Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch66
-rw-r--r--gnu/packages/patches/exiv2-CVE-2017-14860.patch48
-rw-r--r--gnu/packages/patches/http-parser-CVE-2020-8287.patch75
-rw-r--r--gnu/packages/patches/http-parser-fix-assertion-on-armhf.patch39
-rw-r--r--gnu/packages/patches/lrzip-CVE-2017-8842.patch23
-rw-r--r--gnu/packages/patches/mupdf-CVE-2021-3407.patch51
-rw-r--r--gnu/packages/patches/openscad-parser-boost-1.72.patch26
-rw-r--r--gnu/packages/patches/openssh-fix-ssh-copy-id.patch38
-rw-r--r--gnu/packages/patches/python-2.7-CVE-2021-3177.patch157
-rw-r--r--gnu/packages/patches/python-3.8-CVE-2021-3177.patch194
-rw-r--r--gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch31
-rw-r--r--gnu/packages/patches/qemu-CVE-2021-20203.patch172
-rw-r--r--gnu/packages/patches/retroarch-LIBRETRO_DIRECTORY.patch32
-rw-r--r--gnu/packages/patches/retroarch-disable-online-updater.patch41
-rw-r--r--gnu/packages/patches/ruby-rack-ignore-failing-test.patch13
-rw-r--r--gnu/packages/patches/ruby-rubocop-break-dependency-cycle.patch101
-rw-r--r--gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch13
-rw-r--r--gnu/packages/patches/screen-CVE-2021-26937.patch66
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch50
19 files changed, 828 insertions, 408 deletions
diff --git a/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch
deleted file mode 100644
index 69e65aeb6b..0000000000
--- a/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-Fix CVE-2017-14859, CVE-2017-14862 and CVE-2017-14864.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864
-
-Copied from upstream:
-
-https://github.com/Exiv2/exiv2/commit/8a586c74bbe3fbca64e86e42a42282c73f427607
-
-From 8a586c74bbe3fbca64e86e42a42282c73f427607 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
-Date: Sat, 7 Oct 2017 23:08:36 +0200
-Subject: [PATCH] Fix for CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859
-
-The invalid memory dereference in
-Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read()
-is caused further up the call-stack, by
-v->read(pData, size, byteOrder) in TiffReader::readTiffEntry()
-passing an invalid pData pointer (pData points outside of the Tiff
-file). pData can be set out of bounds in the (size > 4) branch where
-baseOffset() and offset are added to pData_ without checking whether
-the result is still in the file. As offset comes from an untrusted
-source, an attacker can craft an arbitrarily large offset into the
-file.
-
-This commit adds a check into the problematic branch, whether the
-result of the addition would be out of bounds of the Tiff
-file. Furthermore the whole operation is checked for possible
-overflows.
----
- src/tiffvisitor.cpp | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp
-index 4ab733d4..ef13542e 100644
---- a/src/tiffvisitor.cpp
-+++ b/src/tiffvisitor.cpp
-@@ -47,6 +47,7 @@ EXIV2_RCSID("@(#) $Id$")
- #include <iostream>
- #include <iomanip>
- #include <cassert>
-+#include <limits>
-
- // *****************************************************************************
- namespace {
-@@ -1517,7 +1518,19 @@ namespace Exiv2 {
- size = 0;
- }
- if (size > 4) {
-+ // setting pData to pData_ + baseOffset() + offset can result in pData pointing to invalid memory,
-+ // as offset can be arbitrarily large
-+ if ((static_cast<uintptr_t>(baseOffset()) > std::numeric_limits<uintptr_t>::max() - static_cast<uintptr_t>(offset))
-+ || (static_cast<uintptr_t>(baseOffset() + offset) > std::numeric_limits<uintptr_t>::max() - reinterpret_cast<uintptr_t>(pData_)))
-+ {
-+ throw Error(59);
-+ }
-+ if (pData_ + static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset) > pLast_) {
-+ throw Error(58);
-+ }
- pData = const_cast<byte*>(pData_) + baseOffset() + offset;
-+
-+ // check for size being invalid
- if (size > static_cast<uint32_t>(pLast_ - pData)) {
- #ifndef SUPPRESS_WARNINGS
- EXV_ERROR << "Upper boundary of data for "
diff --git a/gnu/packages/patches/exiv2-CVE-2017-14860.patch b/gnu/packages/patches/exiv2-CVE-2017-14860.patch
deleted file mode 100644
index 43e6076b71..0000000000
--- a/gnu/packages/patches/exiv2-CVE-2017-14860.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Fix CVE-2017-14860.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860
-https://nvd.nist.gov/vuln/detail/CVE-2017-14860
-
-Copied from upstream:
-
-https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce
-
-From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
-Date: Fri, 6 Oct 2017 23:09:08 +0200
-Subject: [PATCH] Fix for CVE-2017-14860
-
-A heap buffer overflow could occur in memcpy when icc.size_ is larger
-than data.size_ - pad, as then memcpy would read out of bounds of data.
-
-This commit adds a sanity check to iccLength (= icc.size_): if it is
-larger than data.size_ - pad (i.e. an overflow would be caused) an
-exception is thrown.
-
-This fixes #71.
----
- src/jp2image.cpp | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/jp2image.cpp b/src/jp2image.cpp
-index 747145cf..748d39b5 100644
---- a/src/jp2image.cpp
-+++ b/src/jp2image.cpp
-@@ -269,10 +269,15 @@ namespace Exiv2
- std::cout << "Exiv2::Jp2Image::readMetadata: "
- << "Color data found" << std::endl;
- #endif
-- long pad = 3 ; // 3 padding bytes 2 0 0
-+ const long pad = 3 ; // 3 padding bytes 2 0 0
- DataBuf data(subBox.length+8);
- io_->read(data.pData_,data.size_);
-- long iccLength = getULong(data.pData_+pad, bigEndian);
-+ const long iccLength = getULong(data.pData_+pad, bigEndian);
-+ // subtracting pad from data.size_ is safe:
-+ // size_ is at least 8 and pad = 3
-+ if (iccLength > data.size_ - pad) {
-+ throw Error(58);
-+ }
- DataBuf icc(iccLength);
- ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
- #ifdef DEBUG
diff --git a/gnu/packages/patches/http-parser-CVE-2020-8287.patch b/gnu/packages/patches/http-parser-CVE-2020-8287.patch
new file mode 100644
index 0000000000..580f773099
--- /dev/null
+++ b/gnu/packages/patches/http-parser-CVE-2020-8287.patch
@@ -0,0 +1,75 @@
+From fc70ce08f5818a286fb5899a1bc3aff5965a745e Mon Sep 17 00:00:00 2001
+From: Fedor Indutny <fedor@indutny.com>
+Date: Wed, 18 Nov 2020 20:50:21 -0800
+Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding`
+
+Duplicate `Transfer-Encoding` header should be a treated as a single,
+but with original header values concatenated with a comma separator. In
+the light of this, even if the past `Transfer-Encoding` ended with
+`chunked`, we should be not let the `F_CHUNKED` to leak into the next
+header, because mere presence of another header indicates that `chunked`
+is not the last transfer-encoding token.
+
+CVE-ID: CVE-2020-8287
+PR-URL: https://github.com/nodejs-private/node-private/pull/235
+Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
+---
+ http_parser.c | 7 +++++++
+ test.c | 26 ++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/http_parser.c b/http_parser.c
+index 9be003e7322..e9b2b9e83b9 100644
+--- a/http_parser.c
++++ b/http_parser.c
+@@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser,
+ } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
+ parser->header_state = h_transfer_encoding;
+ parser->uses_transfer_encoding = 1;
++
++ /* Multiple `Transfer-Encoding` headers should be treated as
++ * one, but with values separate by a comma.
++ *
++ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
++ */
++ parser->flags &= ~F_CHUNKED;
+ }
+ break;
+
+diff --git a/test.c b/test.c
+index 3f7c77b3494..2e5a9ebd678 100644
+--- a/test.c
++++ b/test.c
+@@ -2154,6 +2154,32 @@ const struct message responses[] =
+ ,.body= "2\r\nOK\r\n0\r\n\r\n"
+ ,.num_chunks_complete= 0
+ }
++#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30
++, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding"
++ ,.type= HTTP_RESPONSE
++ ,.raw= "HTTP/1.1 200 OK\r\n"
++ "Transfer-Encoding: chunked\r\n"
++ "Transfer-Encoding: identity\r\n"
++ "\r\n"
++ "2\r\n"
++ "OK\r\n"
++ "0\r\n"
++ "\r\n"
++ ,.should_keep_alive= FALSE
++ ,.message_complete_on_eof= TRUE
++ ,.http_major= 1
++ ,.http_minor= 1
++ ,.status_code= 200
++ ,.response_status= "OK"
++ ,.content_length= -1
++ ,.num_headers= 2
++ ,.headers=
++ { { "Transfer-Encoding", "chunked" }
++ , { "Transfer-Encoding", "identity" }
++ }
++ ,.body= "2\r\nOK\r\n0\r\n\r\n"
++ ,.num_chunks_complete= 0
++ }
+ };
+
+ /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so
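Review bot: The patch file opens directly with the `From fc70ce08…` mail header and has no provenance lines, and its only origin reference, `PR-URL: https://github.com/nodejs-private/node-private/pull/235`, names what appears to be a private repository that a later auditor cannot open. A short header above the mail header would make the fix traceable, for example `Fix CVE-2020-8287.` followed by `Patch taken from: <public upstream commit URL>`. The top-level `http_parser.c` and `test.c` paths suggest the diff was adapted for the standalone library, and if so the header should say that too. The added test entry covers only a response with duplicate `Transfer-Encoding`; whether a request case is exercised elsewhere in test.c is not visible here.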
diff --git a/gnu/packages/patches/http-parser-fix-assertion-on-armhf.patch b/gnu/packages/patches/http-parser-fix-assertion-on-armhf.patch
deleted file mode 100644
index 79bd3e8dbc..0000000000
--- a/gnu/packages/patches/http-parser-fix-assertion-on-armhf.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Tobias Geerinckx-Rice <me@tobias.gr>
-Date: Wed, 20 May 2020 19:17:13 +0200
-Subject: [PATCH] gnu: http-client: Fix assertion on armhf-linux.
-
-Copied verbatim from [0] to fix guix pull[1] on ARM systems.
-
-[0]: https://github.com/nodejs/http-parser/pull/510
-[1]: https://issues.guix.gnu.org/40604
-
-From 0e5868aebb9eb92b078d27bb2774c2154dc167e2 Mon Sep 17 00:00:00 2001
-From: Ben Noordhuis <info@bnoordhuis.nl>
-Date: Thu, 30 Apr 2020 11:22:50 +0200
-Subject: [PATCH] Fix sizeof(http_parser) assert
-
-The result should be 32 on both 32 bits and 64 bits architectures
-because of struct padding.
-
-Fixes: https://github.com/nodejs/http-parser/issues/507
----
- test.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/test.c b/test.c
-index 7983424..f60a84f 100644
---- a/test.c
-+++ b/test.c
-@@ -4220,8 +4220,11 @@ main (void)
- patch = version & 255;
- printf("http_parser v%u.%u.%u (0x%06lx)\n", major, minor, patch, version);
-
-+ /* Should be 32 on both 32 bits and 64 bits architectures because of
-+ * struct padding, see https://github.com/nodejs/http-parser/issues/507.
-+ */
- printf("sizeof(http_parser) = %u\n", (unsigned int)sizeof(http_parser));
-- assert(sizeof(http_parser) == 4 + 4 + 8 + 2 + 2 + 4 + sizeof(void *));
-+ assert(sizeof(http_parser) == 32);
-
- //// API
- test_preserve_data();
diff --git a/gnu/packages/patches/lrzip-CVE-2017-8842.patch b/gnu/packages/patches/lrzip-CVE-2017-8842.patch
deleted file mode 100644
index 89b4f2f5d9..0000000000
--- a/gnu/packages/patches/lrzip-CVE-2017-8842.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 38386bd482c0a8102a79958cb3eddcb97a167ca3 Mon Sep 17 00:00:00 2001
-From: Con Kolivas <kernel@kolivas.org>
-Date: Fri, 9 Mar 2018 17:39:40 +1100
-Subject: [PATCH] CVE-2017-8842 Fix divide-by-zero in bufRead::get
-
----
- libzpaq/libzpaq.h | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libzpaq/libzpaq.h b/libzpaq/libzpaq.h
-index 93387da..cbe211d 100644
---- a/libzpaq/libzpaq.h
-+++ b/libzpaq/libzpaq.h
-@@ -465,7 +465,8 @@ struct bufRead: public libzpaq::Reader {
-
- int get() {
- if (progress && !(*s_len % 128)) {
-- int pct = (total_len - *s_len) * 100 / total_len;
-+ int pct = (total_len > 0) ?
-+ (total_len - *s_len) * 100 / total_len : 100;
-
- if (pct / 10 != *last_pct / 10) {
- int i;
diff --git a/gnu/packages/patches/mupdf-CVE-2021-3407.patch b/gnu/packages/patches/mupdf-CVE-2021-3407.patch
new file mode 100644
index 0000000000..9f901517c5
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2021-3407.patch
@@ -0,0 +1,51 @@
+This patch came from https://git.ghostscript.com/?p=mupdf.git;a=patch;h=cee7cefc610d42fd383b3c80c12cbc675443176a
+and fixes CVE-2021-3407.
+
+From cee7cefc610d42fd383b3c80c12cbc675443176a Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Fri, 22 Jan 2021 17:05:15 +0000
+Subject: [PATCH] Bug 703366: Fix double free of object during linearization.
+
+This appears to happen because we parse an illegal object from
+a broken file and assign it to object 0, which is defined to
+be free.
+
+Here, we fix the parsing code so this can't happen.
+---
+ source/pdf/pdf-parse.c | 6 ++++++
+ source/pdf/pdf-xref.c | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
+index 7abc8c3d4..5761c3351 100644
+--- a/source/pdf/pdf-parse.c
++++ b/source/pdf/pdf-parse.c
+@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
+ fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num);
+ }
+ gen = buf->i;
++ if (gen < 0 || gen >= 65536)
++ {
++ if (try_repair)
++ *try_repair = 1;
++ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen);
++ }
+
+ tok = pdf_lex(ctx, file, buf);
+ if (tok != PDF_TOK_OBJ)
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 1b2bdcd59..30197b4b8 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ {
+ ofs = fz_tell(ctx, doc->file);
+ trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL);
++ if (num == 0)
++ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n");
+ }
+ fz_catch(ctx)
+ {
+--
+2.17.1
+
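Review bot: The `num == 0` rejection is added only at the `pdf_read_new_xref` call site in pdf-xref.c, while `pdf_parse_ind_obj` itself gains only the generation-number range check, so any other caller that stores the parsed object under its number could still accept object 0. Other callers are not visible in this patch, so this is worth confirming against the mupdf version being packaged before treating it as the complete fix for CVE-2021-3407. A comment at the new check such as `/* Object 0 is defined to be free, so a trailer must not claim it. */` would record why the number is rejected. The `fz_catch` body runs past the hunk, so whether `trailer` is dropped when the new `fz_throw` fires cannot be checked from here.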
diff --git a/gnu/packages/patches/openscad-parser-boost-1.72.patch b/gnu/packages/patches/openscad-parser-boost-1.72.patch
deleted file mode 100644
index 35311e6173..0000000000
--- a/gnu/packages/patches/openscad-parser-boost-1.72.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-https://github.com/openscad/openscad/commit/b6c170cc5d.patch
-
-From b6c170cc5dd1bc677176ee732cdb0ddae57e5cf0 Mon Sep 17 00:00:00 2001
-From: Jan Beich <jbeich@FreeBSD.org>
-Date: Fri, 25 Oct 2019 15:10:26 +0000
-Subject: [PATCH] Add missing header bootlegged by Boost < 1.72
-
-src/parser.y:76:6: error: no template named 'stack' in namespace 'std'
-std::stack<LocalScope *> scope_stack;
-~~~~~^
----
- src/parser.y | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/parser.y b/src/parser.y
-index 7f4fd56ca7..4c77c989ea 100644
---- a/src/parser.y
-+++ b/src/parser.y
-@@ -46,6 +46,7 @@
- #include "printutils.h"
- #include "memory.h"
- #include <sstream>
-+#include <stack>
- #include <boost/filesystem.hpp>
- #include "boost-utils.h"
- #include "feature.h"
diff --git a/gnu/packages/patches/openssh-fix-ssh-copy-id.patch b/gnu/packages/patches/openssh-fix-ssh-copy-id.patch
deleted file mode 100644
index 6adba639a3..0000000000
--- a/gnu/packages/patches/openssh-fix-ssh-copy-id.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Fix a bug where ssh-copy-id would fail with "EOF: command not found":
-
-https://github.com/openssh/openssh-portable/pull/206
-
-Patch copied from upstream source repository:
-
-https://github.com/openssh/openssh-portable/commit/d9e727dcc04a52caaac87543ea1d230e9e6b5604
-
-From d9e727dcc04a52caaac87543ea1d230e9e6b5604 Mon Sep 17 00:00:00 2001
-From: Oleg <Fallmay@users.noreply.github.com>
-Date: Thu, 1 Oct 2020 12:09:08 +0300
-Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
-
----
- contrib/ssh-copy-id | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
-index 392f64f94..a76907717 100644
---- a/contrib/ssh-copy-id
-+++ b/contrib/ssh-copy-id
-@@ -247,7 +247,7 @@ installkeys_sh() {
- # the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
- # the cat adds the keys we're getting via STDIN
- # and if available restorecon is used to restore the SELinux context
-- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
-+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
- cd;
- umask 077;
- mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
-@@ -258,6 +258,7 @@ installkeys_sh() {
- restorecon -F .ssh ${AUTH_KEY_FILE};
- fi
- EOF
-+ )
-
- # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
- printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
diff --git a/gnu/packages/patches/python-2.7-CVE-2021-3177.patch b/gnu/packages/patches/python-2.7-CVE-2021-3177.patch
new file mode 100644
index 0000000000..9f2032ad4a
--- /dev/null
+++ b/gnu/packages/patches/python-2.7-CVE-2021-3177.patch
@@ -0,0 +1,157 @@
+Fix CVE-2021-3177 for Python 2.7:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177
+
+Patch copied from Debian:
+
+https://salsa.debian.org/cpython-team/python2/-/blob/e54f3303884f1362f3311ec36f070b40603dd76e/debian/patches/CVE-2021-3177.diff
+
+bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs.
+--- a/Lib/ctypes/test/test_parameters.py
++++ b/Lib/ctypes/test/test_parameters.py
+@@ -206,6 +206,49 @@ class SimpleTypesTestCase(unittest.TestC
+ with self.assertRaises(ZeroDivisionError):
+ WorseStruct().__setstate__({}, b'foo')
+
++ def test_parameter_repr(self):
++ from ctypes import (
++ c_bool,
++ c_char,
++ c_wchar,
++ c_byte,
++ c_ubyte,
++ c_short,
++ c_ushort,
++ c_int,
++ c_uint,
++ c_long,
++ c_ulong,
++ c_longlong,
++ c_ulonglong,
++ c_float,
++ c_double,
++ c_longdouble,
++ c_char_p,
++ c_wchar_p,
++ c_void_p,
++ )
++ self.assertRegexpMatches(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$")
++ self.assertEqual(repr(c_char.from_param('a')), "<cparam 'c' (a)>")
++ self.assertRegexpMatches(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$")
++ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>")
++ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>")
++ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>")
++ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>")
++ self.assertRegexpMatches(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
++ self.assertRegexpMatches(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
++ self.assertRegexpMatches(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
++ self.assertRegexpMatches(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
++ self.assertRegexpMatches(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$")
++ self.assertRegexpMatches(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$")
++ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>")
++ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>")
++ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>")
++ self.assertRegexpMatches(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$")
++ self.assertRegexpMatches(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$")
++ self.assertRegexpMatches(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$")
++ self.assertRegexpMatches(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$")
++
+ ################################################################
+
+ if __name__ == '__main__':
+--- a/Modules/_ctypes/callproc.c
++++ b/Modules/_ctypes/callproc.c
+@@ -460,50 +460,53 @@ PyCArg_dealloc(PyCArgObject *self)
+ static PyObject *
+ PyCArg_repr(PyCArgObject *self)
+ {
+- char buffer[256];
+ switch(self->tag) {
+ case 'b':
+ case 'B':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyString_FromFormat("<cparam '%c' (%d)>",
+ self->tag, self->value.b);
+- break;
+ case 'h':
+ case 'H':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyString_FromFormat("<cparam '%c' (%d)>",
+ self->tag, self->value.h);
+- break;
+ case 'i':
+ case 'I':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyString_FromFormat("<cparam '%c' (%d)>",
+ self->tag, self->value.i);
+- break;
+ case 'l':
+ case 'L':
+- sprintf(buffer, "<cparam '%c' (%ld)>",
++ return PyString_FromFormat("<cparam '%c' (%ld)>",
+ self->tag, self->value.l);
+- break;
+
+ #ifdef HAVE_LONG_LONG
+ case 'q':
+ case 'Q':
+- sprintf(buffer,
+- "<cparam '%c' (%" PY_FORMAT_LONG_LONG "d)>",
++ return PyString_FromFormat("<cparam '%c' (%" PY_FORMAT_LONG_LONG "d)>",
+ self->tag, self->value.q);
+- break;
+ #endif
+ case 'd':
+- sprintf(buffer, "<cparam '%c' (%f)>",
+- self->tag, self->value.d);
+- break;
+- case 'f':
+- sprintf(buffer, "<cparam '%c' (%f)>",
+- self->tag, self->value.f);
+- break;
++ case 'f': {
++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d);
++ if (f == NULL) {
++ return NULL;
++ }
++ PyObject *r = PyObject_Repr(f);
++ Py_DECREF(f);
++ if (r == NULL) {
++ return NULL;
++ }
++ char *value = PyString_AsString(r);
++ if (value == NULL) {
++ return NULL;
++ }
++ PyObject *result = PyString_FromFormat("<cparam '%c' (%s)>", self->tag, value);
++ Py_DECREF(r);
++ return result;
++ }
+
+ case 'c':
+- sprintf(buffer, "<cparam '%c' (%c)>",
++ return PyString_FromFormat("<cparam '%c' (%c)>",
+ self->tag, self->value.c);
+- break;
+
+ /* Hm, are these 'z' and 'Z' codes useful at all?
+ Shouldn't they be replaced by the functionality of c_string
+@@ -512,16 +515,13 @@ PyCArg_repr(PyCArgObject *self)
+ case 'z':
+ case 'Z':
+ case 'P':
+- sprintf(buffer, "<cparam '%c' (%p)>",
++ return PyString_FromFormat("<cparam '%c' (%p)>",
+ self->tag, self->value.p);
+- break;
+
+ default:
+- sprintf(buffer, "<cparam '%c' at %p>",
++ return PyString_FromFormat("<cparam '%c' at %p>",
+ self->tag, self);
+- break;
+ }
+- return PyString_FromString(buffer);
+ }
+
+ static PyMemberDef PyCArgType_members[] = {
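Review bot: In the new `case 'd': case 'f':` block of `PyCArg_repr`, the `value == NULL` branch returns without releasing `r`, so the repr string leaks a reference on that error path; it should read `if (value == NULL) { Py_DECREF(r); return NULL; }`. The failure is unlikely in practice because `PyObject_Repr` is expected to yield a str here, but the other two error paths in the block leave nothing behind and this one should match. The block also declares `r`, `value` and `result` after statements, which may matter if this 2.7 tree is ever built in strict C89 mode.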
diff --git a/gnu/packages/patches/python-3.8-CVE-2021-3177.patch b/gnu/packages/patches/python-3.8-CVE-2021-3177.patch
new file mode 100644
index 0000000000..01f6b52865
--- /dev/null
+++ b/gnu/packages/patches/python-3.8-CVE-2021-3177.patch
@@ -0,0 +1,194 @@
+Fix CVE-2021-3177 for Python 3.8:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177
+
+Patch copied from upstream source repository:
+
+https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f
+
+From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 18 Jan 2021 13:28:52 -0800
+Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode
+ formatting in ctypes param reprs. (GH-24248)
+
+(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
+
+Co-authored-by: Benjamin Peterson <benjamin@python.org>
+
+Co-authored-by: Benjamin Peterson <benjamin@python.org>
+---
+ Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++
+ .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 +
+ Modules/_ctypes/callproc.c | 51 +++++++------------
+ 3 files changed, 64 insertions(+), 32 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+
+diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py
+index e4c25fd880cef..531894fdec838 100644
+--- a/Lib/ctypes/test/test_parameters.py
++++ b/Lib/ctypes/test/test_parameters.py
+@@ -201,6 +201,49 @@ def __dict__(self):
+ with self.assertRaises(ZeroDivisionError):
+ WorseStruct().__setstate__({}, b'foo')
+
++ def test_parameter_repr(self):
++ from ctypes import (
++ c_bool,
++ c_char,
++ c_wchar,
++ c_byte,
++ c_ubyte,
++ c_short,
++ c_ushort,
++ c_int,
++ c_uint,
++ c_long,
++ c_ulong,
++ c_longlong,
++ c_ulonglong,
++ c_float,
++ c_double,
++ c_longdouble,
++ c_char_p,
++ c_wchar_p,
++ c_void_p,
++ )
++ self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$")
++ self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>")
++ self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$")
++ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>")
++ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>")
++ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>")
++ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>")
++ self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
++ self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
++ self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$")
++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$")
++ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>")
++ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>")
++ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>")
++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$")
++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$")
++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$")
++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$")
++
+ ################################################################
+
+ if __name__ == '__main__':
+#diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+#new file mode 100644
+#index 0000000000000..7df65a156feab
+#--- /dev/null
+#+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+#@@ -0,0 +1,2 @@
+#+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and
+#+:class:`ctypes.c_longdouble` values.
+diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
+index a9b8675cd951b..de75918d49f37 100644
+--- a/Modules/_ctypes/callproc.c
++++ b/Modules/_ctypes/callproc.c
+@@ -484,58 +484,47 @@ is_literal_char(unsigned char c)
+ static PyObject *
+ PyCArg_repr(PyCArgObject *self)
+ {
+- char buffer[256];
+ switch(self->tag) {
+ case 'b':
+ case 'B':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+ self->tag, self->value.b);
+- break;
+ case 'h':
+ case 'H':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+ self->tag, self->value.h);
+- break;
+ case 'i':
+ case 'I':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+ self->tag, self->value.i);
+- break;
+ case 'l':
+ case 'L':
+- sprintf(buffer, "<cparam '%c' (%ld)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%ld)>",
+ self->tag, self->value.l);
+- break;
+
+ case 'q':
+ case 'Q':
+- sprintf(buffer,
+-#ifdef MS_WIN32
+- "<cparam '%c' (%I64d)>",
+-#else
+- "<cparam '%c' (%lld)>",
+-#endif
++ return PyUnicode_FromFormat("<cparam '%c' (%lld)>",
+ self->tag, self->value.q);
+- break;
+ case 'd':
+- sprintf(buffer, "<cparam '%c' (%f)>",
+- self->tag, self->value.d);
+- break;
+- case 'f':
+- sprintf(buffer, "<cparam '%c' (%f)>",
+- self->tag, self->value.f);
+- break;
+-
++ case 'f': {
++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d);
++ if (f == NULL) {
++ return NULL;
++ }
++ PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f);
++ Py_DECREF(f);
++ return result;
++ }
+ case 'c':
+ if (is_literal_char((unsigned char)self->value.c)) {
+- sprintf(buffer, "<cparam '%c' ('%c')>",
++ return PyUnicode_FromFormat("<cparam '%c' ('%c')>",
+ self->tag, self->value.c);
+ }
+ else {
+- sprintf(buffer, "<cparam '%c' ('\\x%02x')>",
++ return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>",
+ self->tag, (unsigned char)self->value.c);
+ }
+- break;
+
+ /* Hm, are these 'z' and 'Z' codes useful at all?
+ Shouldn't they be replaced by the functionality of c_string
+@@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self)
+ case 'z':
+ case 'Z':
+ case 'P':
+- sprintf(buffer, "<cparam '%c' (%p)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%p)>",
+ self->tag, self->value.p);
+ break;
+
+ default:
+ if (is_literal_char((unsigned char)self->tag)) {
+- sprintf(buffer, "<cparam '%c' at %p>",
++ return PyUnicode_FromFormat("<cparam '%c' at %p>",
+ (unsigned char)self->tag, (void *)self);
+ }
+ else {
+- sprintf(buffer, "<cparam 0x%02x at %p>",
++ return PyUnicode_FromFormat("<cparam 0x%02x at %p>",
+ (unsigned char)self->tag, (void *)self);
+ }
+- break;
+ }
+- return PyUnicode_FromString(buffer);
+ }
+
+ static PyMemberDef PyCArgType_members[] = {
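Review bot: The header says the patch was copied from the upstream commit, but the `Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst` hunk has been disabled by prefixing its lines with `#`, and nothing in the file says so or why. The diffstat in the mail header still lists that file and `3 files changed`, so the patch no longer matches its own summary. A header line such as `The Misc/NEWS.d hunk is commented out: <reason>.` would let a later reader verify the remaining hunks against upstream. Separately, a `break;` is left behind after the new `return` in the `'z'`/`'Z'`/`'P'` case; it is unreachable but harmless.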
diff --git a/gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch b/gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch
new file mode 100644
index 0000000000..6f067763b5
--- /dev/null
+++ b/gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch
@@ -0,0 +1,31 @@
+From: Tobias Geerinckx-Rice <me@tobias.gr>
+Date: Tue, 02 Mar 2021 18:04:33 +0100
+Subject: [PATCH] gnu: python-matplotlib: Run under Wayland with GTK3.
+
+Adopted from upstream's fix[0] for
+<https://github.com/matplotlib/matplotlib/issues/19405>.
+
+[0]: https://github.com/liuyun88/matplotlib/commit/3d5000463bd23cb046681220f5511f07743f7d82
+
+---
+diff -Naur a/lib/matplotlib/backends/backend_gtk3.py b/lib/matplotlib/backends/backend_gtk3.py
+--- a/lib/matplotlib/backends/backend_gtk3.py 2019-11-21 23:47:05.000000000 +0100
++++ b/lib/matplotlib/backends/backend_gtk3.py 2021-03-02 18:00:57.479929766 +0100
+@@ -42,11 +42,12 @@
+
+ try:
++ _display = Gdk.Display.get_default()
+ cursord = {
+- cursors.MOVE : Gdk.Cursor.new(Gdk.CursorType.FLEUR),
+- cursors.HAND : Gdk.Cursor.new(Gdk.CursorType.HAND2),
+- cursors.POINTER : Gdk.Cursor.new(Gdk.CursorType.LEFT_PTR),
+- cursors.SELECT_REGION : Gdk.Cursor.new(Gdk.CursorType.TCROSS),
+- cursors.WAIT : Gdk.Cursor.new(Gdk.CursorType.WATCH),
++ cursors.MOVE : Gdk.Cursor.new_from_name(_display, "move"),
++ cursors.HAND : Gdk.Cursor.new_from_name(_display, "pointer"),
++ cursors.POINTER : Gdk.Cursor.new_from_name(_display, "default"),
++ cursors.SELECT_REGION : Gdk.Cursor.new_from_name(_display, "crosshair"),
++ cursors.WAIT : Gdk.Cursor.new_from_name(_display, "wait"),
+ }
+ except TypeError as exc:
+ # Happens when running headless. Convert to ImportError to cooperate with
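Review bot: The provenance link `[0]` points at a commit in the personal fork `liuyun88/matplotlib`, not at the `matplotlib/matplotlib` repository, although the header calls it upstream's fix. Fork commits can be rewritten or deleted, so the header should reference the merged upstream commit or pull request instead, e.g. `[0]: <matplotlib/matplotlib commit or PR URL>`, or say explicitly that the change is not yet merged. In the code, `Gdk.Cursor.new_from_name` is handed whatever `Gdk.Display.get_default()` returns; presumably a headless session yields no display and still ends in the existing `except TypeError` path, but that is worth confirming since the `except` body lies outside the hunk.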
diff --git a/gnu/packages/patches/qemu-CVE-2021-20203.patch b/gnu/packages/patches/qemu-CVE-2021-20203.patch
new file mode 100644
index 0000000000..9d2ceaa649
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2021-20203.patch
@@ -0,0 +1,172 @@
+From mboxrd@z Thu Jan 1 00:00:00 1970
+Return-Path: <SRS0=i+5i=HB=nongnu.org=qemu-devel-bounces+qemu-devel=archiver.kernel.org@kernel.org>
+X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
+ aws-us-west-2-korg-lkml-1.web.codeaurora.org
+X-Spam-Level:
+X-Spam-Status: No, score=-10.8 required=3.0 tests=BAYES_00,DKIM_INVALID,
+ DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH,
+ MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,UNWANTED_LANGUAGE_BODY,
+ URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0
+Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
+ by smtp.lore.kernel.org (Postfix) with ESMTP id 87556C433E0
+ for <qemu-devel@archiver.kernel.org>; Sat, 30 Jan 2021 13:20:40 +0000 (UTC)
+Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
+ (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
+ (No client certificate requested)
+ by mail.kernel.org (Postfix) with ESMTPS id EF26964DE1
+ for <qemu-devel@archiver.kernel.org>; Sat, 30 Jan 2021 13:20:39 +0000 (UTC)
+DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org EF26964DE1
+Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com
+Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
+Received: from localhost ([::1]:42488 helo=lists1p.gnu.org)
+ by lists.gnu.org with esmtp (Exim 4.90_1)
+ (envelope-from <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>)
+ id 1l5qB3-0008CX-02
+ for qemu-devel@archiver.kernel.org; Sat, 30 Jan 2021 08:20:37 -0500
+Received: from eggs.gnu.org ([2001:470:142:3::10]:45174)
+ by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
+ (Exim 4.90_1) (envelope-from <ppandit@redhat.com>)
+ id 1l5q9q-0007ld-1c
+ for qemu-devel@nongnu.org; Sat, 30 Jan 2021 08:19:22 -0500
+Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:42898)
+ by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256)
+ (Exim 4.90_1) (envelope-from <ppandit@redhat.com>)
+ id 1l5q9k-0007Ia-TV
+ for qemu-devel@nongnu.org; Sat, 30 Jan 2021 08:19:21 -0500
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
+ s=mimecast20190719; t=1612012753;
+ h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
+ to:to:cc:cc:mime-version:mime-version:content-type:content-type:
+ content-transfer-encoding:content-transfer-encoding;
+ bh=7vu4z8M+bFjhFzEuAYsQG4i3APx7aMqv7tFxRRO5+8Q=;
+ b=egCsTdgVBnRlHnVN84HsSpNOUl/NkqEnGuv9rRdG2AZ1Fee5ZatpJm5zJ7YUW2HvzB4rtO
+ EaDIKaN1wzf/yHf0CsJ60TPGG3DqQSC/EsTSr2l/GNGq4prDYTXVrS3rXFu9ofByUVvzwU
+ q9Iy1X1Bh3S21m7jXY0AYx4Tu9Ikq9w=
+Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
+ [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
+ us-mta-588-1JF7mzMfP1KpRpNKj4cAWQ-1; Sat, 30 Jan 2021 08:19:08 -0500
+X-MC-Unique: 1JF7mzMfP1KpRpNKj4cAWQ-1
+Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com
+ [10.5.11.22])
+ (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
+ (No client certificate requested)
+ by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8F0F439380;
+ Sat, 30 Jan 2021 13:19:07 +0000 (UTC)
+Received: from localhost.localdomain (unknown [10.33.36.2])
+ by smtp.corp.redhat.com (Postfix) with ESMTPS id 17D581002C11;
+ Sat, 30 Jan 2021 13:19:04 +0000 (UTC)
+From: P J P <ppandit@redhat.com>
+To: Dmitry Fleytman <dmitry.fleytman@gmail.com>
+Subject: [PATCH] net: vmxnet3: validate configuration values during activate
+ (CVE-2021-20203)
+Date: Sat, 30 Jan 2021 18:46:52 +0530
+Message-Id: <20210130131652.954143-1-ppandit@redhat.com>
+MIME-Version: 1.0
+X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
+Authentication-Results: relay.mimecast.com;
+ auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=ppandit@redhat.com
+X-Mimecast-Spam-Score: 0
+X-Mimecast-Originator: redhat.com
+Content-Transfer-Encoding: 8bit
+Content-Type: text/plain; charset="US-ASCII"
+Received-SPF: pass client-ip=63.128.21.124; envelope-from=ppandit@redhat.com;
+ helo=us-smtp-delivery-124.mimecast.com
+X-Spam_score_int: -30
+X-Spam_score: -3.1
+X-Spam_bar: ---
+X-Spam_report: (-3.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.255,
+ DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
+ RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,
+ SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
+X-Spam_action: no action
+X-BeenThere: qemu-devel@nongnu.org
+X-Mailman-Version: 2.1.23
+Precedence: list
+List-Id: <qemu-devel.nongnu.org>
+List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
+ <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
+List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
+List-Post: <mailto:qemu-devel@nongnu.org>
+List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
+List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
+ <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
+Cc: Gaoning Pan <pgn@zju.edu.cn>, QEMU Developers <qemu-devel@nongnu.org>,
+ Prasad J Pandit <pjp@fedoraproject.org>
+Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
+Sender: "Qemu-devel"
+ <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>
+Archived-At: <https://lore.kernel.org/qemu-devel/20210130131652.954143-1-ppandit@redhat.com/>
+List-Archive: <https://lore.kernel.org/qemu-devel/>
+
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+While activating device in vmxnet3_acticate_device(), it does not
+validate guest supplied configuration values against predefined
+minimum - maximum limits. This may lead to integer overflow or
+OOB access issues. Add checks to avoid it.
+
+Fixes: CVE-2021-20203
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913873
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/net/vmxnet3.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index eff299f629..4a910ca971 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ vmxnet3_setup_rx_filtering(s);
+ /* Cache fields from shared memory */
+ s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
+ VMW_CFPRN("MTU is %u", s->mtu);
+
+ s->max_rx_frags =
+@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* Read rings memory locations for TX queues */
+ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
+ size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
++ if (size > VMXNET3_TX_RING_MAX_SIZE) {
++ size = VMXNET3_TX_RING_MAX_SIZE;
++ }
+
+ vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
+ sizeof(struct Vmxnet3_TxDesc), false);
+@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* TXC ring */
+ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
+ size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
++ if (size > VMXNET3_TC_RING_MAX_SIZE) {
++ size = VMXNET3_TC_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
+ sizeof(struct Vmxnet3_TxCompDesc), true);
+ VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
+@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* RX rings */
+ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
+ size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
++ if (size > VMXNET3_RX_RING_MAX_SIZE) {
++ size = VMXNET3_RX_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
+ sizeof(struct Vmxnet3_RxDesc), false);
+ VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
+@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* RXC ring */
+ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
+ size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
++ if (size > VMXNET3_RC_RING_MAX_SIZE) {
++ size = VMXNET3_RC_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
+ sizeof(struct Vmxnet3_RxCompDesc), true);
+ VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
+--
+2.29.2
+
+
+
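Review bot: The MTU check in the first inner hunk is an `assert()` on a value read from guest-shared memory (`devRead.misc.mtu`), so a guest that writes an out-of-range MTU aborts the whole QEMU process instead of having the activation refused. I would treat it as a guest error, e.g. `if (s->mtu < VMXNET3_MIN_MTU || s->mtu > VMXNET3_MAX_MTU) { qemu_log_mask(LOG_GUEST_ERROR, "vmxnet3: bad MTU %u\n", s->mtu); return; }`; the assert's strict `<` against VMXNET3_MAX_MTU is also worth confirming against the intended range. The four ring-size clamps bound `size` only from above, although the description speaks of minimum and maximum limits, so a zero or undersized ring still reaches `vmxnet3_ring_init()`. `vmxnet3_activate_device()` starts and ends outside these hunks, so whether an early return leaves the device in a consistent state has to be checked there.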
diff --git a/gnu/packages/patches/retroarch-LIBRETRO_DIRECTORY.patch b/gnu/packages/patches/retroarch-LIBRETRO_DIRECTORY.patch
new file mode 100644
index 0000000000..30515cbe48
--- /dev/null
+++ b/gnu/packages/patches/retroarch-LIBRETRO_DIRECTORY.patch
@@ -0,0 +1,32 @@
+From f308dc91660954ab88bb41868c0b9809592923e6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= <iyzsong@member.fsf.org>
+Date: Sat, 20 Feb 2021 20:37:39 +0800
+Subject: [PATCH] Allow set libretro_directory via environment variable
+
+---
+ retroarch.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/retroarch.c b/retroarch.c
+index 6a88c3108e..6807c12b5b 100644
+--- a/retroarch.c
++++ b/retroarch.c
+@@ -36038,6 +36038,15 @@ static void retroarch_parse_input_and_config(
+ #endif
+ config_load(&p_rarch->g_extern);
+
++ /* Override settings via environment variables */
++ if (getenv("LIBRETRO_DIRECTORY")) {
++ settings_t *settings = p_rarch->configuration_settings;
++ retroarch_override_setting_set(RARCH_OVERRIDE_SETTING_LIBRETRO_DIRECTORY, NULL);
++ configuration_set_string(settings,
++ settings->paths.directory_libretro,
++ getenv("LIBRETRO_DIRECTORY"));
++ }
++
+ /* Second pass: All other arguments override the config file */
+ optind = 1;
+
+--
+2.30.0
+
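Review bot: The added block calls `getenv("LIBRETRO_DIRECTORY")` twice and accepts an empty value, so `LIBRETRO_DIRECTORY=` would set `settings->paths.directory_libretro` to an empty string and still mark the setting as overridden. Reading it once and testing for content avoids both: `const char *dir = getenv("LIBRETRO_DIRECTORY");` then `if (dir && *dir) {`, passing `dir` to `configuration_set_string()`. The patch description is empty, yet the variable is applied after `config_load()` and so replaces the configured libretro directory (presumably where loadable cores are looked up). A sentence stating that, and why the package needs it, would help anyone auditing the package. `retroarch_parse_input_and_config()` continues outside the hunk.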
diff --git a/gnu/packages/patches/retroarch-disable-online-updater.patch b/gnu/packages/patches/retroarch-disable-online-updater.patch
deleted file mode 100644
index ea74cc5409..0000000000
--- a/gnu/packages/patches/retroarch-disable-online-updater.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Tobias Geerinckx-Rice <me@tobias.gr>
-Date: Fri, 29 Nov 2019 20:32:54 +0100
-Subject: [PATCH]: gnu: retroarch: Disable the on-line updater.
-
-This disables the entire ‘Online Updater’ sub-menu to address
-<http://issues.guix.gnu.org/issue/38360>. Perhaps that is more than is
-necessary.
-
-diff -Naur a/menu/menu_displaylist.c b/menu/menu_displaylist.c
---- a/menu/menu_displaylist.c 1970-01-01 01:00:01.000000000 +0100
-+++ b/menu/menu_displaylist.c 2019-11-29 18:35:27.467948854 +0100
-@@ -8444,11 +8444,6 @@
- MENU_ENUM_LABEL_NETPLAY,
- PARSE_ACTION, false) == 0)
- count++;
-- if (settings->bools.menu_show_online_updater)
-- if (menu_displaylist_parse_settings_enum(info->list,
-- MENU_ENUM_LABEL_ONLINE_UPDATER,
-- PARSE_ACTION, false) == 0)
-- count++;
- if (menu_displaylist_parse_settings_enum(info->list,
- MENU_ENUM_LABEL_SETTINGS, PARSE_ACTION, false) == 0)
- count++;
-diff -Naur retroarch.a/menu/menu_setting.c retroarch.c/menu/menu_setting.c
---- a/menu/menu_setting.c 1970-01-01 01:00:01.000000000 +0100
-+++ b/menu/menu_setting.c 2019-11-29 18:35:35.753957312 +0100
-@@ -7291,14 +7291,6 @@
- &group_info,
- &subgroup_info,
- parent_group);
--
-- CONFIG_ACTION(
-- list, list_info,
-- MENU_ENUM_LABEL_ONLINE_UPDATER,
-- MENU_ENUM_LABEL_VALUE_ONLINE_UPDATER,
-- &group_info,
-- &subgroup_info,
-- parent_group);
- #endif
-
- CONFIG_ACTION(
diff --git a/gnu/packages/patches/ruby-rack-ignore-failing-test.patch b/gnu/packages/patches/ruby-rack-ignore-failing-test.patch
deleted file mode 100644
index f50d68c9c4..0000000000
--- a/gnu/packages/patches/ruby-rack-ignore-failing-test.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/test/spec_server.rb b/test/spec_server.rb
-index a3690bc..16c9536 100644
---- a/test/spec_server.rb
-+++ b/test/spec_server.rb
-@@ -161,7 +161,7 @@ describe Rack::Server do
- it "check pid file presence and not owned process" do
- pidfile = Tempfile.open('pidfile') { |f| f.write(1); break f }.path
- server = Rack::Server.new(:pid => pidfile)
-- server.send(:pidfile_process_status).must_equal :not_owned
-+ #server.send(:pidfile_process_status).must_equal :not_owned
- end
-
- it "not write pid file when it is created after check" do
diff --git a/gnu/packages/patches/ruby-rubocop-break-dependency-cycle.patch b/gnu/packages/patches/ruby-rubocop-break-dependency-cycle.patch
deleted file mode 100644
index 035a98fa33..0000000000
--- a/gnu/packages/patches/ruby-rubocop-break-dependency-cycle.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From ff3f00b7f33332ebf1c3c05abc4a781684775b3c Mon Sep 17 00:00:00 2001
-From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
-Date: Tue, 14 Jul 2020 11:50:12 -0400
-Subject: [PATCH] config: Drop rubocop-performance, rubocop-rspec requirements.
-
-This patch removes Rubocop extensions from Rubocop's closure to break
-a dependency cycle with itself.
-
-* .rubocop.yml: Remove rubocop-performance and rubocop-rspec and their
-corresponding directives.
-* .rubocop_todo.yml: Likewise.
----
- .rubocop.yml | 15 ---------------
- .rubocop_todo.yml | 44 --------------------------------------------
- 2 files changed, 59 deletions(-)
-
-diff --git a/.rubocop.yml b/.rubocop.yml
-index 4f05d5be2..f12ef7c06 100644
---- a/.rubocop.yml
-+++ b/.rubocop.yml
-@@ -3,8 +3,6 @@
- inherit_from: .rubocop_todo.yml
- require:
- - rubocop/cop/internal_affairs
-- - rubocop-performance
-- - rubocop-rspec
-
- AllCops:
- NewCops: enable
-@@ -106,16 +104,3 @@ Metrics/ClassLength:
- Metrics/ModuleLength:
- Exclude:
- - 'spec/**/*.rb'
--
--RSpec/FilePath:
-- Exclude:
-- - spec/rubocop/formatter/junit_formatter_spec.rb
--
--RSpec/PredicateMatcher:
-- EnforcedStyle: explicit
--
--RSpec/MessageSpies:
-- EnforcedStyle: receive
--
--RSpec/NestedGroups:
-- Max: 7
-diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
-index 3f72042d1..fa637cd42 100644
---- a/.rubocop_todo.yml
-+++ b/.rubocop_todo.yml
-@@ -24,47 +24,3 @@ Metrics/MethodLength:
- # Configuration parameters: CountComments.
- Metrics/ModuleLength:
- Max: 132
--
--# Offense count: 10
--RSpec/AnyInstance:
-- Exclude:
-- - 'spec/rubocop/cli_spec.rb'
-- - 'spec/rubocop/cop/lint/duplicate_methods_spec.rb'
-- - 'spec/rubocop/cop/team_spec.rb'
-- - 'spec/rubocop/target_finder_spec.rb'
--
--# Offense count: 981
--# Configuration parameters: Prefixes.
--# Prefixes: when, with, without
--RSpec/ContextWording:
-- Enabled: false
--
--# Offense count: 3810
--# Configuration parameters: Max.
--RSpec/ExampleLength:
-- Enabled: false
--
--# Offense count: 38
--RSpec/ExpectOutput:
-- Exclude:
-- - 'spec/rubocop/cli/cli_auto_gen_config_spec.rb'
-- - 'spec/rubocop/cli/cli_options_spec.rb'
-- - 'spec/rubocop/config_spec.rb'
-- - 'spec/rubocop/cop/cop_spec.rb'
-- - 'spec/rubocop/formatter/disabled_config_formatter_spec.rb'
-- - 'spec/rubocop/formatter/formatter_set_spec.rb'
-- - 'spec/rubocop/options_spec.rb'
-- - 'spec/rubocop/rake_task_spec.rb'
-- - 'spec/rubocop/result_cache_spec.rb'
-- - 'spec/rubocop/target_finder_spec.rb'
--
--# Offense count: 434
--RSpec/MultipleExpectations:
-- Max: 25
--
--# Offense count: 5
--RSpec/SubjectStub:
-- Exclude:
-- - 'spec/rubocop/config_spec.rb'
-- - 'spec/rubocop/formatter/json_formatter_spec.rb'
-- - 'spec/rubocop/formatter/progress_formatter_spec.rb'
---
-2.27.0
-
diff --git a/gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch b/gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch
deleted file mode 100644
index 5d1f04b994..0000000000
--- a/gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/test/tc_definitions.rb b/test/tc_definitions.rb
-index 7b20a3d..75b9798 100644
---- a/test/tc_definitions.rb
-+++ b/test/tc_definitions.rb
-@@ -58,7 +58,7 @@ class TCDefinitions < Minitest::Test
- identifier = $3.to_sym
- is_dst = $4 == '1'
-
-- if utc && local
-+ if utc && local && !line.match(/Sun Oct 25 01:59:59 2037 UT = Sun Oct 25 02:59:59 2037 WEST isdst=1 gmtoff=3600/)
- tzi_local = zone.utc_to_local(utc)
- tzi_period = zone.period_for_utc(utc)
- tzi_identifier = tzi_period.zone_identifier
diff --git a/gnu/packages/patches/screen-CVE-2021-26937.patch b/gnu/packages/patches/screen-CVE-2021-26937.patch
new file mode 100644
index 0000000000..d87a54a83f
--- /dev/null
+++ b/gnu/packages/patches/screen-CVE-2021-26937.patch
@@ -0,0 +1,66 @@
+https://salsa.debian.org/debian/screen/-/raw/debian/4.8.0-5/debian/patches/99_CVE-2021-26937.patch
+
+Description: [CVE-2021-26937] Fix out of bounds array access
+Author: Michael Schröder <mls@suse.de>
+Bug-Debian: https://bugs.debian.org/982435
+Bug: https://savannah.gnu.org/bugs/?60030
+Bug: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
+Bug-OSS-Security: https://www.openwall.com/lists/oss-security/2021/02/09/3
+Origin: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html
+
+--- a/encoding.c
++++ b/encoding.c
+@@ -43,7 +43,7 @@
+ # ifdef UTF8
+ static int recode_char __P((int, int, int));
+ static int recode_char_to_encoding __P((int, int));
+-static void comb_tofront __P((int, int));
++static void comb_tofront __P((int));
+ # ifdef DW_CHARS
+ static int recode_char_dw __P((int, int *, int, int));
+ static int recode_char_dw_to_encoding __P((int, int *, int));
+@@ -1263,6 +1263,8 @@
+ {0x30000, 0x3FFFD},
+ };
+
++ if (c >= 0xdf00 && c <= 0xdfff)
++ return 1; /* dw combining sequence */
+ return ((bisearch(c, wide, sizeof(wide) / sizeof(struct interval) - 1)) ||
+ (cjkwidth &&
+ bisearch(c, ambiguous,
+@@ -1330,11 +1332,12 @@
+ }
+
+ static void
+-comb_tofront(root, i)
+-int root, i;
++comb_tofront(i)
++int i;
+ {
+ for (;;)
+ {
++ int root = i >= 0x700 ? 0x801 : 0x800;
+ debug1("bring to front: %x\n", i);
+ combchars[combchars[i]->prev]->next = combchars[i]->next;
+ combchars[combchars[i]->next]->prev = combchars[i]->prev;
+@@ -1396,9 +1399,9 @@
+ {
+ /* full, recycle old entry */
+ if (c1 >= 0xd800 && c1 < 0xe000)
+- comb_tofront(root, c1 - 0xd800);
++ comb_tofront(c1 - 0xd800);
+ i = combchars[root]->prev;
+- if (c1 == i + 0xd800)
++ if (i == 0x800 || i == 0x801 || c1 == i + 0xd800)
+ {
+ /* completely full, can't recycle */
+ debug("utf8_handle_comp: completely full!\n");
+@@ -1422,7 +1425,7 @@
+ mc->font = (i >> 8) + 0xd8;
+ mc->fontx = 0;
+ debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800);
+- comb_tofront(root, i);
++ comb_tofront(i);
+ }
+
+ #else /* !UTF8 */
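Review bot: The fix hard-codes `0x700`, `0x800` and `0x801` in `comb_tofront()` and again in the "completely full" test, with no comment saying what they are. From the visible code, 0x800 and 0x801 look like the indices of two list heads in `combchars`, selected by whether the entry index is below 0x700. A one-line comment such as `/* 0x800/0x801: list roots for entries below/from 0x700 */` (wording to be confirmed against the rest of encoding.c), or named constants, would make the bounds easier to keep right in later changes. `comb_tofront()` also dereferences `combchars[i]` for any `c1 - 0xd800` without a visible NULL check; whether every slot in that range is guaranteed to be allocated cannot be told from these hunks. All of the patched functions start or end outside the hunks.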
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch b/gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch
new file mode 100644
index 0000000000..1942bb3d55
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch
@@ -0,0 +1,50 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec03f86b..05fd593494ef 100644
+--- a/src/p2p/p2p_pd.c
++++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+ goto out;
+ }
+
++ dev = p2p_get_device(p2p, sa);
+ if (!dev) {
+- dev = p2p_get_device(p2p, sa);
+- if (!dev) {
+- p2p_dbg(p2p,
+- "Provision Discovery device not found "
+- MACSTR, MAC2STR(sa));
+- goto out;
+- }
++ p2p_dbg(p2p,
++ "Provision Discovery device not found "
++ MACSTR, MAC2STR(sa));
++ goto out;
+ }
+ } else if (msg.wfd_subelems) {
+ wpabuf_free(dev->info.wfd_subelems);
+--
+2.25.1
+
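Review bot: The patch file is named for CVE-2021-27803, but its body never mentions the CVE or where the patch was taken from, unlike the screen patch in this same commit, which starts with its origin URL. Adding a short header above the `From` line, for example `Fix CVE-2021-27803.` followed by the upstream advisory or commit URL (`<upstream-commit-or-advisory-URL>`), would let a later auditor match the file to the upstream fix. The code change itself, fetching `dev` again with `p2p_get_device()` so that a stale pointer is not used, is consistent with the description. `p2p_process_prov_disc_req()` extends beyond the hunk.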