GNU bug report logs - #78337
[PATCH core-packages-team 0/4] ungraft curl, cups, libarchive and expat.


Package: guix-patches;

Reported by: Zheng Junjie <z572 <at> z572.online>

Date: Fri, 9 May 2025 16:32:02 UTC

Severity: normal

Tags: patch



Report forwarded to guix-patches <at> gnu.org:
bug#78337; Package guix-patches. (Fri, 09 May 2025 16:32:02 GMT)

Acknowledgement sent to Zheng Junjie <z572 <at> z572.online>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 09 May 2025 16:32:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Zheng Junjie <z572 <at> z572.online>
To: guix-patches <at> gnu.org
Subject: [PATCH core-packages-team 0/4] ungraft curl, cups, libarchive and expat.
Date: Sat, 10 May 2025 00:30:57 +0800
Zheng Junjie (4):
  gnu: curl: Ungraft.
  gnu: cups-minimal: Ungraft.
  gnu: libarchive: Update to 3.7.7.
  gnu: expat: Update to 2.7.1.

 gnu/local.mk                                  |  4 --
 gnu/packages/backup.scm                       | 22 +--------
 gnu/packages/cups.scm                         | 13 +----
 gnu/packages/curl.scm                         | 14 +-----
 .../patches/expat-CVE-2024-45490.patch        | 34 --------------
 .../patches/expat-CVE-2024-45491.patch        | 34 --------------
 .../patches/expat-CVE-2024-45492.patch        | 33 -------------
 ...libarchive-remove-potential-backdoor.patch | 47 -------------------
 gnu/packages/xml.scm                          | 16 +------
 9 files changed, 8 insertions(+), 209 deletions(-)
 delete mode 100644 gnu/packages/patches/expat-CVE-2024-45490.patch
 delete mode 100644 gnu/packages/patches/expat-CVE-2024-45491.patch
 delete mode 100644 gnu/packages/patches/expat-CVE-2024-45492.patch
 delete mode 100644 gnu/packages/patches/libarchive-remove-potential-backdoor.patch


base-commit: 397db982843779f37d540c05d390c059ab9b2549
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78337; Package guix-patches. (Fri, 09 May 2025 16:52:02 GMT)

Message #8 received at 78337 <at> debbugs.gnu.org:

From: Zheng Junjie <z572 <at> z572.online>
To: 78337 <at> debbugs.gnu.org
Subject: [PATCH core-packages-team 1/4] gnu: curl: Ungraft.
Date: Sat, 10 May 2025 00:50:52 +0800
* gnu/packages/curl.scm (curl)[replacement]: Remove it.
[source]: Add curl-CVE-2024-8096.patch.
* gnu/packages/curl.scm (curl/fixed): Remove it.

Change-Id: I43e6c1c0c97bc86ce0e4801559eead53a1a07d12
---
 gnu/packages/curl.scm | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 3e9cd517a2..ded616a052 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -69,7 +69,6 @@ (define-public curl
   (package
     (name "curl")
     (version "8.6.0")
-    (replacement curl/fixed)
     (source (origin
               (method url-fetch)
               (uri (string-append "https://curl.se/download/curl-"
@@ -77,7 +76,8 @@ (define-public curl
               (sha256
                (base32
                 "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
-              (patches (search-patches "curl-use-ssl-cert-env.patch"))))
+              (patches (search-patches "curl-use-ssl-cert-env.patch"
+                                       "curl-CVE-2024-8096.patch"))))
     (outputs '("out"
                "doc"))                  ;1.2 MiB of man3 pages
     (build-system gnu-build-system)
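Review bot: the commit message should say why curl stays at 8.6.0 with a backported curl-CVE-2024-8096.patch instead of being updated the way libarchive and expat are in the same series; the patch now sits directly in `(source ...)`, so every dependent of curl is rebuilt anyway, and a reader of the log will want to know that an update was considered. Otherwise the hunk reproduces what the removed curl/fixed computed: `(patches (search-patches "curl-use-ssl-cert-env.patch"` / `"curl-CVE-2024-8096.patch"))` is the same list, in the same order, that the old `append` produced.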
@@ -179,16 +179,6 @@ (define-public curl
     (license (license:non-copyleft "file://COPYING"
                                    "See COPYING in the distribution."))))
 
-(define-public curl/fixed
-  (hidden-package
-   (package
-     (inherit curl)
-     (replacement curl/fixed)
-     (source (origin
-               (inherit (package-source curl))
-               (patches (append (origin-patches (package-source curl))
-                                (search-patches "curl-CVE-2024-8096.patch"))))))))
-
 (define-public gnurl (deprecated-package "gnurl" curl))
 
 (define-public curl-ssh
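Review bot: curl/fixed was `define-public`, so before dropping it confirm nothing else under gnu/packages still refers to it (a `git grep curl/fixed` should come back empty once this patch is applied); curl-ssh, which follows this hunk, inherits from curl and therefore picks up the patched source without further changes.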
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78337; Package guix-patches. (Fri, 09 May 2025 16:52:02 GMT)

Message #11 received at 78337 <at> debbugs.gnu.org:

From: Zheng Junjie <z572 <at> z572.online>
To: 78337 <at> debbugs.gnu.org
Subject: [PATCH core-packages-team 2/4] gnu: cups-minimal: Ungraft.
Date: Sat, 10 May 2025 00:50:53 +0800
* gnu/packages/cups.scm (cups-minimal)[replacement]: Remove it.
[source]: Add cups-minimal-Address-PPD-injection-issues.patch.
* gnu/packages/cups.scm (cups-minimal/fixed): Remove it.

Change-Id: Icb5295af42b5a84741a73ed4b662bc8736ab6b2b
---
 gnu/packages/cups.scm | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index 5eb45b97b5..2ef1a56b2f 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -266,7 +266,6 @@ (define-public cups-minimal
   (package
     (name "cups-minimal")
     (version "2.4.9")
-    (replacement cups-minimal/fixed)
     (source
      (origin
        (method git-fetch)
@@ -276,7 +275,8 @@ (define-public cups-minimal
        ;; Avoid NAME confusion: these are the complete CUPS sources.
        (file-name (git-file-name "cups" version))
        (sha256
-        (base32 "08wjd1flyaslhnwvxl39403qi3g675rk532ysiyk6cda4r8ks1g1"))))
+        (base32 "08wjd1flyaslhnwvxl39403qi3g675rk532ysiyk6cda4r8ks1g1"))
+       (patches (search-patches "cups-minimal-Address-PPD-injection-issues.patch"))))
     (build-system gnu-build-system)
     (arguments
      (list #:configure-flags
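Review bot: the added line `(patches (search-patches "cups-minimal-Address-PPD-injection-issues.patch"))))` runs well past 80 columns; wrap it the way the removed cups-minimal/fixed did, with `(patches` on its own line and `(search-patches ...)` indented beneath it, so the hunk stays consistent with the rest of the file.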
@@ -356,15 +356,6 @@ (define-public cups-minimal
     ;; CUPS is Apache 2.0 with exceptions, see the NOTICE file.
     (license license:asl2.0)))
 
-(define cups-minimal/fixed
-  (package
-    (inherit cups-minimal)
-    (source
-     (origin
-       (inherit (package-source cups-minimal))
-       (patches
-        (search-patches "cups-minimal-Address-PPD-injection-issues.patch"))))))
-
 (define-public cups
   (package/inherit cups-minimal
     (name "cups")
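Review bot: cups-minimal/fixed was a private `define`, so no other module can depend on it, and cups (via `package/inherit cups-minimal` just below) now takes the PPD-injection patch from the base package's source; the remaining check is that cups-minimal and cups both still build once the graft is gone, since the source derivation changes.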
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78337; Package guix-patches. (Fri, 09 May 2025 16:52:03 GMT)

Message #14 received at 78337 <at> debbugs.gnu.org:

From: Zheng Junjie <z572 <at> z572.online>
To: 78337 <at> debbugs.gnu.org
Subject: [PATCH core-packages-team 3/4] gnu: libarchive: Update to 3.7.7.
Date: Sat, 10 May 2025 00:50:54 +0800
* gnu/packages/backup.scm (libarchive): Update to 3.7.7.
* gnu/packages/backup.scm (libarchive/fixed): Delete variable.
* gnu/packages/patches/libarchive-remove-potential-backdoor.patch: Remove it.
* gnu/local.mk (dist_patch_DATA): Unregister it.

Change-Id: Ia6474f9dae9a3d1a707d94fcace9bd50b2e3ac4c
---
 gnu/local.mk                                  |  1 -
 gnu/packages/backup.scm                       | 22 +--------
 ...libarchive-remove-potential-backdoor.patch | 47 -------------------
 3 files changed, 2 insertions(+), 68 deletions(-)
 delete mode 100644 gnu/packages/patches/libarchive-remove-potential-backdoor.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 67a41bdbf4..831939f72e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1718,7 +1718,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/liba52-use-mtune-not-mcpu.patch		\
   %D%/packages/patches/libaio-32bit-test.patch                  \
   %D%/packages/patches/libaio-riscv-test5.patch			\
-  %D%/packages/patches/libarchive-remove-potential-backdoor.patch	\
   %D%/packages/patches/libbase-fix-includes.patch		\
   %D%/packages/patches/libbase-use-own-logging.patch		\
   %D%/packages/patches/libbonobo-activation-test-race.patch	\
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index b4aca86774..876167898b 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -263,8 +263,7 @@ (define-public hdup
 (define-public libarchive
   (package
     (name "libarchive")
-    (replacement libarchive/fixed)
-    (version "3.6.1")
+    (version "3.7.7")
     (source
      (origin
        (method url-fetch)
@@ -273,10 +272,9 @@ (define-public libarchive
                   (string-append "https://github.com/libarchive/libarchive"
                                  "/releases/download/v" version "/libarchive-"
                                  version ".tar.xz")))
-       (patches (search-patches "libarchive-remove-potential-backdoor.patch"))
        (sha256
         (base32
-         "1rj8q5v26lxxr8x4b4nqbrj7p06qvl91hb8cdxi3xx3qp771lhas"))))
+         "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7"))))
     (build-system gnu-build-system)
     (inputs
      (list bzip2
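Review bot: dropping libarchive-remove-potential-backdoor.patch together with the 3.7.7 update is only safe if the upstream change it carried (libarchive PR 2101, dated 29 Mar 2024 in the deleted patch header) is contained in 3.7.7; the removed libarchive/fixed below already built 3.7.7 without that patch, so what users receive is unchanged, but the commit message should state that the fix landed upstream rather than only "Remove it".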
@@ -353,22 +351,6 @@ (define-public libarchive
 @command{bsdcat}, @command{bsdcpio} and @command{bsdtar} commands.")
     (license license:bsd-2)))
 
-(define libarchive/fixed
-  (package
-    (inherit libarchive)
-    (version "3.7.7")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (list (string-append "https://libarchive.org/downloads/libarchive-"
-                                 version ".tar.xz")
-                  (string-append "https://github.com/libarchive/libarchive"
-                                 "/releases/download/v" version "/libarchive-"
-                                 version ".tar.xz")))
-       (sha256
-        (base32
-         "1vps57mrpqmrk4zayh5g5amqfq7031s5zzkkxsm7r71rqf1wv6l7"))))))
-
 (define-public rdup
   (package
     (name "rdup")
diff --git a/gnu/packages/patches/libarchive-remove-potential-backdoor.patch b/gnu/packages/patches/libarchive-remove-potential-backdoor.patch
deleted file mode 100644
index 2b9a9e2ffe..0000000000
--- a/gnu/packages/patches/libarchive-remove-potential-backdoor.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Remove code added by 'JiaT75', the malicious actor that backdoored `xz`:
-
-https://github.com/libarchive/libarchive/pull/2101
-
-At libarchive, they are reviewing all code contributed by this actor:
-
-https://github.com/libarchive/libarchive/issues/2103
-
-See the original disclosure and subsequent discussion for more
-information about this incident:
-
-https://seclists.org/oss-sec/2024/q1/268
-
-Patch copied from upstream source repository:
-
-https://github.com/libarchive/libarchive/pull/2101/commits/e200fd8abfb4cf895a1cab4d89b67e6eefe83942
-
-From 6110e9c82d8ba830c3440f36b990483ceaaea52c Mon Sep 17 00:00:00 2001
-From: Ed Maste <emaste <at> freebsd.org>
-Date: Fri, 29 Mar 2024 18:02:06 -0400
-Subject: [PATCH] tar: make error reporting more robust and use correct errno
- (#2101)
-
-As discussed in #1609.
----
- tar/read.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/tar/read.c b/tar/read.c
-index af3d3f42..a7f14a07 100644
---- a/tar/read.c
-+++ b/tar/read.c
-@@ -371,8 +371,9 @@ read_archive(struct bsdtar *bsdtar, char mode, struct archive *writer)
- 			if (r != ARCHIVE_OK) {
- 				if (!bsdtar->verbose)
- 					safe_fprintf(stderr, "%s", archive_entry_pathname(entry));
--				fprintf(stderr, ": %s: ", archive_error_string(a));
--				fprintf(stderr, "%s", strerror(errno));
-+				safe_fprintf(stderr, ": %s: %s",
-+				    archive_error_string(a),
-+				    strerror(archive_errno(a)));
- 				if (!bsdtar->verbose)
- 					fprintf(stderr, "\n");
- 				bsdtar->return_value = 1;
--- 
-2.41.0
-
-- 
2.49.0





Information forwarded to guix-patches <at> gnu.org:
bug#78337; Package guix-patches. (Fri, 09 May 2025 16:52:03 GMT)

Message #17 received at 78337 <at> debbugs.gnu.org:

From: Zheng Junjie <z572 <at> z572.online>
To: 78337 <at> debbugs.gnu.org
Subject: [PATCH core-packages-team 4/4] gnu: expat: Update to 2.7.1.
Date: Sat, 10 May 2025 00:50:55 +0800
* gnu/packages/xml.scm (expat): Update to 2.7.1.
(expat/fixed): Remove it.
* gnu/packages/patches/expat-CVE-2024-45490.patch: Remove it.
* gnu/packages/patches/expat-CVE-2024-45491.patch: Remove it.
* gnu/packages/patches/expat-CVE-2024-45492.patch: Remove it.
* gnu/local.mk (dist_patch_DATA): Unregister them.

Change-Id: Ia0bc5da202afba0636032e4f4e10051778214944
---
 gnu/local.mk                                  |  3 --
 .../patches/expat-CVE-2024-45490.patch        | 34 -------------------
 .../patches/expat-CVE-2024-45491.patch        | 34 -------------------
 .../patches/expat-CVE-2024-45492.patch        | 33 ------------------
 gnu/packages/xml.scm                          | 16 ++-------
 5 files changed, 2 insertions(+), 118 deletions(-)
 delete mode 100644 gnu/packages/patches/expat-CVE-2024-45490.patch
 delete mode 100644 gnu/packages/patches/expat-CVE-2024-45491.patch
 delete mode 100644 gnu/packages/patches/expat-CVE-2024-45492.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 831939f72e..c15ef425ca 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1258,9 +1258,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/esmini-use-pkgconfig.patch		\
   %D%/packages/patches/esmtp-add-lesmtp.patch		\
   %D%/packages/patches/exercism-disable-self-update.patch	\
-  %D%/packages/patches/expat-CVE-2024-45490.patch	\
-  %D%/packages/patches/expat-CVE-2024-45491.patch	\
-  %D%/packages/patches/expat-CVE-2024-45492.patch	\
   %D%/packages/patches/extempore-unbundle-external-dependencies.patch	\
   %D%/packages/patches/extundelete-e2fsprogs-1.44.patch		\
   %D%/packages/patches/fail2ban-paths-guix-conf.patch		\
diff --git a/gnu/packages/patches/expat-CVE-2024-45490.patch b/gnu/packages/patches/expat-CVE-2024-45490.patch
deleted file mode 100644
index f876e78651..0000000000
--- a/gnu/packages/patches/expat-CVE-2024-45490.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf.patch
-Fixed in 2.6.3.
-Takes only 1 of the 3 patches from
-https://github.com/libexpat/libexpat/pull/890 to take the fix and not the
-tests because that part doesn't apply cleanly.
-
-From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian <at> pipping.org>
-Date: Mon, 19 Aug 2024 22:26:07 +0200
-Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
-
-Reported by TaiYou
-
----
- expat/lib/xmlparse.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 91682c188..ba1038119 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -2038,6 +2038,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
- 
-   if (parser == NULL)
-     return XML_STATUS_ERROR;
-+
-+  if (len < 0) {
-+    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
-+    return XML_STATUS_ERROR;
-+  }
-+
-   switch (parser->m_parsingStatus.parsing) {
-   case XML_SUSPENDED:
-     parser->m_errorCode = XML_ERROR_SUSPENDED;
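Review bot: the header of this deleted patch records "Fixed in 2.6.3", and the two patches deleted after it carry the same note, so all three backports are superseded by the 2.7.1 update; the commit message should list CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492 as fixed upstream since 2.6.3 so the log shows why the patches could go.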
diff --git a/gnu/packages/patches/expat-CVE-2024-45491.patch b/gnu/packages/patches/expat-CVE-2024-45491.patch
deleted file mode 100644
index 8ff10559bf..0000000000
--- a/gnu/packages/patches/expat-CVE-2024-45491.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-https://github.com/libexpat/libexpat/commit/8e439a9947e9dc80a395c0c7456545d8d9d9e421.patch
-Fixed in 2.6.3.
-
-From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian <at> pipping.org>
-Date: Mon, 19 Aug 2024 22:34:13 +0200
-Subject: [PATCH] lib: Detect integer overflow in dtdCopy
-
-Reported by TaiYou
----
- expat/lib/xmlparse.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 91682c188..e2327bdcf 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
-     if (! newE)
-       return 0;
-     if (oldE->nDefaultAtts) {
-+      /* Detect and prevent integer overflow.
-+       * The preprocessor guard addresses the "always false" warning
-+       * from -Wtype-limits on platforms where
-+       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+      if ((size_t)oldE->nDefaultAtts
-+          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
-+        return 0;
-+      }
-+#endif
-       newE->defaultAtts
-           = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
-       if (! newE->defaultAtts) {
diff --git a/gnu/packages/patches/expat-CVE-2024-45492.patch b/gnu/packages/patches/expat-CVE-2024-45492.patch
deleted file mode 100644
index 852a9b3f59..0000000000
--- a/gnu/packages/patches/expat-CVE-2024-45492.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-https://github.com/libexpat/libexpat/commit/9bf0f2c16ee86f644dd1432507edff94c08dc232.patch
-Fixed in 2.6.3.
-
-From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian <at> pipping.org>
-Date: Mon, 19 Aug 2024 22:37:16 +0200
-Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
-
-Reported by TaiYou
----
- expat/lib/xmlparse.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 91682c188..f737575ea 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) {
-   int next;
- 
-   if (! dtd->scaffIndex) {
-+    /* Detect and prevent integer overflow.
-+     * The preprocessor guard addresses the "always false" warning
-+     * from -Wtype-limits on platforms where
-+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
-+      return -1;
-+    }
-+#endif
-     dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
-     if (! dtd->scaffIndex)
-       return -1;
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index f29d5d2adc..5eb9be68c7 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -127,8 +127,7 @@ (define-public libxmlb
 (define-public expat
   (package
     (name "expat")
-    (version "2.5.0")
-    (replacement expat/fixed)
+    (version "2.7.1")
     (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
               (origin
                 (method url-fetch)
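Review bot: this takes expat from 2.5.0 to 2.7.1 in one hunk, well past the 2.6.3 that the deleted patch headers name as the first fixed release; since removing the graft already forces a rebuild of every dependent, the commit message should record that dependents were rebuilt on core-packages-team and note any test fallout, so a later bisect does not have to rediscover it.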
@@ -140,7 +139,7 @@ (define-public expat
                             "/expat-" version ".tar.xz")))
                 (sha256
                  (base32
-                  "1gnwihpfz4x18rwd6cbrdggmfqjzwsdfh1gpmc0ph21c4gq2097g")))))
+                  "0c3w446jrrnss3ccgx9z590lpwbpxiqdbxv2a0p036cg9da54i9m")))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases (modify-phases %standard-phases
@@ -164,17 +163,6 @@ (define-public expat
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
-(define-public expat/fixed
- (hidden-package
-  (package
-    (inherit expat)
-    (replacement expat/fixed)
-    (source (origin
-              (inherit (package-source expat))
-              (patches (search-patches "expat-CVE-2024-45490.patch"
-                                       "expat-CVE-2024-45491.patch"
-                                       "expat-CVE-2024-45492.patch")))))))
-
 (define-public libebml
   (package
     (name "libebml")
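Review bot: expat/fixed was `define-public` (hidden, but still exported), so check that no other module references it before this lands; the `(replacement expat/fixed)` self-reference inside the removed block is the graft marker, and the first hunk of this file drops the matching `(replacement expat/fixed)` from expat itself, so within xml.scm the removal is complete.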
-- 
2.49.0




