Merge branch 'master' into staging

3 files changed, 260 insertions, 0 deletions

diff --git a/gnu/packages/patches/libcroco-CVE-2017-7960.patch b/gnu/packages/patches/libcroco-CVE-2017-7960.patch
new file mode 100644
index 0000000000..0319c7389f
--- /dev/null
+++ b/gnu/packages/patches/libcroco-CVE-2017-7960.patch
@@ -0,0 +1,66 @@
+Fix CVE-2017-7960:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7960
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394
+
+From 898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Sun, 16 Apr 2017 13:13:43 +0200
+Subject: input: check end of input before reading a byte
+
+When reading bytes we weren't check that the index wasn't
+out of bound and this could produce an invalid read which
+could deal to a security bug.
+---
+ src/cr-input.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cr-input.c b/src/cr-input.c
+index 49000b1..3b63a88 100644
+--- a/src/cr-input.c
++++ b/src/cr-input.c
+@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc)
+                  *we should  free buf here because it's own by CRInput.
+                  *(see the last parameter of cr_input_new_from_buf().
+                  */
+-                buf = NULL ;
++                buf = NULL;
+         }
+ 
+  cleanup:
+@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this)
+ enum CRStatus
+ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ {
++        gulong nb_bytes_left = 0;
++
+         g_return_val_if_fail (a_this && PRIVATE (a_this)
+                               && a_byte, CR_BAD_PARAM_ERROR);
+ 
+@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+         if (PRIVATE (a_this)->end_of_input == TRUE)
+                 return CR_END_OF_INPUT_ERROR;
+ 
++        nb_bytes_left = cr_input_get_nb_bytes_left (a_this);
++
++        if (nb_bytes_left < 1) {
++                return CR_END_OF_INPUT_ERROR;
++        }
++
+         *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index];
+ 
+         if (PRIVATE (a_this)->nb_bytes -
+@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char)
+                 if (*a_char == '\n') {
+                         PRIVATE (a_this)->end_of_line = TRUE;
+                 }
+-
+         }
+ 
+         return status;
+-- 
+cgit v0.12
+
diff --git a/gnu/packages/patches/libcroco-CVE-2017-7961.patch b/gnu/packages/patches/libcroco-CVE-2017-7961.patch
new file mode 100644
index 0000000000..675dbe4f08
--- /dev/null
+++ b/gnu/packages/patches/libcroco-CVE-2017-7961.patch
@@ -0,0 +1,50 @@
+Fix CVE-2017-7961:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7961
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7
+
+From 9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Sun, 16 Apr 2017 13:56:09 +0200
+Subject: tknzr: support only max long rgb values
+
+This fixes a possible out of bound when reading rgbs which
+are longer than the support MAXLONG
+---
+ src/cr-tknzr.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c
+index 1a7cfeb..1548c35 100644
+--- a/src/cr-tknzr.c
++++ b/src/cr-tknzr.c
+@@ -1279,6 +1279,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+         status = cr_tknzr_parse_num (a_this, &num);
+         ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+ 
++        if (num->val > G_MAXLONG) {
++                status = CR_PARSING_ERROR;
++                goto error;
++        }
++
+         red = num->val;
+         cr_num_destroy (num);
+         num = NULL;
+@@ -1298,6 +1303,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+                 status = cr_tknzr_parse_num (a_this, &num);
+                 ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+ 
++                if (num->val > G_MAXLONG) {
++                        status = CR_PARSING_ERROR;
++                        goto error;
++                }
++
+                 PEEK_BYTE (a_this, 1, &next_bytes[0]);
+                 if (next_bytes[0] == '%') {
+                         SKIP_CHARS (a_this, 1);
+-- 
+cgit v0.12
+
diff --git a/gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch b/gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch
new file mode 100644
index 0000000000..51d6c3e791
--- /dev/null
+++ b/gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch
@@ -0,0 +1,144 @@
+This patch comes from Debian and was modified by Kei Kebreau <kei@openmailbox.org>.
+Link: https://anonscm.debian.org/cgit/pkg-wmaker/wmfire.git/plain/debian/patches/gdk_updates.patch?h=debian/1.2.4-2&id=a272234fc5eecdbfc469adb12133196bc62f3059
+
+Description: Update for newer versions of GDK.
+ In particular, the icon window was not receiving enter and leave events from
+ the pointer.  To fix this, we get rid of the second GdkWindow iconwin entirely
+ and set win to be its own icon.
+ .
+ This also removes the need for the "broken window manager" fix, so we remove it
+ and all references to it.
+Author: Doug Torrance <dtorrance@piedmont.edu>
+
+diff -ur wmfire-1.2.4.old/src/wmfire.c wmfire-1.2.4/src/wmfire.c
+--- wmfire-1.2.4.old/src/wmfire.c	2017-04-23 14:26:58.449487117 -0400
++++ wmfire-1.2.4/src/wmfire.c	2017-04-23 14:32:10.785238671 -0400
+@@ -77,7 +77,6 @@
+ typedef struct {
+ 	Display *display;	/* X11 display */
+ 	GdkWindow *win;		/* Main window */
+-	GdkWindow *iconwin;	/* Icon window */
+ 	GdkGC *gc;		/* Drawing GC */
+ 	GdkPixmap *pixmap;	/* Main pixmap */
+ 	GdkBitmap *mask;	/* Dockapp mask */
+@@ -141,7 +140,6 @@
+ int cmap = 0;
+ int lock = 0;
+ int proximity = 0;
+-int broken_wm = 0;
+ 
+ /******************************************/
+ /* Main                                   */
+@@ -262,12 +260,8 @@
+ 		usleep(REFRESH);
+ 
+ 		/* Draw the rgb buffer to screen */
+-		if (!broken_wm)
+-			gdk_draw_rgb_image(bm.iconwin, bm.gc, 4, 4, XMAX, YMAX, GDK_RGB_DITHER_NONE, bm.rgb, XMAX * 3);
+-		else
+-			gdk_draw_rgb_image(bm.win, bm.gc, 4, 4, XMAX, YMAX, GDK_RGB_DITHER_NONE, bm.rgb, XMAX * 3);
++                gdk_draw_rgb_image(bm.win, bm.gc, 4, 4, XMAX, YMAX, GDK_RGB_DITHER_NONE, bm.rgb, XMAX * 3);
+ 	}
+-
+ 	return 0;
+ }
+ 
+@@ -556,9 +550,7 @@
+ #define MASK GDK_BUTTON_PRESS_MASK | GDK_ENTER_NOTIFY_MASK | GDK_LEAVE_NOTIFY_MASK | GDK_POINTER_MOTION_HINT_MASK
+ 
+ 	GdkWindowAttr attr;
+-	GdkWindowAttr attri;
+ 	Window win;
+-	Window iconwin;
+ 
+ 	GdkPixmap *icon;
+ 
+@@ -578,10 +570,6 @@
+ 	attr.wmclass_class = "wmfire";
+ 	attr.window_type = GDK_WINDOW_TOPLEVEL;
+ 
+-	/* Make a copy for the iconwin - parameters are the same */
+-	memcpy(&attri, &attr, sizeof (GdkWindowAttr));
+-	attri.window_type = GDK_WINDOW_CHILD;
+-
+ 	sizehints.flags = USSize;
+ 	sizehints.width = 64;
+ 	sizehints.height = 64;
+@@ -592,18 +580,11 @@
+ 		exit(1);
+ 	}
+ 
+-	bm.iconwin = gdk_window_new(bm.win, &attri, GDK_WA_TITLE | GDK_WA_WMCLASS);
+-	if (!bm.iconwin) {
+-		fprintf(stderr, "FATAL: Cannot make icon window\n");
+-		exit(1);
+-	}
+-
+ 	win = GDK_WINDOW_XWINDOW(bm.win);
+-	iconwin = GDK_WINDOW_XWINDOW(bm.iconwin);
+ 	XSetWMNormalHints(GDK_WINDOW_XDISPLAY(bm.win), win, &sizehints);
+ 
+ 	wmhints.initial_state = WithdrawnState;
+-	wmhints.icon_window = iconwin;
++	wmhints.icon_window = win;
+ 	wmhints.icon_x = 0;
+ 	wmhints.icon_y = 0;
+ 	wmhints.window_group = win;
+@@ -613,10 +594,8 @@
+ 
+ 	bm.pixmap = gdk_pixmap_create_from_xpm_d(bm.win, &(bm.mask), NULL, master_xpm);
+ 	gdk_window_shape_combine_mask(bm.win, bm.mask, 0, 0);
+-	gdk_window_shape_combine_mask(bm.iconwin, bm.mask, 0, 0);
+ 
+ 	gdk_window_set_back_pixmap(bm.win, bm.pixmap, False);
+-	gdk_window_set_back_pixmap(bm.iconwin, bm.pixmap, False);
+ 
+ #if 0
+         gdk_window_set_type_hint(bm.win, GDK_WINDOW_TYPE_HINT_DOCK);
+@@ -626,7 +605,6 @@
+ #endif
+ 
+ 	icon = gdk_pixmap_create_from_xpm_d(bm.win, NULL, NULL, icon_xpm);
+-	gdk_window_set_icon(bm.win, bm.iconwin, icon, NULL);
+ 
+ 	gdk_window_show(bm.win);
+ 
+@@ -721,9 +699,6 @@
+ 		case 'l':
+ 			lock = 1;
+ 			break;
+-		case 'b':
+-			broken_wm = 1;
+-			break;
+ 		case 'h':
+ 		default:
+ 			do_help();
+@@ -766,6 +741,5 @@
+ 	for (i = 0; i < NFLAMES; i++)
+ 		fprintf(stderr, "%d:%s ", i + 1, fire[i].text);
+ 	fprintf(stderr, "\n\t-l\t\t\tlock flame colour and monitor\n");
+-	fprintf(stderr, "\t-b\t\t\tactivate broken window manager fix\n");
+ 	fprintf(stderr, "\t-h\t\t\tprints this help\n");
+ }
+Only in wmfire-1.2.4/src: wmfire.c~
+diff -ur wmfire-1.2.4.old/wmfire.1 wmfire-1.2.4/wmfire.1
+--- wmfire-1.2.4.old/wmfire.1	2017-04-23 14:26:58.449487117 -0400
++++ wmfire-1.2.4/wmfire.1	2017-04-23 14:41:20.697186114 -0400
+@@ -8,7 +8,6 @@
+ 
+ .SH SYNOPSIS
+ .B wmfire
+-[-b]
+ [-c CPU]
+ [-f COLOUR]
+ [-F FILE]
+@@ -54,9 +53,6 @@
+ 
+ .SH OPTIONS
+ .TP
+-.B -b
+-Activate broken window manager fix (if grey box diplayed)
+-.TP
+ .B -c [0..3]
+ .br
+ Monitor SMP CPU number X