From 53d26163c6ec1a1c48a1ec775e67b739b9005270 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Wed, 29 Nov 2017 23:05:54 +0100 Subject: gnu: libgit2: Avoid dependency on cURL. This reduces the closure size from 225 MiB to 80 MiB, while still supporting HTTP(S) access. * gnu/packages/version-control.scm (libgit2)[source](modules, snippet): New fields. [inputs]: Remove CURL; add HTTP-PARSER. --- gnu/packages/version-control.scm | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'gnu/packages/version-control.scm') diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index 9de660f090..21ea90be72 100644 --- a/gnu/packages/version-control.scm +++ b/gnu/packages/version-control.scm @@ -370,7 +370,11 @@ everything from small to very large projects with speed and efficiency.") (sha256 (base32 "1b3figbhp5l83vd37vq6j2narrq4yl9pfw6mw0px0dzb1hz3jqka")) - (patches (search-patches "libgit2-0.25.1-mtime-0.patch")))) + (patches (search-patches "libgit2-0.25.1-mtime-0.patch")) + + ;; Remove bundled software. + (snippet '(delete-file-recursively "deps")) + (modules '((guix build utils))))) (build-system cmake-build-system) (outputs '("out" "debug")) (arguments @@ -390,7 +394,7 @@ everything from small to very large projects with speed and efficiency.") (lambda _ (zero? (system* "./libgit2_clar" "-v" "-Q"))))))) (inputs `(("libssh2" ,libssh2) - ("libcurl" ,curl) + ("http-parser" ,http-parser) ("python" ,python-wrapper))) (native-inputs `(("pkg-config" ,pkg-config))) -- cgit v1.2.3 From c03ba83c17c91e34e811a909fae0f63aab701ff9 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Fri, 1 Dec 2017 10:45:39 +0100 Subject: gnu: git: Run tests sequentially. Fixes . Reported by George myglc2 Clemmer . * gnu/packages/version-control.scm (git)[arguments]: Add #:parallel-tests?. --- gnu/packages/version-control.scm | 3 +++ 1 file changed, 3 insertions(+) (limited to 'gnu/packages/version-control.scm') 
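Review bot: Nothing in the inputs hunk shows which TLS library backs HTTPS once libcurl is gone: only `libssh2`, `http-parser` and `python-wrapper` are listed, so the OpenSSL that libgit2's own HTTPS stream needs presumably arrives through another input (libssh2 may propagate it) — worth confirming from the CMake configure output that a TLS backend is actually detected rather than the library silently building HTTP-only. If I recall correctly, in the 0.25/0.26 series libgit2 implemented HTTP proxy support only through cURL, so this change also drops proxy support, which "still supporting HTTP(S) access" in the message does not mention; a comment next to the new input, `;; Without cURL, HTTPS uses libgit2's OpenSSL stream and proxies are unsupported.`, would record that trade-off for the next updater. The `snippet` that deletes `deps` is the right way to guarantee the bundled copies cannot be picked up silently when a system library is missing. The `libgit2` package definition begins and ends outside both hunks.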
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index 21ea90be72..22b296f4a0 100644 --- a/gnu/packages/version-control.scm +++ b/gnu/packages/version-control.scm @@ -188,6 +188,9 @@ as well as the classic centralized workflow.") "NO_INSTALL_HARDLINKS=indeed") #:test-target "test" + ;; Tests fail randomly when parallel: . + #:parallel-tests? #f + ;; The explicit --with-tcltk forces the build system to hardcode the ;; absolute file name to 'wish'. #:configure-flags (list (string-append "--with-tcltk=" -- cgit v1.2.3 From 3d0ffa6cae4dd66e0994888c9510fef5652aeb96 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Sat, 2 Dec 2017 15:46:40 +0100 Subject: gnu: git: Update to 2.15.1. * gnu/packages/version-control.scm (git): Update to 2.15.1. --- gnu/packages/version-control.scm | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'gnu/packages/version-control.scm') diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index 22b296f4a0..f7550cb5c8 100644 --- a/gnu/packages/version-control.scm +++ b/gnu/packages/version-control.scm @@ -130,14 +130,14 @@ as well as the classic centralized workflow.") (name "git") ;; XXX When updating Git, check if the special 'git:src' input to cgit needs ;; to be updated as well. - (version "2.15.0") + (version "2.15.1") (source (origin (method url-fetch) (uri (string-append "mirror://kernel.org/software/scm/git/git-" version ".tar.xz")) (sha256 (base32 - "0siyxg1ppg6szjp8xp37zfq1fj97kbdxpigi3asmidqhkx41cw8h")))) + "0p04linqdywdf7m1hqa904fzqvgzplsxlzdqrn96j1j5gpyr174r")))) (build-system gnu-build-system) (native-inputs `(("native-perl" ,perl) 
@@ -149,9 +149,8 @@ as well as the classic centralized workflow.") "mirror://kernel.org/software/scm/git/git-manpages-" version ".tar.xz")) (sha256 - (base32 - "0xqwfg9xz5nw3ifaki87ahbz0xk5zmkgqs0ig357pxwh2i20kb92")))))) + "0mi609plzqqwx271hr9m5j4syggqx255bbzml6ca9j5fadywysvc")))))) (inputs `(("curl" ,curl) ("expat" ,expat) -- cgit v1.2.3 From c7699ebeb4233d81f294ff7e8b8eb3676119ae4a Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Mon, 4 Dec 2017 16:33:59 +0100 Subject: gnu: git: Remove unreliable git-svn tests. Reported in by Mark H Weaver . * gnu/packages/version-control.scm (git)[arguments]: In 'patch-tests' phase, delete three git-svn tests. --- gnu/packages/version-control.scm | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'gnu/packages/version-control.scm') diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index f7550cb5c8..ba985f6078 100644 --- a/gnu/packages/version-control.scm +++ b/gnu/packages/version-control.scm @@ -245,6 +245,13 @@ as well as the classic centralized workflow.") ;; FIXME: Some hooks fail with "basename: command not found". ;; See 't/trash directory.t9164.../svn-hook.log'. (delete-file "t/t9164-git-svn-dcommit-concurrent.sh") + + ;; XXX: These tests fail intermittently for unknown reasons: + ;; . + (for-each delete-file + '("t/t9128-git-svn-cmd-branch.sh" + "t/t9167-git-svn-cmd-branch-subproject.sh" + "t/t9141-git-svn-multiple-branches.sh")) #t)) (add-after 'install 'install-shell-completion (lambda* (#:key outputs #:allow-other-keys) -- cgit v1.2.3 From 982caeab6f33ac7956e97c86426177b5d90cf180 Mon Sep 17 00:00:00 2001 
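Review bot: The new git-manpages hash on the `+` line is no longer wrapped in `(base32 ...)`: the hunk removes both the `(base32` line and the old hash but adds only a bare string, while the source tarball hash updated in the previous hunk keeps its `(base32` wrapper. Unless the origin record's `sha256` field accepts a raw base32 string (I do not believe it did at this point), building the manpages origin will fail, and with one opening paren removed but the same six closing parens the expression also looks unbalanced — the collapsed rendering may have lost a character, so verify against the file. The line should presumably read `(base32 "0mi609plzqqwx271hr9m5j4syggqx255bbzml6ca9j5fadywysvc")` with the closing parens adjusted to match. The `git` package definition begins and ends outside the hunk.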
From: Leo Famulari Date: Fri, 1 Dec 2017 13:13:18 -0500 Subject: gnu: bazaar: Fix CVE-2017-14176. * gnu/packages/patches/bazaar-CVE-2017-14176.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/version-control.scm (bazaar)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/patches/bazaar-CVE-2017-14176.patch | 166 +++++++++++++++++++++++ gnu/packages/version-control.scm | 1 + 3 files changed, 168 insertions(+) create mode 100644 gnu/packages/patches/bazaar-CVE-2017-14176.patch (limited to 'gnu/packages/version-control.scm') diff --git a/gnu/local.mk b/gnu/local.mk index 434bbb016a..36bee31d83 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -552,6 +552,7 @@ dist_patch_DATA = \ %D%/packages/patches/awesome-reproducible-png.patch \ %D%/packages/patches/azr3.patch \ %D%/packages/patches/bash-completion-directories.patch \ + %D%/packages/patches/bazaar-CVE-2017-14176.patch \ %D%/packages/patches/bcftools-regidx-unsigned-char.patch \ %D%/packages/patches/binutils-ld-new-dtags.patch \ %D%/packages/patches/binutils-loongson-workaround.patch \ diff --git a/gnu/packages/patches/bazaar-CVE-2017-14176.patch b/gnu/packages/patches/bazaar-CVE-2017-14176.patch new file mode 100644 index 0000000000..0e9083b97d --- /dev/null +++ b/gnu/packages/patches/bazaar-CVE-2017-14176.patch 
@@ -0,0 +1,166 @@ +Fix CVE-2017-14176: + +https://bugs.launchpad.net/bzr/+bug/1710979 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176 + +Patch copied from Debian's Bazaar package version bzr_2.7.0+bzr6619-7+deb9u1: + +https://alioth.debian.org/scm/loggerhead/pkg-bazaar/bzr/2.7/revision/4204 + +Description: Prevent SSH command line options from being specified in bzr+ssh:// URLs +Bug: https://bugs.launchpad.net/brz/+bug/1710979 +Bug-Debian: https://bugs.debian.org/874429 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14176 +Forwarded: no +Author: Jelmer Vernooij +Last-Update: 2017-11-26 + +=== modified file 'bzrlib/tests/test_ssh_transport.py' +--- old/bzrlib/tests/test_ssh_transport.py 2010-10-07 12:45:51 +0000 ++++ new/bzrlib/tests/test_ssh_transport.py 2017-08-20 01:59:20 +0000 +@@ -22,6 +22,7 @@ + SSHCorpSubprocessVendor, + LSHSubprocessVendor, + SSHVendorManager, ++ StrangeHostname, + ) + + +@@ -161,6 +162,19 @@ + + class SubprocessVendorsTests(TestCase): + ++ def test_openssh_command_tricked(self): ++ vendor = OpenSSHSubprocessVendor() ++ self.assertEqual( ++ vendor._get_vendor_specific_argv( ++ "user", "-oProxyCommand=blah", 100, command=["bzr"]), ++ ["ssh", "-oForwardX11=no", "-oForwardAgent=no", ++ "-oClearAllForwardings=yes", ++ "-oNoHostAuthenticationForLocalhost=yes", ++ "-p", "100", ++ "-l", "user", ++ "--", ++ "-oProxyCommand=blah", "bzr"]) ++ + def test_openssh_command_arguments(self): + vendor = OpenSSHSubprocessVendor() + self.assertEqual( +@@ -171,6 +185,7 @@ + "-oNoHostAuthenticationForLocalhost=yes", + "-p", "100", + "-l", "user", ++ "--", + "host", "bzr"] + ) + +@@ -184,9 +199,16 @@ + "-oNoHostAuthenticationForLocalhost=yes", + "-p", "100", + "-l", "user", +- "-s", "host", "sftp"] ++ "-s", "--", "host", "sftp"] + ) + ++ def test_openssh_command_tricked(self): ++ vendor = SSHCorpSubprocessVendor() ++ self.assertRaises( ++ StrangeHostname, ++ vendor._get_vendor_specific_argv, ++ "user", 
"-oProxyCommand=host", 100, command=["bzr"]) ++ + def test_sshcorp_command_arguments(self): + vendor = SSHCorpSubprocessVendor() + self.assertEqual( +@@ -209,6 +231,13 @@ + "-s", "sftp", "host"] + ) + ++ def test_lsh_command_tricked(self): ++ vendor = LSHSubprocessVendor() ++ self.assertRaises( ++ StrangeHostname, ++ vendor._get_vendor_specific_argv, ++ "user", "-oProxyCommand=host", 100, command=["bzr"]) ++ + def test_lsh_command_arguments(self): + vendor = LSHSubprocessVendor() + self.assertEqual( +@@ -231,6 +260,13 @@ + "--subsystem", "sftp", "host"] + ) + ++ def test_plink_command_tricked(self): ++ vendor = PLinkSubprocessVendor() ++ self.assertRaises( ++ StrangeHostname, ++ vendor._get_vendor_specific_argv, ++ "user", "-oProxyCommand=host", 100, command=["bzr"]) ++ + def test_plink_command_arguments(self): + vendor = PLinkSubprocessVendor() + self.assertEqual( + +=== modified file 'bzrlib/transport/ssh.py' +--- old/bzrlib/transport/ssh.py 2015-07-31 01:04:41 +0000 ++++ new/bzrlib/transport/ssh.py 2017-08-20 01:59:20 +0000 +@@ -46,6 +46,10 @@ + from paramiko.sftp_client import SFTPClient + + ++class StrangeHostname(errors.BzrError): ++ _fmt = "Refusing to connect to strange SSH hostname %(hostname)s" ++ ++ + SYSTEM_HOSTKEYS = {} + BZR_HOSTKEYS = {} + +@@ -360,6 +364,11 @@ + # tests, but beware of using PIPE which may hang due to not being read. + _stderr_target = None + ++ @staticmethod ++ def _check_hostname(arg): ++ if arg.startswith('-'): ++ raise StrangeHostname(hostname=arg) ++ + def _connect(self, argv): + # Attempt to make a socketpair to use as stdin/stdout for the SSH + # subprocess. 
We prefer sockets to pipes because they support +@@ -424,9 +433,9 @@ + if username is not None: + args.extend(['-l', username]) + if subsystem is not None: +- args.extend(['-s', host, subsystem]) ++ args.extend(['-s', '--', host, subsystem]) + else: +- args.extend([host] + command) ++ args.extend(['--', host] + command) + return args + + register_ssh_vendor('openssh', OpenSSHSubprocessVendor()) +@@ -439,6 +448,7 @@ + + def _get_vendor_specific_argv(self, username, host, port, subsystem=None, + command=None): ++ self._check_hostname(host) + args = [self.executable_path, '-x'] + if port is not None: + args.extend(['-p', str(port)]) +@@ -460,6 +470,7 @@ + + def _get_vendor_specific_argv(self, username, host, port, subsystem=None, + command=None): ++ self._check_hostname(host) + args = [self.executable_path] + if port is not None: + args.extend(['-p', str(port)]) +@@ -481,6 +492,7 @@ + + def _get_vendor_specific_argv(self, username, host, port, subsystem=None, + command=None): ++ self._check_hostname(host) + args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch'] + if port is not None: + args.extend(['-P', str(port)]) + diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index ba985f6078..a41ddf8da3 100644 --- a/gnu/packages/version-control.scm +++ b/gnu/packages/version-control.scm @@ -98,6 +98,7 @@ (uri (string-append "https://launchpad.net/bzr/" (version-major+minor version) "/" version "/+download/bzr-" version ".tar.gz")) + (patches (search-patches "bazaar-CVE-2017-14176.patch")) (sha256 (base32 "1cysix5k3wa6y7jjck3ckq3abls4gvz570s0v0hxv805nwki4i8d")))) -- cgit v1.2.3
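Review bot: The test file in the added patch defines `test_openssh_command_tricked` twice inside `SubprocessVendorsTests` — first for `OpenSSHSubprocessVendor`, expecting the `--` separator, then again for `SSHCorpSubprocessVendor`, expecting `StrangeHostname` — so the second definition replaces the first at class-creation time and the OpenSSH `--` path, the only vendor that does not go through `_check_hostname`, is never exercised. The second one should be `def test_sshcorp_command_tricked(self):`, matching the `test_lsh_command_tricked` and `test_plink_command_tricked` names used for the other vendors. Since this is a vendored Debian patch, the rename is best carried as a local follow-up hunk in the same file so the test actually covers the fix. A short comment on `_check_hostname`, such as `# Vendors whose client has no '--' end-of-options marker refuse hostnames that would parse as options.`, would make clear why the two defences differ per vendor. The `_get_vendor_specific_argv` methods that gain the check start and end outside the shown hunks of the embedded patch.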