-rw-r--r-- | gnu-system.am | 4 | ||||
-rw-r--r-- | gnu/packages/acl.scm | 4 | ||||
-rw-r--r-- | gnu/packages/admin.scm | 13 | ||||
-rw-r--r-- | gnu/packages/base.scm | 23 | ||||
-rw-r--r-- | gnu/packages/bdw-gc.scm | 11 | ||||
-rw-r--r-- | gnu/packages/commencement.scm | 12 | ||||
-rw-r--r-- | gnu/packages/file.scm | 8 | ||||
-rw-r--r-- | gnu/packages/gawk.scm | 9 | ||||
-rw-r--r-- | gnu/packages/gnutls.scm | 8 | ||||
-rw-r--r-- | gnu/packages/guile.scm | 6 | ||||
-rw-r--r-- | gnu/packages/image.scm | 12 | ||||
-rw-r--r-- | gnu/packages/libffi.scm | 7 | ||||
-rw-r--r-- | gnu/packages/mc.scm | 11 | ||||
-rw-r--r-- | gnu/packages/mcrypt.scm | 7 | ||||
-rw-r--r-- | gnu/packages/patches/coreutils-dummy-man.patch | 10 | ||||
-rw-r--r-- | gnu/packages/patches/coreutils-skip-nohup.patch | 28 | ||||
-rw-r--r-- | gnu/packages/patches/file-CVE-2014-3587.patch | 16 | ||||
-rw-r--r-- | gnu/packages/patches/glibc-CVE-2014-5119.patch | 212 | ||||
-rw-r--r-- | gnu/packages/patches/libffi-mips-n32-fix.patch | 21 | ||||
-rw-r--r-- | gnu/packages/pretty-print.scm | 112 | ||||
-rw-r--r-- | guix/build/gnu-build-system.scm | 30 | ||||
-rw-r--r-- | guix/build/utils.scm | 5 |
22 files changed, 361 insertions, 208 deletions
diff --git a/gnu-system.am b/gnu-system.am index 9328d13083..510a217b98 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -302,7 +302,6 @@ dist_patch_DATA = \ gnu/packages/patches/clucene-pkgconfig.patch \ gnu/packages/patches/cmake-fix-tests.patch \ gnu/packages/patches/coreutils-dummy-man.patch \ - gnu/packages/patches/coreutils-skip-nohup.patch \ gnu/packages/patches/cpio-gets-undeclared.patch \ gnu/packages/patches/cssc-gets-undeclared.patch \ gnu/packages/patches/cssc-missing-include.patch \ @@ -312,6 +311,7 @@ dist_patch_DATA = \ gnu/packages/patches/doxygen-test.patch \ gnu/packages/patches/doxygen-tmake.patch \ gnu/packages/patches/emacs-configure-sh.patch \ + gnu/packages/patches/file-CVE-2014-3587.patch \ gnu/packages/patches/findutils-absolute-paths.patch \ gnu/packages/patches/flashrom-use-libftdi1.patch \ gnu/packages/patches/flex-bison-tests.patch \ @@ -323,6 +323,7 @@ dist_patch_DATA = \ gnu/packages/patches/glib-tests-prlimit.patch \ gnu/packages/patches/glib-tests-timer.patch \ gnu/packages/patches/glibc-bootstrap-system.patch \ + gnu/packages/patches/glibc-CVE-2014-5119.patch \ gnu/packages/patches/glibc-ldd-x86_64.patch \ gnu/packages/patches/gnunet-fix-scheduler.patch \ gnu/packages/patches/gnunet-fix-tests.patch \ @@ -343,7 +344,6 @@ dist_patch_DATA = \ gnu/packages/patches/kmod-module-directory.patch \ gnu/packages/patches/libbonobo-activation-test-race.patch \ gnu/packages/patches/libevent-dns-tests.patch \ - gnu/packages/patches/libffi-mips-n32-fix.patch \ gnu/packages/patches/liboop-mips64-deplibs-fix.patch \ gnu/packages/patches/libmad-mips-newgcc.patch \ gnu/packages/patches/libtheora-config-guess.patch \ diff --git a/gnu/packages/acl.scm b/gnu/packages/acl.scm index 37c0b71dc9..ef15022566 100644 --- a/gnu/packages/acl.scm +++ b/gnu/packages/acl.scm @@ -28,7 +28,7 @@ (define-public acl (package (name "acl") - (version "2.2.51") + (version "2.2.52") (source (origin (method url-fetch) 
@@ -36,7 +36,7 @@ version ".src.tar.gz")) (sha256 (base32 - "09aj30m49ivycl3irram8c3givc0crivjm3ymw0nhfaxrwhlb186")))) + "08qd9s3wfhv0ajswsylnfwr5h0d7j9d4rgip855nrh400nxp940p")))) (build-system gnu-build-system) (arguments `(#:phases diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index c2599746d8..4d60c17989 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -648,18 +648,7 @@ system administrator.") "") (("^install: (.*)install-sudoers(.*)" _ before after) ;; Don't try to create /etc/sudoers. - (string-append "install: " before after "\n"))) - - ;; XXX FIXME sudo 1.8.10p3 was bootstrapped with a - ;; prerelease libtool, which fails on MIPS in the absence - ;; of /usr/bin/file. As a temporary workaround, we patch - ;; the configure script to hardcode use of the little - ;; endian N32 ABI on MIPS. - ,@(if (equal? "mips64el-linux" (or (%current-target-system) - (%current-system))) - '((substitute* "configure" - (("\\$emul") "elf32ltsmipn32"))) - '())) + (string-append "install: " before after "\n")))) %standard-phases) ;; XXX: The 'testsudoers' test series expects user 'root' to exist, but diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 49a2c83dd5..cbe115f8a8 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -25,6 +25,7 @@ #:use-module (gnu packages) #:use-module (gnu packages acl) #:use-module (gnu packages bash) + #:use-module (gnu packages ed) #:use-module (gnu packages guile) #:use-module (gnu packages multiprecision) #:use-module (gnu packages perl) 
@@ -122,14 +123,14 @@ implementation offers several extensions over the standard utility.") (define-public tar (package (name "tar") - (version "1.27.1") + (version "1.28") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/tar/tar-" - version ".tar.bz2")) + version ".tar.xz")) (sha256 (base32 - "1iip0fk0wqhxb0jcwphz43r4fxkx1y7mznnhmlvr618jhp7b63wv")))) + "1wi2zwm4c9r3h3b8y4w0nm0qq897kn8kyj9k22ba0iqvxj48vvk4")))) (build-system gnu-build-system) (synopsis "Managing tar archives") (description @@ -154,12 +155,9 @@ standard utility.") (base32 "1sqckf560pzwgniy00vcpdv2c9c11s4cmhlm14yqgg8avd3bl94i")))) (build-system gnu-build-system) - (native-inputs '()) ; FIXME: needs `ed' for the tests - (arguments - '(#:tests? #f) + (native-inputs `(("ed", ed))) ;; TODO: When cross-compiling, add this: ;; '(#:configure-flags '("ac_cv_func_strnlen_working=yes")) - ) (synopsis "Apply differences to originals, with optional backups") (description "Patch is a program that applies changes to files based on differences @@ -225,17 +223,15 @@ used to apply commands with arbitrarily long arguments.") (define-public coreutils (package (name "coreutils") - (version "8.22") + (version "8.23") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/coreutils/coreutils-" version ".tar.xz")) (sha256 (base32 - "04hjzzv434fb8ak3hh3dyhdvg3hqjjwvjmjxqzk1gh2jh6cr8gjv")) - (patches (list (search-patch "coreutils-dummy-man.patch") - ;; TODO: remove this patch for >= 8.23 - (search-patch "coreutils-skip-nohup.patch"))))) + "0bdq6yggyl7nkc2pbl6pxhhyx15nyqhz3ds6rfn448n6rxdwlhzc")) + (patches (list (search-patch "coreutils-dummy-man.patch"))))) (build-system gnu-build-system) (inputs `(("acl" ,acl) ; TODO: add SELinux ("gmp" ,gmp))) 
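Review bot: In the `patch` package hunk (`@@ -154,12 +155,9 @@`), the new input is written `(("ed", ed))`, with the unquote comma attached to the string instead of the variable. It reads the same to the Scheme reader, but every other input list in this file uses the `("name" ,var)` form, and the odd spacing makes it look like a stray comma; write it as `(native-inputs `(("ed" ,ed)))`. The package definition starts and ends outside the hunk.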
@@ -377,7 +373,8 @@ library for working with executable and object formats is also included.") (("use_ldconfig=yes") "use_ldconfig=no"))) (modules '((guix build utils))) - (patches (list (search-patch "glibc-ldd-x86_64.patch"))))) + (patches (list (search-patch "glibc-CVE-2014-5119.patch") + (search-patch "glibc-ldd-x86_64.patch"))))) (build-system gnu-build-system) ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc diff --git a/gnu/packages/bdw-gc.scm b/gnu/packages/bdw-gc.scm index ebb02b1d74..66158912d7 100644 --- a/gnu/packages/bdw-gc.scm +++ b/gnu/packages/bdw-gc.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2014 Mark H Weaver <mhw@netris.org> ;;; ;;; This file is part of GNU Guix. ;;; @@ -64,15 +65,15 @@ C or C++ programs, though that is not its primary goal.") (define-public libatomic-ops (package (name "libatomic-ops") - (version "7.4.0") + (version "7.4.2") (source (origin (method url-fetch) (uri (string-append - "http://www.hboehm.info/gc/gc_source/libatomic_ops-" + "http://www.ivmaisoft.com/_bin/atomic_ops/libatomic_ops-" version ".tar.gz")) (sha256 (base32 - "0njv3n63zw6v45k68z6dz14g2hpk5p230ncwmdfkglsljb1cqx98")))) + "1pdm0h1y7bgkczr8byg20r6bq15m5072cqm5pny4f9crc9gn3yh4")))) (build-system gnu-build-system) (outputs '("out" "debug")) (synopsis "Accessing hardware atomic memory update operations") @@ -88,14 +89,14 @@ lock-free code, experiment with thread programming paradigms, etc.") (define-public libgc (package (inherit libgc-7.2) - (version "7.4.0") + (version "7.4.2") (source (origin (method url-fetch) (uri (string-append "http://www.hboehm.info/gc/gc_source/gc-" version ".tar.gz")) (sha256 (base32 - "10z2nph62ilab063wygg2lv0jxlsbcf2az9w1lx01jzqj5lzry31")))) + "18mg28rr6kwr5clc65k4l4hkyy4kd16amx831sjf8q2lqkbhlck3")))) ;; New dependencies. (native-inputs `(("pkg-config" ,pkg-config))) 
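Review bot: In the `libatomic-ops` hunk (`@@ -64,15 +65,15 @@`), the tarball host changes from `www.hboehm.info` to `www.ivmaisoft.com/_bin/atomic_ops/` without an explanation, while `libgc` in the next hunk still fetches 7.4.2 from hboehm.info. The `sha256` pins the content, so a tampered download would be rejected. A reader auditing provenance still cannot tell why two halves of the same project come from different plain-http hosts. A short comment above the `uri` would settle it, for example `;; <reason this release is fetched from ivmaisoft.com rather than hboehm.info>`, with the reason filled in by the author. The package form continues outside the hunk.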
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm index a1d2fcaaed..79c22a5974 100644 --- a/gnu/packages/commencement.scm +++ b/gnu/packages/commencement.scm @@ -26,6 +26,8 @@ #:use-module (gnu packages base) #:use-module (gnu packages bash) #:use-module (gnu packages gcc) + #:use-module (gnu packages ed) + #:use-module (gnu packages file) #:use-module (gnu packages gawk) #:use-module (gnu packages guile) #:use-module (gnu packages multiprecision) @@ -106,11 +108,20 @@ (current-source-location) #:guile %bootstrap-guile))) +(define file-boot0 + (package-with-bootstrap-guile + (package-with-explicit-inputs file + `(("make" ,gnu-make-boot0) + ,@%bootstrap-inputs) + (current-source-location) + #:guile %bootstrap-guile))) + (define %boot0-inputs `(("make" ,gnu-make-boot0) ("diffutils" ,diffutils-boot0) ("findutils" ,findutils-boot0) + ("file" ,file-boot0) ,@%bootstrap-inputs)) (define* (nix-system->gnu-triplet @@ -663,6 +674,7 @@ store.") ("gzip" ,gzip) ("bzip2" ,bzip2) ("xz" ,xz) + ("file" ,file) ("diffutils" ,diffutils) ("patch" ,patch) ("sed" ,sed) diff --git a/gnu/packages/file.scm b/gnu/packages/file.scm index f53c22f4cd..601b158128 100644 --- a/gnu/packages/file.scm +++ b/gnu/packages/file.scm @@ -27,17 +27,15 @@ (define-public file (package (name "file") - (version "5.18") + (version "5.19") (source (origin (method url-fetch) (uri (string-append "ftp://ftp.astron.com/pub/file/file-" version ".tar.gz")) (sha256 (base32 - "01xz106biz6x4h5ilymg5v3367djvgnfp4lm87132cjqdmqgn6b5")))) + "0z1sgrcfy6d285kj5izy1yypf371bjl3247plh9ppk0svaxv714l")) + (patches (list (search-patch "file-CVE-2014-3587.patch"))))) (build-system gnu-build-system) - (native-inputs - ;; This package depends upon a native install of itself. - (if (%current-target-system) `(("file" ,file)) '() )) (synopsis "file, a file type guesser") (description "The file command is a file type guesser, a command-line tool that tells 
diff --git a/gnu/packages/gawk.scm b/gnu/packages/gawk.scm index 6185409fb7..84b5bd17a7 100644 --- a/gnu/packages/gawk.scm +++ b/gnu/packages/gawk.scm @@ -57,15 +57,12 @@ (string-append "### " match)))) '()) - ;; XXX FIXME gawk 4.1.1 was bootstrapped with a prerelease - ;; libtool, which fails on MIPS in the absence of - ;; /usr/bin/file. As a temporary workaround, we patch - ;; the configure script to hardcode use of the little - ;; endian N32 ABI on MIPS. + ;; XXX FIXME prerelease libtool fails on MIPS in the + ;; absence of /usr/bin/file. ,@(if (equal? "mips64el-linux" (or (%current-target-system) (%current-system))) '((substitute* "extension/configure" - (("\\$emul") "elf32ltsmipn32"))) + (("/usr/bin/file") (which "file")))) '()))) %standard-phases))) (inputs `(("libsigsegv" ,libsigsegv) diff --git a/gnu/packages/gnutls.scm b/gnu/packages/gnutls.scm index 917dfdd228..89fc86d6ad 100644 --- a/gnu/packages/gnutls.scm +++ b/gnu/packages/gnutls.scm @@ -63,7 +63,7 @@ specifications.") (define-public gnutls (package (name "gnutls") - (version "3.2.15") + (version "3.2.16") (source (origin (method url-fetch) (uri @@ -75,12 +75,8 @@ specifications.") "/gnutls-" version ".tar.xz")) (sha256 (base32 - "1fbpr9r1r2y803s3avwjpy1higqsz85dyb302kvmh0i29frwgg9h")))) + "1bmwhg8y3mz5w2klclf5dz9502477kaj8r8db7k45fwb9ah3c63q")))) (build-system gnu-build-system) - (arguments - ;; Work around build issue reported at - ;; <https://lists.gnu.org/archive/html/guix-devel/2014-03/msg00027.html>. - '(#:make-flags '("CPPFLAGS=-DENABLE_RSA_EXPORT"))) (native-inputs `(("pkg-config" ,pkg-config))) (inputs diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm index cb14f0e6c7..1169158113 100644 --- a/gnu/packages/guile.scm +++ b/gnu/packages/guile.scm 
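Review bot: In the gawk hunk, the replacement `(("/usr/bin/file") (which "file"))` uses the result of `which` without checking it. The `patch-usr-bin-file` phase added later in this commit guards against `which` finding nothing in PATH. Here a false result would be passed to `substitute*` as the replacement text, which looks like it would fail the phase with a type error rather than a clear message. A fallback such as `(("/usr/bin/file") (or (which "file") "/usr/bin/file"))` keeps the script unchanged in that case. The substitution also remains conditional on `mips64el-linux` although nothing in it is MIPS-specific, so the shortened comment should say why it is still restricted. The phase lambda starts outside the hunk.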
@@ -122,11 +122,7 @@ without requiring the source code to be rewritten.") (native-inputs `(("pkgconfig" ,pkg-config))) (inputs `(("libffi" ,libffi) ("readline" ,readline) - - ;; TODO: On next core-updates, make Bash input unconditional. - ,@(if (%current-target-system) - `(("bash" ,bash)) - '()))) + ("bash" ,bash))) (propagated-inputs `( ;; These ones aren't normally needed here, but since `libguile-2.0.la' diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 014266cbb0..06f62715c4 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -19,7 +19,6 @@ (define-module (gnu packages image) #:use-module (gnu packages) #:use-module (gnu packages compression) - #:use-module (gnu packages file) #:use-module ((guix licenses) #:renamer (symbol-prefix-proc 'license:)) #:use-module (guix packages) #:use-module (guix download) @@ -97,20 +96,11 @@ image files in PBMPLUS PPM/PGM, GIF, BMP, and Targa file formats.") (inputs `(("zlib" ,zlib) ("libjpeg-8" ,libjpeg-8))) ;; currently does not compile with libjpeg version 9 - (native-inputs `(("file" ,file))) (arguments `(#:configure-flags (list (string-append "--with-jpeg-include-dir=" (assoc-ref %build-inputs "libjpeg-8") - "/include")) - #:phases - (alist-cons-before - 'configure 'patch-configure - (lambda _ - (substitute* "configure" - (("`/usr/bin/file") - (string-append "`" (which "file"))))) - %standard-phases))) + "/include")))) (synopsis "Libtiff, a library for handling TIFF files") (description "Libtiff provides support for the Tag Image File Format (TIFF), a format diff --git a/gnu/packages/libffi.scm b/gnu/packages/libffi.scm index c5e265087e..33e10d6fc2 100644 --- a/gnu/packages/libffi.scm +++ b/gnu/packages/libffi.scm 
@@ -29,11 +29,11 @@ ;; available in $includedir where some users expect them. '(lambda* (#:key outputs #:allow-other-keys) (define out (assoc-ref outputs "out")) - (symlink (string-append out "/lib/libffi-3.0.13/include") + (symlink (string-append out "/lib/libffi-3.1/include") (string-append out "/include"))))) (package (name "libffi") - (version "3.0.13") + (version "3.1") (source (origin (method url-fetch) (uri @@ -41,8 +41,7 @@ name "-" version ".tar.gz")) (sha256 (base32 - "077ibkf84bvcd6rw1m6jb107br63i2pp301rkmsbgg6300adxp8x")) - (patches (list (search-patch "libffi-mips-n32-fix.patch"))))) + "1sznmrhcswwbyqla9y2ximlkzbxks59wjfs3lh7qf8ayranyxzlp")))) (build-system gnu-build-system) (arguments `(#:phases (alist-cons-after 'install 'post-install ,post-install-phase diff --git a/gnu/packages/mc.scm b/gnu/packages/mc.scm index aba14d59ac..6e3747c943 100644 --- a/gnu/packages/mc.scm +++ b/gnu/packages/mc.scm @@ -28,7 +28,6 @@ #:use-module (gnu packages ssh) #:use-module (gnu packages pkg-config) #:use-module (gnu packages check) - #:use-module (gnu packages file) #:use-module (gnu packages perl)) (define-public mc @@ -46,7 +45,6 @@ (patches (list (search-patch "mc-fix-ncurses-build.patch"))))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config) - ("file" ,file) ("perl" ,perl))) (inputs `(("aspell" ,aspell) ("ncurses" ,ncurses) @@ -55,14 +53,7 @@ ("check" ,check))) (arguments `(#:configure-flags - '("--with-screen=ncurses" "--enable-aspell") - #:phases - (alist-cons-before - 'configure 'patch-configure - (lambda _ - (substitute* "configure" - (("/usr/bin/file") (which "file")))) - %standard-phases))) + '("--with-screen=ncurses" "--enable-aspell"))) (home-page "http://www.midnight-commander.org") (synopsis "Graphical file manager") (description diff --git a/gnu/packages/mcrypt.scm b/gnu/packages/mcrypt.scm index eac8c72c5e..12a4827224 100644 --- a/gnu/packages/mcrypt.scm +++ b/gnu/packages/mcrypt.scm 
@@ -23,8 +23,7 @@ #:use-module (guix build-system gnu) #:use-module (gnu packages) #:use-module (gnu packages compression) - #:use-module (gnu packages perl) - #:use-module (gnu packages file)) + #:use-module (gnu packages perl)) (define-public mcrypt (package @@ -68,7 +67,6 @@ them.") (base32 "0gipgb939vy9m66d3k8il98rvvwczyaw2ixr8yn6icds9c3nrsz4")))) (build-system gnu-build-system) - (native-inputs `(("file" ,file))) (home-page "http://mcrypt.sourceforge.net/") (synopsis "Encryption algorithm library") (description @@ -95,8 +93,7 @@ XTEA, 3WAY, TWOFISH, BLOWFISH, ARCFOUR, WAKE and more.") (patches (list (search-patch "mhash-keygen-test-segfault.patch"))))) (build-system gnu-build-system) (native-inputs - `(("file" ,file) - ("perl" ,perl))) ;for tests + `(("perl" ,perl))) ;for tests (home-page "http://mhash.sourceforge.net/") (synopsis "Thread-safe hash library") (description diff --git a/gnu/packages/patches/coreutils-dummy-man.patch b/gnu/packages/patches/coreutils-dummy-man.patch index f6a6a31002..a43cfc47c3 100644 --- a/gnu/packages/patches/coreutils-dummy-man.patch +++ b/gnu/packages/patches/coreutils-dummy-man.patch @@ -7,15 +7,15 @@ would appear when compiling: dummy-man: too many non-option arguments ---- coreutils-8.22/Makefile.in 2013-12-13 16:20:00.000000000 +0100 -+++ coreutils-8.22/Makefile.in 2014-02-28 10:53:27.000000000 +0100 -@@ -9977,8 +9977,8 @@ man/yes.1: src/yes +--- coreutils-8.23/Makefile.in 2014-07-18 18:22:24.000000000 -0400 ++++ coreutils-8.23/Makefile.in 2014-08-03 20:21:10.849158313 -0400 +@@ -14076,8 +14076,8 @@ && $(run_help2man) \ --source='$(PACKAGE_STRING)' \ --include=$(srcdir)/man/$$name.x \ -- --output=$$t/$$name.1 $$t/$$name \ +- --output=$$t/$$name.1 $$t/$$argv \ --info-page='coreutils \(aq'$$name' invocation\(aq' \ -+ --output=$$t/$$name.1 $$t/$$name \ ++ --output=$$t/$$name.1 $$t/$$argv \ && sed \ -e 's|$*\.td/||g' \ -e '/For complete documentation/d' \ 
diff --git a/gnu/packages/patches/coreutils-skip-nohup.patch b/gnu/packages/patches/coreutils-skip-nohup.patch deleted file mode 100644 index f5283a6b21..0000000000 --- a/gnu/packages/patches/coreutils-skip-nohup.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit 5dce6bdfafc930dfd17d5d16aea7d1add3472066 -Author: Pádraig Brady <P@draigBrady.com> -Date: Wed Mar 5 15:14:07 2014 +0000 - - tests: fix false failure in nohup.sh in non tty builds - - * tests/misc/nohup.sh: When running tests without a controlling tty, - an exec failure is triggered in a subshell, which causes POSIX - shells to immediately exit the subshell. This was brought - to notice by the newly conforming bash 4.3. - Fixes http:/bugs.gnu.org/16940 - -diff --git a/tests/misc/nohup.sh b/tests/misc/nohup.sh -index 6d2b515..2328b43 100755 ---- a/tests/misc/nohup.sh -+++ b/tests/misc/nohup.sh -@@ -63,6 +63,11 @@ rm -f nohup.out err - # to stderr must be fatal. Requires stdout to be terminal. - if test -w /dev/full && test -c /dev/full; then - ( -+ # POSIX shells immediately exit the subshell on exec error. -+ # So check we can write to /dev/tty before the exec, which -+ # isn't possible if we've no controlling tty for example. -+ test -c /dev/tty && >/dev/tty || exit 0 -+ - exec >/dev/tty - test -t 1 || exit 0 - nohup echo hi 2> /dev/full diff --git a/gnu/packages/patches/file-CVE-2014-3587.patch b/gnu/packages/patches/file-CVE-2014-3587.patch new file mode 100644 index 0000000000..cf88bf5f3e --- /dev/null +++ b/gnu/packages/patches/file-CVE-2014-3587.patch 
@@ -0,0 +1,16 @@ +Fixes CVE-2014-3587. Copied from upstream commit +0641e56be1af003aa02c7c6b0184466540637233. + +--- file-5.19/src/cdf.c.orig 2014-06-09 09:04:37.000000000 -0400 ++++ file-5.19/src/cdf.c 2014-08-26 11:55:23.887118898 -0400 +@@ -824,6 +824,10 @@ + q = (const uint8_t *)(const void *) + ((const char *)(const void *)p + ofs + - 2 * sizeof(uint32_t)); ++ if (q < p) { ++ DPRINTF(("Wrapped around %p < %p\n", q, p)); ++ goto out; ++ } + if (q > e) { + DPRINTF(("Ran of the end %p > %p\n", q, e)); + goto out; diff --git a/gnu/packages/patches/glibc-CVE-2014-5119.patch b/gnu/packages/patches/glibc-CVE-2014-5119.patch new file mode 100644 index 0000000000..de063a2da5 --- /dev/null +++ b/gnu/packages/patches/glibc-CVE-2014-5119.patch 
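Review bot: The added `if (q < p)` test runs only after `q` has been formed from `p + ofs - 2 * sizeof(uint32_t)`, so it depends on an out-of-range pointer computation wrapping predictably. C does not guarantee that, and an optimizing compiler may in principle treat the comparison as never true. Because the patch is a verbatim copy of upstream commit 0641e56be1af003aa02c7c6b0184466540637233, it should stay unmodified here. The header could gain a line such as `Drop this patch once file is updated to a release that contains the upstream commit.` so it does not outlive the 5.19 pin. The enclosing function in cdf.c lies outside the quoted context, so whether `ofs` is range-checked earlier cannot be confirmed from this hunk.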
@@ -0,0 +1,212 @@ +Remove support for loadable gconv transliteration modules. +The support for transliteration modules has been non-functional for +over a decade, and the removal is prompted by security defects. The +normal gconv conversion modules are still supported. Transliteration +with //TRANSLIT is still possible, and the //IGNORE specifier +continues to be supported. (CVE-2014-5119) + +Based on upstream commits a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8 +and f9df71e895d3552d557e783fdb9d133328195645 +by Florian Weimer <fweimer@redhat.com>. + +--- glibc-2.19/ChangeLog.orig 2014-02-07 04:04:38.000000000 -0500 ++++ glibc-2.19/ChangeLog 2014-08-26 14:35:12.368861387 -0400 +@@ -1,3 +1,10 @@ ++2014-08-26 Florian Weimer <fweimer@redhat.com> ++ ++ [BZ #17187] ++ * iconv/gconv_trans.c (struct known_trans, search_tree, lock, ++ trans_compare, open_translit, __gconv_translit_find): ++ Remove module loading code. ++ + 2014-02-06 Carlos O'Donell <carlos@redhat.com> + + [BZ #16529] +--- glibc-2.19/iconv/gconv_trans.c.orig 2014-02-07 04:04:38.000000000 -0500 ++++ glibc-2.19/iconv/gconv_trans.c 2014-08-26 14:37:26.269525364 -0400 +@@ -238,181 +238,12 @@ + return __GCONV_ILLEGAL_INPUT; + } + +- +-/* Structure to represent results of found (or not) transliteration +- modules. */ +-struct known_trans +-{ +- /* This structure must remain the first member. */ +- struct trans_struct info; +- +- char *fname; +- void *handle; +- int open_count; +-}; +- +- +-/* Tree with results of previous calls to __gconv_translit_find. */ +-static void *search_tree; +- +-/* We modify global data. */ +-__libc_lock_define_initialized (static, lock); +- +- +-/* Compare two transliteration entries. 
*/ +-static int +-trans_compare (const void *p1, const void *p2) +-{ +- const struct known_trans *s1 = (const struct known_trans *) p1; +- const struct known_trans *s2 = (const struct known_trans *) p2; +- +- return strcmp (s1->info.name, s2->info.name); +-} +- +- +-/* Open (maybe reopen) the module named in the struct. Get the function +- and data structure pointers we need. */ +-static int +-open_translit (struct known_trans *trans) +-{ +- __gconv_trans_query_fct queryfct; +- +- trans->handle = __libc_dlopen (trans->fname); +- if (trans->handle == NULL) +- /* Not available. */ +- return 1; +- +- /* Find the required symbol. */ +- queryfct = __libc_dlsym (trans->handle, "gconv_trans_context"); +- if (queryfct == NULL) +- { +- /* We cannot live with that. */ +- close_and_out: +- __libc_dlclose (trans->handle); +- trans->handle = NULL; +- return 1; +- } +- +- /* Get the context. */ +- if (queryfct (trans->info.name, &trans->info.csnames, &trans->info.ncsnames) +- != 0) +- goto close_and_out; +- +- /* Of course we also have to have the actual function. */ +- trans->info.trans_fct = __libc_dlsym (trans->handle, "gconv_trans"); +- if (trans->info.trans_fct == NULL) +- goto close_and_out; +- +- /* Now the optional functions. */ +- trans->info.trans_init_fct = +- __libc_dlsym (trans->handle, "gconv_trans_init"); +- trans->info.trans_context_fct = +- __libc_dlsym (trans->handle, "gconv_trans_context"); +- trans->info.trans_end_fct = +- __libc_dlsym (trans->handle, "gconv_trans_end"); +- +- trans->open_count = 1; +- +- return 0; +-} +- +- + int + internal_function + __gconv_translit_find (struct trans_struct *trans) + { +- struct known_trans **found; +- const struct path_elem *runp; +- int res = 1; +- +- /* We have to have a name. */ +- assert (trans->name != NULL); +- +- /* Acquire the lock. */ +- __libc_lock_lock (lock); +- +- /* See whether we know this module already. 
*/ +- found = __tfind (trans, &search_tree, trans_compare); +- if (found != NULL) +- { +- /* Is this module available? */ +- if ((*found)->handle != NULL) +- { +- /* Maybe we have to reopen the file. */ +- if ((*found)->handle != (void *) -1) +- /* The object is not unloaded. */ +- res = 0; +- else if (open_translit (*found) == 0) +- { +- /* Copy the data. */ +- *trans = (*found)->info; +- (*found)->open_count++; +- res = 0; +- } +- } +- } +- else +- { +- size_t name_len = strlen (trans->name) + 1; +- int need_so = 0; +- struct known_trans *newp; +- +- /* We have to continue looking for the module. */ +- if (__gconv_path_elem == NULL) +- __gconv_get_path (); +- +- /* See whether we have to append .so. */ +- if (name_len <= 4 || memcmp (&trans->name[name_len - 4], ".so", 3) != 0) +- need_so = 1; +- +- /* Create a new entry. */ +- newp = (struct known_trans *) malloc (sizeof (struct known_trans) +- + (__gconv_max_path_elem_len +- + name_len + 3) +- + name_len); +- if (newp != NULL) +- { +- char *cp; +- +- /* Clear the struct. */ +- memset (newp, '\0', sizeof (struct known_trans)); +- +- /* Store a copy of the module name. */ +- newp->info.name = cp = (char *) (newp + 1); +- cp = __mempcpy (cp, trans->name, name_len); +- +- newp->fname = cp; +- +- /* Search in all the directories. */ +- for (runp = __gconv_path_elem; runp->name != NULL; ++runp) +- { +- cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name), +- trans->name, name_len); +- if (need_so) +- memcpy (cp, ".so", sizeof (".so")); +- +- if (open_translit (newp) == 0) +- { +- /* We found a module. */ +- res = 0; +- break; +- } +- } +- +- if (res) +- newp->fname = NULL; +- +- /* In any case we'll add the entry to our search tree. */ +- if (__tsearch (newp, &search_tree, trans_compare) == NULL) +- { +- /* Yickes, this should not happen. Unload the object. */ +- res = 1; +- /* XXX unload here. 
*/ +- } +- } +- } +- +- __libc_lock_unlock (lock); +- +- return res; ++ /* Transliteration module loading has been removed because it never ++ worked as intended and suffered from a security vulnerability. ++ Consequently, this function always fails. */ ++ return 1; + } diff --git a/gnu/packages/patches/libffi-mips-n32-fix.patch b/gnu/packages/patches/libffi-mips-n32-fix.patch deleted file mode 100644 index 87ec48f883..0000000000 --- a/gnu/packages/patches/libffi-mips-n32-fix.patch +++ /dev/null @@ -1,21 +0,0 @@ -Fix handling of uint32_t arguments on the MIPS N32 ABI. - -Patch by Mark H Weaver <mhw@netris.org>. - ---- libffi/src/mips/ffi.c.orig 2013-03-16 07:19:39.000000000 -0400 -+++ libffi/src/mips/ffi.c 2013-10-22 01:11:03.111985247 -0400 -@@ -170,7 +170,14 @@ - break; - - case FFI_TYPE_UINT32: -+#ifdef FFI_MIPS_N32 -+ /* The N32 ABI requires that 32-bit integers -+ be sign-extended to 64-bits, regardless of -+ whether they are signed or unsigned. */ -+ *(ffi_arg *)argp = *(SINT32 *)(* p_argv); -+#else - *(ffi_arg *)argp = *(UINT32 *)(* p_argv); -+#endif - break; - - /* This can only happen with 64bit slots. */ diff --git a/gnu/packages/pretty-print.scm b/gnu/packages/pretty-print.scm index 8c51b54f18..07837eb1ac 100644 --- a/gnu/packages/pretty-print.scm +++ b/gnu/packages/pretty-print.scm @@ -30,8 +30,7 @@ #:use-module (gnu packages bison) #:use-module (gnu packages flex) #:use-module (gnu packages gperf) - #:use-module (gnu packages perl) - #:use-module (gnu packages file)) + #:use-module (gnu packages perl)) (define-public a2ps (package 
@@ -53,45 +52,39 @@ ("imagemagick" ,imagemagick))) (native-inputs `(("gperf" ,gperf) - ("perl" ,perl) - ("file" ,file))) + ("perl" ,perl))) (arguments '(#:phases (alist-cons-before - 'configure 'patch-configure + 'build 'patch-scripts (lambda _ - (substitute* "configure" - (("/usr/bin/file") (which "file")))) + (substitute* + '("afm/make_fonts_map.sh" + "tests/defs" + "tests/backup.tst" + "tests/styles.tst") + (("/bin/rm") (which "rm")))) (alist-cons-before - 'build 'patch-scripts - (lambda _ - (substitute* - '("afm/make_fonts_map.sh" - "tests/defs" - "tests/backup.tst" - "tests/styles.tst") - (("/bin/rm") (which "rm")))) - (alist-cons-before - 'check 'patch-test-files - ;; Alternatively, we could unpatch the shebangs in tstfiles - (lambda* (#:key inputs #:allow-other-keys) - (let ((perl (assoc-ref inputs "perl"))) - (substitute* '("tests/ps-ref/includeres.ps" - "tests/gps-ref/includeres.ps") - (("/usr/local/bin/perl") - (string-append perl "/bin/perl")))) - ;; Some of the reference postscript contain a 'version 3' - ;; string that in inconsistent with the source text in the - ;; tstfiles directory. Erroneous search-and-replace? - (substitute* '("tests/ps-ref/InsertBlock.ps" - "tests/gps-ref/InsertBlock.ps" - "tests/ps-ref/bookie.ps" - "tests/gps-ref/bookie.ps") - (("version 3") "version 2")) - (substitute* '("tests/ps-ref/psmandup.ps" - "tests/gps-ref/psmandup.ps") - (("#! */bin/sh") (string-append - "#!" (which "sh"))))) - %standard-phases))))) + 'check 'patch-test-files + ;; Alternatively, we could unpatch the shebangs in tstfiles + (lambda* (#:key inputs #:allow-other-keys) + (let ((perl (assoc-ref inputs "perl"))) + (substitute* '("tests/ps-ref/includeres.ps" + "tests/gps-ref/includeres.ps") + (("/usr/local/bin/perl") + (string-append perl "/bin/perl")))) + ;; Some of the reference postscript contain a 'version 3' + ;; string that in inconsistent with the source text in the + ;; tstfiles directory. Erroneous search-and-replace? 
+ (substitute* '("tests/ps-ref/InsertBlock.ps" + "tests/gps-ref/InsertBlock.ps" + "tests/ps-ref/bookie.ps" + "tests/gps-ref/bookie.ps") + (("version 3") "version 2")) + (substitute* '("tests/ps-ref/psmandup.ps" + "tests/gps-ref/psmandup.ps") + (("#! */bin/sh") (string-append + "#!" (which "sh"))))) + %standard-phases)))) (home-page "http://www.gnu.org/software/a2ps") (synopsis "Any file to PostScript, including pretty-printing") (description @@ -115,16 +108,9 @@ special cases, such as pretty-printing \"--help\" output.") (base32 "13rkc0fga10xyf56yy9dnq95zndnfadkhxflnp24skszj21y8jqh")))) (build-system gnu-build-system) - (native-inputs `(("file" ,file))) (arguments ;; Must define DIFF_CMD for tests to pass - '(#:configure-flags '("CPPFLAGS=-DDIFF_CMD=\\\"diff\\\"") - #:phases (alist-cons-before - 'configure 'patch-configure - (lambda _ - (substitute* "configure" - (("/usr/bin/file") (which "file")))) - %standard-phases))) + '(#:configure-flags '("CPPFLAGS=-DDIFF_CMD=\\\"diff\\\""))) (home-page "http://www.gnu.org/software/trueprint") (synopsis "Pretty-print C sources and other plain text to PostScript") (description 
@@ -178,34 +164,28 @@ different programming languages.") `(("boost" ,boost))) (native-inputs `(("bison" ,bison) - ("flex" ,flex) - ("file" ,file))) + ("flex" ,flex))) (arguments `(#:configure-flags (list (string-append "--with-boost=" (assoc-ref %build-inputs "boost"))) #:parallel-tests? #f ;There appear to be race conditions #:phases (alist-cons-before - 'configure 'patch-configure + 'check 'patch-test-files (lambda _ - (substitute* "configure" - (("/usr/bin/file") (which "file")))) - (alist-cons-before - 'check 'patch-test-files - (lambda _ - ;; Unpatch shebangs in test input so that source-highlight - ;; is still able to infer input language - (substitute* '("tests/test.sh" - "tests/test2.sh" - "tests/test.tcl") - (((string-append "#! *" (which "sh"))) "#!/bin/sh")) - ;; Initial patching unrecoverably removes whitespace, so - ;; remove it also in the comparison output. - (substitute* '("tests/test.sh.html" - "tests/test2.sh.html" - "tests/test.tcl.html") - (("#! */bin/sh") "#!/bin/sh"))) - %standard-phases)))) + ;; Unpatch shebangs in test input so that source-highlight + ;; is still able to infer input language + (substitute* '("tests/test.sh" + "tests/test2.sh" + "tests/test.tcl") + (((string-append "#! *" (which "sh"))) "#!/bin/sh")) + ;; Initial patching unrecoverably removes whitespace, so + ;; remove it also in the comparison output. + (substitute* '("tests/test.sh.html" + "tests/test2.sh.html" + "tests/test.tcl.html") + (("#! */bin/sh") "#!/bin/sh"))) + %standard-phases))) (home-page "http://www.gnu.org/software/src-highlite") (synopsis "Produce a document with syntax highlighting from a source file") (description diff --git a/guix/build/gnu-build-system.scm b/guix/build/gnu-build-system.scm index 8636931ed9..17fa7afd8d 100644 --- a/guix/build/gnu-build-system.scm +++ b/guix/build/gnu-build-system.scm 
@@ -106,6 +106,35 @@ working directory." (and (zero? (system* "tar" "xvf" source)) (chdir (first-subdirectory "."))))) +;; See <http://bugs.gnu.org/17840>. +(define* (patch-usr-bin-file #:key native-inputs inputs + (patch-/usr/bin/file? #t) + #:allow-other-keys) + "Patch occurrences of /usr/bin/file in configure, if present." + (when patch-/usr/bin/file? + (let ((file "configure") + (file-command (or (and=> (assoc-ref (or native-inputs inputs) "file") + (cut string-append <> "/bin/file")) + (which "file")))) + (cond ((not (file-exists? file)) + (format (current-error-port) + "patch-usr-bin-file: warning: `~a' not found~%" + file)) + ((not file-command) + (format (current-error-port) + "patch-usr-bin-file: warning: `file' not found in PATH~%")) + (else + (let ((st (stat file))) + (substitute* file + (("/usr/bin/file") + (begin + (format (current-error-port) + "patch-usr-bin-file: ~a: changing `~a' to `~a'~%" + file "/usr/bin/file" file-command) + file-command))) + (set-file-time file st)))))) + #t) + (define* (patch-source-shebangs #:key source #:allow-other-keys) "Patch shebangs in all source files; this includes non-executable files such as `.in' templates. Most scripts honor $SHELL and @@ -353,6 +382,7 @@ makefiles." (let-syntax ((phases (syntax-rules () ((_ p ...) `((p . ,p) ...))))) (phases set-paths unpack + patch-usr-bin-file patch-source-shebangs configure patch-generated-file-shebangs build check install patch-shebangs strip))) diff --git a/guix/build/utils.scm b/guix/build/utils.scm index 2f3dc9cad0..d169053c7b 100644 --- a/guix/build/utils.scm +++ b/guix/build/utils.scm 
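Review bot: `patch-usr-bin-file` hard-codes `(let ((file "configure") ...`, so it only rewrites the top-level script and leaves nested ones alone. gawk's `extension/configure`, which this same commit still patches by hand, is one such script. The docstring does not say this, nor does it mention the `#:patch-/usr/bin/file?` switch or that the file's timestamps are restored with `set-file-time`. A docstring along the lines of `"Patch occurrences of /usr/bin/file in the top-level configure script, preserving its timestamps.  Do nothing when PATCH-/USR/BIN/FILE? is false."` would cover all three. The function body is fully inside the hunk.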
@@ -582,14 +582,15 @@ When KEEP-MTIME? is true, the atime/mtime of FILE are kept unchanged." (let ((st (stat file))) (substitute* file - (("^ *SHELL[[:blank:]]*=[[:blank:]]*([[:graph:]]*/)([[:graph:]]+)[[:blank:]]*" _ dir shell) + (("^ *SHELL[[:blank:]]*=[[:blank:]]*([[:graph:]]*/)([[:graph:]]+)(.*)$" + _ dir shell args) (let* ((old (string-append dir shell)) (new (or (find-shell shell) old))) (unless (string=? new old) (format (current-error-port) "patch-makefile-SHELL: ~a: changing `SHELL' from `~a' to `~a'~%" file old new)) - (string-append "SHELL = " new "\n")))) + (string-append "SHELL = " new args)))) (when keep-mtime? (set-file-time file st)))) |
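Review bot: The rewritten pattern ends in `(.*)$` and the replacement now appends `args` instead of a literal "\n", so line termination depends on `args` still containing the newline of the matched line. That presumably holds because `substitute*` hands the procedure the whole line including its terminator, but nothing in the hunk says so, and a later edit to the regexp could silently join two Makefile lines. A comment next to the binding would make the invariant visible, for example `;; ARGS is the rest of the line (shell flags and the trailing newline), kept verbatim.` The enclosing procedure starts outside the hunk.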