diff options
Diffstat (limited to 'gnu/packages/patches')
| -rw-r--r-- | gnu/packages/patches/cmake-fix-tests.patch | 83 | ||||
| -rw-r--r-- | gnu/packages/patches/flex-CVE-2016-6354.patch | 30 | ||||
| -rw-r--r-- | gnu/packages/patches/fontconfig-CVE-2016-5384.patch | 170 | ||||
| -rw-r--r-- | gnu/packages/patches/gawk-fts-test.patch | 51 | ||||
| -rw-r--r-- | gnu/packages/patches/guile-relocatable.patch | 14 | ||||
| -rw-r--r-- | gnu/packages/patches/perl-CVE-2015-8607.patch | 68 | ||||
| -rw-r--r-- | gnu/packages/patches/perl-CVE-2016-2381.patch | 116 | ||||
| -rw-r--r-- | gnu/packages/patches/perl-no-build-time.patch | 26 | ||||
| -rw-r--r-- | gnu/packages/patches/perl-reproducible-build-date.patch | 17 | ||||
| -rw-r--r-- | gnu/packages/patches/perl-source-date-epoch.patch | 19 | ||||
| -rw-r--r-- | gnu/packages/patches/procps-non-linux.patch | 40 | ||||
| -rw-r--r-- | gnu/packages/patches/python-3.4-fix-tests.patch | 12 | ||||
| -rw-r--r-- | gnu/packages/patches/python-3.5-fix-tests.patch | 46 | ||||
| -rw-r--r-- | gnu/packages/patches/python-disable-ssl-test.patch | 12 | ||||
| -rw-r--r-- | gnu/packages/patches/python-fix-tests.patch | 15 |
15 files changed, 189 insertions, 530 deletions
diff --git a/gnu/packages/patches/cmake-fix-tests.patch b/gnu/packages/patches/cmake-fix-tests.patch index f59e2cd625..732b0023ab 100644 --- a/gnu/packages/patches/cmake-fix-tests.patch +++ b/gnu/packages/patches/cmake-fix-tests.patch @@ -1,6 +1,17 @@ ---- cmake-3.2.2.orig/Tests/CMakeLists.txt 2015-04-14 01:09:00.000000000 +0800 -+++ cmake-3.2.2/Tests/CMakeLists.txt 2015-04-28 15:02:34.913039742 +0800 -@@ -342,10 +342,12 @@ +From af0a62dadfb3db25880bc653e2e4c97435a604c9 Mon Sep 17 00:00:00 2001 +From: Efraim Flashner <efraim@flashner.co.il> +Date: Mon, 29 Aug 2016 20:07:58 +0300 +Subject: [PATCH] cmake-fix-tests + +--- + Tests/CMakeLists.txt | 83 ++++++++++++++++++++++++++++------------------------ + 1 file changed, 44 insertions(+), 39 deletions(-) + +diff --git a/Tests/CMakeLists.txt b/Tests/CMakeLists.txt +index f21e430..56014a2 100644 +--- a/Tests/CMakeLists.txt ++++ b/Tests/CMakeLists.txt +@@ -416,10 +416,12 @@ if(BUILD_TESTING) endif() # run test for BundleUtilities on supported platforms/compilers @@ -17,7 +28,7 @@ if(NOT "${CMAKE_GENERATOR}" STREQUAL "Watcom WMake") add_test(BundleUtilities ${CMAKE_CTEST_COMMAND} -@@ -2257,16 +2259,17 @@ +@@ -2481,30 +2483,32 @@ ${CMake_BINARY_DIR}/bin/cmake -DDIR=dev -P ${CMake_SOURCE_DIR}/Utilities/Release PASS_REGULAR_EXPRESSION "Could not find executable" FAIL_REGULAR_EXPRESSION "SegFault") @@ -31,6 +42,20 @@ - ) - set_tests_properties(CTestTestUpload PROPERTIES - PASS_REGULAR_EXPRESSION "Upload\\.xml") +- +- configure_file( +- "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in" +- "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake" +- @ONLY ESCAPE_QUOTES) +- add_test(CTestCoverageCollectGCOV ${CMAKE_CTEST_COMMAND} +- -C \${CTEST_CONFIGURATION_TYPE} +- -S "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake" -VV +- --output-log "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/testOut.log" +- ) +- set_tests_properties(CTestCoverageCollectGCOV PROPERTIES +- PASS_REGULAR_EXPRESSION +- "PASSED with correct output.*Testing/CoverageInfo/main.cpp.gcov") +- set_property(TEST CTestCoverageCollectGCOV PROPERTY ENVIRONMENT CTEST_PARALLEL_LEVEL=) +# This test requires network connectivity: skip it. +# configure_file( +# "${CMake_SOURCE_DIR}/Tests/CTestTestUpload/test.cmake.in" @@ -42,6 +67,54 @@ +# ) +# set_tests_properties(CTestTestUpload PROPERTIES +# PASS_REGULAR_EXPRESSION "Upload\\.xml") ++ ++# This test times out ++# configure_file( ++# "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in" ++# "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake" ++# @ONLY ESCAPE_QUOTES) ++# add_test(CTestCoverageCollectGCOV ${CMAKE_CTEST_COMMAND} ++# -C \${CTEST_CONFIGURATION_TYPE} ++# -S "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake" -VV ++# --output-log "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/testOut.log" ++# ) ++# set_tests_properties(CTestCoverageCollectGCOV PROPERTIES ++# PASS_REGULAR_EXPRESSION ++# "PASSED with correct output.*Testing/CoverageInfo/main.cpp.gcov") ++# set_property(TEST CTestCoverageCollectGCOV PROPERTY ENVIRONMENT CTEST_PARALLEL_LEVEL=) + + configure_file( + "${CMake_SOURCE_DIR}/Tests/CTestTestEmptyBinaryDirectory/test.cmake.in" +@@ -2860,17 +2864,18 @@ ${CMake_BINARY_DIR}/bin/cmake -DDIR=dev -P ${CMake_SOURCE_DIR}/Utilities/Release + set_tests_properties(CTestTestStopTime PROPERTIES + PASS_REGULAR_EXPRESSION "The stop time has been passed") + +- configure_file( +- "${CMake_SOURCE_DIR}/Tests/CTestTestSubdir/test.cmake.in" +- "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake" +- @ONLY ESCAPE_QUOTES) +- add_test(CTestTestSubdir ${CMAKE_CTEST_COMMAND} +- -S "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake" -V +- --output-log "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/testOutput.log" +- ) +- #make sure all 3 subdirs were added +- set_tests_properties(CTestTestSubdir PROPERTIES +- PASS_REGULAR_EXPRESSION "0 tests failed out of 3") ++# This test fails to build 2 of the 3 tests ++# configure_file( ++# "${CMake_SOURCE_DIR}/Tests/CTestTestSubdir/test.cmake.in" ++# "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake" ++# @ONLY ESCAPE_QUOTES) ++# add_test(CTestTestSubdir ${CMAKE_CTEST_COMMAND} ++# -S "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake" -V ++# --output-log "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/testOutput.log" ++# ) ++# #make sure all 3 subdirs were added ++# set_tests_properties(CTestTestSubdir PROPERTIES ++# PASS_REGULAR_EXPRESSION "0 tests failed out of 3") configure_file( - "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in" + "${CMake_SOURCE_DIR}/Tests/CTestTestTimeout/test.cmake.in" +-- +2.9.3 + diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/patches/flex-CVE-2016-6354.patch new file mode 100644 index 0000000000..1f3cb028d4 --- /dev/null +++ b/gnu/packages/patches/flex-CVE-2016-6354.patch @@ -0,0 +1,30 @@ +Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354 +https://security-tracker.debian.org/tracker/CVE-2016-6354 + +Patch copied from upstream source repository: +https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466 + +From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001 +From: Will Estes <westes575@gmail.com> +Date: Sat, 27 Feb 2016 11:56:05 -0500 +Subject: [PATCH] Fixed incorrect integer type + +--- + src/flex.skl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/flex.skl b/src/flex.skl +index 36a526a..64f853d 100644 +--- a/src/flex.skl ++++ b/src/flex.skl +@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer() + + else + { +- yy_size_t num_to_read = ++ int num_to_read = + YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; + + while ( num_to_read <= 0 ) diff --git a/gnu/packages/patches/fontconfig-CVE-2016-5384.patch b/gnu/packages/patches/fontconfig-CVE-2016-5384.patch deleted file mode 100644 index 617d5afbaf..0000000000 --- a/gnu/packages/patches/fontconfig-CVE-2016-5384.patch +++ /dev/null @@ -1,170 +0,0 @@ -Fix CVE-2016-5384 (double-free resulting in arbitrary code execution): - -<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5384> - -Copied from upstream code repository: - -<https://cgit.freedesktop.org/fontconfig/commit/?id=7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940> - -From 7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Sat, 25 Jun 2016 19:18:53 +0200 -Subject: Properly validate offsets in cache files. - -The cache files are insufficiently validated. Even though the magic -number at the beginning of the file as well as time stamps are checked, -it is not verified if contained offsets are in legal ranges or are -even pointers. - -The lack of validation allows an attacker to trigger arbitrary free() -calls, which in turn allows double free attacks and therefore arbitrary -code execution. Due to the conversion from offsets into pointers through -macros, this even allows to circumvent ASLR protections. - -This attack vector allows privilege escalation when used with setuid -binaries like fbterm. A user can create ~/.fonts or any other -system-defined user-private font directory, run fc-cache and adjust -cache files in ~/.cache/fontconfig. The execution of setuid binaries will -scan these files and therefore are prone to attacks. - -If it's not about code execution, an endless loop can be created by -letting linked lists become circular linked lists. - -This patch verifies that: - -- The file is not larger than the maximum addressable space, which - basically only affects 32 bit systems. This allows out of boundary - access into unallocated memory. -- Offsets are always positive or zero -- Offsets do not point outside file boundaries -- No pointers are allowed in cache files, every "pointer or offset" - field must be an offset or NULL -- Iterating linked lists must not take longer than the amount of elements - specified. A violation of this rule can break a possible endless loop. - -If one or more of these points are violated, the cache is recreated. -This is current behaviour. - -Even though this patch fixes many issues, the use of mmap() shall be -forbidden in setuid binaries. It is impossible to guarantee with these -checks that a malicious user does not change cache files after -verification. This should be handled in a different patch. - -Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> - -diff --git a/src/fccache.c b/src/fccache.c -index 71e8f03..02ec301 100644 ---- a/src/fccache.c -+++ b/src/fccache.c -@@ -27,6 +27,7 @@ - #include <fcntl.h> - #include <dirent.h> - #include <string.h> -+#include <limits.h> - #include <sys/types.h> - #include <sys/stat.h> - #include <assert.h> -@@ -587,6 +588,82 @@ FcCacheTimeValid (FcConfig *config, FcCache *cache, struct stat *dir_stat) - return cache->checksum == (int) dir_stat->st_mtime && fnano; - } - -+static FcBool -+FcCacheOffsetsValid (FcCache *cache) -+{ -+ char *base = (char *)cache; -+ char *end = base + cache->size; -+ intptr_t *dirs; -+ FcFontSet *fs; -+ int i, j; -+ -+ if (cache->dir < 0 || cache->dir > cache->size - sizeof (intptr_t) || -+ memchr (base + cache->dir, '\0', cache->size - cache->dir) == NULL) -+ return FcFalse; -+ -+ if (cache->dirs < 0 || cache->dirs >= cache->size || -+ cache->dirs_count < 0 || -+ cache->dirs_count > (cache->size - cache->dirs) / sizeof (intptr_t)) -+ return FcFalse; -+ -+ dirs = FcCacheDirs (cache); -+ if (dirs) -+ { -+ for (i = 0; i < cache->dirs_count; i++) -+ { -+ FcChar8 *dir; -+ -+ if (dirs[i] < 0 || -+ dirs[i] > end - (char *) dirs - sizeof (intptr_t)) -+ return FcFalse; -+ -+ dir = FcOffsetToPtr (dirs, dirs[i], FcChar8); -+ if (memchr (dir, '\0', end - (char *) dir) == NULL) -+ return FcFalse; -+ } -+ } -+ -+ if (cache->set < 0 || cache->set > cache->size - sizeof (FcFontSet)) -+ return FcFalse; -+ -+ fs = FcCacheSet (cache); -+ if (fs) -+ { -+ if (fs->nfont > (end - (char *) fs) / sizeof (FcPattern)) -+ return FcFalse; -+ -+ if (fs->fonts != 0 && !FcIsEncodedOffset(fs->fonts)) -+ return FcFalse; -+ -+ for (i = 0; i < fs->nfont; i++) -+ { -+ FcPattern *font = FcFontSetFont (fs, i); -+ FcPatternElt *e; -+ FcValueListPtr l; -+ -+ if ((char *) font < base || -+ (char *) font > end - sizeof (FcFontSet) || -+ font->elts_offset < 0 || -+ font->elts_offset > end - (char *) font || -+ font->num > (end - (char *) font - font->elts_offset) / sizeof (FcPatternElt)) -+ return FcFalse; -+ -+ -+ e = FcPatternElts(font); -+ if (e->values != 0 && !FcIsEncodedOffset(e->values)) -+ return FcFalse; -+ -+ for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l)) -+ if (l->next != NULL && !FcIsEncodedOffset(l->next)) -+ break; -+ if (j < 0) -+ return FcFalse; -+ } -+ } -+ -+ return FcTrue; -+} -+ - /* - * Map a cache file into memory - */ -@@ -596,7 +673,8 @@ FcDirCacheMapFd (FcConfig *config, int fd, struct stat *fd_stat, struct stat *di - FcCache *cache; - FcBool allocated = FcFalse; - -- if (fd_stat->st_size < (int) sizeof (FcCache)) -+ if (fd_stat->st_size > INTPTR_MAX || -+ fd_stat->st_size < (int) sizeof (FcCache)) - return NULL; - cache = FcCacheFindByStat (fd_stat); - if (cache) -@@ -652,6 +730,7 @@ FcDirCacheMapFd (FcConfig *config, int fd, struct stat *fd_stat, struct stat *di - if (cache->magic != FC_CACHE_MAGIC_MMAP || - cache->version < FC_CACHE_VERSION_NUMBER || - cache->size != (intptr_t) fd_stat->st_size || -+ !FcCacheOffsetsValid (cache) || - !FcCacheTimeValid (config, cache, dir_stat) || - !FcCacheInsert (cache, fd_stat)) - { --- -cgit v0.10.2 - diff --git a/gnu/packages/patches/gawk-fts-test.patch b/gnu/packages/patches/gawk-fts-test.patch deleted file mode 100644 index de1f5c431c..0000000000 --- a/gnu/packages/patches/gawk-fts-test.patch +++ /dev/null @@ -1,51 +0,0 @@ -This is upstream commit c9a018c. We have observed random failures of -this test on i686 that seem related to load. - -2015-05-21 Arnold D. Robbins <arnold@skeeve.com> - - * fts.awk: Really remove atime from the output. - This avoids spurious failures on heavily loaded systems. - -diff --git a/test/fts.awk b/test/fts.awk -index b1df060..dea5b68 100644 ---- a/test/fts.awk -+++ b/test/fts.awk -@@ -50,6 +50,11 @@ function sort_traverse(data, sorted, i) - { - asorti(data, sorted) - for (i = 1; i in sorted; i++) { -+ # 5/2015: skip for atime, since there can -+ # occasionally be small differences. -+ if (sorted[i] == "atime") -+ continue -+ - indent() - printf("%s --> %s\n", sorted[i], data[sorted[i]]) > output - } -@@ -63,17 +68,20 @@ function traverse(data, i) - printf("%s:\n", i) > output - - Level++ -- if (("mtime" in data[i]) && ! isarray(data[i][mtime])) { -+ if (("mtime" in data[i]) && ! isarray(data[i]["mtime"])) { - sort_traverse(data[i]) - } else { - traverse(data[i]) - } - Level-- -- } else if (data[i] != "atime") { -- # 4/2015: skip for atime, since there can -- # occasionally be small differences. -- indent() -- printf("%s --> %s\n", i, data[i]) > output -+# } else { -+# JUNK = 1 -+# if (i != "atime") { -+# # 4/2015: skip for atime, since there can -+# # occasionally be small differences. -+# indent() -+# printf("%s --> %s\n", i, data[i]) > output -+# } - } - } - } diff --git a/gnu/packages/patches/guile-relocatable.patch b/gnu/packages/patches/guile-relocatable.patch index 077394cdde..2431495f24 100644 --- a/gnu/packages/patches/guile-relocatable.patch +++ b/gnu/packages/patches/guile-relocatable.patch @@ -1,8 +1,6 @@ This patch changes Guile to use a default search path relative to the location of the `guile' binary, allowing it to be relocated. -diff --git a/libguile/load.c b/libguile/load.c -index af2ca45..19dd338 100644 --- a/libguile/load.c +++ b/libguile/load.c @@ -26,6 +26,7 @@ @@ -12,8 +10,8 @@ index af2ca45..19dd338 100644 +#include <libgen.h> #include "libguile/_scm.h" - #include "libguile/private-gc.h" /* scm_getenv_int */ -@@ -255,6 +256,32 @@ scm_init_load_path () + #include "libguile/alist.h" +@@ -325,6 +326,32 @@ SCM cpath = SCM_EOL; #ifdef SCM_LIBRARY_DIR @@ -43,10 +41,10 @@ index af2ca45..19dd338 100644 + strcpy (ccache_dir, prefix); + strcat (ccache_dir, "/lib/guile/2.0/ccache"); + - env = getenv ("GUILE_SYSTEM_PATH"); + env = scm_i_mirror_backslashes (getenv ("GUILE_SYSTEM_PATH")); if (env && strcmp (env, "") == 0) /* special-case interpret system-path=="" as meaning no system path instead -@@ -263,10 +290,7 @@ scm_init_load_path () +@@ -333,10 +360,7 @@ else if (env) path = scm_parse_path (scm_from_locale_string (env), path); else @@ -56,9 +54,9 @@ index af2ca45..19dd338 100644 - scm_from_locale_string (SCM_PKGDATA_DIR)); + path = scm_list_1 (scm_from_locale_string (module_dir)); - env = getenv ("GUILE_SYSTEM_COMPILED_PATH"); + env = scm_i_mirror_backslashes (getenv ("GUILE_SYSTEM_COMPILED_PATH")); if (env && strcmp (env, "") == 0) -@@ -276,8 +300,7 @@ scm_init_load_path () +@@ -346,8 +370,7 @@ cpath = scm_parse_path (scm_from_locale_string (env), cpath); else { diff --git a/gnu/packages/patches/perl-CVE-2015-8607.patch b/gnu/packages/patches/perl-CVE-2015-8607.patch deleted file mode 100644 index 4c25d41740..0000000000 --- a/gnu/packages/patches/perl-CVE-2015-8607.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 3a629609084d147838368262171b923f0770e564 Mon Sep 17 00:00:00 2001 -From: Tony Cook <tony@develop-help.com> -Date: Tue, 15 Dec 2015 10:56:54 +1100 -Subject: ensure File::Spec::canonpath() preserves taint - -Previously the unix specific XS implementation of canonpath() would -return an untainted path when supplied a tainted path. - -For the empty string case, newSVpvs() already sets taint as needed on -its result. - -This issue was assigned CVE-2015-8607. - -Bug: https://rt.perl.org/Ticket/Display.html?id=126862 -Bug-Debian: https://bugs.debian.org/810719 -Origin: upstream -Patch-Name: fixes/CVE-2015-8607_file_spec_taint_fix.diff ---- - dist/PathTools/Cwd.xs | 1 + - dist/PathTools/t/taint.t | 19 ++++++++++++++++++- - 2 files changed, 19 insertions(+), 1 deletion(-) - -diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs -index 9d4dcf0..3d018dc 100644 ---- a/dist/PathTools/Cwd.xs -+++ b/dist/PathTools/Cwd.xs -@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path) - *o = 0; - SvPOK_on(retval); - SvCUR_set(retval, o - SvPVX(retval)); -+ SvTAINT(retval); - return retval; - } - -diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t -index 309b3e5..48f8c5b 100644 ---- a/dist/PathTools/t/taint.t -+++ b/dist/PathTools/t/taint.t -@@ -12,7 +12,7 @@ use Test::More; - BEGIN { - plan( - ${^TAINT} -- ? (tests => 17) -+ ? (tests => 21) - : (skip_all => "A perl without taint support") - ); - } -@@ -34,3 +34,20 @@ foreach my $func (@Functions) { - - # Previous versions of Cwd tainted $^O - is !tainted($^O), 1, "\$^O should not be tainted"; -+ -+{ -+ # [perl #126862] canonpath() loses taint -+ my $tainted = substr($ENV{PATH}, 0, 0); -+ # yes, getcwd()'s result should be tainted, and is tested above -+ # but be sure -+ ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)), -+ "canonpath() keeps taint on non-empty string"; -+ ok tainted(File::Spec->canonpath($tainted)), -+ "canonpath() keeps taint on empty string"; -+ -+ (Cwd::getcwd() =~ /^(.*)/); -+ my $untainted = $1; -+ ok !tainted($untainted), "make sure our untainted value is untainted"; -+ ok !tainted(File::Spec->canonpath($untainted)), -+ "canonpath() doesn't add taint to untainted string"; -+} diff --git a/gnu/packages/patches/perl-CVE-2016-2381.patch b/gnu/packages/patches/perl-CVE-2016-2381.patch deleted file mode 100644 index 99d1944a5d..0000000000 --- a/gnu/packages/patches/perl-CVE-2016-2381.patch +++ /dev/null @@ -1,116 +0,0 @@ -Fix CVE-2016-2381 (ambiguous handling of duplicated environment variables). - -Copied from upstream: -http://perl5.git.perl.org/perl.git/commit/ae37b791a73a9e78dedb89fb2429d2628cf58076 - -References: -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381 -http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html -https://security-tracker.debian.org/tracker/CVE-2016-2381 - ---- - -From 1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 Mon Sep 17 00:00:00 2001 -From: Tony Cook <tony@develop-help.com> -Date: Wed, 27 Jan 2016 11:52:15 +1100 -Subject: remove duplicate environment variables from environ - -If we see duplicate environment variables while iterating over -environ[]: - -a) make sure we use the same value in %ENV that getenv() returns. - -Previously on a duplicate, %ENV would have the last entry for the name -from environ[], but a typical getenv() would return the first entry. - -Rather than assuming all getenv() implementations return the first entry -explicitly call getenv() to ensure they agree. - -b) remove duplicate entries from environ - -Previously if there was a duplicate definition for a name in environ[] -setting that name in %ENV could result in an unsafe value being passed -to a child process, so ensure environ[] has no duplicates. - -Patch-Name: fixes/CVE-2016-2381_duplicate_env.diff ---- - perl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 49 insertions(+), 2 deletions(-) - -diff --git a/perl.c b/perl.c -index 67d32ce..26aeb91 100644 ---- a/perl.c -+++ b/perl.c -@@ -4277,23 +4277,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env) - } - if (env) { - char *s, *old_var; -+ STRLEN nlen; - SV *sv; -+ HV *dups = newHV(); -+ - for (; *env; env++) { - old_var = *env; - - if (!(s = strchr(old_var,'=')) || s == old_var) - continue; -+ nlen = s - old_var; - - #if defined(MSDOS) && !defined(DJGPP) - *s = '\0'; - (void)strupr(old_var); - *s = '='; - #endif -- sv = newSVpv(s+1, 0); -- (void)hv_store(hv, old_var, s - old_var, sv, 0); -+ if (hv_exists(hv, old_var, nlen)) { -+ const char *name = savepvn(old_var, nlen); -+ -+ /* make sure we use the same value as getenv(), otherwise code that -+ uses getenv() (like setlocale()) might see a different value to %ENV -+ */ -+ sv = newSVpv(PerlEnv_getenv(name), 0); -+ -+ /* keep a count of the dups of this name so we can de-dup environ later */ -+ if (hv_exists(dups, name, nlen)) -+ ++SvIVX(*hv_fetch(dups, name, nlen, 0)); -+ else -+ (void)hv_store(dups, name, nlen, newSViv(1), 0); -+ -+ Safefree(name); -+ } -+ else { -+ sv = newSVpv(s+1, 0); -+ } -+ (void)hv_store(hv, old_var, nlen, sv, 0); - if (env_is_not_environ) - mg_set(sv); - } -+ if (HvKEYS(dups)) { -+ /* environ has some duplicate definitions, remove them */ -+ HE *entry; -+ hv_iterinit(dups); -+ while ((entry = hv_iternext_flags(dups, 0))) { -+ STRLEN nlen; -+ const char *name = HePV(entry, nlen); -+ IV count = SvIV(HeVAL(entry)); -+ IV i; -+ SV **valp = hv_fetch(hv, name, nlen, 0); -+ -+ assert(valp); -+ -+ /* try to remove any duplicate names, depending on the -+ * implementation used in my_setenv() the iteration might -+ * not be necessary, but let's be safe. -+ */ -+ for (i = 0; i < count; ++i) -+ my_setenv(name, 0); -+ -+ /* and set it back to the value we set $ENV{name} to */ -+ my_setenv(name, SvPV_nolen(*valp)); -+ } -+ } -+ SvREFCNT_dec_NN(dups); - } - #endif /* USE_ENVIRON_ARRAY */ - #endif /* !PERL_MICRO */ diff --git a/gnu/packages/patches/perl-no-build-time.patch b/gnu/packages/patches/perl-no-build-time.patch deleted file mode 100644 index 5d78e8f462..0000000000 --- a/gnu/packages/patches/perl-no-build-time.patch +++ /dev/null @@ -1,26 +0,0 @@ -Do not record the configuration and build time so that builds can be -reproduced bit-for-bit. - ---- perl-5.22.0/Configure 1970-01-01 01:00:00.000000000 +0100 -+++ perl-5.22.0/Configure 2015-12-13 00:14:43.148165080 +0100 -@@ -3834,6 +3817,7 @@ esac - - : who configured the system - cf_time=`LC_ALL=C; LANGUAGE=C; export LC_ALL; export LANGUAGE; $date 2>&1` -+cf_time='Thu Jan 1 00:00:01 UTC 1970' - case "$cf_by" in - "") - cf_by=`(logname) 2>/dev/null` - ---- perl-5.22.0/perl.c 2015-12-13 00:25:30.269156627 +0100 -+++ perl-5.22.0/perl.c 2015-12-13 00:25:38.265218175 +0100 -@@ -1795,7 +1795,7 @@ S_Internals_V(pTHX_ CV *cv) - PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options, - sizeof(non_bincompat_options) - 1, SVs_TEMP)); - --#ifdef __DATE__ -+#if 0 - # ifdef __TIME__ - PUSHs(Perl_newSVpvn_flags(aTHX_ - STR_WITH_LEN("Compiled at " __DATE__ " " __TIME__), - diff --git a/gnu/packages/patches/perl-reproducible-build-date.patch b/gnu/packages/patches/perl-reproducible-build-date.patch new file mode 100644 index 0000000000..d5bd25dbfb --- /dev/null +++ b/gnu/packages/patches/perl-reproducible-build-date.patch @@ -0,0 +1,17 @@ +Don't encode the current timestamp. + +This affects the output of `perl -V`, specifically the message "Compiled +at [...]". + +diff --git a/perl.c b/perl.c +index 228a0d8..ed38313 100644 +--- a/perl.c ++++ b/perl.c +@@ -1825,6 +1825,7 @@ S_Internals_V(pTHX_ CV *cv) + PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options, + sizeof(non_bincompat_options) - 1, SVs_TEMP)); + ++#define PERL_BUILD_DATE "Jan 1 1970 00:00:00" + #ifndef PERL_BUILD_DATE + # ifdef __DATE__ + # ifdef __TIME__ diff --git a/gnu/packages/patches/perl-source-date-epoch.patch b/gnu/packages/patches/perl-source-date-epoch.patch deleted file mode 100644 index 37330c9537..0000000000 --- a/gnu/packages/patches/perl-source-date-epoch.patch +++ /dev/null @@ -1,19 +0,0 @@ -Adapted from <https://bugs.debian.org/801621>. -Make Pod::Man honor the SOURCE_DATE_EPOCH environment variable. - ---- perl-5.22.0/cpan/podlators/lib/Pod/Man.pm 2015-12-12 22:33:03.321787590 +0100 -+++ perl-5.22.0/cpan/podlators/lib/Pod/Man.pm 2015-12-12 22:36:33.367361338 +0100 -@@ -884,7 +884,12 @@ sub devise_date { - my ($self) = @_; - my $input = $self->source_filename; - my $time; -- if ($input) { -+ -+ if (defined($ENV{SOURCE_DATE_EPOCH}) && -+ $ENV{SOURCE_DATE_EPOCH} !~ /\D/) { -+ $time = $ENV{SOURCE_DATE_EPOCH}; -+ } -+ elsif ($input) { - $time = (stat $input)[9] || time; - } else { - $time = time; diff --git a/gnu/packages/patches/procps-non-linux.patch b/gnu/packages/patches/procps-non-linux.patch deleted file mode 100644 index 9d369aeb2c..0000000000 --- a/gnu/packages/patches/procps-non-linux.patch +++ /dev/null @@ -1,40 +0,0 @@ -From aa9bd38d0a6fe53aff7f78fb2d9f61e55677c7b5 Mon Sep 17 00:00:00 2001 -From: Craig Small <csmall@enc.com.au> -Date: Sun, 17 Apr 2016 09:09:41 +1000 -Subject: [PATCH] tests: Conditionally add prctl to test process - -prctl was already bypassed on Cygwin systems. This extends to -non-Linux systems such as kFreeBSD and Hurd. - ---- - lib/test_process.c | 4 ++-- - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/lib/test_process.c b/lib/test_process.c -index 6e652ed..6a4776c 100644 ---- a/lib/test_process.c -+++ b/lib/test_process.c -@@ -21,7 +21,9 @@ - #include <stdlib.h> - #include <unistd.h> - #include <signal.h> -+#ifdef __linux__ - #include <sys/prctl.h> -+#endif - #include "c.h" - - #define DEFAULT_SLEEPTIME 300 -@@ -78,8 +80,10 @@ - sigaction(SIGUSR1, &signal_action, NULL); - sigaction(SIGUSR2, &signal_action, NULL); - -+#ifdef __linux__ - /* set process name */ - prctl(PR_SET_NAME, MY_NAME, NULL, NULL, NULL); -+#endif - - while (sleep_time > 0) { - sleep_time = sleep(sleep_time); --- -2.8.2 - diff --git a/gnu/packages/patches/python-3.4-fix-tests.patch b/gnu/packages/patches/python-3.4-fix-tests.patch new file mode 100644 index 0000000000..d1f8138e79 --- /dev/null +++ b/gnu/packages/patches/python-3.4-fix-tests.patch @@ -0,0 +1,12 @@ +--- Lib/test/test_posixpath.py 2014-03-01 05:46:56.984311000 +0100 ++++ Lib/test/test_posixpath.py 2014-03-07 00:59:20.888311000 +0100 +@@ -319,7 +319,11 @@ + del env['HOME'] + home = pwd.getpwuid(os.getuid()).pw_dir + # $HOME can end with a trailing /, so strip it (see #17809) +- self.assertEqual(posixpath.expanduser("~"), home.rstrip("/")) ++ # The Guix builders have '/' as a home directory, so ++ # home.rstrip("/") will be an empty string and the test will ++ # fail. Let's just disable it since it does not really make ++ # sense with such a bizarre setup. ++ # self.assertEqual(posixpath.expanduser("~"), home.rstrip("/")) diff --git a/gnu/packages/patches/python-3.5-fix-tests.patch b/gnu/packages/patches/python-3.5-fix-tests.patch new file mode 100644 index 0000000000..46d2a84efb --- /dev/null +++ b/gnu/packages/patches/python-3.5-fix-tests.patch @@ -0,0 +1,46 @@ +Additional test fixes which affect Python 3.5 (and presumably later) but not +prior revisions of Python. + +--- Lib/test/test_pathlib.py 2014-03-01 03:02:36.088311000 +0100 ++++ Lib/test/test_pathlib.py 2014-03-01 04:56:37.768311000 +0100 +@@ -1986,8 +1986,9 @@ + expect = set() if not support.fs_is_case_insensitive(BASE) else given + self.assertEqual(given, expect) + self.assertEqual(set(p.rglob("FILEd*")), set()) + ++ @unittest.skipIf(True, "Guix builder home is '/' which causes trouble for these tests") + def test_expanduser(self): + P = self.cls + support.import_module('pwd') + import pwd +--- Lib/test/test_tarfile.py 2016-02-24 19:22:52.597208055 +0000 ++++ Lib/test/test_tarfile.py 2016-02-24 20:50:48.941950135 +0000 +@@ -2305,11 +2305,14 @@ + try: + import pwd, grp + except ImportError: + return False +- if pwd.getpwuid(0)[0] != 'root': +- return False +- if grp.getgrgid(0)[0] != 'root': ++ try: ++ if pwd.getpwuid(0)[0] != 'root': ++ return False ++ if grp.getgrgid(0)[0] != 'root': ++ return False ++ except KeyError: + return False + return True + + +--- Lib/test/test_asyncio/test_base_events.py ++++ Lib/test/test_asyncio/test_base_events.py +@@ -142,6 +142,8 @@ class BaseEventTests(test_utils.TestCase): + (INET, STREAM, TCP, '', ('1.2.3.4', 1)), + base_events._ipaddr_info('1.2.3.4', b'1', INET, STREAM, TCP)) + ++ @unittest.skipUnless(support.is_resource_enabled('network'), ++ 'network is not enabled') + def test_getaddrinfo_servname(self): + INET = socket.AF_INET + STREAM = socket.SOCK_STREAM diff --git a/gnu/packages/patches/python-disable-ssl-test.patch b/gnu/packages/patches/python-disable-ssl-test.patch deleted file mode 100644 index e351c77505..0000000000 --- a/gnu/packages/patches/python-disable-ssl-test.patch +++ /dev/null @@ -1,12 +0,0 @@ -Disable a test that fails with openssl-1.0.2b. - ---- Lib/test/test_ssl.py.orig 2015-02-25 06:27:45.000000000 -0500 -+++ Lib/test/test_ssl.py 2015-06-12 03:14:09.395212502 -0400 -@@ -2718,6 +2718,7 @@ - chatty=True, connectionchatty=True) - self.assertIs(stats['compression'], None) - -+ @unittest.skipIf(True, "openssl 1.0.2b complains: dh key too small") - def test_dh_params(self): - # Check we can get a connection with ephemeral Diffie-Hellman - context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) diff --git a/gnu/packages/patches/python-fix-tests.patch b/gnu/packages/patches/python-fix-tests.patch index 82c19980f9..e093307c51 100644 --- a/gnu/packages/patches/python-fix-tests.patch +++ b/gnu/packages/patches/python-fix-tests.patch @@ -20,21 +20,6 @@ http://bugs.python.org/issue20868 . def test_tarfile_root_owner(self): tmpdir, tmpdir2, base_name = self._create_files() ---- Lib/test/test_posixpath.py 2014-03-01 05:46:56.984311000 +0100 -+++ Lib/test/test_posixpath.py 2014-03-07 00:59:20.888311000 +0100 -@@ -319,7 +319,11 @@ - del env['HOME'] - home = pwd.getpwuid(os.getuid()).pw_dir - # $HOME can end with a trailing /, so strip it (see #17809) -- self.assertEqual(posixpath.expanduser("~"), home.rstrip("/")) -+ # The Guix builders have '/' as a home directory, so -+ # home.rstrip("/") will be an empty string and the test will -+ # fail. Let's just disable it since it does not really make -+ # sense with such a bizarre setup. -+ # self.assertEqual(posixpath.expanduser("~"), home.rstrip("/")) - - def test_normpath(self): - self.assertEqual(posixpath.normpath(""), ".") --- Lib/test/test_socket.py.orig 2014-03-02 22:14:12.264311000 +0100 +++ Lib/test/test_socket.py 2014-03-21 03:50:45.660311000 +0100 @@ -819,6 +819,8 @@ |