From 2c715a922324e0cd1ab50c5ea0b70f12a33565d5 Mon Sep 17 00:00:00 2001 From: Clément Lassieur Date: Wed, 15 Mar 2017 23:49:32 +0100 Subject: gnu: password-store: Fix compatibility with GnuPG 2.1.19. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/patches/password-store-gnupg-compat.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/password-utils.scm (password-store)[source]: Use it. Signed-off-by: Clément Lassieur --- .../patches/password-store-gnupg-compat.patch | 53 ++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 gnu/packages/patches/password-store-gnupg-compat.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/password-store-gnupg-compat.patch b/gnu/packages/patches/password-store-gnupg-compat.patch new file mode 100644 index 0000000000..c314ba6647 --- /dev/null +++ b/gnu/packages/patches/password-store-gnupg-compat.patch 
@@ -0,0 +1,53 @@ +Copied from upstream mailing list: +https://lists.zx2c4.com/pipermail/password-store/2017-March/002844.html. + +The patch actually restores compatibility with GnuPG 2.1.19, the '2.2.19' in +the commit message is a typo. + +From 8723d8e8192683891904aff321446b0fac37d1ad Mon Sep 17 00:00:00 2001 +From: Andreas Stieger +Date: Fri, 10 Mar 2017 15:43:26 +0100 +Subject: [PATCH] Fix compatibility with GnuPG 2.2.19 + +GnuPG 2.2.19 added a warning when no command was given. + +* src/password-store.sh (reencrypt_path): Add --decrypt to --list-only +* tests/t0300-reencryption.sh (gpg_keys_from_encrypted_file): same + +https://bugs.gnupg.org/gnupg/msg9873 +http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=810adfd47801fc01e45fb71af9f05c91f7890cdb +https://bugzilla.suse.com/show_bug.cgi?id=1028867 +--- + src/password-store.sh | 2 +- + tests/t0300-reencryption.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/password-store.sh b/src/password-store.sh +index 1ab6fb5..bad8d4f 100755 +--- a/src/password-store.sh ++++ b/src/password-store.sh +@@ -125,7 +125,7 @@ reencrypt_path() { + done + gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)" + fi +- current_keys="$($GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --list-only --keyid-format long "$passfile" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u)" ++ current_keys="$($GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u)" + + if [[ $gpg_keys != "$current_keys" ]]; then + echo "$passfile_display: reencrypting to ${gpg_keys//$'\n'/ }" +diff --git a/tests/t0300-reencryption.sh b/tests/t0300-reencryption.sh +index 9d46580..6d5811d 100755 +--- 
a/tests/t0300-reencryption.sh ++++ b/tests/t0300-reencryption.sh +@@ -10,7 +10,7 @@ canonicalize_gpg_keys() { + $GPG --list-keys --with-colons "$@" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u + } + gpg_keys_from_encrypted_file() { +- $GPG -v --no-secmem-warning --no-permission-warning --list-only --keyid-format long "$1" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u ++ $GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u + } + gpg_keys_from_group() { + local output="$($GPG --list-config --with-colons | sed -n "s/^cfg:group:$1:\\(.*\\)/\\1/p" | head -n 1)" +-- +2.12.0 + -- cgit v1.2.3 From 1e5b8beeff95e0adf767f1c13963c39b794573fe Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Thu, 16 Mar 2017 14:13:08 -0400 Subject: gnu: virglrenderer: Fix CVE-2017-6386. * gnu/packages/patches/virglrenderer-CVE-2017-6386.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/spice.scm (virglrenderer)[source]: Use it. --- gnu/local.mk | 1 + .../patches/virglrenderer-CVE-2017-6386.patch | 54 ++++++++++++++++++++++ gnu/packages/spice.scm | 1 + 3 files changed, 56 insertions(+) create mode 100644 gnu/packages/patches/virglrenderer-CVE-2017-6386.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index b3aa79ad90..c1a15e94ff 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -965,6 +965,7 @@ dist_patch_DATA = \ %D%/packages/patches/upower-builddir.patch \ %D%/packages/patches/valgrind-enable-arm.patch \ %D%/packages/patches/vim-CVE-2017-5953.patch \ + %D%/packages/patches/virglrenderer-CVE-2017-6386.patch \ %D%/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch \ %D%/packages/patches/vorbis-tools-CVE-2014-9640.patch \ %D%/packages/patches/vorbis-tools-CVE-2015-6749.patch \ 
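Review bot: The recipient comparison in `reencrypt_path` still takes key IDs from field 5 of gpg's merged stdout and stderr (`2>&1 | cut -d ' ' -f 5`), so any other diagnostic line gpg prints can end up in `current_keys` and make it differ from `gpg_keys`. Adding `--decrypt` removes the one warning named in the patch description, but the parse still depends on the wording and number of gpg's messages. The same pipeline is used in `gpg_keys_from_encrypted_file` in tests/t0300-reencryption.sh. I would select only the lines that carry a key ID before cutting fields, and put a comment above the assignment such as `# key IDs are parsed from gpg -v diagnostics; any extra message line changes the result`. Both functions continue outside the hunks shown.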
diff --git a/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch b/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch new file mode 100644 index 0000000000..bd3bf106bf --- /dev/null +++ b/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch @@ -0,0 +1,54 @@ +Fix CVE-2017-6386 (memory leak introduced by fix for CVE-2017-5994). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5994 + +Patch copied from upstream source repository: + +https://cgit.freedesktop.org/virglrenderer/commit/?id=737c3350850ca4dbc5633b3bdb4118176ce59920 + +From 737c3350850ca4dbc5633b3bdb4118176ce59920 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Tue, 28 Feb 2017 14:52:09 +1000 +Subject: renderer: fix memory leak in vertex elements state create + +Reported-by: Li Qiang +Free the vertex array in error path. +This was introduced by this commit: +renderer: fix heap overflow in vertex elements state create. + +I rewrote the code to not require the allocation in the first +place if we have an error, seems nicer. + +Signed-off-by: Dave Airlie + +diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c +index 1bca7ad..e5d9f5c 100644 +--- a/src/vrend_renderer.c ++++ b/src/vrend_renderer.c +@@ -1648,18 +1648,19 @@ int vrend_create_vertex_elements_state(struct vrend_context *ctx, + unsigned num_elements, + const struct pipe_vertex_element *elements) + { +- struct vrend_vertex_element_array *v = CALLOC_STRUCT(vrend_vertex_element_array); ++ struct vrend_vertex_element_array *v; + const struct util_format_description *desc; + GLenum type; + int i; + uint32_t ret_handle; + +- if (!v) +- return ENOMEM; +- + if (num_elements > PIPE_MAX_ATTRIBS) + return EINVAL; + ++ v = CALLOC_STRUCT(vrend_vertex_element_array); ++ if (!v) ++ return ENOMEM; ++ + v->count = num_elements; + for (i = 0; i < num_elements; i++) { + memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element)); +-- +cgit v0.10.2 + 
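Review bot: The patch header names CVE-2017-6386, but the only advisory link it gives is for CVE-2017-5994, the earlier heap overflow, so a reader auditing the package cannot reach the leak's own entry from this file. I would add the matching line `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6386` under the existing link. In the code, moving `CALLOC_STRUCT` after the `num_elements > PIPE_MAX_ATTRIBS` check removes the leak on that return. The loop body of `vrend_create_vertex_elements_state` continues outside the hunk, so whether later error returns release `v` cannot be confirmed from here.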
diff --git a/gnu/packages/spice.scm b/gnu/packages/spice.scm index 363a5e8fc5..838db4b35d 100644 --- a/gnu/packages/spice.scm +++ b/gnu/packages/spice.scm @@ -102,6 +102,7 @@ (uri (string-append "https://www.freedesktop.org/software/virgl/" "virglrenderer-" version ".tar.bz2")) + (patches (search-patches "virglrenderer-CVE-2017-6386.patch")) (sha256 (base32 "06kf0q4l52gzx5p63l8850hff8pmhp7xv1hk8zgx2apbw18y6jd5")))) -- cgit v1.2.3 From 49ac6dbb0ae8386fd7da5d751107ba7a6aab44ad Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Thu, 16 Mar 2017 14:58:13 -0400 Subject: gnu: qemu: Fix CVE-2017-{2620,2630}. * gnu/packages/patches/qemu-CVE-2017-2620.patch, gnu/packages/patches/qemu-CVE-2017-2630.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/qemu.scm (qemu)[source]: Use them. --- gnu/local.mk | 2 + gnu/packages/patches/qemu-CVE-2017-2620.patch | 134 ++++++++++++++++++++++++++ gnu/packages/patches/qemu-CVE-2017-2630.patch | 47 +++++++++ gnu/packages/qemu.scm | 2 + 4 files changed, 185 insertions(+) create mode 100644 gnu/packages/patches/qemu-CVE-2017-2620.patch create mode 100644 gnu/packages/patches/qemu-CVE-2017-2630.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index c1a15e94ff..2cc5d546b3 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -877,6 +877,8 @@ dist_patch_DATA = \ %D%/packages/patches/python2-subprocess32-disable-input-test.patch \ %D%/packages/patches/qemu-CVE-2016-10155.patch \ %D%/packages/patches/qemu-CVE-2017-2615.patch \ + %D%/packages/patches/qemu-CVE-2017-2620.patch \ + %D%/packages/patches/qemu-CVE-2017-2630.patch \ %D%/packages/patches/qemu-CVE-2017-5525.patch \ %D%/packages/patches/qemu-CVE-2017-5526.patch \ %D%/packages/patches/qemu-CVE-2017-5552.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2017-2620.patch b/gnu/packages/patches/qemu-CVE-2017-2620.patch new file mode 100644 index 0000000000..d3111827b7 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-2620.patch 
@@ -0,0 +1,134 @@ +Fix CVE-2017-2620: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2620 +https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html + +Both patches copied from upstream source repository: + +Fixes CVE-2017-2620: +http://git.qemu-project.org/?p=qemu.git;a=commit;h=92f2b88cea48c6aeba8de568a45f2ed958f3c298 + +The CVE-2017-2620 bug-fix depends on this earlier patch: +http://git.qemu-project.org/?p=qemu.git;a=commit;h=913a87885f589d263e682c2eb6637c6e14538061 + +From 92f2b88cea48c6aeba8de568a45f2ed958f3c298 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 8 Feb 2017 11:18:36 +0100 +Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo + (CVE-2017-2620) + +CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination +and blit width, at all. Oops. Fix it. + +Security impact: high. + +The missing blit destination check allows to write to host memory. +Basically same as CVE-2014-8106 for the other blit variants. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Gerd Hoffmann +--- + hw/display/cirrus_vga.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 1deb52070a..b9e7cb1df1 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + { + int w; + ++ if (blit_is_unsafe(s, true)) { ++ return 0; ++ } ++ + s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; + s->cirrus_srcptr = &s->cirrus_bltbuf[0]; + s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; +@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + } + s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; + } ++ ++ /* the blit_is_unsafe call above should catch this */ ++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); ++ + s->cirrus_srcptr = s->cirrus_bltbuf; + s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; + cirrus_update_memory_access(s); 
+-- +2.12.0 + +From 913a87885f589d263e682c2eb6637c6e14538061 Mon Sep 17 00:00:00 2001 +From: Bruce Rogers +Date: Mon, 9 Jan 2017 13:35:20 -0700 +Subject: [PATCH] display: cirrus: ignore source pitch value as needed in + blit_is_unsafe + +Commit 4299b90 added a check which is too broad, given that the source +pitch value is not required to be initialized for solid fill operations. +This patch refines the blit_is_unsafe() check to ignore source pitch in +that case. After applying the above commit as a security patch, we +noticed the SLES 11 SP4 guest gui failed to initialize properly. + +Signed-off-by: Bruce Rogers +Message-id: 20170109203520.5619-1-brogers@suse.com +Signed-off-by: Gerd Hoffmann +--- + hw/display/cirrus_vga.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index bdb092ee9d..379910db2d 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, + return false; + } + +-static bool blit_is_unsafe(struct CirrusVGAState *s) ++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) + { + /* should be the case, see cirrus_bitblt_start */ + assert(s->cirrus_blt_width > 0); +@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s) + s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { + return true; + } ++ if (dst_only) { ++ return false; ++ } + if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, + s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { + return true; +@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, + + dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); + +- if (blit_is_unsafe(s)) ++ if (blit_is_unsafe(s, false)) + return 0; + + (*s->cirrus_rop) (s, dst, src, +@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) + { + cirrus_fill_t rop_func; + +- if 
(blit_is_unsafe(s)) { ++ if (blit_is_unsafe(s, true)) { + return 0; + } + rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; +@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + + static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) + { +- if (blit_is_unsafe(s)) ++ if (blit_is_unsafe(s, false)) + return 0; + + return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, +-- +2.12.0 + diff --git a/gnu/packages/patches/qemu-CVE-2017-2630.patch b/gnu/packages/patches/qemu-CVE-2017-2630.patch new file mode 100644 index 0000000000..b154d171f1 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-2630.patch 
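Review bot: The new `assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE)` in `cirrus_bitblt_cputovideo` is justified by the comment "the blit_is_unsafe call above should catch this", yet that call is `blit_is_unsafe(s, true)`, and with `dst_only` set the function returns before the `blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, ...)` check. Whatever bounds the source pitch must therefore sit in lines not shown in these hunks, and the comment should name that check. An assert is also a weak last line of defence on a path driven by guest-written blit registers: it is compiled out under NDEBUG and otherwise aborts the whole process. I would pair it with an explicit rejection, for example `if (s->cirrus_blt_srcpitch > CIRRUS_BLTBUFSIZE) { return 0; }`, placed where returning is still safe. Both function bodies extend beyond the hunks.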
@@ -0,0 +1,47 @@ +Fix CVE-2017-2630: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2630 +https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html + +Patch copied from upstream source repository: + +http://git.qemu-project.org/?p=qemu.git;a=commit;h=2563c9c6b8670400c48e562034b321a7cf3d9a85 + +From 2563c9c6b8670400c48e562034b321a7cf3d9a85 Mon Sep 17 00:00:00 2001 +From: Vladimir Sementsov-Ogievskiy +Date: Tue, 7 Mar 2017 09:16:27 -0600 +Subject: [PATCH] nbd/client: fix drop_sync [CVE-2017-2630] +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Comparison symbol is misused. It may lead to memory corruption. +Introduced in commit 7d3123e. + +Signed-off-by: Vladimir Sementsov-Ogievskiy +Message-Id: <20170203154757.36140-6-vsementsov@virtuozzo.com> +[eblake: add CVE details, update conditional] +Signed-off-by: Eric Blake +Reviewed-by: Marc-André Lureau +Message-Id: <20170307151627.27212-1-eblake@redhat.com> +Signed-off-by: Paolo Bonzini +--- + nbd/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nbd/client.c b/nbd/client.c +index 5c9dee37fa..3dc2564cd0 100644 +--- a/nbd/client.c ++++ b/nbd/client.c +@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size) + char small[1024]; + char *buffer; + +- buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size)); ++ buffer = sizeof(small) >= size ? small : g_malloc(MIN(65536, size)); + while (size > 0) { + ssize_t count = read_sync(ioc, buffer, MIN(65536, size)); + +-- +2.12.0 + diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index 3aa4128be0..07ab871fae 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm 
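Review bot: The corrected buffer selection in `drop_sync` would be harder to get wrong again with the variable on the left, `buffer = size <= sizeof(small) ? small : g_malloc(MIN(65536, size));`, since the reversed operand order is easy to misread, as the bug being fixed shows. A one-line comment above it such as `/* use the stack buffer only when the whole payload fits; otherwise a heap chunk of at most 64 KiB */` would pin the intent. The rest of the function is outside the hunk, so whether the release path skips `small` cannot be confirmed from here.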
@@ -79,6 +79,8 @@ "0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs")) (patches (search-patches "qemu-CVE-2016-10155.patch" "qemu-CVE-2017-2615.patch" + "qemu-CVE-2017-2620.patch" + "qemu-CVE-2017-2630.patch" "qemu-CVE-2017-5525.patch" "qemu-CVE-2017-5526.patch" "qemu-CVE-2017-5552.patch" -- cgit v1.2.3 From cbef2796edcd35d63fd5a1eea9390fc98564c7f2 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Fri, 17 Mar 2017 11:15:01 +0100 Subject: gnu: ninja: Update to 1.7.2. * gnu/packages/ninja.scm (ninja): Update to 1.7.2. [source]: Remove patch. * gnu/packages/patches/ninja-tests.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/ninja.scm | 7 +++-- gnu/packages/patches/ninja-tests.patch | 48 ---------------------------------- 3 files changed, 3 insertions(+), 53 deletions(-) delete mode 100644 gnu/packages/patches/ninja-tests.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index 2cc5d546b3..f2ce6c0a63 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -778,7 +778,6 @@ dist_patch_DATA = \ %D%/packages/patches/netsurf-longer-test-timeout.patch \ %D%/packages/patches/ngircd-handle-zombies.patch \ %D%/packages/patches/ngircd-no-dns-in-tests.patch \ - %D%/packages/patches/ninja-tests.patch \ %D%/packages/patches/ninja-zero-mtime.patch \ %D%/packages/patches/node-9077.patch \ %D%/packages/patches/nss-pkgconfig.patch \ diff --git a/gnu/packages/ninja.scm b/gnu/packages/ninja.scm index 8f18eb3560..2a53a3f5b3 100644 --- a/gnu/packages/ninja.scm +++ b/gnu/packages/ninja.scm @@ -29,7 +29,7 @@ (define-public ninja (package (name "ninja") - (version "1.7.1") + (version "1.7.2") (source (origin (method url-fetch) (uri (string-append "https://github.com/martine/ninja/" 
@@ -37,9 +37,8 @@ (file-name (string-append name "-" version ".tar.gz")) (sha256 (base32 - "06dy2dc1aafm61ynw9gzig88la3km9dsh53bxf4mnw7l7kjisn2i")) - (patches (search-patches "ninja-zero-mtime.patch" - "ninja-tests.patch")))) + "1n8n3g26ppwh7zwrc37n3alkbpbj0wki34ih53s3rkhs8ajs1p9f")) + (patches (search-patches "ninja-zero-mtime.patch")))) (build-system gnu-build-system) (native-inputs `(("python" ,python-2))) (arguments diff --git a/gnu/packages/patches/ninja-tests.patch b/gnu/packages/patches/ninja-tests.patch deleted file mode 100644 index f9b0d9f910..0000000000 --- a/gnu/packages/patches/ninja-tests.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 67d6b9262efad99f8aad63ab81efc8e689748766 Mon Sep 17 00:00:00 2001 -From: Efraim Flashner -Date: Sun, 3 Jul 2016 11:55:43 +0300 -Subject: [PATCH] patch - ---- - src/subprocess_test.cc | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/subprocess_test.cc b/src/subprocess_test.cc -index ee16190..a537c11 100644 ---- a/src/subprocess_test.cc -+++ b/src/subprocess_test.cc -@@ -72,6 +72,7 @@ TEST_F(SubprocessTest, NoSuchCommand) { - - #ifndef _WIN32 - -+#if 0 - TEST_F(SubprocessTest, InterruptChild) { - Subprocess* subproc = subprocs_.Add("kill -INT $$"); - ASSERT_NE((Subprocess *) 0, subproc); -@@ -82,6 +83,7 @@ TEST_F(SubprocessTest, InterruptChild) { - - EXPECT_EQ(ExitInterrupted, subproc->Finish()); - } -+#endif - - TEST_F(SubprocessTest, InterruptParent) { - Subprocess* subproc = subprocs_.Add("kill -INT $PPID ; sleep 1"); -@@ -217,6 +219,7 @@ TEST_F(SubprocessTest, SetWithMulti) { - // OS X's process limit is less than 1025 by default - // (|sysctl kern.maxprocperuid| is 709 on 10.7 and 10.8 and less prior to that). - #if !defined(__APPLE__) && !defined(_WIN32) -+#if 0 - TEST_F(SubprocessTest, SetWithLots) { - // Arbitrary big number; needs to be over 1024 to confirm we're no longer - // hostage to pselect. -@@ -245,6 +248,7 @@ TEST_F(SubprocessTest, SetWithLots) { - } - ASSERT_EQ(kNumProcs, subprocs_.finished_.size()); - } -+#endif - #endif // !__APPLE__ && !_WIN32 - - // TODO: this test could work on Windows, just not sure how to simply --- -2.9.0 - -- cgit v1.2.3 From 2a047d59e03100b1cafb8cc235cab75e7e6415c7 Mon Sep 17 00:00:00 2001 
From: Marius Bakke Date: Fri, 17 Mar 2017 20:10:12 +0100 Subject: gnu: libwebp: Update to 0.6.0. * gnu/packages/image.scm (libwebp): Update to 0.6.0. [source]: Remove patch. * gnu/packages/patches/libwebp-CVE-2016-9085.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/image.scm | 5 +- gnu/packages/patches/libwebp-CVE-2016-9085.patch | 144 ----------------------- 3 files changed, 2 insertions(+), 148 deletions(-) delete mode 100644 gnu/packages/patches/libwebp-CVE-2016-9085.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index f2ce6c0a63..48c134ba6e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -714,7 +714,6 @@ dist_patch_DATA = \ %D%/packages/patches/libtool-skip-tests2.patch \ %D%/packages/patches/libunwind-CVE-2015-3239.patch \ %D%/packages/patches/libvpx-CVE-2016-2818.patch \ - %D%/packages/patches/libwebp-CVE-2016-9085.patch \ %D%/packages/patches/libwmf-CAN-2004-0941.patch \ %D%/packages/patches/libwmf-CVE-2006-3376.patch \ %D%/packages/patches/libwmf-CVE-2007-0455.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 9b8a3a63da..f2afa988cb 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -805,17 +805,16 @@ multi-dimensional image processing.") (define-public libwebp (package (name "libwebp") - (version "0.5.1") + (version "0.6.0") (source (origin (method url-fetch) (uri (string-append "http://downloads.webmproject.org/releases/webp/libwebp-" version ".tar.gz")) - (patches (search-patches "libwebp-CVE-2016-9085.patch")) (sha256 (base32 - "1pqki1g8nzi8qgciysypd5r38zccv81np1dn43g27830rmpnrmka")))) + "0h1brwkyxc7lb8lc53aacdks5vc1y9hzngqi41gg7y6l56912a69")))) (build-system gnu-build-system) (inputs `(("freeglut" ,freeglut) diff --git a/gnu/packages/patches/libwebp-CVE-2016-9085.patch b/gnu/packages/patches/libwebp-CVE-2016-9085.patch deleted file mode 100644 index e40b353303..0000000000 
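Review bot: The image.scm hunk drops `libwebp-CVE-2016-9085.patch` together with the bump to 0.6.0, but neither the commit message nor the hunk records that the 0.6.0 tarball already contains the upstream fix. The deleted patch file names upstream commit e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83. I would state in the commit log that this commit is included in the 0.6.0 release, so the removal of a security patch can be audited later without re-deriving it.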
--- a/gnu/packages/patches/libwebp-CVE-2016-9085.patch +++ /dev/null 
@@ -1,144 +0,0 @@ -Fix CVE-2016-9085 (several integer overflows): - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9085 -http://seclists.org/oss-sec/2016/q4/253 - -Patch copied from upstream source repository: - -https://chromium.googlesource.com/webm/libwebp/+/e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83 - -From e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83 Mon Sep 17 00:00:00 2001 -From: Pascal Massimino -Date: Mon, 10 Oct 2016 11:48:39 +0200 -Subject: [PATCH] fix potential overflow when width * height * 4 >= (1<<32) - -Mostly: avoid doing calculation like: ptr + j * stride -when stride is 'int'. Rather use size_t, or pointer increments (ptr += stride) -when possible. - -BUG=webp:314 - -Change-Id: I81c684b515dd1ec4f601f32d50a6e821c4e46e20 ---- - examples/gifdec.c | 56 +++++++++++++++++++++++++++++++------------------------ - 1 file changed, 32 insertions(+), 24 deletions(-) - -diff --git a/examples/gifdec.c b/examples/gifdec.c -index 83c3d82..7df176f 100644 ---- a/examples/gifdec.c -+++ b/examples/gifdec.c -@@ -20,6 +20,7 @@ - - #include "webp/encode.h" - #include "webp/mux_types.h" -+#include "webp/format_constants.h" - - #define GIF_TRANSPARENT_COLOR 0x00000000 - #define GIF_WHITE_COLOR 0xffffffff -@@ -103,12 +104,19 @@ int GIFReadFrame(GifFileType* const gif, int transparent_index, - const GifImageDesc* const image_desc = &gif->Image; - uint32_t* dst = NULL; - uint8_t* tmp = NULL; -- int ok = 0; -- GIFFrameRect rect = { -+ const GIFFrameRect rect = { - image_desc->Left, image_desc->Top, image_desc->Width, image_desc->Height - }; -+ const uint64_t memory_needed = 4 * rect.width * (uint64_t)rect.height; -+ int ok = 0; - *gif_rect = rect; - -+ if (memory_needed != (size_t)memory_needed || -+ memory_needed > 4 * MAX_IMAGE_AREA) { -+ fprintf(stderr, "Image is too large (%d x %d).", rect.width, rect.height); -+ return 0; -+ } -+ - // Use a view for the sub-picture: - if (!WebPPictureView(picture, rect.x_offset, rect.y_offset, - rect.width, rect.height, &sub_image)) 
{ -@@ -132,15 +140,15 @@ int GIFReadFrame(GifFileType* const gif, int transparent_index, - y += interlace_jumps[pass]) { - if (DGifGetLine(gif, tmp, rect.width) == GIF_ERROR) goto End; - Remap(gif, tmp, rect.width, transparent_index, -- dst + y * sub_image.argb_stride); -+ dst + y * (size_t)sub_image.argb_stride); - } - } - } else { // Non-interlaced image. - int y; -- for (y = 0; y < rect.height; ++y) { -+ uint32_t* ptr = dst; -+ for (y = 0; y < rect.height; ++y, ptr += sub_image.argb_stride) { - if (DGifGetLine(gif, tmp, rect.width) == GIF_ERROR) goto End; -- Remap(gif, tmp, rect.width, transparent_index, -- dst + y * sub_image.argb_stride); -+ Remap(gif, tmp, rect.width, transparent_index, ptr); - } - } - ok = 1; -@@ -216,13 +224,11 @@ int GIFReadMetadata(GifFileType* const gif, GifByteType** const buf, - - static void ClearRectangle(WebPPicture* const picture, - int left, int top, int width, int height) { -- int j; -- for (j = top; j < top + height; ++j) { -- uint32_t* const dst = picture->argb + j * picture->argb_stride; -- int i; -- for (i = left; i < left + width; ++i) { -- dst[i] = GIF_TRANSPARENT_COLOR; -- } -+ int i, j; -+ const size_t stride = picture->argb_stride; -+ uint32_t* dst = picture->argb + top * stride + left; -+ for (j = 0; j < height; ++j, dst += stride) { -+ for (i = 0; i < width; ++i) dst[i] = GIF_TRANSPARENT_COLOR; - } - } - -@@ -246,29 +252,31 @@ void GIFDisposeFrame(GIFDisposeMethod dispose, const GIFFrameRect* const rect, - if (dispose == GIF_DISPOSE_BACKGROUND) { - GIFClearPic(curr_canvas, rect); - } else if (dispose == GIF_DISPOSE_RESTORE_PREVIOUS) { -- const int src_stride = prev_canvas->argb_stride; -- const uint32_t* const src = -- prev_canvas->argb + rect->x_offset + rect->y_offset * src_stride; -- const int dst_stride = curr_canvas->argb_stride; -- uint32_t* const dst = -- curr_canvas->argb + rect->x_offset + rect->y_offset * dst_stride; -+ const size_t src_stride = prev_canvas->argb_stride; -+ const uint32_t* const src = 
prev_canvas->argb + rect->x_offset -+ + rect->y_offset * src_stride; -+ const size_t dst_stride = curr_canvas->argb_stride; -+ uint32_t* const dst = curr_canvas->argb + rect->x_offset -+ + rect->y_offset * dst_stride; - assert(prev_canvas != NULL); -- WebPCopyPlane((uint8_t*)src, 4 * src_stride, (uint8_t*)dst, 4 * dst_stride, -+ WebPCopyPlane((uint8_t*)src, (int)(4 * src_stride), -+ (uint8_t*)dst, (int)(4 * dst_stride), - 4 * rect->width, rect->height); - } - } - - void GIFBlendFrames(const WebPPicture* const src, - const GIFFrameRect* const rect, WebPPicture* const dst) { -- int j; -+ int i, j; -+ const size_t src_stride = src->argb_stride; -+ const size_t dst_stride = dst->argb_stride; - assert(src->width == dst->width && src->height == dst->height); - for (j = rect->y_offset; j < rect->y_offset + rect->height; ++j) { -- int i; - for (i = rect->x_offset; i < rect->x_offset + rect->width; ++i) { -- const uint32_t src_pixel = src->argb[j * src->argb_stride + i]; -+ const uint32_t src_pixel = src->argb[j * src_stride + i]; - const int src_alpha = src_pixel >> 24; - if (src_alpha != 0) { -- dst->argb[j * dst->argb_stride + i] = src_pixel; -+ dst->argb[j * dst_stride + i] = src_pixel; - } - } - } --- -2.10.1 - -- cgit v1.2.3 From 512fc6db7bb900a892810d4b3c8b0e712b8e2379 Mon Sep 17 00:00:00 2001 
From: Mark H Weaver Date: Sat, 18 Mar 2017 02:29:12 -0400 Subject: gnu: libevent@2.0: Add fix from upstream. This fix was cherry-picked by Mozilla from upstream libevent-2.1 to its bundled copy of libevent-2.0.21 in mozilla-esr45. * gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/libevent.scm (libevent-2.0)[source][patches]: Add it. --- gnu/local.mk | 1 + gnu/packages/libevent.scm | 28 ++++++++-------- ...vent-2.0-evbuffer-add-use-last-with-datap.patch | 38 ++++++++++++++++++++++ 3 files changed, 54 insertions(+), 13 deletions(-) create mode 100644 gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index 48c134ba6e..885c1137a5 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -677,6 +677,7 @@ dist_patch_DATA = \ %D%/packages/patches/libdrm-symbol-check.patch \ %D%/packages/patches/libepoxy-gl-null-checks.patch \ %D%/packages/patches/libevent-dns-tests.patch \ + %D%/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch \ %D%/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch \ %D%/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch \ %D%/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch \ diff --git a/gnu/packages/libevent.scm b/gnu/packages/libevent.scm index dd5f7c4067..6e2ce8f257 100644 --- a/gnu/packages/libevent.scm +++ b/gnu/packages/libevent.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès -;;; Copyright © 2015 Mark H Weaver +;;; Copyright © 2015, 2017 Mark H Weaver ;;; Copyright © 2015 Eric Dvorsak ;;; Copyright © 2016 David Thompson ;;; Copyright © 2017 Marius Bakke 
@@ -74,18 +74,20 @@ loop.") (inherit libevent) (version "2.0.22") (source (origin - (method url-fetch) - (uri (string-append - "https://github.com/libevent/libevent/releases/download/release-" - version "-stable/libevent-" version "-stable.tar.gz")) - (sha256 - (base32 - "18qz9qfwrkakmazdlwxvjmw8p76g70n3faikwvdwznns1agw9hki")) - (patches (search-patches - "libevent-dns-tests.patch" - "libevent-2.0-evdns-fix-remote-stack-overread.patch" - "libevent-2.0-evutil-fix-buffer-overflow.patch" - "libevent-2.0-evdns-fix-searching-empty-hostnames.patch")))))) + (method url-fetch) + (uri (string-append + "https://github.com/libevent/libevent/releases/download/release-" + version "-stable/libevent-" version "-stable.tar.gz")) + (sha256 + (base32 + "18qz9qfwrkakmazdlwxvjmw8p76g70n3faikwvdwznns1agw9hki")) + (patches + (search-patches + "libevent-dns-tests.patch" + "libevent-2.0-evdns-fix-remote-stack-overread.patch" + "libevent-2.0-evutil-fix-buffer-overflow.patch" + "libevent-2.0-evdns-fix-searching-empty-hostnames.patch" + "libevent-2.0-evbuffer-add-use-last-with-datap.patch")))))) (define-public libev (package diff --git a/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch b/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch new file mode 100644 index 0000000000..0253700bf6 --- /dev/null +++ b/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch 
@@ -0,0 +1,38 @@ +From a8769ef12d7e223e33fc47bed03fba2bfa2f3536 Mon Sep 17 00:00:00 2001 +From: Marcus Sundberg +Date: Sat, 26 Mar 2016 20:11:43 +0100 +Subject: [PATCH] evbuffer_add: Use last_with_datap if set, not last. + +evbuffer_add() would always put data in the last chain, even if there +was available space in a previous chain, and in doing so it also +failed to update last_with_datap, causing subsequent calls to other +functions that do look at last_with_datap to add data in the middle +of the evbuffer instead of at the end. + +Fixes the evbuffer_add() part of issue #335, and the evbuffer/add2 and +evbuffer/add3 tests, and also prevents wasting space available in the +chain pointed to by last_with_datap. +--- + buffer.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/buffer.c b/buffer.c +index 7cca0e8a..f378b731 100644 +--- a/buffer.c ++++ b/buffer.c +@@ -1732,7 +1732,11 @@ evbuffer_add(struct evbuffer *buf, const void *data_in, size_t datlen) + goto done; + } + +- chain = buf->last; ++ if (*buf->last_with_datap == NULL) { ++ chain = buf->last; ++ } else { ++ chain = *buf->last_with_datap; ++ } + + /* If there are no chains allocated for this buffer, allocate one + * big enough to hold all the data. */ +-- +2.12.0 + -- cgit v1.2.3
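Review bot: This patch file carries no provenance header, unlike the other patches added in this series, which open with the URL they were copied from. Here the origin (upstream libevent-2.1, cherry-picked by Mozilla into its bundled 2.0.21) appears only in the Guix commit message. I would add leading lines to the patch file stating where it was taken from and citing the commit id in its From line, a8769ef12d7e223e33fc47bed03fba2bfa2f3536. In the code, `*buf->last_with_datap` is dereferenced without any check on `buf->last_with_datap` itself. That pointer is presumably always valid for an initialised evbuffer, but the hunk does not show it, and `evbuffer_add` continues outside the hunk.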