Package: guix-patches;
Reported by: Zheng Junjie <z572 <at> z572.online>
Date: Fri, 9 May 2025 16:32:02 UTC
Severity: normal
Tags: patch
To reply to this bug, email your comments to 78337 AT debbugs.gnu.org.
Message #5 received at submit <at> debbugs.gnu.org (Fri, 09 May 2025 16:32:02 GMT):
From: Zheng Junjie <z572 <at> z572.online>
To: guix-patches <at> gnu.org
Subject: [PATCH core-packages-team 0/4] ungraft curl, cups, libarchive and expat.
Date: Sat, 10 May 2025 00:30:57 +0800
Zheng Junjie (4):
  gnu: curl: Ungraft.
  gnu: cups-minimal: Ungraft.
  gnu: libarchive: Update to 3.7.7.
  gnu: expat: Update to 2.7.1.

 gnu/local.mk                                  |  4 --
 gnu/packages/backup.scm                       | 22 +--------
 gnu/packages/cups.scm                         | 13 +----
 gnu/packages/curl.scm                         | 14 +-----
 .../patches/expat-CVE-2024-45490.patch        | 34 --------------
 .../patches/expat-CVE-2024-45491.patch        | 34 --------------
 .../patches/expat-CVE-2024-45492.patch        | 33 -------------
 ...libarchive-remove-potential-backdoor.patch | 47 -------------------
 gnu/packages/xml.scm                          | 16 +------
 9 files changed, 8 insertions(+), 209 deletions(-)
 delete mode 100644 gnu/packages/patches/expat-CVE-2024-45490.patch
 delete mode 100644 gnu/packages/patches/expat-CVE-2024-45491.patch
 delete mode 100644 gnu/packages/patches/expat-CVE-2024-45492.patch
 delete mode 100644 gnu/packages/patches/libarchive-remove-potential-backdoor.patch

base-commit: 397db982843779f37d540c05d390c059ab9b2549
-- 
2.49.0
Message #8 received at 78337 <at> debbugs.gnu.org (Fri, 09 May 2025 16:52:02 GMT):
From: Zheng Junjie <z572 <at> z572.online>
To: 78337 <at> debbugs.gnu.org
Subject: [PATCH core-packages-team 1/4] gnu: curl: Ungraft.
Date: Sat, 10 May 2025 00:50:52 +0800
* gnu/packages/curl.scm (curl)[replacement]: Remove it. [source]: Add curl-CVE-2024-8096.patch. * gnu/packages/curl.scm (curl/fixed): Remove it. Change-Id: I43e6c1c0c97bc86ce0e4801559eead53a1a07d12 --- gnu/packages/curl.scm | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 3e9cd517a2..ded616a052 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -69,7 +69,6 @@ (define-public curl (package (name "curl") (version "8.6.0") - (replacement curl/fixed) (source (origin (method url-fetch) (uri (string-append "https://curl.se/download/curl-" @@ -77,7 +76,8 @@ (define-public curl (sha256 (base32 "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w")) - (patches (search-patches "curl-use-ssl-cert-env.patch")))) + (patches (search-patches "curl-use-ssl-cert-env.patch" + "curl-CVE-2024-8096.patch")))) (outputs '("out" "doc")) ;1.2 MiB of man3 pages (build-system gnu-build-system) @@ -179,16 +179,6 @@ (define-public curl (license (license:non-copyleft "file://COPYING" "See COPYING in the distribution.")))) -(define-public curl/fixed - (hidden-package - (package - (inherit curl) - (replacement curl/fixed) - (source (origin - (inherit (package-source curl)) - (patches (append (origin-patches (package-source curl)) - (search-patches "curl-CVE-2024-8096.patch")))))))) - (define-public gnurl (deprecated-package "gnurl" curl)) (define-public curl-ssh -- 2.49.0
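Review bot: the hunks keep curl at 8.6.0 and only fold `curl-CVE-2024-8096.patch` into the main `source`, so the ungraft does not pick up the later fixes; the v2 series in this thread (message #26) instead updates to 8.13.0 and states that it fixes CVE-2025-0725, which 8.6.0 plus this single backport would still lack, so that is the better basis for an ungraft on the core-packages branch. A smaller point on the commit message: the two separate `* gnu/packages/curl.scm` entries can be one ChangeLog entry, `* gnu/packages/curl.scm (curl)[replacement]: Remove it. [source]: Add curl-CVE-2024-8096.patch. (curl/fixed): Remove it.`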
Message #11 received at 78337 <at> debbugs.gnu.org (Fri, 09 May 2025 16:52:02 GMT):
From: Zheng Junjie <z572 <at> z572.online>
To: 78337 <at> debbugs.gnu.org
Subject: [PATCH core-packages-team 2/4] gnu: cups-minimal: Ungraft.
Date: Sat, 10 May 2025 00:50:53 +0800
* gnu/packages/cups.scm (cups-minimal)[replacement]: Remove it. [source]: Add cups-minimal-Address-PPD-injection-issues.patch. * gnu/packages/cups.scm (cups-minimal/fixed): Remove it. Change-Id: Icb5295af42b5a84741a73ed4b662bc8736ab6b2b --- gnu/packages/cups.scm | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm index 5eb45b97b5..2ef1a56b2f 100644 --- a/gnu/packages/cups.scm +++ b/gnu/packages/cups.scm @@ -266,7 +266,6 @@ (define-public cups-minimal (package (name "cups-minimal") (version "2.4.9") - (replacement cups-minimal/fixed) (source (origin (method git-fetch) @@ -276,7 +275,8 @@ (define-public cups-minimal ;; Avoid NAME confusion: these are the complete CUPS sources. (file-name (git-file-name "cups" version)) (sha256 - (base32 "08wjd1flyaslhnwvxl39403qi3g675rk532ysiyk6cda4r8ks1g1")))) + (base32 "08wjd1flyaslhnwvxl39403qi3g675rk532ysiyk6cda4r8ks1g1")) + (patches (search-patches "cups-minimal-Address-PPD-injection-issues.patch")))) (build-system gnu-build-system) (arguments (list #:configure-flags @@ -356,15 +356,6 @@ (define-public cups-minimal ;; CUPS is Apache 2.0 with exceptions, see the NOTICE file. (license license:asl2.0))) -(define cups-minimal/fixed - (package - (inherit cups-minimal) - (source - (origin - (inherit (package-source cups-minimal)) - (patches - (search-patches "cups-minimal-Address-PPD-injection-issues.patch")))))) - (define-public cups (package/inherit cups-minimal (name "cups") -- 2.49.0
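Review bot: the subject and commit message say nothing about which security issue `cups-minimal-Address-PPD-injection-issues.patch` addresses, so once the graft is gone the only trace is the patch file name; referencing the upstream advisory or CVE identifier in the subject, the way the v2 curl patch in this thread does with `[fixes CVE-2025-0725]`, keeps the package's security history findable with `git log`. The hunks themselves are fine: the only functional change is moving `(patches (search-patches "cups-minimal-Address-PPD-injection-issues.patch"))` onto the public `cups-minimal` origin, and since the deleted `cups-minimal/fixed` was a plain `define` rather than `define-public`, no other module can have referenced it.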
Message #14 received at 78337 <at> debbugs.gnu.org (Fri, 09 May 2025 16:52:03 GMT):
From: Zheng Junjie <z572 <at> z572.online>
To: 78337 <at> debbugs.gnu.org
Subject: [PATCH core-packages-team 3/4] gnu: libarchive: Update to 3.7.7.
Date: Sat, 10 May 2025 00:50:54 +0800
* gnu/packages/backup.scm (libarchive): Update to 3.7.7. * gnu/packages/backup.scm (libarchive/fixed): Delete variable. * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: Remove it * gnu/local.mk (dist_patch_DATA): Unregister it. Change-Id: Ia6474f9dae9a3d1a707d94fcace9bd50b2e3ac4c --- gnu/local.mk | 1 - gnu/packages/backup.scm | 22 +-------- ...libarchive-remove-potential-backdoor.patch | 47 ------------------- 3 files changed, 2 insertions(+), 68 deletions(-) delete mode 100644 gnu/packages/patches/libarchive-remove-potential-backdoor.patch diff --git a/gnu/local.mk b/gnu/local.mk index 67a41bdbf4..831939f72e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1718,7 +1718,6 @@ dist_patch_DATA = \ %D%/packages/patches/liba52-use-mtune-not-mcpu.patch \ %D%/packages/patches/libaio-32bit-test.patch \ %D%/packages/patches/libaio-riscv-test5.patch \ - %D%/packages/patches/libarchive-remove-potential-backdoor.patch \ %D%/packages/patches/libbase-fix-includes.patch \ %D%/packages/patches/libbase-use-own-logging.patch \ %D%/packages/patches/libbonobo-activation-test-race.patch \ diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm index b4aca86774..876167898b 100644 --- a/gnu/packages/backup.scm +++ b/gnu/packages/backup.scm @@ -263,8 +263,7 @@ (define-public hdup (define-public libarchive (package (name "libarchive") - (replacement libarchive/fixed) - (version "3.6.1") + (version "3.7.7") (source (origin (method url-fetch) @@ -273,10 +272,9 @@ (define-public libarchive (string-append "https://github.com/libarchive/libarchive" "/releases/download/v" version "/libarchive-" version ".tar.xz"))) - (patches (search-patches "libarchive-remove-potential-backdoor.patch")) (sha256 (base32 - "1rj8q5v26lxxr8x4b4nqbrj7p06qvl91hb8cdxi3xx3qp771lhas")))) + "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7")))) (build-system gnu-build-system) (inputs (list bzip2 
@@ -353,22 +351,6 @@ (define-public libarchive @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.") (license license:bsd-2))) -(define libarchive/fixed - (package - (inherit libarchive) - (version "3.7.7") - (source - (origin - (method url-fetch) - (uri (list (string-append "https://libarchive.org/downloads/libarchive-" - version ".tar.xz") - (string-append "https://github.com/libarchive/libarchive" - "/releases/download/v" version "/libarchive-" - version ".tar.xz"))) - (sha256 - (base32 - "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7")))))) - (define-public rdup (package (name "rdup") diff --git a/gnu/packages/patches/libarchive-remove-potential-backdoor.patch b/gnu/packages/patches/libarchive-remove-potential-backdoor.patch deleted file mode 100644 index 2b9a9e2ffe..0000000000 --- a/gnu/packages/patches/libarchive-remove-potential-backdoor.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -Remove code added by 'JiaT75', the malicious actor that backdoored `xz`: - -https://github.com/libarchive/libarchive/pull/2101 - -At libarchive, they are reviewing all code contributed by this actor: - -https://github.com/libarchive/libarchive/issues/2103 - -See the original disclosure and subsequent discussion for more -information about this incident: - -https://seclists.org/oss-sec/2024/q1/268 - -Patch copied from upstream source repository: - -https://github.com/libarchive/libarchive/pull/2101/commits/e200fd8abfb4cf895a1cab4d89b67e6eefe83942 - -From 6110e9c82d8ba830c3440f36b990483ceaaea52c Mon Sep 17 00:00:00 2001 -From: Ed Maste <emaste <at> freebsd.org> -Date: Fri, 29 Mar 2024 18:02:06 -0400 -Subject: [PATCH] tar: make error reporting more robust and use correct errno - (#2101) - -As discussed in #1609. ---- - tar/read.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/tar/read.c b/tar/read.c -index af3d3f42..a7f14a07 100644 ---- a/tar/read.c -+++ b/tar/read.c -@@ -371,8 +371,9 @@ read_archive(struct bsdtar *bsdtar, char mode, struct archive *writer) - if (r != ARCHIVE_OK) { - if (!bsdtar->verbose) - safe_fprintf(stderr, "%s", archive_entry_pathname(entry)); -- fprintf(stderr, ": %s: ", archive_error_string(a)); -- fprintf(stderr, "%s", strerror(errno)); -+ safe_fprintf(stderr, ": %s: %s", -+ archive_error_string(a), -+ strerror(archive_errno(a))); - if (!bsdtar->verbose) - fprintf(stderr, "\n"); - bsdtar->return_value = 1; --- -2.41.0 - -- 2.49.0
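Review bot: the commit message records that `libarchive-remove-potential-backdoor.patch` is removed but not why that is safe; the deleted patch's own header (last hunk) says it was copied from upstream PR #2101, commit e200fd8abfb4cf895a1cab4d89b67e6eefe83942 of 29 March 2024, so please state in the commit message that 3.7.7 contains that upstream change. The backup.scm hunks support this: the previously grafted `libarchive/fixed` was already 3.7.7 with the same hash `1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7` and no patch, so this commit only promotes what was already being delivered through the graft. Two nits in the ChangeLog entries: `Remove it` for the patch file lacks its trailing period, and the two `* gnu/packages/backup.scm` entries can be merged into one.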
Message #17 received at 78337 <at> debbugs.gnu.org (Fri, 09 May 2025 16:52:03 GMT):
From: Zheng Junjie <z572 <at> z572.online>
To: 78337 <at> debbugs.gnu.org
Subject: [PATCH core-packages-team 4/4] gnu: expat: Update to 2.7.1.
Date: Sat, 10 May 2025 00:50:55 +0800
* gnu/packages/xml.scm (expat): Update to 2.7.1. (expat/fixed): Remove it. * gnu/packages/patches/expat-CVE-2024-45490.patch: Remove it. * gnu/packages/patches/expat-CVE-2024-45491.patch: Remove it. * gnu/packages/patches/expat-CVE-2024-45492.patch: Remove it. * gnu/local.mk (dist_patch_DATA): Unregister them. Change-Id: Ia0bc5da202afba0636032e4f4e10051778214944 --- gnu/local.mk | 3 -- .../patches/expat-CVE-2024-45490.patch | 34 ------------------- .../patches/expat-CVE-2024-45491.patch | 34 ------------------- .../patches/expat-CVE-2024-45492.patch | 33 ------------------ gnu/packages/xml.scm | 16 ++------- 5 files changed, 2 insertions(+), 118 deletions(-) delete mode 100644 gnu/packages/patches/expat-CVE-2024-45490.patch delete mode 100644 gnu/packages/patches/expat-CVE-2024-45491.patch delete mode 100644 gnu/packages/patches/expat-CVE-2024-45492.patch diff --git a/gnu/local.mk b/gnu/local.mk index 831939f72e..c15ef425ca 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1258,9 +1258,6 @@ dist_patch_DATA = \ %D%/packages/patches/esmini-use-pkgconfig.patch \ %D%/packages/patches/esmtp-add-lesmtp.patch \ %D%/packages/patches/exercism-disable-self-update.patch \ - %D%/packages/patches/expat-CVE-2024-45490.patch \ - %D%/packages/patches/expat-CVE-2024-45491.patch \ - %D%/packages/patches/expat-CVE-2024-45492.patch \ %D%/packages/patches/extempore-unbundle-external-dependencies.patch \ %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \ %D%/packages/patches/fail2ban-paths-guix-conf.patch \ diff --git a/gnu/packages/patches/expat-CVE-2024-45490.patch b/gnu/packages/patches/expat-CVE-2024-45490.patch deleted file mode 100644 index f876e78651..0000000000 --- a/gnu/packages/patches/expat-CVE-2024-45490.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf.patch -Fixed in 2.6.3. -Takes only 1 of the 3 patches from -https://github.com/libexpat/libexpat/pull/890 to take the fix and not the -tests because that part doesn't apply cleanly. - -From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping <sebastian <at> pipping.org> -Date: Mon, 19 Aug 2024 22:26:07 +0200 -Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer - -Reported by TaiYou - ---- - expat/lib/xmlparse.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 91682c188..ba1038119 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -2038,6 +2038,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) { - - if (parser == NULL) - return XML_STATUS_ERROR; -+ -+ if (len < 0) { -+ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT; -+ return XML_STATUS_ERROR; -+ } -+ - switch (parser->m_parsingStatus.parsing) { - case XML_SUSPENDED: - parser->m_errorCode = XML_ERROR_SUSPENDED; diff --git a/gnu/packages/patches/expat-CVE-2024-45491.patch b/gnu/packages/patches/expat-CVE-2024-45491.patch deleted file mode 100644 index 8ff10559bf..0000000000 --- a/gnu/packages/patches/expat-CVE-2024-45491.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -https://github.com/libexpat/libexpat/commit/8e439a9947e9dc80a395c0c7456545d8d9d9e421.patch -Fixed in 2.6.3. - -From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping <sebastian <at> pipping.org> -Date: Mon, 19 Aug 2024 22:34:13 +0200 -Subject: [PATCH] lib: Detect integer overflow in dtdCopy - -Reported by TaiYou ---- - expat/lib/xmlparse.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 91682c188..e2327bdcf 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, - if (! newE) - return 0; - if (oldE->nDefaultAtts) { -+ /* Detect and prevent integer overflow. -+ * The preprocessor guard addresses the "always false" warning -+ * from -Wtype-limits on platforms where -+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */ -+#if UINT_MAX >= SIZE_MAX -+ if ((size_t)oldE->nDefaultAtts -+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) { -+ return 0; -+ } -+#endif - newE->defaultAtts - = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); - if (! newE->defaultAtts) { diff --git a/gnu/packages/patches/expat-CVE-2024-45492.patch b/gnu/packages/patches/expat-CVE-2024-45492.patch deleted file mode 100644 index 852a9b3f59..0000000000 --- a/gnu/packages/patches/expat-CVE-2024-45492.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -https://github.com/libexpat/libexpat/commit/9bf0f2c16ee86f644dd1432507edff94c08dc232.patch -Fixed in 2.6.3. - -From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping <sebastian <at> pipping.org> -Date: Mon, 19 Aug 2024 22:37:16 +0200 -Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart - -Reported by TaiYou ---- - expat/lib/xmlparse.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 91682c188..f737575ea 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) { - int next; - - if (! dtd->scaffIndex) { -+ /* Detect and prevent integer overflow. -+ * The preprocessor guard addresses the "always false" warning -+ * from -Wtype-limits on platforms where -+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ -+#if UINT_MAX >= SIZE_MAX -+ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) { -+ return -1; -+ } -+#endif - dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int)); - if (! dtd->scaffIndex) - return -1; diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index f29d5d2adc..5eb9be68c7 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -127,8 +127,7 @@ (define-public libxmlb (define-public expat (package (name "expat") - (version "2.5.0") - (replacement expat/fixed) + (version "2.7.1") (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) (origin (method url-fetch) @@ -140,7 +139,7 @@ (define-public expat "/expat-" version ".tar.xz"))) (sha256 (base32 - "1gnwihpfz4x18rwd6cbrdggmfqjzwsdfh1gpmc0ph21c4gq2097g"))))) + "0c3w446jrrnss3ccgx9z590lpwbpxiqdbxv2a0p036cg9da54i9m"))))) (build-system gnu-build-system) (arguments '(#:phases (modify-phases %standard-phases 
@@ -164,17 +163,6 @@ (define-public expat things the parser might find in the XML document (like start tags).") (license license:expat))) -(define-public expat/fixed - (hidden-package - (package - (inherit expat) - (replacement expat/fixed) - (source (origin - (inherit (package-source expat)) - (patches (search-patches "expat-CVE-2024-45490.patch" - "expat-CVE-2024-45491.patch" - "expat-CVE-2024-45492.patch"))))))) - (define-public libebml (package (name "libebml") -- 2.49.0
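Review bot: the three deleted patch files each carry the line `Fixed in 2.6.3.`, so moving to 2.7.1 covers CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492, but the commit message does not say so and a reader of `git log` only sees patches being deleted; add a sentence (or `[fixes CVE-2024-45490, CVE-2024-45491, CVE-2024-45492]` style wording in the subject) so the removal is not mistaken for a regression. The jump from 2.5.0 to 2.7.1 spans two upstream minor releases, so the changelog for that range is worth checking for further security fixes to list here. Note also that, as the `dot->underscore` lambda in the xml.scm hunk's context shows, the tarball URL is derived from the version string, so the new hash `0c3w446jrrnss3ccgx9z590lpwbpxiqdbxv2a0p036cg9da54i9m` should have been obtained from the `R_2_7_1` release download rather than a mirror; mentioning how it was computed in the commit message helps reviewers.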
Message #20 received at 78337 <at> debbugs.gnu.org (Tue, 20 May 2025 02:59:02 GMT):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 78337 <at> debbugs.gnu.org
Cc: Zheng Junjie <z572 <at> z572.online>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH v2 1/6] gnu: curl: Ungraft.
Date: Tue, 20 May 2025 11:58:11 +0900
From: Zheng Junjie <z572 <at> z572.online> * gnu/packages/curl.scm (curl)[replacement]: Remove it. [source]: Add curl-CVE-2024-8096.patch. * gnu/packages/curl.scm (curl/fixed): Remove it. Change-Id: I43e6c1c0c97bc86ce0e4801559eead53a1a07d12 Signed-off-by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> --- gnu/packages/curl.scm | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 3e9cd517a2..ded616a052 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -69,7 +69,6 @@ (define-public curl (package (name "curl") (version "8.6.0") - (replacement curl/fixed) (source (origin (method url-fetch) (uri (string-append "https://curl.se/download/curl-" @@ -77,7 +76,8 @@ (define-public curl (sha256 (base32 "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w")) - (patches (search-patches "curl-use-ssl-cert-env.patch")))) + (patches (search-patches "curl-use-ssl-cert-env.patch" + "curl-CVE-2024-8096.patch")))) (outputs '("out" "doc")) ;1.2 MiB of man3 pages (build-system gnu-build-system) @@ -179,16 +179,6 @@ (define-public curl (license (license:non-copyleft "file://COPYING" "See COPYING in the distribution.")))) -(define-public curl/fixed - (hidden-package - (package - (inherit curl) - (replacement curl/fixed) - (source (origin - (inherit (package-source curl)) - (patches (append (origin-patches (package-source curl)) - (search-patches "curl-CVE-2024-8096.patch")))))))) - (define-public gnurl (deprecated-package "gnurl" curl)) (define-public curl-ssh base-commit: e7d73a08d569904f8a71db5b84f5fafaf0dff188 -- 2.49.0
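Review bot: the second hunk adds `curl-CVE-2024-8096.patch` to the `source` patches, and the very next patch in this v2 series (2/6, message #26) deletes that same file again while updating to 8.13.0, so this commit leaves a revision of curl.scm that exists only to be undone; keeping it as a separate commit is defensible to preserve the original author's attribution, but then the cover letter or this commit message should say that 2/6 supersedes it. Separately, the deleted `curl/fixed` is `define-public` (even if wrapped in `hidden-package`), so a `git grep -n 'curl/fixed'` across the tree before merging would confirm that no other module refers to it.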
Message #23 received at 78337 <at> debbugs.gnu.org (Tue, 20 May 2025 02:59:02 GMT):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 78337 <at> debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH v2 3/6] gnu: curl: Enable zstd support.
Date: Tue, 20 May 2025 11:58:13 +0900
* gnu/packages/curl.scm [inputs]: Add zstd:lib. Change-Id: I48e1099c3a445bcbdeaf16c5a79d956bd1b51307 --- gnu/packages/curl.scm | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index caeefd9168..2b90759bf4 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -152,9 +152,19 @@ (define-public curl (close port))))) #~())))) (native-inputs - (list nghttp2 perl pkg-config python-minimal-wrapper)) + (list nghttp2 + perl + pkg-config + python-minimal-wrapper)) (inputs - (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib)) + (list gnutls + libidn + libpsl + libssh2 + mit-krb5 + `(,nghttp2 "lib") + zlib + `(,zstd "lib"))) (native-search-paths ;; These variables are introduced by curl-use-ssl-cert-env.patch. (list $SSL_CERT_DIR -- 2.49.0
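Review bot: adding `` `(,zstd "lib") `` to `inputs` relies on curl's configure script detecting libzstd on its own, since the hunk passes no `--with-zstd`; please confirm in the build log, or with `curl --version` (the `Features:` line should list `zstd`), that the resulting binary actually gained zstd content decoding, otherwise the new input is dead weight that still enlarges the closure. The reflow of `native-inputs` from one line to one entry per line is unrelated to the stated change; either mention it in the commit message or leave it out so the diff is limited to the `inputs` addition. The ChangeLog entry should also name the variable: `* gnu/packages/curl.scm (curl)[inputs]: Add zstd:lib.`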
Message #26 received at 78337 <at> debbugs.gnu.org (Tue, 20 May 2025 02:59:03 GMT):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 78337 <at> debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH v2 2/6] gnu: curl: Update to 8.13.0 and ungraft [fixes CVE-2025-0725].
Date: Tue, 20 May 2025 11:58:12 +0900
* gnu/packages/curl.scm (curl): Update to 8.13.0. [replacement]: Delete field. [arguments] <#:configure-flags>: Add --with-libssh2. <#:phases>: Streamline check phase override, and newly skip a few new tests. [native-inputs]: Add libssh2. (curl/fixed): Delete variable. * gnu/packages/patches/curl-CVE-2024-8096.patch: Delete file. * gnu/local.mk (dist_patch_DATA): De-register it. Change-Id: I8e1a8516e78370645e4148d33e57114f98a26404 --- gnu/local.mk | 1 - gnu/packages/curl.scm | 39 ++-- gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ------------------ 3 files changed, 20 insertions(+), 220 deletions(-) delete mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch diff --git a/gnu/local.mk b/gnu/local.mk index 3730d272ea..0cbe521c73 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1158,7 +1158,6 @@ dist_patch_DATA = \ %D%/packages/patches/csvkit-set-locale-for-tests.patch \ %D%/packages/patches/cube-nocheck.patch \ %D%/packages/patches/cups-minimal-Address-PPD-injection-issues.patch \ - %D%/packages/patches/curl-CVE-2024-8096.patch \ %D%/packages/patches/curl-use-ssl-cert-env.patch \ %D%/packages/patches/curlftpfs-fix-error-closing-file.patch \ %D%/packages/patches/curlftpfs-fix-file-names.patch \ diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index ded616a052..caeefd9168 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -17,6 +17,7 @@ ;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus <at> gmail.com> ;;; Copyright © 2023 John Kehayias <john.kehayias <at> protonmail.com> ;;; Copyright © 2024 Ashish SHUKLA <ashish.is <at> lostca.se> +;;; Copyright © 2024, 2025 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -68,21 +69,22 @@ (define-module (gnu packages curl) (define-public curl (package (name "curl") - (version "8.6.0") + (version "8.13.0") (source (origin (method url-fetch) (uri (string-append "https://curl.se/download/curl-" version ".tar.xz")) (sha256 (base32 - "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w")) - (patches (search-patches "curl-use-ssl-cert-env.patch" - "curl-CVE-2024-8096.patch")))) + "09902ng7lbydbsm6yb03g0p7y03i4yilj1f0zgi2vl62ldwkj2aa")) + (patches (search-patches "curl-use-ssl-cert-env.patch")))) (outputs '("out" "doc")) ;1.2 MiB of man3 pages (build-system gnu-build-system) (arguments (list + #:modules `((ice-9 format) + ,@%default-gnu-modules) #:disallowed-references '("doc") #:configure-flags #~(list "--with-gnutls" @@ -90,6 +92,7 @@ (define-public curl (dirname (dirname (search-input-file %build-inputs "lib/libgssrpc.so")))) + "--with-libssh2" "--disable-static") #:test-target "test-nonflaky" ;avoid tests marked as "flaky" #:phases @@ -116,20 +119,18 @@ (define-public curl (if parallel-tests? (number->string (parallel-job-count)) "1"))) - ;; Ignore test 1477 due to a missing file in the 8.5.0 - ;; release. See - ;; <https://github.com/curl/curl/issues/12462>. - (arguments `("-C" "tests" "test" - ,@make-flags - ,(if #$(or (system-hurd?) - (target-arm32?) - (target-aarch64?)) - ;; protocol FAIL - (string-append "TFLAGS=~1474 " - "!1477 " - job-count) - (string-append "TFLAGS=\"~1477 " - job-count "\""))))) + (failing-tests + '( 962 963 964 965 966 967 1474 ;protocol FAIL + ;; Unknown reason. + 165 1448 2046 2047 + ;; Mismatch in expected output, perhaps + ;; caused by different nginx version used. + 1700 1701 1702 2402 2403 2404 2405)) + (arguments + `("-C" "tests" "test" + ,@make-flags + ,(format #f "TFLAGS=~a ~{~~~a ~}" + job-count failing-tests)))) ;; The top-level "make check" does "make -C tests quiet-test", which ;; is too quiet. Use the "test" target instead, which is more ;; verbose. 
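Review bot: in the check-phase hunk, the new `failing-tests` list skips 165, 1448, 2046 and 2047 with the comment `Unknown reason`; for a package as central as curl, each skipped test should point at an upstream issue or a Guix build log explaining the failure, otherwise a real regression introduced by the 8.6.0 to 8.13.0 jump could be hidden behind the skip (the code being removed carried `<https://github.com/curl/curl/issues/12462>` for its 1477 skip, which is the pattern to keep), and the 1700 to 1702 and 2402 to 2405 skips attributed to a differing nginx version deserve the same reference. The `~{~~~a ~}` directive is correct (`~~` emits a literal tilde and `~a` each test number), though `~{~~~a~^ ~}` would avoid the trailing space after the last entry. Also, the hunk drops the Hurd/ARM special case that previously added `~1474`; since 1474 is now in the list for every platform, it would help to say in the commit message that this is intentional.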
@@ -153,7 +154,7 @@ (define-public curl (native-inputs (list nghttp2 perl pkg-config python-minimal-wrapper)) (inputs - (list gnutls libidn libpsl mit-krb5 `(,nghttp2 "lib") zlib)) + (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib)) (native-search-paths ;; These variables are introduced by curl-use-ssl-cert-env.patch. (list $SSL_CERT_DIR diff --git a/gnu/packages/patches/curl-CVE-2024-8096.patch b/gnu/packages/patches/curl-CVE-2024-8096.patch deleted file mode 100644 index 0f780f08c3..0000000000 --- a/gnu/packages/patches/curl-CVE-2024-8096.patch +++ /dev/null 
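Review bot: the commit message is out of step with the diff in three places. The entry `[native-inputs]: Add libssh2.` describes the wrong field: this hunk adds `libssh2` to `inputs`, which is also the correct place for a runtime library, so the ChangeLog line should read `[inputs]: Add libssh2.`. The entries `[replacement]: Delete field.` and `(curl/fixed): Delete variable.` describe changes that do not appear in any hunk of this patch (the base index `ded616a052` is the result of 1/6, which already made those removals), so they should be dropped. Finally, `[arguments] <#:modules>: Add (ice-9 format).` is missing even though the hunk introduces a `#:modules` argument for the `format` call in the check phase.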
@@ -1,200 +0,0 @@ -From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <daniel <at> haxx.se> -Date: Tue, 20 Aug 2024 16:14:39 +0200 -Subject: [PATCH] gtls: fix OCSP stapling management - -Reported-by: Hiroki Kurosawa -Closes #14642 ---- - lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------ - 1 file changed, 73 insertions(+), 73 deletions(-) - -diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c -index 03d6fcc038aac3..c7589d9d39bc81 100644 ---- a/lib/vtls/gtls.c -+++ b/lib/vtls/gtls.c -@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf, - init_flags |= GNUTLS_NO_TICKETS; - #endif - -+#if defined(GNUTLS_NO_STATUS_REQUEST) -+ if(!config->verifystatus) -+ /* Disable the "status_request" TLS extension, enabled by default since -+ GnuTLS 3.8.0. */ -+ init_flags |= GNUTLS_NO_STATUS_REQUEST; -+#endif -+ - rc = gnutls_init(>ls->session, init_flags); - if(rc != GNUTLS_E_SUCCESS) { - failf(data, "gnutls_init() failed: %d", rc); -@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data, - infof(data, " server certificate verification SKIPPED"); - - if(config->verifystatus) { -- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) { -- gnutls_datum_t status_request; -- gnutls_ocsp_resp_t ocsp_resp; -+ gnutls_datum_t status_request; -+ gnutls_ocsp_resp_t ocsp_resp; -+ gnutls_ocsp_cert_status_t status; -+ gnutls_x509_crl_reason_t reason; - -- gnutls_ocsp_cert_status_t status; -- gnutls_x509_crl_reason_t reason; -+ rc = gnutls_ocsp_status_request_get(session, &status_request); - -- rc = gnutls_ocsp_status_request_get(session, &status_request); -+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { -+ failf(data, "No OCSP response received"); -+ return CURLE_SSL_INVALIDCERTSTATUS; -+ } - -- infof(data, " server certificate status verification FAILED"); -+ if(rc < 0) { -+ failf(data, "Invalid OCSP response received"); -+ return CURLE_SSL_INVALIDCERTSTATUS; -+ } - -- if(rc == 
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { -- failf(data, "No OCSP response received"); -- return CURLE_SSL_INVALIDCERTSTATUS; -- } -+ gnutls_ocsp_resp_init(&ocsp_resp); - -- if(rc < 0) { -- failf(data, "Invalid OCSP response received"); -- return CURLE_SSL_INVALIDCERTSTATUS; -- } -+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request); -+ if(rc < 0) { -+ failf(data, "Invalid OCSP response received"); -+ return CURLE_SSL_INVALIDCERTSTATUS; -+ } - -- gnutls_ocsp_resp_init(&ocsp_resp); -+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL, -+ &status, NULL, NULL, NULL, &reason); - -- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request); -- if(rc < 0) { -- failf(data, "Invalid OCSP response received"); -- return CURLE_SSL_INVALIDCERTSTATUS; -- } -+ switch(status) { -+ case GNUTLS_OCSP_CERT_GOOD: -+ break; - -- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL, -- &status, NULL, NULL, NULL, &reason); -+ case GNUTLS_OCSP_CERT_REVOKED: { -+ const char *crl_reason; - -- switch(status) { -- case GNUTLS_OCSP_CERT_GOOD: -+ switch(reason) { -+ default: -+ case GNUTLS_X509_CRLREASON_UNSPECIFIED: -+ crl_reason = "unspecified reason"; - break; - -- case GNUTLS_OCSP_CERT_REVOKED: { -- const char *crl_reason; -- -- switch(reason) { -- default: -- case GNUTLS_X509_CRLREASON_UNSPECIFIED: -- crl_reason = "unspecified reason"; -- break; -- -- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE: -- crl_reason = "private key compromised"; -- break; -- -- case GNUTLS_X509_CRLREASON_CACOMPROMISE: -- crl_reason = "CA compromised"; -- break; -- -- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: -- crl_reason = "affiliation has changed"; -- break; -+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE: -+ crl_reason = "private key compromised"; -+ break; - -- case GNUTLS_X509_CRLREASON_SUPERSEDED: -- crl_reason = "certificate superseded"; -- break; -+ case GNUTLS_X509_CRLREASON_CACOMPROMISE: -+ crl_reason = "CA compromised"; -+ break; - -- case 
GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: -- crl_reason = "operation has ceased"; -- break; -+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: -+ crl_reason = "affiliation has changed"; -+ break; - -- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: -- crl_reason = "certificate is on hold"; -- break; -+ case GNUTLS_X509_CRLREASON_SUPERSEDED: -+ crl_reason = "certificate superseded"; -+ break; - -- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL: -- crl_reason = "will be removed from delta CRL"; -- break; -+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: -+ crl_reason = "operation has ceased"; -+ break; - -- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: -- crl_reason = "privilege withdrawn"; -- break; -+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: -+ crl_reason = "certificate is on hold"; -+ break; - -- case GNUTLS_X509_CRLREASON_AACOMPROMISE: -- crl_reason = "AA compromised"; -- break; -- } -+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL: -+ crl_reason = "will be removed from delta CRL"; -+ break; - -- failf(data, "Server certificate was revoked: %s", crl_reason); -+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: -+ crl_reason = "privilege withdrawn"; - break; -- } - -- default: -- case GNUTLS_OCSP_CERT_UNKNOWN: -- failf(data, "Server certificate status is unknown"); -+ case GNUTLS_X509_CRLREASON_AACOMPROMISE: -+ crl_reason = "AA compromised"; - break; - } - -- gnutls_ocsp_resp_deinit(ocsp_resp); -+ failf(data, "Server certificate was revoked: %s", crl_reason); -+ break; -+ } - -- return CURLE_SSL_INVALIDCERTSTATUS; -+ default: -+ case GNUTLS_OCSP_CERT_UNKNOWN: -+ failf(data, "Server certificate status is unknown"); -+ break; - } -- else -- infof(data, " server certificate status verification OK"); -+ -+ gnutls_ocsp_resp_deinit(ocsp_resp); -+ if(status != GNUTLS_OCSP_CERT_GOOD) -+ return CURLE_SSL_INVALIDCERTSTATUS; - } - else - infof(data, " server certificate status verification SKIPPED"); -- 2.49.0
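Review bot: `* gnu/packages/patches/curl-CVE-2024-8096.patch: Delete file.` gives no justification, and the deleted content shows this is the GnuTLS backend's OCSP stapling fix (`gtls: fix OCSP stapling management`, Closes #14642, `Reported-by: Hiroki Kurosawa`), so the commit message should state that 8.13.0 already contains that upstream change rather than leaving the reader to infer it from the version bump. Since the package builds `--with-gnutls` and the removed code is what makes `verifystatus` fail closed (`No OCSP response received` returning `CURLE_SSL_INVALIDCERTSTATUS`), a post-build smoke test that `curl --cert-status` against a server with a missing or bad stapled response still reports a certificate-status error would be a cheap way to confirm the behaviour survived the update.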
Message #29 received at 78337 <at> debbugs.gnu.org (Tue, 20 May 2025 02:59:03 GMT):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 78337 <at> debbugs.gnu.org
Cc: Zheng Junjie <z572 <at> z572.online>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH v2 4/6] gnu: cups-minimal: Ungraft.
Date: Tue, 20 May 2025 11:58:14 +0900
From: Zheng Junjie <z572 <at> z572.online> * gnu/packages/cups.scm (cups-minimal)[replacement]: Remove it. [source]: Add cups-minimal-Address-PPD-injection-issues.patch. * gnu/packages/cups.scm (cups-minimal/fixed): Remove it. Change-Id: Icb5295af42b5a84741a73ed4b662bc8736ab6b2b Signed-off-by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> --- gnu/packages/cups.scm | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm index 41c3f0af45..847fc29a9a 100644 --- a/gnu/packages/cups.scm +++ b/gnu/packages/cups.scm @@ -265,7 +265,6 @@ (define-public cups-minimal (package (name "cups-minimal") (version "2.4.9") - (replacement cups-minimal/fixed) (source (origin (method git-fetch) @@ -275,7 +274,8 @@ (define-public cups-minimal ;; Avoid NAME confusion: these are the complete CUPS sources. (file-name (git-file-name "cups" version)) (sha256 - (base32 "08wjd1flyaslhnwvxl39403qi3g675rk532ysiyk6cda4r8ks1g1")))) + (base32 "08wjd1flyaslhnwvxl39403qi3g675rk532ysiyk6cda4r8ks1g1")) + (patches (search-patches "cups-minimal-Address-PPD-injection-issues.patch")))) (build-system gnu-build-system) (arguments (list #:configure-flags @@ -355,15 +355,6 @@ (define-public cups-minimal ;; CUPS is Apache 2.0 with exceptions, see the NOTICE file. (license license:asl2.0))) -(define cups-minimal/fixed - (package - (inherit cups-minimal) - (source - (origin - (inherit (package-source cups-minimal)) - (patches - (search-patches "cups-minimal-Address-PPD-injection-issues.patch")))))) - (define-public cups (package/inherit cups-minimal (name "cups") -- 2.49.0
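Review bot: after the second hunk the PPD-injection patch is applied to the public `cups-minimal` origin instead of to a graft, so this commit rebuilds `cups-minimal`, everything that inherits from it (`cups` via `package/inherit`, visible in the last hunk's context) and all of their dependents; that is the intended effect of an ungraft, but the v2 cover letter should give the rebuild count (for example from `guix refresh -l cups-minimal`) so the branch maintainers can plan the merge. The hunks are otherwise identical to the v1 patch, with the `Signed-off-by:` line correctly added below the original `Change-Id:`.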
Message #32 received at 78337 <at> debbugs.gnu.org (Tue, 20 May 2025 02:59:04 GMT):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 78337 <at> debbugs.gnu.org
Cc: Zheng Junjie <z572 <at> z572.online>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH v2 5/6] gnu: libarchive: Update to 3.7.7.
Date: Tue, 20 May 2025 11:58:15 +0900
From: Zheng Junjie <z572 <at> z572.online> * gnu/packages/backup.scm (libarchive): Update to 3.7.7. * gnu/packages/backup.scm (libarchive/fixed): Delete variable. * gnu/packages/patches/libarchive-remove-potential-backdoor.patch: Remove it * gnu/local.mk (dist_patch_DATA): Unregister it. Change-Id: Ia6474f9dae9a3d1a707d94fcace9bd50b2e3ac4c Signed-off-by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> --- gnu/local.mk | 1 - gnu/packages/backup.scm | 22 +-------- ...libarchive-remove-potential-backdoor.patch | 47 ------------------- 3 files changed, 2 insertions(+), 68 deletions(-) delete mode 100644 gnu/packages/patches/libarchive-remove-potential-backdoor.patch diff --git a/gnu/local.mk b/gnu/local.mk index 0cbe521c73..d561d5ea5d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1719,7 +1719,6 @@ dist_patch_DATA = \ %D%/packages/patches/liba52-use-mtune-not-mcpu.patch \ %D%/packages/patches/libaio-32bit-test.patch \ %D%/packages/patches/libaio-riscv-test5.patch \ - %D%/packages/patches/libarchive-remove-potential-backdoor.patch \ %D%/packages/patches/libbase-fix-includes.patch \ %D%/packages/patches/libbase-use-own-logging.patch \ %D%/packages/patches/libbonobo-activation-test-race.patch \ diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm index b4aca86774..876167898b 100644 --- a/gnu/packages/backup.scm +++ b/gnu/packages/backup.scm @@ -263,8 +263,7 @@ (define-public hdup (define-public libarchive (package (name "libarchive") - (replacement libarchive/fixed) - (version "3.6.1") + (version "3.7.7") (source (origin (method url-fetch) 
@@ -273,10 +272,9 @@ (define-public libarchive (string-append "https://github.com/libarchive/libarchive" "/releases/download/v" version "/libarchive-" version ".tar.xz"))) - (patches (search-patches "libarchive-remove-potential-backdoor.patch")) (sha256 (base32 - "1rj8q5v26lxxr8x4b4nqbrj7p06qvl91hb8cdxi3xx3qp771lhas")))) + "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7")))) (build-system gnu-build-system) (inputs (list bzip2 @@ -353,22 +351,6 @@ (define-public libarchive @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.") (license license:bsd-2))) -(define libarchive/fixed - (package - (inherit libarchive) - (version "3.7.7") - (source - (origin - (method url-fetch) - (uri (list (string-append "https://libarchive.org/downloads/libarchive-" - version ".tar.xz") - (string-append "https://github.com/libarchive/libarchive" - "/releases/download/v" version "/libarchive-" - version ".tar.xz"))) - (sha256 - (base32 - "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7")))))) - (define-public rdup (package (name "rdup") diff --git a/gnu/packages/patches/libarchive-remove-potential-backdoor.patch b/gnu/packages/patches/libarchive-remove-potential-backdoor.patch deleted file mode 100644 index 2b9a9e2ffe..0000000000 --- a/gnu/packages/patches/libarchive-remove-potential-backdoor.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -Remove code added by 'JiaT75', the malicious actor that backdoored `xz`: - -https://github.com/libarchive/libarchive/pull/2101 - -At libarchive, they are reviewing all code contributed by this actor: - -https://github.com/libarchive/libarchive/issues/2103 - -See the original disclosure and subsequent discussion for more -information about this incident: - -https://seclists.org/oss-sec/2024/q1/268 - -Patch copied from upstream source repository: - -https://github.com/libarchive/libarchive/pull/2101/commits/e200fd8abfb4cf895a1cab4d89b67e6eefe83942 - -From 6110e9c82d8ba830c3440f36b990483ceaaea52c Mon Sep 17 00:00:00 2001 -From: Ed Maste <emaste <at> freebsd.org> -Date: Fri, 29 Mar 2024 18:02:06 -0400 -Subject: [PATCH] tar: make error reporting more robust and use correct errno - (#2101) - -As discussed in #1609. ---- - tar/read.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/tar/read.c b/tar/read.c -index af3d3f42..a7f14a07 100644 ---- a/tar/read.c -+++ b/tar/read.c -@@ -371,8 +371,9 @@ read_archive(struct bsdtar *bsdtar, char mode, struct archive *writer) - if (r != ARCHIVE_OK) { - if (!bsdtar->verbose) - safe_fprintf(stderr, "%s", archive_entry_pathname(entry)); -- fprintf(stderr, ": %s: ", archive_error_string(a)); -- fprintf(stderr, "%s", strerror(errno)); -+ safe_fprintf(stderr, ": %s: %s", -+ archive_error_string(a), -+ strerror(archive_errno(a))); - if (!bsdtar->verbose) - fprintf(stderr, "\n"); - bsdtar->return_value = 1; --- -2.41.0 - -- 2.49.0
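Review bot: Style, first hunk of gnu/packages/backup.scm (`@@ -263,8 +263,7 @@`): the ChangeLog entry `* gnu/packages/patches/libarchive-remove-potential-backdoor.patch: Remove it` is missing its trailing period, unlike the other entries in the message.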
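Review bot: Where the second hunk of gnu/packages/backup.scm (`@@ -273,10 +272,9 @@`) drops `(patches (search-patches "libarchive-remove-potential-backdoor.patch"))`, the commit message should state that the upstream change this patch carried (libarchive PR #2101, committed 29 Mar 2024 according to the deleted file's header) is included in the 3.7.7 release, so that removing the graft can be checked as not regressing that fix; the version bump alone does not say so.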
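Review bot: The deleted `libarchive/fixed` (hunk `@@ -353,22 +351,6 @@`) fetched from a `uri` list with both the libarchive.org download URL and the GitHub release URL, but only the GitHub `string-append` is visible in the surviving context of the main `libarchive` package; please confirm the main package's `uri` keeps the same two mirrors, otherwise the ungraft quietly loses a download source.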
Message #35 received at 78337 <at> debbugs.gnu.org (Tue, 20 May 2025 02:59:04 GMT):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 78337 <at> debbugs.gnu.org
Cc: Zheng Junjie <z572 <at> z572.online>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Subject: [PATCH v2 6/6] gnu: expat: Update to 2.7.1.
Date: Tue, 20 May 2025 11:58:16 +0900
From: Zheng Junjie <z572 <at> z572.online> * gnu/packages/xml.scm (expat): Update to 2.7.1. (expat/fixed): Remove it. * gnu/packages/patches/expat-CVE-2024-45490.patch: Remove it. * gnu/packages/patches/expat-CVE-2024-45491.patch: Remove it. * gnu/packages/patches/expat-CVE-2024-45492.patch: Remove it. * gnu/local.mk (dist_patch_DATA): Unregister them. Change-Id: Ia0bc5da202afba0636032e4f4e10051778214944 Signed-off-by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> --- gnu/local.mk | 3 -- .../patches/expat-CVE-2024-45490.patch | 34 ------------------- .../patches/expat-CVE-2024-45491.patch | 34 ------------------- .../patches/expat-CVE-2024-45492.patch | 33 ------------------ gnu/packages/xml.scm | 16 ++------- 5 files changed, 2 insertions(+), 118 deletions(-) delete mode 100644 gnu/packages/patches/expat-CVE-2024-45490.patch delete mode 100644 gnu/packages/patches/expat-CVE-2024-45491.patch delete mode 100644 gnu/packages/patches/expat-CVE-2024-45492.patch diff --git a/gnu/local.mk b/gnu/local.mk index d561d5ea5d..c9b70349ce 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1256,9 +1256,6 @@ dist_patch_DATA = \ %D%/packages/patches/esmini-use-pkgconfig.patch \ %D%/packages/patches/esmtp-add-lesmtp.patch \ %D%/packages/patches/exercism-disable-self-update.patch \ - %D%/packages/patches/expat-CVE-2024-45490.patch \ - %D%/packages/patches/expat-CVE-2024-45491.patch \ - %D%/packages/patches/expat-CVE-2024-45492.patch \ %D%/packages/patches/extempore-unbundle-external-dependencies.patch \ %D%/packages/patches/extundelete-e2fsprogs-1.44.patch \ %D%/packages/patches/fail2ban-paths-guix-conf.patch \ diff --git a/gnu/packages/patches/expat-CVE-2024-45490.patch b/gnu/packages/patches/expat-CVE-2024-45490.patch deleted file mode 100644 index f876e78651..0000000000 --- a/gnu/packages/patches/expat-CVE-2024-45490.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf.patch -Fixed in 2.6.3. -Takes only 1 of the 3 patches from -https://github.com/libexpat/libexpat/pull/890 to take the fix and not the -tests because that part doesn't apply cleanly. - -From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping <sebastian <at> pipping.org> -Date: Mon, 19 Aug 2024 22:26:07 +0200 -Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer - -Reported by TaiYou - ---- - expat/lib/xmlparse.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 91682c188..ba1038119 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -2038,6 +2038,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) { - - if (parser == NULL) - return XML_STATUS_ERROR; -+ -+ if (len < 0) { -+ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT; -+ return XML_STATUS_ERROR; -+ } -+ - switch (parser->m_parsingStatus.parsing) { - case XML_SUSPENDED: - parser->m_errorCode = XML_ERROR_SUSPENDED; diff --git a/gnu/packages/patches/expat-CVE-2024-45491.patch b/gnu/packages/patches/expat-CVE-2024-45491.patch deleted file mode 100644 index 8ff10559bf..0000000000 --- a/gnu/packages/patches/expat-CVE-2024-45491.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -https://github.com/libexpat/libexpat/commit/8e439a9947e9dc80a395c0c7456545d8d9d9e421.patch -Fixed in 2.6.3. - -From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping <sebastian <at> pipping.org> -Date: Mon, 19 Aug 2024 22:34:13 +0200 -Subject: [PATCH] lib: Detect integer overflow in dtdCopy - -Reported by TaiYou ---- - expat/lib/xmlparse.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 91682c188..e2327bdcf 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, - if (! newE) - return 0; - if (oldE->nDefaultAtts) { -+ /* Detect and prevent integer overflow. -+ * The preprocessor guard addresses the "always false" warning -+ * from -Wtype-limits on platforms where -+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */ -+#if UINT_MAX >= SIZE_MAX -+ if ((size_t)oldE->nDefaultAtts -+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) { -+ return 0; -+ } -+#endif - newE->defaultAtts - = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); - if (! newE->defaultAtts) { diff --git a/gnu/packages/patches/expat-CVE-2024-45492.patch b/gnu/packages/patches/expat-CVE-2024-45492.patch deleted file mode 100644 index 852a9b3f59..0000000000 --- a/gnu/packages/patches/expat-CVE-2024-45492.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -https://github.com/libexpat/libexpat/commit/9bf0f2c16ee86f644dd1432507edff94c08dc232.patch -Fixed in 2.6.3. - -From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001 -From: Sebastian Pipping <sebastian <at> pipping.org> -Date: Mon, 19 Aug 2024 22:37:16 +0200 -Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart - -Reported by TaiYou ---- - expat/lib/xmlparse.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 91682c188..f737575ea 100644 ---- a/lib/xmlparse.c -+++ b/lib/xmlparse.c -@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) { - int next; - - if (! dtd->scaffIndex) { -+ /* Detect and prevent integer overflow. -+ * The preprocessor guard addresses the "always false" warning -+ * from -Wtype-limits on platforms where -+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ -+#if UINT_MAX >= SIZE_MAX -+ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) { -+ return -1; -+ } -+#endif - dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int)); - if (! dtd->scaffIndex) - return -1; diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 10cd6d98fa..33c409212f 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -127,8 +127,7 @@ (define-public libxmlb (define-public expat (package (name "expat") - (version "2.5.0") - (replacement expat/fixed) + (version "2.7.1") (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c)))) (origin (method url-fetch) @@ -140,7 +139,7 @@ (define-public expat "/expat-" version ".tar.xz"))) (sha256 (base32 - "1gnwihpfz4x18rwd6cbrdggmfqjzwsdfh1gpmc0ph21c4gq2097g"))))) + "0c3w446jrrnss3ccgx9z590lpwbpxiqdbxv2a0p036cg9da54i9m"))))) (build-system gnu-build-system) (arguments '(#:phases (modify-phases %standard-phases 
@@ -164,17 +163,6 @@ (define-public expat things the parser might find in the XML document (like start tags).") (license license:expat))) -(define-public expat/fixed - (hidden-package - (package - (inherit expat) - (replacement expat/fixed) - (source (origin - (inherit (package-source expat)) - (patches (search-patches "expat-CVE-2024-45490.patch" - "expat-CVE-2024-45491.patch" - "expat-CVE-2024-45492.patch"))))))) - (define-public libebml (package (name "libebml") -- 2.49.0
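Review bot: For the gnu/packages/xml.scm hunk bumping `(version "2.5.0")` to `(version "2.7.1")`, the commit message should record that the three deleted patches (CVE-2024-45490, CVE-2024-45491, CVE-2024-45492) each state `Fixed in 2.6.3` in their headers, so 2.7.1 supersedes them; "Update to 2.7.1" on its own does not let a reviewer confirm the ungraft covers the same CVEs without re-reading the deleted files.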
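Review bot: `expat/fixed` removed in the last hunk (`@@ -164,17 +163,6 @@`) was exported with `define-public`, even though wrapped in `hidden-package`, so this is a public-variable removal from (gnu packages xml); please grep the tree for other references to `expat/fixed` and mention in the commit message that none remain, since the diff touches only gnu/packages/xml.scm, gnu/local.mk and the deleted patch files.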
Message #38 received at 78337 <at> debbugs.gnu.org (Tue, 20 May 2025 03:27:02 GMT):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 78337 <at> debbugs.gnu.org
Cc: hako <at> ultrarare.space, steve <at> futurile.net, efraim <at> flashner.co.il, divya <at> subvertising.org
Subject: Re: [PATCH v2 2/6] gnu: curl: Update to 8.13.0 and ungraft [fixes CVE-2025-0725].
Date: Tue, 20 May 2025 12:26:30 +0900

Hi,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> * gnu/packages/curl.scm (curl): Update to 8.13.0.

A note: this breaks rust-1.82, which fails to detect curl. Apparently that happens via one of its bundled crates (curl-sys), so I suppose we'd need to patch it with a fresher one. I'm not sure what the right approach is or how to do that, so I'm adding the rust team in CC for input.

--
Thanks,
Maxim
Message #41 received at 78337 <at> debbugs.gnu.org (Wed, 21 May 2025 05:22:01 GMT):

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: hako <at> ultrarare.space, steve <at> futurile.net, 78337 <at> debbugs.gnu.org, divya <at> subvertising.org
Subject: Re: [PATCH v2 2/6] gnu: curl: Update to 8.13.0 and ungraft [fixes CVE-2025-0725].
Date: Wed, 21 May 2025 08:21:39 +0300

On Tue, May 20, 2025 at 12:26:30PM +0900, Maxim Cournoyer wrote:
> Hi,
>
> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
>
> > * gnu/packages/curl.scm (curl): Update to 8.13.0.
>
> A note: this breaks rust-1.82, which fails to detect curl. Apparently
> that happens via one of its bundled crates (curl-sys), so I suppose we'd
> need to patch it with a fresher one. I'm not sure what is the right
> approach or how to do that, so I'm adding the rust team in CC for input.
>
> --
> Thanks,
> Maxim

Still building out to rust on the core-packages-team branch. I fixed some problems in commencement.scm on aarch64 in the meanwhile.

We can probably just get away with patching the curl-sys crate since we always have newer rust versions coming.

--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Message #44 received at 78337 <at> debbugs.gnu.org (Wed, 21 May 2025 08:23:02 GMT):

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: hako <at> ultrarare.space, steve <at> futurile.net, 78337 <at> debbugs.gnu.org, divya <at> subvertising.org
Subject: Re: [PATCH v2 2/6] gnu: curl: Update to 8.13.0 and ungraft [fixes CVE-2025-0725].
Date: Wed, 21 May 2025 11:22:45 +0300

On Tue, May 20, 2025 at 12:26:30PM +0900, Maxim Cournoyer wrote:
> Hi,
>
> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
>
> > * gnu/packages/curl.scm (curl): Update to 8.13.0.
>
> A note: this breaks rust-1.82, which fails to detect curl. Apparently
> that happens via one of its bundled crates (curl-sys), so I suppose we'd
> need to patch it with a fresher one. I'm not sure what is the right
> approach or how to do that, so I'm adding the rust team in CC for input.
>

I'm currently unable to build cmake-bootstrap-3.24.2 with this patch applied. Am I missing some patches?

--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Message #47 received at 78337 <at> debbugs.gnu.org (Wed, 21 May 2025 09:12:02 GMT):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Efraim Flashner <efraim <at> flashner.co.il>
Cc: hako <at> ultrarare.space, steve <at> futurile.net, 78337 <at> debbugs.gnu.org, divya <at> subvertising.org
Subject: Re: [PATCH v2 2/6] gnu: curl: Update to 8.13.0 and ungraft [fixes CVE-2025-0725].
Date: Wed, 21 May 2025 18:11:44 +0900

Hi,

Efraim Flashner <efraim <at> flashner.co.il> writes:

> On Tue, May 20, 2025 at 12:26:30PM +0900, Maxim Cournoyer wrote:
>> Hi,
>>
>> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
>>
>> > * gnu/packages/curl.scm (curl): Update to 8.13.0.
>>
>> A note: this breaks rust-1.82, which fails to detect curl. Apparently
>> that happens via one of its bundled crates (curl-sys), so I suppose we'd
>> need to patch it with a fresher one. I'm not sure what is the right
>> approach or how to do that, so I'm adding the rust team in CC for input.
>>
>
> I'm currently unable to build cmake-bootstrap-3.24.2 with this patch
> applied. Am I missing some patches?

I've taken this from a branch that had a couple of other commits, but I don't see what would impact cmake. What does the build error say?

--
Thanks,
Maxim
Message #50 received at 78337 <at> debbugs.gnu.org (Wed, 21 May 2025 09:16:02 GMT):

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: hako <at> ultrarare.space, steve <at> futurile.net, 78337 <at> debbugs.gnu.org, divya <at> subvertising.org
Subject: Re: [PATCH v2 2/6] gnu: curl: Update to 8.13.0 and ungraft [fixes CVE-2025-0725].
Date: Wed, 21 May 2025 12:15:24 +0300

On Wed, May 21, 2025 at 06:11:44PM +0900, Maxim Cournoyer wrote:
> Hi,
>
> Efraim Flashner <efraim <at> flashner.co.il> writes:
>
> > On Tue, May 20, 2025 at 12:26:30PM +0900, Maxim Cournoyer wrote:
> >> Hi,
> >>
> >> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
> >>
> >> > * gnu/packages/curl.scm (curl): Update to 8.13.0.
> >>
> >> A note: this breaks rust-1.82, which fails to detect curl. Apparently
> >> that happens via one of its bundled crates (curl-sys), so I suppose we'd
> >> need to patch it with a fresher one. I'm not sure what is the right
> >> approach or how to do that, so I'm adding the rust team in CC for input.
> >>
> >
> > I'm currently unable to build cmake-bootstrap-3.24.2 with this patch
> > applied. Am I missing some patches?
>
> I've taken this from a branch that had a couple other commits, but I don't see what would
> impact cmake. What does the build error say?

This is with just this patch and the curl+zstd:lib patch on core-packages-team.

[ 25%] Building CXX object Source/CMakeFiles/CMakeLib.dir/cmDocumentation.cxx.o
cd /tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Source && /gnu/store/1an62gxdvfx7sg8wh5hhvp0j1pg0k0w5-gcc-14.2.0/bin/g++ -I/tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Source -I/tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Source/LexerParser -I/tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Source/CTest -I/tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Source/CPack -isystem /tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Utilities/std -isystem /tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Utilities -O3 -DNDEBUG -Wno-deprecated-declarations -std=c++17 -MD -MT Source/CMakeFiles/CMakeLib.dir/cmDocumentation.cxx.o -MF CMakeFiles/CMakeLib.dir/cmDocumentation.cxx.o.d -o CMakeFiles/CMakeLib.dir/cmDocumentation.cxx.o -c /tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Source/cmDocumentation.cxx
In file included from /tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Utilities/cm3p/curl/curl.h:8,
                 from /tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Source/cmCurl.h:9,
                 from /tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Source/cmCurl.cxx:3:
/tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Source/cmCurl.cxx: In function ‘std::string cmCurlSetNETRCOption(CURL*, const std::string&, const std::string&)’:
/tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Source/cmCurl.cxx:86:26: error: invalid conversion from ‘long int’ to ‘CURL_NETRC_OPTION’ [-fpermissive]
   86 |       curl_netrc_level = CURL_NETRC_OPTIONAL;
      |                          ^~~~~~~~~~~~~~~~~~~
      |                          |
      |                          long int
/tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Source/cmCurl.cxx:88:26: error: invalid conversion from ‘long int’ to ‘CURL_NETRC_OPTION’ [-fpermissive]
   88 |       curl_netrc_level = CURL_NETRC_REQUIRED;
      |                          ^~~~~~~~~~~~~~~~~~~
      |                          |
      |                          long int
/tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2/Source/cmCurl.cxx:90:26: error: invalid conversion from ‘long int’ to ‘CURL_NETRC_OPTION’ [-fpermissive]
   90 |       curl_netrc_level = CURL_NETRC_IGNORED;
      |                          ^~~~~~~~~~~~~~~~~~
      |                          |
      |                          long int
make[2]: Leaving directory '/tmp/guix-build-cmake-bootstrap-3.24.2.drv-0/cmake-3.24.2'

--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.