Package: guix-patches;
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Sun, 5 Nov 2017 13:39:02 UTC
Severity: normal
Tags: patch
Done: Marius Bakke <mbakke <at> fastmail.com>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 29158 in the body.
You can then email your comments to 29158 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
View this report as an mbox folder, status mbox, maintainer mbox
guix-patches <at> gnu.org:bug#29158; Package guix-patches.
(Sun, 05 Nov 2017 13:39:02 GMT) Full text and rfc822 format available.Marius Bakke <mbakke <at> fastmail.com>:guix-patches <at> gnu.org.
(Sun, 05 Nov 2017 13:39:02 GMT) Full text and rfc822 format available.Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Marius Bakke <mbakke <at> fastmail.com> To: guix-patches <at> gnu.org Cc: Marius Bakke <mbakke <at> fastmail.com> Subject: [PATCH] gnu: ncurses: Update to 6.0-20170930. Date: Sun, 5 Nov 2017 14:38:24 +0100
* gnu/packages/ncurses.scm (ncurses): Update to 6.0-20170930.
[source](patches): Remove.
[source](uri): Adjust to version suffix.
[arguments]: Add 'apply-rollup-patch' phase.
[native-inputs]: Add a "rollup-patch" origin.
* gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
gnu/local.mk | 1 -
gnu/packages/ncurses.scm | 33 +++-
.../patches/ncurses-CVE-2017-10684-10685.patch | 200 ---------------------
3 files changed, 28 insertions(+), 206 deletions(-)
delete mode 100644 gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 8e562c018..ecd80d198 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -890,7 +890,6 @@ dist_patch_DATA = \
%D%/packages/patches/mupdf-CVE-2017-15587.patch \
%D%/packages/patches/mupen64plus-ui-console-notice.patch \
%D%/packages/patches/mutt-store-references.patch \
- %D%/packages/patches/ncurses-CVE-2017-10684-10685.patch \
%D%/packages/patches/net-tools-bitrot.patch \
%D%/packages/patches/netcdf-date-time.patch \
%D%/packages/patches/netcdf-tst_h_par.patch \
diff --git a/gnu/packages/ncurses.scm b/gnu/packages/ncurses.scm
index 9f5905bc8..5a1486fcc 100644
--- a/gnu/packages/ncurses.scm
+++ b/gnu/packages/ncurses.scm
@@ -38,12 +38,12 @@
(define-public ncurses
(package
(name "ncurses")
- (version "6.0")
+ (version "6.0-20170930")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/ncurses/ncurses-"
- version ".tar.gz"))
- (patches (search-patches "ncurses-CVE-2017-10684-10685.patch"))
+ (car (string-split version #\-))
+ ".tar.gz"))
(sha256
(base32
"0q3jck7lna77z5r42f13c4xglc7azd19pxfrjrpgp2yf615w4lgm"))))
@@ -71,6 +71,12 @@
(cons (string-append "--host=" target)
configure-flags)
configure-flags))))))
+ (apply-rollup-patch-phase
+ '(lambda* (#:key inputs #:allow-other-keys)
+ (copy-file (assoc-ref inputs "rollup-patch")
+ (string-append (getcwd) "/rollup-patch.sh.bz2"))
+ (and (zero? (system* "bzip2" "-d" "rollup-patch.sh.bz2"))
+ (zero? (system* "sh" "rollup-patch.sh")))))
(remove-shebang-phase
'(lambda _
;; To avoid retaining a reference to the bootstrap Bash via the
@@ -166,6 +172,8 @@
,@(if (target-mingw?) '("--enable-term-driver") '()))))
#:tests? #f ; no "check" target
#:phases (modify-phases %standard-phases
+ (add-after 'unpack 'apply-rollup-patch
+ ,apply-rollup-patch-phase)
(replace 'configure ,configure-phase)
(add-after 'install 'post-install
,post-install-phase)
@@ -174,8 +182,23 @@
(add-after 'unpack 'remove-unneeded-shebang
,remove-shebang-phase)))))
(self-native-input? #t) ; for `tic'
- (native-inputs
- `(("pkg-config" ,pkg-config)))
+ (native-inputs
+ `(("pkg-config" ,pkg-config)
+
+ ;; Ncurses distributes "stable" patchsets to be applied on top
+ ;; of the release tarball. These are only available as shell
+ ;; scripts(!) so we decompress and apply them in a phase.
+ ;; See <https://invisible-mirror.net/archives/ncurses/6.0/README>.
+ ("rollup-patch"
+ ,(origin
+ (method url-fetch)
+ (uri (string-append
+ "https://invisible-mirror.net/archives/ncurses/"
+ (car (string-split version #\-))
+ "/ncurses-" version "-patch.sh.bz2"))
+ (sha256
+ (base32
+ "08a1pp8wnj1fwpa1pz3fgrmd6xwp21idniswqz8lx3w3z2nb4ydi"))))))
(native-search-paths
(list (search-path-specification
(variable "TERMINFO_DIRS")
diff --git a/gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch b/gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch
deleted file mode 100644
index 1f1b26801..000000000
--- a/gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-Fix CVE-2017-10684 and CVE-2017-10685:
-
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685
-
-Bug reports included proof of concept reproducer inputs:
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1464684
-https://bugzilla.redhat.com/show_bug.cgi?id=1464685
-https://bugzilla.redhat.com/show_bug.cgi?id=1464686
-https://bugzilla.redhat.com/show_bug.cgi?id=1464687
-https://bugzilla.redhat.com/show_bug.cgi?id=1464688
-https://bugzilla.redhat.com/show_bug.cgi?id=1464691
-https://bugzilla.redhat.com/show_bug.cgi?id=1464692
-
-Patches copied from ncurses patch release 20170701:
-
-ftp://invisible-island.net/ncurses/6.0/ncurses-6.0-20170701.patch.gz
-
-Excerpt from patch release announcement:
-
- + add/improve checks in tic's parser to address invalid input
- (Redhat #1464684, #1464685, #1464686, #1464691).
- + alloc_entry.c, add a check for a null-pointer.
- + parse_entry.c, add several checks for valid pointers as well as
- one check to ensure that a single character on a line is not
- treated as the 2-character termcap short-name.
- + the fixes for Redhat #1464685 obscured a problem subsequently
- reported in Redhat #1464687; the given test-case was no longer
- reproducible. Testing without the fixes for the earlier reports
- showed a problem with buffer overflow in dump_entry.c, which is
- addressed by reducing the use of a fixed-size buffer.
-
-https://lists.gnu.org/archive/html/bug-ncurses/2017-07/msg00001.html
-
---- ncurses-6.0-20170624+/ncurses/tinfo/alloc_entry.c 2017-04-09 23:33:51.000000000 +0000
-+++ ncurses-6.0-20170701/ncurses/tinfo/alloc_entry.c 2017-06-27 23:48:55.000000000 +0000
-@@ -96,7 +96,11 @@
- {
- char *result = 0;
- size_t old_next_free = next_free;
-- size_t len = strlen(string) + 1;
-+ size_t len;
-+
-+ if (string == 0)
-+ return _nc_save_str("");
-+ len = strlen(string) + 1;
-
- if (len == 1 && next_free != 0) {
- /*
---- ncurses-6.0-20170624+/ncurses/tinfo/parse_entry.c 2017-06-24 22:59:46.000000000 +0000
-+++ ncurses-6.0-20170701/ncurses/tinfo/parse_entry.c 2017-06-28 00:53:12.000000000 +0000
-@@ -236,13 +236,14 @@
- * implemented it. Note that the resulting terminal type was never the
- * 2-character name, but was instead the first alias after that.
- */
-+#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|')
- ptr = _nc_curr_token.tk_name;
- if (_nc_syntax == SYN_TERMCAP
- #if NCURSES_XNAMES
- && !_nc_user_definable
- #endif
- ) {
-- if (ptr[2] == '|') {
-+ if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && (ptr[2] == '|')) {
- ptr += 3;
- _nc_curr_token.tk_name[2] = '\0';
- }
-@@ -284,9 +285,11 @@
- if (is_use || is_tc) {
- entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
- entryp->uses[entryp->nuses].line = _nc_curr_line;
-- entryp->nuses++;
-- if (entryp->nuses > 1 && is_tc) {
-- BAD_TC_USAGE
-+ if (VALID_STRING(entryp->uses[entryp->nuses].name)) {
-+ entryp->nuses++;
-+ if (entryp->nuses > 1 && is_tc) {
-+ BAD_TC_USAGE
-+ }
- }
- } else {
- /* normal token lookup */
-@@ -588,7 +591,7 @@
- static void
- append_acs(string_desc * dst, int code, char *src)
- {
-- if (src != 0 && strlen(src) == 1) {
-+ if (VALID_STRING(src) && strlen(src) == 1) {
- append_acs0(dst, code, *src);
- }
- }
-@@ -849,15 +852,14 @@
- }
-
- if (tp->Strings[to_ptr->nte_index]) {
-+ const char *s = tp->Strings[from_ptr->nte_index];
-+ const char *t = tp->Strings[to_ptr->nte_index];
- /* There's no point in warning about it if it's the same
- * string; that's just an inefficiency.
- */
-- if (strcmp(
-- tp->Strings[from_ptr->nte_index],
-- tp->Strings[to_ptr->nte_index]) != 0)
-+ if (VALID_STRING(s) && VALID_STRING(t) && strcmp(s, t) != 0)
- _nc_warning("%s (%s) already has an explicit value %s, ignoring ko",
-- ap->to, ap->from,
-- _nc_visbuf(tp->Strings[to_ptr->nte_index]));
-+ ap->to, ap->from, t);
- continue;
- }
-
---- ncurses-6.0-20170624+/progs/dump_entry.c 2017-06-23 22:47:43.000000000 +0000
-+++ ncurses-6.0-20170701/progs/dump_entry.c 2017-07-01 11:27:29.000000000 +0000
-@@ -841,9 +841,10 @@
- PredIdx num_strings = 0;
- bool outcount = 0;
-
--#define WRAP_CONCAT \
-- wrap_concat(buffer); \
-- outcount = TRUE
-+#define WRAP_CONCAT1(s) wrap_concat(s); outcount = TRUE
-+#define WRAP_CONCAT2(a,b) wrap_concat(a); WRAP_CONCAT1(b)
-+#define WRAP_CONCAT3(a,b,c) wrap_concat(a); WRAP_CONCAT2(b,c)
-+#define WRAP_CONCAT WRAP_CONCAT1(buffer)
-
- len = 12; /* terminfo file-header */
-
-@@ -1007,9 +1008,9 @@
- set_attributes = save_sgr;
-
- trimmed_sgr0 = _nc_trim_sgr0(tterm);
-- if (strcmp(capability, trimmed_sgr0))
-+ if (strcmp(capability, trimmed_sgr0)) {
- capability = trimmed_sgr0;
-- else {
-+ } else {
- if (trimmed_sgr0 != exit_attribute_mode)
- free(trimmed_sgr0);
- }
-@@ -1046,13 +1047,21 @@
- _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer))
- "%s=!!! %s WILL NOT CONVERT !!!",
- name, srccap);
-+ WRAP_CONCAT;
- } else if (suppress_untranslatable) {
- continue;
- } else {
- char *s = srccap, *d = buffer;
-- _nc_SPRINTF(d, _nc_SLIMIT(sizeof(buffer)) "..%s=", name);
-- d += strlen(d);
-+ WRAP_CONCAT3("..", name, "=");
- while ((*d = *s++) != 0) {
-+ if ((d - buffer - 1) >= (int) sizeof(buffer)) {
-+ fprintf(stderr,
-+ "%s: value for %s is too long\n",
-+ _nc_progname,
-+ name);
-+ *d = '\0';
-+ break;
-+ }
- if (*d == ':') {
- *d++ = '\\';
- *d = ':';
-@@ -1061,13 +1070,12 @@
- }
- d++;
- }
-+ WRAP_CONCAT;
- }
- } else {
-- _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer))
-- "%s=%s", name, cv);
-+ WRAP_CONCAT3(name, "=", cv);
- }
- len += (int) strlen(capability) + 1;
-- WRAP_CONCAT;
- } else {
- char *src = _nc_tic_expand(capability,
- outform == F_TERMINFO, numbers);
-@@ -1083,8 +1091,7 @@
- strcpy_DYN(&tmpbuf, src);
- }
- len += (int) strlen(capability) + 1;
-- wrap_concat(tmpbuf.text);
-- outcount = TRUE;
-+ WRAP_CONCAT1(tmpbuf.text);
- }
- }
- /* e.g., trimmed_sgr0 */
-@@ -1526,7 +1533,8 @@
- }
- if (len > critlen) {
- (void) fprintf(stderr,
-- "warning: %s entry is %d bytes long\n",
-+ "%s: %s entry is %d bytes long\n",
-+ _nc_progname,
- _nc_first_name(tterm->term_names),
- len);
- SHOW_WHY("# WARNING: this entry, %d bytes long, may core-dump %s libraries!\n",
--
2.15.0
Marius Bakke <mbakke <at> fastmail.com>:Marius Bakke <mbakke <at> fastmail.com>:Message #10 received at 29158-done <at> debbugs.gnu.org (full text, mbox):
From: Marius Bakke <mbakke <at> fastmail.com> To: 29158-done <at> debbugs.gnu.org Subject: Re: [PATCH] gnu: ncurses: Update to 6.0-20170930. Date: Sun, 19 Nov 2017 15:59:54 +0100
[Message part 1 (text/plain, inline)]
Marius Bakke <mbakke <at> fastmail.com> writes: > * gnu/packages/ncurses.scm (ncurses): Update to 6.0-20170930. > [source](patches): Remove. > [source](uri): Adjust to version suffix. > [arguments]: Add 'apply-rollup-patch' phase. > [native-inputs]: Add a "rollup-patch" origin. > * gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch: Delete file. > * gnu/local.mk (dist_patch_DATA): Remove it. Since there were no comments in two weeks, I have 'staged' this in my local queue for core-updates and will push later today/tomorrow. Ludo: Is the kernel on Hydra upgraded now? Let's start a new 'core' evaluation once this patch makes it.
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#29158; Package guix-patches.
(Mon, 20 Nov 2017 09:37:02 GMT) Full text and rfc822 format available.Message #13 received at 29158 <at> debbugs.gnu.org (full text, mbox):
From: ludo <at> gnu.org (Ludovic Courtès) To: 29158 <at> debbugs.gnu.org Cc: mbakke <at> fastmail.com Subject: Re: bug#29158: [PATCH] gnu: ncurses: Update to 6.0-20170930. Date: Mon, 20 Nov 2017 10:36:37 +0100
Hello Marius! Marius Bakke <mbakke <at> fastmail.com> skribis: > Marius Bakke <mbakke <at> fastmail.com> writes: > >> * gnu/packages/ncurses.scm (ncurses): Update to 6.0-20170930. >> [source](patches): Remove. >> [source](uri): Adjust to version suffix. >> [arguments]: Add 'apply-rollup-patch' phase. >> [native-inputs]: Add a "rollup-patch" origin. >> * gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch: Delete file. >> * gnu/local.mk (dist_patch_DATA): Remove it. > > Since there were no comments in two weeks, I have 'staged' this in my > local queue for core-updates and will push later today/tomorrow. Sounds reasonable. > Ludo: Is the kernel on Hydra upgraded now? Let's start a new 'core' > evaluation once this patch makes it. Yes, the kernel is upgraded. These “core” evaluations are relatively cheap, so you can start new ones maybe not too often, but without fear (I just did.) Thanks, Ludo’.
Debbugs Internal Request <help-debbugs <at> gnu.org>
to internal_control <at> debbugs.gnu.org.
(Mon, 18 Dec 2017 12:24:05 GMT) Full text and rfc822 format available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.