aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/contributing.texi6
-rw-r--r--doc/guix.texi93
-rw-r--r--gnu-system.am2
-rw-r--r--gnu/packages/audio.scm14
-rw-r--r--gnu/packages/bioinformatics.scm48
-rw-r--r--gnu/packages/curl.scm11
-rw-r--r--gnu/packages/databases.scm28
-rw-r--r--gnu/packages/freedesktop.scm3
-rw-r--r--gnu/packages/gdb.scm6
-rw-r--r--gnu/packages/guile.scm4
-rw-r--r--gnu/packages/kde-frameworks.scm23
-rw-r--r--gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch77
-rw-r--r--gnu/packages/patches/libssh-CVE-2014-0017.patch89
-rw-r--r--gnu/packages/ssh.scm50
-rw-r--r--guix/http-client.scm18
-rw-r--r--guix/scripts/publish.scm6
-rw-r--r--guix/scripts/system.scm23
-rw-r--r--guix/store.scm7
-rw-r--r--tests/publish.scm8
19 files changed, 347 insertions, 169 deletions
diff --git a/doc/contributing.texi b/doc/contributing.texi
index 54fb23a822..3dbd3dbba6 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -315,6 +315,6 @@ extensions---or to the operating system kernel---e.g., reliance on
@end enumerate
-When posting a patch to the mailing list, use @samp{[PATCH] @dots{}} as a
-subject. You may use your email client or the @command{git send-mail}
-command.
+When posting a patch to the mailing list, use @samp{[PATCH] @dots{}} as
+a subject. You may use your email client or the @command{git
+send-email} command.
diff --git a/doc/guix.texi b/doc/guix.texi
index 15b36f9039..60a46bb32b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -377,19 +377,29 @@ Create the group and user accounts for build users as explained below
(@pxref{Build Environment Setup}).
@item
-Run the daemon:
+Run the daemon, and set it to automatically start on boot.
+
+If your host distro uses the systemd init system, this can be achieved
+with these commands:
@example
-# ~root/.guix-profile/bin/guix-daemon --build-users-group=guixbuild
+# cp ~root/.guix-profile/lib/systemd/system/guix-daemon.service \
+ /etc/systemd/system/
+# systemctl start guix-daemon && systemctl enable guix-daemon
@end example
-On hosts using the systemd init system, drop
-@file{~root/.guix-profile/lib/systemd/system/guix-daemon.service} in
-@file{/etc/systemd/system}.
+If your host distro uses the Upstart init system:
+
+@example
+# cp ~root/.guix-profile/lib/upstart/system/guix-daemon.conf /etc/init/
+# start guix-daemon
+@end example
-Likewise, on hosts using the Upstart init system, drop
-@file{~root/.guix-profile/lib/upstart/system/guix-daemon.conf} in
-@file{/etc/init}.
+Otherwise, you can still start the daemon manually with:
+
+@example
+# ~root/.guix-profile/bin/guix-daemon --build-users-group=guixbuild
+@end example
@item
Make the @command{guix} command available to other users on the machine,
@@ -425,16 +435,25 @@ authorize them:
@end example
@end enumerate
-And that's it! For additional tips and tricks, @pxref{Application
-Setup}.
+This completes root-level install of Guix. Each user will need to
+perform additional steps to make their Guix envionment ready for use,
+@pxref{Application Setup}.
+
+You can confirm that Guix is working by installing a sample package into
+the root profile:
-The @code{guix} package must remain available in @code{root}'s
-profile, or it would become subject to garbage collection---in which
-case you would find yourself badly handicapped by the lack of the
-@command{guix} command.
+@example
+# guix package -i hello
+@end example
-The tarball in question can be (re)produced and verified simply by
-running the following command in the Guix source tree:
+The @code{guix} package must remain available in @code{root}'s profile,
+or it would become subject to garbage collection---in which case you
+would find yourself badly handicapped by the lack of the @command{guix}
+command. In other words, do not remove @code{guix} by running
+@code{guix package -r guix}.
+
+The binary installation tarball can be (re)produced and verified simply
+by running the following command in the Guix source tree:
@example
make guix-binary.@var{system}.tar.xz
@@ -1975,9 +1994,15 @@ On completion, @command{guix package} will use packages and package
versions from this just-retrieved copy of Guix. Not only that, but all
the Guix commands and Scheme modules will also be taken from that latest
version. New @command{guix} sub-commands added by the update also
-become available@footnote{Under the hood, @command{guix pull} updates
-the @file{~/.config/guix/latest} symbolic link to point to the latest
-Guix, and the @command{guix} command loads code from there.}.
+become available.
+
+Any user can update their Guix copy using @command{guix pull}, and the
+effect is limited to the user who run @command{guix pull}. For
+instance, when user @code{root} runs @command{guix pull}, this has no
+effect on the version of Guix that user @code{alice} sees, and vice
+versa@footnote{Under the hood, @command{guix pull} updates the
+@file{~/.config/guix/latest} symbolic link to point to the latest Guix,
+and the @command{guix} command loads code from there.}.
The @command{guix pull} command is usually invoked with no arguments,
but it supports the following options:
@@ -2888,7 +2913,14 @@ Procedures that make RPCs all take a server object as their first
argument.
@deffn {Scheme Procedure} valid-path? @var{server} @var{path}
-Return @code{#t} when @var{path} is a valid store path.
+@cindex invalid store items
+Return @code{#t} when @var{path} designates a valid store item and
+@code{#f} otherwise (an invalid item may exist on disk but still be
+invalid, for instance because it is the result of an aborted or failed
+build.)
+
+A @code{&nix-protocol-error} condition is raised if @var{path} is not
+prefixed by the store directory (@file{/gnu/store}).
@end deffn
@deffn {Scheme Procedure} add-text-to-store @var{server} @var{name} @var{text} [@var{references}]
@@ -6272,7 +6304,12 @@ is interpreted as a partition label name; when it is @code{uuid},
@code{device} is interpreted as a partition unique identifier (UUID).
UUIDs may be converted from their string representation (as shown by the
-@command{tune2fs -l} command) using the @code{uuid} form, like this:
+@command{tune2fs -l} command) using the @code{uuid} form@footnote{The
+@code{uuid} form expects 16-byte UUIDs as defined in
+@uref{https://tools.ietf.org/html/rfc4122, RFC@tie{}4122}. This is the
+form of UUID used by the ext2 family of file systems and others, but it
+is different from ``UUIDs'' found in FAT file systems, for instance.},
+like this:
@example
(file-system
@@ -9340,7 +9377,7 @@ guix system @var{options}@dots{} @var{action} @var{file}
@var{file} must be the name of a file containing an
@code{operating-system} declaration. @var{action} specifies how the
-operating system is instantiate. Currently the following values are
+operating system is instantiated. Currently the following values are
supported:
@table @code
@@ -9806,7 +9843,7 @@ the composition of the extensions.
Udev extensions are composed into a list of rules, but the udev service
value is itself a @code{<udev-configuration>} record. So here, we
-extend that record by appending the list of rules is contains to the
+extend that record by appending the list of rules it contains to the
list of contributed rules.
@end table
@@ -10000,11 +10037,11 @@ extend it by passing it lists of packages to add to the system profile.
@cindex PID 1
@cindex init system
-The @code{(gnu services shepherd)} provides a way to define services
-managed by the GNU@tie{}Shepherd, which is GuixSD initialization
-system---the first process that is started when the system boots,
-aka. PID@tie{}1 (@pxref{Introduction,,, shepherd, The GNU Shepherd
-Manual}).
+The @code{(gnu services shepherd)} module provides a way to define
+services managed by the GNU@tie{}Shepherd, which is the GuixSD
+initialization system---the first process that is started when the
+system boots, aka. PID@tie{}1 (@pxref{Introduction,,, shepherd, The GNU
+Shepherd Manual}).
Services in the Shepherd can depend on each other. For instance, the
SSH daemon may need to be started after the syslog daemon has been
diff --git a/gnu-system.am b/gnu-system.am
index b5f59e3449..431c2b5cd1 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -566,12 +566,12 @@ dist_patch_DATA = \
gnu/packages/patches/libmad-armv7-thumb-pt2.patch \
gnu/packages/patches/libmad-frame-length.patch \
gnu/packages/patches/libmad-mips-newgcc.patch \
+ gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch \
gnu/packages/patches/libtheora-config-guess.patch \
gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch \
gnu/packages/patches/libtiff-oob-accesses-in-decode.patch \
gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch \
gnu/packages/patches/libtool-skip-tests2.patch \
- gnu/packages/patches/libssh-CVE-2014-0017.patch \
gnu/packages/patches/libunwind-CVE-2015-3239.patch \
gnu/packages/patches/libwmf-CAN-2004-0941.patch \
gnu/packages/patches/libwmf-CVE-2006-3376.patch \
diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm
index 10f16ddd1f..4c4322d872 100644
--- a/gnu/packages/audio.scm
+++ b/gnu/packages/audio.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 Alex Kost <alezost@gmail.com>
@@ -158,24 +158,24 @@ streams from live audio.")
(define-public ardour
(package
(name "ardour")
- (version "4.4")
+ (version "4.7")
(source (origin
(method git-fetch)
(uri (git-reference
(url "git://git.ardour.org/ardour/ardour.git")
(commit version)))
(snippet
- ;; Ardour expects this file to exist at build time. It can be
- ;; created from a git checkout with:
- ;; ./waf create_stored_revision
+ ;; Ardour expects this file to exist at build time. The revision
+ ;; is the output of
+ ;; git describe HEAD | sed 's/^[A-Za-z]*+//'
'(call-with-output-file
"libs/ardour/revision.cc"
(lambda (port)
(format port "#include \"ardour/revision.h\"
-namespace ARDOUR { const char* revision = \"4.4-210-ga4daf93\" ; }"))))
+namespace ARDOUR { const char* revision = \"4.7-219-g0e36f8e\" ; }"))))
(sha256
(base32
- "1gnrcnq2ksnh7fsa301v1c4p5dqrbqpjylf02rg3za3ab58wxi7l"))
+ "149gswphz77m3pkzsn2nqbm6yvcfa3fva560bcvjzlgb73f64q5l"))
(file-name (string-append name "-" version))))
(build-system waf-build-system)
(arguments
diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index c502caf8ec..8958ec502d 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -40,6 +40,8 @@
#:use-module (gnu packages boost)
#:use-module (gnu packages compression)
#:use-module (gnu packages cpio)
+ #:use-module (gnu packages curl)
+ #:use-module (gnu packages doxygen)
#:use-module (gnu packages file)
#:use-module (gnu packages gawk)
#:use-module (gnu packages gcc)
@@ -1081,6 +1083,52 @@ preparation protocols.")
other types of unwanted sequence from high-throughput sequencing reads.")
(license license:expat)))
+(define-public libbigwig
+ (package
+ (name "libbigwig")
+ (version "0.1.4")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/dpryan79/libBigWig/"
+ "archive/" version ".tar.gz"))
+ (file-name (string-append name "-" version ".tar.gz"))
+ (sha256
+ (base32
+ "098rjh35pi4a9q83n8wiwvyzykjqj6l8q189p1xgfw4ghywdlvw1"))))
+ (build-system gnu-build-system)
+ (arguments
+ `(#:test-target "test"
+ #:make-flags
+ (list "CC=gcc"
+ (string-append "prefix=" (assoc-ref %outputs "out")))
+ #:phases
+ (modify-phases %standard-phases
+ (delete 'configure)
+ (add-before 'check 'disable-curl-test
+ (lambda _
+ (substitute* "Makefile"
+ (("./test/testRemote.*") ""))
+ #t))
+ ;; This has been fixed with the upstream commit 4ff6959cd8a0, but
+ ;; there has not yet been a release containing this change.
+ (add-before 'install 'create-target-dirs
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let ((out (assoc-ref outputs "out")))
+ (mkdir-p (string-append out "/lib"))
+ (mkdir-p (string-append out "/include"))
+ #t))))))
+ (inputs
+ `(("zlib" ,zlib)
+ ("curl" ,curl)))
+ (native-inputs
+ `(("doxygen" ,doxygen)))
+ (home-page "https://github.com/dpryan79/libBigWig")
+ (synopsis "C library for handling bigWig files")
+ (description
+ "This package provides a C library for parsing local and remote BigWig
+files.")
+ (license license:expat)))
+
(define-public deeptools
(package
(name "deeptools")
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 222910b655..46e0fa0f16 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -54,7 +54,16 @@
(inputs `(("gnutls" ,gnutls)
("gss" ,gss)
("libidn" ,libidn)
- ("libssh2" ,libssh2)
+
+ ;; XXX libssh2-1.4 is a temporary package for use only by curl,
+ ;; to allow most users of libssh2 to get the security update for
+ ;; CVE-2016-7087 while postponing the large number of rebuilds
+ ;; entailed by updating curl. Soon, curl should be updated to
+ ;; use the latest libssh2 and libssh2-1.4 should be removed.
+
+ ;; XXX libssh2-1.4 is vulnerable to CVE-2016-0787.
+ ("libssh2" ,libssh2-1.4)
+
("openldap" ,openldap)
("zlib" ,zlib)))
(native-inputs
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index b51d96846a..7c30208035 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -8,6 +8,7 @@
;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016 Nils Gillmann <niasterisk@grrlz.net>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -822,3 +823,30 @@ supports many data structures including strings, hashes, lists, sets, sorted
sets, bitmaps and hyperloglogs.")
(home-page "http://redis.io/")
(license bsd-3)))
+
+(define-public kyotocabinet
+ (package
+ (name "kyotocabinet")
+ (version "1.2.76")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "http://fallabs.com/kyotocabinet/pkg/"
+ name "-" version ".tar.gz"))
+ (sha256
+ (base32
+ "0g6js20x7vnpq4p8ghbw3mh9wpqksya9vwhzdx6dnlf354zjsal1"))))
+ (build-system gnu-build-system)
+ (arguments
+ `(#:configure-flags
+ (list
+ (string-append "LDFLAGS=-Wl,-rpath="
+ (assoc-ref %outputs "out") "/lib"))))
+ (inputs `(("zlib" ,zlib)))
+ (home-page "http://fallabs.com/kyotocabinet/")
+ (synopsis
+ "Kyoto Cabinet is a modern implementation of the DBM database")
+ (description
+ "Kyoto Cabinet is a standalone file-based database that supports Hash
+and B+ Tree data storage models. It is a fast key-value lightweight
+database and supports many programming languages. It is a NoSQL database.")
+ (license gpl3+)))
diff --git a/gnu/packages/freedesktop.scm b/gnu/packages/freedesktop.scm
index 7755cb98be..6a28379e95 100644
--- a/gnu/packages/freedesktop.scm
+++ b/gnu/packages/freedesktop.scm
@@ -67,6 +67,9 @@
(base32
"1b019d3r1379b60p33d6z44kx589xjgga62ijz9vha95dg8vgbi1"))))
(build-system gnu-build-system)
+ (propagated-inputs
+ `(("xprop" ,xprop) ; for Xfce detecting
+ ("xset", xset))) ; for xdg-screensaver
(arguments
`(#:tests? #f)) ; no check target
(home-page "http://portland.freedesktop.org/")
diff --git a/gnu/packages/gdb.scm b/gnu/packages/gdb.scm
index 81d6a8950d..9065732c78 100644
--- a/gnu/packages/gdb.scm
+++ b/gnu/packages/gdb.scm
@@ -1,7 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2015 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -37,14 +37,14 @@
(define-public gdb
(package
(name "gdb")
- (version "7.10.1")
+ (version "7.11")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/gdb/gdb-"
version ".tar.xz"))
(sha256
(base32
- "1mfnjcwnwm5cg4rc9pncs9v356a0bz6ymjyac56mbj6784yjzir5"))))
+ "1hg5kwwdvi9b9nxzxfjnx8fx3gip75fqyvkp82xpf3b3rcb42hvs"))))
(build-system gnu-build-system)
(arguments
`(#:tests? #f ; FIXME "make check" fails on single-processor systems.
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 2c83f56f40..5349fda081 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -449,14 +449,14 @@ for Guile\".")
(define-public guile-json
(package
(name "guile-json")
- (version "0.4.0")
+ (version "0.5.0")
(source (origin
(method url-fetch)
(uri (string-append "mirror://savannah/guile-json/guile-json-"
version ".tar.gz"))
(sha256
(base32
- "0v06272rw4ycwzssjf3fzpk2vhpslvl55hz94q80vc6f74j0d5h6"))
+ "0l8a34l92nrdszy7ykycfvr8y0n0yi5qb3ccliycvpvf9mzk5n8d"))
(modules '((guix build utils)))
(snippet
;; Make sure everything goes under .../site/2.0, like Guile's
diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
index 5e73a6b7fa..ec637e55d1 100644
--- a/gnu/packages/kde-frameworks.scm
+++ b/gnu/packages/kde-frameworks.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -26,7 +27,7 @@
#:use-module (gnu packages qt)
#:use-module (gnu packages xorg))
-(define kde-frameworks-version "5.12.0")
+(define kde-frameworks-version "5.19.0")
(define-public extra-cmake-modules
(package
@@ -39,7 +40,8 @@
(version-major+minor version) "/"
name "-" version ".tar.xz"))
(sha256
- (base32 "14n77sn493m8kzr42wv13mdgxpnbx7x64bvw37ircrx8wmf4002i"))))
+ (base32
+ "1dl3hhbara7iswb5wsc5dp17ar3ljw5f0nrncl8vry9smaz2zl63"))))
;; The package looks for Qt5LinguistTools provided by Qt, but apparently
;; compiles without it; it might be needed for building the
;; documentation, which requires the additional Sphinx package.
@@ -63,18 +65,19 @@ common build settings used in software produced by the KDE community.")
(version-major+minor version) "/"
name "-" version ".tar.xz"))
(sha256
- (base32 "0fjxhf07r186cmp0mjvinrwxg4z90zlyvycqhy0n18fdp67szckl"))))
+ (base32
+ "115xs34r74j9zcsw69glnh8w59iyh764n3gniawwrk23c6yb8fch"))))
(build-system cmake-build-system)
(native-inputs
- `(("pkg-config" ,pkg-config)
- ("xorg-server" ,xorg-server))) ; for the tests
+ `(("pkg-config" ,pkg-config)
+ ("xorg-server" ,xorg-server))) ; for the tests
(inputs
- `(("extra-cmake-modules" ,extra-cmake-modules)
- ("libxrender" ,libxrender)
- ("qt" ,qt)
- ("xcb-utils-keysyms" ,xcb-util-keysyms)))
+ `(("extra-cmake-modules" ,extra-cmake-modules)
+ ("libxrender" ,libxrender)
+ ("qt" ,qt)
+ ("xcb-utils-keysyms" ,xcb-util-keysyms)))
(arguments
- `(#:tests? #f)) ; FIXME: The first seven tests fail with "Exception".
+ `(#:tests? #f)) ; FIXME: The first seven tests fail with "Exception".
(home-page "https://community.kde.org/Frameworks")
(synopsis "KDE access to the windowing system")
(description "KWindowSystem provides information about and allows
diff --git a/gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch b/gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch
new file mode 100644
index 0000000000..a5fdd7ffff
--- /dev/null
+++ b/gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch
@@ -0,0 +1,77 @@
+Fix CVE-2016-0739 (Weak Diffie-Hellman secret generation in
+dh_generate_x() and dh_generate_y()).
+
+"Due to a byte/bit confusion, the DH secret was too short. This file was
+completely reworked and will be commited in a future version."
+Source:
+https://git.libssh.org/projects/libssh.git/commit/?id=f8d0026c65fc8a55748ae481758e2cf376c26c86
+
+This patch was created by upstream for libssh-0.7.3, but applied without
+modification to libssh-0.6.3 by Debian. In Guix, we apply it without
+modification to libssh-0.6.5.
+
+References:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0739
+https://security-tracker.debian.org/tracker/CVE-2016-0739
+
+---
+ src/dh.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/dh.c b/src/dh.c
+index e489a1d..d27b66e 100644
+--- a/src/dh.c
++++ b/src/dh.c
+@@ -227,15 +227,21 @@ void ssh_crypto_finalize(void) {
+ }
+
+ int dh_generate_x(ssh_session session) {
++ int keysize;
++ if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
++ keysize = 1023;
++ } else {
++ keysize = 2047;
++ }
+ session->next_crypto->x = bignum_new();
+ if (session->next_crypto->x == NULL) {
+ return -1;
+ }
+
+ #ifdef HAVE_LIBGCRYPT
+- bignum_rand(session->next_crypto->x, 128);
++ bignum_rand(session->next_crypto->x, keysize);
+ #elif defined HAVE_LIBCRYPTO
+- bignum_rand(session->next_crypto->x, 128, 0, -1);
++ bignum_rand(session->next_crypto->x, keysize, -1, 0);
+ #endif
+
+ /* not harder than this */
+@@ -248,15 +254,21 @@ int dh_generate_x(ssh_session session) {
+
+ /* used by server */
+ int dh_generate_y(ssh_session session) {
+- session->next_crypto->y = bignum_new();
++ int keysize;
++ if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
++ keysize = 1023;
++ } else {
++ keysize = 2047;
++ }
++ session->next_crypto->y = bignum_new();
+ if (session->next_crypto->y == NULL) {
+ return -1;
+ }
+
+ #ifdef HAVE_LIBGCRYPT
+- bignum_rand(session->next_crypto->y, 128);
++ bignum_rand(session->next_crypto->y, keysize);
+ #elif defined HAVE_LIBCRYPTO
+- bignum_rand(session->next_crypto->y, 128, 0, -1);
++ bignum_rand(session->next_crypto->y, keysize, -1, 0);
+ #endif
+
+ /* not harder than this */
+--
+cgit v0.12
+
diff --git a/gnu/packages/patches/libssh-CVE-2014-0017.patch b/gnu/packages/patches/libssh-CVE-2014-0017.patch
deleted file mode 100644
index 94d8cc33d2..0000000000
--- a/gnu/packages/patches/libssh-CVE-2014-0017.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-Patch from libssh 0.6, with bind.c hunk adjusted for 0.5.5.
-
-From e99246246b4061f7e71463f8806b9dcad65affa0 Mon Sep 17 00:00:00 2001
-From: Aris Adamantiadis <aris@0xbadc0de.be>
-Date: Wed, 05 Feb 2014 20:24:12 +0000
-Subject: security: fix for vulnerability CVE-2014-0017
-
-When accepting a new connection, a forking server based on libssh forks
-and the child process handles the request. The RAND_bytes() function of
-openssl doesn't reset its state after the fork, but simply adds the
-current process id (getpid) to the PRNG state, which is not guaranteed
-to be unique.
-This can cause several children to end up with same PRNG state which is
-a security issue.
----
-diff --git a/include/libssh/wrapper.h b/include/libssh/wrapper.h
-index 7374a88..e8ff32c 100644
---- a/include/libssh/wrapper.h
-+++ b/include/libssh/wrapper.h
-@@ -70,5 +70,6 @@ int crypt_set_algorithms_server(ssh_session session);
- struct ssh_crypto_struct *crypto_new(void);
- void crypto_free(struct ssh_crypto_struct *crypto);
-
-+void ssh_reseed(void);
-
- #endif /* WRAPPER_H_ */
-diff --git a/src/bind.c b/src/bind.c
-index 8d82d0d..03d3403 100644
---- a/src/bind.c
-+++ b/src/bind.c
-@@ -375,6 +375,8 @@ int ssh_bind_accept(ssh_bind sshbind, ss
- session->dsa_key = dsa;
- session->rsa_key = rsa;
-
-+ /* force PRNG to change state in case we fork after ssh_bind_accept */
-+ ssh_reseed();
- return SSH_OK;
- }
-
-diff --git a/src/libcrypto.c b/src/libcrypto.c
-index bb1d96a..d8cc795 100644
---- a/src/libcrypto.c
-+++ b/src/libcrypto.c
-@@ -23,6 +23,7 @@
- #include <stdlib.h>
- #include <stdio.h>
- #include <string.h>
-+#include <sys/time.h>
-
- #include "libssh/priv.h"
- #include "libssh/session.h"
-@@ -38,6 +39,8 @@
- #include <openssl/rsa.h>
- #include <openssl/hmac.h>
- #include <openssl/opensslv.h>
-+#include <openssl/rand.h>
-+
- #ifdef HAVE_OPENSSL_AES_H
- #define HAS_AES
- #include <openssl/aes.h>
-@@ -74,6 +77,12 @@ static int alloc_key(struct ssh_cipher_struct *cipher) {
- return 0;
- }
-
-+void ssh_reseed(void){
-+ struct timeval tv;
-+ gettimeofday(&tv, NULL);
-+ RAND_add(&tv, sizeof(tv), 0.0);
-+}
-+
- SHACTX sha1_init(void) {
- SHACTX c = malloc(sizeof(*c));
- if (c == NULL) {
-diff --git a/src/libgcrypt.c b/src/libgcrypt.c
-index 899bccd..4617901 100644
---- a/src/libgcrypt.c
-+++ b/src/libgcrypt.c
-@@ -45,6 +45,9 @@ static int alloc_key(struct ssh_cipher_struct *cipher) {
- return 0;
- }
-
-+void ssh_reseed(void){
-+ }
-+
- SHACTX sha1_init(void) {
- SHACTX ctx = NULL;
- gcry_md_open(&ctx, GCRY_MD_SHA1, 0);
---
-cgit v0.9.1
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 41cb38134f..3c73e47882 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -44,15 +45,15 @@
(define-public libssh
(package
(name "libssh")
- (version "0.6.5")
+ (version "0.7.3")
(source (origin
(method url-fetch)
(uri (string-append
- "https://red.libssh.org/attachments/download/121/libssh-"
+ "https://red.libssh.org/attachments/download/195/libssh-"
version ".tar.xz"))
(sha256
(base32
- "0b6wyx6bwbb8jpn8x4rhlrdiqwqrwrs0mxjmrnqykm9kw1ijgm8g"))))
+ "165g49i4kmm3bfsjm0n8hm21kadv79g9yjqyq09138jxanz4dvr6"))))
(build-system cmake-build-system)
(arguments
'(#:configure-flags '("-DWITH_GCRYPT=ON")
@@ -70,29 +71,32 @@ remote applications.")
(home-page "http://www.libssh.org")
(license license:lgpl2.1+)))
-(define libssh-0.5 ; kept private
+(define libssh-0.6 ; kept private for use in guile-ssh
(package (inherit libssh)
- (version "0.5.5")
+ (version "0.6.5")
(source (origin
(method url-fetch)
- (uri (string-append "https://red.libssh.org/attachments/download/51/libssh-"
- version ".tar.gz"))
+ (uri (string-append "https://red.libssh.org/attachments/"
+ "download/121/libssh-"
+ version ".tar.xz"))
(sha256
(base32
- "17cfdff4hc0ijzrr15biq29fiabafz0bw621zlkbwbc1zh2hzpy0"))
- (patches (list (search-patch "libssh-CVE-2014-0017.patch")))))))
+ "0b6wyx6bwbb8jpn8x4rhlrdiqwqrwrs0mxjmrnqykm9kw1ijgm8g"))
+ (patches (list
+ (search-patch "libssh-0.6.5-CVE-2016-0739.patch")))))))
(define-public libssh2
(package
(name "libssh2")
- (version "1.4.3")
+ (version "1.7.0")
(source (origin
(method url-fetch)
(uri (string-append
- "http://www.libssh2.org/download/libssh2-"
+ "https://www.libssh2.org/download/libssh2-"
version ".tar.gz"))
- (sha256 (base32
- "0vdr478dbhbdgnniqmirawjb7mrcxckn4slhhrijxnzrkmgziipa"))))
+ (sha256
+ (base32
+ "116mh112w48vv9k3f15ggp5kxw5sj4b88dzb5j69llsh7ba1ymp4"))))
(build-system gnu-build-system)
;; The installed libssh2.pc file does not include paths to libgcrypt and
;; zlib libraries, so we need to propagate the inputs.
@@ -108,6 +112,24 @@ a server that supports the SSH-2 protocol.")
(license license:bsd-3)
(home-page "http://www.libssh2.org/")))
+;;; XXX This is a temporary package for use only by curl, to allow most users
+;;; of libssh2 to get the security update sooner while postponing the large
+;;; number of rebuilds entailed by updating curl.
+;;;
+;;; XXX This package is vulnerable to CVE-2016-7087.
+;;;
+;;; https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0787
+(define-public libssh2-1.4
+ (package (inherit libssh2)
+ (version "1.4.3")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://www.libssh2.org/download/libssh2-"
+ version ".tar.gz"))
+ (sha256
+ (base32
+ "0vdr478dbhbdgnniqmirawjb7mrcxckn4slhhrijxnzrkmgziipa"))))))
+
(define-public openssh
(package
(name "openssh")
@@ -235,7 +257,7 @@ Additionally, various channel-specific options can be negotiated.")
("pkg-config" ,pkg-config)
("which" ,which)))
(inputs `(("guile" ,guile-2.0)
- ("libssh" ,libssh)
+ ("libssh" ,libssh-0.6)
("libgcrypt" ,libgcrypt)))
(synopsis "Guile bindings to libssh")
(description
diff --git a/guix/http-client.scm b/guix/http-client.scm
index 31b511eb1c..2161856c63 100644
--- a/guix/http-client.scm
+++ b/guix/http-client.scm
@@ -33,6 +33,7 @@
#:use-module (guix ui)
#:use-module (guix utils)
#:use-module (guix base64)
+ #:autoload (guix hash) (sha256)
#:use-module ((guix build utils)
#:select (mkdir-p dump-port))
#:use-module ((guix build download)
@@ -280,18 +281,23 @@ Raise an '&http-get-error' condition if downloading fails."
string->number*)
36))))
+(define (cache-file-for-uri uri)
+ "Return the name of the file in the cache corresponding to URI."
+ (let ((digest (sha256 (string->utf8 (uri->string uri)))))
+ ;; Use the "URL" alphabet because it does not contain "/".
+ (string-append (cache-directory) "/http/"
+ (base64-encode digest 0 (bytevector-length digest)
+ #f #f base64url-alphabet))))
+
(define* (http-fetch/cached uri #:key (ttl (%http-cache-ttl)) text?)
"Like 'http-fetch', return an input port, but cache its contents in
~/.cache/guix. The cache remains valid for TTL seconds."
- (let* ((directory (string-append (cache-directory) "/http/"
- (uri-host uri)))
- (file (string-append directory "/"
- (basename (uri-path uri)))))
+ (let ((file (cache-file-for-uri uri)))
(define (update-cache)
;; Update the cache and return an input port.
(let ((port (http-fetch uri #:text? text?)))
- (mkdir-p directory)
- (call-with-output-file file
+ (mkdir-p (dirname file))
+ (with-atomic-file-output file
(cut dump-port port <>))
(close-port port)
(open-input-file file)))
diff --git a/guix/scripts/publish.scm b/guix/scripts/publish.scm
index 3d197384d6..5306afcf07 100644
--- a/guix/scripts/publish.scm
+++ b/guix/scripts/publish.scm
@@ -208,13 +208,13 @@ References: ~a~%"
(narinfo-string store store-path (force %private-key))
<>)))))
-(define (render-nar request store-item)
+(define (render-nar store request store-item)
"Render archive of the store path corresponding to STORE-ITEM."
(let ((store-path (string-append %store-directory "/" store-item)))
;; The ISO-8859-1 charset *must* be used otherwise HTTP clients will
;; interpret the byte stream as UTF-8 and arbitrarily change invalid byte
;; sequences.
- (if (file-exists? store-path)
+ (if (valid-path? store store-path)
(values '((content-type . (application/x-nix-archive
(charset . "ISO-8859-1"))))
;; XXX: We're not returning the actual contents, deferring
@@ -314,7 +314,7 @@ blocking."
(render-narinfo store request hash))
;; /nar/<store-item>
(("nar" store-item)
- (render-nar request store-item))
+ (render-nar store request store-item))
(_ (not-found request)))
(not-found request))))
diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm
index 7279be0c43..401aa8b60a 100644
--- a/guix/scripts/system.scm
+++ b/guix/scripts/system.scm
@@ -211,6 +211,19 @@ the ownership of '~a' may be incorrect!~%")
(lambda ()
(environ env)))))
+(define-syntax-rule (save-load-path-excursion body ...)
+ "Save the current values of '%load-path' and '%load-compiled-path', run
+BODY..., and restore them."
+ (let ((path %load-path)
+ (cpath %load-compiled-path))
+ (dynamic-wind
+ (const #t)
+ (lambda ()
+ body ...)
+ (lambda ()
+ (set! %load-path path)
+ (set! %load-compiled-path cpath)))))
+
(define-syntax-rule (warn-on-system-error body ...)
(catch 'system-error
(lambda ()
@@ -273,6 +286,9 @@ bring the system down."
(info (_ "loading new services:~{ ~a~}...~%") to-load-names)
(mlet %store-monad ((files (mapm %store-monad shepherd-service-file
to-load)))
+ ;; Here we assume that FILES are exactly those that were computed
+ ;; as part of the derivation that built OS, which is normally the
+ ;; case.
(load-services (map derivation->output-path files))
(for-each start-service
@@ -299,7 +315,12 @@ it atomically, and then run OS's activation script."
;; Tell 'activate-current-system' what the new system is.
(setenv "GUIX_NEW_SYSTEM" system)
- (primitive-load (derivation->output-path script)))
+ ;; The activation script may modify '%load-path' & co., so protect
+ ;; against that. This is necessary to ensure that
+ ;; 'upgrade-shepherd-services' gets to see the right modules when it
+ ;; computes derivations with (gexp->derivation #:modules …).
+ (save-load-path-excursion
+ (primitive-load (derivation->output-path script))))
;; Finally, try to update system services.
(upgrade-shepherd-services os))))
diff --git a/guix/store.scm b/guix/store.scm
index 8123407816..3d6cff4c21 100644
--- a/guix/store.scm
+++ b/guix/store.scm
@@ -582,7 +582,12 @@ encoding conversion errors."
(operation (name args ...) docstring return ...)))
(define-operation (valid-path? (string path))
- "Return #t when PATH is a valid store path."
+ "Return #t when PATH designates a valid store item and #f otherwise (an
+invalid item may exist on disk but still be invalid, for instance because it
+is the result of an aborted or failed build.)
+
+A '&nix-protocol-error' condition is raised if PATH is not prefixed by the
+store directory (/gnu/store)."
boolean)
(define-operation (query-path-hash (store-path path))
diff --git a/tests/publish.scm b/tests/publish.scm
index 0b92390900..6c710fe0a7 100644
--- a/tests/publish.scm
+++ b/tests/publish.scm
@@ -112,6 +112,14 @@ References: ~a~%"
(call-with-input-string nar (cut restore-file <> temp)))
(call-with-input-file temp read-string))))
+(test-equal "/nar/invalid"
+ 404
+ (begin
+ (call-with-output-file (string-append (%store-prefix) "/invalid")
+ (lambda (port)
+ (display "This file is not a valid store item." port)))
+ (response-code (http-get (publish-uri (string-append "/nar/invalid"))))))
+
(test-end "publish")