From 0fb9a15bb5faf34214689810ff98b23a4295f04e Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Wed, 15 Jun 2016 11:02:16 +0200 Subject: gnu: grue-hunter: Move to (gnu packages games). * gnu/packages/grue-hunter.scm: Remove. Move contents to... * gnu/packages/games.scm (grue-hunter): ... here. New variable. * gnu/local.mk (GNU_SYSTEM_MODULES): Adjust accordingly. --- gnu/local.mk | 1 - 1 file changed, 1 deletion(-) (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 73aef0aa8e..df1e76979c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -154,7 +154,6 @@ GNU_SYSTEM_MODULES = \ %D%/packages/graphviz.scm \ %D%/packages/groff.scm \ %D%/packages/grub.scm \ - %D%/packages/grue-hunter.scm \ %D%/packages/gsasl.scm \ %D%/packages/gstreamer.scm \ %D%/packages/gtk.scm \ -- cgit v1.2.3 From d3a858cb32b68bf2e2ebb97c67dfca97ab59690d Mon Sep 17 00:00:00 2001 From: Hartmut Goebel Date: Tue, 14 Jun 2016 23:14:13 +0200 Subject: gnu: Add teensy-loader-cli. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/flashing-tools.scm (teensy-loader-cli): New variable. * gnu/packages/patches/teensy-loader-cli-help.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Co-authored-by: Ludovic Courtès --- gnu/local.mk | 1 + gnu/packages/flashing-tools.scm | 51 +++++++++++++++++++++++ gnu/packages/patches/teensy-loader-cli-help.patch | 33 +++++++++++++++ 3 files changed, 85 insertions(+) create mode 100644 gnu/packages/patches/teensy-loader-cli-help.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index df1e76979c..834a6e5cee 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -774,6 +774,7 @@ dist_patch_DATA = \
 %D%/packages/patches/tcl-mkindex-deterministic.patch \
 %D%/packages/patches/tclxml-3.2-install.patch \
 %D%/packages/patches/tcsh-fix-autotest.patch \
+ %D%/packages/patches/teensy-loader-cli-help.patch \
 %D%/packages/patches/texi2html-document-encoding.patch \
 %D%/packages/patches/texi2html-i18n.patch \
 %D%/packages/patches/tidy-CVE-2015-5522+5523.patch \
diff --git a/gnu/packages/flashing-tools.scm b/gnu/packages/flashing-tools.scm
index 37a10726e3..0ab8bc57ee 100644
--- a/gnu/packages/flashing-tools.scm
+++ b/gnu/packages/flashing-tools.scm
@@ -160,3 +160,54 @@ With dfu-util you are able to download firmware to your device or upload
 firmware from it.")
 (home-page "http://dfu-util.sourceforge.net/")
 (license gpl2+)))
+
+(define-public teensy-loader-cli
+ ;; The repo does not tag versions nor does it use releases, but a commit
+ ;; message says "Importing 2.1", while the sourcce still says "2.0". So pin
+ ;; to a fixed commit.
+ (let ((commit "f289b7a2e5627464044249f0e5742830e052e360"))
+ (package
+ (name "teensy-loader-cli")
+ (version (string-append "2.1-1." (string-take commit 7)))
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/PaulStoffregen/"
+ "teensy_loader_cli/archive/" commit ".tar.gz"))
+ (sha256 (base32 "17wqc2q4fa473cy7f5m2yiyb9nq0qw7xal2kzrxzaikgm9rabsw8"))
+ (file-name (string-append "teensy-loader-cli-" version ".tar.gz" ))
+ (modules '((guix build utils)))
+ (snippet
+ `(begin
+ ;; Remove example flash files and teensy rebooter flash binaries.
+ (for-each delete-file (find-files "." "\\.(elf|hex)$"))
+ ;; Fix the version
+ (substitute* "teensy_loader_cli.c"
+ (("Teensy Loader, Command Line, Version 2.0\\\\n")
+ (string-append "Teensy Loader, Command Line, " ,version "\\n")))
+ #t))
+ (patches (search-patches "teensy-loader-cli-help.patch"))))
+ (build-system gnu-build-system)
+ (arguments
+ '(#:tests? #f ;; Makefile has no test target
+ #:make-flags (list "CC=gcc" (string-append "PREFIX=" %output))
+ #:phases
+ (modify-phases %standard-phases
+ (delete 'configure)
+ (replace 'install
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((out (assoc-ref outputs "out"))
+ (bin (string-append out "/bin")))
+ (install-file "teensy_loader_cli" bin)
+ #t))))))
+ (inputs
+ `(("libusb-compat" ,libusb-compat)))
+ (synopsis "Command line firmware uploader for Teensy development boards")
+ (description
+ "The Teensy loader program communicates with your Teensy board when the
+HalfKay bootloader is running, so you can upload new programs and run them.
+ +You need to add the udev rules to make the Teensy update available for +non-root users.") + (home-page "https://www.pjrc.com/teensy/loader_cli.html") + (license gpl3)))) diff --git a/gnu/packages/patches/teensy-loader-cli-help.patch b/gnu/packages/patches/teensy-loader-cli-help.patch new file mode 100644 index 0000000000..8b3fda128a --- /dev/null +++ b/gnu/packages/patches/teensy-loader-cli-help.patch @@ -0,0 +1,33 @@ +Add support for '-h' (help). + +https://github.com/PaulStoffregen/teensy_loader_cli/pull/26 + +--- + teensy_loader_cli.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/teensy_loader_cli.c b/teensy_loader_cli.c +index d4a6cc5..0a06209 100644 +--- a/teensy_loader_cli.c ++++ b/teensy_loader_cli.c +@@ -37,7 +37,8 @@ void usage(const char *err) + { + if(err != NULL) fprintf(stderr, "%s\n\n", err); + fprintf(stderr, +- "Usage: teensy_loader_cli --mcu= [-w] [-h] [-n] [-b] [-v] \n" ++ "Usage: teensy_loader_cli --mcu= [-h] [-w] [-n] [-b] [-v] \n" ++ "\t-h : Print this help message\n" + "\t-w : Wait for device to appear\n" + "\t-r : Use hard reboot if device not online\n" + "\t-s : Use soft reboot if device not online (Teensy3.x only)\n" +@@ -1081,6 +1082,7 @@ void parse_flag(char *arg) + int i; + for(i=1; arg[i]; i++) { + switch(arg[i]) { ++ case 'h': usage(NULL); break; + case 'w': wait_for_device_to_appear = 1; break; + case 'r': hard_reboot_device = 1; break; + case 's': soft_reboot_device = 1; break; +-- +2.7.4 + -- cgit v1.2.3 From ce9cf64b787aeb063823f0e9056db5b644ef5f75 Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Tue, 14 Jun 2016 14:18:54 +0200 Subject: gnu: Add log4cpp. * gnu/packages/logging.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. --- gnu/local.mk | 1 + gnu/packages/logging.scm | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 gnu/packages/logging.scm (limited to 'gnu/local.mk') 
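Review bot: The origin downloads a GitHub auto-generated archive (`teensy_loader_cli/archive/<commit>.tar.gz`) pinned by sha256; those archives are regenerated on GitHub's side and their bytes are not guaranteed stable, so the fixed hash can start failing while the pinned commit is unchanged — fetching the commit with `git-fetch` makes the origin reproducible (this needs `(guix git-download)` among the module's imports, which the hunk does not show). Two small cleanups in the same hunk: the comment above the `let` spells `sourcce` for `source`, and `".tar.gz" )` has a stray space before the closing paren. Note also that the `substitute*` in the snippet silently does nothing when the banner literal does not match, so the version rewrite is only effective if upstream's string is exactly `Version 2.0` at this commit.
```scheme
(source
 (origin
   (method git-fetch)
   (uri (git-reference
         (url "https://github.com/PaulStoffregen/teensy_loader_cli")
         (commit commit)))
   (file-name (string-append "teensy-loader-cli-" version "-checkout"))
   (sha256 (base32 "PLACEHOLDER-recompute-hash-for-the-git-checkout"))
   ;; … unchanged: modules, snippet, patches …
```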
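Review bot: The added `case 'h': usage(NULL); break;` relies on `usage()` terminating the process, but the hunk only shows `usage()` printing to stderr; if it returns, `-h` prints the help and then continues into the normal flag handling and whatever follows. If `usage()` is known to exit, a one-line comment at the `case 'h'` line, `/* usage() does not return */`, makes that explicit; otherwise an explicit `exit(0);` after the call is needed. Both `usage` and `parse_flag` continue outside the hunk.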
diff --git a/gnu/local.mk b/gnu/local.mk
index 834a6e5cee..8036c0ea4b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -211,6 +211,7 @@ GNU_SYSTEM_MODULES = \
 %D%/packages/lisp.scm \
 %D%/packages/llvm.scm \
 %D%/packages/lout.scm \
+ %D%/packages/logging.scm \
 %D%/packages/lsh.scm \
 %D%/packages/lsof.scm \
 %D%/packages/lua.scm \
diff --git a/gnu/packages/logging.scm b/gnu/packages/logging.scm
new file mode 100644
index 0000000000..68af09e08c
--- /dev/null
+++ b/gnu/packages/logging.scm
@@ -0,0 +1,47 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2016 Ricardo Wurmus
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see .
+
+(define-module (gnu packages logging)
+ #:use-module ((guix licenses) #:prefix license:)
+ #:use-module (guix packages)
+ #:use-module (guix utils)
+ #:use-module (guix download)
+ #:use-module (guix build-system gnu)
+ #:use-module (gnu packages))
+
+(define-public log4cpp
+ (package
+ (name "log4cpp")
+ (version "1.1.1")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://sourceforge/log4cpp/log4cpp-"
+ (version-major+minor version) ".x%20%28new%29"
+ "/log4cpp-" (version-major+minor version)
+ "/log4cpp-" version ".tar.gz"))
+ (sha256
+ (base32
+ "1l5yz5rfzzv6g3ynrj14mxfsk08cp5h1ssr7d74hjs0accrg7arm"))))
+ (build-system gnu-build-system)
+ (synopsis "Log library for C++")
+ (description
+ "Log4cpp is library of C++ classes for flexible logging to files, syslog,
+IDSA and other destinations. It is modeled after the Log4j Java library,
+staying as close to their API as is reasonable.")
+ (home-page "http://log4cpp.sourceforge.net/")
+ (license license:lgpl2.1+)))
-- cgit v1.2.3 From 9c4a8514d621b6e2a19f56fa9b3396c940b968c5 Mon Sep 17 00:00:00 2001
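Review bot: The description reads `Log4cpp is library of C++ classes`; it should be `Log4cpp is a library of C++ classes`. The `home-page` is given over plain `http://`; if the project serves HTTPS, `https://log4cpp.sourceforge.net/` is preferable since this is the URL users are pointed to. The rest of the definition is straightforward: a sourceforge mirror URI derived from `version-major+minor` plus a pinned sha256.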
From: Leo Famulari Date: Mon, 13 Jun 2016 16:15:34 -0400 Subject: gnu: openssl: Fix CVE-2016-2177 and CVE-2016-2178. * gnu/packages/patches/openssl-CVE-2016-2177.patch, gnu/packages/patches/openssl-CVE-2016-2178.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/tls.scm (openssl/fixed): Use them. --- gnu/local.mk | 2 + gnu/packages/patches/openssl-CVE-2016-2177.patch | 286 +++++++++++++++++++++++ gnu/packages/patches/openssl-CVE-2016-2178.patch | 112 +++++++++ gnu/packages/tls.scm | 4 +- 4 files changed, 403 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/openssl-CVE-2016-2177.patch create mode 100644 gnu/packages/patches/openssl-CVE-2016-2178.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 8036c0ea4b..83f4218a6e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -686,6 +686,8 @@ dist_patch_DATA = \ %D%/packages/patches/openssh-CVE-2015-8325.patch \ %D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-c-rehash-in.patch \ + %D%/packages/patches/openssl-CVE-2016-2177.patch \ + %D%/packages/patches/openssl-CVE-2016-2178.patch \ %D%/packages/patches/orpheus-cast-errors-and-includes.patch \ %D%/packages/patches/ots-no-include-missing-file.patch \ %D%/packages/patches/patchelf-page-size.patch \ diff --git a/gnu/packages/patches/openssl-CVE-2016-2177.patch b/gnu/packages/patches/openssl-CVE-2016-2177.patch new file mode 100644 index 0000000000..f6465aeaa7 --- /dev/null +++ b/gnu/packages/patches/openssl-CVE-2016-2177.patch 
@@ -0,0 +1,286 @@ +Fix CVE-2016-2177. + + + +Source: + + +From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 5 May 2016 11:10:26 +0100 +Subject: [PATCH] Avoid some undefined pointer arithmetic + +A common idiom in the codebase is: + +if (p + len > limit) +{ + return; /* Too long */ +} + +Where "p" points to some malloc'd data of SIZE bytes and +limit == p + SIZE + +"len" here could be from some externally supplied data (e.g. from a TLS +message). + +The rules of C pointer arithmetic are such that "p + len" is only well +defined where len <= SIZE. Therefore the above idiom is actually +undefined behaviour. + +For example this could cause problems if some malloc implementation +provides an address for "p" such that "p + len" actually overflows for +values of len that are too big and therefore p + len < limit! + +Issue reported by Guido Vranken. + +CVE-2016-2177 + +Reviewed-by: Rich Salz +--- + ssl/s3_srvr.c | 14 +++++++------- + ssl/ssl_sess.c | 2 +- + ssl/t1_lib.c | 56 ++++++++++++++++++++++++++++++-------------------------- + 3 files changed, 38 insertions(+), 34 deletions(-) + +diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c +index ab28702..ab7f690 100644 +--- a/ssl/s3_srvr.c ++++ b/ssl/s3_srvr.c +@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s) + + session_length = *(p + SSL3_RANDOM_SIZE); + +- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { ++ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s) + /* get the session-id */ + j = *(p++); + +- if (p + j > d + n) { ++ if ((d + n) - p < j) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s) + + if (SSL_IS_DTLS(s)) { + /* cookie stuff */ +- if (p + 1 > d + n) { ++ if ((d + n) - p < 
1) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + cookie_len = *(p++); + +- if (p + cookie_len > d + n) { ++ if ((d + n ) - p < cookie_len) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s) + } + } + +- if (p + 2 > d + n) { ++ if ((d + n ) - p < 2) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s) + } + + /* i bytes of cipher data + 1 byte for compression length later */ +- if ((p + i + 1) > (d + n)) { ++ if ((d + n) - p < i + 1) { + /* not enough data */ + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); +@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s) + + /* compression */ + i = *(p++); +- if ((p + i) > (d + n)) { ++ if ((d + n) - p < i) { + /* not enough data */ + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); +diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c +index b182998..54ee783 100644 +--- a/ssl/ssl_sess.c ++++ b/ssl/ssl_sess.c +@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, + int r; + #endif + +- if (session_id + len > limit) { ++ if (limit - session_id < len) { + fatal = 1; + goto err; + } +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index fb64607..cdac011 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, + 0x02, 0x03, /* SHA-1/ECDSA */ + }; + +- if (data >= (limit - 2)) ++ if (limit - data <= 2) + return; + data += 2; + +- if (data > (limit - 4)) ++ if (limit - data < 4) + return; + n2s(data, type); + n2s(data, size); +@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, + if (type != TLSEXT_TYPE_server_name) + return; 
+ +- if (data + size > limit) ++ if (limit - data < size) + return; + data += size; + +@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, + const size_t len1 = sizeof(kSafariExtensionsBlock); + const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); + +- if (data + len1 + len2 != limit) ++ if (limit - data != (int)(len1 + len2)) + return; + if (memcmp(data, kSafariExtensionsBlock, len1) != 0) + return; +@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, + } else { + const size_t len = sizeof(kSafariExtensionsBlock); + +- if (data + len != limit) ++ if (limit - data != (int)(len)) + return; + if (memcmp(data, kSafariExtensionsBlock, len) != 0) + return; +@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, + if (data == limit) + goto ri_check; + +- if (data > (limit - 2)) ++ if (limit - data < 2) + goto err; + + n2s(data, len); + +- if (data + len != limit) ++ if (limit - data != len) + goto err; + +- while (data <= (limit - 4)) { ++ while (limit - data >= 4) { + n2s(data, type); + n2s(data, size); + +- if (data + size > (limit)) ++ if (limit - data < size) + goto err; + # if 0 + fprintf(stderr, "Received extension type %d size %d\n", type, size); +@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s, + if (s->hit || s->cert->srv_ext.meths_count == 0) + return 1; + +- if (data >= limit - 2) ++ if (limit - data <= 2) + return 1; + n2s(data, len); + +- if (data > limit - len) ++ if (limit - data < len) + return 1; + +- while (data <= limit - 4) { ++ while (limit - data >= 4) { + n2s(data, type); + n2s(data, size); + +- if (data + size > limit) ++ if (limit - data < size) + return 1; + if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0) + return 0; +@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, + SSL_TLSEXT_HB_DONT_SEND_REQUESTS); + # endif + +- if (data >= (d + n - 2)) 
++ if ((d + n) - data <= 2) + goto ri_check; + + n2s(data, length); +- if (data + length != d + n) { ++ if ((d + n) - data != length) { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + +- while (data <= (d + n - 4)) { ++ while ((d + n) - data >= 4) { + n2s(data, type); + n2s(data, size); + +- if (data + size > (d + n)) ++ if ((d + n) - data < size) + goto ri_check; + + if (s->tlsext_debug_cb) +@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, + /* Skip past DTLS cookie */ + if (SSL_IS_DTLS(s)) { + i = *(p++); +- p += i; +- if (p >= limit) ++ ++ if (limit - p <= i) + return -1; ++ ++ p += i; + } + /* Skip past cipher list */ + n2s(p, i); +- p += i; +- if (p >= limit) ++ if (limit - p <= i) + return -1; ++ p += i; ++ + /* Skip past compression algorithm list */ + i = *(p++); +- p += i; +- if (p > limit) ++ if (limit - p < i) + return -1; ++ p += i; ++ + /* Now at start of extensions */ +- if ((p + 2) >= limit) ++ if (limit - p <= 2) + return 0; + n2s(p, i); +- while ((p + 4) <= limit) { ++ while (limit - p >= 4) { + unsigned short type, size; + n2s(p, type); + n2s(p, size); +- if (p + size > limit) ++ if (limit - p < size) + return 0; + if (type == TLSEXT_TYPE_session_ticket) { + int r; +-- +2.8.4 + diff --git a/gnu/packages/patches/openssl-CVE-2016-2178.patch b/gnu/packages/patches/openssl-CVE-2016-2178.patch new file mode 100644 index 0000000000..37cf2763af --- /dev/null +++ b/gnu/packages/patches/openssl-CVE-2016-2178.patch 
@@ -0,0 +1,112 @@ +Fix CVE-2016-2178. + + + +Source: + + + +From 621eaf49a289bfac26d4cbcdb7396e796784c534 Mon Sep 17 00:00:00 2001 +From: Cesar Pereida +Date: Mon, 23 May 2016 12:45:25 +0300 +Subject: [PATCH 1/2] Fix DSA, preserve BN_FLG_CONSTTIME + +Operations in the DSA signing algorithm should run in constant time in +order to avoid side channel attacks. A flaw in the OpenSSL DSA +implementation means that a non-constant time codepath is followed for +certain operations. This has been demonstrated through a cache-timing +attack to be sufficient for an attacker to recover the private DSA key. + +CVE-2016-2178 + +Reviewed-by: Richard Levitte +Reviewed-by: Matt Caswell +--- + crypto/dsa/dsa_ossl.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c +index efc4f1b..b29eb4b 100644 +--- a/crypto/dsa/dsa_ossl.c ++++ b/crypto/dsa/dsa_ossl.c +@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + if (!BN_rand_range(&k, dsa->q)) + goto err; + while (BN_is_zero(&k)) ; +- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { +- BN_set_flags(&k, BN_FLG_CONSTTIME); +- } + + if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { + if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, +@@ -279,9 +276,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + } + + K = &kq; ++ ++ BN_set_flags(K, BN_FLG_CONSTTIME); + } else { + K = &k; + } ++ + DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, + dsa->method_mont_p); + if (!BN_mod(r, r, dsa->q, ctx)) +-- +2.8.4 + +From b7d0f2834e139a20560d64c73e2565e93715ce2b Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 7 Jun 2016 09:12:51 +0100 +Subject: [PATCH 2/2] More fix DSA, preserve BN_FLG_CONSTTIME + +The previous "fix" still left "k" exposed to constant time problems in +the later BN_mod_inverse() call. Ensure both k and kq have the +BN_FLG_CONSTTIME flag set at the earliest opportunity after creation. 
+ +CVE-2016-2178 + +Reviewed-by: Rich Salz +--- + crypto/dsa/dsa_ossl.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c +index b29eb4b..58013a4 100644 +--- a/crypto/dsa/dsa_ossl.c ++++ b/crypto/dsa/dsa_ossl.c +@@ -247,7 +247,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + do + if (!BN_rand_range(&k, dsa->q)) + goto err; +- while (BN_is_zero(&k)) ; ++ while (BN_is_zero(&k)); ++ ++ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { ++ BN_set_flags(&k, BN_FLG_CONSTTIME); ++ } ++ + + if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { + if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, +@@ -261,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + if (!BN_copy(&kq, &k)) + goto err; + ++ BN_set_flags(&kq, BN_FLG_CONSTTIME); ++ + /* + * We do not want timing information to leak the length of k, so we + * compute g^k using an equivalent exponent of fixed length. (This +@@ -276,8 +283,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + } + + K = &kq; +- +- BN_set_flags(K, BN_FLG_CONSTTIME); + } else { + K = &k; + } +-- +2.8.4 + diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index e543a7e3fe..513edcc1a6 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -316,7 +316,9 @@ required structures.") (base32 "06996ds1rk8xhnyb5y273a7xkcxhggp4bq1g02rab55d7bjhfh0x")) (patches (search-patches "openssl-runpath.patch" - "openssl-c-rehash-in.patch"))))))) + "openssl-c-rehash-in.patch" + "openssl-CVE-2016-2177.patch" + "openssl-CVE-2016-2178.patch"))))))) (define-public libressl (package -- cgit v1.2.3 From 03c1662e385bb339bbfe6cc02d7498f5891d0dc1 Mon Sep 17 00:00:00 2001 
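Review bot: The header `Fix CVE-2016-2178.` does not say that the file bundles two upstream commits (621eaf49 and b7d0f283) and that the second partly undoes the first: the first hunk removes `BN_set_flags(&k, BN_FLG_CONSTTIME)` after `BN_rand_range` and sets the flag on `K` after `K = &kq`, while the second puts it back on `k` right after generation and on `kq` right after `BN_copy`, deleting the late `BN_set_flags(K, …)`. Read on its own, the first commit looks as if `k` loses its constant-time flag before the later `BN_mod_inverse()` call, which is exactly what the second commit's message names as the remaining leak. A header line such as `Fix CVE-2016-2178 (DSA nonce side channel): two upstream commits, the second corrects where the first sets BN_FLG_CONSTTIME; apply as a unit.` would stop someone trimming the file to the first commit. The `Source:` line above each commit appears empty here, possibly lost in rendering; if the URLs really are absent they should be added so the backport can be traced.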
From: Leo Famulari Date: Sat, 5 Mar 2016 02:33:09 -0500 Subject: gnu: Add gnome-maps. * gnu/packages/geo.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. --- gnu/local.mk | 1 + gnu/packages/geo.scm | 94 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 95 insertions(+) create mode 100644 gnu/packages/geo.scm (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 83f4218a6e..abd05ef01a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -132,6 +132,7 @@ GNU_SYSTEM_MODULES = \ %D%/packages/gcc.scm \ %D%/packages/gd.scm \ %D%/packages/gdb.scm \ + %D%/packages/geo.scm \ %D%/packages/geeqie.scm \ %D%/packages/gettext.scm \ %D%/packages/ghostscript.scm \ diff --git a/gnu/packages/geo.scm b/gnu/packages/geo.scm new file mode 100644 index 0000000000..1ef5eeb487 --- /dev/null +++ b/gnu/packages/geo.scm 
@@ -0,0 +1,94 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2016 Leo Famulari
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see .
+
+(define-module (gnu packages geo)
+ #:use-module (guix build-system glib-or-gtk)
+ #:use-module (guix download)
+ #:use-module (guix licenses)
+ #:use-module (guix packages)
+ #:use-module (guix utils)
+ #:use-module (gnu packages glib)
+ #:use-module (gnu packages gnome)
+ #:use-module (gnu packages gtk)
+ #:use-module (gnu packages pkg-config)
+ #:use-module (gnu packages webkit)
+ #:use-module (gnu packages xml))
+
+;;; FIXME GNOME Maps only runs within GNOME. On i3, it fails with this error:
+;;; (org.gnome.Maps:8568): GLib-GIO-ERROR **: Settings schema
+;;; 'org.gnome.desktop.interface' is not installed
+(define-public gnome-maps
+ (package
+ (name "gnome-maps")
+ (version "3.18.2")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://gnome/sources/" name "/"
+ (version-major+minor version) "/"
+ name "-" version ".tar.xz"))
+ (sha256
+ (base32
+ "0y4jmh5hwskh2mnladh9hxp9k8as7crm8wwwiifvxsjjj9az2gv9"))))
+ (build-system glib-or-gtk-build-system)
+ (arguments
+ `(#:configure-flags ; Ensure that geoclue is referred to by output.
+ (list (string-append "LDFLAGS=-L"
+ (assoc-ref %build-inputs "geoclue") "/lib")
+ (string-append "CFLAGS=-I"
+ (assoc-ref %build-inputs "geoclue") "/include"))
+ #:phases
+ (modify-phases %standard-phases
+ (add-after
+ 'install 'wrap
+ (lambda* (#:key inputs outputs #:allow-other-keys)
+ (let ((out (assoc-ref outputs "out"))
+ (gi-typelib-path (getenv "GI_TYPELIB_PATH"))
+ (goa-path (string-append
+ (assoc-ref inputs "gnome-online-accounts")
+ "/lib")))
+ (wrap-program (string-append out "/bin/gnome-maps")
+ `("GI_TYPELIB_PATH" ":" prefix (,gi-typelib-path))
+
+ ;; There seems to be no way to embed the path of libgoa-1.0.so.0.
+ `("LD_LIBRARY_PATH" ":" prefix (,goa-path)))
+ #t))))))
+ (native-inputs
+ `(("gobject-introspection" ,gobject-introspection)
+ ("intltool" ,intltool)
+ ("pkg-config" ,pkg-config)))
+ (inputs
+ `(("folks" ,folks)
+ ("libchamplain" ,libchamplain)
+ ("libgee" ,libgee)
+ ("libxml2" ,libxml2)
+ ("geoclue" ,geoclue)
+ ("geocode-glib" ,geocode-glib)
+ ("gfbgraph" ,gfbgraph)
+ ("gjs" ,gjs)
+ ("glib" ,glib)
+ ("gnome-online-accounts" ,gnome-online-accounts)
+ ("rest" ,rest)
+ ("webkitgtk" ,webkitgtk)))
+ (propagated-inputs
+ `(("gtk+3" ,gtk+)))
+ (synopsis "Graphical map viewer and wayfinding program")
+ (description "GNOME Maps is a graphical map viewer. It uses map data from
+the OpenStreetMap project. It can provide directions for walking, bicycling,
+and driving.")
+ (home-page "https://wiki.gnome.org/Apps/Maps")
+ (license gpl2+)))
-- cgit v1.2.3 From 3d1240aa2561792895795315c7783a28bf4412af Mon Sep 17 00:00:00 2001
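Review bot: The `wrap` phase prepends the gnome-online-accounts lib directory to `LD_LIBRARY_PATH`, and that variable is inherited by every process gnome-maps launches, where it takes precedence over those programs' own RUNPATH; the comment `;; There seems to be no way to embed the path of libgoa-1.0.so.0.` should say why an rpath will not do (presumably libgoa is loaded at run time through GObject introspection rather than linked — worth confirming) and that the setting leaks to child processes. Suggested replacement: `;; libgoa-1.0.so.0 is not linked into the binary, so an rpath cannot carry it; LD_LIBRARY_PATH is the fallback and is inherited by every child process.` Separately, `(getenv "GI_TYPELIB_PATH")` returns `#f` if the variable is unset in the build environment, which would put `#f` into the wrapper's prefix list; if that can happen here, guard it rather than letting `wrap-program` see a non-string.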
From: Carlo Zancanaro Date: Wed, 15 Jun 2016 22:15:33 +1000 Subject: gnu: Add awesome. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/wm.scm (awesome): New variable. * gnu/packages/patches/awesome-reproducible-png.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Co-authored-by: Ludovic Courtès --- gnu/local.mk | 1 + .../patches/awesome-reproducible-png.patch | 14 ++++ gnu/packages/wm.scm | 96 ++++++++++++++++++++++ 3 files changed, 111 insertions(+) create mode 100644 gnu/packages/patches/awesome-reproducible-png.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index abd05ef01a..55fea0e855 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -439,6 +439,7 @@ dist_patch_DATA = \ %D%/packages/patches/avahi-localstatedir.patch \ %D%/packages/patches/avidemux-install-to-lib.patch \ %D%/packages/patches/avrdude-fix-libusb.patch \ + %D%/packages/patches/awesome-reproducible-png.patch \ %D%/packages/patches/bash-completion-directories.patch \ %D%/packages/patches/bigloo-gc-shebangs.patch \ %D%/packages/patches/binutils-ld-new-dtags.patch \ diff --git a/gnu/packages/patches/awesome-reproducible-png.patch b/gnu/packages/patches/awesome-reproducible-png.patch new file mode 100644 index 0000000000..0fae65bc71 --- /dev/null +++ b/gnu/packages/patches/awesome-reproducible-png.patch @@ -0,0 +1,14 @@ +Do not introduce timestamps in PNG files (for icons). +See . + +--- awesome-3.4.15/CMakeLists.txt 2013-02-11 14:50:21.000000000 +0100 ++++ awesome-3.4.15/CMakeLists.txt 2016-06-16 13:59:30.528125439 +0200 +@@ -295,7 +295,7 @@ macro(a_icon_convert match replacement i + set(ALL_ICONS ${ALL_ICONS} ${output}) + + add_custom_command( +- COMMAND ${CONVERT_EXECUTABLE} ${input} ${ARGN} ${output} ++ COMMAND ${CONVERT_EXECUTABLE} +set date:create +set date:modify -define png:exclude-chunk=time ${input} ${ARGN} ${output} + OUTPUT ${output} + DEPENDS ${input} + VERBATIM) 
diff --git a/gnu/packages/wm.scm b/gnu/packages/wm.scm
index 5f32fc478d..f385d2b4fb 100644
--- a/gnu/packages/wm.scm
+++ b/gnu/packages/wm.scm
@@ -7,6 +7,8 @@
 ;;; Copyright © 2016 Danny Milosavljevic
 ;;; Copyright © 2016 Efraim Flashner
 ;;; Copyright © 2016 Al McElrath
+;;; Copyright © 2016 Carlo Zancanaro
+;;; Copyright © 2016 Ludovic Courtès
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -28,6 +30,7 @@
 #:use-module (guix packages)
 #:use-module (gnu packages)
 #:use-module (gnu packages linux)
+ #:use-module (guix build-system cmake)
 #:use-module (guix build-system gnu)
 #:use-module (guix build-system haskell)
 #:use-module (gnu packages haskell)
@@ -49,6 +52,11 @@
 #:use-module (gnu packages maths)
 #:use-module (gnu packages web)
 #:use-module (gnu packages fontutils)
+ #:use-module (gnu packages freedesktop)
+ #:use-module (gnu packages glib)
+ #:use-module (gnu packages gperf)
+ #:use-module (gnu packages imagemagick)
+ #:use-module (gnu packages lua)
 #:use-module (guix download)
 #:use-module (guix git-download))
@@ -370,3 +378,91 @@ and easy to handle yet full of features to make an easy and fast desktop
 experience.")
 (home-page "http://fluxbox.org/")
 (license license:expat)))
+
+(define-public awesome
+ (package
+ (name "awesome")
+ (version "3.4.15")
+ (source
+ (origin (method url-fetch)
+ (uri (string-append
+ "https://awesome.naquadah.org/download/awesome-"
+ version ".tar.xz"))
+ (sha256
+ (base32
+ "1m910lr7wkw2dgzmirfvz7dasfswhhccdf65l21iiciv24c3w1bb"))
+ (modules '((guix build utils)
+ (srfi srfi-19)))
+ (imported-modules '((guix build utils)))
+ (snippet
+ ;; Remove non-reproducible timestamp and use the date of the
+ ;; source file instead.
+ '(substitute* "common/version.c"
+ (("__DATE__ \" \" __TIME__")
+ (date->string
+ (time-utc->date
+ (make-time time-utc 0
+ (stat:mtime (stat "awesome.c"))))
+ "\"~c\""))))
+ (patches (search-patches "awesome-reproducible-png.patch"))))
+ (build-system cmake-build-system)
+ (native-inputs `(("asciidoc" ,asciidoc)
+ ("docbook-xsl" ,docbook-xsl)
+ ("doxygen" ,doxygen)
+ ("gperf" ,gperf)
+ ("imagemagick" ,imagemagick)
+ ("libxml2" ,libxml2) ;for XML_CATALOG_FILES
+ ("pkg-config" ,pkg-config)
+ ("xmlto" ,xmlto)))
+ (inputs `(("cairo" ,cairo)
+ ("dbus" ,dbus)
+ ("gdk-pixbuf" ,gdk-pixbuf)
+ ("glib" ,glib)
+ ("imlib2" ,imlib2)
+ ("libev" ,libev)
+ ("libxcb" ,libxcb)
+ ("libxcursor" ,libxcursor)
+ ("libxdg-basedir" ,libxdg-basedir)
+ ("lua" ,lua-5.1)
+ ("pango" ,pango)
+ ("startup-notification" ,startup-notification)
+ ("xcb-util" ,xcb-util)
+ ("xcb-util-cursor" ,xcb-util-cursor)
+ ("xcb-util-image" ,xcb-util-image)
+ ("xcb-util-keysyms" ,xcb-util-keysyms)
+ ("xcb-util-renderutil" ,xcb-util-renderutil)
+ ("xcb-util-wm" ,xcb-util-wm)))
+ (arguments
+ `(;; Let compression happen in our 'compress-documentation' phase so that
+ ;; '--no-name' is used, which removes timestamps from gzip output.
+ #:configure-flags '("-DCOMPRESS_MANPAGES=off")
+
+ #:phases (modify-phases %standard-phases
+ (add-before 'build 'xmlto-skip-validation
+ (lambda _
+ ;; We can't download the necessary schema, so so skip
+ ;; validation and assume they're valid.
+ (substitute* "../build/CMakeFiles/man.dir/build.make"
+ (("/xmlto")
+ (string-append "/xmlto --skip-validation")))
+ #t))
+ (replace 'check
+ (lambda _
+ ;; There aren't any tests, so just make sure the binary
+ ;; gets built and can be run successfully.
+ (zero? (system* "../build/awesome" "-v")))))))
+ (synopsis "Highly configurable window manager")
+ (description
+ "awesome is a window manager for X. It manages windows in different
+layouts, like floating or tiled. Any layout can be applied dynamically,
+optimizing the environment for the application in use and the task currently
+being performed.
+
+In a tiled layout, windows are managed in a master and stacking area. In a
+floating layout windows can be resized and moved freely. Dialog windows are
+always managed as floating, regardless of the layout currently applied.
+
+Windows are grouped by tags in awesome. Each window can be tagged with one or
+more tags. Selecting certain tags displays all windows with these tags.")
+ (license license:gpl2+)
+ (home-page "https://awesome.naquadah.org/")))
-- cgit v1.2.3
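Review bot: The comment in `xmlto-skip-validation` reads `so so skip`; it should be `so skip`. That phase edits a CMake-generated makefile, `../build/CMakeFiles/man.dir/build.make`, and `substitute*` does not fail when its pattern matches nothing, so a change in the generated layout would silently leave validation enabled and surface only as a later network failure inside `xmlto`. A comment recording that dependency, e.g. `;; Relies on the layout of CMake-generated makefiles; re-check on CMake or awesome upgrades.`, would help the next maintainer. The `check` replacement only runs `awesome -v`, which its comment already states plainly, so that part reads fine as a smoke test.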