diff options
| author | Mark H Weaver <mhw@netris.org> | 2016-08-04 08:16:38 -0400 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2016-08-04 08:16:38 -0400 |
| commit | 0832787e5c463c713d8f24fdec0f52900ff1c2bd (patch) | |
| tree | 5ce20bef711d0d85a22cd041758278d7c176b0f3 /gnu/packages/patches | |
| parent | 5b098cc4b937c05d6f685772c66e2aa04490710a (diff) | |
Revert "Merge branch 'core-updates'"
This reverts commit 455859a50f88f625d13fc2f304111f02369b366b.
Diffstat (limited to 'gnu/packages/patches')
24 files changed, 2014 insertions, 353 deletions
diff --git a/gnu/packages/patches/automake-test-gzip-warning.patch b/gnu/packages/patches/automake-test-gzip-warning.patch deleted file mode 100644 index bcc9c207ae..0000000000 --- a/gnu/packages/patches/automake-test-gzip-warning.patch +++ /dev/null @@ -1,17 +0,0 @@ -Adjust test to ignore gzip 1.8+ warnings. - ---- automake-1.15/t/distcheck-no-prefix-or-srcdir-override.sh 2016-06-14 00:36:26.554218552 +0200 -+++ automake-1.15/t/distcheck-no-prefix-or-srcdir-override.sh 2016-06-14 00:37:52.903157770 +0200 -@@ -49,7 +49,11 @@ grep "cannot find sources.* in foobar" s - - ./configure - run_make -E -O distcheck --test ! -s stderr -+ -+# Gzip 1.8+ emits warnings like "gzip: warning: GZIP environment -+# variable is deprecated"; filter them out. -+test `grep -v '^gzip: warning' stderr | wc -l` -eq 0 -+ - # Sanity check: the flags have been actually seen. - $PERL -e 'undef $/; $_ = <>; s/ \\\n/ /g; print;' <stdout >t - grep '/configure .* --srcdir am-src' t || exit 99 diff --git a/gnu/packages/patches/dealii-p4est-interface.patch b/gnu/packages/patches/dealii-p4est-interface.patch new file mode 100644 index 0000000000..4c4125d16c --- /dev/null +++ b/gnu/packages/patches/dealii-p4est-interface.patch @@ -0,0 +1,62 @@ +From upstream commit f764598c. + +The p4est_connectivity_load function used to take an unsigned long as argument, +but this has been changed to size_t in p4est 1.0. This makes no difference on +64 bit systems, but leads to compiler errors on 32 bit systems. Fix this. + +--- a/source/distributed/tria.cc ++++ b/source/distributed/tria.cc +@@ -204,7 +204,11 @@ namespace internal + static + int (&connectivity_is_valid) (types<2>::connectivity *connectivity); + +-#if DEAL_II_P4EST_VERSION_GTE(0,3,4,3) ++#if DEAL_II_P4EST_VERSION_GTE(1,0,0,0) ++ static ++ types<2>::connectivity *(&connectivity_load) (const char *filename, ++ size_t *length); ++#elif DEAL_II_P4EST_VERSION_GTE(0,3,4,3) + static + types<2>::connectivity *(&connectivity_load) (const char *filename, + long unsigned *length); +@@ -384,7 +388,12 @@ namespace internal + *connectivity) + = p4est_connectivity_is_valid; + +-#if DEAL_II_P4EST_VERSION_GTE(0,3,4,3) ++#if DEAL_II_P4EST_VERSION_GTE(1,0,0,0) ++ types<2>::connectivity * ++ (&functions<2>::connectivity_load) (const char *filename, ++ size_t *length) ++ = p4est_connectivity_load; ++#elif DEAL_II_P4EST_VERSION_GTE(0,3,4,3) + types<2>::connectivity * + (&functions<2>::connectivity_load) (const char *filename, + long unsigned *length) +@@ -564,7 +573,11 @@ namespace internal + static + int (&connectivity_is_valid) (types<3>::connectivity *connectivity); + +-#if DEAL_II_P4EST_VERSION_GTE(0,3,4,3) ++#if DEAL_II_P4EST_VERSION_GTE(1,0,0,0) ++ static ++ types<3>::connectivity *(&connectivity_load) (const char *filename, ++ size_t *length); ++#elif DEAL_II_P4EST_VERSION_GTE(0,3,4,3) + static + types<3>::connectivity *(&connectivity_load) (const char *filename, + long unsigned *length); +@@ -747,7 +760,12 @@ namespace internal + *connectivity) + = p8est_connectivity_is_valid; + +-#if DEAL_II_P4EST_VERSION_GTE(0,3,4,3) ++#if DEAL_II_P4EST_VERSION_GTE(1,0,0,0) ++ types<3>::connectivity * ++ (&functions<3>::connectivity_load) (const char *filename, ++ size_t *length) ++ = p8est_connectivity_load; ++#elif DEAL_II_P4EST_VERSION_GTE(0,3,4,3) + types<3>::connectivity * + (&functions<3>::connectivity_load) (const char *filename, + long unsigned *length) diff --git a/gnu/packages/patches/dico-idxgcide-bug.patch b/gnu/packages/patches/dico-idxgcide-bug.patch deleted file mode 100644 index 28cc8a6a08..0000000000 --- a/gnu/packages/patches/dico-idxgcide-bug.patch +++ /dev/null @@ -1,21 +0,0 @@ -Reported at <http://mail.gnu.org.ua/archives/bug-dico/2016-07/msg00000.html>. -Patch the .c file to avoid depending on Flex. - -commit 4599abbda3b5979367138ea098e435c919fe93fc -Author: Sergey Poznyakoff <gray@gnu.org> -Date: Thu Jul 28 14:09:58 2016 +0300 - - Bugfix - - * modules/gcide/idxgcide.l (main): Initialize ipg_header. - ---- dico-2.2/modules/gcide/idxgcide.c 2016-07-28 14:15:07.823587004 +0200 -+++ dico-2.2/modules/gcide/idxgcide.c 2016-07-28 14:15:09.435600549 +0200 -@@ -2497,6 +2497,7 @@ main(int argc, char **argv) - dico_log(L_ERR, 0, _("not enough memory")); - exit(EX_UNAVAILABLE); - } -+ idx_page->ipg_header.hdr.phdr_numentries = 0; - idx_page->ipg_header.hdr.phdr_text_offset = idx_header.ihdr_pagesize / 2; - - idx_header.ihdr_maxpageref = idx_header.ihdr_pagesize / 2 / diff --git a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch b/gnu/packages/patches/expat-CVE-2015-1283-refix.patch index fc8d6291f5..af5e3bcc3e 100644 --- a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch +++ b/gnu/packages/patches/expat-CVE-2015-1283-refix.patch @@ -1,39 +1,42 @@ -Follow-up upstream fix for CVE-2015-1283 to not rely on undefined -behavior. +Update previous fix for CVE-2015-1283 to not rely on undefined behavior. -Adapted from a patch from Debian (found in Debian package version -2.1.0-6+deb8u2) to apply to upstream code: +Copied from Debian, as found in Debian package version 2.1.0-6+deb8u2. https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u2/debian/patches/CVE-2015-1283-refix.patch/ +From 29a11774d8ebbafe8418b4a5ffb4cc1160b194a1 Mon Sep 17 00:00:00 2001 +From: Pascal Cuoq <cuoq@trust-in-soft.com> +Date: Sun, 15 May 2016 09:05:46 +0200 +Subject: [PATCH] Avoid relying on undefined behavior in CVE-2015-1283 fix. + --- - lib/xmlparse.c | 6 ++++-- + expat/lib/xmlparse.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 0f6f4cd..5c70c17 100644 +index 13e080d..cdb12ef 100644 --- a/lib/xmlparse.c +++ b/lib/xmlparse.c -@@ -1727,7 +1727,8 @@ XML_GetBuffer(XML_Parser parser, int len) +@@ -1695,7 +1695,8 @@ XML_GetBuffer(XML_Parser parser, int len } if (len > bufferLim - bufferEnd) { - int neededSize = len + (int)(bufferEnd - bufferPtr); + /* Do not invoke signed arithmetic overflow: */ + int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr)); + /* BEGIN MOZILLA CHANGE (sanity check neededSize) */ if (neededSize < 0) { errorCode = XML_ERROR_NO_MEMORY; - return NULL; -@@ -1759,7 +1760,8 @@ XML_GetBuffer(XML_Parser parser, int len) +@@ -1729,7 +1730,8 @@ XML_GetBuffer(XML_Parser parser, int len if (bufferSize == 0) bufferSize = INIT_BUFFER_SIZE; do { - bufferSize *= 2; + /* Do not invoke signed arithmetic overflow: */ + bufferSize = (int) (2U * (unsigned) bufferSize); + /* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ } while (bufferSize < neededSize && bufferSize > 0); - if (bufferSize <= 0) { - errorCode = XML_ERROR_NO_MEMORY; + /* END MOZILLA CHANGE */ -- -2.8.3 +2.8.2 diff --git a/gnu/packages/patches/expat-CVE-2015-1283.patch b/gnu/packages/patches/expat-CVE-2015-1283.patch new file mode 100644 index 0000000000..f9065bea16 --- /dev/null +++ b/gnu/packages/patches/expat-CVE-2015-1283.patch @@ -0,0 +1,89 @@ +Copied from Debian. + +Description: fix multiple integer overflows in the XML_GetBuffer function + Multiple integer overflows in the XML_GetBuffer function in Expat through + 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, + allow remote attackers to cause a denial of service (heap-based buffer + overflow) or possibly have unspecified other impact via crafted XML data, + a related issue to CVE-2015-2716. +Origin: Mozilla, https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c +Author: Eric Rahm <erahm@mozilla.com> +Forwarded: not-needed +Last-Update: 2015-07-24 + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1673,29 +1673,40 @@ XML_ParseBuffer(XML_Parser parser, int l + XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position); + positionPtr = bufferPtr; + return result; + } + + void * XMLCALL + XML_GetBuffer(XML_Parser parser, int len) + { ++/* BEGIN MOZILLA CHANGE (sanity check len) */ ++ if (len < 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + switch (ps_parsing) { + case XML_SUSPENDED: + errorCode = XML_ERROR_SUSPENDED; + return NULL; + case XML_FINISHED: + errorCode = XML_ERROR_FINISHED; + return NULL; + default: ; + } + + if (len > bufferLim - bufferEnd) { +- /* FIXME avoid integer overflow */ + int neededSize = len + (int)(bufferEnd - bufferPtr); ++/* BEGIN MOZILLA CHANGE (sanity check neededSize) */ ++ if (neededSize < 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + #ifdef XML_CONTEXT_BYTES + int keep = (int)(bufferPtr - buffer); + + if (keep > XML_CONTEXT_BYTES) + keep = XML_CONTEXT_BYTES; + neededSize += keep; + #endif /* defined XML_CONTEXT_BYTES */ + if (neededSize <= bufferLim - buffer) { +@@ -1714,17 +1725,25 @@ XML_GetBuffer(XML_Parser parser, int len + } + else { + char *newBuf; + int bufferSize = (int)(bufferLim - bufferPtr); + if (bufferSize == 0) + bufferSize = INIT_BUFFER_SIZE; + do { + bufferSize *= 2; +- } while (bufferSize < neededSize); ++/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */ ++ } while (bufferSize < neededSize && bufferSize > 0); ++/* END MOZILLA CHANGE */ ++/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */ ++ if (bufferSize <= 0) { ++ errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } ++/* END MOZILLA CHANGE */ + newBuf = (char *)MALLOC(bufferSize); + if (newBuf == 0) { + errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } + bufferLim = newBuf + bufferSize; + #ifdef XML_CONTEXT_BYTES + if (bufferPtr) { + + + + diff --git a/gnu/packages/patches/glibc-CVE-2015-7547.patch b/gnu/packages/patches/glibc-CVE-2015-7547.patch new file mode 100644 index 0000000000..9a0909af74 --- /dev/null +++ b/gnu/packages/patches/glibc-CVE-2015-7547.patch @@ -0,0 +1,559 @@ +Copied from Fedora: +http://pkgs.fedoraproject.org/cgit/rpms/glibc.git/tree/glibc-CVE-2015-7547.patch?h=f23&id=9f1734eb6ce3257b788d6e9203572e8204c6c584 + +Adapted to apply cleanly to glibc-2.22. + +Index: b/resolv/nss_dns/dns-host.c +=================================================================== +--- a/resolv/nss_dns/dns-host.c ++++ b/resolv/nss_dns/dns-host.c +@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *an + int h_namelen = 0; + + if (ancount == 0) +- return NSS_STATUS_NOTFOUND; ++ { ++ *h_errnop = HOST_NOT_FOUND; ++ return NSS_STATUS_NOTFOUND; ++ } + + while (ancount-- > 0 && cp < end_of_message && had_error == 0) + { +@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *an + /* Special case here: if the resolver sent a result but it only + contains a CNAME while we are looking for a T_A or T_AAAA record, + we fail with NOTFOUND instead of TRYAGAIN. */ +- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND; ++ if (canon != NULL) ++ { ++ *h_errnop = HOST_NOT_FOUND; ++ return NSS_STATUS_NOTFOUND; ++ } ++ ++ *h_errnop = NETDB_INTERNAL; ++ return NSS_STATUS_TRYAGAIN; + } + + +@@ -1222,11 +1232,101 @@ gaih_getanswer (const querybuf *answer1, + + enum nss_status status = NSS_STATUS_NOTFOUND; + ++ /* Combining the NSS status of two distinct queries requires some ++ compromise and attention to symmetry (A or AAAA queries can be ++ returned in any order). What follows is a breakdown of how this ++ code is expected to work and why. We discuss only SUCCESS, ++ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns ++ that apply (though RETURN and MERGE exist). We make a distinction ++ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable). ++ A recoverable TRYAGAIN is almost always due to buffer size issues ++ and returns ERANGE in errno and the caller is expected to retry ++ with a larger buffer. ++ ++ Lastly, you may be tempted to make significant changes to the ++ conditions in this code to bring about symmetry between responses. ++ Please don't change anything without due consideration for ++ expected application behaviour. Some of the synthesized responses ++ aren't very well thought out and sometimes appear to imply that ++ IPv4 responses are always answer 1, and IPv6 responses are always ++ answer 2, but that's not true (see the implemetnation of send_dg ++ and send_vc to see response can arrive in any order, particlarly ++ for UDP). However, we expect it holds roughly enough of the time ++ that this code works, but certainly needs to be fixed to make this ++ a more robust implementation. ++ ++ ---------------------------------------------- ++ | Answer 1 Status / | Synthesized | Reason | ++ | Answer 2 Status | Status | | ++ |--------------------------------------------| ++ | SUCCESS/SUCCESS | SUCCESS | [1] | ++ | SUCCESS/TRYAGAIN | TRYAGAIN | [5] | ++ | SUCCESS/TRYAGAIN' | SUCCESS | [1] | ++ | SUCCESS/NOTFOUND | SUCCESS | [1] | ++ | SUCCESS/UNAVAIL | SUCCESS | [1] | ++ | TRYAGAIN/SUCCESS | TRYAGAIN | [2] | ++ | TRYAGAIN/TRYAGAIN | TRYAGAIN | [2] | ++ | TRYAGAIN/TRYAGAIN' | TRYAGAIN | [2] | ++ | TRYAGAIN/NOTFOUND | TRYAGAIN | [2] | ++ | TRYAGAIN/UNAVAIL | TRYAGAIN | [2] | ++ | TRYAGAIN'/SUCCESS | SUCCESS | [3] | ++ | TRYAGAIN'/TRYAGAIN | TRYAGAIN | [3] | ++ | TRYAGAIN'/TRYAGAIN' | TRYAGAIN' | [3] | ++ | TRYAGAIN'/NOTFOUND | TRYAGAIN' | [3] | ++ | TRYAGAIN'/UNAVAIL | UNAVAIL | [3] | ++ | NOTFOUND/SUCCESS | SUCCESS | [3] | ++ | NOTFOUND/TRYAGAIN | TRYAGAIN | [3] | ++ | NOTFOUND/TRYAGAIN' | TRYAGAIN' | [3] | ++ | NOTFOUND/NOTFOUND | NOTFOUND | [3] | ++ | NOTFOUND/UNAVAIL | UNAVAIL | [3] | ++ | UNAVAIL/SUCCESS | UNAVAIL | [4] | ++ | UNAVAIL/TRYAGAIN | UNAVAIL | [4] | ++ | UNAVAIL/TRYAGAIN' | UNAVAIL | [4] | ++ | UNAVAIL/NOTFOUND | UNAVAIL | [4] | ++ | UNAVAIL/UNAVAIL | UNAVAIL | [4] | ++ ---------------------------------------------- ++ ++ [1] If the first response is a success we return success. ++ This ignores the state of the second answer and in fact ++ incorrectly sets errno and h_errno to that of the second ++ answer. However because the response is a success we ignore ++ *errnop and *h_errnop (though that means you touched errno on ++ success). We are being conservative here and returning the ++ likely IPv4 response in the first answer as a success. ++ ++ [2] If the first response is a recoverable TRYAGAIN we return ++ that instead of looking at the second response. The ++ expectation here is that we have failed to get an IPv4 response ++ and should retry both queries. ++ ++ [3] If the first response was not a SUCCESS and the second ++ response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN, ++ or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the ++ result from the second response, otherwise the first responses ++ status is used. Again we have some odd side-effects when the ++ second response is NOTFOUND because we overwrite *errnop and ++ *h_errnop that means that a first answer of NOTFOUND might see ++ its *errnop and *h_errnop values altered. Whether it matters ++ in practice that a first response NOTFOUND has the wrong ++ *errnop and *h_errnop is undecided. ++ ++ [4] If the first response is UNAVAIL we return that instead of ++ looking at the second response. The expectation here is that ++ it will have failed similarly e.g. configuration failure. ++ ++ [5] Testing this code is complicated by the fact that truncated ++ second response buffers might be returned as SUCCESS if the ++ first answer is a SUCCESS. To fix this we add symmetry to ++ TRYAGAIN with the second response. If the second response ++ is a recoverable error we now return TRYAGIN even if the first ++ response was SUCCESS. */ ++ + if (anslen1 > 0) + status = gaih_getanswer_slice(answer1, anslen1, qname, + &pat, &buffer, &buflen, + errnop, h_errnop, ttlp, + &first); ++ + if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND + || (status == NSS_STATUS_TRYAGAIN + /* We want to look at the second answer in case of an +@@ -1242,8 +1342,15 @@ gaih_getanswer (const querybuf *answer1, + &pat, &buffer, &buflen, + errnop, h_errnop, ttlp, + &first); ++ /* Use the second response status in some cases. */ + if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND) + status = status2; ++ /* Do not return a truncated second response (unless it was ++ unavoidable e.g. unrecoverable TRYAGAIN). */ ++ if (status == NSS_STATUS_SUCCESS ++ && (status2 == NSS_STATUS_TRYAGAIN ++ && *errnop == ERANGE && *h_errnop != NO_RECOVERY)) ++ status = NSS_STATUS_TRYAGAIN; + } + + return status; +Index: b/resolv/res_query.c +=================================================================== +--- a/resolv/res_query.c ++++ b/resolv/res_query.c +@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp, + { + free (*answerp2); + *answerp2 = NULL; ++ *nanswerp2 = 0; + *answerp2_malloced = 0; + } + } +@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp, + { + free (*answerp2); + *answerp2 = NULL; ++ *nanswerp2 = 0; + *answerp2_malloced = 0; + } + +@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp, + { + free (*answerp2); + *answerp2 = NULL; ++ *nanswerp2 = 0; + *answerp2_malloced = 0; + } + if (saved_herrno != -1) +Index: b/resolv/res_send.c +=================================================================== +--- a/resolv/res_send.c ++++ b/resolv/res_send.c +@@ -1,3 +1,20 @@ ++/* Copyright (C) 2016 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ + /* + * Copyright (c) 1985, 1989, 1993 + * The Regents of the University of California. All rights reserved. +@@ -361,6 +378,8 @@ __libc_res_nsend(res_state statp, const + #ifdef USE_HOOKS + if (__glibc_unlikely (statp->qhook || statp->rhook)) { + if (anssiz < MAXPACKET && ansp) { ++ /* Always allocate MAXPACKET, callers expect ++ this specific size. */ + u_char *buf = malloc (MAXPACKET); + if (buf == NULL) + return (-1); +@@ -660,6 +679,77 @@ libresolv_hidden_def (res_nsend) + + /* Private */ + ++/* The send_vc function is responsible for sending a DNS query over TCP ++ to the nameserver numbered NS from the res_state STATP i.e. ++ EXT(statp).nssocks[ns]. The function supports sending both IPv4 and ++ IPv6 queries at the same serially on the same socket. ++ ++ Please note that for TCP there is no way to disable sending both ++ queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP ++ and sends the queries serially and waits for the result after each ++ sent query. This implemetnation should be corrected to honour these ++ options. ++ ++ Please also note that for TCP we send both queries over the same ++ socket one after another. This technically violates best practice ++ since the server is allowed to read the first query, respond, and ++ then close the socket (to service another client). If the server ++ does this, then the remaining second query in the socket data buffer ++ will cause the server to send the client an RST which will arrive ++ asynchronously and the client's OS will likely tear down the socket ++ receive buffer resulting in a potentially short read and lost ++ response data. This will force the client to retry the query again, ++ and this process may repeat until all servers and connection resets ++ are exhausted and then the query will fail. It's not known if this ++ happens with any frequency in real DNS server implementations. This ++ implementation should be corrected to use two sockets by default for ++ parallel queries. ++ ++ The query stored in BUF of BUFLEN length is sent first followed by ++ the query stored in BUF2 of BUFLEN2 length. Queries are sent ++ serially on the same socket. ++ ++ Answers to the query are stored firstly in *ANSP up to a max of ++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP ++ is non-NULL (to indicate that modifying the answer buffer is allowed) ++ then malloc is used to allocate a new response buffer and ANSCP and ++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes ++ are needed but ANSCP is NULL, then as much of the response as ++ possible is read into the buffer, but the results will be truncated. ++ When truncation happens because of a small answer buffer the DNS ++ packets header feild TC will bet set to 1, indicating a truncated ++ message and the rest of the socket data will be read and discarded. ++ ++ Answers to the query are stored secondly in *ANSP2 up to a max of ++ *ANSSIZP2 bytes, with the actual response length stored in ++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2 ++ is non-NULL (required for a second query) then malloc is used to ++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer ++ size and *ANSP2_MALLOCED is set to 1. ++ ++ The ANSP2_MALLOCED argument will eventually be removed as the ++ change in buffer pointer can be used to detect the buffer has ++ changed and that the caller should use free on the new buffer. ++ ++ Note that the answers may arrive in any order from the server and ++ therefore the first and second answer buffers may not correspond to ++ the first and second queries. ++ ++ It is not supported to call this function with a non-NULL ANSP2 ++ but a NULL ANSCP. Put another way, you can call send_vc with a ++ single unmodifiable buffer or two modifiable buffers, but no other ++ combination is supported. ++ ++ It is the caller's responsibility to free the malloc allocated ++ buffers by detecting that the pointers have changed from their ++ original values i.e. *ANSCP or *ANSP2 has changed. ++ ++ If errors are encountered then *TERRNO is set to an appropriate ++ errno value and a zero result is returned for a recoverable error, ++ and a less-than zero result is returned for a non-recoverable error. ++ ++ If no errors are encountered then *TERRNO is left unmodified and ++ a the length of the first response in bytes is returned. */ + static int + send_vc(res_state statp, + const u_char *buf, int buflen, const u_char *buf2, int buflen2, +@@ -669,11 +759,7 @@ send_vc(res_state statp, + { + const HEADER *hp = (HEADER *) buf; + const HEADER *hp2 = (HEADER *) buf2; +- u_char *ans = *ansp; +- int orig_anssizp = *anssizp; +- // XXX REMOVE +- // int anssiz = *anssizp; +- HEADER *anhp = (HEADER *) ans; ++ HEADER *anhp = (HEADER *) *ansp; + struct sockaddr *nsap = get_nsaddr (statp, ns); + int truncating, connreset, n; + /* On some architectures compiler might emit a warning indicating +@@ -766,6 +852,8 @@ send_vc(res_state statp, + * Receive length & response + */ + int recvresp1 = 0; ++ /* Skip the second response if there is no second query. ++ To do that we mark the second response as received. */ + int recvresp2 = buf2 == NULL; + uint16_t rlen16; + read_len: +@@ -802,40 +890,14 @@ send_vc(res_state statp, + u_char **thisansp; + int *thisresplenp; + if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) { ++ /* We have not received any responses ++ yet or we only have one response to ++ receive. */ + thisanssizp = anssizp; + thisansp = anscp ?: ansp; + assert (anscp != NULL || ansp2 == NULL); + thisresplenp = &resplen; + } else { +- if (*anssizp != MAXPACKET) { +- /* No buffer allocated for the first +- reply. We can try to use the rest +- of the user-provided buffer. */ +-#if __GNUC_PREREQ (4, 7) +- DIAG_PUSH_NEEDS_COMMENT; +- DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized"); +-#endif +-#if _STRING_ARCH_unaligned +- *anssizp2 = orig_anssizp - resplen; +- *ansp2 = *ansp + resplen; +-#else +- int aligned_resplen +- = ((resplen + __alignof__ (HEADER) - 1) +- & ~(__alignof__ (HEADER) - 1)); +- *anssizp2 = orig_anssizp - aligned_resplen; +- *ansp2 = *ansp + aligned_resplen; +-#endif +-#if __GNUC_PREREQ (4, 7) +- DIAG_POP_NEEDS_COMMENT; +-#endif +- } else { +- /* The first reply did not fit into the +- user-provided buffer. Maybe the second +- answer will. */ +- *anssizp2 = orig_anssizp; +- *ansp2 = *ansp; +- } +- + thisanssizp = anssizp2; + thisansp = ansp2; + thisresplenp = resplen2; +@@ -843,10 +905,14 @@ send_vc(res_state statp, + anhp = (HEADER *) *thisansp; + + *thisresplenp = rlen; +- if (rlen > *thisanssizp) { +- /* Yes, we test ANSCP here. If we have two buffers +- both will be allocatable. */ +- if (__glibc_likely (anscp != NULL)) { ++ /* Is the answer buffer too small? */ ++ if (*thisanssizp < rlen) { ++ /* If the current buffer is non-NULL and it's not ++ pointing at the static user-supplied buffer then ++ we can reallocate it. */ ++ if (thisansp != NULL && thisansp != ansp) { ++ /* Always allocate MAXPACKET, callers expect ++ this specific size. */ + u_char *newp = malloc (MAXPACKET); + if (newp == NULL) { + *terrno = ENOMEM; +@@ -858,6 +924,9 @@ send_vc(res_state statp, + if (thisansp == ansp2) + *ansp2_malloced = 1; + anhp = (HEADER *) newp; ++ /* A uint16_t can't be larger than MAXPACKET ++ thus it's safe to allocate MAXPACKET but ++ read RLEN bytes instead. */ + len = rlen; + } else { + Dprint(statp->options & RES_DEBUG, +@@ -1021,6 +1090,66 @@ reopen (res_state statp, int *terrno, in + return 1; + } + ++/* The send_dg function is responsible for sending a DNS query over UDP ++ to the nameserver numbered NS from the res_state STATP i.e. ++ EXT(statp).nssocks[ns]. The function supports IPv4 and IPv6 queries ++ along with the ability to send the query in parallel for both stacks ++ (default) or serially (RES_SINGLKUP). It also supports serial lookup ++ with a close and reopen of the socket used to talk to the server ++ (RES_SNGLKUPREOP) to work around broken name servers. ++ ++ The query stored in BUF of BUFLEN length is sent first followed by ++ the query stored in BUF2 of BUFLEN2 length. Queries are sent ++ in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP). ++ ++ Answers to the query are stored firstly in *ANSP up to a max of ++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP ++ is non-NULL (to indicate that modifying the answer buffer is allowed) ++ then malloc is used to allocate a new response buffer and ANSCP and ++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes ++ are needed but ANSCP is NULL, then as much of the response as ++ possible is read into the buffer, but the results will be truncated. ++ When truncation happens because of a small answer buffer the DNS ++ packets header feild TC will bet set to 1, indicating a truncated ++ message, while the rest of the UDP packet is discarded. ++ ++ Answers to the query are stored secondly in *ANSP2 up to a max of ++ *ANSSIZP2 bytes, with the actual response length stored in ++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2 ++ is non-NULL (required for a second query) then malloc is used to ++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer ++ size and *ANSP2_MALLOCED is set to 1. ++ ++ The ANSP2_MALLOCED argument will eventually be removed as the ++ change in buffer pointer can be used to detect the buffer has ++ changed and that the caller should use free on the new buffer. ++ ++ Note that the answers may arrive in any order from the server and ++ therefore the first and second answer buffers may not correspond to ++ the first and second queries. ++ ++ It is not supported to call this function with a non-NULL ANSP2 ++ but a NULL ANSCP. Put another way, you can call send_vc with a ++ single unmodifiable buffer or two modifiable buffers, but no other ++ combination is supported. ++ ++ It is the caller's responsibility to free the malloc allocated ++ buffers by detecting that the pointers have changed from their ++ original values i.e. *ANSCP or *ANSP2 has changed. ++ ++ If an answer is truncated because of UDP datagram DNS limits then ++ *V_CIRCUIT is set to 1 and the return value non-zero to indicate to ++ the caller to retry with TCP. The value *GOTSOMEWHERE is set to 1 ++ if any progress was made reading a response from the nameserver and ++ is used by the caller to distinguish between ECONNREFUSED and ++ ETIMEDOUT (the latter if *GOTSOMEWHERE is 1). ++ ++ If errors are encountered then *TERRNO is set to an appropriate ++ errno value and a zero result is returned for a recoverable error, ++ and a less-than zero result is returned for a non-recoverable error. ++ ++ If no errors are encountered then *TERRNO is left unmodified and ++ a the length of the first response in bytes is returned. */ + static int + send_dg(res_state statp, + const u_char *buf, int buflen, const u_char *buf2, int buflen2, +@@ -1030,8 +1159,6 @@ send_dg(res_state statp, + { + const HEADER *hp = (HEADER *) buf; + const HEADER *hp2 = (HEADER *) buf2; +- u_char *ans = *ansp; +- int orig_anssizp = *anssizp; + struct timespec now, timeout, finish; + struct pollfd pfd[1]; + int ptimeout; +@@ -1064,6 +1191,8 @@ send_dg(res_state statp, + int need_recompute = 0; + int nwritten = 0; + int recvresp1 = 0; ++ /* Skip the second response if there is no second query. ++ To do that we mark the second response as received. */ + int recvresp2 = buf2 == NULL; + pfd[0].fd = EXT(statp).nssocks[ns]; + pfd[0].events = POLLOUT; +@@ -1227,55 +1356,56 @@ send_dg(res_state statp, + int *thisresplenp; + + if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) { ++ /* We have not received any responses ++ yet or we only have one response to ++ receive. */ + thisanssizp = anssizp; + thisansp = anscp ?: ansp; + assert (anscp != NULL || ansp2 == NULL); + thisresplenp = &resplen; + } else { +- if (*anssizp != MAXPACKET) { +- /* No buffer allocated for the first +- reply. We can try to use the rest +- of the user-provided buffer. */ +-#if _STRING_ARCH_unaligned +- *anssizp2 = orig_anssizp - resplen; +- *ansp2 = *ansp + resplen; +-#else +- int aligned_resplen +- = ((resplen + __alignof__ (HEADER) - 1) +- & ~(__alignof__ (HEADER) - 1)); +- *anssizp2 = orig_anssizp - aligned_resplen; +- *ansp2 = *ansp + aligned_resplen; +-#endif +- } else { +- /* The first reply did not fit into the +- user-provided buffer. Maybe the second +- answer will. */ +- *anssizp2 = orig_anssizp; +- *ansp2 = *ansp; +- } +- + thisanssizp = anssizp2; + thisansp = ansp2; + thisresplenp = resplen2; + } + + if (*thisanssizp < MAXPACKET +- /* Yes, we test ANSCP here. If we have two buffers +- both will be allocatable. */ +- && anscp ++ /* If the current buffer is non-NULL and it's not ++ pointing at the static user-supplied buffer then ++ we can reallocate it. */ ++ && (thisansp != NULL && thisansp != ansp) + #ifdef FIONREAD ++ /* Is the size too small? */ + && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0 + || *thisanssizp < *thisresplenp) + #endif + ) { ++ /* Always allocate MAXPACKET, callers expect ++ this specific size. */ + u_char *newp = malloc (MAXPACKET); + if (newp != NULL) { +- *anssizp = MAXPACKET; +- *thisansp = ans = newp; ++ *thisanssizp = MAXPACKET; ++ *thisansp = newp; + if (thisansp == ansp2) + *ansp2_malloced = 1; + } + } ++ /* We could end up with truncation if anscp was NULL ++ (not allowed to change caller's buffer) and the ++ response buffer size is too small. This isn't a ++ reliable way to detect truncation because the ioctl ++ may be an inaccurate report of the UDP message size. ++ Therefore we use this only to issue debug output. ++ To do truncation accurately with UDP we need ++ MSG_TRUNC which is only available on Linux. We ++ can abstract out the Linux-specific feature in the ++ future to detect truncation. */ ++ if (__glibc_unlikely (*thisanssizp < *thisresplenp)) { ++ Dprint(statp->options & RES_DEBUG, ++ (stdout, ";; response may be truncated (UDP)\n") ++ ); ++ } ++ + HEADER *anhp = (HEADER *) *thisansp; + socklen_t fromlen = sizeof(struct sockaddr_in6); + assert (sizeof(from) <= fromlen); diff --git a/gnu/packages/patches/glibc-hurd-extern-inline.patch b/gnu/packages/patches/glibc-hurd-extern-inline.patch new file mode 100644 index 0000000000..a609b1f54a --- /dev/null +++ b/gnu/packages/patches/glibc-hurd-extern-inline.patch @@ -0,0 +1,35 @@ +This changes the way _EXTERN_INLINE is defined so we can +avoid external definition errors. +https://lists.gnu.org/archive/html/bug-hurd/2014-04/msg00002.html + +diff --git a/signal/sigsetops.c b/signal/sigsetops.c +index 0317662..b92c296 100644 +--- a/signal/sigsetops.c ++++ b/signal/sigsetops.c +@@ -3,7 +3,9 @@ + + #include <features.h> + +-#define _EXTERN_INLINE ++#ifndef _EXTERN_INLINE ++#define _EXTERN_INLINE __extern_inline ++#endif + #ifndef __USE_EXTERN_INLINES + # define __USE_EXTERN_INLINES 1 + #endif + +Link libmachuser and libhurduser automatically with libc, since they are +considered a standard part of the API in GNU-land. + +--- a/Makerules ++++ b/Makerules +@@ -978,6 +978,9 @@ + '$(libdir)/$(patsubst %,$(libtype.oS),$(libprefix)$(libc-name))'\ + ' AS_NEEDED (' $(rtlddir)/$(rtld-installed-name) ') )' \ + ) > $@.new ++ifeq ($(patsubst gnu%,,$(config-os)),) ++ echo 'INPUT ( AS_NEEDED ( -lmachuser -lhurduser ) )' >> $@.new ++endif + mv -f $@.new $@ + + endif
\ No newline at end of file diff --git a/gnu/packages/patches/glibc-locale-incompatibility.patch b/gnu/packages/patches/glibc-locale-incompatibility.patch new file mode 100644 index 0000000000..baf30a79a7 --- /dev/null +++ b/gnu/packages/patches/glibc-locale-incompatibility.patch @@ -0,0 +1,23 @@ +This patch avoids an assertion failure when incompatible locale data +is encountered: + + https://sourceware.org/ml/libc-alpha/2015-09/msg00575.html + +--- glibc-2.22/locale/loadlocale.c 2015-09-22 17:16:02.321981548 +0200 ++++ glibc-2.22/locale/loadlocale.c 2015-09-22 17:17:34.814659064 +0200 +@@ -120,10 +120,11 @@ + _nl_value_type_LC_XYZ array. There are all pointers. */ + switch (category) + { +-#define CATTEST(cat) \ +- case LC_##cat: \ +- assert (cnt < (sizeof (_nl_value_type_LC_##cat) \ +- / sizeof (_nl_value_type_LC_##cat[0]))); \ ++#define CATTEST(cat) \ ++ case LC_##cat: \ ++ if (cnt >= (sizeof (_nl_value_type_LC_##cat) \ ++ / sizeof (_nl_value_type_LC_##cat[0]))) \ ++ goto puntdata; \ + break + CATTEST (NUMERIC); + CATTEST (TIME); diff --git a/gnu/packages/patches/glibc-locales.patch b/gnu/packages/patches/glibc-locales.patch index 3a125e845e..1bcf12bf6f 100644 --- a/gnu/packages/patches/glibc-locales.patch +++ b/gnu/packages/patches/glibc-locales.patch @@ -5,8 +5,8 @@ in a package separate from glibc. 2. Use '--no-archive' to avoid building the big locale archive, and because the already-built 'localedef' would want to write it to '/run/current-system/locale', which is not possible. - 3. Pass $(inst_complocaledir)/$$locale to install files in the right - place, and because otherwise, 'localedef' fails with: + 3. Pass $(localedir)/$$locale to install files in the right place, and + because otherwise, 'localedef' fails with: "cannot write output files to `(null)'". --- glibc-2.22/localedata/Makefile 1970-01-01 01:00:00.000000000 +0100 @@ -25,7 +25,7 @@ in a package separate from glibc. $(LOCALEDEF) --alias-file=../intl/locale.alias \ -i locales/$$input -c -f charmaps/$$charset \ - $(addprefix --prefix=,$(install_root)) $$locale \ -+ $(addprefix --prefix=,$(install_root)) $(inst_complocaledir)/$$locale \ ++ $(addprefix --prefix=,$(install_root)) $(localedir)/$$locale \ && echo ' done'; \ tst-setlocale-ENV = LC_ALL=ja_JP.EUC-JP diff --git a/gnu/packages/patches/libarchive-CVE-2013-0211.patch b/gnu/packages/patches/libarchive-CVE-2013-0211.patch new file mode 100644 index 0000000000..b024a7d4a8 --- /dev/null +++ b/gnu/packages/patches/libarchive-CVE-2013-0211.patch @@ -0,0 +1,21 @@ +Description: Fix CVE-2013-0211: read buffer overflow on 64-bit systems +Origin: upstream +Bug-Debian: http://bugs.debian.org/703957 +Forwarded: not-needed + +--- libarchive-3.0.4.orig/libarchive/archive_write.c ++++ libarchive-3.0.4/libarchive/archive_write.c +@@ -665,8 +665,13 @@ static ssize_t + _archive_write_data(struct archive *_a, const void *buff, size_t s) + { + struct archive_write *a = (struct archive_write *)_a; ++ const size_t max_write = INT_MAX; ++ + archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC, + ARCHIVE_STATE_DATA, "archive_write_data"); ++ /* In particular, this catches attempts to pass negative values. */ ++ if (s > max_write) ++ s = max_write; + archive_clear_error(&a->archive); + return ((a->format_write_data)(a, buff, s)); + } diff --git a/gnu/packages/patches/libarchive-CVE-2016-1541.patch b/gnu/packages/patches/libarchive-CVE-2016-1541.patch new file mode 100644 index 0000000000..6ac8773244 --- /dev/null +++ b/gnu/packages/patches/libarchive-CVE-2016-1541.patch @@ -0,0 +1,67 @@ +Fix CVE-2016-1541 (buffer overflow zip_read_mac_metadata) + +Taken from upstream source repository: +https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7 + +When reading OS X metadata entries in Zip archives that were stored +without compression, libarchive would use the uncompressed entry size +to allocate a buffer but would use the compressed entry size to limit +the amount of data copied into that buffer. Since the compressed +and uncompressed sizes are provided by data in the archive itself, +an attacker could manipulate these values to write data beyond +the end of the allocated buffer. + +This fix provides three new checks to guard against such +manipulation and to make libarchive generally more robust when +handling this type of entry: + 1. If an OS X metadata entry is stored without compression, + abort the entire archive if the compressed and uncompressed + data sizes do not match. + 2. When sanity-checking the size of an OS X metadata entry, + abort this entry if either the compressed or uncompressed + size is larger than 4MB. + 3. When copying data into the allocated buffer, check the copy + size against both the compressed entry size and uncompressed + entry size. +--- + libarchive/archive_read_support_format_zip.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c +index 0f8262c..0a0be96 100644 +--- a/libarchive/archive_read_support_format_zip.c ++++ b/libarchive/archive_read_support_format_zip.c +@@ -2778,6 +2778,11 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry, + + switch(rsrc->compression) { + case 0: /* No compression. */ ++ if (rsrc->uncompressed_size != rsrc->compressed_size) { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Malformed OS X metadata entry: inconsistent size"); ++ return (ARCHIVE_FATAL); ++ } + #ifdef HAVE_ZLIB_H + case 8: /* Deflate compression. */ + #endif +@@ -2798,6 +2803,12 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry, + (intmax_t)rsrc->uncompressed_size); + return (ARCHIVE_WARN); + } ++ if (rsrc->compressed_size > (4 * 1024 * 1024)) { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Mac metadata is too large: %jd > 4M bytes", ++ (intmax_t)rsrc->compressed_size); ++ return (ARCHIVE_WARN); ++ } + + metadata = malloc((size_t)rsrc->uncompressed_size); + if (metadata == NULL) { +@@ -2836,6 +2847,8 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry, + bytes_avail = remaining_bytes; + switch(rsrc->compression) { + case 0: /* No compression. */ ++ if ((size_t)bytes_avail > metadata_bytes) ++ bytes_avail = metadata_bytes; + memcpy(mp, p, bytes_avail); + bytes_used = (size_t)bytes_avail; + metadata_bytes -= bytes_used; diff --git a/gnu/packages/patches/libarchive-bsdtar-test.patch b/gnu/packages/patches/libarchive-bsdtar-test.patch new file mode 100644 index 0000000000..6a533a9a07 --- /dev/null +++ b/gnu/packages/patches/libarchive-bsdtar-test.patch @@ -0,0 +1,74 @@ +commit b539b2e597b566fe3c4b49cb61c9eef83e5e052d +Author: Pavel Raiskup <praiskup@redhat.com> +Date: Thu Jun 27 16:01:30 2013 +0200 + + Use ustar format in the test_option_b test + + .. because the ustar archive does not store SELinux context. As the default + format for bsdtar is "restricted pax" (trying to store xattrs and other + things by default), the test failed on Fedora because our files have by + default SELinux context set. This results in additional data in tested + archive ~> and the test failed because the archive was unexpectedly big: + + tar/test/test_option_b.c:41: File archive1.tar has size 3072, expected 2048 + + Reviewed by Konrad Kleine <konrad.wilhelm.kleine@gmail.com> + +diff --git a/tar/test/test_option_b.c b/tar/test/test_option_b.c +index be2ae65..6fea474 100644 +--- a/tar/test/test_option_b.c ++++ b/tar/test/test_option_b.c +@@ -25,8 +25,14 @@ + #include "test.h" + __FBSDID("$FreeBSD$"); + ++#define USTAR_OPT " --format=ustar" ++ + DEFINE_TEST(test_option_b) + { ++ char *testprog_ustar = malloc(strlen(testprog) + sizeof(USTAR_OPT) + 1); ++ strcpy(testprog_ustar, testprog); ++ strcat(testprog_ustar, USTAR_OPT); ++ + assertMakeFile("file1", 0644, "file1"); + if (systemf("cat file1 > test_cat.out 2> test_cat.err") != 0) { + skipping("Platform doesn't have cat"); +@@ -36,7 +42,7 @@ DEFINE_TEST(test_option_b) + /* + * Bsdtar does not pad if the output is going directly to a disk file. + */ +- assertEqualInt(0, systemf("%s -cf archive1.tar file1 >test1.out 2>test1.err", testprog)); ++ assertEqualInt(0, systemf("%s -cf archive1.tar file1 >test1.out 2>test1.err", testprog_ustar)); + failure("bsdtar does not pad archives written directly to regular files"); + assertFileSize("archive1.tar", 2048); + assertEmptyFile("test1.out"); +@@ -46,24 +52,24 @@ DEFINE_TEST(test_option_b) + * Bsdtar does pad to the block size if the output is going to a socket. + */ + /* Default is -b 20 */ +- assertEqualInt(0, systemf("%s -cf - file1 2>test2.err | cat >archive2.tar ", testprog)); ++ assertEqualInt(0, systemf("%s -cf - file1 2>test2.err | cat >archive2.tar ", testprog_ustar)); + failure("bsdtar does pad archives written to pipes"); + assertFileSize("archive2.tar", 10240); + assertEmptyFile("test2.err"); + +- assertEqualInt(0, systemf("%s -cf - -b 20 file1 2>test3.err | cat >archive3.tar ", testprog)); ++ assertEqualInt(0, systemf("%s -cf - -b 20 file1 2>test3.err | cat >archive3.tar ", testprog_ustar)); + assertFileSize("archive3.tar", 10240); + assertEmptyFile("test3.err"); + +- assertEqualInt(0, systemf("%s -cf - -b 10 file1 2>test4.err | cat >archive4.tar ", testprog)); ++ assertEqualInt(0, systemf("%s -cf - -b 10 file1 2>test4.err | cat >archive4.tar ", testprog_ustar)); + assertFileSize("archive4.tar", 5120); + assertEmptyFile("test4.err"); + +- assertEqualInt(0, systemf("%s -cf - -b 1 file1 2>test5.err | cat >archive5.tar ", testprog)); ++ assertEqualInt(0, systemf("%s -cf - -b 1 file1 2>test5.err | cat >archive5.tar ", testprog_ustar)); + assertFileSize("archive5.tar", 2048); + assertEmptyFile("test5.err"); + +- assertEqualInt(0, systemf("%s -cf - -b 8192 file1 2>test6.err | cat >archive6.tar ", testprog)); ++ assertEqualInt(0, systemf("%s -cf - -b 8192 file1 2>test6.err | cat >archive6.tar ", testprog_ustar)); + assertFileSize("archive6.tar", 4194304); + assertEmptyFile("test6.err"); + diff --git a/gnu/packages/patches/libarchive-fix-lzo-test-case.patch b/gnu/packages/patches/libarchive-fix-lzo-test-case.patch new file mode 100644 index 0000000000..ffdc0db922 --- /dev/null +++ b/gnu/packages/patches/libarchive-fix-lzo-test-case.patch @@ -0,0 +1,83 @@ +Description: This patch fixes test cases for LZO write support in various + architectures, such as armhf. Writing a certain amount of files would + cause the LZO compressor level 9 to produce a bigger archive than the + default compressor level. +Author: Andres Mejia <amejia@debian.org> + +--- a/libarchive/test/test_write_filter_lzop.c ++++ b/libarchive/test/test_write_filter_lzop.c +@@ -39,7 +39,7 @@ + size_t buffsize, datasize; + char path[16]; + size_t used1, used2; +- int i, r, use_prog = 0; ++ int i, r, use_prog = 0, filecount; + + assert((a = archive_write_new()) != NULL); + r = archive_write_add_filter_lzop(a); +@@ -58,9 +58,10 @@ + + datasize = 10000; + assert(NULL != (data = (char *)calloc(1, datasize))); ++ filecount = 10; + + /* +- * Write a 100 files and read them all back. ++ * Write a filecount files and read them all back. + */ + assert((a = archive_write_new()) != NULL); + assertEqualIntA(a, ARCHIVE_OK, archive_write_set_format_ustar(a)); +@@ -77,7 +78,7 @@ + assert((ae = archive_entry_new()) != NULL); + archive_entry_set_filetype(ae, AE_IFREG); + archive_entry_set_size(ae, datasize); +- for (i = 0; i < 100; i++) { ++ for (i = 0; i < filecount; i++) { + sprintf(path, "file%03d", i); + archive_entry_copy_pathname(ae, path); + assertEqualIntA(a, ARCHIVE_OK, archive_write_header(a, ae)); +@@ -97,7 +98,7 @@ + } else { + assertEqualIntA(a, ARCHIVE_OK, + archive_read_open_memory(a, buff, used1)); +- for (i = 0; i < 100; i++) { ++ for (i = 0; i < filecount; i++) { + sprintf(path, "file%03d", i); + if (!assertEqualInt(ARCHIVE_OK, + archive_read_next_header(a, &ae))) +@@ -133,7 +134,7 @@ + archive_write_set_options(a, "lzop:compression-level=9")); + assertEqualIntA(a, ARCHIVE_OK, + archive_write_open_memory(a, buff, buffsize, &used2)); +- for (i = 0; i < 100; i++) { ++ for (i = 0; i < filecount; i++) { + sprintf(path, "file%03d", i); + assert((ae = archive_entry_new()) != NULL); + archive_entry_copy_pathname(ae, path); +@@ -161,7 +162,7 @@ + archive_read_support_filter_all(a)); + assertEqualIntA(a, ARCHIVE_OK, + archive_read_open_memory(a, buff, used2)); +- for (i = 0; i < 100; i++) { ++ for (i = 0; i < filecount; i++) { + sprintf(path, "file%03d", i); + if (!assertEqualInt(ARCHIVE_OK, + archive_read_next_header(a, &ae))) +@@ -186,7 +187,7 @@ + archive_write_set_filter_option(a, NULL, "compression-level", "1")); + assertEqualIntA(a, ARCHIVE_OK, + archive_write_open_memory(a, buff, buffsize, &used2)); +- for (i = 0; i < 100; i++) { ++ for (i = 0; i < filecount; i++) { + sprintf(path, "file%03d", i); + assert((ae = archive_entry_new()) != NULL); + archive_entry_copy_pathname(ae, path); +@@ -216,7 +217,7 @@ + } else { + assertEqualIntA(a, ARCHIVE_OK, + archive_read_open_memory(a, buff, used2)); +- for (i = 0; i < 100; i++) { ++ for (i = 0; i < filecount; i++) { + sprintf(path, "file%03d", i); + if (!assertEqualInt(ARCHIVE_OK, + archive_read_next_header(a, &ae))) diff --git a/gnu/packages/patches/libarchive-mtree-filename-length-fix.patch b/gnu/packages/patches/libarchive-mtree-filename-length-fix.patch new file mode 100644 index 0000000000..ad94592c05 --- /dev/null +++ b/gnu/packages/patches/libarchive-mtree-filename-length-fix.patch @@ -0,0 +1,18 @@ +Description: Patch to fix filename length calculation when writing mtree archives. +Author: Dave Reisner <dreisner@archlinux.org> +Origin: upstream + +--- a/libarchive/archive_write_set_format_mtree.c ++++ b/libarchive/archive_write_set_format_mtree.c +@@ -1855,9 +1855,9 @@ + return (ret); + } + +- /* Make a basename from dirname and slash */ ++ /* Make a basename from file->parentdir.s and slash */ + *slash = '\0'; +- file->parentdir.length = slash - dirname; ++ file->parentdir.length = slash - file->parentdir.s; + archive_strcpy(&(file->basename), slash + 1); + return (ret); + } diff --git a/gnu/packages/patches/libpthread-glibc-preparation.patch b/gnu/packages/patches/libpthread-glibc-preparation.patch new file mode 100644 index 0000000000..a43245436c --- /dev/null +++ b/gnu/packages/patches/libpthread-glibc-preparation.patch @@ -0,0 +1,146 @@ +This patch helps to integrate the Hurd's libpthread as a libc add-on. + +It writes the configure file, removes an rpc call not yet +implemented on the version of gnumach we use and defines +a missing macro. + +diff --git a/libpthread/configure b/libpthread/configure +new file mode 100644 +index 0000000..2cdbc71 +--- /dev/null ++++ b/libpthread/configure +@@ -0,0 +1,2 @@ ++libc_add_on_canonical=libpthread ++libc_add_on_subdirs=. +-- +1.9.0 + +We are using a version of GNU Mach that lacks 'thread_terminate_release' +(not introduced yet). The 'thread_terminate' RPC call will be enough for +our needs. +See <http://lists.gnu.org/archive/html/bug-hurd/2014-05/msg00127.html>. + +diff --git a/libpthread/sysdeps/mach/pt-thread-terminate.c b/libpthread/sysdeps/mach/pt-thread-terminate.c +index 6672065..129a611 100644 +--- a/libpthread/sysdeps/mach/pt-thread-terminate.c ++++ b/libpthread/sysdeps/mach/pt-thread-terminate.c +@@ -70,9 +70,9 @@ __pthread_thread_terminate (struct __pthread *thread) + __mach_port_destroy (__mach_task_self (), wakeup_port); + + /* Terminate and release all that's left. */ +- err = __thread_terminate_release (kernel_thread, mach_task_self (), +- kernel_thread, reply_port, +- stackaddr, stacksize); ++ /* err = __thread_terminate_release (kernel_thread, mach_task_self (), */ ++ /* kernel_thread, reply_port, */ ++ /* stackaddr, stacksize); */ + + /* The kernel does not support it yet. Leak but at least terminate + correctly. */ +-- +1.9.2 + +The __PTHREAD_SPIN_LOCK_INITIALIZER definition is missing, so we +define it to __SPIN_LOCK_INITIALIZER which already exists. +See <http://lists.gnu.org/archive/html/commit-hurd/2009-04/msg00006.html>. + +diff --git a/libpthread/sysdeps/mach/bits/spin-lock.h b/libpthread/sysdeps/mach/bits/spin-lock.h +index 537dac9..fca0e5a 100644 +--- a/libpthread/sysdeps/mach/bits/spin-lock.h ++++ b/libpthread/sysdeps/mach/bits/spin-lock.h +@@ -30,7 +30,7 @@ typedef __spin_lock_t __pthread_spinlock_t; + + /* Initializer for a spin lock object. */ + #ifndef __PTHREAD_SPIN_LOCK_INITIALIZER +-#error __PTHREAD_SPIN_LOCK_INITIALIZER undefined: should be defined by <lock-intern.h>. ++#define __PTHREAD_SPIN_LOCK_INITIALIZER __SPIN_LOCK_INITIALIZER + #endif + + __END_DECLS + +The version of the glibc we use doesn't include the shm-directory.c file and does +not yet support IS_IN. +See <https://lists.gnu.org/archive/html/bug-hurd/2015-03/msg00078.html> + +diff --git a/libpthread/Makefile b/libpthread/Makefile +index 2906788..b8dee58 100644 +--- a/libpthread/Makefile ++++ b/libpthread/Makefile +@@ -149,8 +149,6 @@ libpthread-routines := pt-attr pt-attr-destroy pt-attr-getdetachstate \ + sem-post sem-timedwait sem-trywait sem-unlink \ + sem-wait \ + \ +- shm-directory \ +- \ + cthreads-compat \ + $(SYSDEPS) + +-- +2.3.6 + +diff --git a/libpthread/pthread/pt-create.c b/libpthread/pthread/pt-create.c +index d88afae..84044dc 100644 +--- a/libpthread/pthread/pt-create.c ++++ b/libpthread/pthread/pt-create.c +@@ -28,7 +28,7 @@ + + #include <pt-internal.h> + +-#if IS_IN (libpthread) ++#ifdef IS_IN_libpthread + # include <ctype.h> + #endif + #ifdef HAVE_USELOCALE +@@ -50,7 +50,7 @@ entry_point (struct __pthread *self, void *(*start_routine)(void *), void *arg) + __resp = &self->res_state; + #endif + +-#if IS_IN (libpthread) ++#ifdef IS_IN_libpthread + /* Initialize pointers to locale data. */ + __ctype_init (); + #endif +diff --git a/libpthread/pthread/pt-initialize.c b/libpthread/pthread/pt-initialize.c +index 9e5404b..b9cacbd 100644 +--- a/libpthread/pthread/pt-initialize.c ++++ b/libpthread/pthread/pt-initialize.c +@@ -28,7 +28,7 @@ + + DEFINE_HOOK (__pthread_init, (void)); + +-#if IS_IN (libpthread) ++#ifdef IS_IN_libpthread + static const struct pthread_functions pthread_functions = + { + .ptr_pthread_attr_destroy = __pthread_attr_destroy, +@@ -81,7 +81,7 @@ static const struct pthread_functions pthread_functions = + void + ___pthread_init (void) + { +-#if IS_IN (libpthread) ++#ifdef IS_IN_libpthread + __libc_pthread_init(&pthread_functions); + #endif + RUN_HOOK (__pthread_init, ()); +diff --git a/libpthread/pthread/pt-internal.h b/libpthread/pthread/pt-internal.h +index 18b5b4c..8cdcfce 100644 +--- a/libpthread/pthread/pt-internal.h ++++ b/libpthread/pthread/pt-internal.h +@@ -35,7 +35,7 @@ + #include <pt-sysdep.h> + #include <pt-machdep.h> + +-#if IS_IN (libpthread) ++#ifdef IS_IN_libpthread + # include <ldsodefs.h> + #endif + +@@ -60,7 +60,7 @@ enum pthread_state + # define PTHREAD_SYSDEP_MEMBERS + #endif + +-#if !(IS_IN (libpthread)) ++#ifndef IS_IN_libpthread + #ifdef ENABLE_TLS + /* Type of the TCB. */ + typedef struct diff --git a/gnu/packages/patches/libxslt-CVE-2015-7995.patch b/gnu/packages/patches/libxslt-CVE-2015-7995.patch new file mode 100644 index 0000000000..f291d5b387 --- /dev/null +++ b/gnu/packages/patches/libxslt-CVE-2015-7995.patch @@ -0,0 +1,29 @@ +From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Thu, 29 Oct 2015 19:33:23 +0800 +Subject: [PATCH] Fix for type confusion in preprocessing attributes + +CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10 +We need to check that the parent node is an element before dereferencing +its namespace +--- + libxslt/preproc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libxslt/preproc.c b/libxslt/preproc.c +index 0eb80a0..7f69325 100644 +--- a/libxslt/preproc.c ++++ b/libxslt/preproc.c +@@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) { + } else if (IS_XSLT_NAME(inst, "attribute")) { + xmlNodePtr parent = inst->parent; + +- if ((parent == NULL) || (parent->ns == NULL) || ++ if ((parent == NULL) || ++ (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) || + ((parent->ns != inst->ns) && + (!xmlStrEqual(parent->ns->href, inst->ns->href))) || + (!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) { +-- +2.6.3 + diff --git a/gnu/packages/patches/libxslt-generated-ids.patch b/gnu/packages/patches/libxslt-generated-ids.patch deleted file mode 100644 index 4273875c7c..0000000000 --- a/gnu/packages/patches/libxslt-generated-ids.patch +++ /dev/null @@ -1,173 +0,0 @@ -This makes generated IDs deterministic. - -Written by Daniel Veillard. - -This should be fixed in next release (2.29). -See https://bugzilla.gnome.org/show_bug.cgi?id=751621. - -diff --git a/libxslt/functions.c b/libxslt/functions.c -index 6448bde..5b00a6d 100644 ---- a/libxslt/functions.c -+++ b/libxslt/functions.c -@@ -651,6 +651,63 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs) - } - - /** -+ * xsltCleanupIds: -+ * @ctxt: the transformation context -+ * @root: the root of the resulting document -+ * -+ * This clean up ids which may have been saved in Element contents -+ * by xsltGenerateIdFunction() to provide stable IDs on elements. -+ * -+ * Returns the number of items cleaned or -1 in case of error -+ */ -+int -+xsltCleanupIds(xsltTransformContextPtr ctxt, xmlNodePtr root) { -+ xmlNodePtr cur; -+ int count = 0; -+ -+ if ((ctxt == NULL) || (root == NULL)) -+ return(-1); -+ if (root->type != XML_ELEMENT_NODE) -+ return(-1); -+ -+ cur = root; -+ while (cur != NULL) { -+ if (cur->type == XML_ELEMENT_NODE) { -+ if (cur->content != NULL) { -+ cur->content = NULL; -+ count++; -+ } -+ if (cur->children != NULL) { -+ cur = cur->children; -+ continue; -+ } -+ } -+ if (cur->next != NULL) { -+ cur = cur->next; -+ continue; -+ } -+ do { -+ cur = cur->parent; -+ if (cur == NULL) -+ break; -+ if (cur == (xmlNodePtr) root) { -+ cur = NULL; -+ break; -+ } -+ if (cur->next != NULL) { -+ cur = cur->next; -+ break; -+ } -+ } while (cur != NULL); -+ } -+ -+fprintf(stderr, "Attributed %d IDs for element, cleaned up %d\n", -+ ctxt->nextid, count); -+ -+ return(count); -+} -+ -+/** - * xsltGenerateIdFunction: - * @ctxt: the XPath Parser context - * @nargs: the number of arguments -@@ -701,7 +758,39 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){ - if (obj) - xmlXPathFreeObject(obj); - -- val = (long)((char *)cur - (char *)&base_address); -+ /* -+ * Try to provide stable ID for generated document: -+ * - usually ID are computed to be placed on elements via attributes -+ * so using the element as the node for the ID -+ * - the cur->content should be a correct placeholder for this, we use -+ * it to hold element node numbers in xmlXPathOrderDocElems to -+ * speed up XPath too -+ * - xsltCleanupIds() clean them up before handing the XSLT output -+ * to the API client. -+ * - other nodes types use the node address method but that should -+ * not end up in resulting document ID -+ * - we can enable this by default without risk of performance issues -+ * only the one pass xsltCleanupIds() is added -+ */ -+ if (cur->type == XML_ELEMENT_NODE) { -+ if (cur->content == NULL) { -+ xsltTransformContextPtr tctxt; -+ -+ tctxt = xsltXPathGetTransformContext(ctxt); -+ if (tctxt == NULL) { -+ val = (long)((char *)cur - (char *)&base_address); -+ } else { -+ tctxt->nextid++; -+ val = tctxt->nextid; -+ cur->content = (void *) (val); -+ } -+ } else { -+ val = (long) cur->content; -+ } -+ } else { -+ val = (long)((char *)cur - (char *)&base_address); -+ } -+ - if (val >= 0) { - sprintf((char *)str, "idp%ld", val); - } else { -diff --git a/libxslt/functions.h b/libxslt/functions.h -index e0e0bf9..4a1e163 100644 ---- a/libxslt/functions.h -+++ b/libxslt/functions.h -@@ -64,6 +64,13 @@ XSLTPUBFUN void XSLTCALL - int nargs); - - /* -+ * Cleanup for ID generation -+ */ -+XSLTPUBFUN int XSLTCALL -+ xsltCleanupIds (xsltTransformContextPtr ctxt, -+ xmlNodePtr root); -+ -+/* - * And the registration - */ - -diff --git a/libxslt/transform.c b/libxslt/transform.c -index 24f9eb2..2bdf6bf 100644 ---- a/libxslt/transform.c -+++ b/libxslt/transform.c -@@ -700,6 +700,7 @@ xsltNewTransformContext(xsltStylesheetPtr style, xmlDocPtr doc) { - cur->traceCode = (unsigned long*) &xsltDefaultTrace; - cur->xinclude = xsltGetXIncludeDefault(); - cur->keyInitLevel = 0; -+ cur->nextid = 0; - - return(cur); - -@@ -6092,6 +6093,13 @@ xsltApplyStylesheetInternal(xsltStylesheetPtr style, xmlDocPtr doc, - if (root != NULL) { - const xmlChar *doctype = NULL; - -+ /* -+ * cleanup ids which may have been saved in Elements content ptrs -+ */ -+ if (ctxt->nextid != 0) { -+ xsltCleanupIds(ctxt, root); -+ } -+ - if ((root->ns != NULL) && (root->ns->prefix != NULL)) - doctype = xmlDictQLookup(ctxt->dict, root->ns->prefix, root->name); - if (doctype == NULL) -diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h -index 95e8fe6..8eedae4 100644 ---- a/libxslt/xsltInternals.h -+++ b/libxslt/xsltInternals.h -@@ -1786,6 +1786,8 @@ struct _xsltTransformContext { - int funcLevel; /* Needed to catch recursive functions issues */ - int maxTemplateDepth; - int maxTemplateVars; -+ -+ unsigned long nextid;/* for generating stable ids */ - }; - - /** diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch new file mode 100644 index 0000000000..a296d8cb1b --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-8629.patch @@ -0,0 +1,51 @@ +Copied from Fedora. +http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5-CVE-2015-8629.patch?h=f22 + +From df17a1224a3406f57477bcd372c61e04c0e5a5bb Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Fri, 8 Jan 2016 12:45:25 -0500 +Subject: [PATCH 1/3] Verify decoded kadmin C strings [CVE-2015-8629] + +In xdr_nullstring(), check that the decoded string is terminated with +a zero byte and does not contain any internal zero bytes. + +CVE-2015-8629: + +In all versions of MIT krb5, an authenticated attacker can cause +kadmind to read beyond the end of allocated memory by sending a string +without a terminating zero byte. Information leakage may be possible +for an attacker with permission to modify the database. + + CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C + +ticket: 8341 (new) +target_version: 1.14-next +target_version: 1.13-next +tags: pullup +--- + src/lib/kadm5/kadm_rpc_xdr.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c +index 2bef858..ba67084 100644 +--- a/src/lib/kadm5/kadm_rpc_xdr.c ++++ b/src/lib/kadm5/kadm_rpc_xdr.c +@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp) + return FALSE; + } + } +- return (xdr_opaque(xdrs, *objp, size)); ++ if (!xdr_opaque(xdrs, *objp, size)) ++ return FALSE; ++ /* Check that the unmarshalled bytes are a C string. */ ++ if ((*objp)[size - 1] != '\0') ++ return FALSE; ++ if (memchr(*objp, '\0', size - 1) != NULL) ++ return FALSE; ++ return TRUE; + + case XDR_ENCODE: + if (size != 0) +-- +2.7.0.rc3 + diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch new file mode 100644 index 0000000000..c21d84b1e7 --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-8630.patch @@ -0,0 +1,81 @@ +Copied from Fedora. +http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5-CVE-2015-8630.patch?h=f22 + +From b863de7fbf080b15e347a736fdda0a82d42f4f6b Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Fri, 8 Jan 2016 12:52:28 -0500 +Subject: [PATCH 2/3] Check for null kadm5 policy name [CVE-2015-8630] + +In kadm5_create_principal_3() and kadm5_modify_principal(), check for +entry->policy being null when KADM5_POLICY is included in the mask. + +CVE-2015-8630: + +In MIT krb5 1.12 and later, an authenticated attacker with permission +to modify a principal entry can cause kadmind to dereference a null +pointer by supplying a null policy value but including KADM5_POLICY in +the mask. + + CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C + +ticket: 8342 (new) +target_version: 1.14-next +target_version: 1.13-next +tags: pullup +--- + src/lib/kadm5/srv/svr_principal.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c +index 5b95fa3..1d4365c 100644 +--- a/src/lib/kadm5/srv/svr_principal.c ++++ b/src/lib/kadm5/srv/svr_principal.c +@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle, + /* + * Argument sanity checking, and opening up the DB + */ ++ if (entry == NULL) ++ return EINVAL; + if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) || + (mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) || + (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) || +@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle, + return KADM5_BAD_MASK; + if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0) + return KADM5_BAD_MASK; ++ if((mask & KADM5_POLICY) && entry->policy == NULL) ++ return KADM5_BAD_MASK; + if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR)) + return KADM5_BAD_MASK; + if((mask & ~ALL_PRINC_MASK)) + return KADM5_BAD_MASK; +- if (entry == NULL) +- return EINVAL; + + /* + * Check to see if the principal exists +@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle, + + krb5_clear_error_message(handle->context); + ++ if(entry == NULL) ++ return EINVAL; + if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) || + (mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) || + (mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) || +@@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle, + return KADM5_BAD_MASK; + if((mask & ~ALL_PRINC_MASK)) + return KADM5_BAD_MASK; ++ if((mask & KADM5_POLICY) && entry->policy == NULL) ++ return KADM5_BAD_MASK; + if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR)) + return KADM5_BAD_MASK; +- if(entry == (kadm5_principal_ent_t) NULL) +- return EINVAL; + if (mask & KADM5_TL_DATA) { + tl_data_orig = entry->tl_data; + while (tl_data_orig) { +-- +2.7.0.rc3 + diff --git a/gnu/packages/patches/mit-krb5-CVE-2015-8631.patch b/gnu/packages/patches/mit-krb5-CVE-2015-8631.patch new file mode 100644 index 0000000000..dd1eb2945c --- /dev/null +++ b/gnu/packages/patches/mit-krb5-CVE-2015-8631.patch @@ -0,0 +1,576 @@ +Copied from Fedora. +http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5-CVE-2015-8631.patch?h=f22 + +From 83ed75feba32e46f736fcce0d96a0445f29b96c2 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Fri, 8 Jan 2016 13:16:54 -0500 +Subject: [PATCH 3/3] Fix leaks in kadmin server stubs [CVE-2015-8631] + +In each kadmind server stub, initialize the client_name and +server_name variables, and release them in the cleanup handler. Many +of the stubs will otherwise leak the client and server name if +krb5_unparse_name() fails. Also make sure to free the prime_arg +variables in rename_principal_2_svc(), or we can leak the first one if +unparsing the second one fails. Discovered by Simo Sorce. + +CVE-2015-8631: + +In all versions of MIT krb5, an authenticated attacker can cause +kadmind to leak memory by supplying a null principal name in a request +which uses one. Repeating these requests will eventually cause +kadmind to exhaust all available memory. + + CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C + +ticket: 8343 (new) +target_version: 1.14-next +target_version: 1.13-next +tags: pullup +--- + src/kadmin/server/server_stubs.c | 151 ++++++++++++++++++++------------------- + 1 file changed, 77 insertions(+), 74 deletions(-) + +diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c +index 1879dc6..6ac797e 100644 +--- a/src/kadmin/server/server_stubs.c ++++ b/src/kadmin/server/server_stubs.c +@@ -334,7 +334,8 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; +@@ -382,10 +383,10 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); +- gss_release_buffer(&minor_stat, &client_name); +- gss_release_buffer(&minor_stat, &service_name); + + exit_func: ++ gss_release_buffer(&minor_stat, &client_name); ++ gss_release_buffer(&minor_stat, &service_name); + free_server_handle(handle); + return &ret; + } +@@ -395,7 +396,8 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; +@@ -444,10 +446,10 @@ create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); +- gss_release_buffer(&minor_stat, &client_name); +- gss_release_buffer(&minor_stat, &service_name); + + exit_func: ++ gss_release_buffer(&minor_stat, &client_name); ++ gss_release_buffer(&minor_stat, &service_name); + free_server_handle(handle); + return &ret; + } +@@ -457,8 +459,8 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -501,10 +503,10 @@ delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp) + + } + free(prime_arg); +- gss_release_buffer(&minor_stat, &client_name); +- gss_release_buffer(&minor_stat, &service_name); + + exit_func: ++ gss_release_buffer(&minor_stat, &client_name); ++ gss_release_buffer(&minor_stat, &service_name); + free_server_handle(handle); + return &ret; + } +@@ -514,8 +516,8 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; +@@ -559,9 +561,9 @@ modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -570,10 +572,9 @@ generic_ret * + rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; +- char *prime_arg1, +- *prime_arg2; +- gss_buffer_desc client_name, +- service_name; ++ char *prime_arg1 = NULL, *prime_arg2 = NULL; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; +@@ -655,11 +656,11 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + + } ++exit_func: + free(prime_arg1); + free(prime_arg2); + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -669,8 +670,8 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) + { + static gprinc_ret ret; + char *prime_arg, *funcname; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -719,9 +720,9 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -731,8 +732,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) + { + static gprincs_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -777,9 +778,9 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + + } ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -789,8 +790,8 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -840,9 +841,9 @@ chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp) + } + + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -852,8 +853,8 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -909,9 +910,9 @@ chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp) + } + + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -921,8 +922,8 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -969,9 +970,9 @@ setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp) + } + + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -981,8 +982,8 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1029,9 +1030,9 @@ setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp) + } + + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1041,8 +1042,8 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1092,9 +1093,9 @@ setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp) + } + + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1106,8 +1107,8 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp) + krb5_keyblock *k; + int nkeys; + char *prime_arg, *funcname; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1164,9 +1165,9 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1178,8 +1179,8 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) + krb5_keyblock *k; + int nkeys; + char *prime_arg, *funcname; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1241,9 +1242,9 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1253,8 +1254,8 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1295,9 +1296,9 @@ create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp) + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); + } ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1307,8 +1308,8 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1347,9 +1348,9 @@ delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp) + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); + } ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1359,8 +1360,8 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1400,9 +1401,9 @@ modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp) + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); + } ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1413,8 +1414,8 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) + static gpol_ret ret; + kadm5_ret_t ret2; + char *prime_arg, *funcname; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_principal_ent_rec caller_ent; + kadm5_server_handle_t handle; +@@ -1475,9 +1476,9 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp) + log_unauth(funcname, prime_arg, + &client_name, &service_name, rqstp); + } ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + +@@ -1488,8 +1489,8 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) + { + static gpols_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1531,9 +1532,9 @@ get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp) + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); + } ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1541,7 +1542,8 @@ exit_func: + getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) + { + static getprivs_ret ret; +- gss_buffer_desc client_name, service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1571,9 +1573,9 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) + if (errmsg != NULL) + krb5_free_error_message(handle->context, errmsg); + ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1583,7 +1585,8 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg, *funcname; +- gss_buffer_desc client_name, service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + +@@ -1629,9 +1632,9 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1641,8 +1644,8 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp) + { + static gstrings_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1688,9 +1691,9 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1700,8 +1703,8 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) + { + static generic_ret ret; + char *prime_arg; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + const char *errmsg = NULL; +@@ -1744,9 +1747,9 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp) + krb5_free_error_message(handle->context, errmsg); + } + free(prime_arg); ++exit_func: + gss_release_buffer(&minor_stat, &client_name); + gss_release_buffer(&minor_stat, &service_name); +-exit_func: + free_server_handle(handle); + return &ret; + } +@@ -1754,8 +1757,8 @@ exit_func: + generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) + { + static generic_ret ret; +- gss_buffer_desc client_name, +- service_name; ++ gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; + kadm5_server_handle_t handle; + OM_uint32 minor_stat; + const char *errmsg = NULL; +@@ -1797,10 +1800,10 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp) + rqstp->rq_cred.oa_flavor); + if (errmsg != NULL) + krb5_free_error_message(NULL, errmsg); +- gss_release_buffer(&minor_stat, &client_name); +- gss_release_buffer(&minor_stat, &service_name); + + exit_func: ++ gss_release_buffer(&minor_stat, &client_name); ++ gss_release_buffer(&minor_stat, &service_name); + return(&ret); + } + +-- +2.7.0.rc3 + diff --git a/gnu/packages/patches/mit-krb5-init-context-null-spnego.patch b/gnu/packages/patches/mit-krb5-init-context-null-spnego.patch new file mode 100644 index 0000000000..195db38d08 --- /dev/null +++ b/gnu/packages/patches/mit-krb5-init-context-null-spnego.patch @@ -0,0 +1,49 @@ +Copied from Fedora. +http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5-init_context_null_spnego.patch?h=f22 + +From 3beb564cea3d219efcf71682b6576cad548c2d23 Mon Sep 17 00:00:00 2001 +From: Simo Sorce <simo@redhat.com> +Date: Tue, 5 Jan 2016 12:11:59 -0500 +Subject: [PATCH] Check internal context on init context errors + +If the mechanism deletes the internal context handle on error, the +mechglue must do the same with the union context, to avoid crashes if +the application calls other functions with this invalid union context. + +[ghudson@mit.edu: edit commit message and code comment] + +ticket: 8337 (new) +target_version: 1.14-next +target_version: 1.13-next +tags: pullup +--- + src/lib/gssapi/mechglue/g_init_sec_context.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/lib/gssapi/mechglue/g_init_sec_context.c b/src/lib/gssapi/mechglue/g_init_sec_context.c +index aaae767..9f154b8 100644 +--- a/src/lib/gssapi/mechglue/g_init_sec_context.c ++++ b/src/lib/gssapi/mechglue/g_init_sec_context.c +@@ -224,12 +224,15 @@ OM_uint32 * time_rec; + + if (status != GSS_S_COMPLETE && status != GSS_S_CONTINUE_NEEDED) { + /* +- * the spec says (the preferred) method is to delete all +- * context info on the first call to init, and on all +- * subsequent calls make the caller responsible for +- * calling gss_delete_sec_context ++ * The spec says the preferred method is to delete all context info on ++ * the first call to init, and on all subsequent calls make the caller ++ * responsible for calling gss_delete_sec_context. However, if the ++ * mechanism decided to delete the internal context, we should also ++ * delete the union context. + */ + map_error(minor_status, mech); ++ if (union_ctx_id->internal_ctx_id == GSS_C_NO_CONTEXT) ++ *context_handle = GSS_C_NO_CONTEXT; + if (*context_handle == GSS_C_NO_CONTEXT) { + free(union_ctx_id->mech_type->elements); + free(union_ctx_id->mech_type); +-- +2.6.4 + diff --git a/gnu/packages/patches/procps-non-linux.patch b/gnu/packages/patches/procps-non-linux.patch deleted file mode 100644 index 9d369aeb2c..0000000000 --- a/gnu/packages/patches/procps-non-linux.patch +++ /dev/null @@ -1,40 +0,0 @@ -From aa9bd38d0a6fe53aff7f78fb2d9f61e55677c7b5 Mon Sep 17 00:00:00 2001 -From: Craig Small <csmall@enc.com.au> -Date: Sun, 17 Apr 2016 09:09:41 +1000 -Subject: [PATCH] tests: Conditionally add prctl to test process - -prctl was already bypassed on Cygwin systems. This extends to -non-Linux systems such as kFreeBSD and Hurd. - ---- - lib/test_process.c | 4 ++-- - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/lib/test_process.c b/lib/test_process.c -index 6e652ed..6a4776c 100644 ---- a/lib/test_process.c -+++ b/lib/test_process.c -@@ -21,7 +21,9 @@ - #include <stdlib.h> - #include <unistd.h> - #include <signal.h> -+#ifdef __linux__ - #include <sys/prctl.h> -+#endif - #include "c.h" - - #define DEFAULT_SLEEPTIME 300 -@@ -78,8 +80,10 @@ - sigaction(SIGUSR1, &signal_action, NULL); - sigaction(SIGUSR2, &signal_action, NULL); - -+#ifdef __linux__ - /* set process name */ - prctl(PR_SET_NAME, MY_NAME, NULL, NULL, NULL); -+#endif - - while (sleep_time > 0) { - sleep_time = sleep(sleep_time); --- -2.8.2 - diff --git a/gnu/packages/patches/rapicorn-isnan.patch b/gnu/packages/patches/rapicorn-isnan.patch deleted file mode 100644 index b0e7819e64..0000000000 --- a/gnu/packages/patches/rapicorn-isnan.patch +++ /dev/null @@ -1,87 +0,0 @@ -From e0c8341b3e4e13778bcde00d477e461ea8e94306 Mon Sep 17 00:00:00 2001 -From: Stefan Westerfeld <stefan@space.twc.de> -Date: Fri, 22 Apr 2016 18:03:37 +0200 -Subject: [PATCH 031/176] RCORE: compile fixes for KUbuntu 16.04/gcc - 5.3.1-14ubuntu2 - -Rapicorn uses isnan(...) and isinf(...) from cmath.h, however on KUbuntu 16.04 -it should use std::isnan(...) and std::isinf(...) instead. Patch below. - -Acked-by: Tim Janik <timj@gnu.org> ---- - rcore/strings.cc | 10 +++++----- - rcore/tests/benchrcore.cc | 4 ++-- - rcore/tests/strings.cc | 4 ++-- - 3 files changed, 9 insertions(+), 9 deletions(-) - -diff --git a/rcore/strings.cc b/rcore/strings.cc -index d5b0216..8b3bc3f 100644 ---- a/rcore/strings.cc -+++ b/rcore/strings.cc -@@ -437,7 +437,7 @@ static long double - libc_strtold (const char *nptr, char **endptr) - { - const long double result = strtold (nptr, endptr); -- if (isnan (result) && std::signbit (result) == 0) -+ if (std::isnan (result) && std::signbit (result) == 0) - { - const char *p = nptr; - while (isspace (*p)) -@@ -500,9 +500,9 @@ string_to_double (const char *dblstring, const char **endptr) - String - string_from_float (float value) - { -- if (isnan (value)) -+ if (std::isnan (value)) - return std::signbit (value) ? "-NaN" : "+NaN"; -- if (isinf (value)) -+ if (std::isinf (value)) - return std::signbit (value) ? "-Infinity" : "+Infinity"; - return string_format ("%.7g", value); - } -@@ -511,9 +511,9 @@ string_from_float (float value) - String - string_from_double (double value) - { -- if (isnan (value)) -+ if (std::isnan (value)) - return std::signbit (value) ? "-NaN" : "+NaN"; -- if (isinf (value)) -+ if (std::isinf (value)) - return std::signbit (value) ? "-Infinity" : "+Infinity"; - return string_format ("%.17g", value); - } -diff --git a/rcore/tests/benchrcore.cc b/rcore/tests/benchrcore.cc -index 3899a08..12fde16 100644 ---- a/rcore/tests/benchrcore.cc -+++ b/rcore/tests/benchrcore.cc -@@ -188,8 +188,8 @@ test_random_numbers() - const double rf = random_frange (989617512, 9876547656); - TASSERT (rf >= 989617512 && rf < 9876547656); - } -- TASSERT (isnan (random_frange (NAN, 1))); -- TASSERT (isnan (random_frange (0, NAN))); -+ TASSERT (std::isnan (random_frange (NAN, 1))); -+ TASSERT (std::isnan (random_frange (0, NAN))); - #if 0 // example penalty paid in random_int64() - size_t i, j = 0; - for (i = 0; i < 100; i++) -diff --git a/rcore/tests/strings.cc b/rcore/tests/strings.cc -index 468a6e6..dae3e3d 100644 ---- a/rcore/tests/strings.cc -+++ b/rcore/tests/strings.cc -@@ -311,9 +311,9 @@ string_conversions (void) - TCMP (string_to_double ("-0.5"), ==, -0.5); - double tfloat; - tfloat = string_to_double ("+NAN"); -- assert (isnan (tfloat) && std::signbit (tfloat) == 0); -+ assert (std::isnan (tfloat) && std::signbit (tfloat) == 0); - tfloat = string_to_double ("-NAN"); -- assert (isnan (tfloat) && std::signbit (tfloat) == 1); -+ assert (std::isnan (tfloat) && std::signbit (tfloat) == 1); - TCMP (string_capitalize ("fOO bar"), ==, "Foo Bar"); - TCMP (string_capitalize ("foo BAR BAZ", 2), ==, "Foo Bar BAZ"); - } --- -2.9.1 - diff --git a/gnu/packages/patches/tar-d_ino_in_dirent-fix.patch b/gnu/packages/patches/tar-d_ino_in_dirent-fix.patch new file mode 100644 index 0000000000..39d8e2b20a --- /dev/null +++ b/gnu/packages/patches/tar-d_ino_in_dirent-fix.patch @@ -0,0 +1,33 @@ +commit e9ddc08da0982f36581ae5a8c7763453ff41cfe8 +Author: Sergey Poznyakoff <gray@gnu.org> +Date: Thu Sep 25 00:22:16 2014 +0300 + + Bugfixes. + + * doc/tar.1: Fix typo in font spec. + * src/tar.c (sort_mode_arg, sort_mode_flag): Protect "inode" + (SAVEDIR_SORT_INODE) with D_INO_IN_DIRENT + +diff --git a/src/tar.c b/src/tar.c +index 225c624..f8102e0 100644 +--- a/src/tar.c ++++ b/src/tar.c +@@ -1341,14 +1341,18 @@ static char filename_terminator; + static char const *const sort_mode_arg[] = { + "none", + "name", ++#if D_INO_IN_DIRENT + "inode", ++#endif + NULL + }; + + static int sort_mode_flag[] = { + SAVEDIR_SORT_NONE, + SAVEDIR_SORT_NAME, ++#if D_INO_IN_DIRENT + SAVEDIR_SORT_INODE ++#endif + }; + + ARGMATCH_VERIFY (sort_mode_arg, sort_mode_flag);
\ No newline at end of file |