From 684f97f8c903b1133658943c7f6c0e1eb4f1b3de Mon Sep 17 00:00:00 2001
From: Efraim Flashner
Date: Sun, 30 Dec 2018 19:35:46 +0200
Subject: gnu: vinagre: Update package for newer freerdp. * gnu/packages/gnome.scm (vinagre)[source]: Update patches. [arguments]: Add custom phase to replace 'freerdp' with 'freerdp2'. Remove configure flags. * gnu/packages/patches/vinagre-revert-1.patch, gnu/packages/patches/vinagre-revert-2.patch: Remove files. * gnu/packages/patches/vinagre-newer-freerdp.patch, gnu/packages/patches/vinagre-newer-rdp-parameters.patch: New files. * gnu/local.mk (dist_patch_DATA): Register changes.
---
 gnu/local.mk | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 925d955a66..0bb0203354 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1227,8 +1227,8 @@ dist_patch_DATA = \
 %D%/packages/patches/upx-fix-CVE-2017-15056.patch \
 %D%/packages/patches/valgrind-enable-arm.patch \
 %D%/packages/patches/valgrind-glibc-compat.patch \
- %D%/packages/patches/vinagre-revert-1.patch \
- %D%/packages/patches/vinagre-revert-2.patch \
+ %D%/packages/patches/vinagre-newer-freerdp.patch \
+ %D%/packages/patches/vinagre-newer-rdp-parameters.patch \
 %D%/packages/patches/virglrenderer-CVE-2017-6386.patch \
 %D%/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch \
 %D%/packages/patches/vorbis-tools-CVE-2014-9640.patch \
--
cgit v1.2.3
From 707efe171a4e0e542a7d969c130195fa94b5d615 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer Date: Wed, 2 Jan 2019 15:11:06 -0500 Subject: gnu: gnucash: Fix test failure. Fixes issue #32057 (see: https://issues.guix.info/issue/32057). * gnu/packages/patches/gnucash-fix-test-transaction-failure.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/gnucash.scm (gnucash): Use it. --- gnu/local.mk | 1 + gnu/packages/gnucash.scm | 3 +- .../gnucash-fix-test-transaction-failure.patch | 54 ++++++++++++++++++++++ 3 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/gnucash-fix-test-transaction-failure.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 0bb0203354..5f3a4b00d8 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -776,6 +776,7 @@ dist_patch_DATA = \ %D%/packages/patches/gnome-tweak-tool-search-paths.patch \ %D%/packages/patches/gnucash-price-quotes-perl.patch \ %D%/packages/patches/gnucash-disable-failing-tests.patch \ + %D%/packages/patches/gnucash-fix-test-transaction-failure.patch \ %D%/packages/patches/gnutls-skip-trust-store-test.patch \ %D%/packages/patches/gnutls-skip-pkgconfig-test.patch \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ diff --git a/gnu/packages/gnucash.scm b/gnu/packages/gnucash.scm index 4e68f20866..b546233873 100644 --- a/gnu/packages/gnucash.scm +++ b/gnu/packages/gnucash.scm @@ -61,7 +61,8 @@ (base32 "0grr5qi5rn1xvr7qx5d7mcxa2mcgycy2b325ry73bb485a6yv5l3")) (patches (search-patches "gnucash-price-quotes-perl.patch" - "gnucash-disable-failing-tests.patch")))) + "gnucash-disable-failing-tests.patch" + "gnucash-fix-test-transaction-failure.patch")))) (build-system cmake-build-system) (inputs `(("guile" ,guile-2.2) diff --git a/gnu/packages/patches/gnucash-fix-test-transaction-failure.patch b/gnu/packages/patches/gnucash-fix-test-transaction-failure.patch new file mode 100644 index 0000000000..7b1b29f06c --- /dev/null +++ b/gnu/packages/patches/gnucash-fix-test-transaction-failure.patch 
@@ -0,0 +1,54 @@ +# This patch was submitted upstream to: https://bugs.gnucash.org/show_bug.cgi?id=797008. +From c20d74bebca516d0e391724202aad511967fe109 Mon Sep 17 00:00:00 2001 +From: Maxim Cournoyer +Date: Wed, 2 Jan 2019 14:46:28 -0500 +Subject: [PATCH] tests: Fix a test failure in test-transaction.scm. + +With the New Year upon us, a test which was hard-coded to use 2018 now +failed. + +Fixes issue #797008 (see: +https://bugs.gnucash.org/show_bug.cgi?id=797008). + +* gnucash/report/standard-reports/test/test-transaction.scm: +(trep-tests): Use the current year in the test string instead of a +static one. +--- + gnucash/report/standard-reports/test/test-transaction.scm | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/gnucash/report/standard-reports/test/test-transaction.scm b/gnucash/report/standard-reports/test/test-transaction.scm +index 755aba298..ae3fbd5c1 100644 +--- a/gnucash/report/standard-reports/test/test-transaction.scm ++++ b/gnucash/report/standard-reports/test/test-transaction.scm +@@ -5,6 +5,7 @@ + (use-modules (gnucash report stylesheets)) + (use-modules (gnucash report report-system)) + (use-modules (gnucash report report-system test test-extras)) ++(use-modules (srfi srfi-19)) + (use-modules (srfi srfi-64)) + (use-modules (gnucash engine test srfi64-extras)) + (use-modules (sxml simple)) +@@ -643,7 +644,8 @@ + (set-option! options "General" "Show original currency amount" #t) + (set-option! options "Sorting" "Primary Key" 'date) + (set-option! 
options "Sorting" "Primary Subtotal for Date Key" 'none) +- (let* ((sxml (options->sxml options "dual columns"))) ++ (let* ((sxml (options->sxml options "dual columns")) ++ (current-year (date->string (current-date) "~y"))) + (test-equal "dual amount column, with original currency headers" + (list "Date" "Num" "Description" "Memo/Notes" "Account" + "Debit (USD)" "Credit (USD)" "Debit" "Credit") +@@ -652,7 +654,8 @@ + (list "Grand Total" "$2,280.00" "$2,280.00") + (get-row-col sxml -1 #f)) + (test-equal "dual amount column, first transaction correct" +- (list "01/03/18" "$103 income" "Root.Asset.Bank" "$103.00" "$103.00") ++ (list (string-append "01/03/" current-year) "$103 income" ++ "Root.Asset.Bank" "$103.00" "$103.00") + (get-row-col sxml 1 #f))) + ) + +-- +2.19.0 + -- cgit v1.2.3 From b634b5c253cb3351eb074c64be838f72aa83f54d Mon Sep 17 00:00:00 2001 From: Kei Kebreau Date: Sun, 30 Dec 2018 09:46:29 -0500 Subject: gnu: vboot-utils: Fix building on armhf-linux. * gnu/packages/bootloaders.scm (vboot-utils)[source]: Add patches. [arguments]: Conditionally add "HOST_ARCH=arm" to #:make-flags. * gnu/packages/patches/vboot-utils-fix-format-load-address.patch, gnu/packages/patches/vboot-utils-fix-tests-show-contents.patch, gnu/packages/patches/vboot-utils-skip-test-workbuf.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. --- gnu/local.mk | 3 + gnu/packages/bootloaders.scm | 17 ++- .../vboot-utils-fix-format-load-address.patch | 33 +++++ .../vboot-utils-fix-tests-show-contents.patch | 142 +++++++++++++++++++++ .../patches/vboot-utils-skip-test-workbuf.patch | 21 +++ 5 files changed, 215 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/vboot-utils-fix-format-load-address.patch create mode 100644 gnu/packages/patches/vboot-utils-fix-tests-show-contents.patch create mode 100644 gnu/packages/patches/vboot-utils-skip-test-workbuf.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 5f3a4b00d8..d50e217849 100644 
--- a/gnu/local.mk +++ b/gnu/local.mk @@ -1228,6 +1228,9 @@ dist_patch_DATA = \ %D%/packages/patches/upx-fix-CVE-2017-15056.patch \ %D%/packages/patches/valgrind-enable-arm.patch \ %D%/packages/patches/valgrind-glibc-compat.patch \ + %D%/packages/patches/vboot-utils-fix-format-load-address.patch \ + %D%/packages/patches/vboot-utils-fix-tests-show-contents.patch \ + %D%/packages/patches/vboot-utils-skip-test-workbuf.patch \ %D%/packages/patches/vinagre-newer-freerdp.patch \ %D%/packages/patches/vinagre-newer-rdp-parameters.patch \ %D%/packages/patches/virglrenderer-CVE-2017-6386.patch \ diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm index 2a595fafab..69b4a904be 100644 --- a/gnu/packages/bootloaders.scm +++ b/gnu/packages/bootloaders.scm @@ -673,10 +673,25 @@ board-independent tools."))) (file-name (string-append name "-" version "-checkout")) (sha256 (base32 - "0h0m3l69vp9dr6xrs1p6y7ilkq3jq8jraw2z20kqfv7lvc9l1lxj")))) + "0h0m3l69vp9dr6xrs1p6y7ilkq3jq8jraw2z20kqfv7lvc9l1lxj")) + (patches + (search-patches "vboot-utils-skip-test-workbuf.patch" + "vboot-utils-fix-tests-show-contents.patch" + "vboot-utils-fix-format-load-address.patch")))) (build-system gnu-build-system) (arguments `(#:make-flags (list "CC=gcc" + ;; On ARM, we must pass "HOST_ARCH=arm" so that the + ;; ${HOST_ARCH} and ${ARCH} variables in the makefile + ;; match. Otherwise, ${HOST_ARCH} will be assigned + ;; "armv7l", the value of `uname -m`, and will not + ;; match ${ARCH}, which will make the tests require + ;; QEMU for testing. + ,@(if (string-prefix? "arm" + (or (%current-target-system) + (%current-system))) + '("HOST_ARCH=arm") + '()) (string-append "DESTDIR=" (assoc-ref %outputs "out"))) #:phases (modify-phases %standard-phases (add-after 'unpack 'patch-hard-coded-paths diff --git a/gnu/packages/patches/vboot-utils-fix-format-load-address.patch b/gnu/packages/patches/vboot-utils-fix-format-load-address.patch new file mode 100644 index 0000000000..899531e40e --- /dev/null 
+++ b/gnu/packages/patches/vboot-utils-fix-format-load-address.patch @@ -0,0 +1,33 @@ +This patch was copied from Debian. + +Description: Fix format load_address for 32 bits architectures + The offset and load_address are 64bits integers + On 32bits we have to use strtoull (instead of strtoul) to parse number + into 64bits unsigned integers. Without this the parsed numbers are + truncated to 2^32-1. +Author: Sophie Brun +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881997 +Forwarded: https://bugs.chromium.org/p/chromium/issues/detail?id=786969 +Last-Update: 2017-11-20 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/futility/cmd_bdb.c ++++ b/futility/cmd_bdb.c +@@ -637,7 +637,7 @@ static int do_bdb(int argc, char *argv[] + } + break; + case OPT_OFFSET: +- offset = strtoul(optarg, &e, 0); ++ offset = strtoull(optarg, &e, 0); + if (!*optarg || (e && *e)) { + fprintf(stderr, "Invalid --offset\n"); + parse_error = 1; +@@ -658,7 +658,7 @@ static int do_bdb(int argc, char *argv[] + } + break; + case OPT_LOAD_ADDRESS: +- load_address = strtoul(optarg, &e, 0); ++ load_address = strtoull(optarg, &e, 0); + if (!*optarg || (e && *e)) { + fprintf(stderr, "Invalid --load_address\n"); + parse_error = 1; diff --git a/gnu/packages/patches/vboot-utils-fix-tests-show-contents.patch b/gnu/packages/patches/vboot-utils-fix-tests-show-contents.patch new file mode 100644 index 0000000000..8e0c691a22 --- /dev/null +++ b/gnu/packages/patches/vboot-utils-fix-tests-show-contents.patch 
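Review bot: Both `strtoull` calls in futility/cmd_bdb.c (`--offset` and `--load_address`) still accept out-of-range input, because the unchanged check `if (!*optarg || (e && *e))` only looks for trailing characters. A value that does not fit in 64 bits is returned as ULLONG_MAX with no error, and a leading minus sign is silently wrapped. Setting `errno = 0;` before each call and extending the test to `if (!*optarg || (e && *e) || errno == ERANGE)` would reject the overflow case. How the parsed values are used is outside the hunk, as are the start and end of do_bdb, so the impact of a saturated offset cannot be judged from here.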
@@ -0,0 +1,142 @@ +This patch was copied from Debian. + +Description: Fix tests/futility/test_show_contents.sh + Tests compare generated files containing the file path and upstream files + ("expected output") containing path like + "/mnt/host/source/src/platform/vboot_reference/tests/". They can't + match. Drop these lines mentioning paths in the generated files and in + the upstream provided files to avoid failures. +Author: Sophie Brun +Last-Update: 2017-11-14 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/tests/futility/expect_output/show.tests_devkeys_kernel.keyblock ++++ b/tests/futility/expect_output/show.tests_devkeys_kernel.keyblock +@@ -1,4 +1,3 @@ +-Key block: /mnt/host/source/src/platform/vboot_reference/tests/devkeys/kernel.keyblock + Signature: ignored + Size: 0x4b8 + Flags: 7 !DEV DEV !REC +--- a/tests/futility/expect_output/show.tests_devkeys_root_key.vbprivk ++++ b/tests/futility/expect_output/show.tests_devkeys_root_key.vbprivk +@@ -1,4 +1,3 @@ +-Private Key file: /mnt/host/source/src/platform/vboot_reference/tests/devkeys/root_key.vbprivk + Vboot API: 1.0 + Algorithm: 11 RSA8192 SHA512 + Key sha1sum: b11d74edd286c144e1135b49e7f0bc20cf041f10 +--- a/tests/futility/expect_output/show.tests_devkeys_root_key.vbpubk ++++ b/tests/futility/expect_output/show.tests_devkeys_root_key.vbpubk +@@ -1,4 +1,3 @@ +-Public Key file: /mnt/host/source/src/platform/vboot_reference/tests/devkeys/root_key.vbpubk + Vboot API: 1.0 + Algorithm: 11 RSA8192 SHA512 + Key Version: 1 +--- a/tests/futility/expect_output/show.tests_futility_data_bios_mario_mp.bin ++++ b/tests/futility/expect_output/show.tests_futility_data_bios_mario_mp.bin +@@ -1,4 +1,3 @@ +-BIOS: /mnt/host/source/src/platform/vboot_reference/tests/futility/data/bios_mario_mp.bin + GBB header: GBB Area + Version: 1.0 + Flags: 0x00000000 +--- a/tests/futility/expect_output/show.tests_futility_data_bios_zgb_mp.bin ++++ 
b/tests/futility/expect_output/show.tests_futility_data_bios_zgb_mp.bin +@@ -1,4 +1,3 @@ +-BIOS: /mnt/host/source/src/platform/vboot_reference/tests/futility/data/bios_zgb_mp.bin + GBB header: GBB + Version: 1.0 + Flags: 0x00000000 +--- a/tests/futility/expect_output/show.tests_futility_data_fw_gbb.bin ++++ b/tests/futility/expect_output/show.tests_futility_data_fw_gbb.bin +@@ -1,4 +1,3 @@ +-GBB header: /mnt/host/source/src/platform/vboot_reference/tests/futility/data/fw_gbb.bin + Version: 1.1 + Flags: 0x00000039 + Regions: offset size +--- a/tests/futility/expect_output/show.tests_futility_data_fw_vblock.bin ++++ b/tests/futility/expect_output/show.tests_futility_data_fw_vblock.bin +@@ -1,4 +1,3 @@ +-Key block: /mnt/host/source/src/platform/vboot_reference/tests/futility/data/fw_vblock.bin + Signature: ignored + Size: 0x8b8 + Flags: 7 !DEV DEV !REC +--- a/tests/futility/expect_output/show.tests_futility_data_kern_preamble.bin ++++ b/tests/futility/expect_output/show.tests_futility_data_kern_preamble.bin +@@ -1,4 +1,3 @@ +-Kernel partition: /mnt/host/source/src/platform/vboot_reference/tests/futility/data/kern_preamble.bin + Key block: + Signature: ignored + Size: 0x5b8 +--- a/tests/futility/expect_output/show.tests_futility_data_sample.vbprik2 ++++ b/tests/futility/expect_output/show.tests_futility_data_sample.vbprik2 +@@ -1,4 +1,3 @@ +-Private key file: /mnt/host/source/src/platform/vboot_reference/tests/futility/data/sample.vbprik2 + Vboot API: 2.1 + Desc: "sample vb21 keypair" + Signature Algorithm: 5 RSA8192 +--- a/tests/futility/expect_output/show.tests_futility_data_sample.vbpubk2 ++++ b/tests/futility/expect_output/show.tests_futility_data_sample.vbpubk2 +@@ -1,4 +1,3 @@ +-Public Key file: /mnt/host/source/src/platform/vboot_reference/tests/futility/data/sample.vbpubk2 + Vboot API: 2.1 + Desc: "sample vb21 keypair" + Signature Algorithm: 5 RSA8192 +--- a/tests/futility/expect_output/show.tests_testkeys_key_rsa2048.pem ++++ 
b/tests/futility/expect_output/show.tests_testkeys_key_rsa2048.pem +@@ -1,3 +1,2 @@ +-Private Key file: /mnt/host/source/src/platform/vboot_reference/tests/testkeys/key_rsa2048.pem + Key length: 2048 + Key sha1sum: bfb2fa9188a87bf766dd7c313ea6802553b646b6 +--- a/tests/futility/expect_output/show.tests_testkeys_key_rsa8192.pub.pem ++++ b/tests/futility/expect_output/show.tests_testkeys_key_rsa8192.pub.pem +@@ -1,3 +1,2 @@ +-Public Key file: /mnt/host/source/src/platform/vboot_reference/tests/testkeys/key_rsa8192.pub.pem + Key length: 8192 + Key sha1sum: f1afa44a1aed0d0e9ff630579df920a725e9de5e +--- a/tests/futility/test_show_contents.sh ++++ b/tests/futility/test_show_contents.sh +@@ -29,7 +29,7 @@ for file in $SHOW_FILES; do + outfile="show.${file//\//_}" + gotfile="${OUTDIR}/${outfile}" + wantfile="${SRCDIR}/tests/futility/expect_output/${outfile}" +- ${FUTILITY} show "${SRCDIR}/${file}" | tee "${gotfile}" ++ ${FUTILITY} show "${SRCDIR}/${file}" | grep -v "tests/" | tee "${gotfile}" + + # Uncomment this to update the expected output + #cp ${gotfile} ${wantfile} +@@ -48,7 +48,7 @@ for file in $VBUTIL_KEY_FILES; do + outfile="vbutil_key.${file//\//_}" + gotfile="${OUTDIR}/${outfile}" + wantfile="${SRCDIR}/tests/futility/expect_output/${outfile}" +- ${FUTILITY} vbutil_key --unpack "${SRCDIR}/${file}" | tee "${gotfile}" ++ ${FUTILITY} vbutil_key --unpack "${SRCDIR}/${file}" | grep -v "tests/" | tee "${gotfile}" + + # Uncomment this to update the expected output + #cp ${gotfile} ${wantfile} +@@ -64,7 +64,7 @@ gotfile="${OUTDIR}/${outfile}" + wantfile="${SRCDIR}/tests/futility/expect_output/${outfile}" + ${FUTILITY} vbutil_keyblock --unpack "${SRCDIR}/${file}" \ + --signpubkey "${SRCDIR}/tests/devkeys/kernel_subkey.vbpubk" \ +- | tee "${gotfile}" ++ | grep -v "tests/" | tee "${gotfile}" + + # Uncomment this to update the expected output + #cp ${gotfile} ${wantfile} +--- a/tests/futility/expect_output/vbutil_key.tests_devkeys_root_key.vbprivk ++++ 
b/tests/futility/expect_output/vbutil_key.tests_devkeys_root_key.vbprivk +@@ -1,2 +1 @@ +-Private Key file: /mnt/host/source/src/platform/vboot_reference/tests/devkeys/root_key.vbprivk + Algorithm: 11 RSA8192 SHA512 +--- a/tests/futility/expect_output/vbutil_keyblock.tests_devkeys_kernel.keyblock ++++ b/tests/futility/expect_output/vbutil_keyblock.tests_devkeys_kernel.keyblock +@@ -1,4 +1,3 @@ +-Key block file: /mnt/host/source/src/platform/vboot_reference/tests/devkeys/kernel.keyblock + Signature valid + Flags: 7 !DEV DEV !REC + Data key algorithm: 4 RSA2048 SHA256 +--- a/tests/futility/expect_output/vbutil_key.tests_devkeys_root_key.vbpubk ++++ b/tests/futility/expect_output/vbutil_key.tests_devkeys_root_key.vbpubk +@@ -1,4 +1,3 @@ +-Public Key file: /mnt/host/source/src/platform/vboot_reference/tests/devkeys/root_key.vbpubk + Algorithm: 11 RSA8192 SHA512 + Key Version: 1 + Key sha1sum: b11d74edd286c144e1135b49e7f0bc20cf041f10 diff --git a/gnu/packages/patches/vboot-utils-skip-test-workbuf.patch b/gnu/packages/patches/vboot-utils-skip-test-workbuf.patch new file mode 100644 index 0000000000..9618c76f83 --- /dev/null +++ b/gnu/packages/patches/vboot-utils-skip-test-workbuf.patch @@ -0,0 +1,21 @@ +This patch was copied from Debian. + +Description: skip the workbuf test if VB2_WORKBUF_ALIGN different from 16 +Author: Sophie Brun +Last-Update: 2015-12-03 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/tests/vb2_common_tests.c ++++ b/tests/vb2_common_tests.c +@@ -70,6 +70,11 @@ static void test_workbuf(void) + /* NOTE: There are several magic numbers below which assume that + * VB2_WORKBUF_ALIGN == 16 */ + ++ /* Skip the tests if VB2_WORKBUF_ALIGN != 16 */ ++ if (VB2_WORKBUF_ALIGN != 16) { ++ return; ++ } ++ + /* Init */ + vb2_workbuf_init(&wb, p0, 64); + TEST_EQ(vb2_offset_of(p0, wb.buf), 0, "Workbuf init aligned"); -- cgit v1.2.3 From 8f36c8e9eabc06e1fff740e149bbd5008e53fe18 Mon Sep 17 00:00:00 2001 
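Review bot: The `grep -v "tests/"` filter added to the three pipelines in tests/futility/test_show_contents.sh removes every output line containing `tests/`, not only the leading line that echoes the input path. Any other line that mentions such a path is then dropped from the comparison, which makes the expected-output check weaker than it needs to be. Matching only the path that was passed in, for example `grep -vF "${SRCDIR}/${file}"`, would keep the rest of the output under test. The surrounding `for` loops start and end outside these hunks.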
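Review bot: The early `return` added to test_workbuf() makes the test succeed silently whenever VB2_WORKBUF_ALIGN is not 16, so on those targets the work-buffer alignment code ships untested and nothing in the build log records it. Printing a line before returning, e.g. `printf("Skipping test_workbuf: VB2_WORKBUF_ALIGN != 16\n");`, would make the gap visible; this assumes stdio is already available in tests/vb2_common_tests.c, which the hunk does not show. The body of test_workbuf continues past the end of the hunk.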
From: Alex Vong Date: Mon, 31 Dec 2018 06:50:48 +0800 Subject: gnu: libextractor: Fix CVE-2018-{20430,20431}. * gnu/packages/patches/libextractor-CVE-2018-20430.patch, gnu/packages/patches/libextractor-CVE-2018-20431.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gnunet.scm (libextractor)[source]: Use them. --- gnu/local.mk | 2 + gnu/packages/gnunet.scm | 2 + .../patches/libextractor-CVE-2018-20430.patch | 60 ++++++++++++++++++++++ .../patches/libextractor-CVE-2018-20431.patch | 53 +++++++++++++++++++ 4 files changed, 117 insertions(+) create mode 100644 gnu/packages/patches/libextractor-CVE-2018-20430.patch create mode 100644 gnu/packages/patches/libextractor-CVE-2018-20431.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index d50e217849..362f934e99 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -889,6 +889,8 @@ dist_patch_DATA = \ %D%/packages/patches/libevent-2.1-skip-failing-test.patch \ %D%/packages/patches/libexif-CVE-2016-6328.patch \ %D%/packages/patches/libexif-CVE-2017-7544.patch \ + %D%/packages/patches/libextractor-CVE-2018-20430.patch \ + %D%/packages/patches/libextractor-CVE-2018-20431.patch \ %D%/packages/patches/libgcrypt-make-yat2m-reproducible.patch \ %D%/packages/patches/libgit2-mtime-0.patch \ %D%/packages/patches/libgit2-oom-test.patch \ diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm index 4a69520762..d9e903734d 100644 --- a/gnu/packages/gnunet.scm +++ b/gnu/packages/gnunet.scm @@ -73,6 +73,8 @@ (method url-fetch) (uri (string-append "mirror://gnu/libextractor/libextractor-" version ".tar.gz")) + (patches (search-patches "libextractor-CVE-2018-20430.patch" + "libextractor-CVE-2018-20431.patch")) (sha256 (base32 "1z1cb35griqzvshqdv5ck98dy0sgpsswn7fgiy7lbzi34sma8dg2")))) diff --git a/gnu/packages/patches/libextractor-CVE-2018-20430.patch b/gnu/packages/patches/libextractor-CVE-2018-20430.patch new file mode 100644 index 0000000000..570cd7c006 --- /dev/null 
+++ b/gnu/packages/patches/libextractor-CVE-2018-20430.patch @@ -0,0 +1,60 @@ +Fix CVE-2018-20430: + +https://gnunet.org/bugs/view.php?id=5493 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20430 +https://security-tracker.debian.org/tracker/CVE-2018-20430 + +Patch copied from upstream source repository: + +https://gnunet.org/git/libextractor.git/commit/?id=b405d707b36e0654900cba78e89f49779efea110 + +From b405d707b36e0654900cba78e89f49779efea110 Mon Sep 17 00:00:00 2001 +From: Christian Grothoff +Date: Thu, 20 Dec 2018 22:47:53 +0100 +Subject: [PATCH] fix #5493 (out of bounds read) + +--- + src/common/convert.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/common/convert.c b/src/common/convert.c +index c0edf21..2be2108 100644 +--- a/src/common/convert.c ++++ b/src/common/convert.c +@@ -36,8 +36,8 @@ + * string is returned. + */ + char * +-EXTRACTOR_common_convert_to_utf8 (const char *input, +- size_t len, ++EXTRACTOR_common_convert_to_utf8 (const char *input, ++ size_t len, + const char *charset) + { + #if HAVE_ICONV +@@ -52,7 +52,7 @@ EXTRACTOR_common_convert_to_utf8 (const char *input, + i = input; + cd = iconv_open ("UTF-8", charset); + if (cd == (iconv_t) - 1) +- return strdup (i); ++ return strndup (i, len); + if (len > 1024 * 1024) + { + iconv_close (cd); +@@ -67,11 +67,11 @@ EXTRACTOR_common_convert_to_utf8 (const char *input, + } + itmp = tmp; + finSize = tmpSize; +- if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == SIZE_MAX) ++ if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == ((size_t) -1)) + { + iconv_close (cd); + free (tmp); +- return strdup (i); ++ return strndup (i, len); + } + ret = malloc (tmpSize - finSize + 1); + if (ret == NULL) +-- +2.20.1 + diff --git a/gnu/packages/patches/libextractor-CVE-2018-20431.patch b/gnu/packages/patches/libextractor-CVE-2018-20431.patch new file mode 100644 index 0000000000..855c5ba64b --- /dev/null 
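Review bot: In the iconv() failure branch of EXTRACTOR_common_convert_to_utf8, the new `return strndup (i, len);` reads `len` after `&len` was handed to iconv() as the bytes-remaining argument. iconv() decrements that value as it consumes input, so the fallback copies only as many bytes of the original string as were left unconverted when the error occurred. The read stays inside the buffer, so the out-of-bounds read is still fixed, but the fallback string can be shorter than the input. Saving the length first, e.g. `const size_t in_len = len;` before the call and `return strndup (i, in_len);` in this branch, keeps the whole input. The function starts and ends outside the hunk, and since the patch is copied from upstream this is best reported there rather than changed locally.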
+++ b/gnu/packages/patches/libextractor-CVE-2018-20431.patch @@ -0,0 +1,53 @@ +Fix CVE-2018-20431: + +https://gnunet.org/bugs/view.php?id=5494 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20431 +https://security-tracker.debian.org/tracker/CVE-2018-20431 + +Patch copied from upstream source repository: + +https://gnunet.org/git/libextractor.git/commit/?id=489c4a540bb2c4744471441425b8932b97a153e7 + +To apply the patch to libextractor 1.8 release tarball, +hunk #1 which patches ChangeLog is removed. + +From 489c4a540bb2c4744471441425b8932b97a153e7 Mon Sep 17 00:00:00 2001 +From: Christian Grothoff +Date: Thu, 20 Dec 2018 23:02:28 +0100 +Subject: [PATCH] fix #5494 + +--- + ChangeLog | 3 ++- + src/plugins/ole2_extractor.c | 9 +++++++-- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/plugins/ole2_extractor.c b/src/plugins/ole2_extractor.c +index 53fa1b9..a48b726 100644 +--- a/src/plugins/ole2_extractor.c ++++ b/src/plugins/ole2_extractor.c +@@ -173,7 +173,7 @@ struct ProcContext + EXTRACTOR_MetaDataProcessor proc; + + /** +- * Closure for 'proc'. ++ * Closure for @e proc. + */ + void *proc_cls; + +@@ -213,7 +213,12 @@ process_metadata (gpointer key, + + if (G_VALUE_TYPE(gval) == G_TYPE_STRING) + { +- contents = strdup (g_value_get_string (gval)); ++ const char *gvals; ++ ++ gvals = g_value_get_string (gval); ++ if (NULL == gvals) ++ return; ++ contents = strdup (gvals); + } + else + { +-- +2.20.1 + -- cgit v1.2.3 From a6e532815d5022d005a00f8323e46084cfa66221 Mon Sep 17 00:00:00 2001 
From: Hartmut Goebel Date: Sun, 22 Oct 2017 17:17:57 +0200 Subject: gnu: kio: Search 'smbd' on $PATH. Transfer the remaining NixOS patch for kio as of 2018-02-17. * gnu/packages/patches/kio-search-smbd-on-PATH.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/kde-frameworks.scm(kio): Use it. --- gnu/local.mk | 1 + gnu/packages/kde-frameworks.scm | 6 ++--- gnu/packages/patches/kio-search-smbd-on-PATH.patch | 30 ++++++++++++++++++++++ 3 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 gnu/packages/patches/kio-search-smbd-on-PATH.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 362f934e99..a7e6a06e8b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -855,6 +855,7 @@ dist_patch_DATA = \ %D%/packages/patches/kiki-makefile.patch \ %D%/packages/patches/kiki-missing-includes.patch \ %D%/packages/patches/kiki-portability-64bit.patch \ + %D%/packages/patches/kio-search-smbd-on-PATH.patch \ %D%/packages/patches/kmod-module-directory.patch \ %D%/packages/patches/kobodeluxe-paths.patch \ %D%/packages/patches/kobodeluxe-enemies-pipe-decl.patch \ diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm index e270035b21..98c920aaa7 100644 --- a/gnu/packages/kde-frameworks.scm +++ b/gnu/packages/kde-frameworks.scm @@ -2573,7 +2573,8 @@ makes starting KDE applications faster and reduces memory consumption.") name "-" version ".tar.xz")) (sha256 (base32 - "0rrsg3g1b204cdp58vxd5dig1ggwyvk1382p1c86vn6w8qbrq27k")))) + "0rrsg3g1b204cdp58vxd5dig1ggwyvk1382p1c86vn6w8qbrq27k")) + (patches (search-patches "kio-search-smbd-on-PATH.patch")))) (build-system cmake-build-system) (propagated-inputs `(("kbookmarks" ,kbookmarks) 
@@ -2616,11 +2617,10 @@ makes starting KDE applications faster and reduces memory consumption.") (modify-phases %standard-phases (add-after 'unpack 'patch (lambda _ - ;; Better error message (taken from nix) + ;; Better error message (taken from NixOS) (substitute* "src/kiod/kiod_main.cpp" (("(^\\s*qCWarning(KIOD_CATEGORY) << \"Error loading plugin:\")( << loader.errorString();)" _ a b) (string-append a "<< name" b))) - ;; TODO: samba-search-path.patch from nix: search smbd on $PATH #t)) (add-before 'check 'check-setup (lambda _ diff --git a/gnu/packages/patches/kio-search-smbd-on-PATH.patch b/gnu/packages/patches/kio-search-smbd-on-PATH.patch new file mode 100644 index 0000000000..47e20cfc0b --- /dev/null +++ b/gnu/packages/patches/kio-search-smbd-on-PATH.patch @@ -0,0 +1,30 @@ +Adopted from NixOS +pkgs/development/libraries/kde-frameworks/kio/samba-search-path.patch + +=================================================================== +--- kio-5.17.0.orig/src/core/ksambashare.cpp ++++ kio-5.17.0/src/core/ksambashare.cpp +@@ -67,13 +67,18 @@ KSambaSharePrivate::~KSambaSharePrivate( + + bool KSambaSharePrivate::isSambaInstalled() + { +- if (QFile::exists(QStringLiteral("/usr/sbin/smbd")) +- || QFile::exists(QStringLiteral("/usr/local/sbin/smbd"))) { +- return true; ++ const QByteArray pathEnv = qgetenv("PATH"); ++ if (!pathEnv.isEmpty()) { ++ QLatin1Char pathSep(':'); ++ QStringList paths = QFile::decodeName(pathEnv).split(pathSep, QString::SkipEmptyParts); ++ for (QStringList::iterator it = paths.begin(); it != paths.end(); ++it) { ++ it->append("/smbd"); ++ if (QFile::exists(*it)) { ++ return true; ++ } ++ } + } + +- //qDebug() << "Samba is not installed!"; +- + return false; + } + -- cgit v1.2.3 From f8a0f3ac708359a72ca136e1c76dfc241a20ea90 Mon Sep 17 00:00:00 2001 
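Review bot: KSambaSharePrivate::isSambaInstalled() now returns true for any filesystem entry named `smbd` in a `$PATH` directory, because `QFile::exists(*it)` does not check that the entry is an executable file. Qt already provides this search with the executable check, so the loop could become `return !QStandardPaths::findExecutable(QStringLiteral("smbd")).isEmpty();` with `#include <QStandardPaths>`. That would also remove `it->append("/smbd")`, which depends on the implicit `const char *` to QString conversion and will not compile if the target is built with QT_NO_CAST_FROM_ASCII (not visible in this hunk). Because the answer depends on the caller's environment, it should be treated as a hint that Samba is present, not as a guarantee about which binary will run.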
From: Hartmut Goebel Date: Sun, 22 Oct 2017 21:25:36 +0200 Subject: gnu: kinit: Use the store paths for dynamically loaded libs. Transfer the NixOS "kdeinit-extra_libs" patch for kinit as of 2018-02-17. * gnu/packages/patches/kinit-kdeinit-extra_libs.patch: New filee. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/kde-frameworks.scm (kinit)[source]: Use it. : New phase. [inputs]: Add kparts, plasma-framework. --- gnu/local.mk | 1 + gnu/packages/kde-frameworks.scm | 18 ++++++- .../patches/kinit-kdeinit-extra_libs.patch | 55 ++++++++++++++++++++++ 3 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/kinit-kdeinit-extra_libs.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index a7e6a06e8b..5b983c64bb 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -855,6 +855,7 @@ dist_patch_DATA = \ %D%/packages/patches/kiki-makefile.patch \ %D%/packages/patches/kiki-missing-includes.patch \ %D%/packages/patches/kiki-portability-64bit.patch \ + %D%/packages/patches/kinit-kdeinit-extra_libs.patch \ %D%/packages/patches/kio-search-smbd-on-PATH.patch \ %D%/packages/patches/kmod-module-directory.patch \ %D%/packages/patches/kobodeluxe-paths.patch \ diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm index 98c920aaa7..7aae50f4bc 100644 --- a/gnu/packages/kde-frameworks.scm +++ b/gnu/packages/kde-frameworks.scm 
@@ -2526,8 +2526,22 @@ in applications using the KDE Frameworks.") name "-" version ".tar.xz")) (sha256 (base32 - "1rq9b59gdgcpvwd694l8h55sqahpdaky0n7ag5psjlfn5myf1d95")))) + "1rq9b59gdgcpvwd694l8h55sqahpdaky0n7ag5psjlfn5myf1d95")) + ;; Use the store paths for other packages and dynamically loaded + ;; libs + (patches (search-patches "kinit-kdeinit-extra_libs.patch")))) (build-system cmake-build-system) + (arguments + `(#:phases + (modify-phases %standard-phases + (add-after 'unpack 'patch-paths + (lambda* (#:key inputs outputs #:allow-other-keys) + ;; Set patched-in values: + (substitute* "src/kdeinit/kinit.cpp" + (("GUIX_PKGS_KF5_KIO") (assoc-ref inputs "kio")) + (("GUIX_PKGS_KF5_PARTS") (assoc-ref inputs "kparts")) + (("GUIX_PKGS_KF5_PLASMA") (assoc-ref inputs "plasma-framework"))) + #t))))) (native-inputs `(("extra-cmake-modules" ,extra-cmake-modules) ("pkg-config" ,pkg-config))) @@ -2545,11 +2559,13 @@ in applications using the KDE Frameworks.") ("kitemviews" ,kitemviews) ("ki18n" ,ki18n) ("kjobwidgets" ,kjobwidgets) + ("kparts" ,kparts) ("kservice" ,kservice) ("kwidgetsaddons" ,kwidgetsaddons) ("kwindowsystem" ,kwindowsystem) ("kxmlgui" ,kxmlgui) ("libcap" ,libcap) ; to install start_kdeinit with CAP_SYS_RESOURCE + ("plasma-framework" ,plasma-framework) ("qtbase" ,qtbase) ("solid" ,solid))) (home-page "https://community.kde.org/Frameworks") diff --git a/gnu/packages/patches/kinit-kdeinit-extra_libs.patch b/gnu/packages/patches/kinit-kdeinit-extra_libs.patch new file mode 100644 index 0000000000..8dcd4d3e95 --- /dev/null +++ b/gnu/packages/patches/kinit-kdeinit-extra_libs.patch 
@@ -0,0 +1,55 @@ +Search the "extra libs" in GUIX_KF5INIT_LIB_PATH (which basically is a +collection of all /lib directories). We can not hard-code the full path to the +libsKF5Plasam, since adding palse-workspace + +Adopted from NixOS +pkgs/development/libraries/kde-frameworks/kinit/kdeinit-extra_libs.patch + +=================================================================== +--- kinit-5.32.0/src/kdeinit/kinit-5.32.0/src/kdeinit/.orig ++++ kinit-5.32.0/src/kdeinit/kinit.cpp +@@ -96,11 +96,9 @@ + "libKF5Parts.5.dylib", + "libKF5Plasma.5.dylib" + #else +- "libKF5KIOCore.so.5", +- "libKF5Parts.so.5", +-//#ifdef __KDE_HAVE_GCC_VISIBILITY // Removed for KF5, we'll see. +- "libKF5Plasma.so.5" +-//#endif ++ "GUIX_PKGS_KF5_KIO/lib/libKF5KIOCore.so.5", ++ "GUIX_PKGS_KF5_PARTS/lib/libKF5Parts.so.5", ++ "GUIX_PKGS_KF5_PLASMA/lib/libKF5Plasma.so.5" + #endif + }; + #endif +@@ -1533,20 +1531,6 @@ static int initXconnection() + } + #endif + +-#ifndef Q_OS_OSX +-// Find a shared lib in the lib dir, e.g. libkio.so. +-// Completely unrelated to plugins. +-static QString findSharedLib(const QString &lib) +-{ +- QString path = QFile::decodeName(CMAKE_INSTALL_PREFIX "/" LIB_INSTALL_DIR "/") + lib; +- if (QFile::exists(path)) { +- return path; +- } +- // We could also look in LD_LIBRARY_PATH, but really, who installs the main libs in different prefixes? +- return QString(); +-} +-#endif +- + extern "C" { + + static void secondary_child_handler(int) +@@ -1689,7 +1693,7 @@ + if (!d.suicide && qEnvironmentVariableIsEmpty("KDE_IS_PRELINKED")) { + const int extrasCount = sizeof(extra_libs) / sizeof(extra_libs[0]); + for (int i = 0; i < extrasCount; i++) { +- const QString extra = findSharedLib(QString::fromLatin1(extra_libs[i])); ++ const QString extra = QString::fromLatin1(extra_libs[i]); + if (!extra.isEmpty()) { + QLibrary l(extra); + l.setLoadHints(QLibrary::ExportExternalSymbolsHint); -- cgit v1.2.3 From 16b8aff85bcdb9799496c4a27257210cd45158e5 Mon Sep 17 00:00:00 2001 
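Review bot: The header text of this patch describes a different mechanism from the one its hunks implement: it talks about searching `GUIX_KF5INIT_LIB_PATH`, while the code hard-codes `GUIX_PKGS_KF5_*` placeholders that are substituted at build time, and its second sentence breaks off mid-way ("since adding palse-workspace"). I would replace it with something like `Load the "extra libs" from absolute store paths; the GUIX_PKGS_KF5_* placeholders are filled in by the 'patch-paths phase.` In the last hunk `extra` is now always a non-empty literal, so the `!extra.isEmpty()` guard no longer filters anything and a missing library is only noticed when `QLibrary` fails to load it; the rest of that loop is outside the hunk.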
From: Hartmut Goebel Date: Thu, 1 Mar 2018 23:08:44 +0100 Subject: gnu: kinit: Use LIBRARY_PATH to search for dynamically loaded libs. Transfer the NixOS "kdeinit-libpath" patch for kinit as of 2018-02-17. * gnu/packages/patches/kinit-kdeinit-libpath.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/kde-frameworks.scm (kinit)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/kde-frameworks.scm | 3 +- gnu/packages/patches/kinit-kdeinit-libpath.patch | 37 ++++++++++++++++++++++++ 3 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/kinit-kdeinit-libpath.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 5b983c64bb..2fed38f6b9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -856,6 +856,7 @@ dist_patch_DATA = \ %D%/packages/patches/kiki-missing-includes.patch \ %D%/packages/patches/kiki-portability-64bit.patch \ %D%/packages/patches/kinit-kdeinit-extra_libs.patch \ + %D%/packages/patches/kinit-kdeinit-libpath.patch \ %D%/packages/patches/kio-search-smbd-on-PATH.patch \ %D%/packages/patches/kmod-module-directory.patch \ %D%/packages/patches/kobodeluxe-paths.patch \ diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm index 7aae50f4bc..2d48661a44 100644 --- a/gnu/packages/kde-frameworks.scm +++ b/gnu/packages/kde-frameworks.scm @@ -2529,7 +2529,8 @@ in applications using the KDE Frameworks.") "1rq9b59gdgcpvwd694l8h55sqahpdaky0n7ag5psjlfn5myf1d95")) ;; Use the store paths for other packages and dynamically loaded ;; libs - (patches (search-patches "kinit-kdeinit-extra_libs.patch")))) + (patches (search-patches "kinit-kdeinit-extra_libs.patch" + "kinit-kdeinit-libpath.patch")))) (build-system cmake-build-system) (arguments `(#:phases diff --git a/gnu/packages/patches/kinit-kdeinit-libpath.patch b/gnu/packages/patches/kinit-kdeinit-libpath.patch new file mode 100644 index 0000000000..89cf1a941d --- /dev/null 
+++ b/gnu/packages/patches/kinit-kdeinit-libpath.patch @@ -0,0 +1,37 @@ +Search libraries in GUIX_KF5INIT_LIB_PATH. + +Based on an idea by NixOs +pkgs/development/libraries/kde-frameworks/kinit/kinit-libpath.patch + +=================================================================== +--- kinit-5.32.0/src/kdeinit/kinit.cpp.orig 2017-10-22 21:02:20.908765455 +0200 ++++ kinit-5.32.0/src/kdeinit/kinit.cpp 2017-10-22 21:03:25.312818248 +0200 +@@ -623,20 +623,18 @@ + if (libpath_relative) { + // NB: Because Qt makes the actual dlopen() call, the + // RUNPATH of kdeinit is *not* respected - see + // https://sourceware.org/bugzilla/show_bug.cgi?id=13945 + // - so we try hacking it in ourselves +- QString install_lib_dir = QFile::decodeName( +- CMAKE_INSTALL_PREFIX "/" LIB_INSTALL_DIR "/"); +- QString orig_libpath = libpath; +- libpath = install_lib_dir + libpath; +- l.setFileName(libpath); +- if (!l.load()) { +- libpath = orig_libpath; +- l.setFileName(libpath); +- l.load(); +- } ++ // Try to load the library relative to the active profiles. ++ QByteArrayList profiles = qgetenv("LIBRARY_PATH").split(':'); ++ for (const QByteArray &profile: profiles) { ++ if (!profile.isEmpty()) { ++ l.setFileName(QFile::decodeName(profile) + QStringLiteral("/") + libpath); ++ if (l.load()) break; ++ } ++ } + } else { + l.load(); + } + if (!l.isLoaded()) { + QString ltdlError(l.errorString()); -- cgit v1.2.3 From 0fd6138175cb6099e2e5f3d112c3188c84b31561 Mon Sep 17 00:00:00 2001 
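Review bot: The new loop in the `libpath_relative` branch accepts every non-empty `LIBRARY_PATH` entry, so a relative entry makes the library resolve against kdeinit's current working directory; restricting the search to absolute entries would close that, `if (!profile.isEmpty() && profile.startsWith('/')) {`. The patch header also names `GUIX_KF5INIT_LIB_PATH` while the code reads `LIBRARY_PATH`, a variable the compiler toolchain uses as well, so one of the two should be corrected and the choice explained in the header. With the old fallback removed, an unset or non-matching `LIBRARY_PATH` leaves `l` unloaded and the error path below reports whichever candidate was tried last rather than the requested name; the construction of `l` is outside the hunk, so this is worth confirming.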
From: Hartmut Goebel Date: Mon, 23 Oct 2017 12:55:22 +0200 Subject: gnu: kpackage: Transfer patches from NixOS. Transfer the NixOS patches for kpackage as of 2018-02-17: - Allow external paths. - Make QDirIterator follow symlinks. Decided to use a patch for one of the "allow external paths" changes since 'substitute*' seems not to be robust enough. * gnu/packages/patches/kpackage-allow-external-paths.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/kde-frameworks.scm(kpackage)[source]: Use it. : New phase. --- gnu/local.mk | 1 + gnu/packages/kde-frameworks.scm | 15 ++++++++++++++- gnu/packages/patches/kpackage-allow-external-paths.patch | 13 +++++++++++++ 3 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/kpackage-allow-external-paths.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 2fed38f6b9..6d4159e167 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -859,6 +859,7 @@ dist_patch_DATA = \ %D%/packages/patches/kinit-kdeinit-libpath.patch \ %D%/packages/patches/kio-search-smbd-on-PATH.patch \ %D%/packages/patches/kmod-module-directory.patch \ + %D%/packages/patches/kpackage-allow-external-paths.patch \ %D%/packages/patches/kobodeluxe-paths.patch \ %D%/packages/patches/kobodeluxe-enemies-pipe-decl.patch \ %D%/packages/patches/kobodeluxe-const-charp-conversion.patch \ diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm index 2d48661a44..89d52874b8 100644 --- a/gnu/packages/kde-frameworks.scm +++ b/gnu/packages/kde-frameworks.scm 
@@ -1825,7 +1825,10 @@ covers feedback and persistent events.") name "-" version ".tar.xz")) (sha256 (base32 - "1xbfjwxb4gff8gg0hs5m9s0jcnzqk27rs2jr71g5ckhvs5psnkcd")))) + "1xbfjwxb4gff8gg0hs5m9s0jcnzqk27rs2jr71g5ckhvs5psnkcd")) + ;; Default to: external paths/symlinks can be followed by a + ;; package + (patches (search-patches "kpackage-allow-external-paths.patch")))) (build-system cmake-build-system) (native-inputs `(("extra-cmake-modules" ,extra-cmake-modules))) @@ -1840,6 +1843,16 @@ covers feedback and persistent events.") `(#:tests? #f ; FIXME: 3/9 tests fail. #:phases (modify-phases %standard-phases + (add-after 'unpack 'patch + (lambda _ + ;; Make QDirIterator follow symlinks + (substitute* '("src/kpackage/packageloader.cpp" + "src/kpackage/private/packagejobthread.cpp") + (("^\\s*(const QDirIterator::IteratorFlags flags = QDirIterator::Subdirectories)(;)" _ a b) + (string-append a " | QDirIterator::FollowSymlinks" b)) + (("^\\s*(QDirIterator it\\(.*, QDirIterator::Subdirectories)(\\);)" _ a b) + (string-append a " | QDirIterator::FollowSymlinks" b))) + #t)) (add-before 'check 'check-setup (lambda _ (setenv "HOME" (getcwd)) diff --git a/gnu/packages/patches/kpackage-allow-external-paths.patch b/gnu/packages/patches/kpackage-allow-external-paths.patch new file mode 100644 index 0000000000..c1c9efde7f --- /dev/null +++ b/gnu/packages/patches/kpackage-allow-external-paths.patch @@ -0,0 +1,13 @@ +diff --git a/src/kpackage/package.cpp b/src/kpackage/package.cpp +index 5aec9fd..b15c933 100644 +--- a/src/kpackage/package.cpp ++++ b/src/kpackage/package.cpp +@@ -820,7 +820,7 @@ PackagePrivate::PackagePrivate() + : QSharedData(), + fallbackPackage(nullptr), + metadata(nullptr), +- externalPaths(false), ++ externalPaths(true), + valid(false), + checkedValid(false) + { -- cgit v1.2.3 From 87fd7a35c2c8af364fe783947a2232a646d009cb Mon Sep 17 00:00:00 2001 
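Review bot: Both `substitute*` patterns in the new `patch` phase do nothing when the upstream lines change shape, so a later kpackage update could silently stop following symlinks without the build failing. The commit message already says `substitute*` was not robust enough for the other change; carrying these two edits in kpackage-allow-external-paths.patch as well would make a mismatch fail at patch time. Note also that `^\\s*` is matched but not captured, so the replacement drops each line's leading indentation (cosmetic only).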
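Review bot: Flipping the `externalPaths` default to `true` in `PackagePrivate::PackagePrivate()` applies to every package kpackage loads, not only to those that live in the store. Judging by the flag's name and the comment added in kde-frameworks.scm, this setting is what keeps a package's files confined to its own root, so packages installed from less trusted locations would lose that confinement too; the check itself is outside the hunk, so this should be confirmed against package.cpp. The patch file also starts directly at `diff --git` with no explanatory header; it should open with a short description of why the default is changed and where the change comes from (the commit message says it was transferred from NixOS).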
From: Efraim Flashner Date: Sat, 5 Jan 2019 22:04:24 +0200 Subject: gnu: streamlink: Fix build. * gnu/packages/video.scm (streamlink)[source]: Add patch. * gnu/packages/patches/streamlink-update-test.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/patches/streamlink-update-test.patch | 70 +++++++++++++++++++++++ gnu/packages/video.scm | 5 +- 3 files changed, 74 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/streamlink-update-test.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 6d4159e167..7ccef8a75b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1175,6 +1175,7 @@ dist_patch_DATA = \ %D%/packages/patches/soundtouch-CVE-2018-14044-14045.patch \ %D%/packages/patches/soundtouch-CVE-2018-1000223.patch \ %D%/packages/patches/steghide-fixes.patch \ + %D%/packages/patches/streamlink-update-test.patch \ %D%/packages/patches/superlu-dist-scotchmetis.patch \ %D%/packages/patches/swig-guile-gc.patch \ %D%/packages/patches/swish-e-search.patch \ diff --git a/gnu/packages/patches/streamlink-update-test.patch b/gnu/packages/patches/streamlink-update-test.patch new file mode 100644 index 0000000000..2d90009192 --- /dev/null +++ b/gnu/packages/patches/streamlink-update-test.patch 
@@ -0,0 +1,70 @@ +https://github.com/streamlink/streamlink/commit/a3123346824ee7b9c461110f292ea6987ea9a78d.patch +This is taken from upstream, and can be removed at the next release + +From c6f3994e177a42792238f2edd07ba9053c10abc9 Mon Sep 17 00:00:00 2001 +From: back-to +Date: Sat, 21 Jul 2018 14:30:51 +0200 +Subject: [PATCH] tests.localization: use en_CA instead of en_US for + test_equivalent + +**python-iso3166** got an update which breaks the Streamlink tests. +https://pypi.org/project/iso3166/#history + +**python-iso3166** and **pycountry** have now a different `name` for _the United States of America_ + +> python-iso3166: United States of America +https://github.com/deactivated/python-iso3166/commit/e5f8b37f18b01fcb5fa0e8130d8296fc7a7b5a9f + +> pycountry: United States +https://bitbucket.org/flyingcircus/pycountry/src/5aa4bb47e33798cb631a81521b7b5b18f7d6c919/src/pycountry/databases/iso3166-1.json?at=default&fileviewer=file-view-default#iso3166-1.json-1572:1578 + +https://www.iso.org/obp/ui/#iso:code:3166:US + +--- + +use **en_CA** instead of **en_US** for backwards compatibility, +as changing the **US** name would fail with older versions of **python-iso3166** / **pycountry** +--- + tests/test_localization.py | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/tests/test_localization.py b/tests/test_localization.py +index 0b81ae591..90bb3ac31 100644 +--- a/tests/test_localization.py ++++ b/tests/test_localization.py +@@ -32,11 +32,12 @@ def test_bad_language_code(self): + self.assertRaises(LookupError, l10n.Localization, "enUS") + + def test_equivalent(self): +- l = l10n.Localization("en_US") ++ l = l10n.Localization("en_CA") + self.assertTrue(l.equivalent(language="eng")) + self.assertTrue(l.equivalent(language="en")) +- self.assertTrue(l.equivalent(language="en", country="US")) +- self.assertTrue(l.equivalent(language="en", country="United States")) ++ self.assertTrue(l.equivalent(language="en", country="CA")) ++ 
self.assertTrue(l.equivalent(language="en", country="CAN")) ++ self.assertTrue(l.equivalent(language="en", country="Canada")) + + def test_equivalent_remap(self): + l = l10n.Localization("fr_FR") +@@ -48,7 +49,7 @@ def test_not_equivalent(self): + self.assertFalse(l.equivalent(language="eng")) + self.assertFalse(l.equivalent(language="en")) + self.assertFalse(l.equivalent(language="en", country="US")) +- self.assertFalse(l.equivalent(language="en", country="United States")) ++ self.assertFalse(l.equivalent(language="en", country="Canada")) + self.assertFalse(l.equivalent(language="en", country="ES")) + self.assertFalse(l.equivalent(language="en", country="Spain")) + +@@ -71,8 +72,8 @@ def test_get_country(self): + l10n.Localization.get_country("USA").alpha2) + self.assertEqual("GB", + l10n.Localization.get_country("GB").alpha2) +- self.assertEqual("United States", +- l10n.Localization.get_country("United States").name) ++ self.assertEqual("Canada", ++ l10n.Localization.get_country("Canada").name) + + def test_get_country_miss(self): + self.assertRaises(LookupError, l10n.Localization.get_country, "XE") diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm index b8ac09d4ad..52facebe42 100644 --- a/gnu/packages/video.scm +++ b/gnu/packages/video.scm @@ -3,7 +3,7 @@ ;;; Copyright © 2014, 2015, 2016 David Thompson ;;; Copyright © 2014, 2015, 2016, 2018 Mark H Weaver ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer -;;; Copyright © 2015, 2016, 2017, 2018 Efraim Flashner +;;; Copyright © 2015, 2016, 2017, 2018, 2019 Efraim Flashner ;;; Copyright © 2015 Andy Patterson ;;; Copyright © 2015, 2018 Ricardo Wurmus ;;; Copyright © 2015, 2016, 2017, 2018 Alex Vong 
@@ -1924,7 +1924,8 @@ and custom quantization matrices.") (uri (pypi-uri "streamlink" version)) (sha256 (base32 - "0l2145fd60i76afjisfxd48cwhwyir07i7s3bnimdq5db2kzkix8")))) + "0l2145fd60i76afjisfxd48cwhwyir07i7s3bnimdq5db2kzkix8")) + (patches (search-patches "streamlink-update-test.patch")))) (build-system python-build-system) (home-page "https://github.com/streamlink/streamlink") (native-inputs -- cgit v1.2.3 From 30e06c2cee92fa9a9b9e86bb8bf9c3e8d458ef9b Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Sun, 6 Jan 2019 14:32:39 +0200 Subject: gnu: unrtf: Update to 0.21.10. * gnu/packages/unrtf.scm (unrtf): Update to 0.21.10. [source]: Remove patch, remove snippet. [license]: Update to gpl3+. * gnu/packages/patches/unrtf-CVE-2016-10091.patch: Remove file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/patches/unrtf-CVE-2016-10091.patch | 189 ------------------------ gnu/packages/unrtf.scm | 30 +--- 3 files changed, 4 insertions(+), 216 deletions(-) delete mode 100644 gnu/packages/patches/unrtf-CVE-2016-10091.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 7ccef8a75b..cd0414b41d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1215,7 +1215,6 @@ dist_patch_DATA = \ %D%/packages/patches/u-boot-pinebook-dts.patch \ %D%/packages/patches/u-boot-pinebook-syscon-node.patch \ %D%/packages/patches/u-boot-pinebook-video-bridge.patch \ - %D%/packages/patches/unrtf-CVE-2016-10091.patch \ %D%/packages/patches/unzip-CVE-2014-8139.patch \ %D%/packages/patches/unzip-CVE-2014-8140.patch \ %D%/packages/patches/unzip-CVE-2014-8141.patch \ diff --git a/gnu/packages/patches/unrtf-CVE-2016-10091.patch b/gnu/packages/patches/unrtf-CVE-2016-10091.patch deleted file mode 100644 index badd1b8ed6..0000000000 --- a/gnu/packages/patches/unrtf-CVE-2016-10091.patch +++ /dev/null 
@@ -1,189 +0,0 @@ -Fix CVE-2016-10091 (stack-based buffer overflows in cmd_* functions): - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10091 -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705 -http://seclists.org/oss-sec/2016/q4/787 - -Patch adapted from Debian: - -https://anonscm.debian.org/cgit/collab-maint/unrtf.git/commit/?h=jessie&id=7500a48fb0fbad3ab963fb17560b2f90a8a485c8 - -The Debian patch adapts this upstream commit so that it can be applied -to the 0.21.9 release tarball: - -http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406 - -From 7dd568ed8a6a5acb6c04f2b40f457d63a00435f3 Mon Sep 17 00:00:00 2001 -From: Willi Mann -Date: Sat, 31 Dec 2016 20:31:38 +0100 -Subject: [PATCH] Add patch from upstream to fix CVE-2016-10091 (buffer - overflow in various cmd_ functions) - -diff --git a/src/attr.c b/src/attr.c -index 02b5c81..e2951ea 100644 ---- a/src/attr.c -+++ b/src/attr.c -@@ -746,7 +746,7 @@ char * - assemble_string(char *string, int nr) - { - -- char *s, tmp[12];/* Number of characters that can be in int type (including '\0') - AF */ -+ char *s, tmp[20]; - int i = 0, j = 0; - - if (string == NULL) -@@ -762,7 +762,7 @@ assemble_string(char *string, int nr) - } - - if (string[i] != '\0') { -- sprintf(tmp, "%d", nr); -+ snprintf(tmp, 20, "%d", nr); - strcpy(&s[j], tmp); - j = j + strlen(tmp); - } -diff --git a/src/convert.c b/src/convert.c -index c76d7d6..8eacdcb 100644 ---- a/src/convert.c -+++ b/src/convert.c -@@ -472,7 +472,7 @@ static const int fcharsetparmtocp(int parm) - } - - // Translate code page to encoding name hopefully suitable as iconv input --static char *cptoencoding(parm) -+static char *cptoencoding(int parm) - { - // Note that CP0 is supposed to mean current system default, which does - // not make any sense as a stored value, we don't handle it. 
-@@ -964,7 +964,7 @@ cmd_cf (Word *w, int align, char has_param, int num) - } - else - { -- sprintf(str,"#%02x%02x%02x", -+ snprintf(str, 40, "#%02x%02x%02x", - color_table[num].r, - color_table[num].g, - color_table[num].b); -@@ -993,7 +993,7 @@ cmd_cb (Word *w, int align, char has_param, int num) - } - else - { -- sprintf(str,"#%02x%02x%02x", -+ snprintf(str, 40, "#%02x%02x%02x", - color_table[num].r, - color_table[num].g, - color_table[num].b); -@@ -1018,7 +1018,7 @@ cmd_fs (Word *w, int align, char has_param, int points) { - /* Note, fs20 means 10pt */ - points /= 2; - -- sprintf(str,"%d",points); -+ snprintf(str, 20, "%d", points); - attr_push(ATTR_FONTSIZE,str); - - return FALSE; -@@ -1166,7 +1166,7 @@ cmd_f (Word *w, int align, char has_param, int num) - { - // TOBEDONE: WHAT'S THIS ??? - name = my_malloc(12); -- sprintf(name, "%d", num); -+ snprintf(name, 12, "%d", num); - } - - /* we are going to output entities, so should not output font */ -@@ -1218,7 +1218,7 @@ cmd_highlight (Word *w, int align, char has_param, int num) - } - else - { -- sprintf(str,"#%02x%02x%02x", -+ snprintf(str, 40, "#%02x%02x%02x", - color_table[num].r, - color_table[num].g, - color_table[num].b); -@@ -1373,9 +1373,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) { - - static int - cmd_expand (Word *w, int align, char has_param, int param) { -- char str[10]; -+ char str[20]; - if (has_param) { -- sprintf(str, "%d", param/4); -+ snprintf(str, 20, "%d", param / 4); - if (!param) - attr_pop(ATTR_EXPAND); - else -@@ -1394,7 +1394,7 @@ cmd_expand (Word *w, int align, char has_param, int param) { - - static int - cmd_emboss (Word *w, int align, char has_param, int param) { -- char str[10]; -+ char str[20]; - if (has_param && !param) - #ifdef SUPPORT_UNNESTED - attr_find_pop(ATTR_EMBOSS); -@@ -1403,7 +1403,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) { - #endif - else - { -- sprintf(str, "%d", param); -+ snprintf(str, 20, "%d", param); - 
attr_push(ATTR_EMBOSS, str); - } - return FALSE; -@@ -1419,12 +1419,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) { - - static int - cmd_engrave (Word *w, int align, char has_param, int param) { -- char str[10]; -+ char str[20]; - if (has_param && !param) - attr_pop(ATTR_ENGRAVE); - else - { -- sprintf(str, "%d", param); -+ snprintf(str, 20, "%d", param); - attr_push(ATTR_ENGRAVE, str); - } - return FALSE; -@@ -1976,7 +1976,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) { - - short done=0; - long unicode_number = (long) param; /* On 16bit architectures int is too small to store unicode characters. - AF */ -- char tmp[12]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */ -+ char tmp[20]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */ - const char *alias; - #define DEBUG 0 - #if DEBUG -@@ -2006,7 +2006,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) { - /* RTF spec: Unicode values beyond 32767 are represented by negative numbers */ - unicode_number += 65536; - } -- sprintf(tmp, "%ld", unicode_number); -+ snprintf(tmp, 20, "%ld", unicode_number); - - if (safe_printf(1, op->unisymbol_print, tmp)) fprintf(stderr, TOO_MANY_ARGS, "unisymbol_print"); - done++; -diff --git a/src/output.c b/src/output.c -index 86d8b5c..4cdbfa6 100644 ---- a/src/output.c -+++ b/src/output.c -@@ -320,7 +320,7 @@ op_begin_std_fontsize (OutputPersonality *op, int size) - if (!found_std_expr) { - if (op->fontsize_begin) { - char expr[16]; -- sprintf (expr, "%d", size); -+ snprintf(expr, 16, "%d", size); - if (safe_printf (1, op->fontsize_begin, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_begin"); - } else { - /* If we cannot write out a change for the exact -@@ -440,7 +440,7 @@ op_end_std_fontsize (OutputPersonality *op, int size) - if (!found_std_expr) { - if 
(op->fontsize_end) { - char expr[16]; -- sprintf (expr, "%d", size); -+ snprintf(expr, 16, "%d", size); - if (safe_printf(1, op->fontsize_end, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_end"); - } else { - /* If we cannot write out a change for the exact -- -.11.0 - diff --git a/gnu/packages/unrtf.scm b/gnu/packages/unrtf.scm index 1d21a81a0e..de5ecf944a 100644 --- a/gnu/packages/unrtf.scm +++ b/gnu/packages/unrtf.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2015 Ludovic Courtès ;;; Copyright © 2015 Andreas Enge +;;; Copyright © 2019 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; @@ -31,37 +32,14 @@ (define-public unrtf (package (name "unrtf") - (version "0.21.9") + (version "0.21.10") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/unrtf/unrtf-" version ".tar.gz")) - (patches (search-patches "unrtf-CVE-2016-10091.patch")) (sha256 (base32 - "1pcdzf2h1prn393dkvg93v80vh38q0v817xnbwrlwxbdz4k7i8r2")) - (modules '((guix build utils))) - (snippet - #~(begin - ;; The tarball includes site-specific generated files. - ;; Remove them. - (for-each delete-file '("config.log" "config.h")) - (for-each delete-file - (find-files "." "^Makefile$")) - - ;; The config/ directory contains dangling symlinks to - ;; /usr/share/automake. - (for-each delete-file (find-files "config")) - - ;; Regenerate the whole thing. - (setenv "PATH" - (string-append #$autoconf "/bin:" - #$automake "/bin:" - #$m4 "/bin:" - #$grep "/bin:" #$sed "/bin:" - #$coreutils "/bin:" - (getenv "PATH"))) - (invoke "autoreconf" "-vfi"))))) + "1bil6z4niydz9gqm2j861dkxmqnpc8m7hvidsjbzz7x63whj17xl")))) (build-system gnu-build-system) (home-page "https://www.gnu.org/software/unrtf/") (synopsis "Convert Rich Text Format documents to other formats") 
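Review bot: Dropping `unrtf-CVE-2016-10091.patch` together with the bump to 0.21.10 is only safe if that release contains the upstream fix, and neither the commit message nor the package definition says so. The removed patch header cites upstream revision 3b16893a6406; once that is checked against the 0.21.10 sources, a comment next to the version such as `;; CVE-2016-10091 is fixed upstream in this release.` would make the removal auditable. The same applies to the removed snippet that deleted the shipped `config.log`, `config.h` and Makefiles and re-ran `autoreconf`: it would help to record that the new tarball no longer ships those site-specific generated files.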
@@ -69,4 +47,4 @@ "GNU UnRTF converts text documents from RTF to HTML, LaTeX, or troff. It supports changes in font characteristics, underlines and strikethroughs, superscripts and subscripts, and more.") - (license gpl2+))) + (license gpl3+))) -- cgit v1.2.3 From 59fb5c1cdb6fa5d6d1dbeca58e33f4a01a7d98f8 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Mon, 26 Nov 2018 12:22:47 +0100 Subject: hydra: Move job definitions to (gnu ci). * build-aux/hydra/gnu-system.scm: Move code to... * gnu/ci.scm: ... here. New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. --- build-aux/hydra/gnu-system.scm | 407 +------------------------------------- gnu/ci.scm | 434 +++++++++++++++++++++++++++++++++++++++++ gnu/local.mk | 4 +- 3 files changed, 440 insertions(+), 405 deletions(-) create mode 100644 gnu/ci.scm (limited to 'gnu/local.mk') diff --git a/build-aux/hydra/gnu-system.scm b/build-aux/hydra/gnu-system.scm index b225c02077..150c2bdf4f 100644 --- a/build-aux/hydra/gnu-system.scm +++ b/build-aux/hydra/gnu-system.scm 
@@ -50,413 +50,12 @@ dir) (set! %load-path (cons dir %load-path)))))) -(use-modules (guix config) - (guix store) - (guix grafts) - (guix profiles) - (guix packages) - (guix derivations) - (guix monads) - (guix ui) - ((guix licenses) #:select (gpl3+)) - ((guix utils) #:select (%current-system)) - ((guix scripts system) #:select (read-operating-system)) - ((guix scripts pack) - #:select (lookup-compressor self-contained-tarball)) - (gnu bootloader) - (gnu bootloader u-boot) - (gnu packages) - (gnu packages gcc) - (gnu packages base) - (gnu packages gawk) - (gnu packages guile) - (gnu packages gettext) - (gnu packages compression) - (gnu packages multiprecision) - (gnu packages make-bootstrap) - (gnu packages package-management) - (gnu system) - (gnu system vm) - (gnu system install) - (gnu tests) - (srfi srfi-1) - (srfi srfi-26) - (ice-9 match)) +(use-modules (gnu ci)) ;; XXX: Debugging hack: since `hydra-eval-guile-jobs' redirects the output ;; port to the bit bucket, let us write to the error port instead. (setvbuf (current-error-port) _IOLBF) (set-current-output-port (current-error-port)) -(define* (package->alist store package system - #:optional (package-derivation package-derivation)) - "Convert PACKAGE to an alist suitable for Hydra." - (parameterize ((%graft? #f)) - `((derivation . ,(derivation-file-name - (package-derivation store package system - #:graft? #f))) - (description . ,(package-synopsis package)) - (long-description . ,(package-description package)) - (license . ,(package-license package)) - (home-page . ,(package-home-page package)) - (maintainers . ("bug-guix@gnu.org")) - (max-silent-time . ,(or (assoc-ref (package-properties package) - 'max-silent-time) - 3600)) ;1 hour by default - (timeout . ,(or (assoc-ref (package-properties package) 'timeout) - 72000))))) ;20 hours by default - -(define (package-job store job-name package system) - "Return a job called JOB-NAME that builds PACKAGE on SYSTEM." 
- (let ((job-name (symbol-append job-name (string->symbol ".") - (string->symbol system)))) - `(,job-name . ,(cut package->alist store package system)))) - -(define (package-cross-job store job-name package target system) - "Return a job called TARGET.JOB-NAME that cross-builds PACKAGE for TARGET on -SYSTEM." - `(,(symbol-append (string->symbol target) (string->symbol ".") job-name - (string->symbol ".") (string->symbol system)) . - ,(cute package->alist store package system - (lambda* (store package system #:key graft?) - (package-cross-derivation store package target system - #:graft? graft?))))) - -(define %core-packages - ;; Note: Don't put the '-final' package variants because (1) that's - ;; implicit, and (2) they cannot be cross-built (due to the explicit input - ;; chain.) - (list gcc-4.8 gcc-4.9 gcc-5 glibc binutils - gmp mpfr mpc coreutils findutils diffutils patch sed grep - gawk gnu-gettext hello guile-2.0 guile-2.2 zlib gzip xz - %bootstrap-binaries-tarball - %binutils-bootstrap-tarball - (%glibc-bootstrap-tarball) - %gcc-bootstrap-tarball - %guile-bootstrap-tarball - %bootstrap-tarballs)) - -(define %packages-to-cross-build - %core-packages) - -(define %cross-targets - '("mips64el-linux-gnu" - "mips64el-linux-gnuabi64" - "arm-linux-gnueabihf" - "aarch64-linux-gnu" - "powerpc-linux-gnu" - "i586-pc-gnu" ;aka. GNU/Hurd - "i686-w64-mingw32")) - -(define %guixsd-supported-systems - '("x86_64-linux" "i686-linux" "armhf-linux")) - -(define %u-boot-systems - '("armhf-linux")) - -(define (qemu-jobs store system) - "Return a list of jobs that build QEMU images for SYSTEM." - (define (->alist drv) - `((derivation . ,(derivation-file-name drv)) - (description . "Stand-alone QEMU image of the GNU system") - (long-description . "This is a demo stand-alone QEMU image of the GNU -system.") - (license . ,gpl3+) - (max-silent-time . 600) - (timeout . 3600) - (home-page . ,%guix-home-page-url) - (maintainers . 
("bug-guix@gnu.org")))) - - (define (->job name drv) - (let ((name (symbol-append name (string->symbol ".") - (string->symbol system)))) - `(,name . ,(lambda () - (parameterize ((%graft? #f)) - (->alist drv)))))) - - (define MiB - (expt 2 20)) - - (if (member system %guixsd-supported-systems) - (if (member system %u-boot-systems) - (list (->job 'flash-image - (run-with-store store - (mbegin %store-monad - (set-guile-for-build (default-guile)) - (system-disk-image - (operating-system (inherit installation-os) - (bootloader (bootloader-configuration - (bootloader u-boot-bootloader) - (target #f)))) - #:disk-image-size - (* 1500 MiB)))))) - (list (->job 'usb-image - (run-with-store store - (mbegin %store-monad - (set-guile-for-build (default-guile)) - (system-disk-image installation-os - #:disk-image-size - (* 1500 MiB))))) - (->job 'iso9660-image - (run-with-store store - (mbegin %store-monad - (set-guile-for-build (default-guile)) - (system-disk-image installation-os - #:file-system-type - "iso9660")))))) - '())) - -(define (system-test-jobs store system) - "Return a list of jobs for the system tests." - (define (test->thunk test) - (lambda () - (define drv - (run-with-store store - (mbegin %store-monad - (set-current-system system) - (set-grafting #f) - (set-guile-for-build (default-guile)) - (system-test-value test)))) - - `((derivation . ,(derivation-file-name drv)) - (description . ,(format #f "GuixSD '~a' system test" - (system-test-name test))) - (long-description . ,(system-test-description test)) - (license . ,gpl3+) - (max-silent-time . 600) - (timeout . 3600) - (home-page . ,%guix-home-page-url) - (maintainers . ("bug-guix@gnu.org"))))) - - (define (->job test) - (let ((name (string->symbol - (string-append "test." (system-test-name test) - "." 
system)))) - (cons name (test->thunk test)))) - - (if (member system %guixsd-supported-systems) - (map ->job (all-system-tests)) - '())) - -(define (tarball-jobs store system) - "Return Hydra jobs to build the self-contained Guix binary tarball." - (define (->alist drv) - `((derivation . ,(derivation-file-name drv)) - (description . "Stand-alone binary Guix tarball") - (long-description . "This is a tarball containing binaries of Guix and -all its dependencies, and ready to be installed on non-GuixSD distributions.") - (license . ,gpl3+) - (home-page . ,%guix-home-page-url) - (maintainers . ("bug-guix@gnu.org")))) - - (define (->job name drv) - (let ((name (symbol-append name (string->symbol ".") - (string->symbol system)))) - `(,name . ,(lambda () - (parameterize ((%graft? #f)) - (->alist drv)))))) - - ;; XXX: Add a job for the stable Guix? - (list (->job 'binary-tarball - (run-with-store store - (mbegin %store-monad - (set-guile-for-build (default-guile)) - (>>= (profile-derivation (packages->manifest (list guix))) - (lambda (profile) - (self-contained-tarball "guix-binary" profile - #:localstatedir? #t - #:compressor - (lookup-compressor "xz"))))) - #:system system)))) - -(define job-name - ;; Return the name of a package's job. - (compose string->symbol - (cut package-full-name <> "-"))) - -(define package->job - (let ((base-packages - (delete-duplicates - (append-map (match-lambda - ((_ package _ ...) - (match (package-transitive-inputs package) - (((_ inputs _ ...) ...) - inputs)))) - (%final-inputs))))) - (lambda (store package system) - "Return a job for PACKAGE on SYSTEM, or #f if this combination is not -valid." - (cond ((member package base-packages) - (package-job store (symbol-append 'base. (job-name package)) - package system)) - ((supported-package? package system) - (let ((drv (package-derivation store package system - #:graft? #f))) - (and (substitutable-derivation? 
drv) - (package-job store (job-name package) - package system)))) - (else - #f))))) - -(define (all-packages) - "Return the list of packages to build." - (define (adjust package result) - (cond ((package-replacement package) - (cons* package ;build both - (package-replacement package) - result)) - ((package-superseded package) - result) ;don't build it - (else - (cons package result)))) - - (fold-packages adjust - (fold adjust '() ;include base packages - (match (%final-inputs) - (((labels packages _ ...) ...) - packages))) - #:select? (const #t))) ;include hidden packages - -(define (arguments->manifests arguments) - "Return the list of manifests extracted from ARGUMENTS." - (map (match-lambda - ((input-name . relative-path) - (let* ((checkout (assq-ref arguments (string->symbol input-name))) - (base (assq-ref checkout 'file-name))) - (in-vicinity base relative-path)))) - (assq-ref arguments 'manifests))) - -(define (manifests->packages store manifests) - "Return the list of packages found in MANIFESTS." - (define (load-manifest manifest) - (save-module-excursion - (lambda () - (set-current-module (make-user-module '((guix profiles) (gnu)))) - (primitive-load manifest)))) - - (delete-duplicates! - (map manifest-entry-item - (append-map (compose manifest-entries - load-manifest) - manifests)))) - - -;;; -;;; Hydra entry point. -;;; - -(define (hydra-jobs store arguments) - "Return Hydra jobs." - (define subset - (match (assoc-ref arguments 'subset) - ("core" 'core) ; only build core packages - ("hello" 'hello) ; only build hello - (((? string?) (? string?) ...) 'list) ; only build selected list of packages - ("manifests" 'manifests) ; only build packages in the list of manifests - (_ 'all))) ; build everything - - (define systems - (match (assoc-ref arguments 'systems) - (#f %hydra-supported-systems) - ((lst ...) lst) - ((? string? str) (call-with-input-string str read)))) - - (define (cross-jobs system) - (define (from-32-to-64? 
target) - ;; Return true if SYSTEM is 32-bit and TARGET is 64-bit. This hack - ;; prevents known-to-fail cross-builds from i686-linux or armhf-linux to - ;; mips64el-linux-gnuabi64. - (and (or (string-prefix? "i686-" system) - (string-prefix? "i586-" system) - (string-prefix? "armhf-" system)) - (string-contains target "64"))) ;x86_64, mips64el, aarch64, etc. - - (define (same? target) - ;; Return true if SYSTEM and TARGET are the same thing. This is so we - ;; don't try to cross-compile to 'mips64el-linux-gnu' from - ;; 'mips64el-linux'. - (or (string-contains target system) - (and (string-prefix? "armhf" system) ;armhf-linux - (string-prefix? "arm" target)))) ;arm-linux-gnueabihf - - (define (pointless? target) - ;; Return #t if it makes no sense to cross-build to TARGET from SYSTEM. - (match system - ((or "x86_64-linux" "i686-linux") - (if (string-contains target "mingw") - (not (string=? "x86_64-linux" system)) - #f)) - (_ - ;; Don't try to cross-compile from non-Intel platforms: this isn't - ;; very useful and these are often brittle configurations. - #t))) - - (define (either proc1 proc2 proc3) - (lambda (x) - (or (proc1 x) (proc2 x) (proc3 x)))) - - (append-map (lambda (target) - (map (lambda (package) - (package-cross-job store (job-name package) - package target system)) - %packages-to-cross-build)) - (remove (either from-32-to-64? same? pointless?) - %cross-targets))) - - ;; Turn off grafts. Grafting is meant to happen on the user's machines. - (parameterize ((%graft? #f)) - ;; Return one job for each package, except bootstrap packages. - (append-map (lambda (system) - (format (current-error-port) - "evaluating for '~a' (heap size: ~a MiB)...~%" - system - (round - (/ (assoc-ref (gc-stats) 'heap-size) - (expt 2. 20)))) - (invalidate-derivation-caches!) - (case subset - ((all) - ;; Build everything, including replacements. 
- (let ((all (all-packages)) - (job (lambda (package) - (package->job store package - system)))) - (append (filter-map job all) - (qemu-jobs store system) - (system-test-jobs store system) - (tarball-jobs store system) - (cross-jobs system)))) - ((core) - ;; Build core packages only. - (append (map (lambda (package) - (package-job store (job-name package) - package system)) - %core-packages) - (cross-jobs system))) - ((hello) - ;; Build hello package only. - (if (string=? system (%current-system)) - (let ((hello (specification->package "hello"))) - (list (package-job store (job-name hello) hello system))) - '())) - ((list) - ;; Build selected list of packages only. - (if (string=? system (%current-system)) - (let* ((names (assoc-ref arguments 'subset)) - (packages (map specification->package names))) - (map (lambda (package) - (package-job store (job-name package) - package system)) - packages)) - '())) - ((manifests) - ;; Build packages in the list of manifests. - (let* ((manifests (arguments->manifests arguments)) - (packages (manifests->packages store manifests))) - (map (lambda (package) - (package-job store (job-name package) - package system)) - packages))) - (else - (error "unknown subset" subset)))) - systems))) +;; Return the procedure from (gnu ci). +hydra-jobs diff --git a/gnu/ci.scm b/gnu/ci.scm new file mode 100644 index 0000000000..7db7e6062f --- /dev/null +++ b/gnu/ci.scm 
@@ -0,0 +1,434 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès +;;; Copyright © 2017 Jan Nieuwenhuizen +;;; Copyright © 2018 Clément Lassieur +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu ci) + #:use-module (guix config) + #:use-module (guix store) + #:use-module (guix grafts) + #:use-module (guix profiles) + #:use-module (guix packages) + #:use-module (guix derivations) + #:use-module (guix monads) + #:use-module (guix ui) + #:use-module ((guix licenses) #:select (gpl3+)) + #:use-module ((guix utils) #:select (%current-system)) + #:use-module ((guix scripts system) #:select (read-operating-system)) + #:use-module ((guix scripts pack) + #:select (lookup-compressor self-contained-tarball)) + #:use-module (gnu bootloader) + #:use-module (gnu bootloader u-boot) + #:use-module (gnu packages) + #:use-module (gnu packages gcc) + #:use-module (gnu packages base) + #:use-module (gnu packages gawk) + #:use-module (gnu packages guile) + #:use-module (gnu packages gettext) + #:use-module (gnu packages compression) + #:use-module (gnu packages multiprecision) + #:use-module (gnu packages make-bootstrap) + #:use-module (gnu packages package-management) + #:use-module (gnu system) + #:use-module (gnu system vm) + #:use-module (gnu system install) + 
#:use-module (gnu tests) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-26) + #:use-module (ice-9 match) + #:export (hydra-jobs)) + +;;; Commentary: +;;; +;;; This file defines build jobs for the Hydra and Cuirass continuation +;;; integration tools. +;;; +;;; Code: + +(define* (package->alist store package system + #:optional (package-derivation package-derivation)) + "Convert PACKAGE to an alist suitable for Hydra." + (parameterize ((%graft? #f)) + `((derivation . ,(derivation-file-name + (package-derivation store package system + #:graft? #f))) + (description . ,(package-synopsis package)) + (long-description . ,(package-description package)) + (license . ,(package-license package)) + (home-page . ,(package-home-page package)) + (maintainers . ("bug-guix@gnu.org")) + (max-silent-time . ,(or (assoc-ref (package-properties package) + 'max-silent-time) + 3600)) ;1 hour by default + (timeout . ,(or (assoc-ref (package-properties package) 'timeout) + 72000))))) ;20 hours by default + +(define (package-job store job-name package system) + "Return a job called JOB-NAME that builds PACKAGE on SYSTEM." + (let ((job-name (symbol-append job-name (string->symbol ".") + (string->symbol system)))) + `(,job-name . ,(cut package->alist store package system)))) + +(define (package-cross-job store job-name package target system) + "Return a job called TARGET.JOB-NAME that cross-builds PACKAGE for TARGET on +SYSTEM." + `(,(symbol-append (string->symbol target) (string->symbol ".") job-name + (string->symbol ".") (string->symbol system)) . + ,(cute package->alist store package system + (lambda* (store package system #:key graft?) + (package-cross-derivation store package target system + #:graft? graft?))))) + +(define %core-packages + ;; Note: Don't put the '-final' package variants because (1) that's + ;; implicit, and (2) they cannot be cross-built (due to the explicit input + ;; chain.) 
+ (list gcc-4.8 gcc-4.9 gcc-5 glibc binutils + gmp mpfr mpc coreutils findutils diffutils patch sed grep + gawk gnu-gettext hello guile-2.0 guile-2.2 zlib gzip xz + %bootstrap-binaries-tarball + %binutils-bootstrap-tarball + (%glibc-bootstrap-tarball) + %gcc-bootstrap-tarball + %guile-bootstrap-tarball + %bootstrap-tarballs)) + +(define %packages-to-cross-build + %core-packages) + +(define %cross-targets + '("mips64el-linux-gnu" + "mips64el-linux-gnuabi64" + "arm-linux-gnueabihf" + "aarch64-linux-gnu" + "powerpc-linux-gnu" + "i586-pc-gnu" ;aka. GNU/Hurd + "i686-w64-mingw32")) + +(define %guixsd-supported-systems + '("x86_64-linux" "i686-linux" "armhf-linux")) + +(define %u-boot-systems + '("armhf-linux")) + +(define (qemu-jobs store system) + "Return a list of jobs that build QEMU images for SYSTEM." + (define (->alist drv) + `((derivation . ,(derivation-file-name drv)) + (description . "Stand-alone QEMU image of the GNU system") + (long-description . "This is a demo stand-alone QEMU image of the GNU +system.") + (license . ,gpl3+) + (max-silent-time . 600) + (timeout . 3600) + (home-page . ,%guix-home-page-url) + (maintainers . ("bug-guix@gnu.org")))) + + (define (->job name drv) + (let ((name (symbol-append name (string->symbol ".") + (string->symbol system)))) + `(,name . ,(lambda () + (parameterize ((%graft? 
#f)) + (->alist drv)))))) + + (define MiB + (expt 2 20)) + + (if (member system %guixsd-supported-systems) + (if (member system %u-boot-systems) + (list (->job 'flash-image + (run-with-store store + (mbegin %store-monad + (set-guile-for-build (default-guile)) + (system-disk-image + (operating-system (inherit installation-os) + (bootloader (bootloader-configuration + (bootloader u-boot-bootloader) + (target #f)))) + #:disk-image-size + (* 1500 MiB)))))) + (list (->job 'usb-image + (run-with-store store + (mbegin %store-monad + (set-guile-for-build (default-guile)) + (system-disk-image installation-os + #:disk-image-size + (* 1500 MiB))))) + (->job 'iso9660-image + (run-with-store store + (mbegin %store-monad + (set-guile-for-build (default-guile)) + (system-disk-image installation-os + #:file-system-type + "iso9660")))))) + '())) + +(define (system-test-jobs store system) + "Return a list of jobs for the system tests." + (define (test->thunk test) + (lambda () + (define drv + (run-with-store store + (mbegin %store-monad + (set-current-system system) + (set-grafting #f) + (set-guile-for-build (default-guile)) + (system-test-value test)))) + + `((derivation . ,(derivation-file-name drv)) + (description . ,(format #f "GuixSD '~a' system test" + (system-test-name test))) + (long-description . ,(system-test-description test)) + (license . ,gpl3+) + (max-silent-time . 600) + (timeout . 3600) + (home-page . ,%guix-home-page-url) + (maintainers . ("bug-guix@gnu.org"))))) + + (define (->job test) + (let ((name (string->symbol + (string-append "test." (system-test-name test) + "." system)))) + (cons name (test->thunk test)))) + + (if (member system %guixsd-supported-systems) + (map ->job (all-system-tests)) + '())) + +(define (tarball-jobs store system) + "Return Hydra jobs to build the self-contained Guix binary tarball." + (define (->alist drv) + `((derivation . ,(derivation-file-name drv)) + (description . "Stand-alone binary Guix tarball") + (long-description . 
"This is a tarball containing binaries of Guix and +all its dependencies, and ready to be installed on non-GuixSD distributions.") + (license . ,gpl3+) + (home-page . ,%guix-home-page-url) + (maintainers . ("bug-guix@gnu.org")))) + + (define (->job name drv) + (let ((name (symbol-append name (string->symbol ".") + (string->symbol system)))) + `(,name . ,(lambda () + (parameterize ((%graft? #f)) + (->alist drv)))))) + + ;; XXX: Add a job for the stable Guix? + (list (->job 'binary-tarball + (run-with-store store + (mbegin %store-monad + (set-guile-for-build (default-guile)) + (>>= (profile-derivation (packages->manifest (list guix))) + (lambda (profile) + (self-contained-tarball "guix-binary" profile + #:localstatedir? #t + #:compressor + (lookup-compressor "xz"))))) + #:system system)))) + +(define job-name + ;; Return the name of a package's job. + (compose string->symbol + (cut package-full-name <> "-"))) + +(define package->job + (let ((base-packages + (delete-duplicates + (append-map (match-lambda + ((_ package _ ...) + (match (package-transitive-inputs package) + (((_ inputs _ ...) ...) + inputs)))) + (%final-inputs))))) + (lambda (store package system) + "Return a job for PACKAGE on SYSTEM, or #f if this combination is not +valid." + (cond ((member package base-packages) + (package-job store (symbol-append 'base. (job-name package)) + package system)) + ((supported-package? package system) + (let ((drv (package-derivation store package system + #:graft? #f))) + (and (substitutable-derivation? drv) + (package-job store (job-name package) + package system)))) + (else + #f))))) + +(define (all-packages) + "Return the list of packages to build." 
+ (define (adjust package result) + (cond ((package-replacement package) + (cons* package ;build both + (package-replacement package) + result)) + ((package-superseded package) + result) ;don't build it + (else + (cons package result)))) + + (fold-packages adjust + (fold adjust '() ;include base packages + (match (%final-inputs) + (((labels packages _ ...) ...) + packages))) + #:select? (const #t))) ;include hidden packages + +(define (arguments->manifests arguments) + "Return the list of manifests extracted from ARGUMENTS." + (map (match-lambda + ((input-name . relative-path) + (let* ((checkout (assq-ref arguments (string->symbol input-name))) + (base (assq-ref checkout 'file-name))) + (in-vicinity base relative-path)))) + (assq-ref arguments 'manifests))) + +(define (manifests->packages store manifests) + "Return the list of packages found in MANIFESTS." + (define (load-manifest manifest) + (save-module-excursion + (lambda () + (set-current-module (make-user-module '((guix profiles) (gnu)))) + (primitive-load manifest)))) + + (delete-duplicates! + (map manifest-entry-item + (append-map (compose manifest-entries + load-manifest) + manifests)))) + + +;;; +;;; Hydra entry point. +;;; + +(define (hydra-jobs store arguments) + "Return Hydra jobs." + (define subset + (match (assoc-ref arguments 'subset) + ("core" 'core) ; only build core packages + ("hello" 'hello) ; only build hello + (((? string?) (? string?) ...) 'list) ; only build selected list of packages + ("manifests" 'manifests) ; only build packages in the list of manifests + (_ 'all))) ; build everything + + (define systems + (match (assoc-ref arguments 'systems) + (#f %hydra-supported-systems) + ((lst ...) lst) + ((? string? str) (call-with-input-string str read)))) + + (define (cross-jobs system) + (define (from-32-to-64? target) + ;; Return true if SYSTEM is 32-bit and TARGET is 64-bit. This hack + ;; prevents known-to-fail cross-builds from i686-linux or armhf-linux to + ;; mips64el-linux-gnuabi64. 
+ (and (or (string-prefix? "i686-" system) + (string-prefix? "i586-" system) + (string-prefix? "armhf-" system)) + (string-contains target "64"))) ;x86_64, mips64el, aarch64, etc. + + (define (same? target) + ;; Return true if SYSTEM and TARGET are the same thing. This is so we + ;; don't try to cross-compile to 'mips64el-linux-gnu' from + ;; 'mips64el-linux'. + (or (string-contains target system) + (and (string-prefix? "armhf" system) ;armhf-linux + (string-prefix? "arm" target)))) ;arm-linux-gnueabihf + + (define (pointless? target) + ;; Return #t if it makes no sense to cross-build to TARGET from SYSTEM. + (match system + ((or "x86_64-linux" "i686-linux") + (if (string-contains target "mingw") + (not (string=? "x86_64-linux" system)) + #f)) + (_ + ;; Don't try to cross-compile from non-Intel platforms: this isn't + ;; very useful and these are often brittle configurations. + #t))) + + (define (either proc1 proc2 proc3) + (lambda (x) + (or (proc1 x) (proc2 x) (proc3 x)))) + + (append-map (lambda (target) + (map (lambda (package) + (package-cross-job store (job-name package) + package target system)) + %packages-to-cross-build)) + (remove (either from-32-to-64? same? pointless?) + %cross-targets))) + + ;; Turn off grafts. Grafting is meant to happen on the user's machines. + (parameterize ((%graft? #f)) + ;; Return one job for each package, except bootstrap packages. + (append-map (lambda (system) + (format (current-error-port) + "evaluating for '~a' (heap size: ~a MiB)...~%" + system + (round + (/ (assoc-ref (gc-stats) 'heap-size) + (expt 2. 20)))) + (invalidate-derivation-caches!) + (case subset + ((all) + ;; Build everything, including replacements. + (let ((all (all-packages)) + (job (lambda (package) + (package->job store package + system)))) + (append (filter-map job all) + (qemu-jobs store system) + (system-test-jobs store system) + (tarball-jobs store system) + (cross-jobs system)))) + ((core) + ;; Build core packages only. 
+ (append (map (lambda (package) + (package-job store (job-name package) + package system)) + %core-packages) + (cross-jobs system))) + ((hello) + ;; Build hello package only. + (if (string=? system (%current-system)) + (let ((hello (specification->package "hello"))) + (list (package-job store (job-name hello) hello system))) + '())) + ((list) + ;; Build selected list of packages only. + (if (string=? system (%current-system)) + (let* ((names (assoc-ref arguments 'subset)) + (packages (map specification->package names))) + (map (lambda (package) + (package-job store (job-name package) + package system)) + packages)) + '())) + ((manifests) + ;; Build packages in the list of manifests. + (let* ((manifests (arguments->manifests arguments)) + (packages (manifests->packages store manifests))) + (map (lambda (package) + (package-job store (job-name package) + package system)) + packages))) + (else + (error "unknown subset" subset)))) + systems))) diff --git a/gnu/local.mk b/gnu/local.mk index cd0414b41d..6b57f36552 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -551,7 +551,9 @@ GNU_SYSTEM_MODULES = \ %D%/tests/ssh.scm \ %D%/tests/version-control.scm \ %D%/tests/virtualization.scm \ - %D%/tests/web.scm + %D%/tests/web.scm \ + \ + %D%/ci.scm # Modules that do not need to be compiled. MODULES_NOT_COMPILED += \ -- cgit v1.2.3 From c824dedf711dc4aa33e005fa291a3aec58a9e2e2 Mon Sep 17 00:00:00 2001 
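Review bot: In `arguments->manifests` the `relative-path` taken from the `manifests` argument is joined to the checkout directory with `in-vicinity`, and `manifests->packages` then passes the result to `primitive-load`. Whatever file that argument names is therefore evaluated as Scheme inside the evaluator process, and nothing checks that the path stays inside the checkout. This is only sound when the job arguments come from a trusted CI specification, so I would say so above `load-manifest`, e.g. `;; MANIFEST is evaluated as code; ARGUMENTS must come from a trusted CI specification.`, and have `arguments->manifests` reject a `relative-path` containing a `..` component. The `systems` argument parsed with `(call-with-input-string str read)` is also used without checking that the result is a list of strings. The same definitions are removed earlier in this commit, so this is moved code, and the move is a convenient point to document the assumption.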
From: Alex Vong Date: Sat, 5 Jan 2019 23:20:41 +0800 Subject: gnu: libarchive: Replace with libarchive 3.3.3 and fix CVE-2018-{1000877,1000878,1000880}. * gnu/packages/backup.scm (libarchive)[source, home-page]: Use HTTPS. [replacement]: New field. (libarchive-3.3.3): New variable. * gnu/packages/patches/libarchive-CVE-2018-1000877.patch, gnu/packages/patches/libarchive-CVE-2018-1000878.patch, gnu/packages/patches/libarchive-CVE-2018-1000880.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. --- gnu/local.mk | 5 +- gnu/packages/backup.scm | 22 +++++- .../patches/libarchive-CVE-2018-1000877.patch | 45 +++++++++++ .../patches/libarchive-CVE-2018-1000878.patch | 86 ++++++++++++++++++++++ .../patches/libarchive-CVE-2018-1000880.patch | 51 +++++++++++++ 5 files changed, 206 insertions(+), 3 deletions(-) create mode 100644 gnu/packages/patches/libarchive-CVE-2018-1000877.patch create mode 100644 gnu/packages/patches/libarchive-CVE-2018-1000878.patch create mode 100644 gnu/packages/patches/libarchive-CVE-2018-1000880.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 6b57f36552..36d0ca541b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -9,7 +9,7 @@ # Copyright © 2016 Adonay "adfeno" Felipe Nogueira # Copyright © 2016, 2017, 2018 Ricardo Wurmus # Copyright © 2016 Ben Woodcroft -# Copyright © 2016, 2017, 2018 Alex Vong +# Copyright © 2016, 2017, 2018, 2019 Alex Vong # Copyright © 2016, 2017 Efraim Flashner # Copyright © 2016, 2017 Jan Nieuwenhuizen # Copyright © 2017 Tobias Geerinckx-Rice 
@@ -879,6 +879,9 @@ dist_patch_DATA = \ %D%/packages/patches/liba52-use-mtune-not-mcpu.patch \ %D%/packages/patches/libarchive-CVE-2017-14166.patch \ %D%/packages/patches/libarchive-CVE-2017-14502.patch \ + %D%/packages/patches/libarchive-CVE-2018-1000877.patch \ + %D%/packages/patches/libarchive-CVE-2018-1000878.patch \ + %D%/packages/patches/libarchive-CVE-2018-1000880.patch \ %D%/packages/patches/libbase-fix-includes.patch \ %D%/packages/patches/libbase-use-own-logging.patch \ %D%/packages/patches/libbonobo-activation-test-race.patch \ diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm index a9d8286702..4a8355f2b1 100644 --- a/gnu/packages/backup.scm +++ b/gnu/packages/backup.scm @@ -12,6 +12,7 @@ ;;; Copyright © 2018 Mark H Weaver ;;; Copyright © 2018 Oleg Pykhalov ;;; Copyright © 2018 Ricardo Wurmus +;;; Copyright © 2019 Alex Vong ;;; ;;; This file is part of GNU Guix. ;;; @@ -194,11 +195,12 @@ backups (called chunks) to allow easy burning to CD/DVD.") (define-public libarchive (package (name "libarchive") + (replacement libarchive-3.3.3) (version "3.3.2") (source (origin (method url-fetch) - (uri (string-append "http://libarchive.org/downloads/libarchive-" + (uri (string-append "https://libarchive.org/downloads/libarchive-" version ".tar.gz")) (patches (search-patches "libarchive-CVE-2017-14166.patch" "libarchive-CVE-2017-14502.patch")) @@ -258,7 +260,7 @@ backups (called chunks) to allow easy burning to CD/DVD.") ;; libarchive/test/test_write_format_gnutar_filenames.c needs to be ;; compiled with C99 or C11 or a gnu variant. #:configure-flags '("CFLAGS=-O2 -g -std=c99"))) - (home-page "http://libarchive.org/") + (home-page "https://libarchive.org/") (synopsis "Multi-format archive and compression library") (description "Libarchive provides a flexible interface for reading and writing 
@@ -270,6 +272,22 @@ archive. In particular, note that there is currently no built-in support for random access nor for in-place modification.") (license license:bsd-2))) +(define-public libarchive-3.3.3 + (package + (inherit libarchive) + (version "3.3.3") + (source + (origin + (method url-fetch) + (uri (string-append "https://libarchive.org/downloads/libarchive-" + version ".tar.gz")) + (patches (search-patches "libarchive-CVE-2018-1000877.patch" + "libarchive-CVE-2018-1000878.patch" + "libarchive-CVE-2018-1000880.patch")) + (sha256 + (base32 + "0bhfncid058p7n1n8v29l6wxm3mhdqfassscihbsxfwz3iwb2zms")))))) + (define-public rdup (package (name "rdup") diff --git a/gnu/packages/patches/libarchive-CVE-2018-1000877.patch b/gnu/packages/patches/libarchive-CVE-2018-1000877.patch new file mode 100644 index 0000000000..5b68884a0f --- /dev/null +++ b/gnu/packages/patches/libarchive-CVE-2018-1000877.patch 
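Review bot: `libarchive-3.3.3` defines a fresh `origin`, so its `patches` list replaces the inherited one and `libarchive-CVE-2017-14166.patch` and `libarchive-CVE-2017-14502.patch` are no longer applied to the replacement. Presumably the 3.3.3 release already contains both fixes, but nothing in the hunk records that. A comment above the `patches` field would make the omission visibly deliberate, e.g. `;; The CVE-2017-14166 and CVE-2017-14502 fixes are included in this release.`, once that has been confirmed against the upstream history.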
@@ -0,0 +1,45 @@
+Fix CVE-2018-1000877:
+
+https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
+https://github.com/libarchive/libarchive/pull/1105
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000877
+https://security-tracker.debian.org/tracker/CVE-2018-1000877
+
+Patch copied from upstream source repository:
+
+https://github.com/libarchive/libarchive/commit/021efa522ad729ff0f5806c4ce53e4a6cc1daa31
+
+From 021efa522ad729ff0f5806c4ce53e4a6cc1daa31 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens
+Date: Tue, 20 Nov 2018 17:56:29 +1100
+Subject: [PATCH] Avoid a double-free when a window size of 0 is specified
+
+new_size can be 0 with a malicious or corrupted RAR archive.
+
+realloc(area, 0) is equivalent to free(area), so the region would
+be free()d here and the free()d again in the cleanup function.
+
+Found with a setup running AFL, afl-rb, and qsym.
+---
+ libarchive/archive_read_support_format_rar.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 23452222..6f419c27 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -2300,6 +2300,11 @@ parse_codes(struct archive_read *a)
+ new_size = DICTIONARY_MAX_SIZE;
+ else
+ new_size = rar_fls((unsigned int)rar->unp_size) << 1;
++ if (new_size == 0) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Zero window size is invalid.");
++ return (ARCHIVE_FATAL);
++ }
+ new_window = realloc(rar->lzss.window, new_size);
+ if (new_window == NULL) {
+ archive_set_error(&a->archive, ENOMEM,
+--
+2.20.1
+
diff --git a/gnu/packages/patches/libarchive-CVE-2018-1000878.patch b/gnu/packages/patches/libarchive-CVE-2018-1000878.patch
new file mode 100644
index 0000000000..fef0881320
--- /dev/null
+++ b/gnu/packages/patches/libarchive-CVE-2018-1000878.patch
@@ -0,0 +1,86 @@
+Fix CVE-2018-1000878:
+
+https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
+https://github.com/libarchive/libarchive/pull/1105
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000878
+https://security-tracker.debian.org/tracker/CVE-2018-1000878
+
+Patch copied from upstream source repository:
+
+https://github.com/libarchive/libarchive/commit/bfcfe6f04ed20db2504db8a254d1f40a1d84eb28
+
+From bfcfe6f04ed20db2504db8a254d1f40a1d84eb28 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens
+Date: Tue, 4 Dec 2018 00:55:22 +1100
+Subject: [PATCH] rar: file split across multi-part archives must match
+
+Fuzzing uncovered some UAF and memory overrun bugs where a file in a
+single file archive reported that it was split across multiple
+volumes. This was caused by ppmd7 operations calling
+rar_br_fillup. This would invoke rar_read_ahead, which would in some
+situations invoke archive_read_format_rar_read_header. That would
+check the new file name against the old file name, and if they didn't
+match up it would free the ppmd7 buffer and allocate a new
+one. However, because the ppmd7 decoder wasn't actually done with the
+buffer, it would continue to used the freed buffer. Both reads and
+writes to the freed region can be observed.
+
+This is quite tricky to solve: once the buffer has been freed it is
+too late, as the ppmd7 decoder functions almost universally assume
+success - there's no way for ppmd_read to signal error, nor are there
+good ways for functions like Range_Normalise to propagate them. So we
+can't detect after the fact that we're in an invalid state - e.g. by
+checking rar->cursor, we have to prevent ourselves from ever ending up
+there. So, when we are in the dangerous part or rar_read_ahead that
+assumes a valid split, we set a flag force read_header to either go
+down the path for split files or bail. This means that the ppmd7
+decoder keeps a valid buffer and just runs out of data.
+
+Found with a combination of AFL, afl-rb and qsym.
+---
+ libarchive/archive_read_support_format_rar.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 6f419c27..a8cc5c94 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -258,6 +258,7 @@ struct rar
+ struct data_block_offsets *dbo;
+ unsigned int cursor;
+ unsigned int nodes;
++ char filename_must_match;
+
+ /* LZSS members */
+ struct huffman_code maincode;
+@@ -1560,6 +1561,12 @@ read_header(struct archive_read *a, struct archive_entry *entry,
+ }
+ return ret;
+ }
++ else if (rar->filename_must_match)
++ {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Mismatch of file parts split across multi-volume archive");
++ return (ARCHIVE_FATAL);
++ }
+
+ rar->filename_save = (char*)realloc(rar->filename_save,
+ filename_size + 1);
+@@ -2933,12 +2940,14 @@ rar_read_ahead(struct archive_read *a, size_t min, ssize_t *avail)
+ else if (*avail == 0 && rar->main_flags & MHD_VOLUME &&
+ rar->file_flags & FHD_SPLIT_AFTER)
+ {
++ rar->filename_must_match = 1;
+ ret = archive_read_format_rar_read_header(a, a->entry);
+ if (ret == (ARCHIVE_EOF))
+ {
+ rar->has_endarc_header = 1;
+ ret = archive_read_format_rar_read_header(a, a->entry);
+ }
++ rar->filename_must_match = 0;
+ if (ret != (ARCHIVE_OK))
+ return NULL;
+ return rar_read_ahead(a, min, avail);
+--
+2.20.1
+
diff --git a/gnu/packages/patches/libarchive-CVE-2018-1000880.patch b/gnu/packages/patches/libarchive-CVE-2018-1000880.patch
new file mode 100644
index 0000000000..6834cabda0
--- /dev/null
+++ b/gnu/packages/patches/libarchive-CVE-2018-1000880.patch
@@ -0,0 +1,51 @@
+Fix CVE-2018-1000880:
+
+https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
+https://github.com/libarchive/libarchive/pull/1105
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000880
+https://security-tracker.debian.org/tracker/CVE-2018-1000880
+
+Patch copied from upstream source repository:
+
+https://github.com/libarchive/libarchive/commit/9c84b7426660c09c18cc349f6d70b5f8168b5680
+
+From 9c84b7426660c09c18cc349f6d70b5f8168b5680 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens
+Date: Tue, 4 Dec 2018 16:33:42 +1100
+Subject: [PATCH] warc: consume data once read
+
+The warc decoder only used read ahead, it wouldn't actually consume
+data that had previously been printed. This means that if you specify
+an invalid content length, it will just reprint the same data over
+and over and over again until it hits the desired length.
+
+This means that a WARC resource with e.g.
+Content-Length: 666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666665
+but only a few hundred bytes of data, causes a quasi-infinite loop.
+
+Consume data in subsequent calls to _warc_read.
+
+Found with an AFL + afl-rb + qsym setup.
+---
+ libarchive/archive_read_support_format_warc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_warc.c b/libarchive/archive_read_support_format_warc.c
+index e8753853..e8fc8428 100644
+--- a/libarchive/archive_read_support_format_warc.c
++++ b/libarchive/archive_read_support_format_warc.c
+@@ -386,6 +386,11 @@ _warc_read(struct archive_read *a, const void **buf, size_t *bsz, int64_t *off)
+ return (ARCHIVE_EOF);
+ }
+
++ if (w->unconsumed) {
++ __archive_read_consume(a, w->unconsumed);
++ w->unconsumed = 0U;
++ }
++
+ rab = __archive_read_ahead(a, 1U, &nrd);
+ if (nrd < 0) {
+ *bsz = 0U;
+--
+2.20.1
+
-- cgit v1.2.3 From 4d674b4143b91834554809e5f43edfe117dee79b Mon Sep 17 00:00:00 2001
From: Manolis Ragkousis Date: Fri, 4 Jan 2019 21:37:04 +0200 Subject: gnu: Add jose. * gnu/packages/jose.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. --- gnu/local.mk | 1 + gnu/packages/jose.scm | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 gnu/packages/jose.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 36d0ca541b..9dabacb3de 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -244,6 +244,7 @@ GNU_SYSTEM_MODULES = \ %D%/packages/javascript.scm \ %D%/packages/jemalloc.scm \ %D%/packages/jrnl.scm \ + %D%/packages/jose.scm \ %D%/packages/julia.scm \ %D%/packages/kde.scm \ %D%/packages/kde-frameworks.scm \ diff --git a/gnu/packages/jose.scm b/gnu/packages/jose.scm new file mode 100644 index 0000000000..52f1fc80ec --- /dev/null +++ b/gnu/packages/jose.scm 
@@ -0,0 +1,51 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2018 Manolis Fragkiskos Ragkousis
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see .
+
+(define-module (gnu packages jose)
+ #:use-module ((guix licenses) #:prefix license:)
+ #:use-module (guix packages)
+ #:use-module (guix download)
+ #:use-module (guix utils)
+ #:use-module (guix build-system gnu)
+ #:use-module (gnu packages pkg-config)
+ #:use-module (gnu packages web)
+ #:use-module (gnu packages compression)
+ #:use-module (gnu packages tls))
+
+(define-public jose
+ (package
+ (name "jose")
+ (version "10")
+ (source (origin
+ (method url-fetch)
+ (uri
+ (string-append "https://github.com/latchset/jose/releases/download/v10/jose-"
+ version ".tar.bz2"))
+ (sha256
+ (base32
+ "0wndxz3jqxfxnv5396da3kc1say7442m7mwk2dw9ykawagxxr72w"))))
+ (native-inputs `(("pkg-config" ,pkg-config)))
+ (inputs `(("jansson" ,jansson)
+ ("zlib" ,zlib)
+ ("libcrypto" ,openssl)))
+ (build-system gnu-build-system)
+ (home-page "https://github.com/latchset/jose")
+ (synopsis "Object Signing and Encryption")
+ (description "C-language implementation of Javascript Object Signing and
+Encryption")
+ (license license:asl2.0)))
-- cgit v1.2.3 From 41a010875ba4108e666f11fc111cf5bb5dcf5464 Mon Sep 17 00:00:00 2001
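Review bot: The `uri` in the `jose` origin hard-codes the release directory as `v10` while the tarball name is built from `version`, so the two can drift apart on the next update. Bumping only `version` would request a `jose-N.tar.bz2` under the `v10` release; the `sha256` check still protects the content, but the fetch is wrong by construction. Building both parts from the field avoids that: `(string-append "https://github.com/latchset/jose/releases/download/v" version "/jose-" version ".tar.bz2")`. The description would also read better as a full sentence ending in a period, with "JavaScript" capitalised.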
From: Jelle Licht Date: Mon, 7 Jan 2019 15:27:39 +0100 Subject: gnu: biber: Update to 2.12. * gnu/packages/tex.scm (biber): Update to 2.12. [source]: Use 'git-fetch'. Add patch. [inputs]: Add perl-file-slurper. Remove perl-file-slurp. * gnu/packages/patches/biber-fix-encoding-write.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + .../patches/biber-fix-encoding-write.patch | 31 ++++++++++++++++++++++ gnu/packages/tex.scm | 18 ++++++++----- 3 files changed, 43 insertions(+), 7 deletions(-) create mode 100644 gnu/packages/patches/biber-fix-encoding-write.patch (limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 9dabacb3de..bc54b61c21 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -604,6 +604,7 @@ dist_patch_DATA = \
 %D%/packages/patches/bazaar-CVE-2017-14176.patch \
 %D%/packages/patches/beets-python-3.7-fix.patch \
 %D%/packages/patches/beignet-correct-file-names.patch \
+ %D%/packages/patches/biber-fix-encoding-write.patch \
 %D%/packages/patches/binutils-loongson-workaround.patch \
 %D%/packages/patches/blast+-fix-makefile.patch \
 %D%/packages/patches/blender-newer-ffmpeg.patch \
diff --git a/gnu/packages/patches/biber-fix-encoding-write.patch b/gnu/packages/patches/biber-fix-encoding-write.patch
new file mode 100644
index 0000000000..56cd11212e
--- /dev/null
+++ b/gnu/packages/patches/biber-fix-encoding-write.patch
@@ -0,0 +1,31 @@
+From 2a9b15aefb842a734637f3d230936ea1b7c60096 Mon Sep 17 00:00:00 2001
+From: Philip Kime
+Date: Thu, 8 Nov 2018 22:02:09 +0100
+Subject: [PATCH] Fix to address #239
+
+---
+ lib/Biber.pm | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/Biber.pm b/lib/Biber.pm
+index 8b1f80a5..d97fca29 100644
+--- a/lib/Biber.pm
++++ b/lib/Biber.pm
+@@ -311,6 +311,8 @@ sub parse_ctrlfile {
+ unless (eval {$checkbuf = File::Slurper::read_text($ctrl_file_path, 'latin1')}) {
+ biber_error("$ctrl_file_path is not UTF-8 or even latin1, how horrible.");
+ }
++ # Write ctrl file as UTF-8
++ File::Slurper::write_text($ctrl_file_path, NFC($checkbuf));# Unicode NFC boundary
+ }
+
+ $checkbuf = NFD($checkbuf);# Unicode NFD boundary
+@@ -319,8 +321,6 @@ sub parse_ctrlfile {
+ unlink($output) unless $output eq '-';# ignore deletion of STDOUT marker
+ biber_error("$ctrl_file_path is malformed, last biblatex run probably failed. Deleted $output");
+ }
+- # Write ctrl file as UTF-8
+- File::Slurper::write_text($ctrl_file_path, NFC($checkbuf));# Unicode NFC boundary
+
+ # Validate if asked to
+ if (Biber::Config->getoption('validate_control')) {
diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scm
index 765f6aa849..3bfde1d714 100644
--- a/gnu/packages/tex.scm
+++ b/gnu/packages/tex.scm
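Review bot: The moved `File::Slurper::write_text` call now runs directly after the `unless (eval {...}) { biber_error(...) }` block, so it relies on `biber_error` never returning, which the hunk does not show. If it can return, the control file may be rewritten in place from a `$checkbuf` that the latin1 read never filled. A guard such as `File::Slurper::write_text($ctrl_file_path, NFC($checkbuf)) if defined $checkbuf;` keeps the branch safe either way. `parse_ctrlfile` starts and ends outside the hunk, and since this looks like a copy of an upstream commit the change would be proposed upstream. Separately, the patch file has no leading comment naming its origin and purpose, which would help whoever has to decide when to drop it.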
@@ -4219,15 +4219,19 @@ values (strings, macros, or numbers) pasted together.")
 (define-public biber
 (package
 (name "biber")
- (version "2.7")
+ (version "2.12")
 (source (origin
- (method url-fetch)
- (uri (string-append "https://github.com/plk/biber/archive/v"
- version ".tar.gz"))
- (file-name (string-append name "-" version ".tar.gz"))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/plk/biber/")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ ;; TODO: Patch awaiting inclusion upstream (see:
+ ;; https://github.com/plk/biber/issues/239).
+ (patches (search-patches "biber-fix-encoding-write.patch"))
 (sha256
 (base32
- "17wd80jg98qyddhvz4cin8779ycvppaf2va77r1lyvymjz6w9bx0"))))
+ "1g1hi6zvf2hmrjly1sidjaxy5440gfqm4p7p3n7kayshnjsmlskx"))))
 (build-system perl-build-system)
 (arguments
 `(#:phases
@@ -4249,7 +4253,7 @@ values (strings, macros, or numbers) pasted together.")
 ("perl-data-uniqid" ,perl-data-uniqid)
 ("perl-datetime-format-builder" ,perl-datetime-format-builder)
 ("perl-datetime-calendar-julian" ,perl-datetime-calendar-julian)
- ("perl-file-slurp" ,perl-file-slurp)
+ ("perl-file-slurper" ,perl-file-slurper)
 ("perl-ipc-cmd" ,perl-ipc-cmd)
 ("perl-ipc-run3" ,perl-ipc-run3)
 ("perl-list-allutils" ,perl-list-allutils)
-- cgit v1.2.3
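Review bot: The TODO comment above `patches` in the first hunk says the patch is "awaiting inclusion upstream", but the patch file added in this commit carries a commit hash and author header, which suggests it is already an upstream commit that the `v2.12` tag simply predates. If that is the case, the comment should state the removal condition instead, for example `;; TODO: Remove this patch once a release newer than 2.12 includes it (see:` followed by the existing issue URL line. That tells the next person updating `version` what to check before dropping the patch.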