From 323841bda4e5b8f9b30626ab768aaf711ee6aabf Mon Sep 17 00:00:00 2001
From: Vincent Legoll
Date: Thu, 12 Mar 2020 01:51:12 +0100
Subject: gnu: Add nvme-cli
* gnu/packages/linux.scm (nvme-cli): New variable.
Signed-off-by: Leo Famulari
---
gnu/packages/linux.scm | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
(limited to 'gnu/packages/linux.scm')
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 688d9eefaf..f1bc5798ab 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3577,6 +3577,36 @@ IDE driver subsystem. Many external USB drive enclosures with SCSI-ATA Command
Translation (@dfn{SAT}) are also supported.")
(license (license:non-copyleft "file://LICENSE.TXT"))))
+(define-public nvme-cli
+ (package
+ (name "nvme-cli")
+ (version "1.10.1")
+ (home-page "https://github.com/linux-nvme/nvme-cli")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url home-page)
+ (commit (string-append "v" version))))
+ (sha256
+ (base32 "12wp2wxmsw2v8m9bhvwvdbhdgx1md8iilhbl19sfzz2araiwi2x8"))
+ (file-name (git-file-name name version))))
+ (build-system gnu-build-system)
+ (arguments
+ `(#:make-flags (list "CC=gcc")
+ #:phases (modify-phases %standard-phases
+ (delete 'configure) ; No ./configure script
+ (replace 'install
+ (lambda _
+ (invoke "make" "install-spec" "PREFIX="
+ (string-append "DESTDIR=" %output)))))
+ #:tests? #f)) ; The tests require sysfs, which is not accessible from
+ ; the build environment
+ (synopsis "NVM-Express user space tooling for Linux")
+ (description "Nvme-cli is a utility to provide standards compliant tooling
+for NVM-Express drives. It was made specifically for Linux as it relies on the
+IOCTLs defined by the mainline kernel driver.")
+ (license license:gpl2+)))
+
(define-public rfkill
(package
(name "rfkill")
-- cgit v1.2.3
From f24aaa81de8c709adfda2e89271c562a5ca8d959 Mon Sep 17 00:00:00 2001
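Review bot: The replacement `install` phase is written as `(lambda _ …)` and reads the `%output` global, whereas the `install-modprobe&co` phase of kmod further down this page receives the outputs as keyword arguments; prefer `(lambda* (#:key outputs #:allow-other-keys)` together with `(string-append "DESTDIR=" (assoc-ref outputs "out"))` so the phase does not depend on a build-side global. `#:make-flags (list "CC=gcc")` also pins the build to the native compiler, so this package cannot cross-compile; if this tree already provides `cc-for-target`, `(string-append "CC=" ,(cc-for-target))` is the usual form. The `#:tests? #f` comment explaining the sysfs dependency is the right thing to keep.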
From: Vincent Legoll
Date: Sun, 15 Mar 2020 19:07:57 +0100
Subject: gnu: BlueZ: Update to 5.54.
* gnu/packages/linux.scm (bluez): Update to 5.54.
[replacement]: Remove field.
(bluez/fixed): Remove variable.
* gnu/packages/patches/bluez-CVE-2020-0556.patch: Remove file.
* gnu/local.mk (dist_patch_DATA): Remove it.
Signed-off-by: Leo Famulari
---
gnu/local.mk | 1 -
gnu/packages/linux.scm | 13 +-
gnu/packages/patches/bluez-CVE-2020-0556.patch | 180 -------------------------
3 files changed, 2 insertions(+), 192 deletions(-)
delete mode 100644 gnu/packages/patches/bluez-CVE-2020-0556.patch
(limited to 'gnu/packages/linux.scm')
diff --git a/gnu/local.mk b/gnu/local.mk
index 3be54b2627..b628bbee0c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -764,7 +764,6 @@ dist_patch_DATA = \
%D%/packages/patches/binutils-loongson-workaround.patch \
%D%/packages/patches/blender-2.79-newer-ffmpeg.patch \
%D%/packages/patches/blender-2.79-python-3.7-fix.patch \
- %D%/packages/patches/bluez-CVE-2020-0556.patch \
%D%/packages/patches/byobu-writable-status.patch \
%D%/packages/patches/calibre-no-updates-dialog.patch \
%D%/packages/patches/calibre-remove-test-bs4.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index f1bc5798ab..fda7570d89 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -4039,8 +4039,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
(define-public bluez
(package
(name "bluez")
- (replacement bluez/fixed)
- (version "5.53")
+ (version "5.54")
(source (origin
(method url-fetch)
(uri (string-append
@@ -4048,7 +4047,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
version ".tar.xz"))
(sha256
(base32
- "1g1qg6dz6hl3csrmz75ixr12lwv836hq3ckb259svvrg62l2vaiq"))))
+ "1p2ncvjz6alr9n3l5wvq2arqgc7xjs6dqyar1l9jp0z8cfgapkb8"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
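Review bot: Dropping `(replacement bluez/fixed)` in the same hunk as the version bump removes the grafted CVE-2020-0556 fix, but neither the hunk nor the ChangeLog records that 5.54 carries the two upstream commits the deleted patch was copied from (3cccdbab2324086588df4ccf5f892fb3ce1f1787 and 8cdbd3b09f29da29374e2f83369df24228da0ad1, listed in the removed patch header on this page). Someone auditing the security history has to cross-check the BlueZ release notes to confirm the fix was not silently lost; once that is verified against upstream, the entry could read `(bluez/fixed): Remove variable; the CVE-2020-0556 fixes are part of 5.54.`. The same note applies to commit 34ad1a55 further down this page, which re-applies this change after the 8bbbbb39 revert.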
@@ -4105,14 +4104,6 @@ Bluetooth audio output devices like headphones or loudspeakers.")
is flexible, efficient and uses a modular implementation.")
(license license:gpl2+)))
-(define bluez/fixed
- (package
- (inherit bluez)
- (source (origin
- (inherit (package-source bluez))
- (patches (append (origin-patches (package-source bluez))
- (search-patches "bluez-CVE-2020-0556.patch")))))))
-
(define-public fuse-exfat
(package
(name "fuse-exfat")
diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch
deleted file mode 100644
index 7c34459a3a..0000000000
--- a/gnu/packages/patches/bluez-CVE-2020-0556.patch
+++ /dev/null
@@ -1,180 +0,0 @@ -Fix CVE-2020-0556: - -https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/ -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556 - -Patches copied from upstream source repository: - -https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 -https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 - -From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001 -From: Alain Michaud -Date: Tue, 10 Mar 2020 02:35:18 +0000 -Subject: [PATCH] HID accepts bonded device connections only. - -This change adds a configuration for platforms to choose a more secure -posture for the HID profile. While some older mice are known to not -support pairing or encryption, some platform may choose a more secure -posture by requiring the device to be bonded and require the -connection to be encrypted when bonding is required. 
- -Reference: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html ---- - profiles/input/device.c | 23 ++++++++++++++++++++++- - profiles/input/device.h | 1 + - profiles/input/input.conf | 8 ++++++++ - profiles/input/manager.c | 13 ++++++++++++- - 4 files changed, 43 insertions(+), 2 deletions(-) - -diff --git a/profiles/input/device.c b/profiles/input/device.c -index 2cb3811c8..d89da2d7c 100644 ---- a/profiles/input/device.c -+++ b/profiles/input/device.c -@@ -92,6 +92,7 @@ struct input_device { - - static int idle_timeout = 0; - static bool uhid_enabled = false; -+static bool classic_bonded_only = false; - - void input_set_idle_timeout(int timeout) - { -@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) - uhid_enabled = state; - } - -+void input_set_classic_bonded_only(bool state) -+{ -+ classic_bonded_only = state; -+} -+ - static void input_device_enter_reconnect_mode(struct input_device *idev); - static int connection_disconnect(struct input_device *idev, uint32_t flags); - -@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) - if (device_name_known(idev->device)) - device_get_name(idev->device, req->name, sizeof(req->name)); - -+ /* Make sure the device is bonded if required */ -+ if (classic_bonded_only && !device_is_bonded(idev->device, -+ btd_device_get_bdaddr_type(idev->device))) { -+ error("Rejected connection from !bonded device %s", dst_addr); -+ goto cleanup; -+ } -+ - /* Encryption is mandatory for keyboards */ -- if (req->subclass & 0x40) { -+ /* Some platforms may choose to require encryption for all devices */ -+ /* Note that this only matters for pre 2.1 devices as otherwise the */ -+ /* device is encrypted by default by the lower layers */ -+ if (classic_bonded_only || req->subclass & 0x40) { - if (!bt_io_set(idev->intr_io, &gerr, - BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, - BT_IO_OPT_INVALID)) { -@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct 
input_device *idev) - DBG("path=%s reconnect_mode=%s", idev->path, - reconnect_mode_to_string(idev->reconnect_mode)); - -+ /* Make sure the device is bonded if required */ -+ if (classic_bonded_only && !device_is_bonded(idev->device, -+ btd_device_get_bdaddr_type(idev->device))) -+ return; -+ - /* Only attempt an auto-reconnect when the device is required to - * accept reconnections from the host. - */ -diff --git a/profiles/input/device.h b/profiles/input/device.h -index 51a9aee18..3044db673 100644 ---- a/profiles/input/device.h -+++ b/profiles/input/device.h -@@ -29,6 +29,7 @@ struct input_conn; - - void input_set_idle_timeout(int timeout); - void input_enable_userspace_hid(bool state); -+void input_set_classic_bonded_only(bool state); - - int input_device_register(struct btd_service *service); - void input_device_unregister(struct btd_service *service); -diff --git a/profiles/input/input.conf b/profiles/input/input.conf -index 3e1d65aae..166aff4a4 100644 ---- a/profiles/input/input.conf -+++ b/profiles/input/input.conf -@@ -11,3 +11,11 @@ - # Enable HID protocol handling in userspace input profile - # Defaults to false (HIDP handled in HIDP kernel module) - #UserspaceHID=true -+ -+# Limit HID connections to bonded devices -+# The HID Profile does not specify that devices must be bonded, however some -+# platforms may want to make sure that input connections only come from bonded -+# device connections. Several older mice have been known for not supporting -+# pairing/encryption. -+# Defaults to false to maximize device compatibility. 
-+#ClassicBondedOnly=true -diff --git a/profiles/input/manager.c b/profiles/input/manager.c -index 1d31b0652..5cd27b839 100644 ---- a/profiles/input/manager.c -+++ b/profiles/input/manager.c -@@ -96,7 +96,7 @@ static int input_init(void) - config = load_config_file(CONFIGDIR "/input.conf"); - if (config) { - int idle_timeout; -- gboolean uhid_enabled; -+ gboolean uhid_enabled, classic_bonded_only; - - idle_timeout = g_key_file_get_integer(config, "General", - "IdleTimeout", &err); -@@ -114,6 +114,17 @@ static int input_init(void) - input_enable_userspace_hid(uhid_enabled); - } else - g_clear_error(&err); -+ -+ classic_bonded_only = g_key_file_get_boolean(config, "General", -+ "ClassicBondedOnly", &err); -+ -+ if (!err) { -+ DBG("input.conf: ClassicBondedOnly=%s", -+ classic_bonded_only ? "true" : "false"); -+ input_set_classic_bonded_only(classic_bonded_only); -+ } else -+ g_clear_error(&err); -+ - } - - btd_profile_register(&input_profile); --- -2.25.1 - -From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001 -From: Alain Michaud -Date: Tue, 10 Mar 2020 02:35:16 +0000 -Subject: [PATCH] HOGP must only accept data from bonded devices. - -HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. - -Reference: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm ---- - profiles/input/hog.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/profiles/input/hog.c b/profiles/input/hog.c -index 83c017dcb..dfac68921 100644 ---- a/profiles/input/hog.c -+++ b/profiles/input/hog.c -@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) - return -EINVAL; - } - -+ /* HOGP 1.0 Section 6.1 requires bonding */ -+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) -+ return -ECONNREFUSED; -+ - /* TODO: Replace GAttrib with bt_gatt_client */ - bt_hog_attach(dev->hog, attrib); - --- -2.25.1 - -- cgit v1.2.3 From 8bbbbb39350eb559951972abae2622195393b51e Mon Sep 17 00:00:00 2001 
From: Leo Famulari
Date: Sun, 15 Mar 2020 21:03:39 -0400
Subject: Revert "gnu: BlueZ: Update to 5.54."
This reverts commit f24aaa81de8c709adfda2e89271c562a5ca8d959.
This change caused too many rebuilds for the master branch.
---
gnu/local.mk | 1 +
gnu/packages/linux.scm | 13 +-
gnu/packages/patches/bluez-CVE-2020-0556.patch | 180 +++++++++++++++++++++++++
3 files changed, 192 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/bluez-CVE-2020-0556.patch
(limited to 'gnu/packages/linux.scm')
diff --git a/gnu/local.mk b/gnu/local.mk
index b628bbee0c..3be54b2627 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -764,6 +764,7 @@ dist_patch_DATA = \
%D%/packages/patches/binutils-loongson-workaround.patch \
%D%/packages/patches/blender-2.79-newer-ffmpeg.patch \
%D%/packages/patches/blender-2.79-python-3.7-fix.patch \
+ %D%/packages/patches/bluez-CVE-2020-0556.patch \
%D%/packages/patches/byobu-writable-status.patch \
%D%/packages/patches/calibre-no-updates-dialog.patch \
%D%/packages/patches/calibre-remove-test-bs4.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fda7570d89..f1bc5798ab 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -4039,7 +4039,8 @@ Bluetooth audio output devices like headphones or loudspeakers.")
(define-public bluez
(package
(name "bluez")
- (version "5.54")
+ (replacement bluez/fixed)
+ (version "5.53")
(source (origin
(method url-fetch)
(uri (string-append
@@ -4047,7 +4048,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
version ".tar.xz"))
(sha256
(base32
- "1p2ncvjz6alr9n3l5wvq2arqgc7xjs6dqyar1l9jp0z8cfgapkb8"))))
+ "1g1qg6dz6hl3csrmz75ixr12lwv836hq3ckb259svvrg62l2vaiq"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
@@ -4104,6 +4105,14 @@ Bluetooth audio output devices like headphones or loudspeakers.")
is flexible, efficient and uses a modular implementation.")
(license license:gpl2+)))
+(define bluez/fixed
+ (package
+ (inherit bluez)
+ (source (origin
+ (inherit (package-source bluez))
+ (patches (append (origin-patches (package-source bluez))
+ (search-patches "bluez-CVE-2020-0556.patch")))))))
+
(define-public fuse-exfat
(package
(name "fuse-exfat")
diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch
new file mode 100644
index 0000000000..7c34459a3a
--- /dev/null
+++ b/gnu/packages/patches/bluez-CVE-2020-0556.patch
@@ -0,0 +1,180 @@ +Fix CVE-2020-0556: + +https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/ +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556 + +Patches copied from upstream source repository: + +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 +https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 + +From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001 +From: Alain Michaud +Date: Tue, 10 Mar 2020 02:35:18 +0000 +Subject: [PATCH] HID accepts bonded device connections only. + +This change adds a configuration for platforms to choose a more secure +posture for the HID profile. While some older mice are known to not +support pairing or encryption, some platform may choose a more secure +posture by requiring the device to be bonded and require the +connection to be encrypted when bonding is required. 
+ +Reference: +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html +--- + profiles/input/device.c | 23 ++++++++++++++++++++++- + profiles/input/device.h | 1 + + profiles/input/input.conf | 8 ++++++++ + profiles/input/manager.c | 13 ++++++++++++- + 4 files changed, 43 insertions(+), 2 deletions(-) + +diff --git a/profiles/input/device.c b/profiles/input/device.c +index 2cb3811c8..d89da2d7c 100644 +--- a/profiles/input/device.c ++++ b/profiles/input/device.c +@@ -92,6 +92,7 @@ struct input_device { + + static int idle_timeout = 0; + static bool uhid_enabled = false; ++static bool classic_bonded_only = false; + + void input_set_idle_timeout(int timeout) + { +@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) + uhid_enabled = state; + } + ++void input_set_classic_bonded_only(bool state) ++{ ++ classic_bonded_only = state; ++} ++ + static void input_device_enter_reconnect_mode(struct input_device *idev); + static int connection_disconnect(struct input_device *idev, uint32_t flags); + +@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) + if (device_name_known(idev->device)) + device_get_name(idev->device, req->name, sizeof(req->name)); + ++ /* Make sure the device is bonded if required */ ++ if (classic_bonded_only && !device_is_bonded(idev->device, ++ btd_device_get_bdaddr_type(idev->device))) { ++ error("Rejected connection from !bonded device %s", dst_addr); ++ goto cleanup; ++ } ++ + /* Encryption is mandatory for keyboards */ +- if (req->subclass & 0x40) { ++ /* Some platforms may choose to require encryption for all devices */ ++ /* Note that this only matters for pre 2.1 devices as otherwise the */ ++ /* device is encrypted by default by the lower layers */ ++ if (classic_bonded_only || req->subclass & 0x40) { + if (!bt_io_set(idev->intr_io, &gerr, + BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, + BT_IO_OPT_INVALID)) { +@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct 
input_device *idev) + DBG("path=%s reconnect_mode=%s", idev->path, + reconnect_mode_to_string(idev->reconnect_mode)); + ++ /* Make sure the device is bonded if required */ ++ if (classic_bonded_only && !device_is_bonded(idev->device, ++ btd_device_get_bdaddr_type(idev->device))) ++ return; ++ + /* Only attempt an auto-reconnect when the device is required to + * accept reconnections from the host. + */ +diff --git a/profiles/input/device.h b/profiles/input/device.h +index 51a9aee18..3044db673 100644 +--- a/profiles/input/device.h ++++ b/profiles/input/device.h +@@ -29,6 +29,7 @@ struct input_conn; + + void input_set_idle_timeout(int timeout); + void input_enable_userspace_hid(bool state); ++void input_set_classic_bonded_only(bool state); + + int input_device_register(struct btd_service *service); + void input_device_unregister(struct btd_service *service); +diff --git a/profiles/input/input.conf b/profiles/input/input.conf +index 3e1d65aae..166aff4a4 100644 +--- a/profiles/input/input.conf ++++ b/profiles/input/input.conf +@@ -11,3 +11,11 @@ + # Enable HID protocol handling in userspace input profile + # Defaults to false (HIDP handled in HIDP kernel module) + #UserspaceHID=true ++ ++# Limit HID connections to bonded devices ++# The HID Profile does not specify that devices must be bonded, however some ++# platforms may want to make sure that input connections only come from bonded ++# device connections. Several older mice have been known for not supporting ++# pairing/encryption. ++# Defaults to false to maximize device compatibility. 
++#ClassicBondedOnly=true +diff --git a/profiles/input/manager.c b/profiles/input/manager.c +index 1d31b0652..5cd27b839 100644 +--- a/profiles/input/manager.c ++++ b/profiles/input/manager.c +@@ -96,7 +96,7 @@ static int input_init(void) + config = load_config_file(CONFIGDIR "/input.conf"); + if (config) { + int idle_timeout; +- gboolean uhid_enabled; ++ gboolean uhid_enabled, classic_bonded_only; + + idle_timeout = g_key_file_get_integer(config, "General", + "IdleTimeout", &err); +@@ -114,6 +114,17 @@ static int input_init(void) + input_enable_userspace_hid(uhid_enabled); + } else + g_clear_error(&err); ++ ++ classic_bonded_only = g_key_file_get_boolean(config, "General", ++ "ClassicBondedOnly", &err); ++ ++ if (!err) { ++ DBG("input.conf: ClassicBondedOnly=%s", ++ classic_bonded_only ? "true" : "false"); ++ input_set_classic_bonded_only(classic_bonded_only); ++ } else ++ g_clear_error(&err); ++ + } + + btd_profile_register(&input_profile); +-- +2.25.1 + +From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001 +From: Alain Michaud +Date: Tue, 10 Mar 2020 02:35:16 +0000 +Subject: [PATCH] HOGP must only accept data from bonded devices. + +HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. + +Reference: +https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm +--- + profiles/input/hog.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/profiles/input/hog.c b/profiles/input/hog.c +index 83c017dcb..dfac68921 100644 +--- a/profiles/input/hog.c ++++ b/profiles/input/hog.c +@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) + return -EINVAL; + } + ++ /* HOGP 1.0 Section 6.1 requires bonding */ ++ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) ++ return -ECONNREFUSED; ++ + /* TODO: Replace GAttrib with bt_gatt_client */ + bt_hog_attach(dev->hog, attrib); + +-- +2.25.1 + -- cgit v1.2.3 From 34ad1a550c935e98aac2588f02dbfbfb7b5fad0c Mon Sep 17 00:00:00 2001 
From: Vincent Legoll
Date: Sun, 15 Mar 2020 19:07:57 +0100
Subject: gnu: BlueZ: Update to 5.54.
* gnu/packages/linux.scm (bluez): Update to 5.54.
[replacement]: Remove field.
(bluez/fixed): Remove variable.
* gnu/packages/patches/bluez-CVE-2020-0556.patch: Remove file.
* gnu/local.mk (dist_patch_DATA): Remove it.
Signed-off-by: Leo Famulari
---
gnu/local.mk | 1 -
gnu/packages/linux.scm | 13 +-
gnu/packages/patches/bluez-CVE-2020-0556.patch | 180 -------------------------
3 files changed, 2 insertions(+), 192 deletions(-)
delete mode 100644 gnu/packages/patches/bluez-CVE-2020-0556.patch
(limited to 'gnu/packages/linux.scm')
diff --git a/gnu/local.mk b/gnu/local.mk
index 3be54b2627..b628bbee0c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -764,7 +764,6 @@ dist_patch_DATA = \
%D%/packages/patches/binutils-loongson-workaround.patch \
%D%/packages/patches/blender-2.79-newer-ffmpeg.patch \
%D%/packages/patches/blender-2.79-python-3.7-fix.patch \
- %D%/packages/patches/bluez-CVE-2020-0556.patch \
%D%/packages/patches/byobu-writable-status.patch \
%D%/packages/patches/calibre-no-updates-dialog.patch \
%D%/packages/patches/calibre-remove-test-bs4.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index f1bc5798ab..fda7570d89 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -4039,8 +4039,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
(define-public bluez
(package
(name "bluez")
- (replacement bluez/fixed)
- (version "5.53")
+ (version "5.54")
(source (origin
(method url-fetch)
(uri (string-append
@@ -4048,7 +4047,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
version ".tar.xz"))
(sha256
(base32
- "1g1qg6dz6hl3csrmz75ixr12lwv836hq3ckb259svvrg62l2vaiq"))))
+ "1p2ncvjz6alr9n3l5wvq2arqgc7xjs6dqyar1l9jp0z8cfgapkb8"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
@@ -4105,14 +4104,6 @@ Bluetooth audio output devices like headphones or loudspeakers.")
is flexible, efficient and uses a modular implementation.")
(license license:gpl2+)))
-(define bluez/fixed
- (package
- (inherit bluez)
- (source (origin
- (inherit (package-source bluez))
- (patches (append (origin-patches (package-source bluez))
- (search-patches "bluez-CVE-2020-0556.patch")))))))
-
(define-public fuse-exfat
(package
(name "fuse-exfat")
diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch
deleted file mode 100644
index 7c34459a3a..0000000000
--- a/gnu/packages/patches/bluez-CVE-2020-0556.patch
+++ /dev/null
@@ -1,180 +0,0 @@ -Fix CVE-2020-0556: - -https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/ -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556 - -Patches copied from upstream source repository: - -https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 -https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 - -From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001 -From: Alain Michaud -Date: Tue, 10 Mar 2020 02:35:18 +0000 -Subject: [PATCH] HID accepts bonded device connections only. - -This change adds a configuration for platforms to choose a more secure -posture for the HID profile. While some older mice are known to not -support pairing or encryption, some platform may choose a more secure -posture by requiring the device to be bonded and require the -connection to be encrypted when bonding is required. 
- -Reference: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html ---- - profiles/input/device.c | 23 ++++++++++++++++++++++- - profiles/input/device.h | 1 + - profiles/input/input.conf | 8 ++++++++ - profiles/input/manager.c | 13 ++++++++++++- - 4 files changed, 43 insertions(+), 2 deletions(-) - -diff --git a/profiles/input/device.c b/profiles/input/device.c -index 2cb3811c8..d89da2d7c 100644 ---- a/profiles/input/device.c -+++ b/profiles/input/device.c -@@ -92,6 +92,7 @@ struct input_device { - - static int idle_timeout = 0; - static bool uhid_enabled = false; -+static bool classic_bonded_only = false; - - void input_set_idle_timeout(int timeout) - { -@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) - uhid_enabled = state; - } - -+void input_set_classic_bonded_only(bool state) -+{ -+ classic_bonded_only = state; -+} -+ - static void input_device_enter_reconnect_mode(struct input_device *idev); - static int connection_disconnect(struct input_device *idev, uint32_t flags); - -@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) - if (device_name_known(idev->device)) - device_get_name(idev->device, req->name, sizeof(req->name)); - -+ /* Make sure the device is bonded if required */ -+ if (classic_bonded_only && !device_is_bonded(idev->device, -+ btd_device_get_bdaddr_type(idev->device))) { -+ error("Rejected connection from !bonded device %s", dst_addr); -+ goto cleanup; -+ } -+ - /* Encryption is mandatory for keyboards */ -- if (req->subclass & 0x40) { -+ /* Some platforms may choose to require encryption for all devices */ -+ /* Note that this only matters for pre 2.1 devices as otherwise the */ -+ /* device is encrypted by default by the lower layers */ -+ if (classic_bonded_only || req->subclass & 0x40) { - if (!bt_io_set(idev->intr_io, &gerr, - BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, - BT_IO_OPT_INVALID)) { -@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct 
input_device *idev) - DBG("path=%s reconnect_mode=%s", idev->path, - reconnect_mode_to_string(idev->reconnect_mode)); - -+ /* Make sure the device is bonded if required */ -+ if (classic_bonded_only && !device_is_bonded(idev->device, -+ btd_device_get_bdaddr_type(idev->device))) -+ return; -+ - /* Only attempt an auto-reconnect when the device is required to - * accept reconnections from the host. - */ -diff --git a/profiles/input/device.h b/profiles/input/device.h -index 51a9aee18..3044db673 100644 ---- a/profiles/input/device.h -+++ b/profiles/input/device.h -@@ -29,6 +29,7 @@ struct input_conn; - - void input_set_idle_timeout(int timeout); - void input_enable_userspace_hid(bool state); -+void input_set_classic_bonded_only(bool state); - - int input_device_register(struct btd_service *service); - void input_device_unregister(struct btd_service *service); -diff --git a/profiles/input/input.conf b/profiles/input/input.conf -index 3e1d65aae..166aff4a4 100644 ---- a/profiles/input/input.conf -+++ b/profiles/input/input.conf -@@ -11,3 +11,11 @@ - # Enable HID protocol handling in userspace input profile - # Defaults to false (HIDP handled in HIDP kernel module) - #UserspaceHID=true -+ -+# Limit HID connections to bonded devices -+# The HID Profile does not specify that devices must be bonded, however some -+# platforms may want to make sure that input connections only come from bonded -+# device connections. Several older mice have been known for not supporting -+# pairing/encryption. -+# Defaults to false to maximize device compatibility. 
-+#ClassicBondedOnly=true -diff --git a/profiles/input/manager.c b/profiles/input/manager.c -index 1d31b0652..5cd27b839 100644 ---- a/profiles/input/manager.c -+++ b/profiles/input/manager.c -@@ -96,7 +96,7 @@ static int input_init(void) - config = load_config_file(CONFIGDIR "/input.conf"); - if (config) { - int idle_timeout; -- gboolean uhid_enabled; -+ gboolean uhid_enabled, classic_bonded_only; - - idle_timeout = g_key_file_get_integer(config, "General", - "IdleTimeout", &err); -@@ -114,6 +114,17 @@ static int input_init(void) - input_enable_userspace_hid(uhid_enabled); - } else - g_clear_error(&err); -+ -+ classic_bonded_only = g_key_file_get_boolean(config, "General", -+ "ClassicBondedOnly", &err); -+ -+ if (!err) { -+ DBG("input.conf: ClassicBondedOnly=%s", -+ classic_bonded_only ? "true" : "false"); -+ input_set_classic_bonded_only(classic_bonded_only); -+ } else -+ g_clear_error(&err); -+ - } - - btd_profile_register(&input_profile); --- -2.25.1 - -From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001 -From: Alain Michaud -Date: Tue, 10 Mar 2020 02:35:16 +0000 -Subject: [PATCH] HOGP must only accept data from bonded devices. - -HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. - -Reference: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm ---- - profiles/input/hog.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/profiles/input/hog.c b/profiles/input/hog.c -index 83c017dcb..dfac68921 100644 ---- a/profiles/input/hog.c -+++ b/profiles/input/hog.c -@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) - return -EINVAL; - } - -+ /* HOGP 1.0 Section 6.1 requires bonding */ -+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) -+ return -ECONNREFUSED; -+ - /* TODO: Replace GAttrib with bt_gatt_client */ - bt_hog_attach(dev->hog, attrib); - --- -2.25.1 - -- cgit v1.2.3 From ddcfc467968d8367e62cb24cbc9e89bb5af0fe6d Mon Sep 17 00:00:00 2001 
From: Brice Waegeneire
Date: Sat, 4 Apr 2020 09:05:21 +0200
Subject: gnu: kmod: Update to 27.
* gnu/packages/linux.scm (kmod): Update to version 27.
[native-inputs]: Add 'automake' and 'autoconf'.
[arguments]: Add phase 'disable-tests'. Add configure flag '--disable-test-modules'. Enable tests.
---
gnu/packages/linux.scm | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
(limited to 'gnu/packages/linux.scm')
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 22249e1cf1..fb1ed8d5b7 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -43,6 +43,7 @@
;;; Copyright © 2020 Chris Marusich
;;; Copyright © 2020 Vincent Legoll
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen
+;;; Copyright © 2020 Brice Waegeneire
;;;
;;; This file is part of GNU Guix.
;;;
@@ -2937,7 +2938,7 @@ to use Linux' inotify mechanism, which allows file accesses to be monitored.")
(define-public kmod
(package
(name "kmod")
- (version "26")
+ (version "27")
(source (origin
(method url-fetch)
(uri
@@ -2945,19 +2946,29 @@ to use Linux' inotify mechanism, which allows file accesses to be monitored.")
"kmod-" version ".tar.xz"))
(sha256
(base32
- "17dvrls70nr3b3x1wm8pwbqy4r8a5c20m0dhys8mjhsnpg425fsp"))
+ "035wzfzjx4nwidk747p8n085mgkvy531ppn16krrajx2dkqzply1"))
(patches (search-patches "kmod-module-directory.patch"))))
(build-system gnu-build-system)
(native-inputs
- `(("pkg-config" ,pkg-config)))
+ `(("automake" ,automake)
+ ("autoconf" ,autoconf)
+ ("pkg-config" ,pkg-config)))
(inputs
`(("xz" ,xz)
("zlib" ,zlib)))
(arguments
- `(#:tests? #f ; FIXME: Investigate test failures
- #:configure-flags '("--with-xz" "--with-zlib")
+ `(#:configure-flags '("--with-xz" "--with-zlib"
+ "--disable-test-modules")
#:phases
(modify-phases %standard-phases
+ (add-after 'unpack 'disable-tests
+ (lambda _
+ ;; XXX: These tests need '--sysconfdir=/etc' to pass.
+ (substitute* "Makefile.am"
+ (("testsuite/test-modprobe") "")
+ (("testsuite/test-depmod") "")
+ (("testsuite/test-blacklist") ""))
+ #t))
(add-after 'install 'install-modprobe&co
(lambda* (#:key outputs #:allow-other-keys)
(let* ((out (assoc-ref outputs "out"))
-- cgit v1.2.3
From 312d9a332053118ca002f4d1e3aa43ea588e593c Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Fri, 15 May 2020 01:26:59 +0200
Subject: gnu: kmod: Disable tests in 'Makefile.in' instead of 'Makefile.am'.
This avoids a build failure because the package was bootstrapped with an older version of Automake. By substituting the .in file we avoid triggering the Autoconf machinery.
* gnu/packages/linux.scm (kmod)[arguments]: Change the 'disable-tests' phase to substitute "Makefile.in" instead of "Makefile.am".
[native-inputs]: Remove AUTOMAKE and AUTOCONF.
---
gnu/packages/linux.scm | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
(limited to 'gnu/packages/linux.scm')
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fb1ed8d5b7..3fd902e340 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
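Review bot: The new `disable-tests` phase rewrites `Makefile.am` in a release tarball that already ships a generated `Makefile.in`, so the Makefile's rebuild rules re-run automake at build time with whatever version `native-inputs` provides rather than the one the tarball was bootstrapped with, which is presumably why `automake` and `autoconf` had to be added here; substituting `Makefile.in` instead avoids the autotools re-run and the two extra native-inputs (commit 312d9a33 further down this page does exactly that). Independently, `substitute*` does not fail when a pattern matches nothing, so a future kmod bump that renames these testsuite targets would quietly re-enable the three tests instead of flagging the stale phase; a comment such as `;; XXX: substitute* is silent on no match; re-check these target names on each update.` next to the `substitute*` call would make that expectation visible. The `kmod` package definition starts and ends outside this hunk.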
@@ -2950,9 +2950,7 @@ to use Linux' inotify mechanism, which allows file accesses to be monitored.")
 (patches (search-patches "kmod-module-directory.patch"))))
 (build-system gnu-build-system)
 (native-inputs
- `(("automake" ,automake)
- ("autoconf" ,autoconf)
- ("pkg-config" ,pkg-config)))
+ `(("pkg-config" ,pkg-config)))
 (inputs
 `(("xz" ,xz)
 ("zlib" ,zlib)))
@@ -2964,7 +2962,7 @@ to use Linux' inotify mechanism, which allows file accesses to be monitored.")
 (add-after 'unpack 'disable-tests
 (lambda _
 ;; XXX: These tests need '--sysconfdir=/etc' to pass.
- (substitute* "Makefile.am"
+ (substitute* "Makefile.in"
 (("testsuite/test-modprobe") "")
 (("testsuite/test-depmod") "")
 (("testsuite/test-blacklist") ""))
-- cgit v1.2.3

From beec29da921345c2e46852c531161fb5ddd3076f Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Thu, 14 May 2020 22:54:27 +0200
Subject: gnu: json-c: Update to 0.14.

* gnu/packages/web.scm (json-c): Update to 0.14. [source](modules, snippet): Remove. [build-system]: Change to CMAKE-BUILD-SYSTEM. (json-c-0.13): New public variable. (json-c-0.12): Inherit from JSON-C-0.13.
* gnu/packages/cryptsetup.scm (cryptsetup-static)[inputs]: Stick with JSON-C-0.13.
* gnu/packages/linux.scm (multipath-tools)[inputs]: Likewise.
* gnu/packages/security-token.scm (yubikey-personalization, libu2f-host, libu2f-server)[inputs]: Likewise.
* gnu/packages/syndication.scm (newsboat)[inputs]: Likewise.
---
 gnu/packages/cryptsetup.scm | 4 ++--
 gnu/packages/linux.scm | 2 +-
 gnu/packages/security-token.scm | 6 +++---
 gnu/packages/syndication.scm | 2 +-
 gnu/packages/web.scm | 39 ++++++++++++++++++++++++++------------
 5 files changed, 33 insertions(+), 20 deletions(-)

(limited to 'gnu/packages/linux.scm')

diff --git a/gnu/packages/cryptsetup.scm b/gnu/packages/cryptsetup.scm
index d4c039ac04..bd6e046452 100644
--- a/gnu/packages/cryptsetup.scm
+++ b/gnu/packages/cryptsetup.scm
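Review bot: The `substitute*` call at the end of this hunk now rewrites the generated `Makefile.in`, but the comment above it still explains only why the tests are dropped, not why the generated file is edited rather than `Makefile.am`; the reason (editing the .am file re-triggers automake, which the hunk at -2950 removes from native-inputs) lives only in the commit message. A later maintainer seeing a substitution on a generated file is likely to "correct" it back to `Makefile.am` and bring the build failure back. Suggest extending the comment: `;; Edit the generated Makefile.in rather than Makefile.am: touching the .am file would re-trigger automake, which is not a native input.` The `disable-tests` phase and the enclosing `modify-phases` form end outside this hunk.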
@@ -58,7 +58,7 @@
 `(("pkg-config" ,pkg-config)))
 (inputs
 `(("argon2" ,argon2)
- ("json-c" ,json-c)
+ ("json-c" ,json-c-0.13) ;XXX update this for cryptsetup >= 2.3
 ("libgcrypt" ,libgcrypt)
 ("lvm2" ,lvm2) ; device-mapper
 ("popt" ,popt)
@@ -138,7 +138,7 @@ files). This assumes LIBRARY uses Libtool."
 (inherit (static-library libgcrypt))
 (propagated-inputs
 `(("libgpg-error-host" ,(static-library libgpg-error)))))))
- `(("json-c" ,json-c)
+ `(("json-c" ,json-c-0.13)
 ("libgcrypt" ,libgcrypt-static)
 ("lvm2" ,lvm2-static)
 ("util-linux" ,util-linux "static")
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 3fd902e340..b45b3725d4 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -4243,7 +4243,7 @@ arrays when needed.")
 ("pkg-config" ,pkg-config)
 ("valgrind" ,valgrind)))
 (inputs
- `(("json-c" ,json-c)
+ `(("json-c" ,json-c-0.13)
 ("libaio" ,libaio)
 ("liburcu" ,liburcu)
 ("lvm2" ,lvm2)
diff --git a/gnu/packages/security-token.scm b/gnu/packages/security-token.scm
index 2ab8a85702..d742c6255c 100644
--- a/gnu/packages/security-token.scm
+++ b/gnu/packages/security-token.scm
@@ -357,7 +357,7 @@ and other operations. It includes a library and a command-line tool.")
 (assoc-ref %outputs "out")
 "/lib/udev/rules.d"))))
 (inputs
- `(("json-c" ,json-c)
+ `(("json-c" ,json-c-0.13)
 ("libusb" ,libusb)
 ;; The library "libyubikey" is also known as "yubico-c".
 ("libyubikey" ,libyubikey)))
@@ -457,7 +457,7 @@ PCSC API Python wrapper module.")
 "/xml/dtd/docbook/docbookx.dtd")))
 #t)))))
 (inputs
- `(("json-c" ,json-c)
+ `(("json-c" ,json-c-0.13)
 ("hidapi" ,hidapi)))
 (native-inputs
 `(("help2man" ,help2man)
@@ -497,7 +497,7 @@ operations.")
 (list "--enable-gtk-doc"
 "--enable-tests")))
 (inputs
- `(("json-c" ,json-c)
+ `(("json-c" ,json-c-0.13)
 ("libressl" ,libressl)))
 (native-inputs
 `(("autoconf" ,autoconf)
diff --git a/gnu/packages/syndication.scm b/gnu/packages/syndication.scm
index 5bc3d19a92..658050c54d 100644
--- a/gnu/packages/syndication.scm
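Review bot: Only the first cryptsetup pin carries a rationale (`;XXX update this for cryptsetup >= 2.3`); the identical pins on `cryptsetup-static` at -138, on multipath-tools at -4243, on the three security-token packages at -357, -457 and -497, and on newsboat in the following hunk are bare, so nothing at those sites records when they may return to the current `json-c`. Because cryptsetup and the U2F libraries are security-sensitive consumers of this parser, a frozen 0.13.1 build that only a comment in web.scm marks as temporary is easy to forget, and any later json-c fix has to be applied to both packages for as long as it lasts. Suggest repeating the condition at each site, e.g. `("json-c" ,json-c-0.13)      ;XXX temporary, see json-c-0.13 in web.scm`, or at least on `cryptsetup-static` so that the two cryptsetup variants cannot drift apart.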
+++ b/gnu/packages/syndication.scm
@@ -57,7 +57,7 @@
 ("asciidoc" ,asciidoc)))
 (inputs
 `(("curl" ,curl)
- ("json-c" ,json-c)
+ ("json-c" ,json-c-0.13)
 ("libxml2" ,libxml2)
 ("ncurses" ,ncurses)
 ("stfl" ,stfl)
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index eabc3c0197..1ccab7777b 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -768,7 +768,7 @@ data.")
 (define-public json-c
 (package
 (name "json-c")
- (version "0.13.1")
+ (version "0.14")
 (source (origin
 (method url-fetch)
 (uri (string-append
@@ -776,7 +776,29 @@ data.")
 version ".tar.gz"))
 (sha256
 (base32
- "0ws8dz9nk8q2c0gbf66kg2r6mrkl7kamd3gpdv9zsyrz9n6n0zmq"))
+ "0w381krr99q5a2rypx4g437fa7gzgl82i64sgnrs6g5jr44dwxxk"))))
+ (build-system cmake-build-system)
+ (home-page "https://github.com/json-c/json-c/wiki")
+ (synopsis "JSON implementation in C")
+ (description
+ "JSON-C implements a reference counting object model that allows you to
+easily construct JSON objects in C, output them as JSON-formatted strings and
+parse JSON-formatted strings back into the C representation of JSON objects.
+It aims to conform to RFC 7159.")
+ (license license:x11)))
+
+;; TODO: Remove these old versions when all dependents have been updated.
+(define-public json-c-0.13
+ (package
+ (inherit json-c)
+ (version "0.13.1")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "https://s3.amazonaws.com/json-c_releases/releases/json-c-"
+ version ".tar.gz"))
+ (sha256
+ (base32 "0ws8dz9nk8q2c0gbf66kg2r6mrkl7kamd3gpdv9zsyrz9n6n0zmq"))
 (modules '((guix build utils)))
 (snippet
 '(begin
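Review bot: The new `;; TODO: Remove these old versions when all dependents have been updated.` above `json-c-0.13` names neither the dependents nor why they cannot take 0.14, so the information needed to act on it exists only in this commit's message. Keeping a second build of a JSON parser alive means every later json-c fix must also be applied to the 0.13.1 tarball (or the dependents moved), and without the list nobody can tell when the old package has become unused. Suggest: `;; TODO: Remove these old versions when all dependents have been updated (as of this change: cryptsetup, multipath-tools, yubikey-personalization, libu2f-host, libu2f-server, newsboat).  Fixes landing in json-c must be applied here too while this exists.` The `json-c-0.13` source form continues past the end of the hunk.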
@@ -786,20 +808,11 @@ data.") (set-file-time "config.h.in" (stat "aclocal.m4")) #t)))) - (build-system gnu-build-system) - (home-page "https://github.com/json-c/json-c/wiki") - (synopsis "JSON implementation in C") - (description - "JSON-C implements a reference counting object model that allows you to -easily construct JSON objects in C, output them as JSON-formatted strings and -parse JSON-formatted strings back into the C representation of JSON objects. -It aims to conform to RFC 7159.") - (license license:x11))) + (build-system gnu-build-system))) -;; TODO: remove this old version when all dependents have been updated. (define-public json-c-0.12 (package - (inherit json-c) + (inherit json-c-0.13) (version "0.12.1") (source (origin (method url-fetch) -- cgit v1.2.3