From f813750a4aa07797e0120babdd5efbe17f1d3911 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian
Date: Thu, 11 Feb 2021 18:57:38 -0800
Subject: gnu: diffoscope: Update to 166.

* gnu/packages/diffoscope.scm (diffoscope): Update to 166.
[source]: Add patch to use magic.open compatibility interface.
* gnu/packages/patches/diffoscope-revert-to-magic-open.patch: New file.
* gnu/local.mk [dist_patch_DATA]: New patch.
---
 gnu/local.mk | 1 +
 1 file changed, 1 insertion(+)
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 8a31bfef64..d098c04308 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -926,6 +926,7 @@ dist_patch_DATA = \
 %D%/packages/patches/desmume-gcc6-fixes.patch \
 %D%/packages/patches/desmume-gcc7-fixes.patch \
 %D%/packages/patches/dfu-programmer-fix-libusb.patch \
+ %D%/packages/patches/diffoscope-revert-to-magic-open.patch \
 %D%/packages/patches/diffutils-gets-undeclared.patch \
 %D%/packages/patches/dkimproxy-add-ipv6-support.patch \
 %D%/packages/patches/docbook-xsl-nonrecursive-string-subst.patch \
-- cgit v1.2.3
From db6b9d2f4bc59511904e8c1412d0257675c46095 Mon Sep 17 00:00:00 2001
From: Simon South
Date: Sat, 5 Dec 2020 10:27:55 -0500
Subject: services: Add transmission-daemon service.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* gnu/services/file-sharing.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
* po/packages/POTFILES.in: Add it.
* tests/services/file-sharing.scm: New file.
* Makefile.am (SCM_TESTS): Add it.
* doc/guix.texi (File-Sharing Services): New section.
Signed-off-by: 宋文武
---
 Makefile.am | 1 +
 doc/guix.texi | 799 +++++++++++++++++++++++++++++++++++++++
 gnu/local.mk | 1 +
 gnu/services/file-sharing.scm | 804 ++++++++++++++++++++++++++++++++++++++++
 po/packages/POTFILES.in | 1 +
 tests/services/file-sharing.scm | 59 +++
 6 files changed, 1665 insertions(+)
 create mode 100644 gnu/services/file-sharing.scm
 create mode 100644 tests/services/file-sharing.scm
(limited to 'gnu/local.mk')
diff --git a/Makefile.am b/Makefile.am
index 798808bde6..52537fb53d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -475,6 +475,7 @@ SCM_TESTS = \
 tests/scripts.scm \
 tests/search-paths.scm \
 tests/services.scm \
+ tests/services/file-sharing.scm \
 tests/services/linux.scm \
 tests/sets.scm \
 tests/size.scm \
diff --git a/doc/guix.texi b/doc/guix.texi
index 8944f5129d..aba8a6b575 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -14716,6 +14716,7 @@ declaration.
 * Mail Services:: IMAP, POP3, SMTP, and all that.
 * Messaging Services:: Messaging services.
 * Telephony Services:: Telephony services.
+* File-Sharing Services:: File-sharing services.
 * Monitoring Services:: Monitoring services.
 * Kerberos Services:: Kerberos services.
 * LDAP Services:: LDAP services.
@@ -22287,6 +22288,804 @@ If it is set your server will be linked by this host name instead. +@node File-Sharing Services +@subsection File-Sharing Services + +The @code{(gnu services file-sharing)} module provides services that +assist with transferring files over peer-to-peer file-sharing networks. + +@subsubheading Transmission Daemon Service + +@uref{https://transmissionbt.com/, Transmission} is a flexible +BitTorrent client that offers a variety of graphical and command-line +interfaces. A @code{transmission-daemon-service-type} service provides +Transmission's headless variant, @command{transmission-daemon}, as a +system service, allowing users to share files via BitTorrent even when +they are not logged in. + +@deffn {Scheme Variable} transmission-daemon-service-type +The service type for the Transmission Daemon BitTorrent client. Its +value must be a @code{transmission-daemon-configuration} object as in +this example: + +@lisp +(service transmission-daemon-service-type + (transmission-daemon-configuration + ;; Restrict access to the RPC ("control") interface + (rpc-authentication-required? #t) + (rpc-username "transmission") + (rpc-password + (transmission-password-hash + "transmission" ; desired password + "uKd1uMs9")) ; arbitrary salt value + + ;; Accept requests from this and other hosts on the + ;; local network + (rpc-whitelist-enabled? #t) + (rpc-whitelist '("::1" "127.0.0.1" "192.168.0.*")) + + ;; Limit bandwidth use during work hours + (alt-speed-down (* 1024 2)) ; 2 MB/s + (alt-speed-up 512) ; 512 kB/s + + (alt-speed-time-enabled? #t) + (alt-speed-time-day 'weekdays) + (alt-speed-time-begin + (+ (* 60 8) 30)) ; 8:30 am + (alt-speed-time-end + (+ (* 60 (+ 12 5)) 30)))) ; 5:30 pm +@end lisp +@end deffn + +Once the service is started, users can interact with the daemon through +its Web interface (at @code{http://localhost:9091/}) or by using the +@command{transmission-remote} command-line tool, available in the +@code{transmission} package. 
(Emacs users may want to also consider the +@code{emacs-transmission} package.) Both communicate with the daemon +through its remote procedure call (RPC) interface, which by default is +available to all users on the system; you may wish to change this by +assigning values to the @code{rpc-authentication-required?}, +@code{rpc-username} and @code{rpc-password} settings, as shown in the +example above and documented further below. + +The value for @code{rpc-password} must be a password hash of the type +generated and used by Transmission clients. This can be copied verbatim +from an existing @file{settings.json} file, if another Transmission +client is already being used. Otherwise, the +@code{transmission-password-hash} and @code{transmission-random-salt} +procedures provided by this module can be used to obtain a suitable hash +value. + +@deffn {Scheme Procedure} transmission-password-hash @var{password} @var{salt} +Returns a string containing the result of hashing @var{password} +together with @var{salt}, in the format recognized by Transmission +clients for their @code{rpc-password} configuration setting. + +@var{salt} must be an eight-character string. The +@code{transmission-random-salt} procedure can be used to generate a +suitable salt value at random. +@end deffn + +@deffn {Scheme Procedure} transmission-random-salt +Returns a string containing a random, eight-character salt value of the +type generated and used by Transmission clients, suitable for passing to +the @code{transmission-password-hash} procedure. +@end deffn + +These procedures are accessible from within a Guile REPL started with +the @command{guix repl} command (@pxref {Invoking guix repl}). 
This is +useful for obtaining a random salt value to provide as the second +parameter to `transmission-password-hash`, as in this example session: + +@example +$ guix repl +scheme@@(guix-user)> ,use (gnu services file-sharing) +scheme@@(guix-user)> (transmission-random-salt) +$1 = "uKd1uMs9" +@end example + +Alternatively, a complete password hash can generated in a single step: + +@example +scheme@@(guix-user)> (transmission-password-hash "transmission" +(transmission-random-salt)) +$2 = "@{c8bbc6d1740cd8dc819a6e25563b67812c1c19c9VtFPfdsX" +@end example + +The resulting string can be used as-is for the value of +@code{rpc-password}, allowing the password to be kept hidden even in the +operating-system configuration. + +Torrent files downloaded by the daemon are directly accessible only to +users in the ``transmission'' user group, who receive read-only access +to the directory specified by the @code{download-dir} configuration +setting (and also the directory specified by @code{incomplete-dir}, if +@code{incomplete-dir-enabled?} is @code{#t}). Downloaded files can be +moved to another directory or deleted altogether using +@command{transmission-remote} with its @code{--move} and +@code{--remove-and-delete} options. + +If the @code{watch-dir-enabled?} setting is set to @code{#t}, users in +the ``transmission'' group are able also to place @file{.torrent} files +in the directory specified by @code{watch-dir} to have the corresponding +torrents added by the daemon. (The @code{trash-original-torrent-files?} +setting controls whether the daemon deletes these files after processing +them.) + +Some of the daemon's configuration settings can be changed temporarily +by @command{transmission-remote} and similar tools. 
To undo these +changes, use the service's @code{reload} action to have the daemon +reload its settings from disk: + +@example +# herd reload transmission-daemon +@end example + +The full set of available configuration settings is defined by the +@code{transmission-daemon-configuration} data type. + +@deftp {Data Type} transmission-daemon-configuration +The data type representing configuration settings for Transmission +Daemon. These correspond directly to the settings recognized by +Transmission clients in their @file{settings.json} file. +@end deftp + +@c The following documentation was initially generated by +@c (generate-transmission-daemon-documentation) in (gnu services +@c file-sharing). Manually maintained documentation is better, so we +@c shouldn't hesitate to edit below as needed. However if the change +@c you want to make to this documentation can be done in an automated +@c way, it's probably easier to change (generate-documentation) than to +@c make it below and have to deal with the churn as Transmission Daemon +@c updates. + +@c %start of fragment + +Available @code{transmission-daemon-configuration} fields are: + +@deftypevr {@code{transmission-daemon-configuration} parameter} package transmission +The Transmission package to use. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer stop-wait-period +The period, in seconds, to wait when stopping the service for +@command{transmission-daemon} to exit before killing its process. This +allows the daemon time to complete its housekeeping and send a final +update to trackers as it shuts down. On slow hosts, or hosts with a +slow network connection, this value may need to be increased. + +Defaults to @samp{10}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} string download-dir +The directory to which torrent files are downloaded. + +Defaults to @samp{"/var/lib/transmission-daemon/downloads"}. 
+ +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean incomplete-dir-enabled? +If @code{#t}, files will be held in @code{incomplete-dir} while their +torrent is being downloaded, then moved to @code{download-dir} once the +torrent is complete. Otherwise, files for all torrents (including those +still being downloaded) will be placed in @code{download-dir}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string incomplete-dir +The directory in which files from incompletely downloaded torrents will +be held when @code{incomplete-dir-enabled?} is @code{#t}. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} umask umask +The file mode creation mask used for downloaded files. (See the +@command{umask} man page for more information.) + +Defaults to @samp{18}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean rename-partial-files? +When @code{#t}, ``.part'' is appended to the name of partially +downloaded files. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} preallocation-mode preallocation +The mode by which space should be preallocated for downloaded files, one +of @code{none}, @code{fast} (or @code{sparse}) and @code{full}. +Specifying @code{full} will minimize disk fragmentation at a cost to +file-creation speed. + +Defaults to @samp{fast}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean watch-dir-enabled? +If @code{#t}, the directory specified by @code{watch-dir} will be +watched for new @file{.torrent} files and the torrents they describe +added automatically (and the original files removed, if +@code{trash-original-torrent-files?} is @code{#t}). + +Defaults to @samp{#f}. 
+ +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string watch-dir +The directory to be watched for @file{.torrent} files indicating new +torrents to be added, when @code{watch-dir-enabled} is @code{#t}. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean trash-original-torrent-files? +When @code{#t}, @file{.torrent} files will be deleted from the watch +directory once their torrent has been added (see +@code{watch-directory-enabled?}). + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean speed-limit-down-enabled? +When @code{#t}, the daemon's download speed will be limited to the rate +specified by @code{speed-limit-down}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer speed-limit-down +The default global-maximum download speed, in kilobytes per second. + +Defaults to @samp{100}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean speed-limit-up-enabled? +When @code{#t}, the daemon's upload speed will be limited to the rate +specified by @code{speed-limit-up}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer speed-limit-up +The default global-maximum upload speed, in kilobytes per second. + +Defaults to @samp{100}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean alt-speed-enabled? +When @code{#t}, the alternate speed limits @code{alt-speed-down} and +@code{alt-speed-up} are used (in place of @code{speed-limit-down} and +@code{speed-limit-up}, if they are enabled) to constrain the daemon's +bandwidth usage. This can be scheduled to occur automatically at +certain times during the week; see @code{alt-speed-time-enabled?}. 
+ +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-down +The alternate global-maximum download speed, in kilobytes per second. + +Defaults to @samp{50}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-up +The alternate global-maximum upload speed, in kilobytes per second. + +Defaults to @samp{50}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean alt-speed-time-enabled? +When @code{#t}, the alternate speed limits @code{alt-speed-down} and +@code{alt-speed-up} will be enabled automatically during the periods +specified by @code{alt-speed-time-day}, @code{alt-speed-time-begin} and +@code{alt-time-speed-end}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} day-list alt-speed-time-day +The days of the week on which the alternate-speed schedule should be +used, specified either as a list of days (@code{sunday}, @code{monday}, +and so on) or using one of the symbols @code{weekdays}, @code{weekends} +or @code{all}. + +Defaults to @samp{all}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-time-begin +The time of day at which to enable the alternate speed limits, expressed +as a number of minutes since midnight. + +Defaults to @samp{540}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer alt-speed-time-end +The time of day at which to disable the alternate speed limits, +expressed as a number of minutes since midnight. + +Defaults to @samp{1020}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} string bind-address-ipv4 +The IP address at which to listen for peer connections, or ``0.0.0.0'' +to listen at all available IP addresses. 
+ +Defaults to @samp{"0.0.0.0"}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} string bind-address-ipv6 +The IPv6 address at which to listen for peer connections, or ``::'' to +listen at all available IPv6 addresses. + +Defaults to @samp{"::"}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean peer-port-random-on-start? +If @code{#t}, when the daemon starts it will select a port at random on +which to listen for peer connections, from the range specified +(inclusively) by @code{peer-port-random-low} and +@code{peer-port-random-high}. Otherwise, it listens on the port +specified by @code{peer-port}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} port-number peer-port-random-low +The lowest selectable port number when @code{peer-port-random-on-start?} +is @code{#t}. + +Defaults to @samp{49152}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} port-number peer-port-random-high +The highest selectable port number when @code{peer-port-random-on-start} +is @code{#t}. + +Defaults to @samp{65535}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} port-number peer-port +The port on which to listen for peer connections when +@code{peer-port-random-on-start?} is @code{#f}. + +Defaults to @samp{51413}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean port-forwarding-enabled? +If @code{#t}, the daemon will attempt to configure port-forwarding on an +upstream gateway automatically using @acronym{UPnP} and +@acronym{NAT-PMP}. + +Defaults to @samp{#t}. 
+ +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} encryption-mode encryption +The encryption preference for peer connections, one of +@code{prefer-unencrypted-connections}, +@code{prefer-encrypted-connections} or +@code{require-encrypted-connections}. + +Defaults to @samp{prefer-encrypted-connections}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string peer-congestion-algorithm +The TCP congestion-control algorithm to use for peer connections, +specified using a string recognized by the operating system in calls to +@code{setsockopt} (or set to @code{disabled}, in which case the +operating-system default is used). + +Note that on GNU/Linux systems, the kernel must be configured to allow +processes to use a congestion-control algorithm not in the default set; +otherwise, it will deny these requests with ``Operation not permitted''. +To see which algorithms are available on your system and which are +currently permitted for use, look at the contents of the files +@file{tcp_available_congestion_control} and +@file{tcp_allowed_congestion_control} in the @file{/proc/sys/net/ipv4} +directory. + +As an example, to have Transmission Daemon use +@uref{http://www-ece.rice.edu/networks/TCP-LP/,the TCP Low Priority +congestion-control algorithm}, you'll need to modify your kernel +configuration to build in support for the algorithm, then update your +operating-system configuration to allow its use by adding a +@code{sysctl-service-type} service (or updating the existing one's +configuration) with lines like the following: + +@lisp +(service sysctl-service-type + (sysctl-configuration + (settings + ("net.ipv4.tcp_allowed_congestion_control" . + "reno cubic lp")))) +@end lisp + +The Transmission Daemon configuration can then be updated with + +@lisp +(peer-congestion-algorithm "lp") +@end lisp + +and the system reconfigured to have the changes take effect. + +Defaults to @samp{disabled}. 
+ +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} tcp-type-of-service peer-socket-tos +The type of service to request in outgoing @acronym{TCP} packets, one of +@code{default}, @code{low-cost}, @code{throughput}, @code{low-delay} and +@code{reliability}. + +Defaults to @samp{default}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer peer-limit-global +The global limit on the number of connected peers. + +Defaults to @samp{200}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer peer-limit-per-torrent +The per-torrent limit on the number of connected peers. + +Defaults to @samp{50}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer upload-slots-per-torrent +The maximum number of peers to which the daemon will upload data +simultaneously for each torrent. + +Defaults to @samp{14}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer peer-id-ttl-hours +The maximum lifespan, in hours, of the peer ID associated with each +public torrent before it is regenerated. + +Defaults to @samp{6}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean blocklist-enabled? +When @code{#t}, the daemon will ignore peers mentioned in the blocklist +it has most recently downloaded from @code{blocklist-url}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string blocklist-url +The URL of a peer blocklist (in @acronym{P2P}-plaintext or eMule +@file{.dat} format) to be periodically downloaded and applied when +@code{blocklist-enabled?} is @code{#t}. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean download-queue-enabled? 
+If @code{#t}, the daemon will be limited to downloading at most +@code{download-queue-size} non-stalled torrents simultaneously. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer download-queue-size +The size of the daemon's download queue, which limits the number of +non-stalled torrents it will download at any one time when +@code{download-queue-enabled?} is @code{#t}. + +Defaults to @samp{5}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean seed-queue-enabled? +If @code{#t}, the daemon will be limited to seeding at most +@code{seed-queue-size} non-stalled torrents simultaneously. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer seed-queue-size +The size of the daemon's seed queue, which limits the number of +non-stalled torrents it will seed at any one time when +@code{seed-queue-enabled?} is @code{#t}. + +Defaults to @samp{10}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean queue-stalled-enabled? +When @code{#t}, the daemon will consider torrents for which it has not +shared data in the past @code{queue-stalled-minutes} minutes to be +stalled and not count them against its @code{download-queue-size} and +@code{seed-queue-size} limits. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer queue-stalled-minutes +The maximum period, in minutes, a torrent may be idle before it is +considered to be stalled, when @code{queue-stalled-enabled?} is +@code{#t}. + +Defaults to @samp{30}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean ratio-limit-enabled? +When @code{#t}, a torrent being seeded will automatically be paused once +it reaches the ratio specified by @code{ratio-limit}. 
+ +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-rational ratio-limit +The ratio at which a torrent being seeded will be paused, when +@code{ratio-limit-enabled?} is @code{#t}. + +Defaults to @samp{2.0}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean idle-seeding-limit-enabled? +When @code{#t}, a torrent being seeded will automatically be paused once +it has been idle for @code{idle-seeding-limit} minutes. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer idle-seeding-limit +The maximum period, in minutes, a torrent being seeded may be idle +before it is paused, when @code{idle-seeding-limit-enabled?} is +@code{#t}. + +Defaults to @samp{30}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean dht-enabled? +Enable @uref{http://bittorrent.org/beps/bep_0005.html,the distributed +hash table (@acronym{DHT}) protocol}, which supports the use of +trackerless torrents. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean lpd-enabled? +Enable @uref{https://en.wikipedia.org/wiki/Local_Peer_Discovery,local +peer discovery} (@acronym{LPD}), which allows the discovery of peers on +the local network and may reduce the amount of data sent over the public +Internet. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean pex-enabled? +Enable @uref{https://en.wikipedia.org/wiki/Peer_exchange,peer exchange} +(@acronym{PEX}), which reduces the daemon's reliance on external +trackers and may improve its performance. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean utp-enabled? 
+Enable @uref{http://bittorrent.org/beps/bep_0029.html,the micro +transport protocol} (@acronym{uTP}), which aims to reduce the impact of +BitTorrent traffic on other users of the local network while maintaining +full utilization of the available bandwidth. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-enabled? +If @code{#t}, enable the remote procedure call (@acronym{RPC}) +interface, which allows remote control of the daemon via its Web +interface, the @command{transmission-remote} command-line client, and +similar tools. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} string rpc-bind-address +The IP address at which to listen for @acronym{RPC} connections, or +``0.0.0.0'' to listen at all available IP addresses. + +Defaults to @samp{"0.0.0.0"}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} port-number rpc-port +The port on which to listen for @acronym{RPC} connections. + +Defaults to @samp{9091}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} string rpc-url +The path prefix to use in the @acronym{RPC}-endpoint @acronym{URL}. + +Defaults to @samp{"/transmission/"}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-authentication-required? +When @code{#t}, clients must authenticate (see @code{rpc-username} and +@code{rpc-password}) when using the @acronym{RPC} interface. Note this +has the side effect of disabling host-name whitelisting (see +@code{rpc-host-whitelist-enabled?}. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} maybe-string rpc-username +The username required by clients to access the @acronym{RPC} interface +when @code{rpc-authentication-required?} is @code{#t}. + +Defaults to @samp{disabled}. 
+ +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} maybe-transmission-password-hash rpc-password +The password required by clients to access the @acronym{RPC} interface +when @code{rpc-authentication-required?} is @code{#t}. This must be +specified using a password hash in the format recognized by Transmission +clients, either copied from an existing @file{settings.json} file or +generated using the @code{transmission-password-hash} procedure. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-whitelist-enabled? +When @code{#t}, @acronym{RPC} requests will be accepted only when they +originate from an address specified in @code{rpc-whitelist}. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} string-list rpc-whitelist +The list of IP and IPv6 addresses from which @acronym{RPC} requests will +be accepted when @code{rpc-whitelist-enabled?} is @code{#t}. Wildcards +may be specified using @samp{*}. + +Defaults to @samp{("127.0.0.1" "::1")}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean rpc-host-whitelist-enabled? +When @code{#t}, @acronym{RPC} requests will be accepted only when they +are addressed to a host named in @code{rpc-host-whitelist}. Note that +requests to ``localhost'' or ``localhost.'', or to a numeric address, +are always accepted regardless of these settings. + +Note also this functionality is disabled when +@code{rpc-authentication-required?} is @code{#t}. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} string-list rpc-host-whitelist +The list of host names recognized by the @acronym{RPC} server when +@code{rpc-host-whitelist-enabled?} is @code{#t}. + +Defaults to @samp{()}. 
+ +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} message-level message-level +The minimum severity level of messages to be logged (to +@file{/var/log/transmission.log}) by the daemon, one of @code{none} (no +logging), @code{error}, @code{info} and @code{debug}. + +Defaults to @samp{info}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean start-added-torrents? +When @code{#t}, torrents are started as soon as they are added; +otherwise, they are added in ``paused'' state. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean script-torrent-done-enabled? +When @code{#t}, the script specified by +@code{script-torrent-done-filename} will be invoked each time a torrent +completes. + +Defaults to @samp{#f}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} maybe-file-object script-torrent-done-filename +A file name or file-like object specifying a script to run each time a +torrent completes, when @code{script-torrent-done-enabled?} is +@code{#t}. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean scrape-paused-torrents-enabled? +When @code{#t}, the daemon will scrape trackers for a torrent even when +the torrent is paused. + +Defaults to @samp{#t}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} non-negative-integer cache-size-mb +The amount of memory, in megabytes, to allocate for the daemon's +in-memory cache. A larger value may increase performance by reducing +the frequency of disk I/O. + +Defaults to @samp{4}. + +@end deftypevr + +@deftypevr {@code{transmission-daemon-configuration} parameter} boolean prefetch-enabled? 
+When @code{#t}, the daemon will try to improve I/O performance by +hinting to the operating system which data is likely to be read next +from disk to satisfy requests from peers. + +Defaults to @samp{#t}. + +@end deftypevr + + +@c %end of fragment + + + @node Monitoring Services @subsection Monitoring Services diff --git a/gnu/local.mk b/gnu/local.mk index d098c04308..0625c6c5eb 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -605,6 +605,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/dns.scm \ %D%/services/docker.scm \ %D%/services/authentication.scm \ + %D%/services/file-sharing.scm \ %D%/services/games.scm \ %D%/services/ganeti.scm \ %D%/services/getmail.scm \ diff --git a/gnu/services/file-sharing.scm b/gnu/services/file-sharing.scm new file mode 100644 index 0000000000..72cd6478d6 --- /dev/null +++ b/gnu/services/file-sharing.scm 
@@ -0,0 +1,804 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2020 Simon South +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services file-sharing) + #:use-module (gcrypt base16) + #:use-module (gcrypt hash) + #:use-module (gcrypt random) + #:use-module (gnu services) + #:use-module (gnu services admin) + #:use-module (gnu services configuration) + #:use-module (gnu services shepherd) + #:use-module (gnu packages admin) + #:use-module (gnu packages bittorrent) + #:use-module (gnu packages gnupg) + #:use-module (gnu packages guile) + #:use-module (gnu system shadow) + #:use-module (guix diagnostics) + #:use-module (guix gexp) + #:use-module (guix i18n) + #:use-module (guix modules) + #:use-module (guix packages) + #:use-module (guix records) + #:use-module (ice-9 format) + #:use-module (ice-9 match) + #:use-module (rnrs bytevectors) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-34) + #:use-module (srfi srfi-35) + #:export (transmission-daemon-configuration + transmission-daemon-service-type + transmission-password-hash + transmission-random-salt)) + +;;; +;;; Transmission Daemon. 
+;;; + +(define %transmission-daemon-user "transmission") +(define %transmission-daemon-group "transmission") + +(define %transmission-daemon-configuration-directory + "/var/lib/transmission-daemon") +(define %transmission-daemon-log-file + "/var/log/transmission.log") + +(define %transmission-salt-length 8) + +(define (transmission-password-hash password salt) + "Returns a string containing the result of hashing @var{password} together +with @var{salt}, in the format recognized by Transmission clients for their +@code{rpc-password} configuration setting. + +@var{salt} must be an eight-character string. The +@code{transmission-random-salt} procedure can be used to generate a suitable +salt value at random." + (if (not (and (string? salt) + (eq? (string-length salt) %transmission-salt-length))) + (raise (formatted-message + (G_ "salt value must be a string of ~d characters") + %transmission-salt-length)) + (string-append "{" + (bytevector->base16-string + (sha1 (string->utf8 (string-append password salt)))) + salt))) + +(define (transmission-random-salt) + "Returns a string containing a random, eight-character salt value of the +type generated and used by Transmission clients, suitable for passing to the +@code{transmission-password-hash} procedure." + ;; This implementation matches a portion of Transmission's tr_ssha1 + ;; function. See libtransmission/crypto-utils.c in the Transmission source + ;; distribution. + (let ((salter (string-append "0123456789" + "abcdefghijklmnopqrstuvwxyz" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "./"))) + (list->string + (map (lambda (u8) + (string-ref salter (modulo u8 (string-length salter)))) + (bytevector->u8-list + (gen-random-bv %transmission-salt-length %gcry-strong-random)))))) + +(define (uglify-field-name field-name) + (string-delete #\? 
(symbol->string field-name))) + +(define (serialize-field field-name val) + ;; "Serialize" each configuration field as a G-expression containing a + ;; name-value pair, the collection of which will subsequently be serialized + ;; to disk as a JSON object. + #~(#$(uglify-field-name field-name) . #$val)) + +(define serialize-boolean serialize-field) +(define serialize-integer serialize-field) +(define serialize-rational serialize-field) + +(define serialize-string serialize-field) +(define-maybe string) +;; Override the definition of "serialize-maybe-string", as we need to output a +;; name-value pair for the JSON builder. +(set! serialize-maybe-string + (lambda (field-name val) + (serialize-string field-name + (if (and (symbol? val) + (eq? val 'disabled)) + "" + val)))) + +(define (string-list? val) + (and (list? val) + (and-map (lambda (x) + (and (string? x) + (not (string-index x #\,)))) + val))) +(define (serialize-string-list field-name val) + (serialize-field field-name (string-join val ","))) + +(define days + '((sunday . #b0000001) + (monday . #b0000010) + (tuesday . #b0000100) + (wednesday . #b0001000) + (thursday . #b0010000) + (friday . #b0100000) + (saturday . #b1000000))) +(define day-lists + (list (cons 'weekdays '(monday tuesday wednesday thursday friday)) + (cons 'weekends '(saturday sunday)) + (cons 'all (map car days)))) +(define (day-list? val) + (or (and (symbol? val) + (assq val day-lists)) + (and (list? val) + (and-map (lambda (x) + (and (symbol? x) + (assq x days))) + val)))) +(define (serialize-day-list field-name val) + (serialize-integer field-name + (reduce logior + #b0000000 + (map (lambda (day) + (assq-ref days day)) + (if (symbol? val) + (assq-ref day-lists val) + val))))) + +(define encryption-modes + '((prefer-unencrypted-connections . 0) + (prefer-encrypted-connections . 1) + (require-encrypted-connections . 2))) +(define (encryption-mode? val) + (and (symbol? 
val) + (assq val encryption-modes))) +(define (serialize-encryption-mode field-name val) + (serialize-integer field-name (assq-ref encryption-modes val))) + +(define serialize-file-like serialize-field) + +(define (file-object? val) + (or (string? val) + (file-like? val))) +(define (serialize-file-object field-name val) + (if (file-like? val) + (serialize-file-like field-name val) + (serialize-string field-name val))) +(define-maybe file-object) +(set! serialize-maybe-file-object + (lambda (field-name val) + (if (and (symbol? val) + (eq? val 'disabled)) + (serialize-string field-name "") + (serialize-file-object field-name val)))) + +(define (file-object-list? val) + (and (list? val) + (and-map file-object? val))) +(define serialize-file-object-list serialize-field) + +(define message-levels + '((none . 0) + (error . 1) + (info . 2) + (debug . 3))) +(define (message-level? val) + (and (symbol? val) + (assq val message-levels))) +(define (serialize-message-level field-name val) + (serialize-integer field-name (assq-ref message-levels val))) + +(define (non-negative-integer? val) + (and (integer? val) + (not (negative? val)))) +(define serialize-non-negative-integer serialize-integer) + +(define (non-negative-rational? val) + (and (rational? val) + (not (negative? val)))) +(define serialize-non-negative-rational serialize-rational) + +(define (port-number? val) + (and (integer? val) + (>= val 1) + (<= val 65535))) +(define serialize-port-number serialize-integer) + +(define preallocation-modes + '((none . 0) + (fast . 1) + (sparse . 1) + (full . 2))) +(define (preallocation-mode? val) + (and (symbol? val) + (assq val preallocation-modes))) +(define (serialize-preallocation-mode field-name val) + (serialize-integer field-name (assq-ref preallocation-modes val))) + +(define tcp-types-of-service + '((default . "default") + (low-cost . "lowcost") + (throughput . "throughput") + (low-delay . "lowdelay") + (reliability . "reliability"))) +(define (tcp-type-of-service? 
val) + (and (symbol? val) + (assq val tcp-types-of-service))) +(define (serialize-tcp-type-of-service field-name val) + (serialize-string field-name (assq-ref tcp-types-of-service val))) + +(define (transmission-password-hash? val) + (and (string? val) + (= (string-length val) 49) + (eqv? (string-ref val 0) #\{) + (string-every char-set:hex-digit val 1 41))) +(define serialize-transmission-password-hash serialize-string) +(define-maybe transmission-password-hash) +(set! serialize-maybe-transmission-password-hash serialize-maybe-string) + +(define (umask? val) + (and (integer? val) + (>= val #o000) + (<= val #o777))) +(define serialize-umask serialize-integer) ; must use decimal representation + +(define-configuration transmission-daemon-configuration + ;; Settings internal to this service definition. + (transmission + (package transmission) + "The Transmission package to use.") + (stop-wait-period + (non-negative-integer 10) + "The period, in seconds, to wait when stopping the service for +@command{transmission-daemon} to exit before killing its process. This allows +the daemon time to complete its housekeeping and send a final update to +trackers as it shuts down. On slow hosts, or hosts with a slow network +connection, this value may need to be increased.") + + ;; Files and directories. + (download-dir + (string (string-append %transmission-daemon-configuration-directory + "/downloads")) + "The directory to which torrent files are downloaded.") + (incomplete-dir-enabled? + (boolean #f) + "If @code{#t}, files will be held in @code{incomplete-dir} while their +torrent is being downloaded, then moved to @code{download-dir} once the +torrent is complete. 
Otherwise, files for all torrents (including those still +being downloaded) will be placed in @code{download-dir}.") + (incomplete-dir + (maybe-string 'disabled) + "The directory in which files from incompletely downloaded torrents will be +held when @code{incomplete-dir-enabled?} is @code{#t}.") + (umask + (umask #o022) + "The file mode creation mask used for downloaded files. (See the +@command{umask} man page for more information.)") + (rename-partial-files? + (boolean #t) + "When @code{#t}, ``.part'' is appended to the name of partially downloaded +files.") + (preallocation + (preallocation-mode 'fast) + "The mode by which space should be preallocated for downloaded files, one +of @code{none}, @code{fast} (or @code{sparse}) and @code{full}. Specifying +@code{full} will minimize disk fragmentation at a cost to file-creation +speed.") + (watch-dir-enabled? + (boolean #f) + "If @code{#t}, the directory specified by @code{watch-dir} will be watched +for new @file{.torrent} files and the torrents they describe added +automatically (and the original files removed, if +@code{trash-original-torrent-files?} is @code{#t}).") + (watch-dir + (maybe-string 'disabled) + "The directory to be watched for @file{.torrent} files indicating new +torrents to be added, when @code{watch-dir-enabled} is @code{#t}.") + (trash-original-torrent-files? + (boolean #f) + "When @code{#t}, @file{.torrent} files will be deleted from the watch +directory once their torrent has been added (see +@code{watch-directory-enabled?}).") + + ;; Bandwidth limits. + (speed-limit-down-enabled? + (boolean #f) + "When @code{#t}, the daemon's download speed will be limited to the rate +specified by @code{speed-limit-down}.") + (speed-limit-down + (non-negative-integer 100) + "The default global-maximum download speed, in kilobytes per second.") + (speed-limit-up-enabled? 
+ (boolean #f) + "When @code{#t}, the daemon's upload speed will be limited to the rate +specified by @code{speed-limit-up}.") + (speed-limit-up + (non-negative-integer 100) + "The default global-maximum upload speed, in kilobytes per second.") + (alt-speed-enabled? + (boolean #f) + "When @code{#t}, the alternate speed limits @code{alt-speed-down} and +@code{alt-speed-up} are used (in place of @code{speed-limit-down} and +@code{speed-limit-up}, if they are enabled) to constrain the daemon's +bandwidth usage. This can be scheduled to occur automatically at certain +times during the week; see @code{alt-speed-time-enabled?}.") + (alt-speed-down + (non-negative-integer 50) + "The alternate global-maximum download speed, in kilobytes per second.") + (alt-speed-up + (non-negative-integer 50) + "The alternate global-maximum upload speed, in kilobytes per second.") + + ;; Bandwidth-limit scheduling. + (alt-speed-time-enabled? + (boolean #f) + "When @code{#t}, the alternate speed limits @code{alt-speed-down} and +@code{alt-speed-up} will be enabled automatically during the periods specified +by @code{alt-speed-time-day}, @code{alt-speed-time-begin} and +@code{alt-time-speed-end}.") + (alt-speed-time-day + (day-list 'all) + "The days of the week on which the alternate-speed schedule should be used, +specified either as a list of days (@code{sunday}, @code{monday}, and so on) +or using one of the symbols @code{weekdays}, @code{weekends} or @code{all}.") + (alt-speed-time-begin + (non-negative-integer 540) + "The time of day at which to enable the alternate speed limits, +expressed as a number of minutes since midnight.") + (alt-speed-time-end + (non-negative-integer 1020) + "The time of day at which to disable the alternate speed limits, +expressed as a number of minutes since midnight.") + + ;; Peer networking. 
+ (bind-address-ipv4 + (string "0.0.0.0") + "The IP address at which to listen for peer connections, or ``0.0.0.0'' to +listen at all available IP addresses.") + (bind-address-ipv6 + (string "::") + "The IPv6 address at which to listen for peer connections, or ``::'' to +listen at all available IPv6 addresses.") + (peer-port-random-on-start? + (boolean #f) + "If @code{#t}, when the daemon starts it will select a port at random on +which to listen for peer connections, from the range specified (inclusively) +by @code{peer-port-random-low} and @code{peer-port-random-high}. Otherwise, +it listens on the port specified by @code{peer-port}.") + (peer-port-random-low + (port-number 49152) + "The lowest selectable port number when @code{peer-port-random-on-start?} +is @code{#t}.") + (peer-port-random-high + (port-number 65535) + "The highest selectable port number when @code{peer-port-random-on-start} +is @code{#t}.") + (peer-port + (port-number 51413) + "The port on which to listen for peer connections when +@code{peer-port-random-on-start?} is @code{#f}.") + (port-forwarding-enabled? + (boolean #t) + "If @code{#t}, the daemon will attempt to configure port-forwarding on an +upstream gateway automatically using @acronym{UPnP} and @acronym{NAT-PMP}.") + (encryption + (encryption-mode 'prefer-encrypted-connections) + "The encryption preference for peer connections, one of +@code{prefer-unencrypted-connections}, @code{prefer-encrypted-connections} or +@code{require-encrypted-connections}.") + (peer-congestion-algorithm + (maybe-string 'disabled) + "The TCP congestion-control algorithm to use for peer connections, +specified using a string recognized by the operating system in calls to +@code{setsockopt} (or set to @code{disabled}, in which case the +operating-system default is used). 
+ +Note that on GNU/Linux systems, the kernel must be configured to allow +processes to use a congestion-control algorithm not in the default set; +otherwise, it will deny these requests with ``Operation not permitted''. To +see which algorithms are available on your system and which are currently +permitted for use, look at the contents of the files +@file{tcp_available_congestion_control} and +@file{tcp_allowed_congestion_control} in the @file{/proc/sys/net/ipv4} +directory. + +As an example, to have Transmission Daemon use +@uref{http://www-ece.rice.edu/networks/TCP-LP/, the TCP Low Priority +congestion-control algorithm}, you'll need to modify your kernel configuration +to build in support for the algorithm, then update your operating-system +configuration to allow its use by adding a @code{sysctl-service-type} +service (or updating the existing one's configuration) with lines like the +following: + +@lisp +(service sysctl-service-type + (sysctl-configuration + (settings + (\"net.ipv4.tcp_allowed_congestion_control\" . 
+ \"reno cubic lp\")))) +@end lisp + +The Transmission Daemon configuration can then be updated with + +@lisp +(peer-congestion-algorithm \"lp\") +@end lisp + +and the system reconfigured to have the changes take effect.") + (peer-socket-tos + (tcp-type-of-service 'default) + "The type of service to request in outgoing @acronym{TCP} packets, +one of @code{default}, @code{low-cost}, @code{throughput}, @code{low-delay} +and @code{reliability}.") + (peer-limit-global + (non-negative-integer 200) + "The global limit on the number of connected peers.") + (peer-limit-per-torrent + (non-negative-integer 50) + "The per-torrent limit on the number of connected peers.") + (upload-slots-per-torrent + (non-negative-integer 14) + "The maximum number of peers to which the daemon will upload data +simultaneously for each torrent.") + (peer-id-ttl-hours + (non-negative-integer 6) + "The maximum lifespan, in hours, of the peer ID associated with each public +torrent before it is regenerated.") + + ;; Peer blocklists. + (blocklist-enabled? + (boolean #f) + "When @code{#t}, the daemon will ignore peers mentioned in the blocklist it +has most recently downloaded from @code{blocklist-url}.") + (blocklist-url + (maybe-string 'disabled) + "The URL of a peer blocklist (in @acronym{P2P}-plaintext or eMule +@file{.dat} format) to be periodically downloaded and applied when +@code{blocklist-enabled?} is @code{#t}.") + + ;; Queueing. + (download-queue-enabled? + (boolean #t) + "If @code{#t}, the daemon will be limited to downloading at most +@code{download-queue-size} non-stalled torrents simultaneously.") + (download-queue-size + (non-negative-integer 5) + "The size of the daemon's download queue, which limits the number of +non-stalled torrents it will download at any one time when +@code{download-queue-enabled?} is @code{#t}.") + (seed-queue-enabled? 
+ (boolean #f) + "If @code{#t}, the daemon will be limited to seeding at most +@code{seed-queue-size} non-stalled torrents simultaneously.") + (seed-queue-size + (non-negative-integer 10) + "The size of the daemon's seed queue, which limits the number of +non-stalled torrents it will seed at any one time when +@code{seed-queue-enabled?} is @code{#t}.") + (queue-stalled-enabled? + (boolean #t) + "When @code{#t}, the daemon will consider torrents for which it has not +shared data in the past @code{queue-stalled-minutes} minutes to be stalled and +not count them against its @code{download-queue-size} and +@code{seed-queue-size} limits.") + (queue-stalled-minutes + (non-negative-integer 30) + "The maximum period, in minutes, a torrent may be idle before it is +considered to be stalled, when @code{queue-stalled-enabled?} is @code{#t}.") + + ;; Seeding limits. + (ratio-limit-enabled? + (boolean #f) + "When @code{#t}, a torrent being seeded will automatically be paused once +it reaches the ratio specified by @code{ratio-limit}.") + (ratio-limit + (non-negative-rational 2.0) + "The ratio at which a torrent being seeded will be paused, when +@code{ratio-limit-enabled?} is @code{#t}.") + (idle-seeding-limit-enabled? + (boolean #f) + "When @code{#t}, a torrent being seeded will automatically be paused once +it has been idle for @code{idle-seeding-limit} minutes.") + (idle-seeding-limit + (non-negative-integer 30) + "The maximum period, in minutes, a torrent being seeded may be idle before +it is paused, when @code{idle-seeding-limit-enabled?} is @code{#t}.") + + ;; BitTorrent extensions. + (dht-enabled? + (boolean #t) + "Enable @uref{http://bittorrent.org/beps/bep_0005.html, the distributed +hash table (@acronym{DHT}) protocol}, which supports the use of trackerless +torrents.") + (lpd-enabled? 
+ (boolean #f) + "Enable @url{https://en.wikipedia.org/wiki/Local_Peer_Discovery, local peer +discovery} (@acronym{LPD}), which allows the discovery of peers on the local +network and may reduce the amount of data sent over the public Internet.") + (pex-enabled? + (boolean #t) + "Enable @url{https://en.wikipedia.org/wiki/Peer_exchange, peer +exchange} (@acronym{PEX}), which reduces the daemon's reliance on external +trackers and may improve its performance.") + (utp-enabled? + (boolean #t) + "Enable @url{http://bittorrent.org/beps/bep_0029.html, the micro transport +protocol} (@acronym{uTP}), which aims to reduce the impact of BitTorrent +traffic on other users of the local network while maintaining full utilization +of the available bandwidth.") + + ;; Remote procedure call (RPC) interface. + (rpc-enabled? + (boolean #t) + "If @code{#t}, enable the remote procedure call (@acronym{RPC}) interface, +which allows remote control of the daemon via its Web interface, the +@command{transmission-remote} command-line client, and similar tools.") + (rpc-bind-address + (string "0.0.0.0") + "The IP address at which to listen for @acronym{RPC} connections, or +``0.0.0.0'' to listen at all available IP addresses.") + (rpc-port + (port-number 9091) + "The port on which to listen for @acronym{RPC} connections.") + (rpc-url + (string "/transmission/") + "The path prefix to use in the @acronym{RPC}-endpoint @acronym{URL}.") + (rpc-authentication-required? + (boolean #f) + "When @code{#t}, clients must authenticate (see @code{rpc-username} and +@code{rpc-password}) when using the @acronym{RPC} interface. 
Note this has +the side effect of disabling host-name whitelisting (see +@code{rpc-host-whitelist-enabled?}.") + (rpc-username + (maybe-string 'disabled) + "The username required by clients to access the @acronym{RPC} interface +when @code{rpc-authentication-required?} is @code{#t}.") + (rpc-password + (maybe-transmission-password-hash 'disabled) + "The password required by clients to access the @acronym{RPC} interface +when @code{rpc-authentication-required?} is @code{#t}. This must be specified +using a password hash in the format recognized by Transmission clients, either +copied from an existing @file{settings.json} file or generated using the +@code{transmission-password-hash} procedure.") + (rpc-whitelist-enabled? + (boolean #t) + "When @code{#t}, @acronym{RPC} requests will be accepted only when they +originate from an address specified in @code{rpc-whitelist}.") + (rpc-whitelist + (string-list '("127.0.0.1" "::1")) + "The list of IP and IPv6 addresses from which @acronym{RPC} requests will +be accepted when @code{rpc-whitelist-enabled?} is @code{#t}. Wildcards may be +specified using @samp{*}.") + (rpc-host-whitelist-enabled? + (boolean #t) + "When @code{#t}, @acronym{RPC} requests will be accepted only when they are +addressed to a host named in @code{rpc-host-whitelist}. Note that requests to +``localhost'' or ``localhost.'', or to a numeric address, are always accepted +regardless of these settings. + +Note also this functionality is disabled when +@code{rpc-authentication-required?} is @code{#t}.") + (rpc-host-whitelist + (string-list '()) + "The list of host names recognized by the @acronym{RPC} server when +@code{rpc-host-whitelist-enabled?} is @code{#t}.") + + ;; Miscellaneous. + (message-level + (message-level 'info) + "The minimum severity level of messages to be logged (to +@file{/var/log/transmission.log}) by the daemon, one of @code{none} (no +logging), @code{error}, @code{info} and @code{debug}.") + (start-added-torrents? 
+ (boolean #t) + "When @code{#t}, torrents are started as soon as they are added; otherwise, +they are added in ``paused'' state.") + (script-torrent-done-enabled? + (boolean #f) + "When @code{#t}, the script specified by +@code{script-torrent-done-filename} will be invoked each time a torrent +completes.") + (script-torrent-done-filename + (maybe-file-object 'disabled) + "A file name or file-like object specifying a script to run each time a +torrent completes, when @code{script-torrent-done-enabled?} is @code{#t}.") + (scrape-paused-torrents-enabled? + (boolean #t) + "When @code{#t}, the daemon will scrape trackers for a torrent even when +the torrent is paused.") + (cache-size-mb + (non-negative-integer 4) + "The amount of memory, in megabytes, to allocate for the daemon's in-memory +cache. A larger value may increase performance by reducing the frequency of +disk I/O.") + (prefetch-enabled? + (boolean #t) + "When @code{#t}, the daemon will try to improve I/O performance by hinting +to the operating system which data is likely to be read next from disk to +satisfy requests from peers.")) + +(define (transmission-daemon-shepherd-service config) + "Return a for Transmission Daemon with CONFIG." 
+ (let ((transmission + (transmission-daemon-configuration-transmission config)) + (stop-wait-period + (transmission-daemon-configuration-stop-wait-period config))) + (list + (shepherd-service + (provision '(transmission-daemon transmission bittorrent)) + (requirement '(networking)) + (documentation "Share files using the BitTorrent protocol.") + (start #~(make-forkexec-constructor + '(#$(file-append transmission "/bin/transmission-daemon") + "--config-dir" + #$%transmission-daemon-configuration-directory + "--foreground") + #:user #$%transmission-daemon-user + #:group #$%transmission-daemon-group + #:directory #$%transmission-daemon-configuration-directory + #:log-file #$%transmission-daemon-log-file + #:environment-variables + '("CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt"))) + (stop #~(lambda (pid) + (kill pid SIGTERM) + + ;; Transmission Daemon normally needs some time to shut down, + ;; as it will complete some housekeeping and send a final + ;; update to trackers before it exits. + ;; + ;; Wait a reasonable period for it to stop before continuing. + ;; If we don't do this, restarting the service can fail as the + ;; new daemon process finds the old one still running and + ;; attached to the port used for peer connections. + (let wait-before-killing ((period #$stop-wait-period)) + (if (zero? (car (waitpid pid WNOHANG))) + (if (positive? 
period) + (begin + (sleep 1) + (wait-before-killing (- period 1))) + (begin + (format #t + #$(G_ "Wait period expired; killing \ +transmission-daemon (pid ~a).~%") + pid) + (display #$(G_ "(If you see this message \ +regularly, you may need to increase the value +of 'stop-wait-period' in the service configuration.)\n")) + (kill pid SIGKILL))))) + #f)) + (actions + (list + (shepherd-action + (name 'reload) + (documentation "Reload the settings file from disk.") + (procedure #~(lambda (pid) + (if pid + (begin + (kill pid SIGHUP) + (display #$(G_ "Service transmission-daemon has \ +been asked to reload its settings file."))) + (display #$(G_ "Service transmission-daemon is not \ +running.")))))))))))) + +(define %transmission-daemon-accounts + (list (user-group + (name %transmission-daemon-group) + (system? #t)) + (user-account + (name %transmission-daemon-user) + (group %transmission-daemon-group) + (comment "Transmission Daemon service account") + (home-directory %transmission-daemon-configuration-directory) + (shell (file-append shadow "/sbin/nologin")) + (system? #t)))) + +(define %transmission-daemon-log-rotations + (list (log-rotation + (files (list %transmission-daemon-log-file))))) + +(define (transmission-daemon-computed-settings-file config) + "Return a @code{computed-file} object that, when unquoted in a G-expression, +produces a Transmission settings file (@file{settings.json}) matching CONFIG." + (let ((settings + ;; "Serialize" the configuration settings as a list of G-expressions + ;; containing a name-value pair, which will ultimately be sorted and + ;; serialized to the settings file as a JSON object. + (map + (lambda (field) + ((configuration-field-serializer field) + (configuration-field-name field) + ((configuration-field-getter field) config))) + (filter + (lambda (field) + ;; Omit configuration fields that are used only internally by + ;; this service definition. 
+ (not (memq (configuration-field-name field) + '(transmission stop-wait-period)))) + transmission-daemon-configuration-fields)))) + (computed-file + "settings.json" + (with-extensions (list guile-gcrypt guile-json-4) + (with-imported-modules (source-module-closure '((json builder))) + #~(begin + (use-modules (json builder)) + + (with-output-to-file #$output + (lambda () + (scm->json (sort-list '(#$@settings) + (lambda (x y) + (string<=? (car x) (car y)))) + #:pretty #t))))))))) + +(define (transmission-daemon-activation config) + "Return the Transmission Daemon activation GEXP for CONFIG." + (let ((config-dir %transmission-daemon-configuration-directory) + (incomplete-dir-enabled + (transmission-daemon-configuration-incomplete-dir-enabled? config)) + (incomplete-dir + (transmission-daemon-configuration-incomplete-dir config)) + (watch-dir-enabled + (transmission-daemon-configuration-watch-dir-enabled? config)) + (watch-dir + (transmission-daemon-configuration-watch-dir config))) + (with-imported-modules (source-module-closure '((guix build utils))) + #~(begin + (use-modules (guix build utils)) + + (let ((owner (getpwnam #$%transmission-daemon-user))) + (define (mkdir-p/perms directory perms) + (mkdir-p directory) + (chown directory (passwd:uid owner) (passwd:gid owner)) + (chmod directory perms)) + + ;; Create the directories Transmission Daemon is configured to use + ;; and assign them suitable permissions. + (for-each (lambda (directory-specification) + (apply mkdir-p/perms directory-specification)) + '(#$@(append + `((,config-dir #o750)) + (if incomplete-dir-enabled + `((,incomplete-dir #o750)) + '()) + (if watch-dir-enabled + `((,watch-dir #o770)) + '()))))) + + ;; Generate and activate the daemon's settings file, settings.json. 
+ (activate-special-files + '((#$(string-append config-dir "/settings.json") + #$(transmission-daemon-computed-settings-file config)))))))) + +(define transmission-daemon-service-type + (service-type + (name 'transmission) + (extensions + (list (service-extension shepherd-root-service-type + transmission-daemon-shepherd-service) + (service-extension account-service-type + (const %transmission-daemon-accounts)) + (service-extension rottlog-service-type + (const %transmission-daemon-log-rotations)) + (service-extension activation-service-type + transmission-daemon-activation))) + (default-value (transmission-daemon-configuration)) + (description "Share files using the BitTorrent protocol."))) + +(define (generate-transmission-daemon-documentation) + (generate-documentation + `((transmission-daemon-configuration + ,transmission-daemon-configuration-fields)) + 'transmission-daemon-configuration)) diff --git a/po/packages/POTFILES.in b/po/packages/POTFILES.in index 9a178edfa6..398f9adfdf 100644 --- a/po/packages/POTFILES.in +++ b/po/packages/POTFILES.in @@ -59,5 +59,6 @@ gnu/packages/wordnet.scm gnu/packages/xiph.scm gnu/services/base.scm gnu/services/certbot.scm +gnu/services/file-sharing.scm gnu/services/networking.scm gnu/services/version-control.scm diff --git a/tests/services/file-sharing.scm b/tests/services/file-sharing.scm new file mode 100644 index 0000000000..27bec57325 --- /dev/null +++ b/tests/services/file-sharing.scm 
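Review bot: The RPC defaults in `transmission-daemon-configuration` leave the control interface listening on every address without authentication: `rpc-enabled?` is `#t`, `rpc-bind-address` is `"0.0.0.0"` and `rpc-authentication-required?` is `#f`, so the `rpc-whitelist` of `127.0.0.1` and `::1` is the only barrier. Defaulting the bind address to loopback, `(string "127.0.0.1")`, would keep the interface off the network until an administrator opts in, and the `rpc-bind-address` docstring could then say that widening it should be paired with `rpc-authentication-required?`. When authentication is turned on, `transmission-daemon-computed-settings-file` serializes `rpc-username` and `rpc-password` into a `computed-file`, so the hash (one SHA-1 over password plus an eight-character salt, per `transmission-password-hash`) presumably lands in the store, which is normally readable by all local users. The `rpc-password` docstring should carry a sentence such as `Note that the hash is written to the store, where any local user can read it; choose a password that is not used elsewhere.`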
@@ -0,0 +1,59 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2020 Simon South +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (tests services file-sharing) + #:use-module (gnu services file-sharing) + #:use-module (srfi srfi-64)) + +;;; Tests for the (gnu services file-sharing) module. + +(test-begin "file-sharing") + + +;;; +;;; Transmission Daemon. +;;; + +(define %transmission-salt-length 8) + +(define (valid-transmission-salt? salt) + (and (string? salt) + (eqv? (string-length salt) %transmission-salt-length))) + +(test-assert "transmission-random-salt" + (valid-transmission-salt? 
(transmission-random-salt))) + +(test-equal "transmission-password-hash, typical values" + "{ef6fba106cdef3aac64d1410090cae353cbecde53ceVVQO2" + (transmission-password-hash "transmission" "3ceVVQO2")) + +(test-equal "transmission-password-hash, empty password" + "{820f816515d8969d058d07a1de018650619ee7ffCp.I5SWg" + (transmission-password-hash "" "Cp.I5SWg")) + +(test-error "transmission-password-hash, salt value too short" + (transmission-password-hash + "transmission" + (make-string (- %transmission-salt-length 1) #\a))) + +(test-error "transmission-password-hash, salt value too long" + (transmission-password-hash + "transmission" + (make-string (+ %transmission-salt-length 1) #\a))) + +(test-end "file-sharing") -- cgit v1.2.3 From d588cc8fa96e4a4bce56fac2ba3bbaaeaaed0047 Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian Date: Fri, 12 Feb 2021 15:53:45 -0800 Subject: gnu: diffoscope: Update to use python-magic. Fixes: https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/238 * gnu/packages/patches/diffoscope-revert-to-magic-open.patch: Remove file. * gnu/local.mk [dist_patch_DATA]: Update. * gnu/packages/diffoscope.scm (diffoscope)[source]: Remove patch. [inputs]: Remove python-file. --- gnu/local.mk | 1 - gnu/packages/diffoscope.scm | 5 +- .../patches/diffoscope-revert-to-magic-open.patch | 70 ---------------------- 3 files changed, 1 insertion(+), 75 deletions(-) delete mode 100644 gnu/packages/patches/diffoscope-revert-to-magic-open.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 0625c6c5eb..ad6e02116e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
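Review bot: The `transmission-random-salt` test only checks type and length through `valid-transmission-salt?`, so a regression that produced characters outside the 64-character alphabet built in the module's `salter` string would still pass. The predicate could also check the alphabet, for example `(string-every (string->char-set "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./") salt)`. The local `(define %transmission-salt-length 8)` duplicates a constant the module does not export, which is worth a one-line comment so the two values are kept in step.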
@@ -927,7 +927,6 @@ dist_patch_DATA = \ %D%/packages/patches/desmume-gcc6-fixes.patch \ %D%/packages/patches/desmume-gcc7-fixes.patch \ %D%/packages/patches/dfu-programmer-fix-libusb.patch \ - %D%/packages/patches/diffoscope-revert-to-magic-open.patch \ %D%/packages/patches/diffutils-gets-undeclared.patch \ %D%/packages/patches/dkimproxy-add-ipv6-support.patch \ %D%/packages/patches/docbook-xsl-nonrecursive-string-subst.patch \ diff --git a/gnu/packages/diffoscope.scm b/gnu/packages/diffoscope.scm index a31ac485c2..feb0324db2 100644 --- a/gnu/packages/diffoscope.scm +++ b/gnu/packages/diffoscope.scm @@ -81,9 +81,7 @@ (file-name (git-file-name name version)) (sha256 (base32 - "0vc4a38ii6b10af4c7cxfkvj4lk4ihx1xs4q5lshnkyg74gmm21b")) - (patches (search-patches - "diffoscope-revert-to-magic-open.patch")))) + "0vc4a38ii6b10af4c7cxfkvj4lk4ihx1xs4q5lshnkyg74gmm21b")))) (build-system python-build-system) (arguments `(#:phases (modify-phases %standard-phases @@ -137,7 +135,6 @@ (install-file "doc/diffoscope.1" man) #t)))))) (inputs `(("rpm" ,rpm) ;for rpm-python - ("python-file" ,python-file) ("python-debian" ,python-debian) ("python-libarchive-c" ,python-libarchive-c) ("python-magic" ,python-magic) diff --git a/gnu/packages/patches/diffoscope-revert-to-magic-open.patch b/gnu/packages/patches/diffoscope-revert-to-magic-open.patch deleted file mode 100644 index d52b26ead5..0000000000 --- a/gnu/packages/patches/diffoscope-revert-to-magic-open.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From b658c3a6819ccb9a104b13e973132c66f0965965 Mon Sep 17 00:00:00 2001 -From: Vagrant Cascadian -Date: Thu, 11 Feb 2021 17:28:21 -0800 -Subject: [PATCH] Revert "Prefer to use magic.Magic over the magic.open - compatibility interface. (Closes: reproducible-builds/diffoscope#236)" - -This reverts commit c72c30f29ea3760eb4c785644dc7cd4c26833740. ---- - diffoscope/comparators/utils/file.py | 28 ++++++++++++++-------------- - 1 file changed, 14 insertions(+), 14 deletions(-) - -diff --git a/diffoscope/comparators/utils/file.py b/diffoscope/comparators/utils/file.py -index fb3b4316..32700f02 100644 ---- a/diffoscope/comparators/utils/file.py -+++ b/diffoscope/comparators/utils/file.py -@@ -65,37 +65,37 @@ def _run_tests(fold, tests): - - - class File(metaclass=abc.ABCMeta): -- if hasattr(magic, "Magic"): # use python-magic -+ if hasattr(magic, "open"): # use Magic-file-extensions from file - - @classmethod - def guess_file_type(cls, path): - if not hasattr(cls, "_mimedb"): -- cls._mimedb = magic.Magic() -- return maybe_decode(cls._mimedb.from_file(path)) -+ cls._mimedb = magic.open(magic.NONE) -+ cls._mimedb.load() -+ return cls._mimedb.file( -+ path.encode("utf-8", errors="surrogateescape") -+ ) - - @classmethod - def guess_encoding(cls, path): - if not hasattr(cls, "_mimedb_encoding"): -- cls._mimedb_encoding = magic.Magic(mime_encoding=True) -- return maybe_decode(cls._mimedb_encoding.from_file(path)) -+ cls._mimedb_encoding = magic.open(magic.MAGIC_MIME_ENCODING) -+ cls._mimedb_encoding.load() -+ return cls._mimedb_encoding.file(path) - -- else: # use Magic-file-extensions from file -+ else: # use python-magic - - @classmethod - def guess_file_type(cls, path): - if not hasattr(cls, "_mimedb"): -- cls._mimedb = magic.open(magic.NONE) -- cls._mimedb.load() -- return cls._mimedb.file( -- path.encode("utf-8", errors="surrogateescape") -- ) -+ cls._mimedb = magic.Magic() -+ return maybe_decode(cls._mimedb.from_file(path)) - - @classmethod - def 
guess_encoding(cls, path): - if not hasattr(cls, "_mimedb_encoding"): -- cls._mimedb_encoding = magic.open(magic.MAGIC_MIME_ENCODING) -- cls._mimedb_encoding.load() -- return cls._mimedb_encoding.file(path) -+ cls._mimedb_encoding = magic.Magic(mime_encoding=True) -+ return maybe_decode(cls._mimedb_encoding.from_file(path)) - - def __init__(self, container=None): - self._comments = [] --- -2.30.0 - -- cgit v1.2.3 From adae5d75b6029b5d034030cff24e1ba4d8b3144a Mon Sep 17 00:00:00 2001 From: Stefan Reichör Date: Fri, 12 Feb 2021 22:51:54 +0100 Subject: gnu: Add run. * gnu/packages/task-runners.scm (run): New variable. Signed-off-by: Nicolas Goaziou --- gnu/local.mk | 1 + gnu/packages/task-runners.scm | 49 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 gnu/packages/task-runners.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index ad6e02116e..250901f6d9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -533,6 +533,7 @@ GNU_SYSTEM_MODULES = \ %D%/packages/synergy.scm \ %D%/packages/syndication.scm \ %D%/packages/task-management.scm \ + %D%/packages/task-runners.scm \ %D%/packages/tbb.scm \ %D%/packages/tcl.scm \ %D%/packages/telegram.scm \ diff --git a/gnu/packages/task-runners.scm b/gnu/packages/task-runners.scm new file mode 100644 index 0000000000..49a07fa3bd --- /dev/null +++ b/gnu/packages/task-runners.scm 
@@ -0,0 +1,49 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2021 Stefan Reichör +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu packages task-runners) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix packages) + #:use-module (guix git-download) + #:use-module (gnu packages golang) + #:use-module (guix build-system go)) + +(define-public run + (package + (name "run") + (version "0.7.2") + (source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/TekWizely/run") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (sha256 + (base32 "17n11lqhywq4z62w2rakdq80v7mxf83rgln19vj4v4nxpwd2hjjw")))) + (build-system go-build-system) + (propagated-inputs + `(("go-github-com-tekwizely-go-parsing" ,go-github-com-tekwizely-go-parsing))) + (arguments + `(#:import-path "github.com/tekwizely/run")) + (synopsis "Easily manage and invoke small scripts and wrappers") + (description + "Run is a tool to easily manage and invoke small scripts and wrappers by +using a Runfile.") + (home-page "https://github.com/TekWizely/run") + (license license:expat))) -- cgit v1.2.3 From 301d1bacc1f33ed5f2f546488c3a1dbc66cc3f4f Mon Sep 17 00:00:00 2001 
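Review bot: `go-github-com-tekwizely-go-parsing` is listed under `propagated-inputs`, which pulls the library into every profile that installs `run`. As far as this hunk shows, `run` is a command-line program built with `go-build-system`, so the library should only be needed while building. Changing `(propagated-inputs` to `(inputs` would keep the extra source out of user profiles and keep the package's closure limited to what the program needs at run time.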
From: Efraim Flashner Date: Wed, 17 Feb 2021 16:06:12 +0200 Subject: gnu: ruby-rubocop: Update to 1.10.0. * gnu/packages/ruby.scm (ruby-rubocop): Update to 1.10.0. [source]: Remove patch. [arguments]: Remove custom 'remove-problematic-tests, 'disable-bundler, 'replace-git-ls-files phases. Add custom 'check phase. [native-inputs]: Add ruby-memory-profiler, ruby-rake, ruby-rubocop-minimal, ruby-rubocop-performance-minimal, ruby-rubocop-rspec-minimal, ruby-simplecov, ruby-stackprof. Replace ruby-webmock-2 with ruby-webmock. (ruby-rubocop-minimal, ruby-rubocop-performance-minimal, ruby-rubocop-rspec-minimal): New variables. * gnu/packages/patches/ruby-rubocop-break-dependency-cycle.patch: Remove file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - .../ruby-rubocop-break-dependency-cycle.patch | 101 --------------------- gnu/packages/ruby.scm | 78 ++++++++++------ 3 files changed, 49 insertions(+), 131 deletions(-) delete mode 100644 gnu/packages/patches/ruby-rubocop-break-dependency-cycle.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 250901f6d9..c3398c62fd 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1597,7 +1597,6 @@ dist_patch_DATA = \ %D%/packages/patches/rnp-disable-ruby-rnp-tests.patch \ %D%/packages/patches/rnp-unbundle-googletest.patch \ %D%/packages/patches/ruby-rack-ignore-failing-test.patch \ - %D%/packages/patches/ruby-rubocop-break-dependency-cycle.patch\ %D%/packages/patches/ruby-sanitize-system-libxml.patch \ %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\ %D%/packages/patches/runc-CVE-2019-5736.patch \ diff --git a/gnu/packages/patches/ruby-rubocop-break-dependency-cycle.patch b/gnu/packages/patches/ruby-rubocop-break-dependency-cycle.patch deleted file mode 100644 index 035a98fa33..0000000000 --- a/gnu/packages/patches/ruby-rubocop-break-dependency-cycle.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From ff3f00b7f33332ebf1c3c05abc4a781684775b3c Mon Sep 17 00:00:00 2001 -From: Maxim Cournoyer -Date: Tue, 14 Jul 2020 11:50:12 -0400 -Subject: [PATCH] config: Drop rubocop-performance, rubocop-rspec requirements. - -This patch removes Rubocop extensions from Rubocop's closure to break -a dependency cycle with itself. - -* .rubocop.yml: Remove rubocop-performance and rubocop-rspec and their -corresponding directives. -* .rubocop_todo.yml: Likewise. ---- - .rubocop.yml | 15 --------------- - .rubocop_todo.yml | 44 -------------------------------------------- - 2 files changed, 59 deletions(-) - -diff --git a/.rubocop.yml b/.rubocop.yml -index 4f05d5be2..f12ef7c06 100644 ---- a/.rubocop.yml -+++ b/.rubocop.yml -@@ -3,8 +3,6 @@ - inherit_from: .rubocop_todo.yml - require: - - rubocop/cop/internal_affairs -- - rubocop-performance -- - rubocop-rspec - - AllCops: - NewCops: enable -@@ -106,16 +104,3 @@ Metrics/ClassLength: - Metrics/ModuleLength: - Exclude: - - 'spec/**/*.rb' -- --RSpec/FilePath: -- Exclude: -- - spec/rubocop/formatter/junit_formatter_spec.rb -- --RSpec/PredicateMatcher: -- EnforcedStyle: explicit -- --RSpec/MessageSpies: -- EnforcedStyle: receive -- --RSpec/NestedGroups: -- Max: 7 -diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml -index 3f72042d1..fa637cd42 100644 ---- a/.rubocop_todo.yml -+++ b/.rubocop_todo.yml -@@ -24,47 +24,3 @@ Metrics/MethodLength: - # Configuration parameters: CountComments. - Metrics/ModuleLength: - Max: 132 -- --# Offense count: 10 --RSpec/AnyInstance: -- Exclude: -- - 'spec/rubocop/cli_spec.rb' -- - 'spec/rubocop/cop/lint/duplicate_methods_spec.rb' -- - 'spec/rubocop/cop/team_spec.rb' -- - 'spec/rubocop/target_finder_spec.rb' -- --# Offense count: 981 --# Configuration parameters: Prefixes. --# Prefixes: when, with, without --RSpec/ContextWording: -- Enabled: false -- --# Offense count: 3810 --# Configuration parameters: Max. 
--RSpec/ExampleLength: -- Enabled: false -- --# Offense count: 38 --RSpec/ExpectOutput: -- Exclude: -- - 'spec/rubocop/cli/cli_auto_gen_config_spec.rb' -- - 'spec/rubocop/cli/cli_options_spec.rb' -- - 'spec/rubocop/config_spec.rb' -- - 'spec/rubocop/cop/cop_spec.rb' -- - 'spec/rubocop/formatter/disabled_config_formatter_spec.rb' -- - 'spec/rubocop/formatter/formatter_set_spec.rb' -- - 'spec/rubocop/options_spec.rb' -- - 'spec/rubocop/rake_task_spec.rb' -- - 'spec/rubocop/result_cache_spec.rb' -- - 'spec/rubocop/target_finder_spec.rb' -- --# Offense count: 434 --RSpec/MultipleExpectations: -- Max: 25 -- --# Offense count: 5 --RSpec/SubjectStub: -- Exclude: -- - 'spec/rubocop/config_spec.rb' -- - 'spec/rubocop/formatter/json_formatter_spec.rb' -- - 'spec/rubocop/formatter/progress_formatter_spec.rb' --- -2.27.0 - diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 58614a61ac..6c9583b3cf 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -1584,6 +1584,16 @@ enforcing & linting tool.") (home-page "https://github.com/rubocop-hq/rubocop-rspec") (license license:expat))) +(define-public ruby-rubocop-rspec-minimal + (hidden-package + (package + (inherit ruby-rubocop-rspec) + (arguments + (substitute-keyword-arguments (package-arguments ruby-rubocop-rspec) + ((#:tests? _ #f) #f))) + (propagated-inputs '()) + (native-inputs '())))) + (define-public ruby-rubocop-performance (package (name "ruby-rubocop-performance") @@ -1625,6 +1635,16 @@ for performance optimizations in Ruby code.") (home-page "https://docs.rubocop.org/rubocop-performance/") (license license:expat))) +(define-public ruby-rubocop-performance-minimal + (hidden-package + (package + (inherit ruby-rubocop-performance) + (arguments + (substitute-keyword-arguments (package-arguments ruby-rubocop-performance) + ((#:tests? _ #f) #f))) + (propagated-inputs '()) + (native-inputs '())))) + (define-public ruby-gimme (let ((revision "1") (commit "4e71f0236f1271871916dd403261d26533db34c0")) 
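Review bot: `ruby-rubocop-rspec-minimal` and `ruby-rubocop-performance-minimal` are added without a comment saying why they exist, and the same applies to `ruby-rubocop-minimal` in the later hunk at `@@ -7345,6 +7355,16 @@`. Each one disables tests and empties both `propagated-inputs` and `native-inputs`, so presumably none of them is usable on its own and they only serve as `native-inputs` of `ruby-rubocop`. A comment above each definition would record that, for example `;; Variant without tests or inputs; only for use as a native input of ruby-rubocop, which depends on itself for tests.`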
@@ -7270,7 +7290,7 @@ run.") (define-public ruby-rubocop (package (name "ruby-rubocop") - (version "0.88.0") + (version "1.10.0") (source (origin (method git-fetch) ;no tests in distributed gem 
@@ -7280,42 +7300,25 @@ run.") (file-name (git-file-name name version)) (sha256 (base32 - "1d06893jp8pd85fvgp5d16vqcf31bafi430v4f4y746ihyvhzz5r")) - (patches (search-patches "ruby-rubocop-break-dependency-cycle.patch")))) + "0wjw9vpzr4f3nf1zf010bag71w4hdi0haybdn7r5rlmw45pmim29")))) (build-system ruby-build-system) (arguments '(#:test-target "default" #:phases (modify-phases %standard-phases - (add-after 'unpack 'remove-problematic-tests - ;; These tests depend on Rubocop extensions, which cannot be - ;; included as they cause a dependency cycle with Rubocop itself. - (lambda _ - (delete-file "spec/rubocop/config_loader_spec.rb") - (substitute* "Gemfile" - ((".*'rubocop-performance'.*") "") - ((".*'rubocop-rspec'.*") "")) - ;; Prevent "Unnecessary disabling of RSpec/* (unknown cop)" - ;; errors. - (substitute* (find-files "spec/rubocop/cop/" "_spec\\.rb$") - (("# (rubocop:(enable|disable) RSpec.*)" _ what) - (string-append "# Disabled: " what))) - #t)) - (add-after 'unpack 'disable-bundler - (lambda _ - (substitute* "Rakefile" - (("Bundler\\.setup.*") "nil\n")) - #t)) - (replace 'replace-git-ls-files - (lambda _ - (substitute* "rubocop.gemspec" - (("`git ls-files(.*)`" _ files) - (format #f "`find ~a -type f| sort`" files))) - #t)) (add-before 'check 'set-home (lambda _ (setenv "HOME" (getcwd)) #t)) + ;; Rubocop depends on itself for tests, directly and indirectly. By + ;; regenerating the TODO list we test rubocop against itself and + ;; forgo adjusting the test suite to our environment each release. + (replace 'check + (lambda* (#:key tests? #:allow-other-keys) + (when tests? + (make-file-writable ".rubocop_todo.yml") + (invoke "./exe/rubocop" "--auto-gen-config")) + #t)) (add-before 'check 'make-adoc-files-writable (lambda _ (let ((adoc-files (find-files "docs/modules/ROOT/pages" 
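Review bot: `#:test-target "default"` is left in `arguments`, but the new `(replace 'check ...)` phase takes only `tests?` and invokes `./exe/rubocop --auto-gen-config`, so the target no longer appears to be read and can be dropped. With the spec suite no longer run, the check is a self-lint only. It would help to say in the phase comment which of the remaining `native-inputs` are there just to satisfy the Gemfile. The `modify-phases` form continues past the end of this hunk.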
@@ -7324,10 +7327,17 @@ run.") #t))))) (native-inputs `(("ruby-bump" ,ruby-bump) + ("ruby-memory-profiler" ,ruby-memory-profiler) ("ruby-pry" ,ruby-pry) + ("ruby-rake" ,ruby-rake) ("ruby-rspec" ,ruby-rspec) + ("ruby-rubocop-minimal" ,ruby-rubocop-minimal) + ("ruby-rubocop-performance-minimal" ,ruby-rubocop-performance-minimal) + ("ruby-rubocop-rspec-minimal" ,ruby-rubocop-rspec-minimal) + ("ruby-simplecov" ,ruby-simplecov) + ("ruby-stackprof" ,ruby-stackprof) ("ruby-test-queue" ,ruby-test-queue) - ("ruby-webmock" ,ruby-webmock-2) + ("ruby-webmock" ,ruby-webmock) ("ruby-yard" ,ruby-yard))) (propagated-inputs `(("ruby-parallel" ,ruby-parallel) @@ -7345,6 +7355,16 @@ the community-driven Ruby Style Guide.") (home-page "https://github.com/rubocop-hq/rubocop") (license license:expat))) +(define-public ruby-rubocop-minimal + (hidden-package + (package + (inherit ruby-rubocop) + (arguments + (substitute-keyword-arguments (package-arguments ruby-rubocop) + ((#:tests? _ #f) #f))) + (propagated-inputs '()) + (native-inputs '())))) + (define-public ruby-contest (package (name "ruby-contest") -- cgit v1.2.3 From f3318fefe42d773297267ad940a2ec5893c5c094 Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Fri, 19 Feb 2021 17:56:52 +0100 Subject: gnu: Add perl-math-matrixreal. * gnu/packages/perl-maths.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. --- gnu/local.mk | 1 + gnu/packages/perl-maths.scm | 48 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 gnu/packages/perl-maths.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index c3398c62fd..0dd5fc2a29 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -436,6 +436,7 @@ GNU_SYSTEM_MODULES = \ %D%/packages/perl.scm \ %D%/packages/perl-check.scm \ %D%/packages/perl-compression.scm \ + %D%/packages/perl-maths.scm \ %D%/packages/perl-web.scm \ %D%/packages/perl6.scm \ %D%/packages/photo.scm \ 
diff --git a/gnu/packages/perl-maths.scm b/gnu/packages/perl-maths.scm new file mode 100644 index 0000000000..e03458a9c0 --- /dev/null +++ b/gnu/packages/perl-maths.scm 
@@ -0,0 +1,48 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2021 Ricardo Wurmus +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu packages perl-maths) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix packages) + #:use-module (guix download) + #:use-module (guix build-system perl) + #:use-module (gnu packages perl) + #:use-module (gnu packages perl-check)) + +(define-public perl-math-matrixreal + (package + (name "perl-math-matrixreal") + (version "2.13") + (source (origin + (method url-fetch) + (uri (string-append + "mirror://cpan/authors/id/L/LE/LETO/Math-MatrixReal-" + version ".tar.gz")) + (sha256 + (base32 + "1cml5wqd99hm398gl8f147ccsck9v179l7a6vqjj4kfkdnja37sg")))) + (build-system perl-build-system) + (native-inputs + `(("perl-module-build" ,perl-module-build) + ("perl-test-most" ,perl-test-most))) + (home-page "https://metacpan.org/release/Math-MatrixReal") + (synopsis "Manipulate NxN matrices of real numbers") + (description "This package provides the @code{Math::MatrixReal} module. +It implements the data type \"matrix of real numbers\" (and consequently also +\"vector of real numbers\").") + (license license:perl-license))) -- cgit v1.2.3 From f08c7cb0c75e7d5305c82d6a4af68ddf74fb08b1 Mon Sep 17 00:00:00 2001 
From: Leo Famulari Date: Fri, 19 Feb 2021 17:45:05 -0500 Subject: gnu: Python 3.9: Fix CVE-2021-3177. * gnu/packages/patches/python-3.9-CVE-2021-3177.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/python.scm (python-3.9)[source]: Use it. --- gnu/local.mk | 1 + .../patches/python-3.9-CVE-2021-3177.patch | 194 +++++++++++++++++++++ gnu/packages/python.scm | 3 +- 3 files changed, 197 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/python-3.9-CVE-2021-3177.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 0dd5fc2a29..5588cda2e1 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1527,6 +1527,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-3-fix-tests.patch \ %D%/packages/patches/python-3.8-fix-tests.patch \ %D%/packages/patches/python-3.9-fix-tests.patch \ + %D%/packages/patches/python-3.9-CVE-2021-3177.patch \ %D%/packages/patches/python-CVE-2018-14647.patch \ %D%/packages/patches/python-CVE-2020-26116.patch \ %D%/packages/patches/python-aionotify-0.2.0-py3.8.patch \ diff --git a/gnu/packages/patches/python-3.9-CVE-2021-3177.patch b/gnu/packages/patches/python-3.9-CVE-2021-3177.patch new file mode 100644 index 0000000000..155f17deca --- /dev/null +++ b/gnu/packages/patches/python-3.9-CVE-2021-3177.patch 
@@ -0,0 +1,194 @@ +Fix CVE-2021-3177 for Python 3.9: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177 + +Patch copied from upstream source repository: + +https://github.com/python/cpython/commit/c347cbe694743cee120457aa6626712f7799a932 + +From c347cbe694743cee120457aa6626712f7799a932 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 18 Jan 2021 13:29:31 -0800 +Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode + formatting in ctypes param reprs. (GH-24247) + +(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) + +Co-authored-by: Benjamin Peterson + +Co-authored-by: Benjamin Peterson +--- + Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ + .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + + Modules/_ctypes/callproc.c | 51 +++++++------------ + 3 files changed, 64 insertions(+), 32 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst + +diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py +index e4c25fd880cef..531894fdec838 100644 +--- a/Lib/ctypes/test/test_parameters.py ++++ b/Lib/ctypes/test/test_parameters.py +@@ -201,6 +201,49 @@ def __dict__(self): + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') + ++ def test_parameter_repr(self): ++ from ctypes import ( ++ c_bool, ++ c_char, ++ c_wchar, ++ c_byte, ++ c_ubyte, ++ c_short, ++ c_ushort, ++ c_int, ++ c_uint, ++ c_long, ++ c_ulong, ++ c_longlong, ++ c_ulonglong, ++ c_float, ++ c_double, ++ c_longdouble, ++ c_char_p, ++ c_wchar_p, ++ c_void_p, ++ ) ++ self.assertRegex(repr(c_bool.from_param(True)), r"^$") ++ self.assertEqual(repr(c_char.from_param(97)), "") ++ self.assertRegex(repr(c_wchar.from_param('a')), r"^$") ++ self.assertEqual(repr(c_byte.from_param(98)), "") ++ self.assertEqual(repr(c_ubyte.from_param(98)), "") ++ self.assertEqual(repr(c_short.from_param(511)), 
"") ++ self.assertEqual(repr(c_ushort.from_param(511)), "") ++ self.assertRegex(repr(c_int.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_uint.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_long.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^$") ++ self.assertEqual(repr(c_float.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1e300)), "") ++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^$") ++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^$") ++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^$") ++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^$") ++ + ################################################################ + + if __name__ == '__main__': +diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +new file mode 100644 +index 0000000000000..7df65a156feab +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +@@ -0,0 +1,2 @@ ++Avoid static buffers when computing the repr of :class:`ctypes.c_double` and ++:class:`ctypes.c_longdouble` values. 
+diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c +index b0a36a30248f7..f2506de54498e 100644 +--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -489,58 +489,47 @@ is_literal_char(unsigned char c) + static PyObject * + PyCArg_repr(PyCArgObject *self) + { +- char buffer[256]; + switch(self->tag) { + case 'b': + case 'B': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.b); +- break; + case 'h': + case 'H': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.h); +- break; + case 'i': + case 'I': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.i); +- break; + case 'l': + case 'L': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.l); +- break; + + case 'q': + case 'Q': +- sprintf(buffer, +-#ifdef MS_WIN32 +- "", +-#else +- "", +-#endif ++ return PyUnicode_FromFormat("", + self->tag, self->value.q); +- break; + case 'd': +- sprintf(buffer, "", +- self->tag, self->value.d); +- break; +- case 'f': +- sprintf(buffer, "", +- self->tag, self->value.f); +- break; +- ++ case 'f': { ++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); ++ if (f == NULL) { ++ return NULL; ++ } ++ PyObject *result = PyUnicode_FromFormat("", self->tag, f); ++ Py_DECREF(f); ++ return result; ++ } + case 'c': + if (is_literal_char((unsigned char)self->value.c)) { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.c); + } + else { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, (unsigned char)self->value.c); + } +- break; + + /* Hm, are these 'z' and 'Z' codes useful at all? 
+ Shouldn't they be replaced by the functionality of c_string +@@ -549,22 +538,20 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.p); + break; + + default: + if (is_literal_char((unsigned char)self->tag)) { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + (unsigned char)self->tag, (void *)self); + } + else { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + (unsigned char)self->tag, (void *)self); + } +- break; + } +- return PyUnicode_FromString(buffer); + } + + static PyMemberDef PyCArgType_members[] = { diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 27e9b70432..730c371fda 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -11,7 +11,7 @@ ;;; Copyright © 2015, 2016 Christopher Allan Webber ;;; Copyright © 2015 Eric Dvorsak ;;; Copyright © 2015, 2016 David Thompson -;;; Copyright © 2015, 2016, 2017 Leo Famulari +;;; Copyright © 2015, 2016, 2017, 2021 Leo Famulari ;;; Copyright © 2015, 2017 Ben Woodcroft ;;; Copyright © 2015, 2016 Erik Edrosa ;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Efraim Flashner @@ -531,6 +531,7 @@ data types.") version "/Python-" version ".tar.xz")) (patches (search-patches "python-3.9-fix-tests.patch" + "python-3.9-CVE-2021-3177.patch" "python-3-deterministic-build-info.patch" "python-3-search-paths.patch")) (sha256 -- cgit v1.2.3 From 51697aab42f3dea316b5b396ebd342b44b65193d Mon Sep 17 00:00:00 2001 From: Vincent Legoll Date: Fri, 19 Feb 2021 18:46:46 +0100 Subject: gnu: lrzip: Update to 0.640. * gnu/packages/compression.scm (lrzip): Update to 0.640. [source]: Remove obsolete patch 'lrzip-CVE-2017-8842.patch'. [inputs]: Add lz4. * gnu/packages/patches/lrzip-CVE-2017-8842.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. 
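Review bot: The header of the new patch file names the CVE and the upstream commit but not the flaw, which a maintainer needs when deciding whether the patch can be dropped on the next Python 3.9 update. In `PyCArg_repr` the removed lines format `self->value.d` and `self->value.f` with `sprintf` into `char buffer[256]`, and the added test exercises `c_double.from_param(1e300)`. A header line such as `PyCArg_repr formatted floating-point values with sprintf into a 256-byte stack buffer; the fix builds the repr with PyUnicode_FromFormat.` would record that.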
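Review bot: Only the `python-3.9` origin gains `"python-3.9-CVE-2021-3177.patch"` in its `search-patches` list. The `gnu/local.mk` context in the same commit still lists `python-3.8-fix-tests.patch` and `python-3-fix-tests.patch`, so other Python 3 packages presumably live in this file. If their `Modules/_ctypes/callproc.c` still carries the `sprintf` into `char buffer[256]` that this patch removes, they need an equivalent patch or a graft. The origin form starts and ends outside the hunk, so this cannot be confirmed from here.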
Signed-off-by: Leo Famulari --- gnu/local.mk | 1 - gnu/packages/compression.scm | 9 +++++---- gnu/packages/patches/lrzip-CVE-2017-8842.patch | 23 ----------------------- 3 files changed, 5 insertions(+), 28 deletions(-) delete mode 100644 gnu/packages/patches/lrzip-CVE-2017-8842.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 5588cda2e1..33da7b979a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1328,7 +1328,6 @@ dist_patch_DATA = \ %D%/packages/patches/llvm-9-fix-scev-miscompilation.patch \ %D%/packages/patches/lm-sensors-hwmon-attrs.patch \ %D%/packages/patches/lrcalc-includes.patch \ - %D%/packages/patches/lrzip-CVE-2017-8842.patch \ %D%/packages/patches/lsh-fix-x11-forwarding.patch \ %D%/packages/patches/lsof-fatal-test-failures.patch \ %D%/packages/patches/lua-CVE-2014-5461.patch \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 89107141ec..1db8b093a3 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -31,6 +31,7 @@ ;;; Copyright © 2020 Guillaume Le Vaillant ;;; Copyright © 2020 Léo Le Bouter ;;; Copyright © 2021 Antoine Côté +;;; Copyright © 2021 Vincent Legoll ;;; ;;; This file is part of GNU Guix. ;;; @@ -1109,16 +1110,15 @@ human-readable output.") (define-public lrzip (package (name "lrzip") - (version "0.631") + (version "0.640") (source (origin (method url-fetch) (uri (string-append - "http://ck.kolivas.org/apps/lrzip/lrzip-" version ".tar.bz2")) + "http://ck.kolivas.org/apps/lrzip/lrzip-" version ".tar.xz")) (sha256 (base32 - "0mb449vmmwpkalq732jdyginvql57nxyd31sszb108yps1lf448d")) - (patches (search-patches "lrzip-CVE-2017-8842.patch")))) + "175466drfpz8rsfr0pzfn5rqrj3wmcmcs3i2sfmw366w2kbjm4j9")))) (build-system gnu-build-system) (native-inputs `(;; nasm is only required when building for 32-bit x86 platforms 
@@ -1129,6 +1129,7 @@ human-readable output.") ("perl" ,perl))) (inputs `(("bzip2" ,bzip2) + ("lz4" ,lz4) ("lzo" ,lzo) ("zlib" ,zlib))) (home-page "http://ck.kolivas.org/apps/lrzip/") diff --git a/gnu/packages/patches/lrzip-CVE-2017-8842.patch b/gnu/packages/patches/lrzip-CVE-2017-8842.patch deleted file mode 100644 index 89b4f2f5d9..0000000000 --- a/gnu/packages/patches/lrzip-CVE-2017-8842.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 38386bd482c0a8102a79958cb3eddcb97a167ca3 Mon Sep 17 00:00:00 2001 -From: Con Kolivas -Date: Fri, 9 Mar 2018 17:39:40 +1100 -Subject: [PATCH] CVE-2017-8842 Fix divide-by-zero in bufRead::get - ---- - libzpaq/libzpaq.h | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/libzpaq/libzpaq.h b/libzpaq/libzpaq.h -index 93387da..cbe211d 100644 ---- a/libzpaq/libzpaq.h -+++ b/libzpaq/libzpaq.h -@@ -465,7 +465,8 @@ struct bufRead: public libzpaq::Reader { - - int get() { - if (progress && !(*s_len % 128)) { -- int pct = (total_len - *s_len) * 100 / total_len; -+ int pct = (total_len > 0) ? -+ (total_len - *s_len) * 100 / total_len : 100; - - if (pct / 10 != *last_pct / 10) { - int i; -- cgit v1.2.3 From ae1f36f2a8b78dfac9ee1aaf7d9aa9f0e7ce8e51 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Sun, 21 Feb 2021 10:44:15 +0200 Subject: gnu: screen: Patch CVE-2021-26937. * gnu/packages/screen.scm (screen)[source]: Add patch. * gnu/packages/patches/screen-CVE-2021-26937.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/patches/screen-CVE-2021-26937.patch | 66 ++++++++++++++++++++++++ gnu/packages/screen.scm | 5 +- 3 files changed, 70 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/screen-CVE-2021-26937.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 33da7b979a..8191c6917a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1619,6 +1619,7 @@ dist_patch_DATA = \ %D%/packages/patches/scheme48-tests.patch \ %D%/packages/patches/scotch-build-parallelism.patch \ %D%/packages/patches/scotch-integer-declarations.patch \ + %D%/packages/patches/screen-CVE-2021-26937.patch \ %D%/packages/patches/screen-hurd-path-max.patch \ %D%/packages/patches/sdl-libx11-1.6.patch \ %D%/packages/patches/seed-webkit.patch \ diff --git a/gnu/packages/patches/screen-CVE-2021-26937.patch b/gnu/packages/patches/screen-CVE-2021-26937.patch new file mode 100644 index 0000000000..d87a54a83f --- /dev/null +++ b/gnu/packages/patches/screen-CVE-2021-26937.patch 
@@ -0,0 +1,66 @@ +https://salsa.debian.org/debian/screen/-/raw/debian/4.8.0-5/debian/patches/99_CVE-2021-26937.patch + +Description: [CVE-2021-26937] Fix out of bounds array access +Author: Michael Schröder +Bug-Debian: https://bugs.debian.org/982435 +Bug: https://savannah.gnu.org/bugs/?60030 +Bug: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html +Bug-OSS-Security: https://www.openwall.com/lists/oss-security/2021/02/09/3 +Origin: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html + +--- a/encoding.c ++++ b/encoding.c +@@ -43,7 +43,7 @@ + # ifdef UTF8 + static int recode_char __P((int, int, int)); + static int recode_char_to_encoding __P((int, int)); +-static void comb_tofront __P((int, int)); ++static void comb_tofront __P((int)); + # ifdef DW_CHARS + static int recode_char_dw __P((int, int *, int, int)); + static int recode_char_dw_to_encoding __P((int, int *, int)); +@@ -1263,6 +1263,8 @@ + {0x30000, 0x3FFFD}, + }; + ++ if (c >= 0xdf00 && c <= 0xdfff) ++ return 1; /* dw combining sequence */ + return ((bisearch(c, wide, sizeof(wide) / sizeof(struct interval) - 1)) || + (cjkwidth && + bisearch(c, ambiguous, +@@ -1330,11 +1332,12 @@ + } + + static void +-comb_tofront(root, i) +-int root, i; ++comb_tofront(i) ++int i; + { + for (;;) + { ++ int root = i >= 0x700 ? 
0x801 : 0x800; + debug1("bring to front: %x\n", i); + combchars[combchars[i]->prev]->next = combchars[i]->next; + combchars[combchars[i]->next]->prev = combchars[i]->prev; +@@ -1396,9 +1399,9 @@ + { + /* full, recycle old entry */ + if (c1 >= 0xd800 && c1 < 0xe000) +- comb_tofront(root, c1 - 0xd800); ++ comb_tofront(c1 - 0xd800); + i = combchars[root]->prev; +- if (c1 == i + 0xd800) ++ if (i == 0x800 || i == 0x801 || c1 == i + 0xd800) + { + /* completely full, can't recycle */ + debug("utf8_handle_comp: completely full!\n"); +@@ -1422,7 +1425,7 @@ + mc->font = (i >> 8) + 0xd8; + mc->fontx = 0; + debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800); +- comb_tofront(root, i); ++ comb_tofront(i); + } + + #else /* !UTF8 */ diff --git a/gnu/packages/screen.scm b/gnu/packages/screen.scm index 0491731e20..4426d9d562 100644 --- a/gnu/packages/screen.scm +++ b/gnu/packages/screen.scm @@ -2,7 +2,7 @@ ;;; Copyright © 2013 Cyril Roelandt ;;; Copyright © 2014 Mark H Weaver ;;; Copyright © 2015, 2017 Eric Bavier -;;; Copyright © 2016, 2017, 2019, 2020 Efraim Flashner +;;; Copyright © 2016, 2017, 2019, 2020, 2021 Efraim Flashner ;;; Copyright © 2016 Alex Griffin ;;; Copyright © 2017 Mathieu Othacehe ;;; Copyright © 2017, 2018, 2019, 2020 Tobias Geerinckx-Rice @@ -44,7 +44,8 @@ (method url-fetch) (uri (string-append "mirror://gnu/screen/screen-" version ".tar.gz")) - (patches (search-patches "screen-hurd-path-max.patch")) + (patches (search-patches "screen-hurd-path-max.patch" + "screen-CVE-2021-26937.patch")) (sha256 (base32 "18ascpjzsy70h6hk7wpg8zmzjwgdyrdr7c6z4pg5z4l9hhyv24bf")))) (build-system gnu-build-system) -- cgit v1.2.3 From 0c6f1b1a6d78f1a59c030378a25d0346333bd40b Mon Sep 17 00:00:00 2001 
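Review bot: The patch header says only "Fix out of bounds array access", and the constants that carry the fix are unexplained: `comb_tofront` now derives its own `root` with `i >= 0x700 ? 0x801 : 0x800`, and `utf8_handle_comp` additionally treats `i == 0x800 || i == 0x801` as "completely full". A sentence at the top of the patch file would help whoever next rebases it, for example `comb_tofront now picks the list root from the index instead of taking it from the caller, and the recycle path refuses to reuse a root slot.` That reading is inferred from the hunks shown here (0x800 and 0x801 look like the two list heads in `combchars`), so it should be checked against encoding.c before it is written down.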
From: Nicolas Goaziou Date: Sun, 21 Feb 2021 10:35:43 +0100 Subject: gnu: exiv2-0.26: Remove variable. * gnu/packages/image.scm (exiv2-0.26): Remove variable. * gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch: * gnu/packages/patches/exiv2-CVE-2017-14860.patch: Remove files. * gnu/local.mk (dist_patch_DATA): Apply removal. --- gnu/local.mk | 2 - gnu/packages/image.scm | 28 --------- .../patches/exiv2-CVE-2017-14859-14862-14864.patch | 66 ---------------------- gnu/packages/patches/exiv2-CVE-2017-14860.patch | 48 ---------------- 4 files changed, 144 deletions(-) delete mode 100644 gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch delete mode 100644 gnu/packages/patches/exiv2-CVE-2017-14860.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 8191c6917a..95d5835fa4 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -972,8 +972,6 @@ dist_patch_DATA = \ %D%/packages/patches/evolution-data-server-locales.patch \ %D%/packages/patches/evolution-data-server-libical-compat.patch \ %D%/packages/patches/exercism-disable-self-update.patch \ - %D%/packages/patches/exiv2-CVE-2017-14860.patch \ - %D%/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch \ %D%/packages/patches/extempore-unbundle-external-dependencies.patch \ %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \ %D%/packages/patches/farstream-make.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 68221afff1..2d83313d9e 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm 
@@ -1352,34 +1352,6 @@ and XMP metadata of images in various formats.") ;; . (license license:gpl2+))) -(define-public exiv2-0.26 - (package - (inherit exiv2) - (version "0.26") - (source (origin - (method url-fetch) - (uri (list (string-append "https://www.exiv2.org/builds/exiv2-" - version "-trunk.tar.gz") - (string-append "https://www.exiv2.org/exiv2-" - version ".tar.gz") - (string-append "https://fossies.org/linux/misc/exiv2-" - version ".tar.gz"))) - (patches (search-patches "exiv2-CVE-2017-14860.patch" - "exiv2-CVE-2017-14859-14862-14864.patch")) - (sha256 - (base32 - "1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7")))) - (build-system gnu-build-system) - (arguments '(#:tests? #f)) ; no `check' target - (propagated-inputs - `(("expat" ,expat) - ("zlib" ,zlib))) - (native-inputs - `(("intltool" ,intltool))) - - ;; People should rely on the newer version, so don't expose it. - (properties `((hidden? . #t))))) - (define-public devil (package (name "devil") diff --git a/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch deleted file mode 100644 index 69e65aeb6b..0000000000 --- a/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -Fix CVE-2017-14859, CVE-2017-14862 and CVE-2017-14864. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864 - -Copied from upstream: - -https://github.com/Exiv2/exiv2/commit/8a586c74bbe3fbca64e86e42a42282c73f427607 - -From 8a586c74bbe3fbca64e86e42a42282c73f427607 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= -Date: Sat, 7 Oct 2017 23:08:36 +0200 -Subject: [PATCH] Fix for CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859 - -The invalid memory dereference in -Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read() -is caused further up the call-stack, by -v->read(pData, size, byteOrder) in TiffReader::readTiffEntry() -passing an invalid pData pointer (pData points outside of the Tiff -file). pData can be set out of bounds in the (size > 4) branch where -baseOffset() and offset are added to pData_ without checking whether -the result is still in the file. As offset comes from an untrusted -source, an attacker can craft an arbitrarily large offset into the -file. - -This commit adds a check into the problematic branch, whether the -result of the addition would be out of bounds of the Tiff -file. Furthermore the whole operation is checked for possible -overflows. 
---- - src/tiffvisitor.cpp | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp -index 4ab733d4..ef13542e 100644 ---- a/src/tiffvisitor.cpp -+++ b/src/tiffvisitor.cpp -@@ -47,6 +47,7 @@ EXIV2_RCSID("@(#) $Id$") - #include - #include - #include -+#include - - // ***************************************************************************** - namespace { -@@ -1517,7 +1518,19 @@ namespace Exiv2 { - size = 0; - } - if (size > 4) { -+ // setting pData to pData_ + baseOffset() + offset can result in pData pointing to invalid memory, -+ // as offset can be arbitrarily large -+ if ((static_cast(baseOffset()) > std::numeric_limits::max() - static_cast(offset)) -+ || (static_cast(baseOffset() + offset) > std::numeric_limits::max() - reinterpret_cast(pData_))) -+ { -+ throw Error(59); -+ } -+ if (pData_ + static_cast(baseOffset()) + static_cast(offset) > pLast_) { -+ throw Error(58); -+ } - pData = const_cast(pData_) + baseOffset() + offset; -+ -+ // check for size being invalid - if (size > static_cast(pLast_ - pData)) { - #ifndef SUPPRESS_WARNINGS - EXV_ERROR << "Upper boundary of data for " diff --git a/gnu/packages/patches/exiv2-CVE-2017-14860.patch b/gnu/packages/patches/exiv2-CVE-2017-14860.patch deleted file mode 100644 index 43e6076b71..0000000000 --- a/gnu/packages/patches/exiv2-CVE-2017-14860.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -Fix CVE-2017-14860. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860 -https://nvd.nist.gov/vuln/detail/CVE-2017-14860 - -Copied from upstream: - -https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce - -From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= -Date: Fri, 6 Oct 2017 23:09:08 +0200 -Subject: [PATCH] Fix for CVE-2017-14860 - -A heap buffer overflow could occur in memcpy when icc.size_ is larger -than data.size_ - pad, as then memcpy would read out of bounds of data. - -This commit adds a sanity check to iccLength (= icc.size_): if it is -larger than data.size_ - pad (i.e. an overflow would be caused) an -exception is thrown. - -This fixes #71. ---- - src/jp2image.cpp | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/jp2image.cpp b/src/jp2image.cpp -index 747145cf..748d39b5 100644 ---- a/src/jp2image.cpp -+++ b/src/jp2image.cpp -@@ -269,10 +269,15 @@ namespace Exiv2 - std::cout << "Exiv2::Jp2Image::readMetadata: " - << "Color data found" << std::endl; - #endif -- long pad = 3 ; // 3 padding bytes 2 0 0 -+ const long pad = 3 ; // 3 padding bytes 2 0 0 - DataBuf data(subBox.length+8); - io_->read(data.pData_,data.size_); -- long iccLength = getULong(data.pData_+pad, bigEndian); -+ const long iccLength = getULong(data.pData_+pad, bigEndian); -+ // subtracting pad from data.size_ is safe: -+ // size_ is at least 8 and pad = 3 -+ if (iccLength > data.size_ - pad) { -+ throw Error(58); -+ } - DataBuf icc(iccLength); - ::memcpy(icc.pData_,data.pData_+pad,icc.size_); - #ifdef DEBUG -- cgit v1.2.3 From 4ac9db0d75edcacb3a0c98659620cfea3c1e1993 Mon Sep 17 00:00:00 2001 
From: Marius Bakke Date: Sun, 21 Feb 2021 21:15:05 +0100 Subject: image: Add rock64 support. * gnu/system/images/rock64.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Adjust accordingly. --- gnu/local.mk | 1 + gnu/system/images/rock64.scm | 64 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 gnu/system/images/rock64.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 95d5835fa4..b8bccc1b7c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -664,6 +664,7 @@ GNU_SYSTEM_MODULES = \ %D%/system/images/novena.scm \ %D%/system/images/pine64.scm \ %D%/system/images/pinebook-pro.scm \ + %D%/system/images/rock64.scm \ \ %D%/machine.scm \ \ diff --git a/gnu/system/images/rock64.scm b/gnu/system/images/rock64.scm new file mode 100644 index 0000000000..3f193e8528 --- /dev/null +++ b/gnu/system/images/rock64.scm 
@@ -0,0 +1,64 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2021 Marius Bakke +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu system images rock64) + #:use-module (gnu bootloader) + #:use-module (gnu bootloader u-boot) + #:use-module (gnu image) + #:use-module (gnu packages linux) + #:use-module (gnu services) + #:use-module (gnu services base) + #:use-module (gnu services networking) + #:use-module (gnu system) + #:use-module (gnu system file-systems) + #:use-module (gnu system image) + #:use-module (srfi srfi-26) + #:export (rock64-barebones-os + rock64-image-type + rock64-barebones-raw-image)) + +(define rock64-barebones-os + (operating-system + (host-name "jiehkkevarri") + (timezone "Europe/Oslo") + (locale "en_US.utf8") + (bootloader (bootloader-configuration + (bootloader u-boot-rock64-rk3328-bootloader) + (target "/dev/sda"))) + (initrd-modules '()) + (kernel linux-libre-arm64-generic) + (file-systems (cons (file-system + (device (file-system-label "my-root")) + (mount-point "/") + (type "ext4")) + %base-file-systems)) + (services (append (list (service dhcp-client-service-type)) + %base-services)))) + +(define rock64-image-type + (image-type + (name 'rock64-raw) + (constructor (cut image-with-os (arm64-disk-image (expt 2 24)) <>)))) + +(define rock64-barebones-raw-image + (image + (inherit + 
(os->image rock64-barebones-os #:type rock64-image-type)) + (name 'rock64-barebones-raw-image))) + +rock64-barebones-raw-image -- cgit v1.2.3 From ebd8e447e99c4847bc5cdb5738ac5413a7278ba2 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Tue, 23 Feb 2021 15:15:02 +0200 Subject: gnu: ruby-tzinfo-data: Update to 1.2021.1. * gnu/packages/ruby.scm (ruby-tzinfo-data): Update to 1.2021.1. [source]: Remove patch. [arguments]: Add custom 'patch-source, 'pre-check phases. [native-inputs]: Add IANA timezone data files. * gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch: Remove file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - .../ruby-tzinfo-data-ignore-broken-test.patch | 13 ----- gnu/packages/ruby.scm | 61 +++++++++++++++++++--- 3 files changed, 54 insertions(+), 21 deletions(-) delete mode 100644 gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index b8bccc1b7c..3591295f0c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1598,7 +1598,6 @@ dist_patch_DATA = \ %D%/packages/patches/rnp-unbundle-googletest.patch \ %D%/packages/patches/ruby-rack-ignore-failing-test.patch \ %D%/packages/patches/ruby-sanitize-system-libxml.patch \ - %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\ %D%/packages/patches/runc-CVE-2019-5736.patch \ %D%/packages/patches/rust-1.19-mrustc.patch \ %D%/packages/patches/rust-1.25-accept-more-detailed-gdb-lines.patch \ diff --git a/gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch b/gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch deleted file mode 100644 index 5d1f04b994..0000000000 --- a/gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch +++ /dev/null 
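Review bot: `(arm64-disk-image (expt 2 24))` in `rock64-image-type` passes a bare 16 MiB figure with no comment saying what it reserves. Presumably it is the root partition offset that leaves room for the image installed by `u-boot-rock64-rk3328-bootloader`; if that is right, a comment such as `;; Root partition starts at 16 MiB to leave room for U-Boot.` above the constructor would keep the value from being changed blindly. The definition of `arm64-disk-image` is not part of this diff, so the meaning of the argument should be confirmed there.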
@@ -1,13 +0,0 @@ -diff --git a/test/tc_definitions.rb b/test/tc_definitions.rb -index 7b20a3d..75b9798 100644 ---- a/test/tc_definitions.rb -+++ b/test/tc_definitions.rb -@@ -58,7 +58,7 @@ class TCDefinitions < Minitest::Test - identifier = $3.to_sym - is_dst = $4 == '1' - -- if utc && local -+ if utc && local && !line.match(/Sun Oct 25 01:59:59 2037 UT = Sun Oct 25 02:59:59 2037 WEST isdst=1 gmtoff=3600/) - tzi_local = zone.utc_to_local(utc) - tzi_period = zone.period_for_utc(utc) - tzi_identifier = tzi_period.zone_identifier diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index dc38171176..bd25bd5373 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -78,6 +78,7 @@ #:use-module (guix packages) #:use-module (guix download) #:use-module (guix git-download) + #:use-module (guix gexp) #:use-module (guix utils) #:use-module (guix build-system gnu) #:use-module (gnu packages xml) @@ -5817,7 +5818,7 @@ aware transformations between times in different time zones.") (define-public ruby-tzinfo-data (package (name "ruby-tzinfo-data") - (version "1.2017.3") + (version "1.2021.1") (source (origin (method git-fetch) 
@@ -5829,15 +5830,61 @@ aware transformations between times in different time zones.") (file-name (git-file-name name version)) (sha256 (base32 - "0v3phl5l3jrm6waxcszqmj2dkjhqawxfsxb6mss7vkp1hlckqcdp")) - ;; Remove the known test failure. - ;; https://github.com/tzinfo/tzinfo-data/issues/10 - ;; https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1587128 - (patches (search-patches - "ruby-tzinfo-data-ignore-broken-test.patch")))) + "0yzyr3rf8qaw6kxfc0gwpxsb7gl3rhfpx9g1c2z15vapyminhi60")))) (build-system ruby-build-system) + (arguments + `(#:phases + (modify-phases %standard-phases + (add-after 'unpack 'patch-source + (lambda* (#:key inputs #:allow-other-keys) + (substitute* "Rakefile" + (("https://data.iana.org/time-zones/releases") + (assoc-ref inputs "tzdata"))) + #t)) + (add-before 'check 'pre-check + (lambda _ + (setenv "HOME" (getcwd)) + (substitute* "Rakefile" + ;; Don't need gpg, and it may break after a time. + (("gpg ") "echo ") + ((" sh\\(\\\"make -C" text) + (string-append " sh(\"sed -i 's@/bin/sh@sh@' #{tzdb_combined_path}/Makefile \")\n" + " sh(\"sed -i 's@cc=@cc?=@' #{tzdb_combined_path}/Makefile \")\n" text))) + (setenv "cc" ,(cc-for-target)) + #t))))) (propagated-inputs `(("ruby-tzinfo" ,ruby-tzinfo))) + (native-inputs + `(("tzdata" + ,(file-union "tzdata-for-ruby-tzdata-info" + `(("tzdata2021a.tar.gz" + ,(origin + (method url-fetch) + (uri "https://data.iana.org/time-zones/releases/tzdata2021a.tar.gz") + (sha256 + (base32 + "022fn6gkmp7pamlgab04x0dm5hnyn2m2fcnyr3pvm36612xd5rrr")))) + ("tzdata2021a.tar.gz.asc" + ,(origin + (method url-fetch) + (uri "https://data.iana.org/time-zones/releases/tzdata2021a.tar.gz.asc") + (sha256 + (base32 + "0n7h2w8ji1lrxpk0d44wyfshlhr7c9jmwj6lqbxlyvqnfi3gbicx")))) + ("tzcode2021a.tar.gz" + ,(origin + (method url-fetch) + (uri "https://data.iana.org/time-zones/releases/tzcode2021a.tar.gz") + (sha256 + (base32 + "1l02b0jiwp3fl0xd6227i69d26rmx3yrnq0ssq9vvdmm4jhvyipb")))) + ("tzcode2021a.tar.gz.asc" + ,(origin + (method 
url-fetch) + (uri "https://data.iana.org/time-zones/releases/tzcode2021a.tar.gz.asc") + (sha256 + (base32 + "1qhlj4lr810s47s1lwcvv1sgvg2sflf98w4sbg1lc8wzv5qxxv7g"))))))))) (synopsis "Data from the IANA Time Zone database") (description "This library provides @code{TZInfo::Data}, which contains data from the -- cgit v1.2.3 From c2fdc528dde477c74a59954b925b69c12a3f208c Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Tue, 23 Feb 2021 15:29:13 +0200 Subject: gnu: ruby-rack: Update to 2.2.3. * gnu/packages/ruby.scm (ruby-rack): Update to 2.2.3. [source]: Remove patch. Add snippet. [arguments]: Adjust custom 'fix-tests phase. Remove 'make-files-writable phase. [native-inputs]: Remove ruby-minitest-sprint, which. Add ruby-minitest-global-expectations. [propagated-inputs]: Remove ruby-concurrent. * gnu/packages/patches/ruby-rack-ignore-failing-test.patch: Remove file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - .../patches/ruby-rack-ignore-failing-test.patch | 13 --------- gnu/packages/ruby.scm | 34 +++++++++------------- 3 files changed, 13 insertions(+), 35 deletions(-) delete mode 100644 gnu/packages/patches/ruby-rack-ignore-failing-test.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 3591295f0c..a9294047eb 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1596,7 +1596,6 @@ dist_patch_DATA = \ %D%/packages/patches/rnp-add-version.cmake.patch \ %D%/packages/patches/rnp-disable-ruby-rnp-tests.patch \ %D%/packages/patches/rnp-unbundle-googletest.patch \ - %D%/packages/patches/ruby-rack-ignore-failing-test.patch \ %D%/packages/patches/ruby-sanitize-system-libxml.patch \ %D%/packages/patches/runc-CVE-2019-5736.patch \ %D%/packages/patches/rust-1.19-mrustc.patch \ diff --git a/gnu/packages/patches/ruby-rack-ignore-failing-test.patch b/gnu/packages/patches/ruby-rack-ignore-failing-test.patch deleted file mode 100644 index f50d68c9c4..0000000000 
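Review bot: The `(("gpg ") "echo ")` substitution in the 'pre-check phase turns the Rakefile's signature verification into a no-op, and the comment "Don't need gpg, and it may break after a time." does not say what protects the tarballs instead. The four tzdata/tzcode inputs are origins with fixed sha256 hashes, so the build cannot pick up different bytes, but the `.asc` files are then fetched and never checked, and the hashes are only as trustworthy as the check done by whoever computed them. I would say so in the comment, e.g. `;; Signature check disabled: the tarballs are pinned by sha256 in native-inputs; verify the .asc by hand when updating.` The pattern also rewrites every `gpg ` in the Rakefile rather than only the verify call, which is worth confirming against the upstream file.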
--- a/gnu/packages/patches/ruby-rack-ignore-failing-test.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/test/spec_server.rb b/test/spec_server.rb -index a3690bc..16c9536 100644 ---- a/test/spec_server.rb -+++ b/test/spec_server.rb -@@ -161,7 +161,7 @@ describe Rack::Server do - it "check pid file presence and not owned process" do - pidfile = Tempfile.open('pidfile') { |f| f.write(1); break f }.path - server = Rack::Server.new(:pid => pidfile) -- server.send(:pidfile_process_status).must_equal :not_owned -+ #server.send(:pidfile_process_status).must_equal :not_owned - end - - it "not write pid file when it is created after check" do diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 1a86862ebd..8f3166ff31 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -45,7 +45,6 @@ (define-module (gnu packages ruby) #:use-module ((guix licenses) #:prefix license:) #:use-module (gnu packages) - #:use-module (gnu packages base) #:use-module (gnu packages bison) #:use-module (gnu packages c) #:use-module (gnu packages check) @@ -6890,21 +6889,25 @@ generates Ruby program.") (define-public ruby-rack (package (name "ruby-rack") - (version "2.0.6") + (version "2.2.3") (source (origin (method git-fetch) - ;; Download from GitHub so that the patch can be applied. + ;; Download from GitHub so that the snippet can be applied and tests run. (uri (git-reference (url "https://github.com/rack/rack") (commit version))) (file-name (git-file-name name version)) (sha256 (base32 - "1n7z4g1x6yxip096cdc04wq7yk7ywpinq28g2xjb46r4nlv5h0j6")) + "1qrm5z5v586738bnkr9188dvz0s25nryw6sgvx18jjlkizayw1g4")) ;; Ignore test which fails inside the build environment but works ;; outside. - (patches (search-patches "ruby-rack-ignore-failing-test.patch")))) + (modules '((guix build utils))) + (snippet + '(begin (substitute* "test/spec_files.rb" + (("res.body.must_equal expected_body") "")) + #t)))) (build-system ruby-build-system) (arguments '(#:phases 
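Review bot: The new source snippet blanks `res.body.must_equal expected_body` in `test/spec_files.rb`, but the comment above it still reads "Ignore test which fails inside the build environment" without naming the test. `substitute*` rewrites every line that matches, so if that assertion appears in more than one spec, all of them lose their body check, and if upstream rewords the line the substitution silently does nothing. Naming the affected spec in the comment, e.g. `;; Drop the body assertion of the "<spec name>" test, which fails in the build environment.`, would let the next update check that exactly one test is affected.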
@@ -6918,30 +6921,19 @@ generates Ruby program.") ;; "/gnu/store". (let ((size-diff (- (string-length (which "ruby")) (string-length "/usr/bin/env ruby")))) - (substitute* '("test/spec_file.rb") - (("193") - (number->string (+ 193 size-diff))) + (substitute* '("test/spec_files.rb") + (("208" bytes) + (number->string (+ (string->number bytes) size-diff))) (("bytes(.)22-33" all delimiter) (string-append "bytes" delimiter (number->string (+ 22 size-diff)) "-" (number->string (+ 33 size-diff)))))) - #t)) - (add-before 'reset-gzip-timestamps 'make-files-writable - (lambda* (#:key outputs #:allow-other-keys) - ;; Make sure .gz files are writable so that the - ;; 'reset-gzip-timestamps' phase can do its work. - (let ((out (assoc-ref outputs "out"))) - (for-each make-file-writable - (find-files out "\\.gz$")) - #t)))))) + #t))))) (native-inputs `(("ruby-minitest" ,ruby-minitest) - ("ruby-minitest-sprint" ,ruby-minitest-sprint) - ("which" ,which))) - (propagated-inputs - `(("ruby-concurrent" ,ruby-concurrent))) + ("ruby-minitest-global-expectations" ,ruby-minitest-global-expectations))) (synopsis "Unified web application interface for Ruby") (description "Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses, -- cgit v1.2.3 From 84e082e31706411e7f9c3189a83f8ed0b4016fe7 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 19 Feb 2021 18:09:57 -0500 Subject: gnu: Python: Fix CVE-2021-3177. * gnu/packages/patches/python-3.8-CVE-2021-3177.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/python.scm (python-3.8)[replacement]: New field. (python-3.8/fixed): New variable. --- gnu/local.mk | 1 + .../patches/python-3.8-CVE-2021-3177.patch | 194 +++++++++++++++++++++ gnu/packages/python.scm | 9 + 3 files changed, 204 insertions(+) create mode 100644 gnu/packages/patches/python-3.8-CVE-2021-3177.patch (limited to 'gnu/local.mk') 
diff --git a/gnu/local.mk b/gnu/local.mk
index a9294047eb..ae5a65cfcf 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1524,6 +1524,7 @@ dist_patch_DATA = \
 %D%/packages/patches/python-3-search-paths.patch \
 %D%/packages/patches/python-3-fix-tests.patch \
 %D%/packages/patches/python-3.8-fix-tests.patch \
+ %D%/packages/patches/python-3.8-CVE-2021-3177.patch \
 %D%/packages/patches/python-3.9-fix-tests.patch \
 %D%/packages/patches/python-3.9-CVE-2021-3177.patch \
 %D%/packages/patches/python-CVE-2018-14647.patch \
diff --git a/gnu/packages/patches/python-3.8-CVE-2021-3177.patch b/gnu/packages/patches/python-3.8-CVE-2021-3177.patch
new file mode 100644
index 0000000000..01f6b52865
--- /dev/null
+++ b/gnu/packages/patches/python-3.8-CVE-2021-3177.patch
@@ -0,0 +1,194 @@ +Fix CVE-2021-3177 for Python 3.8: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177 + +Patch copied from upstream source repository: + +https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f + +From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 18 Jan 2021 13:28:52 -0800 +Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode + formatting in ctypes param reprs. (GH-24248) + +(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) + +Co-authored-by: Benjamin Peterson + +Co-authored-by: Benjamin Peterson +--- + Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ + .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + + Modules/_ctypes/callproc.c | 51 +++++++------------ + 3 files changed, 64 insertions(+), 32 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst + +diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py +index e4c25fd880cef..531894fdec838 100644 +--- a/Lib/ctypes/test/test_parameters.py ++++ b/Lib/ctypes/test/test_parameters.py +@@ -201,6 +201,49 @@ def __dict__(self): + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') + ++ def test_parameter_repr(self): ++ from ctypes import ( ++ c_bool, ++ c_char, ++ c_wchar, ++ c_byte, ++ c_ubyte, ++ c_short, ++ c_ushort, ++ c_int, ++ c_uint, ++ c_long, ++ c_ulong, ++ c_longlong, ++ c_ulonglong, ++ c_float, ++ c_double, ++ c_longdouble, ++ c_char_p, ++ c_wchar_p, ++ c_void_p, ++ ) ++ self.assertRegex(repr(c_bool.from_param(True)), r"^$") ++ self.assertEqual(repr(c_char.from_param(97)), "") ++ self.assertRegex(repr(c_wchar.from_param('a')), r"^$") ++ self.assertEqual(repr(c_byte.from_param(98)), "") ++ self.assertEqual(repr(c_ubyte.from_param(98)), "") ++ self.assertEqual(repr(c_short.from_param(511)), 
"") ++ self.assertEqual(repr(c_ushort.from_param(511)), "") ++ self.assertRegex(repr(c_int.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_uint.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_long.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^$") ++ self.assertEqual(repr(c_float.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1e300)), "") ++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^$") ++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^$") ++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^$") ++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^$") ++ + ################################################################ + + if __name__ == '__main__': +#diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +#new file mode 100644 +#index 0000000000000..7df65a156feab +#--- /dev/null +#+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +#@@ -0,0 +1,2 @@ +#+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and +#+:class:`ctypes.c_longdouble` values. 
+diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c +index a9b8675cd951b..de75918d49f37 100644 +--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -484,58 +484,47 @@ is_literal_char(unsigned char c) + static PyObject * + PyCArg_repr(PyCArgObject *self) + { +- char buffer[256]; + switch(self->tag) { + case 'b': + case 'B': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.b); +- break; + case 'h': + case 'H': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.h); +- break; + case 'i': + case 'I': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.i); +- break; + case 'l': + case 'L': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.l); +- break; + + case 'q': + case 'Q': +- sprintf(buffer, +-#ifdef MS_WIN32 +- "", +-#else +- "", +-#endif ++ return PyUnicode_FromFormat("", + self->tag, self->value.q); +- break; + case 'd': +- sprintf(buffer, "", +- self->tag, self->value.d); +- break; +- case 'f': +- sprintf(buffer, "", +- self->tag, self->value.f); +- break; +- ++ case 'f': { ++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); ++ if (f == NULL) { ++ return NULL; ++ } ++ PyObject *result = PyUnicode_FromFormat("", self->tag, f); ++ Py_DECREF(f); ++ return result; ++ } + case 'c': + if (is_literal_char((unsigned char)self->value.c)) { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.c); + } + else { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, (unsigned char)self->value.c); + } +- break; + + /* Hm, are these 'z' and 'Z' codes useful at all? 
+ Shouldn't they be replaced by the functionality of c_string +@@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.p); + break; + + default: + if (is_literal_char((unsigned char)self->tag)) { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + (unsigned char)self->tag, (void *)self); + } + else { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + (unsigned char)self->tag, (void *)self); + } +- break; + } +- return PyUnicode_FromString(buffer); + } + + static PyMemberDef PyCArgType_members[] = { diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 730c371fda..5c5be0d78c 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -364,6 +364,7 @@ data types.") (define-public python-3.8 (package (inherit python-2) (name "python") + (replacement python-3.8/fixed) (version "3.8.2") (source (origin (method url-fetch) @@ -521,6 +522,14 @@ data types.") (version-major+minor version) "/site-packages")))))))) +(define python-3.8/fixed + (package + (inherit python-3.8) + (source (origin + (inherit (package-source python-3.8)) + (patches (append (search-patches "python-3.8-CVE-2021-3177.patch") + (origin-patches (package-source python-3.8)))))))) + (define-public python-3.9 (package (inherit python-3.8) (name "python-next") -- cgit v1.2.3 From 66fa2d318a1e4da3679fa1c5a70cd3972dc0efbf Mon Sep 17 00:00:00 2001 
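Review bot: The `Misc/NEWS.d` hunk inside the new patch file is disabled by prefixing its lines with `#`, and the patch header does not mention this, while the embedded diffstat still lists three changed files. Someone comparing this file with upstream commit ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f cannot tell whether the difference is deliberate. One line in the header would settle it, e.g. `The Misc/NEWS.d hunk is commented out because <reason>.`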
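Review bot: `python-3.9` is declared with `(inherit python-3.8)` (visible in the trailing context of the last python.scm hunk), and `inherit` copies every field that is not overridden, including the `replacement` added here. Unless `python-3.9` sets that field itself, it would be grafted to `python-3.8/fixed`, that is, to a patched 3.8.2 rather than its own version. Its body continues outside the hunk, so this needs checking there; if the field is not already reset, add `(replacement #f)` to `python-3.9`.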
From: Jelle Licht Date: Tue, 16 Feb 2021 23:28:58 +0100 Subject: gnu: http-parser: Update to 2.9.4-1.ec8b5ee [fixes CVE-2020-8287]. Fixes CVE-2020-8287. * gnu/packages/web.scm (http-parser): Update to 2.9.4-1.ec8b5ee. [source]: Add patch to mitigate CVE. * gnu/packages/patches/patches/http-parser-CVE-2020-8287.patch: New file. * gnu/local.mk [dist_patch_DATA]: New patch. --- gnu/local.mk | 1 + .../patches/http-parser-CVE-2020-8287.patch | 75 ++++++++++++ gnu/packages/web.scm | 136 +++++++++++---------- 3 files changed, 146 insertions(+), 66 deletions(-) create mode 100644 gnu/packages/patches/http-parser-CVE-2020-8287.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index ae5a65cfcf..ab0c1b0e97 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1164,6 +1164,7 @@ dist_patch_DATA = \ %D%/packages/patches/hdf-eos5-remove-gctp.patch \ %D%/packages/patches/hdf-eos5-fix-szip.patch \ %D%/packages/patches/hdf-eos5-fortrantests.patch \ + %D%/packages/patches/http-parser-CVE-2020-8287.patch \ %D%/packages/patches/http-parser-fix-assertion-on-armhf.patch \ %D%/packages/patches/hubbub-sort-entities.patch \ %D%/packages/patches/hurd-cross.patch \ diff --git a/gnu/packages/patches/http-parser-CVE-2020-8287.patch b/gnu/packages/patches/http-parser-CVE-2020-8287.patch new file mode 100644 index 0000000000..580f773099 --- /dev/null +++ b/gnu/packages/patches/http-parser-CVE-2020-8287.patch 
@@ -0,0 +1,75 @@
+From fc70ce08f5818a286fb5899a1bc3aff5965a745e Mon Sep 17 00:00:00 2001
+From: Fedor Indutny
+Date: Wed, 18 Nov 2020 20:50:21 -0800
+Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding`
+
+Duplicate `Transfer-Encoding` header should be a treated as a single,
+but with original header values concatenated with a comma separator. In
+the light of this, even if the past `Transfer-Encoding` ended with
+`chunked`, we should be not let the `F_CHUNKED` to leak into the next
+header, because mere presence of another header indicates that `chunked`
+is not the last transfer-encoding token.
+
+CVE-ID: CVE-2020-8287
+PR-URL: https://github.com/nodejs-private/node-private/pull/235
+Reviewed-By: Fedor Indutny
+---
+ http_parser.c | 7 +++++++
+ test.c | 26 ++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/http_parser.c b/http_parser.c
+index 9be003e7322..e9b2b9e83b9 100644
+--- a/http_parser.c
++++ b/http_parser.c
+@@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser,
+ } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
+ parser->header_state = h_transfer_encoding;
+ parser->uses_transfer_encoding = 1;
++
++ /* Multiple `Transfer-Encoding` headers should be treated as
++ * one, but with values separate by a comma.
++ *
++ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
++ */
++ parser->flags &= ~F_CHUNKED;
+ }
+ break;
+
+diff --git a/test.c b/test.c
+index 3f7c77b3494..2e5a9ebd678 100644
+--- a/test.c
++++ b/test.c
+@@ -2154,6 +2154,32 @@ const struct message responses[] =
+ ,.body= "2\r\nOK\r\n0\r\n\r\n"
+ ,.num_chunks_complete= 0
+ }
++#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30
++, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding"
++ ,.type= HTTP_RESPONSE
++ ,.raw= "HTTP/1.1 200 OK\r\n"
++ "Transfer-Encoding: chunked\r\n"
++ "Transfer-Encoding: identity\r\n"
++ "\r\n"
++ "2\r\n"
++ "OK\r\n"
++ "0\r\n"
++ "\r\n"
++ ,.should_keep_alive= FALSE
++ ,.message_complete_on_eof= TRUE
++ ,.http_major= 1
++ ,.http_minor= 1
++ ,.status_code= 200
++ ,.response_status= "OK"
++ ,.content_length= -1
++ ,.num_headers= 2
++ ,.headers=
++ { { "Transfer-Encoding", "chunked" }
++ , { "Transfer-Encoding", "identity" }
++ }
++ ,.body= "2\r\nOK\r\n0\r\n\r\n"
++ ,.num_chunks_complete= 0
++ }
+ };
+
+ /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index e4ba0d5bf9..010e01debb 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
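Review bot: The new http-parser-CVE-2020-8287.patch opens directly with the upstream `From fc70ce08...` mail header and has no line saying which public repository it was copied from; its only link is a `PR-URL` under nodejs-private, which looks like a tracker a later auditor may not be able to open. Other security patches in this tree start with a short provenance header (the Python 3.9 CVE-2021-3177 patch does), so I would add one here, e.g. `Fix CVE-2020-8287:` followed by `Patch copied from upstream source repository: <UPSTREAM_COMMIT_URL>`. Separately, the added regression case sits in `responses[]` only; since the `F_CHUNKED` reset is in `http_parser_execute`, a request-side case with the same two `Transfer-Encoding` headers would pin the behaviour for requests as well, if upstream has one to carry over.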
@@ -6162,78 +6162,82 @@ into your tests. It automatically starts up a HTTP server in a separate thread (license license:expat))) (define-public http-parser - (package - (name "http-parser") - (version "2.9.4") - (home-page "https://github.com/nodejs/http-parser") - (source - (origin - (method git-fetch) - (uri (git-reference (url home-page) - (commit (string-append "v" version)))) - (sha256 - (base32 "1vda4dp75pjf5fcph73sy0ifm3xrssrmf927qd1x8g3q46z0cv6c")) - (file-name (git-file-name name version)) - (patches - (list - (origin - ;; Treat an empty port (e.g. `http://hostname:/`) when parsing - ;; URLs as if no port were specified. This patch is applied - ;; to Fedora's http-parser and to libgit2's bundled version. - (method url-fetch) - (uri (string-append - "https://src.fedoraproject.org/rpms/http-parser/raw/" - "e89b4c4e2874c19079a5a1a2d2ccc61b551aa289/" - "f/0001-url-treat-empty-port-as-default.patch")) - (sha256 - (base32 - "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g"))))))) - (build-system gnu-build-system) - (arguments - `(#:test-target "test" - #:make-flags - (list (string-append "PREFIX=" - (assoc-ref %outputs "out")) - "library" - ,@(if (%current-target-system) - '() - '("CC=gcc"))) - #:phases - (modify-phases %standard-phases - ,@(match (%current-system) + (let ((commit "ec8b5ee63f0e51191ea43bb0c6eac7bfbff3141d") + (revision "1")) + (package + (name "http-parser") + (version (git-version "2.9.4" revision commit)) + (home-page "https://github.com/nodejs/http-parser") + (source + (origin + (method git-fetch) + (uri (git-reference (url home-page) + (commit commit))) + (sha256 + (base32 "0f297hrbx0kvy3qwgm9rhmbnjww6iljlcz9grsc9d4km1qj1071i")) + (file-name (git-file-name name version)) + (patches + (append + (search-patches "http-parser-CVE-2020-8287.patch") + (list + (origin + ;; Treat an empty port (e.g. `http://hostname:/`) when parsing + ;; URLs as if no port were specified. 
This patch is applied + ;; to Fedora's http-parser and to libgit2's bundled version. + (method url-fetch) + (uri (string-append + "https://src.fedoraproject.org/rpms/http-parser/raw/" + "e89b4c4e2874c19079a5a1a2d2ccc61b551aa289/" + "f/0001-url-treat-empty-port-as-default.patch")) + (sha256 + (base32 + "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g")))))))) + (build-system gnu-build-system) + (arguments + `(#:test-target "test" + #:make-flags + (list (string-append "PREFIX=" + (assoc-ref %outputs "out")) + "library" + ,@(if (%current-target-system) + '() + '("CC=gcc"))) + #:phases + (modify-phases %standard-phases + ,@(match (%current-system) + ("armhf-linux" + '((add-before 'check 'apply-assertion.patch + (lambda* (#:key inputs #:allow-other-keys) + (let ((patch (assoc-ref inputs "assertion.patch"))) + (invoke "patch" "-p1" "-i" patch) + #t))))) + (_ '())) + ,@(if (%current-target-system) + '((replace 'configure + (lambda* (#:key target #:allow-other-keys) + (substitute* (find-files "." "Makefile") + (("CC\\?=.*$") + (string-append "CC=" target "-gcc\n")) + (("AR\\?=.*$") + (string-append "AR=" target "-ar\n"))) + #t))) + '((delete 'configure)))))) + (native-inputs + `(,@(match (%current-system) ("armhf-linux" - '((add-before 'check 'apply-assertion.patch - (lambda* (#:key inputs #:allow-other-keys) - (let ((patch (assoc-ref inputs "assertion.patch"))) - (invoke "patch" "-p1" "-i" patch) - #t))))) - (_ '())) - ,@(if (%current-target-system) - '((replace 'configure - (lambda* (#:key target #:allow-other-keys) - (substitute* (find-files "." "Makefile") - (("CC\\?=.*$") - (string-append "CC=" target "-gcc\n")) - (("AR\\?=.*$") - (string-append "AR=" target "-ar\n"))) - #t))) - '((delete 'configure)))))) - (native-inputs - `(,@(match (%current-system) - ("armhf-linux" - ;; A fix for which in turn - ;; breaks i686-linux builds. 
- `(("assertion.patch" - ,@(search-patches "http-parser-fix-assertion-on-armhf.patch")))) - (_ '())))) - (synopsis "HTTP request/response parser for C") - (description "This is a parser for HTTP messages written in C. It parses + ;; A fix for which in turn + ;; breaks i686-linux builds. + `(("assertion.patch" + ,@(search-patches "http-parser-fix-assertion-on-armhf.patch")))) + (_ '())))) + (synopsis "HTTP request/response parser for C") + (description "This is a parser for HTTP messages written in C. It parses both requests and responses. The parser is designed to be used in high-performance HTTP applications. It does not make any syscalls nor allocations, it does not buffer data, it can be interrupted at anytime. Depending on your architecture, it only requires about 40 bytes of data per message stream (in a web server that is per connection).") - (license license:expat))) + (license license:expat)))) (define-public python-httpretty (package -- cgit v1.2.3 From b5586c666e13988ce7ec983907ffb06a564f1d4f Mon Sep 17 00:00:00 2001 From: Mathieu Othacehe Date: Wed, 24 Feb 2021 16:33:18 +0100 Subject: gnu: http-server: Fix build on i686-linux. * gnu/packages/patches/http-parser-fix-assertion-on-armhf.patch: Remove it. * gnu/local.mk (dist_patch_DATA): Update it. * gnu/packages/web.scm (http-parser)[source]: Remove a test assertion failing on i686-linux. [arguments]: Remove the "assertion.patch" that is merged upstream. [native-inputs]: Ditto. [synopsis]: Wrap it. --- gnu/local.mk | 1 - .../http-parser-fix-assertion-on-armhf.patch | 39 ---------------------- gnu/packages/web.scm | 30 ++++++----------- 3 files changed, 11 insertions(+), 59 deletions(-) delete mode 100644 gnu/packages/patches/http-parser-fix-assertion-on-armhf.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index ab0c1b0e97..8d46cda639 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1165,7 +1165,6 @@ dist_patch_DATA = \ %D%/packages/patches/hdf-eos5-fix-szip.patch \ %D%/packages/patches/hdf-eos5-fortrantests.patch \ %D%/packages/patches/http-parser-CVE-2020-8287.patch \ - %D%/packages/patches/http-parser-fix-assertion-on-armhf.patch \ %D%/packages/patches/hubbub-sort-entities.patch \ %D%/packages/patches/hurd-cross.patch \ %D%/packages/patches/hurd-xattr.patch \ diff --git a/gnu/packages/patches/http-parser-fix-assertion-on-armhf.patch b/gnu/packages/patches/http-parser-fix-assertion-on-armhf.patch deleted file mode 100644 index 79bd3e8dbc..0000000000 --- a/gnu/packages/patches/http-parser-fix-assertion-on-armhf.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Tobias Geerinckx-Rice -Date: Wed, 20 May 2020 19:17:13 +0200 -Subject: [PATCH] gnu: http-client: Fix assertion on armhf-linux. - -Copied verbatim from [0] to fix guix pull[1] on ARM systems. - -[0]: https://github.com/nodejs/http-parser/pull/510 -[1]: https://issues.guix.gnu.org/40604 - -From 0e5868aebb9eb92b078d27bb2774c2154dc167e2 Mon Sep 17 00:00:00 2001 -From: Ben Noordhuis -Date: Thu, 30 Apr 2020 11:22:50 +0200 -Subject: [PATCH] Fix sizeof(http_parser) assert - -The result should be 32 on both 32 bits and 64 bits architectures -because of struct padding. - -Fixes: https://github.com/nodejs/http-parser/issues/507 ---- - test.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/test.c b/test.c -index 7983424..f60a84f 100644 ---- a/test.c -+++ b/test.c -@@ -4220,8 +4220,11 @@ main (void) - patch = version & 255; - printf("http_parser v%u.%u.%u (0x%06lx)\n", major, minor, patch, version); - -+ /* Should be 32 on both 32 bits and 64 bits architectures because of -+ * struct padding, see https://github.com/nodejs/http-parser/issues/507. -+ */ - printf("sizeof(http_parser) = %u\n", (unsigned int)sizeof(http_parser)); -- assert(sizeof(http_parser) == 4 + 4 + 8 + 2 + 2 + 4 + sizeof(void *)); -+ assert(sizeof(http_parser) == 32); - - //// API - test_preserve_data(); 
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index b3c0831ac4..e9a17f3b78 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -6191,7 +6191,15 @@ into your tests. It automatically starts up a HTTP server in a separate thread "f/0001-url-treat-empty-port-as-default.patch")) (sha256 (base32 - "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g")))))))) + "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g")))))) + (modules '((guix build utils))) + (snippet + '(begin + ;; This assertion fails when building for i686-linux. + (substitute* "test.c" + (("assert\\(sizeof\\(http_parser\\) == 32\\);") + "assert(1);")) + #t)))) (build-system gnu-build-system) (arguments `(#:test-target "test" @@ -6204,14 +6212,6 @@ into your tests. It automatically starts up a HTTP server in a separate thread '("CC=gcc"))) #:phases (modify-phases %standard-phases - ,@(match (%current-system) - ("armhf-linux" - '((add-before 'check 'apply-assertion.patch - (lambda* (#:key inputs #:allow-other-keys) - (let ((patch (assoc-ref inputs "assertion.patch"))) - (invoke "patch" "-p1" "-i" patch) - #t))))) - (_ '())) ,@(if (%current-target-system) '((replace 'configure (lambda* (#:key target #:allow-other-keys) 
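Review bot: The snippet in the first web.scm hunk rewrites `assert(sizeof(http_parser) == 32);` to `assert(1);` on every system, while its comment only says the assertion fails on i686-linux. I would extend the comment to state that the size check is dropped on all architectures and why that is acceptable, e.g. `;; This struct-size assertion fails on i686-linux; it only affects test.c, so disable it everywhere.` (assuming that is the reasoning). Note also that `substitute*` does nothing when its pattern no longer matches, so an update that rewords the assertion would bring the i686 failure back with no hint from this snippet.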
@@ -6222,17 +6222,9 @@ into your tests. It automatically starts up a HTTP server in a separate thread (string-append "AR=" target "-ar\n"))) #t))) '((delete 'configure)))))) - (native-inputs - `(,@(match (%current-system) - ("armhf-linux" - ;; A fix for which in turn - ;; breaks i686-linux builds. - `(("assertion.patch" - ,@(search-patches "http-parser-fix-assertion-on-armhf.patch")))) - (_ '())))) (synopsis "HTTP request/response parser for C") - (description "This is a parser for HTTP messages written in C. It parses -both requests and responses. The parser is designed to be used in + (description "This is a parser for HTTP messages written in C. It +parses both requests and responses. The parser is designed to be used in high-performance HTTP applications. It does not make any syscalls nor allocations, it does not buffer data, it can be interrupted at anytime. Depending on your architecture, it only requires about 40 bytes of data per -- cgit v1.2.3 From 10b909a0249fd53d589890b357232db4165690f5 Mon Sep 17 00:00:00 2001 From: Greg Hogan Date: Wed, 24 Feb 2021 14:12:28 +0000 Subject: gnu: Python 3.9: Update to 3.9.2. * gnu/packages/python.scm (python-3.9): Update to 3.9.2. [source]: Remove obsolete patch. * gnu/packages/patches/python-3.9-CVE-2021-3177.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. Signed-off-by: Leo Famulari --- gnu/local.mk | 1 - .../patches/python-3.9-CVE-2021-3177.patch | 194 --------------------- gnu/packages/python.scm | 6 +- 3 files changed, 3 insertions(+), 198 deletions(-) delete mode 100644 gnu/packages/patches/python-3.9-CVE-2021-3177.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 8d46cda639..8d1465158a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1526,7 +1526,6 @@ dist_patch_DATA = \ %D%/packages/patches/python-3.8-fix-tests.patch \ %D%/packages/patches/python-3.8-CVE-2021-3177.patch \ %D%/packages/patches/python-3.9-fix-tests.patch \ - %D%/packages/patches/python-3.9-CVE-2021-3177.patch \ %D%/packages/patches/python-CVE-2018-14647.patch \ %D%/packages/patches/python-CVE-2020-26116.patch \ %D%/packages/patches/python-aionotify-0.2.0-py3.8.patch \ diff --git a/gnu/packages/patches/python-3.9-CVE-2021-3177.patch b/gnu/packages/patches/python-3.9-CVE-2021-3177.patch deleted file mode 100644 index 155f17deca..0000000000 --- a/gnu/packages/patches/python-3.9-CVE-2021-3177.patch +++ /dev/null 
@@ -1,194 +0,0 @@ -Fix CVE-2021-3177 for Python 3.9: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177 - -Patch copied from upstream source repository: - -https://github.com/python/cpython/commit/c347cbe694743cee120457aa6626712f7799a932 - -From c347cbe694743cee120457aa6626712f7799a932 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 18 Jan 2021 13:29:31 -0800 -Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode - formatting in ctypes param reprs. (GH-24247) - -(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) - -Co-authored-by: Benjamin Peterson - -Co-authored-by: Benjamin Peterson ---- - Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ - .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + - Modules/_ctypes/callproc.c | 51 +++++++------------ - 3 files changed, 64 insertions(+), 32 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst - -diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py -index e4c25fd880cef..531894fdec838 100644 ---- a/Lib/ctypes/test/test_parameters.py -+++ b/Lib/ctypes/test/test_parameters.py -@@ -201,6 +201,49 @@ def __dict__(self): - with self.assertRaises(ZeroDivisionError): - WorseStruct().__setstate__({}, b'foo') - -+ def test_parameter_repr(self): -+ from ctypes import ( -+ c_bool, -+ c_char, -+ c_wchar, -+ c_byte, -+ c_ubyte, -+ c_short, -+ c_ushort, -+ c_int, -+ c_uint, -+ c_long, -+ c_ulong, -+ c_longlong, -+ c_ulonglong, -+ c_float, -+ c_double, -+ c_longdouble, -+ c_char_p, -+ c_wchar_p, -+ c_void_p, -+ ) -+ self.assertRegex(repr(c_bool.from_param(True)), r"^$") -+ self.assertEqual(repr(c_char.from_param(97)), "") -+ self.assertRegex(repr(c_wchar.from_param('a')), r"^$") -+ self.assertEqual(repr(c_byte.from_param(98)), "") -+ self.assertEqual(repr(c_ubyte.from_param(98)), "") -+ self.assertEqual(repr(c_short.from_param(511)), 
"") -+ self.assertEqual(repr(c_ushort.from_param(511)), "") -+ self.assertRegex(repr(c_int.from_param(20000)), r"^$") -+ self.assertRegex(repr(c_uint.from_param(20000)), r"^$") -+ self.assertRegex(repr(c_long.from_param(20000)), r"^$") -+ self.assertRegex(repr(c_ulong.from_param(20000)), r"^$") -+ self.assertRegex(repr(c_longlong.from_param(20000)), r"^$") -+ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^$") -+ self.assertEqual(repr(c_float.from_param(1.5)), "") -+ self.assertEqual(repr(c_double.from_param(1.5)), "") -+ self.assertEqual(repr(c_double.from_param(1e300)), "") -+ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^$") -+ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^$") -+ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^$") -+ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^$") -+ - ################################################################ - - if __name__ == '__main__': -diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst -new file mode 100644 -index 0000000000000..7df65a156feab ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst -@@ -0,0 +1,2 @@ -+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and -+:class:`ctypes.c_longdouble` values. 
-diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c -index b0a36a30248f7..f2506de54498e 100644 ---- a/Modules/_ctypes/callproc.c -+++ b/Modules/_ctypes/callproc.c -@@ -489,58 +489,47 @@ is_literal_char(unsigned char c) - static PyObject * - PyCArg_repr(PyCArgObject *self) - { -- char buffer[256]; - switch(self->tag) { - case 'b': - case 'B': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.b); -- break; - case 'h': - case 'H': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.h); -- break; - case 'i': - case 'I': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.i); -- break; - case 'l': - case 'L': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.l); -- break; - - case 'q': - case 'Q': -- sprintf(buffer, --#ifdef MS_WIN32 -- "", --#else -- "", --#endif -+ return PyUnicode_FromFormat("", - self->tag, self->value.q); -- break; - case 'd': -- sprintf(buffer, "", -- self->tag, self->value.d); -- break; -- case 'f': -- sprintf(buffer, "", -- self->tag, self->value.f); -- break; -- -+ case 'f': { -+ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); -+ if (f == NULL) { -+ return NULL; -+ } -+ PyObject *result = PyUnicode_FromFormat("", self->tag, f); -+ Py_DECREF(f); -+ return result; -+ } - case 'c': - if (is_literal_char((unsigned char)self->value.c)) { -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.c); - } - else { -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, (unsigned char)self->value.c); - } -- break; - - /* Hm, are these 'z' and 'Z' codes useful at all? 
- Shouldn't they be replaced by the functionality of c_string -@@ -549,22 +538,20 @@ PyCArg_repr(PyCArgObject *self) - case 'z': - case 'Z': - case 'P': -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - self->tag, self->value.p); - break; - - default: - if (is_literal_char((unsigned char)self->tag)) { -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - (unsigned char)self->tag, (void *)self); - } - else { -- sprintf(buffer, "", -+ return PyUnicode_FromFormat("", - (unsigned char)self->tag, (void *)self); - } -- break; - } -- return PyUnicode_FromString(buffer); - } - - static PyMemberDef PyCArgType_members[] = { diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 5c5be0d78c..9d97050c66 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -59,6 +59,7 @@ ;;; Copyright © 2018 Vagrant Cascadian ;;; Copyright © 2019 Tanguy Le Carrour ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen +;;; Copyright © 2021 Greg Hogan ;;; ;;; This file is part of GNU Guix. ;;; @@ -533,19 +534,18 @@ data types.") (define-public python-3.9 (package (inherit python-3.8) (name "python-next") - (version "3.9.1") + (version "3.9.2") (source (origin (method url-fetch) (uri (string-append "https://www.python.org/ftp/python/" version "/Python-" version ".tar.xz")) (patches (search-patches "python-3.9-fix-tests.patch" - "python-3.9-CVE-2021-3177.patch" "python-3-deterministic-build-info.patch" "python-3-search-paths.patch")) (sha256 (base32 - "1zq3k4ymify5ig739zyvx9s2ainvchxb1zpy139z74krr653y74r")) + "0z94vv5qhlwvcgc4sy9sdiqs0220s84wx3b62vslh5419z2k881w")) (modules '((guix build utils))) (snippet '(begin -- cgit v1.2.3 From 83a614b6c3dfebee653e656c62635e65faf9e15a Mon Sep 17 00:00:00 2001 
From: Léo Le Bouter Date: Sun, 28 Feb 2021 03:03:39 +0100 Subject: gnu: wpa-supplicant, hostapd: Fix CVE-2021-27803. See . * gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/admin.scm (wpa-supplicant-minimal, hostapd): Apply it. --- gnu/local.mk | 1 + gnu/packages/admin.scm | 8 +++- .../patches/wpa-supplicant-CVE-2021-27803.patch | 50 ++++++++++++++++++++++ 3 files changed, 57 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 8d1465158a..f8ff065242 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1730,6 +1730,7 @@ dist_patch_DATA = \ %D%/packages/patches/wordnet-CVE-2008-2149.patch \ %D%/packages/patches/wordnet-CVE-2008-3908-pt1.patch \ %D%/packages/patches/wordnet-CVE-2008-3908-pt2.patch \ + %D%/packages/patches/wpa-supplicant-CVE-2021-27803.patch \ %D%/packages/patches/x265-arm-flags.patch \ %D%/packages/patches/xf86-video-ark-remove-mibstore.patch \ %D%/packages/patches/xf86-video-mach64-glibc-2.20.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index cf27eea084..2ca99774b8 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -1656,7 +1656,9 @@ features of sudo with a fraction of the codebase.") ;; Disable D-Bus to save ~14MiB on the closure size. (("^CONFIG_CTRL_IFACE_DBUS" line _) (string-append "#" line))) - #t)))) + #t)) + (patches + (search-patches "wpa-supplicant-CVE-2021-27803.patch")))) (build-system gnu-build-system) (arguments `(#:phases @@ -1820,7 +1822,9 @@ command.") ".tar.gz")) (sha256 (base32 - "1mrbvg4v7vm7mknf0n29mf88k3s4a4qj6r4d51wq8hmjj1m7s7c8")))) + "1mrbvg4v7vm7mknf0n29mf88k3s4a4qj6r4d51wq8hmjj1m7s7c8")) + (patches + (search-patches "wpa-supplicant-CVE-2021-27803.patch")))) (build-system gnu-build-system) (arguments `(#:phases 
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch b/gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch
new file mode 100644
index 0000000000..1942bb3d55
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2021-27803.patch
@@ -0,0 +1,50 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec03f86b..05fd593494ef 100644
+--- a/src/p2p/p2p_pd.c
++++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+ goto out;
+ }
+
++ dev = p2p_get_device(p2p, sa);
+ if (!dev) {
+- dev = p2p_get_device(p2p, sa);
+- if (!dev) {
+- p2p_dbg(p2p,
+- "Provision Discovery device not found "
+- MACSTR, MAC2STR(sa));
+- goto out;
+- }
++ p2p_dbg(p2p,
++ "Provision Discovery device not found "
++ MACSTR, MAC2STR(sa));
++ goto out;
+ }
+ } else if (msg.wfd_subelems) {
+ wpabuf_free(dev->info.wfd_subelems);
+--
+2.25.1
+
-- cgit v1.2.3
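Review bot: The unconditional `dev = p2p_get_device(p2p, sa);` added in p2p_pd.c has no comment, and without one the re-fetch reads like a redundant lookup that a later cleanup could fold back under `if (!dev)`. The commit message gives the reason (p2p_add_device() may remove the oldest peer entry, leaving the earlier pointer stale), so I would put it next to the line: `/* p2p_add_device() may have removed a peer entry; look dev up again so a stale pointer is never used */`. The enclosing p2p_process_prov_disc_req() starts and ends outside this hunk, so whether other paths hold `dev` across p2p_add_device() cannot be checked from here.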
From 9c30f26b8dca1be5b0cdaeea04a3484905cfd4f2 Mon Sep 17 00:00:00 2001 From: 宋文武 Date: Wed, 17 Feb 2021 19:50:33 +0800 Subject: gnu: retroarch: Update to 1.9.0. * gnu/packages/emulators.scm (retroarch): Update to 1.9.0. [source]: Remove 'retroarch-disable-online-updater.patch' and snippet. Add 'retroarch-LIBRETRO_DIRECTORY.patch'. [native-search-paths]: New field. * gnu/packages/patches/retroarch-disable-online-updater.patch: Remove file. * gnu/packages/patches/retroarch-LIBRETRO_DIRECTORY: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. --- gnu/local.mk | 2 +- gnu/packages/emulators.scm | 24 ++++++------- .../patches/retroarch-LIBRETRO_DIRECTORY.patch | 32 +++++++++++++++++ .../patches/retroarch-disable-online-updater.patch | 41 ---------------------- 4 files changed, 44 insertions(+), 55 deletions(-) create mode 100644 gnu/packages/patches/retroarch-LIBRETRO_DIRECTORY.patch delete mode 100644 gnu/packages/patches/retroarch-disable-online-updater.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index f8ff065242..76bb7ef1f0 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1592,7 +1592,7 @@ dist_patch_DATA = \ %D%/packages/patches/rtags-separate-rct.patch \ %D%/packages/patches/racket-store-checksum-override.patch \ %D%/packages/patches/remake-impure-dirs.patch \ - %D%/packages/patches/retroarch-disable-online-updater.patch \ + %D%/packages/patches/retroarch-LIBRETRO_DIRECTORY.patch \ %D%/packages/patches/rnp-add-version.cmake.patch \ %D%/packages/patches/rnp-disable-ruby-rnp-tests.patch \ %D%/packages/patches/rnp-unbundle-googletest.patch \ diff --git a/gnu/packages/emulators.scm b/gnu/packages/emulators.scm index 6c044e3397..dcbffa0a28 100644 --- a/gnu/packages/emulators.scm +++ b/gnu/packages/emulators.scm @@ -1273,7 +1273,7 @@ as RetroArch.") (define-public retroarch (package (name "retroarch") - (version "1.8.1") + (version "1.9.0") (source (origin (method git-fetch) 
@@ -1282,18 +1282,9 @@ as RetroArch.") (commit (string-append "v" version)))) (file-name (git-file-name name version)) (sha256 - (base32 "0y7rcpz7psf8k3agsrq277jdm651vbnn9xpqvmj2in1a786idya7")) + (base32 "1n0dcv85vqrdr79psnf009hi4r2mvsgsjbghrrc9pm5g7ywwwcvp")) (patches - (search-patches "retroarch-disable-online-updater.patch")) - (modules '((guix build utils))) - (snippet - '(begin - ;; Don't suggest using the Online Updater if available: it never - ;; is. This disables translation of this particular message. - (substitute* (find-files "menu/drivers" "\\.c$") - (("msg_hash_to_str\\(MSG_MISSING_ASSETS\\)") - "\"Warning: Missing assets, go get some\"")) - #t)))) + (search-patches "retroarch-LIBRETRO_DIRECTORY.patch")))) (build-system gnu-build-system) (arguments `(#:tests? #f ; no tests @@ -1328,7 +1319,9 @@ as RetroArch.") '("--enable-neon" "--enable-floathard") '()) (string-append "--prefix=" out) - (string-append "--global-config-dir=" etc) + ;; Non-free software are available through the core updater, + ;; disable it. See . + "--disable-update_cores" "--disable-builtinminiupnpc"))))))) (inputs `(("alsa-lib" ,alsa-lib) @@ -1354,6 +1347,11 @@ as RetroArch.") `(("pkg-config" ,pkg-config) ("wayland-protocols" ,wayland-protocols) ("which" ,which))) + (native-search-paths + (list (search-path-specification + (variable "LIBRETRO_DIRECTORY") + (separator #f) ; single entry + (files '("lib/libretro"))))) (home-page "https://www.libretro.com/") (synopsis "Reference frontend for the libretro API") (description diff --git a/gnu/packages/patches/retroarch-LIBRETRO_DIRECTORY.patch b/gnu/packages/patches/retroarch-LIBRETRO_DIRECTORY.patch new file mode 100644 index 0000000000..30515cbe48 --- /dev/null +++ b/gnu/packages/patches/retroarch-LIBRETRO_DIRECTORY.patch 
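Review bot: In the configure-flags hunk, `(string-append "--global-config-dir=" etc)` is removed without any mention in the commit log, and the new comment on `--disable-update_cores` does not say that the flag replaces retroarch-disable-online-updater.patch, which hid the whole Online Updater sub-menu. Judging by its name the flag covers core downloads only, so the comment should say whether the remaining updater entries are meant to stay reachable, e.g. `;; Only the core updater is disabled; other Online Updater entries remain available.` if that is the intent. If dropping `--global-config-dir` is deliberate, a line in the log or a comment would help, since the `etc` binding may now be unused.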
@@ -0,0 +1,32 @@
+From f308dc91660954ab88bb41868c0b9809592923e6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?=
+Date: Sat, 20 Feb 2021 20:37:39 +0800
+Subject: [PATCH] Allow set libretro_directory via environment variable
+
+---
+ retroarch.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/retroarch.c b/retroarch.c
+index 6a88c3108e..6807c12b5b 100644
+--- a/retroarch.c
++++ b/retroarch.c
+@@ -36038,6 +36038,15 @@ static void retroarch_parse_input_and_config(
+ #endif
+ config_load(&p_rarch->g_extern);
+
++ /* Override settings via environment variables */
++ if (getenv("LIBRETRO_DIRECTORY")) {
++ settings_t *settings = p_rarch->configuration_settings;
++ retroarch_override_setting_set(RARCH_OVERRIDE_SETTING_LIBRETRO_DIRECTORY, NULL);
++ configuration_set_string(settings,
++ settings->paths.directory_libretro,
++ getenv("LIBRETRO_DIRECTORY"));
++ }
++
+ /* Second pass: All other arguments override the config file */
+ optind = 1;
+
+--
+2.30.0
+
diff --git a/gnu/packages/patches/retroarch-disable-online-updater.patch b/gnu/packages/patches/retroarch-disable-online-updater.patch
deleted file mode 100644
index ea74cc5409..0000000000
--- a/gnu/packages/patches/retroarch-disable-online-updater.patch
+++ /dev/null
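Review bot: The added block in retroarch.c tests `getenv("LIBRETRO_DIRECTORY")` only for presence and then calls getenv() a second time, so a variable that is set but empty still overrides the configured `directory_libretro` with an empty path. Since this setting appears to name the directory libretro cores are loaded from, I would read it once and require a non-empty value: `const char *dir = getenv("LIBRETRO_DIRECTORY");`, `if (dir && *dir) {`, and pass `dir` to configuration_set_string(). A short comment that the environment takes precedence over the config file at this point would also help; retroarch_parse_input_and_config() continues outside this hunk.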
@@ -1,41 +0,0 @@ -From: Tobias Geerinckx-Rice -Date: Fri, 29 Nov 2019 20:32:54 +0100 -Subject: [PATCH]: gnu: retroarch: Disable the on-line updater. - -This disables the entire ‘Online Updater’ sub-menu to address -. Perhaps that is more than is -necessary. - -diff -Naur a/menu/menu_displaylist.c b/menu/menu_displaylist.c ---- a/menu/menu_displaylist.c 1970-01-01 01:00:01.000000000 +0100 -+++ b/menu/menu_displaylist.c 2019-11-29 18:35:27.467948854 +0100 -@@ -8444,11 +8444,6 @@ - MENU_ENUM_LABEL_NETPLAY, - PARSE_ACTION, false) == 0) - count++; -- if (settings->bools.menu_show_online_updater) -- if (menu_displaylist_parse_settings_enum(info->list, -- MENU_ENUM_LABEL_ONLINE_UPDATER, -- PARSE_ACTION, false) == 0) -- count++; - if (menu_displaylist_parse_settings_enum(info->list, - MENU_ENUM_LABEL_SETTINGS, PARSE_ACTION, false) == 0) - count++; -diff -Naur retroarch.a/menu/menu_setting.c retroarch.c/menu/menu_setting.c ---- a/menu/menu_setting.c 1970-01-01 01:00:01.000000000 +0100 -+++ b/menu/menu_setting.c 2019-11-29 18:35:35.753957312 +0100 -@@ -7291,14 +7291,6 @@ - &group_info, - &subgroup_info, - parent_group); -- -- CONFIG_ACTION( -- list, list_info, -- MENU_ENUM_LABEL_ONLINE_UPDATER, -- MENU_ENUM_LABEL_VALUE_ONLINE_UPDATER, -- &group_info, -- &subgroup_info, -- parent_group); - #endif - - CONFIG_ACTION( -- cgit v1.2.3 From e05c0b334d55d1399303ce097f70eaa2ca3ad7df Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Sun, 28 Feb 2021 04:40:05 +0100 Subject: gnu: qemu: Fix CVE-2021-20203. * gnu/packages/patches/qemu-CVE-2021-20203.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/virtualization.scm (qemu): Apply it. --- gnu/local.mk | 1 + gnu/packages/patches/qemu-CVE-2021-20203.patch | 172 +++++++++++++++++++++++++ gnu/packages/virtualization.scm | 3 +- 3 files changed, 175 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/qemu-CVE-2021-20203.patch (limited to 'gnu/local.mk') 
diff --git a/gnu/local.mk b/gnu/local.mk index 76bb7ef1f0..83753e6b4e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1561,6 +1561,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-waitress-fix-tests.patch \ %D%/packages/patches/pypy3-7.3.1-fix-tests.patch \ %D%/packages/patches/qemu-build-info-manual.patch \ + %D%/packages/patches/qemu-CVE-2021-20203.patch \ %D%/packages/patches/qemu-glibc-2.27.patch \ %D%/packages/patches/qpdfview-qt515-compat.patch \ %D%/packages/patches/qrcodegen-cpp-make-install.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2021-20203.patch b/gnu/packages/patches/qemu-CVE-2021-20203.patch new file mode 100644 index 0000000000..9d2ceaa649 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2021-20203.patch 
@@ -0,0 +1,172 @@ +From mboxrd@z Thu Jan 1 00:00:00 1970 +Return-Path: +X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on + aws-us-west-2-korg-lkml-1.web.codeaurora.org +X-Spam-Level: +X-Spam-Status: No, score=-10.8 required=3.0 tests=BAYES_00,DKIM_INVALID, + DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, + MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,UNWANTED_LANGUAGE_BODY, + URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 +Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) + by smtp.lore.kernel.org (Postfix) with ESMTP id 87556C433E0 + for ; Sat, 30 Jan 2021 13:20:40 +0000 (UTC) +Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) + (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) + (No client certificate requested) + by mail.kernel.org (Postfix) with ESMTPS id EF26964DE1 + for ; Sat, 30 Jan 2021 13:20:39 +0000 (UTC) +DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org EF26964DE1 +Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com +Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org +Received: from localhost ([::1]:42488 helo=lists1p.gnu.org) + by lists.gnu.org with esmtp (Exim 4.90_1) + (envelope-from ) + id 1l5qB3-0008CX-02 + for qemu-devel@archiver.kernel.org; Sat, 30 Jan 2021 08:20:37 -0500 +Received: from eggs.gnu.org ([2001:470:142:3::10]:45174) + by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) + (Exim 4.90_1) (envelope-from ) + id 1l5q9q-0007ld-1c + for qemu-devel@nongnu.org; Sat, 30 Jan 2021 08:19:22 -0500 +Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:42898) + by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) + (Exim 4.90_1) (envelope-from ) + id 1l5q9k-0007Ia-TV + for qemu-devel@nongnu.org; Sat, 30 Jan 2021 08:19:21 -0500 +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
d=redhat.com; + s=mimecast20190719; t=1612012753; + h=from:from:reply-to:subject:subject:date:date:message-id:message-id: + to:to:cc:cc:mime-version:mime-version:content-type:content-type: + content-transfer-encoding:content-transfer-encoding; + bh=7vu4z8M+bFjhFzEuAYsQG4i3APx7aMqv7tFxRRO5+8Q=; + b=egCsTdgVBnRlHnVN84HsSpNOUl/NkqEnGuv9rRdG2AZ1Fee5ZatpJm5zJ7YUW2HvzB4rtO + EaDIKaN1wzf/yHf0CsJ60TPGG3DqQSC/EsTSr2l/GNGq4prDYTXVrS3rXFu9ofByUVvzwU + q9Iy1X1Bh3S21m7jXY0AYx4Tu9Ikq9w= +Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com + [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id + us-mta-588-1JF7mzMfP1KpRpNKj4cAWQ-1; Sat, 30 Jan 2021 08:19:08 -0500 +X-MC-Unique: 1JF7mzMfP1KpRpNKj4cAWQ-1 +Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com + [10.5.11.22]) + (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) + (No client certificate requested) + by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8F0F439380; + Sat, 30 Jan 2021 13:19:07 +0000 (UTC) +Received: from localhost.localdomain (unknown [10.33.36.2]) + by smtp.corp.redhat.com (Postfix) with ESMTPS id 17D581002C11; + Sat, 30 Jan 2021 13:19:04 +0000 (UTC) +From: P J P +To: Dmitry Fleytman +Subject: [PATCH] net: vmxnet3: validate configuration values during activate + (CVE-2021-20203) +Date: Sat, 30 Jan 2021 18:46:52 +0530 +Message-Id: <20210130131652.954143-1-ppandit@redhat.com> +MIME-Version: 1.0 +X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 +Authentication-Results: relay.mimecast.com; + auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=ppandit@redhat.com +X-Mimecast-Spam-Score: 0 +X-Mimecast-Originator: redhat.com +Content-Transfer-Encoding: 8bit +Content-Type: text/plain; charset="US-ASCII" +Received-SPF: pass client-ip=63.128.21.124; envelope-from=ppandit@redhat.com; + helo=us-smtp-delivery-124.mimecast.com +X-Spam_score_int: -30 +X-Spam_score: -3.1 +X-Spam_bar: --- +X-Spam_report: (-3.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.255, + 
DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, + RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, + SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no +X-Spam_action: no action +X-BeenThere: qemu-devel@nongnu.org +X-Mailman-Version: 2.1.23 +Precedence: list +List-Id: +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +Cc: Gaoning Pan , QEMU Developers , + Prasad J Pandit +Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org +Sender: "Qemu-devel" + +Archived-At: +List-Archive: + +From: Prasad J Pandit + +While activating device in vmxnet3_acticate_device(), it does not +validate guest supplied configuration values against predefined +minimum - maximum limits. This may lead to integer overflow or +OOB access issues. Add checks to avoid it. + +Fixes: CVE-2021-20203 +Buglink: https://bugs.launchpad.net/qemu/+bug/1913873 +Reported-by: Gaoning Pan +Signed-off-by: Prasad J Pandit +--- + hw/net/vmxnet3.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index eff299f629..4a910ca971 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s) + vmxnet3_setup_rx_filtering(s); + /* Cache fields from shared memory */ + s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); ++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); + VMW_CFPRN("MTU is %u", s->mtu); + + s->max_rx_frags = +@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* Read rings memory locations for TX queues */ + pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); + size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); ++ if (size > VMXNET3_TX_RING_MAX_SIZE) { ++ size = VMXNET3_TX_RING_MAX_SIZE; ++ } + + vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, + sizeof(struct 
Vmxnet3_TxDesc), false); +@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* TXC ring */ + pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); + size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); ++ if (size > VMXNET3_TC_RING_MAX_SIZE) { ++ size = VMXNET3_TC_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, + sizeof(struct Vmxnet3_TxCompDesc), true); + VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring); +@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* RX rings */ + pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); + size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); ++ if (size > VMXNET3_RX_RING_MAX_SIZE) { ++ size = VMXNET3_RX_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, + sizeof(struct Vmxnet3_RxDesc), false); + VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d", +@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* RXC ring */ + pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); + size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); ++ if (size > VMXNET3_RC_RING_MAX_SIZE) { ++ size = VMXNET3_RC_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, + sizeof(struct Vmxnet3_RxCompDesc), true); + VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size); +-- +2.29.2 + + + diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index 8da57cf6ab..1f8c3beea0 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm 
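Review bot: The MTU check added in vmxnet3_activate_device uses `assert()` on a value read from guest shared memory, so a guest that supplies an out-of-range MTU aborts the whole QEMU process instead of having the activation rejected. A checked exit keeps the failure inside the device model, for example `if (s->mtu < VMXNET3_MIN_MTU || s->mtu > VMXNET3_MAX_MTU) { qemu_log_mask(LOG_GUEST_ERROR, "vmxnet3: bad MTU %u\n", s->mtu); return; }`; this also makes the upper bound inclusive, where the assert's `<` rejects VMXNET3_MAX_MTU itself, presumably unintentionally. The four ring-size hunks clamp only the maximum although the description speaks of minimum and maximum limits, and whether a size of 0 is safe in vmxnet3_ring_init cannot be seen from here. The patch file carries the full mbox headers of the mailing-list posting, so confirm that it matches what was finally committed upstream. The function body continues outside the hunks, so check that an early return at that point leaves the device in a consistent state.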
@@ -141,7 +141,8 @@ (sha256 (base32 "1rd41wwlvp0vpialjp2czs6i3lsc338xc72l3zkbb7ixjfslw5y9")) - (patches (search-patches "qemu-build-info-manual.patch")) + (patches (search-patches "qemu-build-info-manual.patch" + "qemu-CVE-2021-20203.patch")) (modules '((guix build utils))) (snippet '(begin -- cgit v1.2.3 From 3505d86502c80fa390d2c6db103697307d596b0e Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Mon, 1 Mar 2021 02:56:51 +0100 Subject: gnu: openscad: Update to 2021.01 [maybe fixes TALOS-2020-1222, TALOS-2020-1223]. TALOS-2020-1222 has yet to be disclosed and has no known CVE number. TALOS-2020-1223 has CVE-2020-28599 assigned. * gnu/packages/engineering.scm (openscad): Update to 2021.01. [patches]: Remove. Boost 1.72 is supported now upstream. [arguments]: In replacement 'check phase, disable some tests requiring experimental "lazy-union" feature. Also disable PDF-related tests requiring ghostscript and failing either way. * gnu/local.mk (dist_patch_DATA): Remove patch. * gnu/packages/patches/openscad-parser-boost-1.72.patch: Ditto. --- gnu/local.mk | 1 - gnu/packages/engineering.scm | 18 ++++++++++----- .../patches/openscad-parser-boost-1.72.patch | 26 ---------------------- 3 files changed, 13 insertions(+), 32 deletions(-) delete mode 100644 gnu/packages/patches/openscad-parser-boost-1.72.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 83753e6b4e..0954158d4c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1429,7 +1429,6 @@ dist_patch_DATA = \ %D%/packages/patches/openssh-fix-ssh-copy-id.patch \ %D%/packages/patches/openssh-hurd.patch \ %D%/packages/patches/openresolv-restartcmd-guix.patch \ - %D%/packages/patches/openscad-parser-boost-1.72.patch \ %D%/packages/patches/opensles-add-license-file.patch \ %D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-1.1-c-rehash-in.patch \ diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm index fb6895f911..8517d2abde 100644 
--- a/gnu/packages/engineering.scm +++ b/gnu/packages/engineering.scm @@ -2476,7 +2476,7 @@ specification can be downloaded at @url{http://3mf.io/specification/}.") (define-public openscad (package (name "openscad") - (version "2019.05") + (version "2021.01") (source (origin (method url-fetch) @@ -2484,9 +2484,7 @@ specification can be downloaded at @url{http://3mf.io/specification/}.") ".src.tar.gz")) (sha256 (base32 - "0nbgk5q5pgnw53la0kccdcpz2f4xf6d6076rkn0q08z57hkc85ha")) - (patches (search-patches - "openscad-parser-boost-1.72.patch")))) + "0n83szr88h8snccjrslr96mgw3f65x3sq726n6x5vxp5wybw4f6r")))) (build-system cmake-build-system) (inputs `(("boost" ,boost) @@ -2529,7 +2527,17 @@ specification can be downloaded at @url{http://3mf.io/specification/}.") (with-directory-excursion "tests" (invoke "cmake" ".") (invoke "make") - (invoke "ctest")) + (invoke "ctest" "--exclude-regex" + (string-join + (list + "astdumptest_allexpressions" + "echotest_function-literal-compare" + "echotest_function-literal-tests" + "echotest_allexpressions" + "lazyunion-*" + "pdfexporttest_centered" + "pdfexporttest_simple-pdf") + "|"))) ;; strip python test files since lib dir ends up in out/share (for-each delete-file (find-files "libraries/MCAD" ".*\\.py")) diff --git a/gnu/packages/patches/openscad-parser-boost-1.72.patch b/gnu/packages/patches/openscad-parser-boost-1.72.patch deleted file mode 100644 index 35311e6173..0000000000 --- a/gnu/packages/patches/openscad-parser-boost-1.72.patch +++ /dev/null 
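Review bot: The string passed to `ctest --exclude-regex` is a regular expression, so `"lazyunion-*"` in the added list means "lazyunion" followed by any number of hyphens rather than a glob; it excludes those tests only because the match is unanchored. Writing it as `"lazyunion-"` says what is meant. The reasons for skipping each group are only in the commit message; a comment above the list, e.g. `;; Skip tests that need the experimental lazy-union feature, and PDF export tests that need Ghostscript.`, would keep them next to the code. That matters here because the update is motivated by security advisories and every skipped test reduces coverage of the new release. The enclosing 'check phase starts outside the hunk.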
@@ -1,26 +0,0 @@ -https://github.com/openscad/openscad/commit/b6c170cc5d.patch - -From b6c170cc5dd1bc677176ee732cdb0ddae57e5cf0 Mon Sep 17 00:00:00 2001 -From: Jan Beich -Date: Fri, 25 Oct 2019 15:10:26 +0000 -Subject: [PATCH] Add missing header bootlegged by Boost < 1.72 - -src/parser.y:76:6: error: no template named 'stack' in namespace 'std' -std::stack scope_stack; -~~~~~^ ---- - src/parser.y | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/parser.y b/src/parser.y -index 7f4fd56ca7..4c77c989ea 100644 ---- a/src/parser.y -+++ b/src/parser.y -@@ -46,6 +46,7 @@ - #include "printutils.h" - #include "memory.h" - #include -+#include - #include - #include "boost-utils.h" - #include "feature.h" -- cgit v1.2.3 From c48c69194fee468d2ac16ccc25f012312083bf89 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Tue, 2 Mar 2021 18:08:27 +0100 Subject: gnu: python-matplotlib: Fix running under Wayland with GTK3. * gnu/packages/python-xyz.scm (python-matplotlib)[source]: Add patch. * gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + .../python-matplotlib-run-under-wayland-gtk3.patch | 31 ++++++++++++++++++++++ gnu/packages/python-xyz.scm | 5 ++-- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 0954158d4c..81ca759503 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1539,6 +1539,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-pyfakefs-remove-bad-test.patch \ %D%/packages/patches/python-flint-includes.patch \ %D%/packages/patches/python-libxml2-utf8.patch \ + %D%/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch \ %D%/packages/patches/python-mediafile-wavpack.patch \ %D%/packages/patches/python-memcached-syntax-warnings.patch \ %D%/packages/patches/python-mox3-python3.6-compat.patch \ 
diff --git a/gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch b/gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch new file mode 100644 index 0000000000..6f067763b5 --- /dev/null +++ b/gnu/packages/patches/python-matplotlib-run-under-wayland-gtk3.patch @@ -0,0 +1,31 @@ +From: Tobias Geerinckx-Rice +Date: Tue, 02 Mar 2021 18:04:33 +0100 +Subject: [PATCH] gnu: python-matplotlib: Run under Wayland with GTK3. + +Adopted from upstream's fix[0] for +. + +[0]: https://github.com/liuyun88/matplotlib/commit/3d5000463bd23cb046681220f5511f07743f7d82 + +--- +diff -Naur a/lib/matplotlib/backends/backend_gtk3.py b/lib/matplotlib/backends/backend_gtk3.py +--- a/lib/matplotlib/backends/backend_gtk3.py 2019-11-21 23:47:05.000000000 +0100 ++++ b/lib/matplotlib/backends/backend_gtk3.py 2021-03-02 18:00:57.479929766 +0100 +@@ -42,11 +42,12 @@ + + try: ++ _display = Gdk.Display.get_default() + cursord = { +- cursors.MOVE : Gdk.Cursor.new(Gdk.CursorType.FLEUR), +- cursors.HAND : Gdk.Cursor.new(Gdk.CursorType.HAND2), +- cursors.POINTER : Gdk.Cursor.new(Gdk.CursorType.LEFT_PTR), +- cursors.SELECT_REGION : Gdk.Cursor.new(Gdk.CursorType.TCROSS), +- cursors.WAIT : Gdk.Cursor.new(Gdk.CursorType.WATCH), ++ cursors.MOVE : Gdk.Cursor.new_from_name(_display, "move"), ++ cursors.HAND : Gdk.Cursor.new_from_name(_display, "pointer"), ++ cursors.POINTER : Gdk.Cursor.new_from_name(_display, "default"), ++ cursors.SELECT_REGION : Gdk.Cursor.new_from_name(_display, "crosshair"), ++ cursors.WAIT : Gdk.Cursor.new_from_name(_display, "wait"), + } + except TypeError as exc: + # Happens when running headless. Convert to ImportError to cooperate with diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm index 01f1e66258..456cfea5c6 100644 --- a/gnu/packages/python-xyz.scm +++ b/gnu/packages/python-xyz.scm 
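Review bot: The patch header cites a commit in a personal fork (`github.com/liuyun88/matplotlib`) as upstream's fix, and the issue reference after "fix[0] for" appears empty on this page; the header should point at the commit and issue in the matplotlib project's own repository so the origin of the change can be checked. In the code, `Gdk.Display.get_default()` may return no display when running headless. The surrounding `except TypeError` presumably still catches the resulting failure from `Gdk.Cursor.new_from_name`, but that is worth confirming, since the handler's body lies outside the hunk.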
@@ -5131,8 +5131,9 @@ convert between colorspaces like sRGB, XYZ, CIEL*a*b*, CIECAM02, CAM02-UCS, etc. (method url-fetch) (uri (pypi-uri "matplotlib" version)) (sha256 - (base32 - "1nmshfqh7wyg15i16hx1yiylcvzkws29ivn66n3i0wyqwcpjr3lf")))) + (base32 "1nmshfqh7wyg15i16hx1yiylcvzkws29ivn66n3i0wyqwcpjr3lf")) + (patches + (search-patches "python-matplotlib-run-under-wayland-gtk3.patch")))) (build-system python-build-system) (propagated-inputs ; the following packages are all needed at run time `(("python-cycler" ,python-cycler) -- cgit v1.2.3 From 3905580180d8f8ed1eec07baa307b4bff0d726d6 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Mon, 1 Mar 2021 13:35:19 -0500 Subject: gnu: Python 2: Fix CVE-2021-3177. * gnu/packages/patches/python-2.7-CVE-2021-3177.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/python.scm (python-2.7)[replacement]: New field. (python-2.7/fixed): New variable. --- gnu/local.mk | 1 + .../patches/python-2.7-CVE-2021-3177.patch | 157 +++++++++++++++++++++ gnu/packages/python.scm | 9 ++ 3 files changed, 167 insertions(+) create mode 100644 gnu/packages/patches/python-2.7-CVE-2021-3177.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 81ca759503..47294d6e23 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1518,6 +1518,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-2.7-search-paths.patch \ %D%/packages/patches/python-2.7-site-prefixes.patch \ %D%/packages/patches/python-2.7-source-date-epoch.patch \ + %D%/packages/patches/python-2.7-CVE-2021-3177.patch \ %D%/packages/patches/python-3-arm-alignment.patch \ %D%/packages/patches/python-3-deterministic-build-info.patch \ %D%/packages/patches/python-3-search-paths.patch \ diff --git a/gnu/packages/patches/python-2.7-CVE-2021-3177.patch b/gnu/packages/patches/python-2.7-CVE-2021-3177.patch new file mode 100644 index 0000000000..9f2032ad4a --- /dev/null +++ b/gnu/packages/patches/python-2.7-CVE-2021-3177.patch 
@@ -0,0 +1,157 @@ +Fix CVE-2021-3177 for Python 2.7: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177 + +Patch copied from Debian: + +https://salsa.debian.org/cpython-team/python2/-/blob/e54f3303884f1362f3311ec36f070b40603dd76e/debian/patches/CVE-2021-3177.diff + +bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. +--- a/Lib/ctypes/test/test_parameters.py ++++ b/Lib/ctypes/test/test_parameters.py +@@ -206,6 +206,49 @@ class SimpleTypesTestCase(unittest.TestC + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') + ++ def test_parameter_repr(self): ++ from ctypes import ( ++ c_bool, ++ c_char, ++ c_wchar, ++ c_byte, ++ c_ubyte, ++ c_short, ++ c_ushort, ++ c_int, ++ c_uint, ++ c_long, ++ c_ulong, ++ c_longlong, ++ c_ulonglong, ++ c_float, ++ c_double, ++ c_longdouble, ++ c_char_p, ++ c_wchar_p, ++ c_void_p, ++ ) ++ self.assertRegexpMatches(repr(c_bool.from_param(True)), r"^$") ++ self.assertEqual(repr(c_char.from_param('a')), "") ++ self.assertRegexpMatches(repr(c_wchar.from_param('a')), r"^$") ++ self.assertEqual(repr(c_byte.from_param(98)), "") ++ self.assertEqual(repr(c_ubyte.from_param(98)), "") ++ self.assertEqual(repr(c_short.from_param(511)), "") ++ self.assertEqual(repr(c_ushort.from_param(511)), "") ++ self.assertRegexpMatches(repr(c_int.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_uint.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_long.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_ulong.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_longlong.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_ulonglong.from_param(20000)), r"^$") ++ self.assertEqual(repr(c_float.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1e300)), "") ++ self.assertRegexpMatches(repr(c_longdouble.from_param(1.5)), r"^$") ++ 
self.assertRegexpMatches(repr(c_char_p.from_param(b'hihi')), "^$") ++ self.assertRegexpMatches(repr(c_wchar_p.from_param('hihi')), "^$") ++ self.assertRegexpMatches(repr(c_void_p.from_param(0x12)), r"^$") ++ + ################################################################ + + if __name__ == '__main__': +--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -460,50 +460,53 @@ PyCArg_dealloc(PyCArgObject *self) + static PyObject * + PyCArg_repr(PyCArgObject *self) + { +- char buffer[256]; + switch(self->tag) { + case 'b': + case 'B': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.b); +- break; + case 'h': + case 'H': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.h); +- break; + case 'i': + case 'I': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.i); +- break; + case 'l': + case 'L': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.l); +- break; + + #ifdef HAVE_LONG_LONG + case 'q': + case 'Q': +- sprintf(buffer, +- "", ++ return PyString_FromFormat("", + self->tag, self->value.q); +- break; + #endif + case 'd': +- sprintf(buffer, "", +- self->tag, self->value.d); +- break; +- case 'f': +- sprintf(buffer, "", +- self->tag, self->value.f); +- break; ++ case 'f': { ++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); ++ if (f == NULL) { ++ return NULL; ++ } ++ PyObject *r = PyObject_Repr(f); ++ Py_DECREF(f); ++ if (r == NULL) { ++ return NULL; ++ } ++ char *value = PyString_AsString(r); ++ if (value == NULL) { ++ return NULL; ++ } ++ PyObject *result = PyString_FromFormat("", self->tag, value); ++ Py_DECREF(r); ++ return result; ++ } + + case 'c': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.c); +- break; + + /* Hm, are these 'z' and 'Z' codes useful at all? 
+ Shouldn't they be replaced by the functionality of c_string +@@ -512,16 +515,13 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.p); +- break; + + default: +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self); +- break; + } +- return PyString_FromString(buffer); + } + + static PyMemberDef PyCArgType_members[] = { diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 9d97050c66..e05c91b3d0 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -107,6 +107,7 @@ (define-public python-2.7 (package (name "python2") + (replacement python-2.7/fixed) (version "2.7.17") (source (origin @@ -350,6 +351,14 @@ data types.") (properties '((cpe-name . "python"))) (license license:psfl))) +(define python-2.7/fixed + (package + (inherit python-2.7) + (source (origin + (inherit (package-source python-2.7)) + (patches (append (search-patches "python-2.7-CVE-2021-3177.patch") + (origin-patches (package-source python-2.7)))))))) + ;; Current 2.x version. (define-public python-2 python-2.7) -- cgit v1.2.3 From 759a526f5fdd49b9136a639269afd77e2599dcb6 Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Wed, 3 Mar 2021 06:39:37 +0100 Subject: gnu: openssh: Update to 8.5p1. * gnu/packages/patches/openssh-fix-ssh-copy-id.patch: Remove patch. * gnu/local.mk (dist_patch_DATA): Also unregister it. * gnu/packages/ssh.scm (openssh): Update to 8.5p1. --- gnu/local.mk | 1 - gnu/packages/patches/openssh-fix-ssh-copy-id.patch | 38 ---------------------- gnu/packages/ssh.scm | 7 ++-- 3 files changed, 3 insertions(+), 43 deletions(-) delete mode 100644 gnu/packages/patches/openssh-fix-ssh-copy-id.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 47294d6e23..3557d9f429 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
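Review bot: In the new `case 'd': case 'f':` branch of PyCArg_repr, the early `return NULL` taken when `PyString_AsString(r)` fails leaves the reference to `r` unreleased; the other two error exits in that branch are clean. The fix is `if (value == NULL) { Py_DECREF(r); return NULL; }`. The failure is unlikely because `r` comes from `PyObject_Repr`, but the leak is cheap to close.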
@@ -1426,7 +1426,6 @@ dist_patch_DATA = \ %D%/packages/patches/openfoam-4.1-cleanup.patch \ %D%/packages/patches/openjdk-10-idlj-reproducibility.patch \ %D%/packages/patches/openmpi-mtl-priorities.patch \ - %D%/packages/patches/openssh-fix-ssh-copy-id.patch \ %D%/packages/patches/openssh-hurd.patch \ %D%/packages/patches/openresolv-restartcmd-guix.patch \ %D%/packages/patches/opensles-add-license-file.patch \ diff --git a/gnu/packages/patches/openssh-fix-ssh-copy-id.patch b/gnu/packages/patches/openssh-fix-ssh-copy-id.patch deleted file mode 100644 index 6adba639a3..0000000000 --- a/gnu/packages/patches/openssh-fix-ssh-copy-id.patch +++ /dev/null @@ -1,38 +0,0 @@ -Fix a bug where ssh-copy-id would fail with "EOF: command not found": - -https://github.com/openssh/openssh-portable/pull/206 - -Patch copied from upstream source repository: - -https://github.com/openssh/openssh-portable/commit/d9e727dcc04a52caaac87543ea1d230e9e6b5604 - -From d9e727dcc04a52caaac87543ea1d230e9e6b5604 Mon Sep 17 00:00:00 2001 -From: Oleg -Date: Thu, 1 Oct 2020 12:09:08 +0300 -Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id - ---- - contrib/ssh-copy-id | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id -index 392f64f94..a76907717 100644 ---- a/contrib/ssh-copy-id -+++ b/contrib/ssh-copy-id -@@ -247,7 +247,7 @@ installkeys_sh() { - # the -z `tail ...` checks for a trailing newline. The echo adds one if was missing - # the cat adds the keys we're getting via STDIN - # and if available restorecon is used to restore the SELinux context -- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF) -+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF - cd; - umask 077; - mkdir -p $(dirname "${AUTH_KEY_FILE}") && -@@ -258,6 +258,7 @@ installkeys_sh() { - restorecon -F .ssh ${AUTH_KEY_FILE}; - fi - EOF -+ ) - - # to defend against quirky remote shells: use 'exec sh -c' to get POSIX; - printf "exec sh -c '%s'" "${INSTALLKEYS_SH}" 
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index c94631036b..b73e9633ea 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -186,16 +186,15 @@ a server that supports the SSH-2 protocol.") (define-public openssh (package (name "openssh") - (version "8.4p1") + (version "8.5p1") (source (origin (method url-fetch) (uri (string-append "mirror://openbsd/OpenSSH/portable/" "openssh-" version ".tar.gz")) - (patches (search-patches "openssh-hurd.patch" - "openssh-fix-ssh-copy-id.patch")) + (patches (search-patches "openssh-hurd.patch")) (sha256 (base32 - "091b3pxdlj47scxx6kkf4agkx8c8sdacdxx8m1dw1cby80pd40as")))) + "09gc8rv7728chxraab85dzkdikaw4aph1wlcwcc9kai9si0kybzm")))) (build-system gnu-build-system) (native-inputs `(("groff" ,groff) ("pkg-config" ,pkg-config))) -- cgit v1.2.3 From 6891f95739c733df217ceaf5d0787cbed380ec1c Mon Sep 17 00:00:00 2001 From: Kei Kebreau Date: Thu, 4 Mar 2021 19:43:17 -0500 Subject: gnu: mupdf: Fix CVE-2021-3407. * gnu/packages/pdf.scm (mupdf)[source]: Add patch. * gnu/packages/patches/mupdf-CVE-2021-3407.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/patches/mupdf-CVE-2021-3407.patch | 51 ++++++++++++++++++++++++++ gnu/packages/pdf.scm | 3 +- 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/mupdf-CVE-2021-3407.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 3557d9f429..25afb99618 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1382,6 +1382,7 @@ dist_patch_DATA = \ %D%/packages/patches/mumps-shared-mumps.patch \ %D%/packages/patches/mumps-shared-pord.patch \ %D%/packages/patches/mupdf-fix-linkage.patch \ + %D%/packages/patches/mupdf-CVE-2021-3407.patch \ %D%/packages/patches/mupen64plus-ui-console-notice.patch \ %D%/packages/patches/mupen64plus-video-z64-glew-correct-path.patch \ %D%/packages/patches/musl-cross-locale.patch \ 
diff --git a/gnu/packages/patches/mupdf-CVE-2021-3407.patch b/gnu/packages/patches/mupdf-CVE-2021-3407.patch new file mode 100644 index 0000000000..9f901517c5 --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2021-3407.patch @@ -0,0 +1,51 @@ +This patch came from https://git.ghostscript.com/?p=mupdf.git;a=patch;h=cee7cefc610d42fd383b3c80c12cbc675443176a +and fixes CVE-2021-3407. + +From cee7cefc610d42fd383b3c80c12cbc675443176a Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Fri, 22 Jan 2021 17:05:15 +0000 +Subject: [PATCH] Bug 703366: Fix double free of object during linearization. + +This appears to happen because we parse an illegal object from +a broken file and assign it to object 0, which is defined to +be free. + +Here, we fix the parsing code so this can't happen. +--- + source/pdf/pdf-parse.c | 6 ++++++ + source/pdf/pdf-xref.c | 2 ++ + 2 files changed, 8 insertions(+) + +diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c +index 7abc8c3d4..5761c3351 100644 +--- a/source/pdf/pdf-parse.c ++++ b/source/pdf/pdf-parse.c +@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc, + fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num); + } + gen = buf->i; ++ if (gen < 0 || gen >= 65536) ++ { ++ if (try_repair) ++ *try_repair = 1; ++ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen); ++ } + + tok = pdf_lex(ctx, file, buf); + if (tok != PDF_TOK_OBJ) +diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c +index 1b2bdcd59..30197b4b8 100644 +--- a/source/pdf/pdf-xref.c ++++ b/source/pdf/pdf-xref.c +@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) + { + ofs = fz_tell(ctx, doc->file); + trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL); ++ if (num == 0) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n"); + } + fz_catch(ctx) + { +-- +2.17.1 + 
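Review bot: The `num == 0` guard added in pdf_read_new_xref throws `FZ_ERROR_GENERIC` with a message ending in `\n`, while the generation-number check added in pdf_parse_ind_obj uses `FZ_ERROR_SYNTAX` and no trailing newline. Both reject malformed input, so they could agree, e.g. `fz_throw(ctx, FZ_ERROR_SYNTAX, "Trailer object number cannot be 0");`, assuming the catch block that follows does not treat the two error classes differently. The guard sits at this one call site; whether other callers of pdf_parse_ind_obj can still assign a parsed object to object 0 is not visible from the hunk. Because the patch is copied verbatim from upstream, any such change belongs upstream rather than in the local copy.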
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index daea7ee8ad..e81c3caf87 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -724,7 +724,8 @@ extracting content or merging files.") "mupdf-" version "-source.tar.xz")) (sha256 (base32 "16m5sksil22sshxy70xkslsb2qhvcqb1d95i9savnhds1xn4ybar")) - (patches (search-patches "mupdf-fix-linkage.patch")) + (patches (search-patches "mupdf-fix-linkage.patch" + "mupdf-CVE-2021-3407.patch")) (modules '((guix build utils))) (snippet '(begin -- cgit v1.2.3