const char *search_path_default_stem[] = {
++ "/lib/X11/%L/%T/%N%C%S",
++ "/lib/X11/%l/%T/%N%C%S",
++ "/lib/X11/%T/%N%C%S",
++ "/lib/X11/%L/%T/%N%S",
++ "/lib/X11/%l/%T/%N%S",
++ "/lib/X11/%T/%N%S"
++ };
++
++#define SIZEOF_STEMS (strlen (search_path_default_stem[0]) \
++ + strlen (search_path_default_stem[1]) \
++ + strlen (search_path_default_stem[2]) \
++ + strlen (search_path_default_stem[3]) \
++ + strlen (search_path_default_stem[4]) \
++ + strlen (search_path_default_stem[5]))
++
++
++ int i;
++ const char *current_profile = "/run/current-system/profile";
++ char *home = getenv ("HOME");
++ char *guix_profile = getenv ("GUIX_PROFILE");
++
++ size_t bytesAllocd = SIZEOF_STEMS + 1;
++
++ /* This function is evaluated multiple times and the calling
++ code assumes that it is idempotent. So we must not allow
++ (say) a changed environment variable to cause it to return
++ something different. */
++ static char *path = NULL;
++ if (path)
++ return path;
++
++ bytesAllocd += 6 * (1 + strlen (current_profile));
++
++ if (guix_profile != NULL)
++ {
++ bytesAllocd += SIZEOF_STEMS;
++ bytesAllocd += 6 * (1 + strlen (guix_profile));
++ }
++
++ if (home != NULL)
++ {
++ bytesAllocd += SIZEOF_STEMS;
++ bytesAllocd += 6 * (1 + strlen(home) + strlen ("/.guix-profile"));
++ }
++
++ path = XtMalloc(bytesAllocd);
++ if (path == NULL) _XtAllocError(NULL);
++
++ memset (path, 0, bytesAllocd);
++
++ for (i = 0 ; i < 6 ; ++i)
++ {
++ strcat (path, current_profile);
++ strcat (path, search_path_default_stem[i]);
++ strcat (path, ":");
++ }
++
++ if (guix_profile != NULL)
++ for (i = 0 ; i < 6 ; ++i)
++ {
++ strcat (path, guix_profile);
++ strcat (path, search_path_default_stem[i]);
++ strcat (path, ":");
++ }
++
++ if (home != NULL)
++ for (i = 0 ; i < 6 ; ++i)
++ {
++ strcat (path, home);
++ strcat (path, "/.guix-profile");
++ strcat (path, search_path_default_stem[i]);
++ strcat (path, ":");
++ }
++
++ /* Remove final : */
++ path[strlen(path) - 1] = '\0';
++
++ return path;
+ }
+
+
+@@ -1345,7 +1425,7 @@
+ {
+ XtPerDisplay pd;
+ static const char *defaultPath = NULL;
+- const char *impl_default = implementation_default_path();
++ const char *impl_default = guix_default_path();
+ int idef_len = strlen(impl_default);
+ char *massagedPath;
+ int bytesAllocd, bytesLeft;
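Review bot: `guix_default_path` copies `HOME` and `GUIX_PROFILE` verbatim into a string in which `:` separates entries and `%` introduces substitutions, so a value containing either character changes how the search path is split, and an empty `GUIX_PROFILE` yields entries rooted at `/lib/X11`. Treating such values as unset keeps the result well-formed: `if (guix_profile && (*guix_profile == '\0' || strpbrk(guix_profile, ":%"))) guix_profile = NULL;`, and the same for `home`. The size computation does match the `strcat` sequence, but it is spread over three places; a comment tying each `bytesAllocd +=` to its loop would help the next editor keep them in step. `if (path == NULL) _XtAllocError(NULL);` looks redundant if `XtMalloc` already reports allocation failure itself.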
diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch
new file mode 100644
index 0000000000..e752e57ec5
--- /dev/null
+++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch
@@ -0,0 +1,188 @@
+Fix CVE-2016-10132:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697381
+http://seclists.org/oss-sec/2017/q1/74
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10132
+
+Patch lifted from upstream source repository:
+
+http://git.ghostscript.com/?p=mujs.git;h=fd003eceda531e13fbdd1aeb6e9c73156496e569
+
+From fd003eceda531e13fbdd1aeb6e9c73156496e569 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor@ccxvii.net>
+Date: Fri, 2 Dec 2016 14:56:20 -0500
+Subject: [PATCH] Fix 697381: check allocation when compiling regular
+ expressions.
+
+Also use allocator callback function.
+---
+ thirdparty/mujs/jsgc.c | 2 +-
+ thirdparty/mujs/jsregexp.c | 2 +-
+ thirdparty/mujs/jsstate.c | 6 ------
+ thirdparty/mujs/regexp.c | 45 +++++++++++++++++++++++++++++++++++----------
+ thirdparty/mujs/regexp.h | 7 +++++++
+ 5 files changed, 44 insertions(+), 18 deletions(-)
+
+diff --git a/thirdparty/mujs/jsgc.c b/thirdparty/mujs/jsgc.c
+index 4f7e7dc..f80111e 100644
+--- a/thirdparty/mujs/jsgc.c
++++ b/thirdparty/mujs/jsgc.c
+@@ -46,7 +46,7 @@ static void jsG_freeobject(js_State *J, js_Object *obj)
+ jsG_freeproperty(J, obj->head);
+ if (obj->type == JS_CREGEXP) {
+ js_free(J, obj->u.r.source);
+- js_regfree(obj->u.r.prog);
++ js_regfreex(J->alloc, J->actx, obj->u.r.prog);
+ }
+ if (obj->type == JS_CITERATOR)
+ jsG_freeiterator(J, obj->u.iter.head);
+diff --git a/thirdparty/mujs/jsregexp.c b/thirdparty/mujs/jsregexp.c
+index a2d5156..7b09c06 100644
+--- a/thirdparty/mujs/jsregexp.c
++++ b/thirdparty/mujs/jsregexp.c
+@@ -16,7 +16,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags)
+ if (flags & JS_REGEXP_I) opts |= REG_ICASE;
+ if (flags & JS_REGEXP_M) opts |= REG_NEWLINE;
+
+- prog = js_regcomp(pattern, opts, &error);
++ prog = js_regcompx(J->alloc, J->actx, pattern, opts, &error);
+ if (!prog)
+ js_syntaxerror(J, "regular expression: %s", error);
+
+diff --git a/thirdparty/mujs/jsstate.c b/thirdparty/mujs/jsstate.c
+index 638cab3..fd5bcf6 100644
+--- a/thirdparty/mujs/jsstate.c
++++ b/thirdparty/mujs/jsstate.c
+@@ -9,12 +9,6 @@
+
+ static void *js_defaultalloc(void *actx, void *ptr, int size)
+ {
+- if (size == 0) {
+- free(ptr);
+- return NULL;
+- }
+- if (!ptr)
+- return malloc((size_t)size);
+ return realloc(ptr, (size_t)size);
+ }
+
+diff --git a/thirdparty/mujs/regexp.c b/thirdparty/mujs/regexp.c
+index 9852be2..01c18a3 100644
+--- a/thirdparty/mujs/regexp.c
++++ b/thirdparty/mujs/regexp.c
+@@ -807,23 +807,31 @@ static void dumpprog(Reprog *prog)
+ }
+ #endif
+
+-Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++ const char *pattern, int cflags, const char **errorp)
+ {
+ struct cstate g;
+ Renode *node;
+ Reinst *split, *jump;
+ int i;
+
+- g.prog = malloc(sizeof (Reprog));
+- g.pstart = g.pend = malloc(sizeof (Renode) * strlen(pattern) * 2);
++ g.pstart = NULL;
++ g.prog = NULL;
+
+ if (setjmp(g.kaboom)) {
+ if (errorp) *errorp = g.error;
+- free(g.pstart);
+- free(g.prog);
++ alloc(ctx, g.pstart, 0);
++ alloc(ctx, g.prog, 0);
+ return NULL;
+ }
+
++ g.prog = alloc(ctx, NULL, sizeof (Reprog));
++ if (!g.prog)
++ die(&g, "cannot allocate regular expression");
++ g.pstart = g.pend = alloc(ctx, NULL, sizeof (Renode) * strlen(pattern) * 2);
++ if (!g.pstart)
++ die(&g, "cannot allocate regular expression parse list");
++
+ g.source = pattern;
+ g.ncclass = 0;
+ g.nsub = 1;
+@@ -840,7 +848,9 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
+ die(&g, "syntax error");
+
+ g.prog->nsub = g.nsub;
+- g.prog->start = g.prog->end = malloc((count(node) + 6) * sizeof (Reinst));
++ g.prog->start = g.prog->end = alloc(ctx, NULL, (count(node) + 6) * sizeof (Reinst));
++ if (!g.prog->start)
++ die(&g, "cannot allocate regular expression instruction list");
+
+ split = emit(g.prog, I_SPLIT);
+ split->x = split + 3;
+@@ -859,20 +869,35 @@ Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
+ dumpprog(g.prog);
+ #endif
+
+- free(g.pstart);
++ alloc(ctx, g.pstart, 0);
+
+ if (errorp) *errorp = NULL;
+ return g.prog;
+ }
+
+-void regfree(Reprog *prog)
++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx, Reprog *prog)
+ {
+ if (prog) {
+- free(prog->start);
+- free(prog);
++ alloc(ctx, prog->start, 0);
++ alloc(ctx, prog, 0);
+ }
+ }
+
++static void *default_alloc(void *ctx, void *p, int n)
++{
++ return realloc(p, (size_t)n);
++}
++
++Reprog *regcomp(const char *pattern, int cflags, const char **errorp)
++{
++ return regcompx(default_alloc, NULL, pattern, cflags, errorp);
++}
++
++void regfree(Reprog *prog)
++{
++ regfreex(default_alloc, NULL, prog);
++}
++
+ /* Match */
+
+ static int isnewline(int c)
+diff --git a/thirdparty/mujs/regexp.h b/thirdparty/mujs/regexp.h
+index 4bb4615..6bb73e8 100644
+--- a/thirdparty/mujs/regexp.h
++++ b/thirdparty/mujs/regexp.h
+@@ -1,6 +1,8 @@
+ #ifndef regexp_h
+ #define regexp_h
+
++#define regcompx js_regcompx
++#define regfreex js_regfreex
+ #define regcomp js_regcomp
+ #define regexec js_regexec
+ #define regfree js_regfree
+@@ -8,6 +10,11 @@
+ typedef struct Reprog Reprog;
+ typedef struct Resub Resub;
+
++Reprog *regcompx(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++ const char *pattern, int cflags, const char **errorp);
++void regfreex(void *(*alloc)(void *ctx, void *p, int n), void *ctx,
++ Reprog *prog);
++
+ Reprog *regcomp(const char *pattern, int cflags, const char **errorp);
+ int regexec(Reprog *prog, const char *string, Resub *sub, int eflags);
+ void regfree(Reprog *prog);
+--
+2.9.1
+
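Review bot: In `regcompx` the size `sizeof (Renode) * strlen(pattern) * 2` is a `size_t` product passed to an allocator whose size parameter is `int n`, so for a long enough pattern the value is truncated or turns negative before `default_alloc` casts it back with `(size_t)n`. Bounding the pattern length before that allocation, e.g. `if (strlen(pattern) > INT_MAX / (2 * sizeof (Renode))) die(&g, "regular expression too long");` (needs `<limits.h>`), keeps the request representable; `(count(node) + 6) * sizeof (Reinst)` has the same shape. Both `js_defaultalloc` and `default_alloc` now release memory through `realloc(p, 0)`, whose behaviour is implementation-defined, whereas the removed lines called `free` explicitly and returned NULL.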
diff --git a/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch
new file mode 100644
index 0000000000..d73849262c
--- /dev/null
+++ b/gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch
@@ -0,0 +1,36 @@
+Fix CVE-2016-10133:
+
+https://bugs.ghostscript.com/show_bug.cgi?id=697401
+http://seclists.org/oss-sec/2017/q1/74
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10133
+
+Patch lifted from upstream source repository:
+
+https://git.ghostscript.com/?p=mujs.git;h=77ab465f1c394bb77f00966cd950650f3f53cb24
+
+From 77ab465f1c394bb77f00966cd950650f3f53cb24 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@gmail.com>
+Date: Thu, 12 Jan 2017 14:47:01 +0100
+Subject: [PATCH] Fix 697401: Error when dropping extra arguments to
+ lightweight functions.
+
+---
+ thirdparty/mujs/jsrun.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/thirdparty/mujs/jsrun.c b/thirdparty/mujs/jsrun.c
+index ee80845..782a6f9 100644
+--- a/thirdparty/mujs/jsrun.c
++++ b/thirdparty/mujs/jsrun.c
+@@ -937,7 +937,7 @@ static void jsR_calllwfunction(js_State *J, int n, js_Function *F, js_Environmen
+ jsR_savescope(J, scope);
+
+ if (n > F->numparams) {
+- js_pop(J, F->numparams - n);
++ js_pop(J, n - F->numparams);
+ n = F->numparams;
+ }
+ for (i = n; i < F->varlen; ++i)
+--
+2.9.1
+
diff --git a/gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch b/gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch
new file mode 100644
index 0000000000..1f7a4cadb7
--- /dev/null
+++ b/gnu/packages/patches/python-pygpgme-fix-pinentry-tests.patch
@@ -0,0 +1,69 @@
+Fix test failure of test_XXX caused by upgrade of gpgme from 1.6.0 to
+1.8.0:
+
+======================================================================
+FAIL: test_encrypt_to_signonly (tests.test_encrypt_decrypt.EncryptDecryptTestCase)
+----------------------------------------------------------------------
+Traceback (most recent call last):
+ File "/tmp/guix-build-python2-pygpgme-0.3.drv-0/pygpgme-0.3/tests/test_encrypt_decrypt.py", line 185, in test_encrypt_to_signonly
+ self.assertEqual(exc.args[0], gpgme.ERR_SOURCE_UNKNOWN)
+AssertionError: 7 != 0
+
+----------------------------------------------------------------------
+
+Patch copied from the Debian package pygpgme-0.3-1.2:
+
+https://sources.debian.net/src/pygpgme/0.3-1.2/debian/patches/0005-Fix-test-failures-with-pinentry.patch/
+
+From: "Dr. Tobias Quathamer" <toddy@debian.org>
+Date: Thu, 24 Nov 2016 12:20:54 +0100
+Subject: Fix test failures with pinentry
+
+---
+ tests/test_encrypt_decrypt.py | 5 +++--
+ tests/test_passphrase.py | 2 ++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test_encrypt_decrypt.py b/tests/test_encrypt_decrypt.py
+index 21ae83e..05707e1 100644
+--- a/tests/test_encrypt_decrypt.py
++++ b/tests/test_encrypt_decrypt.py
+@@ -132,6 +132,7 @@ class EncryptDecryptTestCase(GpgHomeTestCase):
+ os.write(fd, b'Symmetric passphrase\n')
+ ctx = gpgme.Context()
+ ctx.armor = True
++ ctx.pinentry_mode = gpgme.PINENTRY_MODE_LOOPBACK
+ ctx.passphrase_cb = passphrase
+ ctx.encrypt(None, 0, plaintext, ciphertext)
+ self.assertTrue(
+@@ -182,8 +183,8 @@ class EncryptDecryptTestCase(GpgHomeTestCase):
+ ctx.encrypt([recipient], gpgme.ENCRYPT_ALWAYS_TRUST,
+ plaintext, ciphertext)
+ except gpgme.GpgmeError as exc:
+- self.assertEqual(exc.args[0], gpgme.ERR_SOURCE_UNKNOWN)
+- self.assertEqual(exc.args[1], gpgme.ERR_GENERAL)
++ self.assertEqual(exc.args[0], gpgme.ERR_SOURCE_GPGME)
++ self.assertEqual(exc.args[1], gpgme.ERR_UNUSABLE_PUBKEY)
+ else:
+ self.fail('gpgme.GpgmeError not raised')
+
+diff --git a/tests/test_passphrase.py b/tests/test_passphrase.py
+index 35b3c59..05e6811 100644
+--- a/tests/test_passphrase.py
++++ b/tests/test_passphrase.py
+@@ -34,6 +34,7 @@ class PassphraseTestCase(GpgHomeTestCase):
+ ctx = gpgme.Context()
+ key = ctx.get_key('EFB052B4230BBBC51914BCBB54DCBBC8DBFB9EB3')
+ ctx.signers = [key]
++ ctx.pinentry_mode = gpgme.PINENTRY_MODE_LOOPBACK
+ plaintext = BytesIO(b'Hello World\n')
+ signature = BytesIO()
+
+@@ -55,6 +56,7 @@ class PassphraseTestCase(GpgHomeTestCase):
+ ctx = gpgme.Context()
+ key = ctx.get_key('EFB052B4230BBBC51914BCBB54DCBBC8DBFB9EB3')
+ ctx.signers = [key]
++ ctx.pinentry_mode = gpgme.PINENTRY_MODE_LOOPBACK
+ ctx.passphrase_cb = self.passphrase_cb
+ plaintext = BytesIO(b'Hello World\n')
+ signature = BytesIO()
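Review bot: The description still contains the placeholder `test_XXX`, so it does not say which tests this patch is meant to repair. The traceback below it names `test_encrypt_to_signonly`, and the hunks also touch the symmetric-encryption test and two tests in `tests/test_passphrase.py`. I would reword the first line to something like `Fix test failures (e.g. test_encrypt_to_signonly) caused by the upgrade of gpgme from 1.6.0 to 1.8.0:`. The new assertions pin `ERR_SOURCE_GPGME` / `ERR_UNUSABLE_PUBKEY`, so it is worth stating in the header that the expected values are tied to the newer gpgme.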
diff --git a/gnu/packages/patches/qemu-CVE-2016-10155.patch b/gnu/packages/patches/qemu-CVE-2016-10155.patch
new file mode 100644
index 0000000000..825edaa815
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2016-10155.patch
@@ -0,0 +1,49 @@
+From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 28 Nov 2016 17:49:04 -0800
+Subject: [PATCH] watchdog: 6300esb: add exit function
+
+When the Intel 6300ESB watchdog is hot unplug. The timer allocated
+in realize isn't freed thus leaking memory leak. This patch avoid
+this through adding the exit function.
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=eb7a20a3616085d46aa6b4b4224e15587ec67e6e
+this patch is from qemu-git.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/watchdog/wdt_i6300esb.c | 9 +++++++++
+ 1 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
+index a83d951..49b3cd1 100644
+--- a/hw/watchdog/wdt_i6300esb.c
++++ b/hw/watchdog/wdt_i6300esb.c
+@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
+ /* qemu_register_coalesced_mmio (addr, 0x10); ? */
+ }
+
++static void i6300esb_exit(PCIDevice *dev)
++{
++ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
++
++ timer_del(d->timer);
++ timer_free(d->timer);
++}
++
+ static WatchdogTimerModel model = {
+ .wdt_name = "i6300esb",
+ .wdt_description = "Intel 6300ESB",
+@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
+ k->config_read = i6300esb_config_read;
+ k->config_write = i6300esb_config_write;
+ k->realize = i6300esb_realize;
++ k->exit = i6300esb_exit;
+ k->vendor_id = PCI_VENDOR_ID_INTEL;
+ k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
+ k->class_id = PCI_CLASS_SYSTEM_OTHER;
+--
+1.7.0.4
+
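Review bot: Nothing in the body of this patch file names the CVE it fixes; only the file name does, whereas the mupdf-mujs patch added in the same commit opens with `Fix CVE-2016-10133:` and the advisory links. I would put a matching first line above the mbox header, e.g. `Fix CVE-2016-10155:` followed by the upstream URL that is already quoted in the message, and one sentence on impact (the commit message describes a timer leaked on each hot-unplug of the device). The same applies to the qemu-CVE-2017-5525, qemu-CVE-2017-5526 and qemu-CVE-2017-5552 patches further down. Keeping the identifier in the text lets someone grepping the patch directory for a CVE find the fix even if the file is renamed.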
diff --git a/gnu/packages/patches/qemu-CVE-2017-5525.patch b/gnu/packages/patches/qemu-CVE-2017-5525.patch
new file mode 100644
index 0000000000..d0c0c82a4a
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5525.patch
@@ -0,0 +1,55 @@
+From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Wed, 14 Dec 2016 18:30:21 -0800
+Subject: [PATCH] audio: ac97: add exit function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=12351a91da97b414eec8cdb09f1d9f41e535a401
+this patch is from qemu-git
+
+Currently the ac97 device emulation doesn't have a exit function,
+hot unplug this device will leak some memory. Add a exit function to
+avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/audio/ac97.c | 11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
+index cbd959e..c306575 100644
+--- a/hw/audio/ac97.c
++++ b/hw/audio/ac97.c
+@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
+ ac97_on_reset (&s->dev.qdev);
+ }
+
++static void ac97_exit(PCIDevice *dev)
++{
++ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
++
++ AUD_close_in(&s->card, s->voice_pi);
++ AUD_close_out(&s->card, s->voice_po);
++ AUD_close_in(&s->card, s->voice_mc);
++ AUD_remove_card(&s->card);
++}
++
+ static int ac97_init (PCIBus *bus)
+ {
+ pci_create_simple (bus, -1, "AC97");
+@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
+ PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
+
+ k->realize = ac97_realize;
++ k->exit = ac97_exit;
+ k->vendor_id = PCI_VENDOR_ID_INTEL;
+ k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
+ k->revision = 0x01;
+--
+1.7.0.4
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5526.patch b/gnu/packages/patches/qemu-CVE-2017-5526.patch
new file mode 100644
index 0000000000..5a6d796458
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5526.patch
@@ -0,0 +1,58 @@
+From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Wed, 14 Dec 2016 18:32:22 -0800
+Subject: [PATCH] audio: es1370: add exit function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da
+this patch is from qemu-git.
+
+Currently the es1370 device emulation doesn't have a exit function,
+hot unplug this device will leak some memory. Add a exit function to
+avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/audio/es1370.c | 14 ++++++++++++++
+ 1 files changed, 14 insertions(+), 0 deletions(-)
+
+diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
+index 8449b5f..883ec69 100644
+--- a/hw/audio/es1370.c
++++ b/hw/audio/es1370.c
+@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
+ es1370_reset (s);
+ }
+
++static void es1370_exit(PCIDevice *dev)
++{
++ ES1370State *s = ES1370(dev);
++ int i;
++
++ for (i = 0; i < 2; ++i) {
++ AUD_close_out(&s->card, s->dac_voice[i]);
++ }
++
++ AUD_close_in(&s->card, s->adc_voice);
++ AUD_remove_card(&s->card);
++}
++
+ static int es1370_init (PCIBus *bus)
+ {
+ pci_create_simple (bus, -1, TYPE_ES1370);
+@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
+ PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
+
+ k->realize = es1370_realize;
++ k->exit = es1370_exit;
+ k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
+ k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
+ k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
+--
+1.7.0.4
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-5552.patch b/gnu/packages/patches/qemu-CVE-2017-5552.patch
new file mode 100644
index 0000000000..50911f4f36
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-5552.patch
@@ -0,0 +1,44 @@
+From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@gmail.com>
+Date: Thu, 29 Dec 2016 03:11:26 -0500
+Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+If the virgl_renderer_resource_attach_iov function fails the
+'res_iovs' will be leaked. Add check of the return value to
+free the 'res_iovs' when failing.
+
+http://git.qemu.org/?p=qemu.git;a=patch;h=33243031dad02d161225ba99d782616da133f689
+this patch is from qemu-git.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/virtio-gpu-3d.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index e29f099..b13ced3 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
+ return;
+ }
+
+- virgl_renderer_resource_attach_iov(att_rb.resource_id,
+- res_iovs, att_rb.nr_entries);
++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
++ res_iovs, att_rb.nr_entries);
++
++ if (ret != 0)
++ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
+ }
+
+ static void virgl_resource_detach_backing(VirtIOGPU *g,
+--
+1.7.0.4
+
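Review bot: When `virgl_renderer_resource_attach_iov` fails, the new branch releases `res_iovs` but nothing visible in the hunk reports the failure, so the guest's attach-backing command appears to complete normally. If the control command is in scope at that point (the parameter list is cut off in the hunk header, so this is an assumption), I would set its error before the cleanup, e.g. `cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;`. The single-statement `if (ret != 0)` is also unbraced, which QEMU's coding style does not allow; wrap the call in `{ }`. `ret` is declared outside the hunk, and the function body starts before it.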
diff --git a/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch b/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch
deleted file mode 100644
index f592f5cd51..0000000000
--- a/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-The tests currently fail due to use of 'skip' rather than 'pending' to skip a
-test usually not skipped by upstream. This patch has been proposed upstream
-at https://github.com/lsegal/yard/pull/1033
-
-diff --git a/spec/templates/helpers/html_helper_spec.rb b/spec/templates/helpers/html_helper_spec.rb
-index 84624c3..9c4fc2b 100644
---- a/spec/templates/helpers/html_helper_spec.rb
-+++ b/spec/templates/helpers/html_helper_spec.rb
-@@ -184,7 +184,7 @@ describe YARD::Templates::Helpers::HtmlHelper do
- it "creates tables (markdown specific)" do
- log.enter_level(Logger::FATAL) do
- unless markup_class(:markdown).to_s == "RedcarpetCompat"
-- skip "This test depends on a markdown engine that supports tables"
-+ pending "This test depends on a markdown engine that supports tables"
- end
- end
-
diff --git a/gnu/packages/patches/tipp10-fix-compiling.patch b/gnu/packages/patches/tipp10-fix-compiling.patch
new file mode 100644
index 0000000000..4c206d4d83
--- /dev/null
+++ b/gnu/packages/patches/tipp10-fix-compiling.patch
@@ -0,0 +1,213 @@
+Description: Debian patches to make tipp10 compile
+Author: Christoph Martin <chrism@debian.org>
+Last-Update: 2016-07-20
+
+https://sources.debian.net/data/main/t/tipp10/2.1.0-2/debian/patches/0001-FixCompiling
+
+--- a/widget/tickerboard.cpp
++++ b/widget/tickerboard.cpp
+@@ -97,7 +97,8 @@ void TickerBoard::startTicker(bool wasPa
+
+ if (tickerSpeed == 50) {
+ scrollOffset = 290;
+- scroll(-290, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());
++ const QRect qr = QRect(10, 15, 590, 35);
++ scroll(-290, 0, qr); //contentsRect());
+ }
+
+ startFlag = true;
+@@ -153,7 +154,8 @@ void TickerBoard::changeChar() {
+ scrollOffset = 0;
+ } else {
+ scrollOffset = 290;
+- scroll(-290, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());
++ const QRect qr = QRect(10, 15, 590, 35);
++ scroll(-290, 0, qr); //contentsRect());
+ }
+ splitLesson();
+ }
+@@ -242,7 +244,8 @@ void TickerBoard::progress() {
+
+ // Move ticker 1 pixel to left
+ scrollOffset++;
+- scroll(-1, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());
++ const QRect qr = QRect(10, 15, 590, 35);
++ scroll(-1, 0, qr); //contentsRect());
+
+ if ((lessonOffset - scrollOffset) <= 30) {
+ setSpeed(tickerSpeed);
+@@ -265,14 +268,16 @@ void TickerBoard::progress() {
+ // 160 pixels overage (because the user must see at least the next word)
+ if ((lessonOffset - scrollOffset) > 200) {
+ scrollOffset += (lessonOffset - scrollOffset) - 200;
+- scroll(-((lessonOffset - scrollOffset) - 200), 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());
++ const QRect qr = QRect(10, 15, 590, 35);
++ scroll(-((lessonOffset - scrollOffset) - 200), 0, qr); //contentsRect());
+ }
+ } else {
+ // If the user types faster than the ticker, move ticker faster after
+ // 160 pixels overage (because the user must see at least the next word)
+ if ((lessonOffset - scrollOffset) > 280) {
+ scrollOffset += 570;
+- scroll(-570, 0, QRect::QRect(10, 15, 590, 35)); //contentsRect());
++ const QRect qr = QRect(10, 15, 590, 35);
++ scroll(-570, 0, qr); //contentsRect());
+ }
+
+ }
+--- a/widget/settingspages.cpp
++++ b/widget/settingspages.cpp
+@@ -501,7 +501,7 @@ void DatabasePage::writeSettings() {
+ QSettings settings;
+ #endif
+ settings.beginGroup("database");
+- settings.setValue("pathpro", lineDatabasePath->text() + "/" + QString::QString(APP_USER_DB));
++ settings.setValue("pathpro", lineDatabasePath->text() + "/" + QString(APP_USER_DB));
+ settings.endGroup();
+ }
+
+--- a/widget/lessondialog.cpp
++++ b/widget/lessondialog.cpp
+@@ -89,7 +89,7 @@ void LessonDialog::updateContent() {
+ *lessonData = lineLessonContent->toPlainText().split("\n", QString::SkipEmptyParts);
+ // Delete empty lines
+ for (int i = 0; i < lessonData->size(); i++) {
+- if (QString::QString(lessonData->at(i).toLocal8Bit().constData()).simplified() == "") {
++ if (QString(lessonData->at(i).toLocal8Bit().constData()).simplified() == "") {
+ lessonData->removeAt(i);
+ }
+ }
+@@ -259,7 +259,7 @@ void LessonDialog::clickSave() {
+ contentList = lineLessonContent->toPlainText().split("\n", QString::SkipEmptyParts);
+ // Delete empty lines
+ for (i = 0; i < contentList.size(); i++) {
+- if (QString::QString(contentList.at(i).toLocal8Bit().constData()).simplified() == "") {
++ if (QString(contentList.at(i).toLocal8Bit().constData()).simplified() == "") {
+ contentList.removeAt(i);
+ }
+ }
+--- a/sql/chartablesql.cpp
++++ b/sql/chartablesql.cpp
+@@ -57,7 +57,7 @@ QVariant CharSqlModel::data(const QModel
+ // Read the unicode value
+ unicode = value.toInt();
+ // Convert unicode to a char
+- unicodeToChar = QString::QString(QChar(unicode)); //"\'" + QString::QString(QChar(unicode)) + "\'";
++ unicodeToChar = QString(QChar(unicode)); //"\'" + QString::QString(QChar(unicode)) + "\'";
+ return unicodeToChar;
+ } else {
+ // Last column (error weight)
+--- a/sql/startsql.cpp
++++ b/sql/startsql.cpp
+@@ -344,7 +344,7 @@ bool StartSql::updateOwnLesson(QString l
+ for (i = 0; i < content.size(); i++) {
+ //simplifiedContent = QString::QString(
+ // content.at(i)).replace(QChar(0x27), "''", Qt::CaseSensitive).simplified();
+- simplifiedContent = trim(QString::QString(
++ simplifiedContent = trim(QString(
+ content.at(i)).replace(QChar(0x27), "''", Qt::CaseSensitive));
+
+ if (!query.exec("INSERT INTO own_content VALUES(NULL,'" +
+--- a/def/defines.h
++++ b/def/defines.h
+@@ -27,9 +27,9 @@ Foundation, Inc., 51 Franklin Street, Fi
+ #define DEFINES_H
+
+ // OS constants
+-#define APP_WIN true
++#define APP_WIN false
+ #define APP_MAC false
+-#define APP_X11 false
++#define APP_X11 true
+ #define APP_PORTABLE false //at least one of the 3 OS must be true too!
+
+ // Languages
+@@ -47,6 +47,7 @@ Foundation, Inc., 51 Franklin Street, Fi
+ #define APP_URL "http://www.tipp10.com"
+ #define APP_DB "tipp10v2.template"
+ #define APP_USER_DB "tipp10v2.db"
++#define APP_SHARE_DIR "/usr/share/tipp10"
+
+ // Update constants
+ #define UPDATE_URL "www.tipp10.com"
+--- a/tipp10.pro
++++ b/tipp10.pro
+@@ -88,3 +88,15 @@ SOURCES += main.cpp \
+ sql/startsql.cpp \
+ games/abcrainwidget.cpp \
+ games/charball.cpp
++
++target.path = /usr/bin/
++INSTALLS += target
++share.path = /usr/share/tipp10/
++share.files = release/* *wav
++INSTALLS += share
++desktop.path = /usr/share/applications/
++desktop.files = tipp10.desktop
++INSTALLS += desktop
++pixmap.path = /usr/share/pixmaps/
++pixmap.files = tipp10.png
++INSTALLS += pixmap
+--- a/sql/connection.h
++++ b/sql/connection.h
+@@ -179,11 +179,13 @@ static bool createConnection() {
+ CANCEL_NO, "Betroffener Pfad:\n" + dbPath);*/
+ // Try to create new databae in user path
+ // Exist a database in the program dir?
+- if (QFile::exists(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate)) {
++ // if (QFile::exists(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate)) {
++ if (QFile::exists(QString(APP_SHARE_DIR) + "/" + dbNameTemplate)) {
+ //if (QFile::exists(":/" + dbNameTemplate)) {
+ // A database exist in the program dir
+ // -> copy database to user home dir
+- QFile file(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate);
++ // QFile file(QCoreApplication::applicationDirPath() + "/" + dbNameTemplate);
++ QFile file(QString(APP_SHARE_DIR) + "/" + dbNameTemplate);
+ //QFile file(":/" + dbNameTemplate);
+ if (file.copy(dbPath)) {
+ QFile::setPermissions(dbPath, QFile::permissions(dbPath) | QFile::WriteUser);
+@@ -229,7 +231,8 @@ static bool createConnection() {
+ // Exist a database in user's home dir?
+ if (!QFile::exists(dbPath)) {
+ // Exist a database template in the program dir?
+- dbPath = QCoreApplication::applicationDirPath() + "/" + dbNameTemplate;
++ // dbPath = QCoreApplication::applicationDirPath() + "/" + dbNameTemplate;
++ dbPath = QString(APP_SHARE_DIR) + "/" + dbNameTemplate;
+ //dbPath = ":/" + dbNameTemplate;
+ if (QFile::exists(dbPath)) {
+ // A database template exist in the program dir
+--- a/widget/helpbrowser.cpp
++++ b/widget/helpbrowser.cpp
+@@ -52,13 +52,15 @@ HelpBrowser::HelpBrowser(QString link, Q
+ textBrowser->setOpenExternalLinks(true);
+
+ textBrowser->setSource(QString("file:///") +
+- QCoreApplication::applicationDirPath() +
++ // QCoreApplication::applicationDirPath() +
++ APP_SHARE_DIR +
+ QString("/help/") + language + QString("/index.html"));
+
+ if (link != "") {
+
+ textBrowser->setSource(QString("file:///") +
+- QCoreApplication::applicationDirPath() +
++ // QCoreApplication::applicationDirPath() +
++ APP_SHARE_DIR +
+ QString("/help/") + language + QString("/content/") + link);
+
+ }
+--- a/tipp10.desktop
++++ b/tipp10.desktop
+@@ -1,10 +1,10 @@
+ [Desktop Entry]
+-Encoding=UTF-8
+ Name=TIPP10
+ Comment=Touch Typing Tutor
+ Comment[de]=10-Finger-Schreibtrainer
+-Exec=tipp10
++Exec=/usr/bin/tipp10
+ Icon=tipp10.png
+ Terminal=false
+ Type=Application
+ Categories=Education;
++Keywords=learning;touchtyping
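Review bot: The new `APP_SHARE_DIR` in `def/defines.h` is hard-coded to `"/usr/share/tipp10"`, and `tipp10.pro` and `tipp10.desktop` likewise install to and execute from `/usr/bin/`; these are Debian's locations and do not exist on a Guix system unless the package definition rewrites them, which is not visible here. I would make the macro overridable so the build can pass the real prefix through qmake `DEFINES`: `#ifndef APP_SHARE_DIR` / `#define APP_SHARE_DIR "/usr/share/tipp10"` / `#endif`. If the data directory resolves to a path that is absent, `createConnection()` finds no database template and the help browser loads nothing. The commented-out `QCoreApplication::applicationDirPath()` lines left next to each replacement in `sql/connection.h` and `widget/helpbrowser.cpp` could simply be removed.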
diff --git a/gnu/packages/patches/tipp10-remove-license-code.patch b/gnu/packages/patches/tipp10-remove-license-code.patch
new file mode 100644
index 0000000000..4b7487e726
--- /dev/null
+++ b/gnu/packages/patches/tipp10-remove-license-code.patch
@@ -0,0 +1,332 @@
+Description: Remove license dialog and license key checking
+
+https://sources.debian.net/data/main/t/tipp10/2.1.0-2/debian/patches/0002-RemoveLicenseCode
+
+--- a/main.cpp
++++ b/main.cpp
+@@ -33,7 +33,6 @@ Foundation, Inc., 51 Franklin Street, Fi
+ #include "def/defines.h"
+ #include "sql/connection.h"
+ #include "widget/mainwindow.h"
+-#include "widget/licensedialog.h"
+ #include "widget/illustrationdialog.h"
+
+ int main(int argc, char *argv[]) {
+@@ -59,7 +58,7 @@ int main(int argc, char *argv[]) {
+ QSettings settings;
+ #endif
+
+- // Read/write language, license key and show illustration flag
++ // Read/write language and show illustration flag
+ settings.beginGroup("general");
+ QString languageGui = settings.value("language_gui",
+ QLocale::system().name()).toString();
+@@ -101,7 +100,6 @@ int main(int argc, char *argv[]) {
+ QString languageLesson = settings.value("language_lesson",
+ "").toString();
+
+- QString licenseKey = settings.value("licensekey", "").toString();
+ bool showIllustration = settings.value("check_illustration", true).toBool();
+ bool useNativeStyle = settings.value("check_native_style", false).toBool();
+ settings.endGroup();
+--- a/tipp10.pro
++++ b/tipp10.pro
+@@ -43,7 +43,6 @@ HEADERS += def/defines.h \
+ widget/helpbrowser.h \
+ widget/companylogo.h \
+ widget/errormessage.h \
+- widget/licensedialog.h \
+ widget/txtmessagedialog.h \
+ widget/checkversion.h \
+ sql/connection.h \
+@@ -78,7 +77,6 @@ SOURCES += main.cpp \
+ widget/helpbrowser.cpp \
+ widget/companylogo.cpp \
+ widget/errormessage.cpp \
+- widget/licensedialog.cpp \
+ widget/txtmessagedialog.cpp \
+ widget/checkversion.cpp \
+ sql/lessontablesql.cpp \
+--- a/widget/licensedialog.cpp
++++ /dev/null
+@@ -1,168 +0,0 @@
+-/*
+-Copyright (c) 2006-2009, Tom Thielicke IT Solutions
+-
+-This program is free software; you can redistribute it and/or
+-modify it under the terms of the GNU General Public License
+-as published by the Free Software Foundation; either version 2
+-of the License.
+-
+-This program is distributed in the hope that it will be useful,
+-but WITHOUT ANY WARRANTY; without even the implied warranty of
+-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-GNU General Public License for more details.
+-
+-You should have received a copy of the GNU General Public License
+-along with this program; if not, write to the Free Software
+-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+-02110-1301, USA.
+-*/
+-
+-/****************************************************************
+-**
+-** Implementation of the LicenseDialog class
+-** File name: licensedialog.cpp
+-**
+-****************************************************************/
+-
+-#include <QHBoxLayout>
+-#include <QVBoxLayout>
+-#include <QMessageBox>
+-#include <QSettings>
+-#include <QCoreApplication>
+-
+-#include "licensedialog.h"
+-#include "def/defines.h"
+-
+-LicenseDialog::LicenseDialog(QWidget *parent) : QDialog(parent) {
+-
+- setWindowFlags(windowFlags() ^ Qt::WindowContextHelpButtonHint);
+-
+- setWindowTitle(tr("Lizenznummer"));
+- setWindowIcon(QIcon(":/img/" + QString(ICON_FILENAME)));
+-
+- // Create texbox
+- createLineEdit();
+-
+- // Create buttons
+- createButtons();
+-
+- // Set the layout of all widgets created above
+- createLayout();
+-
+- lineLicensing->setFocus();
+-}
+-
+-void LicenseDialog::createButtons() {
+- //Buttons
+- buttonOk = new QPushButton(this);
+- buttonDemo = new QPushButton(this);
+-
+- buttonOk->setText(tr("&Ok"));
+- buttonDemo->setText(tr("&Demo starten"));
+- buttonDemo->setToolTip(tr("Im Demo-Modus koennen pro Lektion nur\n"
+- "10 Schriftzeichen eingegeben werden"));
+-
+- buttonOk->setDefault(true);
+- // Widget connections
+- connect(buttonOk, SIGNAL(clicked()), this, SLOT(clickOk()));
+- connect(buttonDemo, SIGNAL(clicked()), this, SLOT(clickDemo()));
+-}
+-
+-void LicenseDialog::createLineEdit() {
+-
+- lineLicensing = new QLineEdit();
+- lineLicensing->setInputMask(">NNNNNNNNNNNNNN");
+-
+- labelLicensing = new QLabel(tr("Bitte geben Sie Ihre Lizenznummer "
+- "(ohne Leerzeichen) ein, "
+- "die Sie im Arbeitsbuch (Schulbuch) auf Seite 3 finden:"));
+-
+- labelLicensing->setWordWrap(true);
+-}
+-
+-void LicenseDialog::createLayout() {
+- // Button layout horizontal
+- QHBoxLayout *buttonLayoutHorizontal = new QHBoxLayout;
+- buttonLayoutHorizontal->addStretch(1);
+- buttonLayoutHorizontal->addWidget(buttonDemo);
+- buttonLayoutHorizontal->addWidget(buttonOk);
+- // Full layout of all widgets vertical
+- QVBoxLayout *mainLayout = new QVBoxLayout;
+- mainLayout->addSpacing(1);
+- mainLayout->addWidget(labelLicensing);
+- mainLayout->addSpacing(1);
+- mainLayout->addWidget(lineLicensing);
+- mainLayout->addSpacing(1);
+- mainLayout->addLayout(buttonLayoutHorizontal);
+- mainLayout->setMargin(15);
+- mainLayout->setSpacing(15);
+- // Pass layout to parent widget (this)
+- this->setLayout(mainLayout);
+-}
+-
+-void LicenseDialog::clickOk() {
+-
+- // Check license key
+- if (!checkLicenseKey(lineLicensing->text())) {
+-
+- // License key is wrong
+-
+- // Message to the user
+- QMessageBox::information(0, APP_NAME,
+- tr("Die eingegebene Lizenznummer ist leider nicht "
+- "korrekt.\nBitte ueberpruefen Sie die Schreibweise."));
+-
+- lineLicensing->setFocus();
+-
+- } else {
+-
+- // License key is ok
+- writeSettings();
+- accept();
+- }
+-}
+-
+-void LicenseDialog::clickDemo() {
+- accept();
+-}
+-
+-bool LicenseDialog::checkLicenseKey(QString licenseKey) {
+- if (licenseKey.size() == 14 &&
+- licenseKey[0].isLetter() &&
+- licenseKey[1].isLetter() &&
+- (licenseKey.mid(2, 2) == "39" ||
+- licenseKey.mid(2, 2) == "41" ||
+- licenseKey.mid(2, 2) == "43" ||
+- licenseKey.mid(2, 2) == "49" ||
+- licenseKey.mid(2, 2) == "99") &&
+- licenseKey[4].isDigit() &&
+- licenseKey[5].isDigit() &&
+- licenseKey[6].isDigit() &&
+- licenseKey[7].isLetter() &&
+- licenseKey[8].isDigit() &&
+- licenseKey[9].isDigit() &&
+- licenseKey[10].isDigit() &&
+- licenseKey[11].isDigit() &&
+- licenseKey[12].isLetter() &&
+- licenseKey[13].isLetter()) {
+-
+- return true;
+- }
+- return false;
+-}
+-
+-void LicenseDialog::writeSettings() {
+- // Saves settings of the startwiget
+- // (uses the default constructor of QSettings, passing
+- // the application and company name see main function)
+- #if APP_PORTABLE
+- QSettings settings(QCoreApplication::applicationDirPath() +
+- "/portable/settings.ini", QSettings::IniFormat);
+- #else
+- QSettings settings;
+- #endif
+-
+- settings.beginGroup("general");
+- settings.setValue("licensekey", lineLicensing->text());
+- settings.endGroup();
+-}
+--- a/widget/licensedialog.h
++++ /dev/null
+@@ -1,85 +0,0 @@
+-/*
+-Copyright (c) 2006-2009, Tom Thielicke IT Solutions
+-
+-This program is free software; you can redistribute it and/or
+-modify it under the terms of the GNU General Public License
+-as published by the Free Software Foundation; either version 2
+-of the License.
+-
+-This program is distributed in the hope that it will be useful,
+-but WITHOUT ANY WARRANTY; without even the implied warranty of
+-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-GNU General Public License for more details.
+-
+-You should have received a copy of the GNU General Public License
+-along with this program; if not, write to the Free Software
+-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+-02110-1301, USA.
+-*/
+-
+-/****************************************************************
+-**
+-** Definition of the LicenseDialog class
+-** File name: licensedialog.h
+-**
+-****************************************************************/
+-
+-#ifndef LICENSEDIALOG_H
+-#define LICENSEDIALOG_H
+-
+-#include <QDialog>
+-#include <QWidget>
+-#include <QPushButton>
+-#include <QLabel>
+-#include <QLineEdit>
+-#include <QString>
+-
+-//! The LicenseDialog class provides a license input widget.
+-/*!
+- The LicenseDialog class shows a dialog to enter a license key.
+-
+- @author Tom Thielicke, s712715
+- @version 0.0.1
+- @date 09.09.2008
+-*/
+-class LicenseDialog : public QDialog {
+- Q_OBJECT
+-
+- public:
+-
+- //! Constructor, creates two table objects and provide it in two tabs.
+- LicenseDialog(QWidget *parent = 0);
+-
+- bool checkLicenseKey(QString licenseKey);
+-
+- public slots:
+-
+- private slots:
+-
+- //! Start button pressed
+- void clickOk();
+-
+- //! Demo button pressed
+- void clickDemo();
+-
+- private:
+-
+- //! Creates a cancel and a ok button.
+- void createButtons();
+-
+- //! Creates a textbox.
+- void createLineEdit();
+-
+- //! Creates the layout of the complete class.
+- void createLayout();
+-
+- //! Writes user settings
+- void writeSettings();
+-
+- QPushButton *buttonOk;
+- QPushButton *buttonDemo;
+- QLabel *labelLicensing;
+- QLineEdit *lineLicensing;
+-};
+-
+-#endif //LICENSEDIALOG_H
+--- a/widget/mainwindow.cpp
++++ b/widget/mainwindow.cpp
+@@ -116,11 +116,6 @@ void MainWindow::closeEvent(QCloseEvent
+ }
+ }
+
+-bool MainWindow::checkLicenseKey(QString licenseKey) {
+-
+- return false;
+-}
+-
+ void MainWindow::createMenu() {
+ //Mac-Version:
+ //-----------
+--- a/widget/mainwindow.h
++++ b/widget/mainwindow.h
+@@ -39,7 +39,6 @@ Foundation, Inc., 51 Franklin Street, Fi
+ #include "trainingwidget.h"
+ #include "evaluationwidget.h"
+ #include "illustrationdialog.h"
+-#include "licensedialog.h"
+ #include "games/abcrainwidget.h"
+ #include "helpbrowser.h"
+
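Review bot: The definition of `MainWindow::checkLicenseKey` is deleted from `widget/mainwindow.cpp`, but the only change to `widget/mainwindow.h` in this patch removes the `licensedialog.h` include, so the member declaration presumably stays behind in the class. A declaration without a definition compiles, but any remaining caller would fail at link time, and it leaves a misleading trace of the licence check in the header. I would extend the `mainwindow.h` part of the patch to drop the `bool checkLicenseKey(QString licenseKey);` line as well; the class body is outside the hunk, so the exact spelling of that line should be confirmed against the source.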
diff --git a/gnu/packages/patches/totem-debug-format-fix.patch b/gnu/packages/patches/totem-debug-format-fix.patch
deleted file mode 100644
index 7ddd31ee10..0000000000
--- a/gnu/packages/patches/totem-debug-format-fix.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- totem-3.20.1/src/backend/bacon-video-widget.c.orig 2016-03-22 12:45:32.000000000 -0400
-+++ totem-3.20.1/src/backend/bacon-video-widget.c 2016-05-11 02:49:55.299109551 -0400
-@@ -2334,7 +2334,7 @@
- if (!gst_toc_entry_get_start_stop_times (entry, &start, &stop)) {
- GST_DEBUG ("Chapter #%d (couldn't get times)", i);
- } else {
-- GST_DEBUG ("Chapter #%d (start: %li stop: %li)", i, start, stop);
-+ GST_DEBUG ("Chapter #%d (start: %li stop: %li)", i, (long) start, (long) stop);
- }
- }
-
diff --git a/gnu/packages/patches/upower-builddir.patch b/gnu/packages/patches/upower-builddir.patch
index 13cef5876a..d59d4364b8 100644
--- a/gnu/packages/patches/upower-builddir.patch
+++ b/gnu/packages/patches/upower-builddir.patch
@@ -37,7 +37,7 @@ Patch by Andy Wingo <wingo@igalia.com>
- if (g_file_test ("../etc/UPower.conf", G_FILE_TEST_EXISTS))
- g_setenv ("UPOWER_CONF_FILE_NAME", "../etc/UPower.conf", TRUE);
- else
-- g_setenv ("UPOWER_CONF_FILE_NAME", "../../etc/UPower.conf", TRUE);
+- g_setenv ("UPOWER_CONF_FILE_NAME", "../../../etc/UPower.conf", TRUE);
-
/* tests go here */
g_test_add_func ("/power/backend", up_test_backend_func);
diff --git a/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch b/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch
deleted file mode 100644
index 969ed7e41e..0000000000
--- a/gnu/packages/patches/xf86-video-glint-remove-mibstore.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Removes references to mibstore.h and miInitializeBackingStore, which
-have been removed from xorg-server. Zack Rusin <zackr@vmware.com>
-wrote: "It was a noop for at least 5 years and it has been removed."
-See: http://patches.openembedded.org/patch/46133/
-
---- xf86-video-glint-1.2.8/src/glint_driver.c.~1~ 2012-07-15 22:50:47.000000000 -0400
-+++ xf86-video-glint-1.2.8/src/glint_driver.c 2014-12-19 00:42:39.162714279 -0500
-@@ -52,8 +52,6 @@
- #include "compiler.h"
- #include "mipointer.h"
-
--#include "mibstore.h"
--
- #include "pm3_regs.h"
- #include "glint_regs.h"
- #include "IBM.h"
-@@ -2904,7 +2902,6 @@
- }
- }
-
-- miInitializeBackingStore(pScreen);
- xf86SetBackingStore(pScreen);
- xf86SetSilkenMouse(pScreen);
-
diff --git a/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch b/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch
deleted file mode 100644
index 48588ed0e4..0000000000
--- a/gnu/packages/patches/xf86-video-nv-remove-mibstore.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Removes references to mibstore.h and miInitializeBackingStore, which
-have been removed from xorg-server. Zack Rusin <zackr@vmware.com>
-wrote: "It was a noop for at least 5 years and it has been removed."
-See: http://patches.openembedded.org/patch/46133/
-
-diff -ru xf86-video-nv-2.1.20.orig/src/g80_driver.c xf86-video-nv-2.1.20/src/g80_driver.c
---- xf86-video-nv-2.1.20.orig/src/g80_driver.c 2012-07-17 02:47:02.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/g80_driver.c 2014-12-17 10:11:42.197579082 -0500
-@@ -34,7 +34,6 @@
- #include <xf86Resources.h>
- #endif
- #include <mipointer.h>
--#include <mibstore.h>
- #include <micmap.h>
- #include <xf86cmap.h>
- #include <fb.h>
-@@ -833,7 +832,6 @@
- }
- }
-
-- miInitializeBackingStore(pScreen);
- xf86SetBackingStore(pScreen);
- xf86SetSilkenMouse(pScreen);
-
-diff -ru xf86-video-nv-2.1.20.orig/src/nv_driver.c xf86-video-nv-2.1.20/src/nv_driver.c
---- xf86-video-nv-2.1.20.orig/src/nv_driver.c 2012-07-17 02:47:02.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/nv_driver.c 2014-12-17 10:11:39.037563413 -0500
-@@ -2550,7 +2550,6 @@
- if (!pNv->NoAccel)
- NVAccelInit(pScreen);
-
-- miInitializeBackingStore(pScreen);
- xf86SetBackingStore(pScreen);
- xf86SetSilkenMouse(pScreen);
-
-diff -ru xf86-video-nv-2.1.20.orig/src/nv_include.h xf86-video-nv-2.1.20/src/nv_include.h
---- xf86-video-nv-2.1.20.orig/src/nv_include.h 2012-07-17 02:48:19.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/nv_include.h 2014-12-17 10:11:22.089479372 -0500
-@@ -24,9 +24,6 @@
- /* All drivers initialising the SW cursor need this */
- #include "mipointer.h"
-
--/* All drivers implementing backing store need this */
--#include "mibstore.h"
--
- #include "micmap.h"
-
- #include "xf86DDC.h"
-diff -ru xf86-video-nv-2.1.20.orig/src/riva_driver.c xf86-video-nv-2.1.20/src/riva_driver.c
---- xf86-video-nv-2.1.20.orig/src/riva_driver.c 2012-07-17 02:47:02.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/riva_driver.c 2014-12-17 10:11:31.101524060 -0500
-@@ -1168,7 +1168,6 @@
- if (!pRiva->NoAccel)
- RivaAccelInit(pScreen);
-
-- miInitializeBackingStore(pScreen);
- xf86SetBackingStore(pScreen);
- xf86SetSilkenMouse(pScreen);
-
-diff -ru xf86-video-nv-2.1.20.orig/src/riva_include.h xf86-video-nv-2.1.20/src/riva_include.h
---- xf86-video-nv-2.1.20.orig/src/riva_include.h 2012-07-17 02:48:45.000000000 -0400
-+++ xf86-video-nv-2.1.20/src/riva_include.h 2014-12-17 10:11:12.229430478 -0500
-@@ -22,9 +22,6 @@
- /* All drivers initialising the SW cursor need this */
- #include "mipointer.h"
-
--/* All drivers implementing backing store need this */
--#include "mibstore.h"
--
- #include "micmap.h"
-
- #include "xf86DDC.h"