Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/bluez-CVE-2020-0556.patch | 180 | ||||
-rw-r--r-- | gnu/packages/patches/kinit-kdeinit-extra_libs.patch | 10 | ||||
-rw-r--r-- | gnu/packages/patches/libdrm-realpath-virtio.patch | 42 | ||||
-rw-r--r-- | gnu/packages/patches/libdrm-symbol-check.patch | 215 | ||||
-rw-r--r-- | gnu/packages/patches/qtbase-QTBUG-81715.patch | 40 | ||||
-rw-r--r-- | gnu/packages/patches/qtbase-use-TZDIR.patch | 4 |
6 files changed, 49 insertions, 442 deletions
diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch
deleted file mode 100644
index 7c34459a3a..0000000000
--- a/gnu/packages/patches/bluez-CVE-2020-0556.patch
+++ /dev/null
@@ -1,180 +0,0 @@ -Fix CVE-2020-0556: - -https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/ -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556 - -Patches copied from upstream source repository: - -https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787 -https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1 - -From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001 -From: Alain Michaud <alainm@chromium.org> -Date: Tue, 10 Mar 2020 02:35:18 +0000 -Subject: [PATCH] HID accepts bonded device connections only. - -This change adds a configuration for platforms to choose a more secure -posture for the HID profile. While some older mice are known to not -support pairing or encryption, some platform may choose a more secure -posture by requiring the device to be bonded and require the -connection to be encrypted when bonding is required. 
- -Reference: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html ---- - profiles/input/device.c | 23 ++++++++++++++++++++++- - profiles/input/device.h | 1 + - profiles/input/input.conf | 8 ++++++++ - profiles/input/manager.c | 13 ++++++++++++- - 4 files changed, 43 insertions(+), 2 deletions(-) - -diff --git a/profiles/input/device.c b/profiles/input/device.c -index 2cb3811c8..d89da2d7c 100644 ---- a/profiles/input/device.c -+++ b/profiles/input/device.c -@@ -92,6 +92,7 @@ struct input_device { - - static int idle_timeout = 0; - static bool uhid_enabled = false; -+static bool classic_bonded_only = false; - - void input_set_idle_timeout(int timeout) - { -@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state) - uhid_enabled = state; - } - -+void input_set_classic_bonded_only(bool state) -+{ -+ classic_bonded_only = state; -+} -+ - static void input_device_enter_reconnect_mode(struct input_device *idev); - static int connection_disconnect(struct input_device *idev, uint32_t flags); - -@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev) - if (device_name_known(idev->device)) - device_get_name(idev->device, req->name, sizeof(req->name)); - -+ /* Make sure the device is bonded if required */ -+ if (classic_bonded_only && !device_is_bonded(idev->device, -+ btd_device_get_bdaddr_type(idev->device))) { -+ error("Rejected connection from !bonded device %s", dst_addr); -+ goto cleanup; -+ } -+ - /* Encryption is mandatory for keyboards */ -- if (req->subclass & 0x40) { -+ /* Some platforms may choose to require encryption for all devices */ -+ /* Note that this only matters for pre 2.1 devices as otherwise the */ -+ /* device is encrypted by default by the lower layers */ -+ if (classic_bonded_only || req->subclass & 0x40) { - if (!bt_io_set(idev->intr_io, &gerr, - BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM, - BT_IO_OPT_INVALID)) { -@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct 
input_device *idev) - DBG("path=%s reconnect_mode=%s", idev->path, - reconnect_mode_to_string(idev->reconnect_mode)); - -+ /* Make sure the device is bonded if required */ -+ if (classic_bonded_only && !device_is_bonded(idev->device, -+ btd_device_get_bdaddr_type(idev->device))) -+ return; -+ - /* Only attempt an auto-reconnect when the device is required to - * accept reconnections from the host. - */ -diff --git a/profiles/input/device.h b/profiles/input/device.h -index 51a9aee18..3044db673 100644 ---- a/profiles/input/device.h -+++ b/profiles/input/device.h -@@ -29,6 +29,7 @@ struct input_conn; - - void input_set_idle_timeout(int timeout); - void input_enable_userspace_hid(bool state); -+void input_set_classic_bonded_only(bool state); - - int input_device_register(struct btd_service *service); - void input_device_unregister(struct btd_service *service); -diff --git a/profiles/input/input.conf b/profiles/input/input.conf -index 3e1d65aae..166aff4a4 100644 ---- a/profiles/input/input.conf -+++ b/profiles/input/input.conf -@@ -11,3 +11,11 @@ - # Enable HID protocol handling in userspace input profile - # Defaults to false (HIDP handled in HIDP kernel module) - #UserspaceHID=true -+ -+# Limit HID connections to bonded devices -+# The HID Profile does not specify that devices must be bonded, however some -+# platforms may want to make sure that input connections only come from bonded -+# device connections. Several older mice have been known for not supporting -+# pairing/encryption. -+# Defaults to false to maximize device compatibility. 
-+#ClassicBondedOnly=true -diff --git a/profiles/input/manager.c b/profiles/input/manager.c -index 1d31b0652..5cd27b839 100644 ---- a/profiles/input/manager.c -+++ b/profiles/input/manager.c -@@ -96,7 +96,7 @@ static int input_init(void) - config = load_config_file(CONFIGDIR "/input.conf"); - if (config) { - int idle_timeout; -- gboolean uhid_enabled; -+ gboolean uhid_enabled, classic_bonded_only; - - idle_timeout = g_key_file_get_integer(config, "General", - "IdleTimeout", &err); -@@ -114,6 +114,17 @@ static int input_init(void) - input_enable_userspace_hid(uhid_enabled); - } else - g_clear_error(&err); -+ -+ classic_bonded_only = g_key_file_get_boolean(config, "General", -+ "ClassicBondedOnly", &err); -+ -+ if (!err) { -+ DBG("input.conf: ClassicBondedOnly=%s", -+ classic_bonded_only ? "true" : "false"); -+ input_set_classic_bonded_only(classic_bonded_only); -+ } else -+ g_clear_error(&err); -+ - } - - btd_profile_register(&input_profile); --- -2.25.1 - -From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001 -From: Alain Michaud <alainm@chromium.org> -Date: Tue, 10 Mar 2020 02:35:16 +0000 -Subject: [PATCH] HOGP must only accept data from bonded devices. - -HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding. - -Reference: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm ---- - profiles/input/hog.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/profiles/input/hog.c b/profiles/input/hog.c -index 83c017dcb..dfac68921 100644 ---- a/profiles/input/hog.c -+++ b/profiles/input/hog.c -@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service) - return -EINVAL; - } - -+ /* HOGP 1.0 Section 6.1 requires bonding */ -+ if (!device_is_bonded(device, btd_device_get_bdaddr_type(device))) -+ return -ECONNREFUSED; -+ - /* TODO: Replace GAttrib with bt_gatt_client */ - bt_hog_attach(dev->hog, attrib); - --- -2.25.1 - 
diff --git a/gnu/packages/patches/kinit-kdeinit-extra_libs.patch b/gnu/packages/patches/kinit-kdeinit-extra_libs.patch index c3c4ce1161..1271f3df7d 100644 --- a/gnu/packages/patches/kinit-kdeinit-extra_libs.patch +++ b/gnu/packages/patches/kinit-kdeinit-extra_libs.patch @@ -42,12 +42,12 @@ pkgs/development/libraries/kde-frameworks/kinit/kdeinit-extra_libs.patch extern "C" { static void secondary_child_handler(int) -@@ -1689,7 +1693,7 @@ +@@ -1673,7 +1673,7 @@ + #if defined(Q_OS_UNIX) && !defined(Q_OS_OSX) if (!d.suicide && qEnvironmentVariableIsEmpty("KDE_IS_PRELINKED")) { - const int extrasCount = sizeof(extra_libs) / sizeof(extra_libs[0]); - for (int i = 0; i < extrasCount; i++) { -- const QString extra = findSharedLib(QString::fromLatin1(extra_libs[i])); -+ const QString extra = QString::fromLatin1(extra_libs[i]); + for (const char *extra_lib : extra_libs) { +- const QString extra = findSharedLib(QString::fromLatin1(extra_lib)); ++ const QString extra = QString::fromLatin1(extra_lib); if (!extra.isEmpty()) { QLibrary l(extra); l.setLoadHints(QLibrary::ExportExternalSymbolsHint); diff --git a/gnu/packages/patches/libdrm-realpath-virtio.patch b/gnu/packages/patches/libdrm-realpath-virtio.patch new file mode 100644 index 0000000000..b7d85160b4 --- /dev/null +++ b/gnu/packages/patches/libdrm-realpath-virtio.patch 
@@ -0,0 +1,42 @@
+Only check for for relative path on virtio devices. Otherwise it could
+break driver loading in some circumstances, notably the IceCat sandbox.
+
+https://gitlab.freedesktop.org/mesa/drm/-/issues/39
+
+Taken from upstream:
+https://gitlab.freedesktop.org/mesa/drm/-/commit/57df07572ce45a1b60bae6fb89770388d3abd6dd
+
+diff --git a/xf86drm.c b/xf86drm.c
+--- a/xf86drm.c
++++ b/xf86drm.c
+@@ -3103,15 +3103,18 @@ static int drmParseSubsystemType(int maj, int min)
+ int subsystem_type;
+
+ snprintf(path, sizeof(path), "/sys/dev/char/%d:%d/device", maj, min);
+- if (!realpath(path, real_path))
+- return -errno;
+- snprintf(path, sizeof(path), "%s", real_path);
+
+ subsystem_type = get_subsystem_type(path);
++ /* Try to get the parent (underlying) device type */
+ if (subsystem_type == DRM_BUS_VIRTIO) {
++ /* Assume virtio-pci on error */
++ if (!realpath(path, real_path))
++ return DRM_BUS_VIRTIO;
+ strncat(path, "/..", PATH_MAX);
+ subsystem_type = get_subsystem_type(path);
+- }
++ if (subsystem_type < 0)
++ return DRM_BUS_VIRTIO;
++ }
+ return subsystem_type;
+ #elif defined(__OpenBSD__) || defined(__DragonFly__) || defined(__FreeBSD__)
+ return DRM_BUS_PCI;
+@@ -3920,6 +3923,7 @@ process_device(drmDevicePtr *device, const char *d_name,
+
+ switch (subsystem_type) {
+ case DRM_BUS_PCI:
++ case DRM_BUS_VIRTIO:
+ return drmProcessPciDevice(device, node, node_type, maj, min,
+ fetch_deviceinfo, flags);
+ case DRM_BUS_USB:
diff --git a/gnu/packages/patches/libdrm-symbol-check.patch b/gnu/packages/patches/libdrm-symbol-check.patch
deleted file mode 100644
index 0a77763a4f..0000000000
--- a/gnu/packages/patches/libdrm-symbol-check.patch
+++ /dev/null
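Review bot: In the drmParseSubsystemType hunk of libdrm-realpath-virtio.patch, `strncat(path, "/..", PATH_MAX);` passes a buffer-sized bound, but strncat's third argument limits the characters appended, not the total length of the destination. It cannot overflow here only because path was just formatted from two integers and is short; the declaration of path is outside the hunk, so its size is assumed to be about PATH_MAX. A bound tied to the remaining space would be `strncat(path, "/..", sizeof(path) - strlen(path) - 1);`, best raised upstream since this patch is copied from the upstream commit. Separately, real_path is now written by realpath() but never read in the visible lines, so a short comment such as `/* realpath() result is unused; only its success is checked */` would make that intent explicit.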
@@ -1,215 +0,0 @@ -Augment the list of expected symbols to fix the symbol-check tests on -mips64el-linux, armhf-linux and aarch64-linux. - ---- libdrm-2.4.65/freedreno/freedreno-symbol-check.orig 2015-09-04 11:07:40.000000000 -0400 -+++ libdrm-2.4.65/freedreno/freedreno-symbol-check 2015-10-18 23:57:15.288416229 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. -+# The following symbols (past the first 12) are taken from the public headers. - # A list of the latter should be available Makefile.sources/LIBDRM_FREEDRENO_H_FILES - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_freedreno.so} | awk '{print $3}'| while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - fd_bo_cpu_fini - fd_bo_cpu_prep - fd_bo_del ---- libdrm-2.4.65/nouveau/nouveau-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 -+++ libdrm-2.4.65/nouveau/nouveau-symbol-check 2015-10-18 23:55:26.078327118 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. -+# The following symbols (past the first 12) are taken from the public headers. - # A list of the latter should be available Makefile.sources/LIBDRM_NOUVEAU_H_FILES - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_nouveau.so} | awk '{print $3}'| while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - nouveau_bo_map - nouveau_bo_name_get - nouveau_bo_name_ref ---- libdrm-2.4.65/libkms/kms-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 -+++ libdrm-2.4.65/libkms/kms-symbol-check 2015-10-18 23:46:10.683869471 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. 
-+# The following symbols (past the first 12) are taken from the public headers. - # A list of the latter should be available Makefile.sources/LIBKMS_H_FILES - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libkms.so} | awk '{print $3}'| while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - kms_bo_create - kms_bo_destroy - kms_bo_get_prop ---- libdrm-2.4.65/intel/intel-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 -+++ libdrm-2.4.65/intel/intel-symbol-check 2015-10-18 23:55:53.309558508 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. -+# The following symbols (past the first 12) are taken from the public headers. - # A list of the latter should be available Makefile.sources/LIBDRM_INTEL_H_FILES - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_intel.so} | awk '{print $3}' | while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - drm_intel_bo_alloc - drm_intel_bo_alloc_for_render - drm_intel_bo_alloc_tiled ---- libdrm-2.4.65/amdgpu/amdgpu-symbol-check.orig 2015-08-17 10:08:11.000000000 -0400 -+++ libdrm-2.4.65/amdgpu/amdgpu-symbol-check 2015-10-18 23:56:10.606917723 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. -+# The following symbols (past the first 12) are taken from the public headers. 
- # A list of the latter should be available Makefile.am/libdrm_amdgpuinclude_HEADERS - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_amdgpu.so} | awk '{print $3}' | while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - amdgpu_bo_alloc - amdgpu_bo_cpu_map - amdgpu_bo_cpu_unmap ---- libdrm-2.4.65/exynos/exynos-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 -+++ libdrm-2.4.65/exynos/exynos-symbol-check 2015-10-18 23:56:32.025486153 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. -+# The following symbols (past the first 12) are taken from the public headers. - # A list of the latter should be available Makefile.am/libdrm_exynos*_HEADERS - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_exynos.so} | awk '{print $3}'| while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - exynos_bo_create - exynos_bo_destroy - exynos_bo_from_name ---- libdrm-2.4.65/omap/omap-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 -+++ libdrm-2.4.65/omap/omap-symbol-check 2015-10-18 23:56:44.834438626 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. -+# The following symbols (past the first 12) are taken from the public headers. 
- # A list of the latter should be available Makefile.am/libdrm_omap*HEADERS - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_omap.so} | awk '{print $3}'| while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - omap_bo_cpu_fini - omap_bo_cpu_prep - omap_bo_del ---- libdrm-2.4.65/tegra/tegra-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 -+++ libdrm-2.4.65/tegra/tegra-symbol-check 2015-10-18 23:57:00.756759698 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first nine) are taken from tegra.h. -+# The following symbols (past the first 12) are taken from tegra.h. - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_tegra.so} | awk '{print $3}'| while read func; do - ( grep -q "^$func$" || echo $func ) <<EOF -@@ -9,6 +9,9 @@ - __bss_start - __end__ - _bss_end__ -+_fbss -+_fdata -+_ftext - _edata - _end - _fini ---- libdrm-2.4.65/radeon/radeon-symbol-check.orig 2015-05-04 11:47:43.000000000 -0400 -+++ libdrm-2.4.65/radeon/radeon-symbol-check 2015-10-18 23:57:00.756759698 -0400 -@@ -1,6 +1,6 @@ - #!/bin/bash - --# The following symbols (past the first five) are taken from the public headers. -+# The following symbols (past the first 12) are taken from the public headers. - # A list of the latter should be available Makefile.sources/LIBDRM_RADEON_H_FILES - - FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_tegra.so} | awk '{print $3}'| while read func; do -@@ -10,6 +10,13 @@ - _end - _fini - _init -+_fbss -+_fdata -+_ftext -+__bss_start__ -+__bss_end__ -+_bss_end__ -+__end__ - radeon_bo_debug - radeon_bo_get_handle - radeon_bo_get_src_domain diff --git a/gnu/packages/patches/qtbase-QTBUG-81715.patch b/gnu/packages/patches/qtbase-QTBUG-81715.patch deleted file mode 100644 index 70b83b97d2..0000000000 --- a/gnu/packages/patches/qtbase-QTBUG-81715.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 8a3fde00bf53d99e9e4853e8ab97b0e1bcf74915 Mon Sep 17 00:00:00 2001 -From: Joerg Bornemann <joerg.bornemann@qt.io> -Date: Wed, 29 Jan 2020 11:06:35 +0100 -Subject: [PATCH] Fix qt5_make_output_file macro for paths containing dots - -Commit 89bd5a7e broke CMake projects that use dots in their build -paths, because the used regular expression matches the directory part -of the path as well. - -The regex wants to achieve the same as get_filename_component(... -NAME_WLE) which is available since CMake 3.14. Re-implement the -NAME_WLE functionality for older CMake versions by using multiple -get_filename_component calls. - -Fixes: QTBUG-81715 -Task-number: QTBUG-80295 -Change-Id: I2ef053300948f6e1b2c0c5eafac35105f193d4e6 -Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io> ---- - -diff --git a/src/corelib/Qt5CoreMacros.cmake b/src/corelib/Qt5CoreMacros.cmake -index 7735e51..b3da640 100644 ---- a/src/corelib/Qt5CoreMacros.cmake -+++ b/src/corelib/Qt5CoreMacros.cmake -@@ -59,7 +59,14 @@ - set(_outfile "${CMAKE_CURRENT_BINARY_DIR}/${rel}") - string(REPLACE ".." "__" _outfile ${_outfile}) - get_filename_component(outpath ${_outfile} PATH) -- string(REGEX REPLACE "\\.[^.]*$" "" _outfile ${_outfile}) -+ if(CMAKE_VERSION VERSION_LESS "3.14") -+ get_filename_component(_outfile_ext ${_outfile} EXT) -+ get_filename_component(_outfile_ext ${_outfile_ext} NAME_WE) -+ get_filename_component(_outfile ${_outfile} NAME_WE) -+ string(APPEND _outfile ${_outfile_ext}) -+ else() -+ get_filename_component(_outfile ${_outfile} NAME_WLE) -+ endif() - file(MAKE_DIRECTORY ${outpath}) - set(${outfile} ${outpath}/${prefix}${_outfile}.${ext}) - endmacro() diff --git a/gnu/packages/patches/qtbase-use-TZDIR.patch b/gnu/packages/patches/qtbase-use-TZDIR.patch index 11c737d844..b6c377b133 100644 --- a/gnu/packages/patches/qtbase-use-TZDIR.patch +++ b/gnu/packages/patches/qtbase-use-TZDIR.patch 
@@ -4,8 +4,8 @@ important to be able to update it fast. Based on a patch fron NixOS. =================================================================== ---- qtbase-opensource-src-5.9.4.orig/src/corelib/tools/qtimezoneprivate_tz.cpp -+++ qtbase-opensource-src-5.9.4/src/corelib/tools/qtimezoneprivate_tz.cpp +--- qtbase-opensource-src-5.14.2.orig/src/corelib/time/qtimezoneprivate_tz.cpp ++++ qtbase-opensource-src-5.15.2/src/corelib/time/qtimezoneprivate_tz.cpp @@ -70,7 +70,11 @@ // Parse zone.tab table, assume lists all installed zones, if not will need to read directories static QTzTimeZoneHash loadTzTimeZones() |