From a630c64709af2ab7fdeb797ee35d89964b1fc042 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Mon, 5 Feb 2018 16:21:12 -0500
Subject: gnu: p7zip: Fix CVE-2017-17969.
* gnu/packages/patches/p7zip-CVE-2017-17969.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/compression.scm (p7zip)[source]: Use it.
---
gnu/packages/patches/p7zip-CVE-2017-17969.patch | 35 +++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 gnu/packages/patches/p7zip-CVE-2017-17969.patch
(limited to 'gnu/packages/patches')
diff --git a/gnu/packages/patches/p7zip-CVE-2017-17969.patch b/gnu/packages/patches/p7zip-CVE-2017-17969.patch
new file mode 100644
index 0000000000..51c24000e5
--- /dev/null
+++ b/gnu/packages/patches/p7zip-CVE-2017-17969.patch
@@ -0,0 +1,35 @@
+Fix CVE-2017-17969:
+
+https://sourceforge.net/p/p7zip/bugs/204/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17969
+
+Patch copied from Debian.
+
+Subject: Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp
+Origin: vendor, https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/27d7/attachment/CVE-2017-17969.patch
+Forwarded: https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/#27d7
+Bug: https://sourceforge.net/p/p7zip/bugs/204/
+Bug-Debian: https://bugs.debian.org/888297
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17969
+Author: Antoine Beaupré
+Reviewed-by: Salvatore Bonaccorso
+Last-Update: 2018-02-01
+Applied-Upstream: 18.00-beta
+
+--- a/CPP/7zip/Compress/ShrinkDecoder.cpp
++++ b/CPP/7zip/Compress/ShrinkDecoder.cpp
+@@ -121,8 +121,13 @@ HRESULT CDecoder::CodeReal(ISequentialIn
+ {
+ _stack[i++] = _suffixes[cur];
+ cur = _parents[cur];
++ if (cur >= kNumItems || i >= kNumItems)
++ break;
+ }
+-
++
++ if (cur >= kNumItems || i >= kNumItems)
++ break;
++
+ _stack[i++] = (Byte)cur;
+ lastChar2 = (Byte)cur;
+
-- cgit v1.2.3
From 924b96db0aecc9f0b0bcd21165b5d5ea47199e29 Mon Sep 17 00:00:00 2001
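Review bot: Both added guards in the ShrinkDecoder.cpp hunk leave their loop with `break`, so a stream whose `_parents` chain would run past `_stack` (presumably sized `kNumItems`, given the bound used) is handled like a normal end of data rather than reported as corrupt. If the enclosing loop falls through to the usual flush-and-return path, which lies outside the hunk and is therefore an inference, the caller receives a success code together with truncated output. Consider making the second guard fail the decode, e.g. `if (cur >= kNumItems || i >= kNumItems) return S_FALSE;`, so extraction of a malformed Shrink stream is visibly rejected. A short comment above the guard inside the `while` body, such as `// a cyclic or out-of-range _parents chain must not write past the end of _stack`, would record why the check is repeated. CodeReal's body starts and ends outside the hunk.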
From: Mathieu Othacehe Date: Mon, 5 Feb 2018 16:50:14 +0100 Subject: gnu: gpsbabel: Update to 1.5.4 and fix build. * gnu/packages/patches/gpsbabel-minizip.patch: New file. * gnu/packages/patches/gpsbabel-qstring.patch: New file. * gnu/local.mk (dist_patch_DATA): Update accordingly. * gnu/packages/gps.scm (gpsbabel): Update to 1.5.4, [source]: add two previous patches to fix build, [snippet]: remove "gpsbabel" directory excursion, [arguments]: ditto. --- gnu/local.mk | 2 + gnu/packages/gps.scm | 22 +++++---- gnu/packages/patches/gpsbabel-minizip.patch | 13 ++++++ gnu/packages/patches/gpsbabel-qstring.patch | 69 +++++++++++++++++++++++++++++ 4 files changed, 94 insertions(+), 12 deletions(-) create mode 100644 gnu/packages/patches/gpsbabel-minizip.patch create mode 100644 gnu/packages/patches/gpsbabel-qstring.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index 7011282272..8aa09a5fe5 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -717,6 +717,8 @@ dist_patch_DATA = \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ %D%/packages/patches/gobject-introspection-cc.patch \ %D%/packages/patches/gobject-introspection-girepository.patch \ + %D%/packages/patches/gpsbabel-minizip.patch \ + %D%/packages/patches/gpsbabel-qstring.patch \ %D%/packages/patches/graphite2-ffloat-store.patch \ %D%/packages/patches/grep-gnulib-lock.patch \ %D%/packages/patches/grep-timing-sensitive-test.patch \ diff --git a/gnu/packages/gps.scm b/gnu/packages/gps.scm index 051d01b02b..211a33ef89 100644 --- a/gnu/packages/gps.scm +++ b/gnu/packages/gps.scm @@ -25,6 +25,7 @@ (define-module (gnu packages gps) #:use-module (guix git-download) #:use-module (guix build-system gnu) #:use-module ((guix licenses) #:prefix license:) + #:use-module (gnu packages) #:use-module (gnu packages base) #:use-module (gnu packages pkg-config) #:use-module (gnu packages compression) 
@@ -38,7 +39,7 @@ (define-module (gnu packages gps) (define-public gpsbabel (package (name "gpsbabel") - (version "1.5.2") + (version "1.5.4") (source (origin (method url-fetch) ;; XXX: Downloads from gpsbabel.org are hidden behind a POST, so @@ -48,17 +49,21 @@ (define-public gpsbabel version ".orig.tar.gz")) (sha256 (base32 - "0xf7wmy2m29g2lm8lqc74yf8rf7sxfl3cfwbk7dpf0yf42pb0b6w")) + "19hykxhyl567gf8qcrl33qhv95w0g4vxw9r3h9b8d8plx9bnaf8l")) + (patches (search-patches + "gpsbabel-minizip.patch" + ;; XXX: Remove this patch on the next release. + "gpsbabel-qstring.patch")) (modules '((guix build utils))) (snippet '(begin ;; Delete files under GPL-compatible licences but never used ;; on GNU systems, rather than bloating the LICENSE field. - (with-directory-excursion "gpsbabel" - (delete-file "gui/serial_mac.cc") ; Apple MIT - (delete-file "mingw/include/ddk/hidsdi.h")) ; public domain + (delete-file "gui/serial_mac.cc") ; Apple MIT + (delete-file "mingw/include/ddk/hidsdi.h") ; public domain #t)))) (build-system gnu-build-system) + ;; TODO: "make doc" requires Docbook & co. (arguments `(#:configure-flags '("--with-zlib=system" @@ -66,13 +71,6 @@ (define-public gpsbabel ;; recent binutils: ;; https://codereview.qt-project.org/#/c/111787/ "CXXFLAGS=-std=gnu++11 -fPIC") - #:phases - (modify-phases %standard-phases - (add-before 'configure 'pre-configure - (lambda _ - (chdir "gpsbabel")))) - ;; TODO: "make doc" requires Docbook & co. - ;; On i686, 'raymarine.test' fails because of a rounding error: ;; . As a workaround, disable tests ;; on these platforms. diff --git a/gnu/packages/patches/gpsbabel-minizip.patch b/gnu/packages/patches/gpsbabel-minizip.patch new file mode 100644 index 0000000000..8f3bb36f57 --- /dev/null +++ b/gnu/packages/patches/gpsbabel-minizip.patch 
@@ -0,0 +1,13 @@
+Patch taken from https://sources.debian.org/data/main/g/gpsbabel/1.5.3-2/debian/patches/use_minizip.
+
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -120,7 +120,7 @@ LIBOBJS = queue.o route.o waypt.o filter
+ src/core/usasciicodec.o\
+ src/core/ziparchive.o \
+ $(GARMIN) $(JEEPS) $(SHAPE) @ZLIB@ $(FMTS) $(FILTERS)
+-OBJS = main.o globals.o $(LIBOBJS) @FILEINFO@
++OBJS = main.o globals.o $(MINIZIP) $(LIBOBJS) @FILEINFO@
+
+ DEPFILES = $(OBJS:.o=.d)
+
\ No newline at end of file
diff --git a/gnu/packages/patches/gpsbabel-qstring.patch b/gnu/packages/patches/gpsbabel-qstring.patch
new file mode 100644
index 0000000000..8ba1a7213b
--- /dev/null
+++ b/gnu/packages/patches/gpsbabel-qstring.patch
@@ -0,0 +1,69 @@ +Extracted from following patch of gpsbabel: +https://github.com/gpsbabel/gpsbabel/commit/604178aa8ad4d3c3ad218df24c1e9a6a1f683bb3 + +From 604178aa8ad4d3c3ad218df24c1e9a6a1f683bb3 Mon Sep 17 00:00:00 2001 +From: Harel Mazor +Date: Tue, 24 Jan 2017 00:35:04 +0200 +Subject: [PATCH] Added geojson read capablity, moved magic strings to + constants, fixed windows compilation issues. + +--- a/tef_xml.cc ++++ b/tef_xml.cc +@@ -72,11 +72,11 @@ tef_start(xg_string args, const QXmlStreamAttributes* attrv) + bool valid = false; + + foreach(QXmlStreamAttribute attr, *attrv) { +- if (attr.name().compare("Comment", Qt::CaseInsensitive) == 0) { +- if (attr.value().compare("TourExchangeFormat", Qt::CaseInsensitive) == 0) { ++ if (attr.name().compare(QString("Comment"), Qt::CaseInsensitive) == 0) { ++ if (attr.value().compare(QString("TourExchangeFormat"), Qt::CaseInsensitive) == 0) { + valid = true; + } +- } else if (attr.name().compare("Version", Qt::CaseInsensitive) == 0) { ++ } else if (attr.name().compare(QString("Version"), Qt::CaseInsensitive) == 0) { + version = attr.value().toString().toDouble(); + } + } +@@ -95,9 +95,9 @@ tef_header(xg_string args, const QXmlStreamAttributes* attrv) + { + route = route_head_alloc(); + foreach(QXmlStreamAttribute attr, *attrv) { +- if (attr.name().compare("Name", Qt::CaseInsensitive) == 0) { ++ if (attr.name().compare(QString("Name"), Qt::CaseInsensitive) == 0) { + route->rte_name = attr.value().toString().trimmed(); +- } else if (attr.name().compare("Software", Qt::CaseInsensitive) == 0) { ++ } else if (attr.name().compare(QString("Software"), Qt::CaseInsensitive) == 0) { + route->rte_desc = attr.value().toString().trimmed(); + } + } +@@ -248,20 +248,20 @@ tef_item_start(xg_string args, const QXmlStreamAttributes* attrv) + QString attrstr = attr.value().toString(); + QByteArray attrtext = attrstr.toUtf8(); + +- if (attr.name().compare("SegDescription", Qt::CaseInsensitive) == 0) { ++ if 
(attr.name().compare(QString("SegDescription"), Qt::CaseInsensitive) == 0) { + wpt_tmp->shortname = attrstr.trimmed(); +- } else if (attr.name().compare("PointDescription", Qt::CaseInsensitive) == 0) { ++ } else if (attr.name().compare(QString("PointDescription"), Qt::CaseInsensitive) == 0) { + wpt_tmp->description = attrstr.trimmed(); +- } else if (attr.name().compare("ViaStation", Qt::CaseInsensitive) == 0 && +- attr.value().compare("true", Qt::CaseInsensitive) == 0) { ++ } else if (attr.name().compare(QString("ViaStation"), Qt::CaseInsensitive) == 0 && ++ attr.value().compare(QString("true"), Qt::CaseInsensitive) == 0) { + wpt_tmp->wpt_flags.fmt_use = 1; /* only a flag */ + + /* new in TEF V2 */ +- } else if (attr.name().compare("Instruction", Qt::CaseInsensitive) == 0) { ++ } else if (attr.name().compare(QString("Instruction"), Qt::CaseInsensitive) == 0) { + wpt_tmp->description = attrstr.trimmed(); +- } else if (attr.name().compare("Altitude", Qt::CaseInsensitive) == 0) { ++ } else if (attr.name().compare(QString("Altitude"), Qt::CaseInsensitive) == 0) { + wpt_tmp->altitude = attrstr.toDouble(); +- } else if (attr.name().compare("TimeStamp", Qt::CaseInsensitive) == 0) { ++ } else if (attr.name().compare(QString("TimeStamp"), Qt::CaseInsensitive) == 0) { + /* nothing for the moment */ + } + } +-- +2.16.1 + -- cgit v1.2.3 From 71e789319cfe81731d61ec3c6a6dd2110baa7190 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 6 Feb 2018 17:33:14 +0100 Subject: gnu: hwloc: Add 2.0.0. * gnu/packages/mpi.scm (hwloc-2.0): New variable. * gnu/packages/patches/hwloc-tests-without-sysfs.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/mpi.scm | 23 +++++++++++- .../patches/hwloc-tests-without-sysfs.patch | 42 ++++++++++++++++++++++ 3 files changed, 65 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/hwloc-tests-without-sysfs.patch (limited to 'gnu/packages/patches') 
diff --git a/gnu/local.mk b/gnu/local.mk index 8aa09a5fe5..ca400dae6d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -757,6 +757,7 @@ dist_patch_DATA = \ %D%/packages/patches/higan-remove-march-native-flag.patch \ %D%/packages/patches/hubbub-sort-entities.patch \ %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \ + %D%/packages/patches/hwloc-tests-without-sysfs.patch \ %D%/packages/patches/hydra-disable-darcs-test.patch \ %D%/packages/patches/icecat-avoid-bundled-libraries.patch \ %D%/packages/patches/icecat-bug-1348660-pt5.patch \ diff --git a/gnu/packages/mpi.scm b/gnu/packages/mpi.scm index d9a2094bea..442f7c5371 100644 --- a/gnu/packages/mpi.scm +++ b/gnu/packages/mpi.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2014, 2015 Eric Bavier -;;; Copyright © 2014, 2015, 2016, 2017 Ludovic Courtès +;;; Copyright © 2014, 2015, 2016, 2017, 2018 Ludovic Courtès ;;; Copyright © 2014 Ian Denhardt ;;; Copyright © 2016 Andreas Enge ;;; Copyright © 2017 Dave Love @@ -39,9 +39,12 @@ (define-module (gnu packages mpi) #:use-module (gnu packages ncurses) #:use-module (gnu packages pkg-config) #:use-module (gnu packages valgrind) + #:use-module (srfi srfi-1) #:use-module (ice-9 match)) (define-public hwloc + ;; Note: For now we keep 1.x as the default because many packages have yet + ;; to migrate to 2.0. (package (name "hwloc") (version "1.11.8") 
@@ -110,6 +113,24 @@ (define-public hwloc bind processes, and much more.") (license bsd-3))) +(define-public hwloc-2.0 + ;; Note: 2.0 isn't the default yet, see above. + (package + (inherit hwloc) + (version "2.0.0") + (source (origin + (method url-fetch) + (uri (string-append "https://www.open-mpi.org/software/hwloc/v" + (version-major+minor version) + "/downloads/hwloc-" version ".tar.bz2")) + (sha256 + (base32 + "021765f9y6pxcxrvfpzzwaig16ypfbph5xjpkd29qkhzs9r6zrcr")) + (patches (search-patches "hwloc-tests-without-sysfs.patch")))) + + ;; libnuma is no longer needed. + (inputs (alist-delete "numactl" (package-inputs hwloc))))) + (define-public openmpi (package (name "openmpi") diff --git a/gnu/packages/patches/hwloc-tests-without-sysfs.patch b/gnu/packages/patches/hwloc-tests-without-sysfs.patch new file mode 100644 index 0000000000..ea6ec41616 --- /dev/null +++ b/gnu/packages/patches/hwloc-tests-without-sysfs.patch 
@@ -0,0 +1,42 @@
+Fix a test failure in the build environment, where /sys is missing.
+From .
+
+From a2cc4f2e2bf4a8bbdd61b578a62e27e7482799cf Mon Sep 17 00:00:00 2001
+From: Brice Goglin
+Date: Tue, 6 Feb 2018 17:13:26 +0100
+Subject: [PATCH] linux: honor the filtering cores and packages when reading
+ topology from cpuinfo
+
+Caused a make check crash in lstopo --filter all:none in chroot without sysfs.
+
+Thanks to Ludovic Courtes for the report.
+
+Signed-off-by: Brice Goglin
+---
+ hwloc/topology-linux.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hwloc/topology-linux.c b/hwloc/topology-linux.c
+index 290da0d72..e1bbf94e1 100644
+--- a/hwloc/topology-linux.c
++++ b/hwloc/topology-linux.c
+@@ -4101,7 +4101,8 @@ look_cpuinfo(struct hwloc_topology *topology,
+ }
+ /* create package objects */
+ hwloc_debug("%u pkgs%s\n", numpkgs, missingpkg ? ", but some missing package" : "");
+- if (!missingpkg && numpkgs>0) {
++ if (!missingpkg && numpkgs>0
++ && hwloc_filter_check_keep_object_type(topology, HWLOC_OBJ_PACKAGE)) {
+ for (i = 0; i < numpkgs; i++) {
+ struct hwloc_obj *obj = hwloc_alloc_setup_object(topology, HWLOC_OBJ_PACKAGE, Lpkg_to_Ppkg[i]);
+ int doneinfos = 0;
+@@ -4145,7 +4146,8 @@ look_cpuinfo(struct hwloc_topology *topology,
+ }
+ /* create Core objects */
+ hwloc_debug("%u cores%s\n", numcores, missingcore ? ", but some missing core" : "");
+- if (!missingcore && numcores>0) {
++ if (!missingcore && numcores>0
++ && hwloc_filter_check_keep_object_type(topology, HWLOC_OBJ_CORE)) {
+ for (i = 0; i < numcores; i++) {
+ struct hwloc_obj *obj = hwloc_alloc_setup_object(topology, HWLOC_OBJ_CORE, Lcore_to_Pcore[i]);
+ obj->cpuset = hwloc_bitmap_alloc();
-- cgit v1.2.3
From 0b18c0b0de9aabb12b4c1503303e4dde410f6470 Mon Sep 17 00:00:00 2001
From: Leo Famulari Date: Wed, 7 Feb 2018 03:01:11 -0500 Subject: gnu: mupdf: Fix CVE-2017-17858. * gnu/packages/patches/mupdf-CVE-2017-17858.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/pdf.scm (mupdf)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/patches/mupdf-CVE-2017-17858.patch | 111 ++++++++++++++++++++++++ gnu/packages/pdf.scm | 3 +- 3 files changed, 114 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/mupdf-CVE-2017-17858.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index ca400dae6d..421350881b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -921,6 +921,7 @@ dist_patch_DATA = \ %D%/packages/patches/mozjs38-version-detection.patch \ %D%/packages/patches/mumps-build-parallelism.patch \ %D%/packages/patches/mupdf-build-with-latest-openjpeg.patch \ + %D%/packages/patches/mupdf-CVE-2017-17858.patch \ %D%/packages/patches/mupen64plus-ui-console-notice.patch \ %D%/packages/patches/mutt-store-references.patch \ %D%/packages/patches/ncurses-CVE-2017-10684-10685.patch \ diff --git a/gnu/packages/patches/mupdf-CVE-2017-17858.patch b/gnu/packages/patches/mupdf-CVE-2017-17858.patch new file mode 100644 index 0000000000..66df127509 --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2017-17858.patch 
@@ -0,0 +1,111 @@ +Fix CVE-2017-17858: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17858 +https://bugs.ghostscript.com/show_bug.cgi?id=698819 +https://github.com/mzet-/Security-Advisories/blob/master/mzet-adv-2017-01.md + +Patch copied from upstream source repository: + +https://git.ghostscript.com/?p=mupdf.git;a=commit;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731 + +From 55c3f68d638ac1263a386e0aaa004bb6e8bde731 Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Mon, 11 Dec 2017 14:09:15 +0100 +Subject: [PATCH] Bugs 698804/698810/698811: Keep PDF object numbers below + limit. + +This ensures that: + * xref tables with objects pointers do not grow out of bounds. + * other readers, e.g. Adobe Acrobat can parse PDFs written by mupdf. +--- + include/mupdf/pdf/object.h | 3 +++ + source/pdf/pdf-repair.c | 5 +---- + source/pdf/pdf-xref.c | 21 ++++++++++++--------- + 3 files changed, 16 insertions(+), 13 deletions(-) + +diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h +index 21ed8595..4177112b 100644 +--- a/include/mupdf/pdf/object.h ++++ b/include/mupdf/pdf/object.h +@@ -3,6 +3,9 @@ + + typedef struct pdf_document_s pdf_document; + ++/* Defined in PDF 1.7 according to Acrobat limit. */ ++#define PDF_MAX_OBJECT_NUMBER 8388607 ++ + /* + * Dynamic objects. + * The same type of objects as found in PDF and PostScript. +diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c +index ca149bd3..0c29758e 100644 +--- a/source/pdf/pdf-repair.c ++++ b/source/pdf/pdf-repair.c +@@ -6,9 +6,6 @@ + + /* Scan file for objects and reconstruct xref table */ + +-/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. 
*/ +-#define MAX_OBJECT_NUMBER (10 << 20) +- + struct entry + { + int num; +@@ -436,7 +433,7 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc) + break; + } + +- if (num <= 0 || num > MAX_OBJECT_NUMBER) ++ if (num <= 0 || num > PDF_MAX_OBJECT_NUMBER) + { + fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen); + goto have_next_token; +diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c +index 00586dbd..6284e70b 100644 +--- a/source/pdf/pdf-xref.c ++++ b/source/pdf/pdf-xref.c +@@ -868,11 +868,12 @@ pdf_read_old_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) + fz_seek(ctx, file, -(2 + (int)strlen(s)), SEEK_CUR); + } + +- if (ofs < 0) +- fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs); +- if (ofs > INT64_MAX - len) +- fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big"); +- ++ if (ofs < 0 || ofs > PDF_MAX_OBJECT_NUMBER ++ || len < 0 || len > PDF_MAX_OBJECT_NUMBER ++ || ofs + len - 1 > PDF_MAX_OBJECT_NUMBER) ++ { ++ fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range"); ++ } + /* broken pdfs where size in trailer undershoots entries in xref sections */ + if (ofs + len > xref_len) + { +@@ -933,10 +934,8 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, in + pdf_xref_entry *table; + int i, n; + +- if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1) +- fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index"); +- //if (i0 + i1 > pdf_xref_len(ctx, doc)) +- // fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries"); ++ if (i0 < 0 || i0 > PDF_MAX_OBJECT_NUMBER || i1 < 0 || i1 > PDF_MAX_OBJECT_NUMBER || i0 + i1 - 1 > PDF_MAX_OBJECT_NUMBER) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range"); + + table = pdf_xref_find_subsection(ctx, doc, i0, i1); + for (i = i0; i < i0 + i1; i++) +@@ -2086,6 +2085,10 @@ pdf_create_object(fz_context *ctx, pdf_document *doc) + /* TODO: reuse 
free object slots by properly linking free object chains in the ofs field */ + pdf_xref_entry *entry; + int num = pdf_xref_len(ctx, doc); ++ ++ if (num > PDF_MAX_OBJECT_NUMBER) ++ fz_throw(ctx, FZ_ERROR_GENERIC, "too many objects stored in pdf"); ++ + entry = pdf_get_incremental_xref_entry(ctx, doc, num); + entry->type = 'f'; + entry->ofs = -1; +-- +2.16.1 + diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index 96773da717..9730e6150c 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -584,7 +584,8 @@ (define-public mupdf (method url-fetch) (uri (string-append "https://mupdf.com/downloads/archive/" name "-" version "-source.tar.xz")) - (patches (search-patches "mupdf-build-with-latest-openjpeg.patch")) + (patches (search-patches "mupdf-build-with-latest-openjpeg.patch" + "mupdf-CVE-2017-17858.patch")) (sha256 (base32 "0b9j0gqbc3jhmx87r6idcsh8lnb30840c3hyx6dk2gdjqqh3hysp")) -- cgit v1.2.3 From 906f1b48e20a032c22a164c89f9e8862ab2bec7a Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Wed, 3 Jan 2018 09:01:53 +0100 Subject: gnu: luajit: Update to 2.1.0-beta3. * gnu/packages/lua.scm (luajit): Update to 2.1.0-beta3. [source]: Remove symlinks patch. * gnu/packages/patches/luajit-symlinks.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/lua.scm | 8 ++++---- gnu/packages/patches/luajit-symlinks.patch | 25 ------------------------- 3 files changed, 4 insertions(+), 30 deletions(-) delete mode 100644 gnu/packages/patches/luajit-symlinks.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index 421350881b..3f0023a2fb 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
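Review bot: The two new `fz_throw` calls in `pdf_read_old_xref` and `pdf_read_new_xref_section` share one fixed message and no longer report the rejected values, whereas the removed check printed the offending number (`out of range object num in xref: %d`). Including them keeps a malformed file diagnosable from the log alone, e.g. `fz_throw(ctx, FZ_ERROR_GENERIC, "xref subsection object numbers are out of range (%d, %d)", (int)ofs, (int)len);` with the cast the old message already used, and the same with `i0` and `i1` in the stream reader. The sums `ofs + len - 1` and `i0 + i1 - 1` are safe only because both operands were already compared against `PDF_MAX_OBJECT_NUMBER` earlier in the same `||` chain, so a comment such as `/* operands are bounded above, so the sum cannot overflow */` would keep a later edit from reordering the tests. Both functions begin and end outside their hunks.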
@@ -891,7 +891,6 @@ dist_patch_DATA = \ %D%/packages/patches/lua51-pkgconfig.patch \ %D%/packages/patches/lua-liblua-so.patch \ %D%/packages/patches/luajit-no_ldconfig.patch \ - %D%/packages/patches/luajit-symlinks.patch \ %D%/packages/patches/luit-posix.patch \ %D%/packages/patches/luminance-hdr-qt-printer.patch \ %D%/packages/patches/lvm2-static-link.patch \ diff --git a/gnu/packages/lua.scm b/gnu/packages/lua.scm index b375ff90c3..fd14956007 100644 --- a/gnu/packages/lua.scm +++ b/gnu/packages/lua.scm @@ -8,6 +8,7 @@ ;;; Copyright © 2016 doncatnip ;;; Copyright © 2016, 2017 Clément Lassieur ;;; Copyright © 2016 José Miguel Sánchez García +;;; Copyright © 2018 Tobias Geerinckx-Rice ;;; Copyright © 2018 Fis Trivial ;;; ;;; This file is part of GNU Guix. @@ -116,15 +117,14 @@ (define-public lua-5.1 (define-public luajit (package (name "luajit") - (version "2.1.0-beta2") + (version "2.1.0-beta3") (source (origin (method url-fetch) (uri (string-append "http://luajit.org/download/LuaJIT-" version ".tar.gz")) (sha256 - (base32 "0iyghj1xjlmd9ywa4flf9yszynf3jhbp0yqb9b49k7ab0g528fbi")) - (patches (search-patches "luajit-symlinks.patch" - "luajit-no_ldconfig.patch")))) + (base32 "1hyrhpkwjqsv54hnnx4cl8vk44h9d6c9w0fz1jfjz00w255y7lhs")) + (patches (search-patches "luajit-no_ldconfig.patch")))) (build-system gnu-build-system) (arguments '(#:tests? #f ;luajit is distributed without tests diff --git a/gnu/packages/patches/luajit-symlinks.patch b/gnu/packages/patches/luajit-symlinks.patch deleted file mode 100644 index 2466c34144..0000000000 --- a/gnu/packages/patches/luajit-symlinks.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 0a54a8f125d7ab508c7c88d5ad4ed1b0c63cb5b6 Mon Sep 17 00:00:00 2001 -From: =?utf8?q?Tom=C3=A1=C5=A1=20=C4=8Cech?= -Date: Wed, 4 Feb 2015 11:32:55 +0100 -Subject: [PATCH 1/2] Provide two symlinks for dynamic library during install - ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 0891b71..343ecb5 100644 ---- a/Makefile -+++ b/Makefile -@@ -56,7 +56,7 @@ INSTALL_PCNAME= luajit.pc - INSTALL_STATIC= $(INSTALL_LIB)/$(INSTALL_ANAME) - INSTALL_DYN= $(INSTALL_LIB)/$(INSTALL_SONAME) - INSTALL_SHORT1= $(INSTALL_LIB)/$(INSTALL_SOSHORT) --INSTALL_SHORT2= $(INSTALL_LIB)/$(INSTALL_SOSHORT) -+INSTALL_SHORT2= $(INSTALL_LIB)/$(INSTALL_SOSHORT).$(MAJVER) - INSTALL_T= $(INSTALL_BIN)/$(INSTALL_TNAME) - INSTALL_TSYM= $(INSTALL_BIN)/$(INSTALL_TSYMNAME) - INSTALL_PC= $(INSTALL_PKGCONFIG)/$(INSTALL_PCNAME) --- -2.2.2 - -- cgit v1.2.3 From f81b6e770324e2b0b31a9cfdfe7f6d9793cb73c9 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Thu, 8 Feb 2018 18:21:02 +0100 Subject: gnu: libtirpc: Update to 1.0.2. * gnu/packages/onc-rpc.scm (libtirpc): Update to 1.0.2. [patches]: Remove patch for fixed CVE. * gnu/packages/patches/libtirpc-CVE-2017-8779.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/onc-rpc.scm | 6 +- gnu/packages/patches/libtirpc-CVE-2017-8779.patch | 263 ---------------------- 3 files changed, 3 insertions(+), 267 deletions(-) delete mode 100644 gnu/packages/patches/libtirpc-CVE-2017-8779.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index 3f0023a2fb..823469eea2 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -852,7 +852,6 @@ dist_patch_DATA = \ %D%/packages/patches/libtiff-tiffgetfield-bugs.patch \ %D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch \ %D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch \ - %D%/packages/patches/libtirpc-CVE-2017-8779.patch \ %D%/packages/patches/libtool-skip-tests2.patch \ %D%/packages/patches/libunistring-gnulib-multi-core.patch \ %D%/packages/patches/libusb-0.1-disable-tests.patch \ diff --git a/gnu/packages/onc-rpc.scm b/gnu/packages/onc-rpc.scm index a76ac36eab..61a643b037 100644 --- a/gnu/packages/onc-rpc.scm +++ b/gnu/packages/onc-rpc.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2014, 2017 Ludovic Courtès ;;; Copyright © 2016 John Darrington ;;; Copyright © 2017 Leo Famulari +;;; Copyright © 2018 Tobias Geerinckx-Rice ;;; ;;; This file is part of GNU Guix. ;;; @@ -30,16 +31,15 @@ (define-module (gnu packages onc-rpc) (define-public libtirpc (package (name "libtirpc") - (version "1.0.1") + (version "1.0.2") (source (origin (method url-fetch) (uri (string-append "mirror://sourceforge/libtirpc/libtirpc/" version "/libtirpc-" version ".tar.bz2")) - (patches (search-patches "libtirpc-CVE-2017-8779.patch")) (sha256 (base32 - "17mqrdgsgp9m92pmq7bvr119svdg753prqqxmg4cnz5y657rfmji")))) + "1xchbxy0xql7yl7z4n1icj8r7dmly46i22fvm00vdjq64zlmqg3j")))) (build-system gnu-build-system) (arguments `(#:phases diff --git a/gnu/packages/patches/libtirpc-CVE-2017-8779.patch b/gnu/packages/patches/libtirpc-CVE-2017-8779.patch deleted file mode 100644 index 742e64df25..0000000000 --- a/gnu/packages/patches/libtirpc-CVE-2017-8779.patch +++ /dev/null 
@@ -1,263 +0,0 @@ -Fix CVE-2017-8779: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779 - -Patch copied from the bug reporter's 3rd-party repository: - -https://github.com/guidovranken/rpcbomb/blob/master/libtirpc_patch.txt - -diff --git a/src/rpc_generic.c b/src/rpc_generic.c -index 2f09a8f..589cbd5 100644 ---- a/src/rpc_generic.c -+++ b/src/rpc_generic.c -@@ -615,6 +615,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf) - - switch (af) { - case AF_INET: -+ if (nbuf->len < sizeof(*sin)) { -+ return NULL; -+ } - sin = nbuf->buf; - if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf) - == NULL) -@@ -626,6 +629,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf) - break; - #ifdef INET6 - case AF_INET6: -+ if (nbuf->len < sizeof(*sin6)) { -+ return NULL; -+ } - sin6 = nbuf->buf; - if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6) - == NULL) -@@ -667,6 +673,8 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr) - - port = 0; - sin = NULL; -+ if (uaddr == NULL) -+ return NULL; - addrstr = strdup(uaddr); - if (addrstr == NULL) - return NULL; -diff --git a/src/rpcb_prot.c b/src/rpcb_prot.c -index 43fd385..a923c8e 100644 ---- a/src/rpcb_prot.c -+++ b/src/rpcb_prot.c -@@ -41,6 +41,7 @@ - #include - #include - #include -+#include "rpc_com.h" - - bool_t - xdr_rpcb(xdrs, objp) -@@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp) - if (!xdr_u_int32_t(xdrs, &objp->r_vers)) { - return (FALSE); - } -- if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) { -+ if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) { - return (FALSE); - } -- if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) { -+ if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) { - return (FALSE); - } -- if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) { -+ if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) { - return (FALSE); - } - return (TRUE); -@@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp) - XDR *xdrs; - rpcb_entry *objp; - { -- if (!xdr_string(xdrs, 
&objp->r_maddr, (u_int)~0)) { -+ if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) { - return (FALSE); - } -- if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) { -+ if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) { - return (FALSE); - } - if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) { - return (FALSE); - } -- if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) { -+ if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) { - return (FALSE); - } -- if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) { -+ if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) { - return (FALSE); - } - return (TRUE); -@@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p) - bool_t dummy; - struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p; - -- if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) { -+ if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) { - return (FALSE); - } - if (!xdr_u_int(xdrs, &objp->results.results_len)) { -@@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp) - if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) { - return (FALSE); - } -+ -+ if (objp->maxlen > RPC_MAXDATASIZE) { -+ return (FALSE); -+ } -+ - dummy = xdr_bytes(xdrs, (char **)&(objp->buf), - (u_int *)&(objp->len), objp->maxlen); - return (dummy); -diff --git a/src/rpcb_st_xdr.c b/src/rpcb_st_xdr.c -index 08db745..28e6a48 100644 ---- a/src/rpcb_st_xdr.c -+++ b/src/rpcb_st_xdr.c -@@ -37,6 +37,7 @@ - - - #include -+#include "rpc_com.h" - - /* Link list of all the stats about getport and getaddr */ - -@@ -58,7 +59,7 @@ xdr_rpcbs_addrlist(xdrs, objp) - if (!xdr_int(xdrs, &objp->failure)) { - return (FALSE); - } -- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { -+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { - return (FALSE); - } - -@@ -109,7 +110,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp) - IXDR_PUT_INT32(buf, objp->failure); - IXDR_PUT_INT32(buf, objp->indirect); - } -- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { -+ if (!xdr_string(xdrs, 
&objp->netid, RPC_MAXDATASIZE)) { - return (FALSE); - } - if (!xdr_pointer(xdrs, (char **)&objp->next, -@@ -147,7 +148,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp) - objp->failure = (int)IXDR_GET_INT32(buf); - objp->indirect = (int)IXDR_GET_INT32(buf); - } -- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { -+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { - return (FALSE); - } - if (!xdr_pointer(xdrs, (char **)&objp->next, -@@ -175,7 +176,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp) - if (!xdr_int(xdrs, &objp->indirect)) { - return (FALSE); - } -- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) { -+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) { - return (FALSE); - } - if (!xdr_pointer(xdrs, (char **)&objp->next, -diff --git a/src/xdr.c b/src/xdr.c -index f3fb9ad..b9a1558 100644 ---- a/src/xdr.c -+++ b/src/xdr.c -@@ -42,8 +42,10 @@ - #include - #include - -+#include - #include - #include -+#include - - typedef quad_t longlong_t; /* ANSI long long type */ - typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */ -@@ -53,7 +55,6 @@ typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */ - */ - #define XDR_FALSE ((long) 0) - #define XDR_TRUE ((long) 1) --#define LASTUNSIGNED ((u_int) 0-1) - - /* - * for unit alignment -@@ -629,6 +630,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize) - { - char *sp = *cpp; /* sp is the actual string pointer */ - u_int nodesize; -+ bool_t ret, allocated = FALSE; - - /* - * first deal with the length since xdr bytes are counted -@@ -652,6 +654,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize) - } - if (sp == NULL) { - *cpp = sp = mem_alloc(nodesize); -+ allocated = TRUE; - } - if (sp == NULL) { - warnx("xdr_bytes: out of memory"); -@@ -660,7 +663,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize) - /* FALLTHROUGH */ - - case XDR_ENCODE: -- return (xdr_opaque(xdrs, sp, nodesize)); -+ ret = xdr_opaque(xdrs, sp, nodesize); -+ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) { -+ if (allocated == TRUE) { -+ free(sp); -+ *cpp = NULL; -+ 
} -+ } -+ return (ret); - - case XDR_FREE: - if (sp != NULL) { -@@ -754,6 +764,7 @@ xdr_string(xdrs, cpp, maxsize) - char *sp = *cpp; /* sp is the actual string pointer */ - u_int size; - u_int nodesize; -+ bool_t ret, allocated = FALSE; - - /* - * first deal with the length since xdr strings are counted-strings -@@ -793,8 +804,10 @@ xdr_string(xdrs, cpp, maxsize) - switch (xdrs->x_op) { - - case XDR_DECODE: -- if (sp == NULL) -+ if (sp == NULL) { - *cpp = sp = mem_alloc(nodesize); -+ allocated = TRUE; -+ } - if (sp == NULL) { - warnx("xdr_string: out of memory"); - return (FALSE); -@@ -803,7 +816,14 @@ xdr_string(xdrs, cpp, maxsize) - /* FALLTHROUGH */ - - case XDR_ENCODE: -- return (xdr_opaque(xdrs, sp, size)); -+ ret = xdr_opaque(xdrs, sp, size); -+ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) { -+ if (allocated == TRUE) { -+ free(sp); -+ *cpp = NULL; -+ } -+ } -+ return (ret); - - case XDR_FREE: - mem_free(sp, nodesize); -@@ -823,7 +843,7 @@ xdr_wrapstring(xdrs, cpp) - XDR *xdrs; - char **cpp; - { -- return xdr_string(xdrs, cpp, LASTUNSIGNED); -+ return xdr_string(xdrs, cpp, RPC_MAXDATASIZE); - } - - /* -- cgit v1.2.3 From e61da2e8848782052d6d5d69f111520a7f772e52 Mon Sep 17 00:00:00 2001 From: Alex Vong Date: Wed, 7 Feb 2018 14:39:40 +0800 Subject: gnu: mpv: Fix CVE-2018-6360. * gnu/packages/patches/mpv-CVE-2018-6360-1.patch, gnu/packages/patches/mpv-CVE-2018-6360-2.patch, gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/video.scm (mpv)[source]: Use them. 
Signed-off-by: Leo Famulari --- gnu/local.mk | 5 +- gnu/packages/patches/mpv-CVE-2018-6360-1.patch | 138 +++++++++++++++++++++++++ gnu/packages/patches/mpv-CVE-2018-6360-2.patch | 59 +++++++++++ gnu/packages/patches/mpv-CVE-2018-6360-3.patch | 84 +++++++++++++++ gnu/packages/video.scm | 5 +- 5 files changed, 289 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-1.patch create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-2.patch create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-3.patch (limited to 'gnu/packages/patches') diff --git a/gnu/local.mk b/gnu/local.mk index 823469eea2..2ef483df0e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -9,7 +9,7 @@ # Copyright © 2016 Adonay "adfeno" Felipe Nogueira # Copyright © 2016, 2017 Ricardo Wurmus # Copyright © 2016 Ben Woodcroft -# Copyright © 2016, 2017 Alex Vong +# Copyright © 2016, 2017, 2018 Alex Vong # Copyright © 2016, 2017 Efraim Flashner # Copyright © 2016, 2017 Jan Nieuwenhuizen # Copyright © 2017 Tobias Geerinckx-Rice @@ -909,6 +909,9 @@ dist_patch_DATA = \ %D%/packages/patches/mhash-keygen-test-segfault.patch \ %D%/packages/patches/mingw-w64-5.0rc2-gcc-4.9.3.patch \ %D%/packages/patches/mpc123-initialize-ao.patch \ + %D%/packages/patches/mpv-CVE-2018-6360-1.patch \ + %D%/packages/patches/mpv-CVE-2018-6360-2.patch \ + %D%/packages/patches/mpv-CVE-2018-6360-3.patch \ %D%/packages/patches/module-init-tools-moduledir.patch \ %D%/packages/patches/mongodb-support-unknown-linux-distributions.patch \ %D%/packages/patches/mozjs17-aarch64-support.patch \ diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch new file mode 100644 index 0000000000..55fc7daaf3 --- /dev/null +++ b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch 
@@ -0,0 +1,138 @@ +Fix CVE-2018-6360: + +https://github.com/mpv-player/mpv/issues/5456 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360 +https://security-tracker.debian.org/tracker/CVE-2018-6360 + +Patch copied from upstream source repository: + +https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 + +To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk #4 +checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available +for the 0.28.0 release. So it should be safe to remove hunk #4. + +From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001 +From: Ricardo Constantino +Date: Fri, 26 Jan 2018 01:19:04 +0000 +Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from + youtube-dl + +Not very clean since there's a lot of potential unsafe urls that youtube-dl +can give us, depending on whether it's a single url, split tracks, +playlists, segmented dash, etc. +--- + player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 47 insertions(+), 7 deletions(-) + +diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua +index dd96ecc01d..b480c21625 100644 +--- a/player/lua/ytdl_hook.lua ++++ b/player/lua/ytdl_hook.lua +@@ -16,6 +16,18 @@ local ytdl = { + + local chapter_list = {} + ++function Set (t) ++ local set = {} ++ for _, v in pairs(t) do set[v] = true end ++ return set ++end ++ ++local safe_protos = Set { ++ "http", "https", "ftp", "ftps", ++ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte", ++ "data" ++} ++ + local function exec(args) + local ret = utils.subprocess({args = args}) + return ret.status, ret.stdout, ret +@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol, is_live, base) + + for i = offset, #fragments do + local fragment = fragments[i] ++ if not url_is_safe(join_url(base, fragment)) then ++ return nil ++ end + table.insert(parts, edl_escape(join_url(base, fragment))) + if 
fragment.duration then + parts[#parts] = +@@ -208,6 +223,15 @@ local function proto_is_dash(json) + or json["protocol"] == "http_dash_segments" + end + ++local function url_is_safe(url) ++ local proto = type(url) == "string" and url:match("^(.+)://") or nil ++ local safe = proto and safe_protos[proto] ++ if not safe then ++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) ++ end ++ return safe ++end ++ + local function add_single_video(json) + local streamurl = "" + local max_bitrate = 0 +@@ -238,14 +264,18 @@ local function add_single_video(json) + edl_track = edl_track_joined(track.fragments, + track.protocol, json.is_live, + track.fragment_base_url) ++ local url = edl_track or track.url ++ if not url_is_safe(url) then ++ return ++ end + if track.acodec and track.acodec ~= "none" then + -- audio track + mp.commandv("audio-add", +- edl_track or track.url, "auto", ++ url, "auto", + track.format_note or "") + elseif track.vcodec and track.vcodec ~= "none" then + -- video track +- streamurl = edl_track or track.url ++ streamurl = url + end + end + +@@ -264,7 +294,13 @@ local function add_single_video(json) + + msg.debug("streamurl: " .. streamurl) + +- mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1)) ++ streamurl = streamurl:gsub("^data:", "data://", 1) ++ ++ if not url_is_safe(streamurl) then ++ return ++ end ++ ++ mp.set_property("stream-open-filename", streamurl) + + mp.set_property("file-local-options/force-media-title", json.title) + +@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function () + site = entry["webpage_url"] + end + +- if not (site:find("https?://") == 1) then +- site = "ytdl://" .. site ++ -- links with only youtube id as returned by --flat-playlist ++ if not site:find("://") then ++ table.insert(playlist, "ytdl://" .. 
site) ++ elseif url_is_safe(site) then ++ table.insert(playlist, site) + end +- table.insert(playlist, site) + + end + +- mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n")) ++ if #playlist > 0 then ++ mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n")) ++ end + end + + else -- probably a video +-- +2.16.1 + diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch new file mode 100644 index 0000000000..b37e33a641 --- /dev/null +++ b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch 
@@ -0,0 +1,59 @@ +Fix CVE-2018-6360: + +https://github.com/mpv-player/mpv/issues/5456 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360 +https://security-tracker.debian.org/tracker/CVE-2018-6360 + +Patch copied from upstream source repository: + +https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f + +From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001 +From: Ricardo Constantino +Date: Fri, 26 Jan 2018 11:26:27 +0000 +Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code + +lua isn't javascript. +--- + player/lua/ytdl_hook.lua | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua +index b480c21625..458c94af38 100644 +--- a/player/lua/ytdl_hook.lua ++++ b/player/lua/ytdl_hook.lua +@@ -84,6 +84,15 @@ local function edl_escape(url) + return "%" .. string.len(url) .. "%" .. url + end + ++local function url_is_safe(url) ++ local proto = type(url) == "string" and url:match("^(.+)://") or nil ++ local safe = proto and safe_protos[proto] ++ if not safe then ++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) ++ end ++ return safe ++end ++ + local function time_to_secs(time_string) + local ret + +@@ -223,15 +232,6 @@ local function proto_is_dash(json) + or json["protocol"] == "http_dash_segments" + end + +-local function url_is_safe(url) +- local proto = type(url) == "string" and url:match("^(.+)://") or nil +- local safe = proto and safe_protos[proto] +- if not safe then +- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) +- end +- return safe +-end +- + local function add_single_video(json) + local streamurl = "" + local max_bitrate = 0 +-- +2.16.1 + diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch new file mode 100644 index 0000000000..dc3e272d37 --- /dev/null +++ b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch 
@@ -0,0 +1,84 @@ +Fix CVE-2018-6360: + +https://github.com/mpv-player/mpv/issues/5456 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360 +https://security-tracker.debian.org/tracker/CVE-2018-6360 + +Patch copied from upstream source repository: + +https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828 + +From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001 +From: Ricardo Constantino +Date: Fri, 26 Jan 2018 18:54:17 +0000 +Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls + +--- + player/lua/ytdl_hook.lua | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua +index 458c94af38..6c8e78657d 100644 +--- a/player/lua/ytdl_hook.lua ++++ b/player/lua/ytdl_hook.lua +@@ -264,18 +264,17 @@ local function add_single_video(json) + edl_track = edl_track_joined(track.fragments, + track.protocol, json.is_live, + track.fragment_base_url) +- local url = edl_track or track.url +- if not url_is_safe(url) then ++ if not edl_track and not url_is_safe(track.url) then + return + end + if track.acodec and track.acodec ~= "none" then + -- audio track + mp.commandv("audio-add", +- url, "auto", ++ edl_track or track.url, "auto", + track.format_note or "") + elseif track.vcodec and track.vcodec ~= "none" then + -- video track +- streamurl = url ++ streamurl = edl_track or track.url + end + end + +@@ -284,6 +283,9 @@ local function add_single_video(json) + edl_track = edl_track_joined(json.fragments, json.protocol, + json.is_live, json.fragment_base_url) + ++ if not edl_track and not url_is_safe(json.url) then ++ return ++ end + -- normal video or single track + streamurl = edl_track or json.url + set_http_headers(json.http_headers) +@@ -294,13 +296,7 @@ local function add_single_video(json) + + msg.debug("streamurl: " .. 
streamurl) + +- streamurl = streamurl:gsub("^data:", "data://", 1) +- +- if not url_is_safe(streamurl) then +- return +- end +- +- mp.set_property("stream-open-filename", streamurl) ++ mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1)) + + mp.set_property("file-local-options/force-media-title", json.title) + +@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function () + + msg.debug("EDL: " .. playlist) + ++ if not playlist then ++ return ++ end ++ + -- can't change the http headers for each entry, so use the 1st + if json.entries[1] then + set_http_headers(json.entries[1].http_headers) +-- +2.16.1 + diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm index 8cbe590bf2..5865713b85 100644 --- a/gnu/packages/video.scm +++ b/gnu/packages/video.scm @@ -6,7 +6,7 @@ ;;; Copyright © 2015, 2016, 2017 Efraim Flashner ;;; Copyright © 2015 Andy Patterson ;;; Copyright © 2015 Ricardo Wurmus -;;; Copyright © 2015, 2016, 2017 Alex Vong +;;; Copyright © 2015, 2016, 2017, 2018 Alex Vong ;;; Copyright © 2016, 2017 Alex Griffin ;;; Copyright © 2016 Kei Kebreau ;;; Copyright © 2016 Dmitry Nikolaev @@ -1018,6 +1018,9 @@ (define-public mpv (sha256 (base32 "1d2p6k3y9lqx8bpdal4grrj8ljy7pvd8qgdq8004fmr38afmbb7f")) + (patches (search-patches "mpv-CVE-2018-6360-1.patch" + "mpv-CVE-2018-6360-2.patch" + "mpv-CVE-2018-6360-3.patch")) (file-name (string-append name "-" version ".tar.gz")))) (build-system waf-build-system) (native-inputs -- cgit v1.2.3
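Review bot: In the last hunk of the embedded ytdl_hook.lua patch, the added `if not playlist then return end` sits after the context line `msg.debug("EDL: " .. playlist)`, and concatenating a nil value raises a Lua error, so the guard is never reached in the case it is meant to handle. Placing the guard first avoids that: `if not playlist then return end` and only then `msg.debug("EDL: " .. playlist)`. Separately, the checks on `track.url` and `json.url` now run before the `data:` to `data://` rewrite, so a bare `data:` URL has no `://` for `url_is_safe` to match and is presumably refused even though `data` is in the whitelist; worth confirming that this is intended. The enclosing hook function starts and ends outside the hunk.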