From e3fc9bcce2cfc26a60747c58f5c8c59cc8400785 Mon Sep 17 00:00:00 2001 From: Timothy Sample Date: Sun, 12 Aug 2018 11:12:38 -0400 Subject: gnu: racket: Ignore bytecode checksums in the store. Fixes . * gnu/packages/patches/racket-store-checksum-override.patch: New file. * gnu/packages/scheme.scm (racket)[sources]: Add it. --- .../patches/racket-store-checksum-override.patch | 42 ++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 gnu/packages/patches/racket-store-checksum-override.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/racket-store-checksum-override.patch b/gnu/packages/patches/racket-store-checksum-override.patch new file mode 100644 index 0000000000..b22facca0d --- /dev/null +++ b/gnu/packages/patches/racket-store-checksum-override.patch 
@@ -0,0 +1,42 @@
+Racket uses checksums to test if it needs to recompile its source
+files to bytecode. If Racket is updated by grafting, the source and
+bytecode files get updated, but the checksum stays the same. Since
+the checksum no longer matches the source file, Racket tries to
+regenerate the bytecode and write it to the store, causing errors
+because the store is immutable. This patch makes Racket ignore
+checksums for files in the store.
+
+See for details.
+
+diff -ruN racket-6.12/collects/compiler/cm.rkt racket-6.12-patched/collects/compiler/cm.rkt
+--- racket-6.12/collects/compiler/cm.rkt 1969-12-31 19:00:00.000000000 -0500
++++ racket-6.12-patched/collects/compiler/cm.rkt 2018-08-12 06:36:46.061142149 -0400
+@@ -7,6 +7,7 @@
+ racket/list
+ racket/path
+ racket/promise
++ racket/string
+ openssl/sha1
+ racket/place
+ setup/collects
+@@ -627,6 +628,10 @@
+ #f
+ (list src-hash recorded-hash)))
+
++(define (store-reference? path)
++ (let ([store-prefix (or (getenv "NIX_STORE") "/gnu/store")])
++ (string-prefix? (path->string path) store-prefix)))
++
+ (define (rkt->ss p)
+ (if (path-has-extension? p #".rkt")
+ (path-replace-extension p #".ss")
+@@ -679,7 +684,8 @@
+ (trace-printf "newer src... ~a > ~a" path-time path-zo-time)
+ ;; If `sha1-only?', then `maybe-compile-zo' returns a #f or thunk:
+ (maybe-compile-zo sha1-only? deps path->mode roots path orig-path read-src-syntax up-to-date collection-cache new-seen)]
+- [(different-source-sha1-and-dep-recorded path deps)
++ [(and (not (store-reference? path))
++ (different-source-sha1-and-dep-recorded path deps))
+ => (lambda (difference)
+ (trace-printf "different src hash... ~a" difference)
+ ;; If `sha1-only?', then `maybe-compile-zo' returns a #f or thunk:
-- cgit v1.2.3
From 18e56ad7eba42b23e338dfc77cd057bf8a076f19 Mon Sep 17 00:00:00 2001
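Review bot: `store-reference?` in the second inner hunk decides store membership with a bare `string-prefix?` on `(path->string path)`, so any path that merely begins with the prefix text, such as a sibling directory like `/gnu/store-backup/...` (constructed example), also skips the source-hash comparison and keeps whatever bytecode is on disk. Matching on a directory boundary closes that gap, for example `(string-prefix? (path->string path) (string-append store-prefix "/"))`. The check also does not appear to normalise `path`, so a relative path or a symlink into the store would presumably not be recognised; worth confirming against how `cm.rkt` passes paths in. A comment above `store-reference?` should say that the checksum is skipped because store files are immutable and that `NIX_STORE` overrides the default prefix.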
From: Björn Höfling Date: Fri, 3 Aug 2018 13:52:13 +0200 Subject: gnu: aegisub: Fix build. * gnu/packages/patches/aegisub-icu59-include-unistr.patch: New file. * gnu/lokal.mk (dist_patch_DATA): Register it. * gnu/packages/video.scm (aegisub)[source]: Use patch. [arguments]: Add CXXFLAGS, Return #t from fix-ldflags phase. Signed-off-by: Leo Famulari --- gnu/local.mk | 1 + gnu/packages/patches/aegisub-icu59-include-unistr.patch | 12 ++++++++++++ gnu/packages/video.scm | 10 +++++++--- 3 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 gnu/packages/patches/aegisub-icu59-include-unistr.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index dee36f8b44..53120db7f7 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -566,6 +566,7 @@ dist_patch_DATA = \ %D%/packages/patches/aegis-perl-tempdir2.patch \ %D%/packages/patches/aegis-test-fixup-1.patch \ %D%/packages/patches/aegis-test-fixup-2.patch \ + %D%/packages/patches/aegisub-icu59-include-unistr.patch \ %D%/packages/patches/agg-am_c_prototype.patch \ %D%/packages/patches/amule-crypto-6.patch \ %D%/packages/patches/ansible-wrap-program-hack.patch \ diff --git a/gnu/packages/patches/aegisub-icu59-include-unistr.patch b/gnu/packages/patches/aegisub-icu59-include-unistr.patch new file mode 100644 index 0000000000..78414741be --- /dev/null +++ b/gnu/packages/patches/aegisub-icu59-include-unistr.patch @@ -0,0 +1,12 @@ +This patch adds an include needed since icu59: +Source: https://git.archlinux.org/svntogit/community.git/plain/trunk/icu59.patch?h=packages/aegisub +--- aegisub-3.2.2/src/utils.cpp 2014-12-08 02:07:09.000000000 +0200 ++++ aegisub-3.2.2/src/utils.cpp 2017-04-26 11:11:15.438239182 +0300 +@@ -44,6 +44,7 @@ + #include + #include + #include ++#include + #include + #include + #include diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm index 2a1391c049..510122ab3b 100644 --- a/gnu/packages/video.scm +++ b/gnu/packages/video.scm 
@@ -28,6 +28,7 @@ ;;; Copyright © 2018 Leo Famulari ;;; Copyright © 2018 Brendan Tildesley ;;; Copyright © 2018 Arun Isaac +;;; Copyright © 2018 Björn Höfling ;;; ;;; This file is part of GNU Guix. ;;; @@ -2738,21 +2739,24 @@ programmers to access a standard API to open and decompress media files.") name "-" version ".tar.xz")) (sha256 (base32 - "11b83qazc8h0iidyj1rprnnjdivj1lpphvpa08y53n42bfa36pn5")))) + "11b83qazc8h0iidyj1rprnnjdivj1lpphvpa08y53n42bfa36pn5")) + (patches (search-patches "aegisub-icu59-include-unistr.patch")))) (build-system gnu-build-system) (arguments `(#:configure-flags (list "--disable-update-checker" "--without-portaudio" "--without-openal" - "--without-oss") + "--without-oss" + "CXXFLAGS=-DU_USING_ICU_NAMESPACE=1") ;; tests require busted, a lua package we don't have yet #:tests? #f #:phases (modify-phases %standard-phases (add-before 'configure 'fix-ldflags (lambda _ - (setenv "LDFLAGS" "-pthread")))))) + (setenv "LDFLAGS" "-pthread") + #t))))) (inputs `(("boost" ,boost) ("desktop-file-utils" ,desktop-file-utils) -- cgit v1.2.3 From b92302fd6cf78079364b2ba51aeceed62315633e Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Tue, 14 Aug 2018 14:52:45 +0200 Subject: gnu: translate-shell: Update to 0.9.6.8. * gnu/packages/dictionaries.scm (translate-shell): Update to 0.9.6.8. [source]: Remove patch. * gnu/packages/patches/translate-shell-fix-curl-tests.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/dictionaries.scm | 9 ++-- .../patches/translate-shell-fix-curl-tests.patch | 60 ---------------------- 3 files changed, 4 insertions(+), 66 deletions(-) delete mode 100644 gnu/packages/patches/translate-shell-fix-curl-tests.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index 53120db7f7..15e7beac6e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
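Review bot: Passing `"CXXFLAGS=-DU_USING_ICU_NAMESPACE=1"` in `#:configure-flags` replaces the C++ flags rather than adding to them; with an autoconf-generated configure script (assumed here, the script is not shown) that drops the default `-g -O2`, so aegisub would be built without optimisation. The macro is a preprocessor definition, so `"CPPFLAGS=-DU_USING_ICU_NAMESPACE=1"` carries it without touching the optimisation flags. A short comment beside the flag, such as `;; needed since ICU 59, see aegisub-icu59-include-unistr.patch`, would tell the next person updating the package why it is there. The `arguments` form continues outside the hunk.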
@@ -1164,7 +1164,6 @@ dist_patch_DATA = \ %D%/packages/patches/tipp10-fix-compiling.patch \ %D%/packages/patches/tipp10-remove-license-code.patch \ %D%/packages/patches/tk-find-library.patch \ - %D%/packages/patches/translate-shell-fix-curl-tests.patch \ %D%/packages/patches/ttf2eot-cstddef.patch \ %D%/packages/patches/ttfautohint-source-date-epoch.patch \ %D%/packages/patches/tophat-build-with-later-seqan.patch \ diff --git a/gnu/packages/dictionaries.scm b/gnu/packages/dictionaries.scm index 42dc291975..9f63223453 100644 --- a/gnu/packages/dictionaries.scm +++ b/gnu/packages/dictionaries.scm @@ -238,7 +238,7 @@ and a Python library.") (define-public translate-shell (package (name "translate-shell") - (version "0.9.6.7") + (version "0.9.6.8") (source (origin (method url-fetch) @@ -246,14 +246,13 @@ and a Python library.") version ".tar.gz")) (sha256 (base32 - "0inv6r3qbihn2ff1sgcly89r04k4vgcbvvyl50ln0mxlapbhpy95")) - (patches (search-patches "translate-shell-fix-curl-tests.patch")) + "17yc2kwk8957wwxyih0jmsai720ai2yqyvmrqrglcncqg6zdbz9w")) (file-name (string-append name "-" version ".tar.gz")))) (build-system gnu-build-system) (arguments `(#:phases (modify-phases %standard-phases - (delete 'configure) ; no configure phase + (delete 'configure) ; no configure phase (add-after 'install 'emacs-install (lambda* (#:key inputs outputs #:allow-other-keys) (let* ((out (assoc-ref outputs "out")) @@ -275,7 +274,7 @@ and a Python library.") ("rlwrap" ,rlwrap))) (native-inputs `(("emacs" ,emacs-minimal) - ("util-linux" ,util-linux))) ; hexdump, for the test + ("util-linux" ,util-linux))) ; hexdump, for the test (home-page "https://www.soimort.org/translate-shell/") (synopsis "Translations from the command line") (description diff --git a/gnu/packages/patches/translate-shell-fix-curl-tests.patch b/gnu/packages/patches/translate-shell-fix-curl-tests.patch deleted file mode 100644 index 33731462b8..0000000000 
--- a/gnu/packages/patches/translate-shell-fix-curl-tests.patch +++ /dev/null @@ -1,60 +0,0 @@ -This patch fixes Curl related tests for 'translate-shell'. - -Upstream bug URL: - -https://github.com/soimort/translate-shell/issues/221 - -From bb9f32d3145125ba664b6b05bf0a2fd34108e9d2 Mon Sep 17 00:00:00 2001 -From: Mort Yao -Date: Sun, 25 Mar 2018 03:14:33 +0200 -Subject: [PATCH] TestUtils: perform curl-related tests only if NETWORK_ACCESS - is set to yes (#221) - ---- - test/TestUtils.awk | 32 +++++++++++++++++--------------- - 1 file changed, 17 insertions(+), 15 deletions(-) - -diff --git a/test/TestUtils.awk b/test/TestUtils.awk -index 08bb2e9..1c141e5 100644 ---- a/test/TestUtils.awk -+++ b/test/TestUtils.awk -@@ -30,22 +30,24 @@ BEGIN { - assertTrue(newerVersion("2", "1.9.9999")) - } - -- T("curl()", 1) -- { -- delete tokens; delete ast -- tokenize(tokens, curl("https://httpbin.org/get")) -- parseJson(ast, tokens) -- assertEqual(unparameterize(ast[0 SUBSEP "url"]), -- "https://httpbin.org/get") -- } -+ if (yn(ENVIRON["NETWORK_ACCESS"])) { # if network access enabled -+ T("curl()", 1) -+ { -+ delete tokens; delete ast -+ tokenize(tokens, curl("https://httpbin.org/get")) -+ parseJson(ast, tokens) -+ assertEqual(unparameterize(ast[0 SUBSEP "url"]), -+ "https://httpbin.org/get") -+ } - -- T("curlPost()", 1) -- { -- delete tokens; delete ast -- tokenize(tokens, curlPost("https://httpbin.org/post", "fizz=buzz")) -- parseJson(ast, tokens) -- assertEqual(unparameterize(ast[0 SUBSEP "url"]), -- "https://httpbin.org/post") -+ T("curlPost()", 1) -+ { -+ delete tokens; delete ast -+ tokenize(tokens, curlPost("https://httpbin.org/post", "fizz=buzz")) -+ parseJson(ast, tokens) -+ assertEqual(unparameterize(ast[0 SUBSEP "url"]), -+ "https://httpbin.org/post") -+ } - } - - T("dump()", 3) -- cgit v1.2.3 From feccc81013c410494b68894aad75bd7d135f5525 Mon Sep 17 00:00:00 2001 
From: Leo Famulari Date: Tue, 14 Aug 2018 14:50:46 -0400 Subject: gnu: gdm: Fix CVE-2018-14424. * gnu/packages/patches/gdm-CVE-2018-14424.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gnome.scm (gdm): Use it. --- gnu/local.mk | 1 + gnu/packages/gnome.scm | 1 + gnu/packages/patches/gdm-CVE-2018-14424.patch | 172 ++++++++++++++++++++++++++ 3 files changed, 174 insertions(+) create mode 100644 gnu/packages/patches/gdm-CVE-2018-14424.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index 15e7beac6e..f433da46e2 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -714,6 +714,7 @@ dist_patch_DATA = \ %D%/packages/patches/gd-CVE-2018-5711.patch \ %D%/packages/patches/gd-fix-tests-on-i686.patch \ %D%/packages/patches/gd-freetype-test-failure.patch \ + %D%/packages/patches/gdm-CVE-2018-14424.patch \ %D%/packages/patches/gemma-intel-compat.patch \ %D%/packages/patches/geoclue-config.patch \ %D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 4ef96ffa50..fe26bc35cc 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -5305,6 +5305,7 @@ libxml2.") (uri (string-append "mirror://gnome/sources/" name "/" (version-major+minor version) "/" name "-" version ".tar.xz")) + (patches (search-patches "gdm-CVE-2018-14424.patch")) (sha256 (base32 "0mxdal6hh345xk2xqmw5192jgpprkbcv1d4bwmnl4arcc00cpp8p")))) diff --git a/gnu/packages/patches/gdm-CVE-2018-14424.patch b/gnu/packages/patches/gdm-CVE-2018-14424.patch new file mode 100644 index 0000000000..88a71f4151 --- /dev/null +++ b/gnu/packages/patches/gdm-CVE-2018-14424.patch 
@@ -0,0 +1,172 @@ +Fix CVE-2018-14424: + +https://gitlab.gnome.org/GNOME/gdm/issues/401 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14424 + +Patch copied from upstream source repository: + +https://gitlab.gnome.org/GNOME/gdm/commit/1ac1697b3b019f50729a6e992065959586e170da + +From 1ac1697b3b019f50729a6e992065959586e170da Mon Sep 17 00:00:00 2001 +From: Chris Coulson +Date: Thu, 19 Jul 2018 18:26:05 +0100 +Subject: [PATCH] display-store: Pass the display object rather than the id in + the removed signal + +By the time GdmDisplayStore emits the "display-removed" signal, the display +is no longer in the store and gdm_display_store_lookup will not work in +signal handlers. + +Change the "display-removed" parameter from the display id to the GdmDisplay +object, so that signal handers can perform any cleanup they need to do + +CVE-2018-14424 + +Closes: https://gitlab.gnome.org/GNOME/gdm/issues/401 +--- + daemon/gdm-display-store.c | 11 +++-------- + daemon/gdm-display-store.h | 2 +- + daemon/gdm-local-display-factory.c | 13 +++---------- + daemon/gdm-manager.c | 19 +++++++++---------- + daemon/gdm-manager.h | 3 ++- + 5 files changed, 18 insertions(+), 30 deletions(-) + +diff --git a/daemon/gdm-display-store.c b/daemon/gdm-display-store.c +index af76f519..fd24334e 100644 +--- a/daemon/gdm-display-store.c ++++ b/daemon/gdm-display-store.c +@@ -76,15 +76,10 @@ stored_display_new (GdmDisplayStore *store, + static void + stored_display_free (StoredDisplay *stored_display) + { +- char *id; +- +- gdm_display_get_id (stored_display->display, &id, NULL); +- + g_signal_emit (G_OBJECT (stored_display->store), + signals[DISPLAY_REMOVED], + 0, +- id); +- g_free (id); ++ stored_display->display); + + g_debug ("GdmDisplayStore: Unreffing display: %p", + stored_display->display); +@@ -281,9 +276,9 @@ gdm_display_store_class_init (GdmDisplayStoreClass *klass) + G_STRUCT_OFFSET (GdmDisplayStoreClass, display_removed), + NULL, + NULL, +- g_cclosure_marshal_VOID__STRING, ++ 
g_cclosure_marshal_VOID__OBJECT, + G_TYPE_NONE, +- 1, G_TYPE_STRING); ++ 1, G_TYPE_OBJECT); + + g_type_class_add_private (klass, sizeof (GdmDisplayStorePrivate)); + } +diff --git a/daemon/gdm-display-store.h b/daemon/gdm-display-store.h +index 28359933..0aff8ee2 100644 +--- a/daemon/gdm-display-store.h ++++ b/daemon/gdm-display-store.h +@@ -49,7 +49,7 @@ typedef struct + void (* display_added) (GdmDisplayStore *display_store, + const char *id); + void (* display_removed) (GdmDisplayStore *display_store, +- const char *id); ++ GdmDisplay *display); + } GdmDisplayStoreClass; + + typedef enum +diff --git a/daemon/gdm-local-display-factory.c b/daemon/gdm-local-display-factory.c +index 5f1ae89e..39f3e30a 100644 +--- a/daemon/gdm-local-display-factory.c ++++ b/daemon/gdm-local-display-factory.c +@@ -805,18 +805,11 @@ on_display_added (GdmDisplayStore *display_store, + + static void + on_display_removed (GdmDisplayStore *display_store, +- const char *id, ++ GdmDisplay *display, + GdmLocalDisplayFactory *factory) + { +- GdmDisplay *display; +- +- display = gdm_display_store_lookup (display_store, id); +- +- if (display != NULL) { +- g_signal_handlers_disconnect_by_func (display, G_CALLBACK (on_display_status_changed), factory); +- g_object_weak_unref (G_OBJECT (display), (GWeakNotify)on_display_disposed, factory); +- +- } ++ g_signal_handlers_disconnect_by_func (display, G_CALLBACK (on_display_status_changed), factory); ++ g_object_weak_unref (G_OBJECT (display), (GWeakNotify)on_display_disposed, factory); + } + + static gboolean +diff --git a/daemon/gdm-manager.c b/daemon/gdm-manager.c +index f17bd1a5..f6684a8b 100644 +--- a/daemon/gdm-manager.c ++++ b/daemon/gdm-manager.c +@@ -1541,19 +1541,18 @@ on_display_status_changed (GdmDisplay *display, + + static void + on_display_removed (GdmDisplayStore *display_store, +- const char *id, ++ GdmDisplay *display, + GdmManager *manager) + { +- GdmDisplay *display; ++ char *id; + +- display = gdm_display_store_lookup 
(display_store, id); +- if (display != NULL) { +- g_dbus_object_manager_server_unexport (manager->priv->object_manager, id); ++ gdm_display_get_id (display, &id, NULL); ++ g_dbus_object_manager_server_unexport (manager->priv->object_manager, id); ++ g_free (id); + +- g_signal_handlers_disconnect_by_func (display, G_CALLBACK (on_display_status_changed), manager); ++ g_signal_handlers_disconnect_by_func (display, G_CALLBACK (on_display_status_changed), manager); + +- g_signal_emit (manager, signals[DISPLAY_REMOVED], 0, id); +- } ++ g_signal_emit (manager, signals[DISPLAY_REMOVED], 0, display); + } + + static void +@@ -2535,9 +2534,9 @@ gdm_manager_class_init (GdmManagerClass *klass) + G_STRUCT_OFFSET (GdmManagerClass, display_removed), + NULL, + NULL, +- g_cclosure_marshal_VOID__STRING, ++ g_cclosure_marshal_VOID__OBJECT, + G_TYPE_NONE, +- 1, G_TYPE_STRING); ++ 1, G_TYPE_OBJECT); + + g_object_class_install_property (object_class, + PROP_XDMCP_ENABLED, +diff --git a/daemon/gdm-manager.h b/daemon/gdm-manager.h +index 41c68a7a..c8fb3f22 100644 +--- a/daemon/gdm-manager.h ++++ b/daemon/gdm-manager.h +@@ -24,6 +24,7 @@ + + #include + ++#include "gdm-display.h" + #include "gdm-manager-glue.h" + + G_BEGIN_DECLS +@@ -50,7 +51,7 @@ typedef struct + void (* display_added) (GdmManager *manager, + const char *id); + void (* display_removed) (GdmManager *manager, +- const char *id); ++ GdmDisplay *display); + } GdmManagerClass; + + typedef enum +-- +2.17.1 + -- cgit v1.2.3 From d87e547702bcffdf0eb3948409a94f146538afb8 Mon Sep 17 00:00:00 2001 
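Review bot: In the `daemon/gdm-manager.c` part of the patch, the new `on_display_removed` declares `char *id;` uninitialised and ignores the result of `gdm_display_get_id`, so if that call returns without writing `id` (its body is not shown here) an indeterminate pointer reaches `g_dbus_object_manager_server_unexport` and `g_free`. Declaring `char *id = NULL;` and unexporting only when the call succeeds keeps the cleanup path well defined. Both `on_display_removed` handlers also lose the old `display != NULL` guard, which is sound only while `stored_display_free` is the sole emitter and still holds its reference during emission; a one-line comment stating that would document the assumption. The code is copied from upstream commit 1ac1697b3b019f50729a6e992065959586e170da, so any change belongs upstream rather than in this copy.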
From: Tobias Geerinckx-Rice Date: Wed, 15 Aug 2018 00:24:17 +0200 Subject: gnu: openssl@1.1: Update to 1.1.0i [fix CVE-2018-0737]. Also includes a fix for CVE-2018-0732, and a different approach to fixing CVE-2018-0495. * gnu/packages/tls.scm (openssl-next): Update to 1.1.0i. [sources]: Remove CVE patches. * gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch: Delete... * gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch: ...both files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/local.mk | 2 - .../patches/openssl-1.1.0-CVE-2018-0495.patch | 152 --------------------- .../patches/openssl-1.1.0-CVE-2018-0732.patch | 50 ------- gnu/packages/tls.scm | 10 +- 4 files changed, 4 insertions(+), 210 deletions(-) delete mode 100644 gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch delete mode 100644 gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index f433da46e2..e8f1dbe661 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -999,8 +999,6 @@ dist_patch_DATA = \ %D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-1.0.2-CVE-2018-0495.patch \ %D%/packages/patches/openssl-1.0.2-CVE-2018-0732.patch \ - %D%/packages/patches/openssl-1.1.0-CVE-2018-0495.patch \ - %D%/packages/patches/openssl-1.1.0-CVE-2018-0732.patch \ %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \ %D%/packages/patches/openssl-c-rehash-in.patch \ %D%/packages/patches/orpheus-cast-errors-and-includes.patch \ diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch deleted file mode 100644 index 15dedbcbd0..0000000000 --- a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch +++ /dev/null 
@@ -1,152 +0,0 @@ -Fix CVE-2018-0495: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495 -https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/ - -Patch copied from upstream source repository: - -https://github.com/openssl/openssl/commit/0c27d793745c7837b13646302b6890a556b7017a - -From 0c27d793745c7837b13646302b6890a556b7017a Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 25 May 2018 12:10:13 +0100 -Subject: [PATCH] Add blinding to an ECDSA signature - -Keegan Ryan (NCC Group) has demonstrated a side channel attack on an -ECDSA signature operation. During signing the signer calculates: - -s:= k^-1 * (m + r * priv_key) mod order - -The addition operation above provides a sufficient signal for a -flush+reload attack to derive the private key given sufficient signature -operations. - -As a mitigation (based on a suggestion from Keegan) we add blinding to -the operation so that: - -s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order - -Since this attack is a localhost side channel only no CVE is assigned. 
- -Reviewed-by: Rich Salz ---- - CHANGES | 4 +++ - crypto/ec/ecdsa_ossl.c | 70 +++++++++++++++++++++++++++++++++++++----- - 2 files changed, 67 insertions(+), 7 deletions(-) - -diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c -index 72e2f0f28b..449be0e92a 100644 ---- a/crypto/ec/ecdsa_ossl.c -+++ b/crypto/ec/ecdsa_ossl.c -@@ -210,7 +210,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, - EC_KEY *eckey) - { - int ok = 0, i; -- BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL; -+ BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *blind = NULL; -+ BIGNUM *blindm = NULL; - const BIGNUM *order, *ckinv; - BN_CTX *ctx = NULL; - const EC_GROUP *group; -@@ -243,8 +244,18 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, - } - s = ret->s; - -- if ((ctx = BN_CTX_new()) == NULL || -- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { -+ ctx = BN_CTX_secure_new(); -+ if (ctx == NULL) { -+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); -+ goto err; -+ } -+ -+ BN_CTX_start(ctx); -+ tmp = BN_CTX_get(ctx); -+ m = BN_CTX_get(ctx); -+ blind = BN_CTX_get(ctx); -+ blindm = BN_CTX_get(ctx); -+ if (blindm == NULL) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); - goto err; - } -@@ -284,18 +295,64 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, - } - } - -- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { -+ /* -+ * The normal signature calculation is: -+ * -+ * s := k^-1 * (m + r * priv_key) mod order -+ * -+ * We will blind this to protect against side channel attacks -+ * -+ * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order -+ */ -+ -+ /* Generate a blinding value */ -+ do { -+ if (!BN_rand(blind, BN_num_bits(order) - 1, BN_RAND_TOP_ANY, -+ BN_RAND_BOTTOM_ANY)) -+ goto err; -+ } while (BN_is_zero(blind)); -+ BN_set_flags(blind, BN_FLG_CONSTTIME); -+ BN_set_flags(blindm, BN_FLG_CONSTTIME); -+ BN_set_flags(tmp, BN_FLG_CONSTTIME); -+ -+ /* tmp := blind * 
priv_key * r mod order */ -+ if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); - goto err; - } -- if (!BN_mod_add_quick(s, tmp, m, order)) { -+ if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); - goto err; - } -+ -+ /* blindm := blind * m mod order */ -+ if (!BN_mod_mul(blindm, blind, m, order, ctx)) { -+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); -+ goto err; -+ } -+ -+ /* s : = (blind * priv_key * r) + (blind * m) mod order */ -+ if (!BN_mod_add_quick(s, tmp, blindm, order)) { -+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); -+ goto err; -+ } -+ -+ /* s:= s * blind^-1 mod order */ -+ if (BN_mod_inverse(blind, blind, order, ctx) == NULL) { -+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); -+ goto err; -+ } -+ if (!BN_mod_mul(s, s, blind, order, ctx)) { -+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); -+ goto err; -+ } -+ -+ /* s := s * k^-1 mod order */ - if (!BN_mod_mul(s, s, ckinv, order, ctx)) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); - goto err; - } -+ - if (BN_is_zero(s)) { - /* - * if kinv and r have been supplied by the caller don't to -@@ -317,9 +374,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, - ECDSA_SIG_free(ret); - ret = NULL; - } -+ BN_CTX_end(ctx); - BN_CTX_free(ctx); -- BN_clear_free(m); -- BN_clear_free(tmp); - BN_clear_free(kinv); - return ret; - } --- -2.17.1 - diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch deleted file mode 100644 index dfea6e7d06..0000000000 --- a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -Fix CVE-2018-0732: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732 - -Patch copied from upstream source repository: - -https://github.com/openssl/openssl/commit/ea7abeeabf92b7aca160bdd0208636d4da69f4f4 - -From ea7abeeabf92b7aca160bdd0208636d4da69f4f4 Mon Sep 17 00:00:00 2001 -From: Guido Vranken -Date: Mon, 11 Jun 2018 19:38:54 +0200 -Subject: [PATCH] Reject excessively large primes in DH key generation. - -CVE-2018-0732 - -Signed-off-by: Guido Vranken - -(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe) - -Reviewed-by: Tim Hudson -Reviewed-by: Matt Caswell -(Merged from https://github.com/openssl/openssl/pull/6457) ---- - crypto/dh/dh_key.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index fce9ff47f3..58003d7087 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -78,10 +78,15 @@ static int generate_key(DH *dh) - int ok = 0; - int generate_new_key = 0; - unsigned l; -- BN_CTX *ctx; -+ BN_CTX *ctx = NULL; - BN_MONT_CTX *mont = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - -+ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); -+ return 0; -+ } -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; --- -2.17.1 - diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index cafe71bd41..28d2ea5fd5 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -410,7 +410,7 @@ required structures.") (package (inherit openssl) (name "openssl") - (version "1.1.0h") + (version "1.1.0i") (source (origin (method url-fetch) (uri (list (string-append "https://www.openssl.org/source/openssl-" 
@@ -420,14 +420,12 @@ required structures.") (string-append "ftp://ftp.openssl.org/source/old/" (string-trim-right version char-set:letter) "/" name "-" version ".tar.gz"))) - (patches (search-patches "openssl-1.1.0-c-rehash-in.patch" - "openssl-1.1.0-CVE-2018-0495.patch" - "openssl-1.1.0-CVE-2018-0732.patch")) + (patches (search-patches "openssl-1.1.0-c-rehash-in.patch")) (sha256 (base32 - "05x509lccqjscgyi935z809pwfm708islypwhmjnb6cyvrn64daq")))) + "16fgaf113p6s5ixw227sycvihh3zx6f6rf0hvjjhxk68m12cigzb")))) (outputs '("out" - "doc" ;1.3MiB of man3 pages + "doc" ; 1.3MiB of man3 pages "static")) ; 5.5MiB of .a files (arguments (substitute-keyword-arguments (package-arguments openssl) -- cgit v1.2.3 From 7bcc34050b2e1dc4bc3aa832b08ec123129d71be Mon Sep 17 00:00:00 2001 From: Pierre Langlois Date: Tue, 14 Aug 2018 22:17:24 +0100 Subject: gnu: clementine: Fix creating initial database. It seems a recent version of sqlite broke Clementine's first startup. It turns out we can patch clementine to fix the problem instead of providing a different sqlite package: * gnu/packages/databases.scm (sqlite-with-fts3): Remove. * gnu/packages/music.scm (clementine)[inputs]: Replace sqlite-with-fts3 with sqlite. [source]: Add clementine-fix-sqlite.patch. * gnu/packages/patches/clementine-fix-sqlite.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Signed-off-by: Leo Famulari --- gnu/local.mk | 1 + gnu/packages/databases.scm | 16 +--------------- gnu/packages/music.scm | 5 +++-- gnu/packages/patches/clementine-fix-sqlite.patch | 23 +++++++++++++++++++++++ 4 files changed, 28 insertions(+), 17 deletions(-) create mode 100644 gnu/packages/patches/clementine-fix-sqlite.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index e8f1dbe661..e14657c2d1 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -611,6 +611,7 @@ dist_patch_DATA = \ %D%/packages/patches/clang-runtime-asan-build-fixes.patch \ %D%/packages/patches/clang-runtime-esan-build-fixes.patch \ %D%/packages/patches/classpath-aarch64-support.patch \ + %D%/packages/patches/clementine-fix-sqlite.patch \ %D%/packages/patches/clementine-remove-crypto++-dependency.patch \ %D%/packages/patches/clementine-use-openssl.patch \ %D%/packages/patches/clisp-glibc-2.26.patch \ diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm index 04b9085e50..dc2c85b961 100644 --- a/gnu/packages/databases.scm +++ b/gnu/packages/databases.scm @@ -27,7 +27,7 @@ ;;; Copyright © 2017 Alex Vong ;;; Copyright © 2017, 2018 Ben Woodcroft ;;; Copyright © 2017 Rutger Helling -;;; Copyright © 2017 Pierre Langlois +;;; Copyright © 2017, 2018 Pierre Langlois ;;; Copyright © 2015, 2017, 2018 Ricardo Wurmus ;;; Copyright © 2017 Kristofer Buffington ;;; Copyright © 2018 Amirouche Boubekki @@ -1069,20 +1069,6 @@ is in the public domain.") ((#:configure-flags flags) `(cons "--enable-fts5" ,flags)))))) -;; This is used by Clementine. -(define-public sqlite-with-fts3 - (package (inherit sqlite) - (name "sqlite-with-fts3") - (arguments - (substitute-keyword-arguments (package-arguments sqlite) - ((#:configure-flags flags) - `(list (string-append "CFLAGS=-O2 -DSQLITE_SECURE_DELETE " - "-DSQLITE_ENABLE_UNLOCK_NOTIFY " - "-DSQLITE_ENABLE_DBSTAT_VTAB " - "-DSQLITE_ENABLE_FTS3 " - "-DSQLITE_ENABLE_FTS3_PARENTHESIS " - "-DSQLITE_ENABLE_FTS3_TOKENIZER"))))))) - (define-public tdb (package (name "tdb") diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm index cf1e0f82f4..7d4aeff990 100644 --- a/gnu/packages/music.scm +++ b/gnu/packages/music.scm 
@@ -238,7 +238,8 @@ score, keyboard, guitar, drum and controller views.") "tinysvcmdns")) #t)) (patches (search-patches "clementine-use-openssl.patch" - "clementine-remove-crypto++-dependency.patch")))) + "clementine-remove-crypto++-dependency.patch" + "clementine-fix-sqlite.patch")))) (build-system cmake-build-system) (arguments '(#:test-target "clementine_test" @@ -281,7 +282,7 @@ score, keyboard, guitar, drum and controller views.") ("pulseaudio" ,pulseaudio) ("qtbase" ,qtbase) ("qtx11extras" ,qtx11extras) - ("sqlite" ,sqlite-with-fts3) + ("sqlite" ,sqlite) ("sparsehash" ,sparsehash) ("taglib" ,taglib))) (home-page "http://clementine-player.org") diff --git a/gnu/packages/patches/clementine-fix-sqlite.patch b/gnu/packages/patches/clementine-fix-sqlite.patch new file mode 100644 index 0000000000..f9d44f9074 --- /dev/null +++ b/gnu/packages/patches/clementine-fix-sqlite.patch 
@@ -0,0 +1,23 @@
+Patch downloaded from https://github.com/clementine-player/Clementine/pull/5669 .
+
+diff -ruN clementine-1.3.1.565.gd20c2244a.orig/src/core/database.cpp clementine-1.3.1.565.gd20c2244a/src/core/database.cpp
+--- clementine-1.3.1.565.gd20c2244a.orig/src/core/database.cpp 2018-07-07 23:59:24.018540126 +0200
++++ clementine-1.3.1.565.gd20c2244a/src/core/database.cpp 2018-07-08 00:04:47.991551728 +0200
+@@ -265,6 +265,17 @@
+ StaticInit();
+
+ {
++
++#ifdef SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER
++ // In case sqlite>=3.12 is compiled without -DSQLITE_ENABLE_FTS3_TOKENIZER
++ // (generally a good idea due to security reasons) the fts3 support should be enabled explicitly.
++ QVariant v = db.driver()->handle();
++ if (v.isValid() && qstrcmp(v.typeName(), "sqlite3*") == 0) {
++ sqlite3 *handle = *static_cast(v.data());
++ if (handle) sqlite3_db_config(handle, SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER, 1, NULL);
++ }
++#endif
++
+ QSqlQuery set_fts_tokenizer(db);
+ set_fts_tokenizer.prepare("SELECT fts3_tokenizer(:name, :pointer)");
+ set_fts_tokenizer.bindValue(":name", "unicode");
-- cgit v1.2.3
From 5dc8437fc0ff3dedf75de2183e3bf9d493e4aa81 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Thu, 16 Aug 2018 02:38:32 +0200 Subject: gnu: qemu: Update to 3.0.0 [mitigate CVE-2018-3639]. * gnu/packages/virtualization.scm (qemu): Update to 3.0.0. [source]: Remove patch. * gnu/packages/patches/qemu-CVE-2018-11806.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/patches/qemu-CVE-2018-11806.patch | 105 ------------------------- gnu/packages/virtualization.scm | 5 +- 3 files changed, 2 insertions(+), 109 deletions(-) delete mode 100644 gnu/packages/patches/qemu-CVE-2018-11806.patch (limited to 'gnu/packages/patches')
diff --git a/gnu/local.mk b/gnu/local.mk
index e3ca237d87..606b3ace3c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
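Review bot: The added block in `database.cpp` turns on `SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER` for the connection and never turns it off, so the two-argument `fts3_tokenizer()`, which takes a raw function pointer from SQL and is the reason the patch's own comment calls leaving it disabled a good idea, stays available to every later statement on that handle. Once the `unicode` tokenizer has been registered (that code is below the hunk), the option can be cleared again with `sqlite3_db_config(handle, SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER, 0, NULL);`, which needs `handle` kept in scope past the inner `if`. The return value of `sqlite3_db_config` is also ignored; comparing it with `SQLITE_OK` and logging a failure would make a missing tokenizer easier to diagnose.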
@@ -1097,7 +1097,6 @@ dist_patch_DATA = \
 %D%/packages/patches/python-unittest2-remove-argparse.patch \
 %D%/packages/patches/python-waitress-fix-tests.patch \
 %D%/packages/patches/qemu-glibc-2.27.patch \
- %D%/packages/patches/qemu-CVE-2018-11806.patch \
 %D%/packages/patches/qt4-ldflags.patch \
 %D%/packages/patches/qtbase-use-TZDIR.patch \
 %D%/packages/patches/qtoctave-qt-5.11-fix.patch \
diff --git a/gnu/packages/patches/qemu-CVE-2018-11806.patch b/gnu/packages/patches/qemu-CVE-2018-11806.patch
deleted file mode 100644
index f021dfa747..0000000000
--- a/gnu/packages/patches/qemu-CVE-2018-11806.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-Fix CVE-2018-11806:
-
-https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=864036e251f54c99d31df124aad7f34f01f5344c
-
-From 864036e251f54c99d31df124aad7f34f01f5344c Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Tue, 5 Jun 2018 23:38:35 +0530
-Subject: [PATCH] slirp: correct size computation while concatenating mbuf
-
-While reassembling incoming fragmented datagrams, 'm_cat' routine
-extends the 'mbuf' buffer, if it has insufficient room. It computes
-a wrong buffer size, which leads to overwriting adjacent heap buffer
-area. Correct this size computation in m_cat.
-
-Reported-by: ZDI Disclosures
-Signed-off-by: Prasad J Pandit
-Signed-off-by: Samuel Thibault
----
- slirp/mbuf.c | 11 +++++------
- slirp/mbuf.h | 8 +++-----
- 2 files changed, 8 insertions(+), 11 deletions(-)
-
-diff --git a/slirp/mbuf.c b/slirp/mbuf.c
-index 5ff24559fd..18cbf759a7 100644
---- a/slirp/mbuf.c
-+++ b/slirp/mbuf.c
-@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
- * If there's no room, realloc
- */
- if (M_FREEROOM(m) < n->m_len)
-- m_inc(m,m->m_size+MINCSIZE);
-+ m_inc(m, m->m_len + n->m_len);
-
- memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
- m->m_len += n->m_len;
-@@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
- }
-
-
--/* make m size bytes large */
-+/* make m 'size' bytes large from m_data */
- void
- m_inc(struct mbuf *m, int size)
- {
-@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)
-
- if (m->m_flags & M_EXT) {
- datasize = m->m_data - m->m_ext;
-- m->m_ext = g_realloc(m->m_ext, size);
-+ m->m_ext = g_realloc(m->m_ext, size + datasize);
- m->m_data = m->m_ext + datasize;
- } else {
- char *dat;
- datasize = m->m_data - m->m_dat;
-- dat = g_malloc(size);
-+ dat = g_malloc(size + datasize);
- memcpy(dat, m->m_dat, m->m_size);
-
- m->m_ext = dat;
-@@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size) - m->m_flags |= M_EXT; - } - -- m->m_size = size; -- -+ m->m_size = size + datasize; - } - - -diff --git a/slirp/mbuf.h b/slirp/mbuf.h -index 893601ff9d..33b84485d6 100644 ---- a/slirp/mbuf.h -+++ b/slirp/mbuf.h -@@ -33,8 +33,6 @@ - #ifndef MBUF_H - #define MBUF_H - --#define MINCSIZE 4096 /* Amount to increase mbuf if too small */ -- - /* - * Macros for type conversion - * mtod(m,t) - convert mbuf pointer to data pointer of correct type -@@ -72,11 +70,11 @@ struct mbuf { - struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */ - int m_flags; /* Misc flags */ - -- int m_size; /* Size of data */ -+ int m_size; /* Size of mbuf, from m_dat or m_ext */ - struct socket *m_so; - -- caddr_t m_data; /* Location of data */ -- int m_len; /* Amount of data in this mbuf */ -+ caddr_t m_data; /* Current location of data */ -+ int m_len; /* Amount of data in this mbuf, from m_data */ - - Slirp *slirp; - bool resolution_requested; --- -2.17.1 - diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index 8e7eded5e1..a39f2fa58f 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -94,15 +94,14 @@ (define-public qemu (package (name "qemu") - (version "2.12.1") + (version "3.0.0") (source (origin (method url-fetch) (uri (string-append "https://download.qemu.org/qemu-" version ".tar.xz")) - (patches (search-patches "qemu-CVE-2018-11806.patch")) (sha256 (base32 - "0krnp2wvggpchc7fdlmyasqy7j17baz8asr2g05x0v00w003hn1k")))) + "04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, like: -- cgit v1.2.3