GNU bug report logs - #74050
[PATCH 0/6] Add lint-hidden-cve property for near-leaf packages.
Reported by: Nicolas Graves <ngraves <at> ngraves.fr>
Date: Sun, 27 Oct 2024 18:26:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#74050; Package guix-patches. (Sun, 27 Oct 2024 18:26:02 GMT)
Acknowledgement sent to Nicolas Graves <ngraves <at> ngraves.fr>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 27 Oct 2024 18:26:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
This patch series is what's left of 74034 after I've split it in two.
It introduces some useful lint-hidden-cve properties where that's
useful, fixing builds or updating packages along the way.
Nicolas Graves (6):
gnu: gerbv: Add lint-hidden-cve property.
gnu: libgda: Rename patch for guix lint.
gnu: upx: Update to 4.2.4.
gnu: sylpheed: Add release-monitoring-url property.
gnu: openvswitch: Update to 3.4.0.
gnu: quagga: Fix build and hide CVE.
gnu/local.mk | 2 +-
gnu/packages/compression.scm | 7 ++++---
gnu/packages/engineering.scm | 2 ++
gnu/packages/gnome.scm | 2 +-
gnu/packages/mail.scm | 2 ++
gnu/packages/networking.scm | 14 ++++++++++----
...021-39359.patch => libgda-CVE-2021-39359.patch} | 0
7 files changed, 20 insertions(+), 9 deletions(-)
rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)
--
2.46.0
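As an added example (not part of this series and not Guix's own code), here is a small auditor for the `lint-hidden-cve` entries the series introduces. The point of the property is to silence a `guix lint` CVE report on purpose, so each entry should carry a rationale comment and well-formed ids; this script scans Scheme source text for `(lint-hidden-cve . ("CVE-..." ...))`, extracts the ids, and reports entries with no `;;` comment directly above, malformed or duplicate ids, or an empty list. The sample input is constructed from the gerbv hunk plus a deliberately bad entry; the function names, the comment-placement rule and the "skippable" opener lines are this example's own assumptions, not Guix conventions.

```python
"""Audit lint-hidden-cve properties in Guix package definitions.

Added example (not Guix code): scans Scheme source text for
(lint-hidden-cve . ("CVE-..." ...)) entries, extracts the ids, checks
each id is well-formed and unique within the entry, and requires a ';;'
rationale comment directly above the property so that a hidden CVE is
never an unexplained, permanent exemption.
"""
import re
import sys

# Well-formed CVE id: upper-case prefix, 4-digit year, at least 4 digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# The property and its string list; [^)]* also spans line breaks.
PROP_RE = re.compile(r"\(lint-hidden-cve\s*\.\s*\(([^)]*)\)")
STRING_RE = re.compile(r'"([^"]*)"')

# Constructed sample: the gerbv entry from this series plus a bad entry
# (no rationale comment, lower-case id) to exercise the checks.
SAMPLE = """\
(define-public gerbv
  (package
    (name "gerbv")
    ;; This CVE has been fixed in version 2.10.0.
    (properties '((lint-hidden-cve . ("CVE-2023-4508"))))
    (license license:gpl2+)))

(define-public example-bad
  (package
    (name "example-bad")
    (properties `((lint-hidden-cve . ("CVE-2023-23456"
                                      "cve-2023-23457"))))
    (license license:gpl2+)))
"""


def _skippable(line):
    """Lines allowed between the rationale comment and the property itself
    (assumption: blank lines and a bare '(properties' / alist opener)."""
    s = line.strip()
    return s == "" or s.startswith(("(properties", "'((", "`(("))


def find_hidden_cves(text):
    """Return one dict per entry: line (1-based), ids, rationale (bool)."""
    lines = text.splitlines()
    entries = []
    for m in PROP_RE.finditer(text):
        index = text.count("\n", 0, m.start())
        ids = STRING_RE.findall(m.group(1))
        j = index - 1
        while j >= 0 and _skippable(lines[j]):
            j -= 1
        rationale = j >= 0 and lines[j].lstrip().startswith(";;")
        entries.append({"line": index + 1, "ids": ids, "rationale": rationale})
    return entries


def audit(text):
    """Return a list of (line, message) problems for the entries in text."""
    problems = []
    for entry in find_hidden_cves(text):
        line = entry["line"]
        if not entry["ids"]:
            problems.append((line, "empty lint-hidden-cve list"))
        if not entry["rationale"]:
            problems.append((line, "no ;; rationale comment above property"))
        seen = set()
        for cve in entry["ids"]:
            if not CVE_RE.match(cve):
                problems.append((line, f"malformed id {cve!r}"))
            elif cve in seen:
                problems.append((line, f"duplicate id {cve}"))
            seen.add(cve)
    return problems


if __name__ == "__main__":
    # Usage: python audit_hidden_cves.py gnu/packages/*.scm
    # With no arguments the constructed SAMPLE is audited instead.
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]]
    sources = sources or [("<sample>", SAMPLE)]
    status = 0
    for path, text in sources:
        for line, message in audit(text):
            print(f"{path}:{line}: {message}")
            status = 1
    sys.exit(status)
```

Run it over `gnu/packages/*.scm` before sending a series like this one; it reports the file and line of any exemption that lacks a reason, which is exactly what a reviewer will ask for.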
Information forwarded to guix-patches <at> gnu.org: bug#74050; Package guix-patches. (Sun, 27 Oct 2024 18:33:02 GMT)
Message #8 received at 74050 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/gnome.scm (libgda)[source]<origin>: Rename patch for
CVE to be ignored by guix lint.
---
gnu/local.mk | 2 +-
gnu/packages/gnome.scm | 2 +-
...{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} | 0
3 files changed, 2 insertions(+), 2 deletions(-)
rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)
diff --git a/gnu/local.mk b/gnu/local.mk
index c432685775..d253b424bb 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1666,7 +1666,7 @@ dist_patch_DATA = \
%D%/packages/patches/libcroco-CVE-2020-12825.patch \
%D%/packages/patches/libcyaml-libyaml-compat.patch \
%D%/packages/patches/libexpected-use-provided-catch2.patch \
- %D%/packages/patches/libgda-cve-2021-39359.patch \
+ %D%/packages/patches/libgda-CVE-2021-39359.patch \
%D%/packages/patches/libgda-disable-data-proxy-test.patch \
%D%/packages/patches/libgda-fix-build.patch \
%D%/packages/patches/libgda-fix-missing-initialization.patch \
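Review bot: the commit message should say which check this rename serves. The only change is the case of `cve` to `CVE` in `libgda-CVE-2021-39359.patch`, and nothing in the series records that `guix lint`'s cve checker looks for the upper-case CVE id inside the patch file name to decide that a vulnerability is patched; without that one line, a later contributor may "normalise" the name back to lower case and reintroduce the false report. The ordering is fine: the new name still sorts before `libgda-disable-data-proxy-test.patch`.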
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 77a0633b50..9b26819261 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -13653,7 +13653,7 @@ (define-public libgda
name "-" version ".tar.xz"))
(sha256
(base32 "0w564z7krgjk19r39mi5qn4kggpdg9ggbyn9pb4aavb61r14npwr"))
- (patches (search-patches "libgda-cve-2021-39359.patch"
+ (patches (search-patches "libgda-CVE-2021-39359.patch"
"libgda-disable-data-proxy-test.patch"
"libgda-fix-build.patch"
"libgda-fix-missing-initialization.patch"
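Review bot: renaming the patch changes its file name in the store and therefore the derivation of `libgda`, so this triggers a rebuild of libgda and all of its dependents even though the patch content is unchanged (100% similarity). Check the dependent count with `guix refresh -l libgda` and state in the commit message whether this is meant for master or a team branch; if the count is large, batching the rename with the next libgda update avoids a rebuild that changes nothing.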
diff --git a/gnu/packages/patches/libgda-cve-2021-39359.patch b/gnu/packages/patches/libgda-CVE-2021-39359.patch
similarity index 100%
rename from gnu/packages/patches/libgda-cve-2021-39359.patch
rename to gnu/packages/patches/libgda-CVE-2021-39359.patch
--
2.46.0
Information forwarded to guix-patches <at> gnu.org: bug#74050; Package guix-patches. (Sun, 27 Oct 2024 18:33:02 GMT)
Message #11 received at 74050 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/engineering.scm (gerbv)[properties]: Add
lint-hidden-cve property.
---
gnu/packages/engineering.scm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm
index 6f449f0c39..89e60a7218 100644
--- a/gnu/packages/engineering.scm
+++ b/gnu/packages/engineering.scm
@@ -868,6 +868,8 @@ (define-public gerbv
you load several files on top of each other, do measurements on the displayed
image, etc. Besides viewing Gerbers, you may also view Excellon drill files
as well as pick-place files.")
+ ;; This CVE has been fixed in version 2.10.0.
+ (properties '((lint-hidden-cve . ("CVE-2023-4508"))))
(license license:gpl2+)))
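Review bot: the comment "This CVE has been fixed in version 2.10.0" does not say which version Guix ships nor why `guix lint` still reports CVE-2023-4508 if the package is already past the fix; the hunk shows neither. State the packaged version and the reason the report is a false positive (typically the affected-version range in the vulnerability data), and cite the upstream fix commit or release note, otherwise `lint-hidden-cve` becomes a permanent exemption with no way to tell when it can be dropped.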
(define-public translate2geda
--
2.46.0
Information forwarded to guix-patches <at> gnu.org: bug#74050; Package guix-patches. (Sun, 27 Oct 2024 18:33:03 GMT)
Message #14 received at 74050 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/compression.scm (upx): Update to 4.2.4.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/compression.scm | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 97696ff0ef..a32b15a64a 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2438,15 +2438,14 @@ (define-public ucl
(define-public upx
(package
(name "upx")
- (version "4.1.0")
+ (version "4.2.4")
(source
(origin
(method url-fetch)
(uri (string-append "https://github.com/upx/upx/releases/download/v"
version "/upx-" version "-src.tar.xz"))
(sha256
- (base32
- "1l273pwa573x9l3izw75cz8ysn2g8w8w3s56rahppa3ya65zg0h5"))))
+ (base32 "1i71p03861hlf5x1w217l67zm5inm449zhbg6kpv8zyj0wb5dmjy"))))
(build-system cmake-build-system)
(home-page "https://upx.github.io/")
(synopsis "Compression tool for executables")
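Review bot: the new base32 hash cannot be checked from the diff; confirm it with `guix download` against the URL built from the `uri` field above and say in the commit message that this was done, since a hash typed from an untrusted source is exactly what the hash is meant to guard against. The reflow of `(base32 ...)` onto one line is harmless but is a whitespace-only change riding on a version bump; keeping the bump minimal makes the hash change easier to audit.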
@@ -2455,6 +2454,8 @@ (define-public upx
compressor. UPX typically reduces the file size of programs and shared
libraries by around 50%--70%, thus reducing disk space, network load times,
download times, and other distribution and storage costs.")
+ ;; These CVEs have been fixed since 4.0.2 but are still linted.
+ (properties `((lint-hidden-cve . ("CVE-2023-23456" "CVE-2023-23457"))))
(license license:gpl2+)))
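Review bot: "fixed since 4.0.2 but are still linted" gives no reason why lint still flags CVE-2023-23456 and CVE-2023-23457; the package was already at 4.1.0 before this commit, so the report was a false positive independently of the update to 4.2.4. Record the reason (the affected-version range in the vulnerability data, or the upstream advisory) next to the property, and since the bump and the exemption are independent changes, consider splitting them into two commits so the exemption can be reverted on its own. Also, the quasiquote in `` `((lint-hidden-cve ... `` has no unquote inside it; the other patches in the series use `'`, so use that here for consistency.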
(define-public quazip-0
--
2.46.0
Information forwarded to guix-patches <at> gnu.org: bug#74050; Package guix-patches. (Sun, 27 Oct 2024 18:33:03 GMT)
Message #17 received at 74050 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/mail.scm (sylpheed)[properties]: Add
release-monitoring-url.
---
gnu/packages/mail.scm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 2c69a7b818..77be7626a9 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -4561,6 +4561,8 @@ (define-public sylpheed
"Sylpheed is a simple, lightweight but featureful, and easy-to-use e-mail
client. Sylpheed provides intuitive user-interface. Sylpheed is also
designed for keyboard-oriented operation.")
+ (properties '((release-monitoring-url
+ . "https://sylpheed.sraoss.jp/en/download.html")))
(license license:gpl2+)))
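Review bot: nothing in the hunk shows that the updater can actually discover new tarballs from https://sylpheed.sraoss.jp/en/download.html; run `guix refresh sylpheed` once and mention the result in the commit message, because a `release-monitoring-url` that yields nothing silently masks an updater problem instead of fixing one. Pointing at an https page is the right choice, as release discovery is a supply-chain input.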
(define-public python-authres
--
2.46.0
Information forwarded to guix-patches <at> gnu.org: bug#74050; Package guix-patches. (Sun, 27 Oct 2024 18:33:04 GMT)
Message #20 received at 74050 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/networking.scm (openvswitch): Update to 3.4.0.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/networking.scm | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 8c5548323f..67584be64b 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2878,7 +2878,7 @@ (define-public nzbget
(define-public openvswitch
(package
(name "openvswitch")
- (version "3.2.0")
+ (version "3.4.0")
(source (origin
(method url-fetch)
(uri (string-append
@@ -2886,7 +2886,7 @@ (define-public openvswitch
version ".tar.gz"))
(sha256
(base32
- "1i0lb40lwbakmmqklmfcgr01l1ymsawgdi7k9a1zzp8ariw7x4ff"))))
+ "10g84h6lis6fafyjhvmdrs8r539xcar04cc3rsk448gs6848hsqr"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags
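Review bot: 3.2.0 to 3.4.0 skips a minor release, so confirm that the `#:configure-flags` immediately below still apply and that the test suite passes with the new tarball, and verify the new base32 hash with `guix download` from the URL built from `uri`; note in the commit message that both were checked.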
@@ -2962,7 +2962,9 @@ (define-public openvswitch
supporting standard management interfaces and protocols (e.g. NetFlow, sFlow,
IPFIX, RSPAN, CLI, LACP, 802.1ag).")
(properties
- '((release-monitoring-url . "https://www.openvswitch.org/download/")))
+ '((release-monitoring-url . "https://www.openvswitch.org/download/")
+ ;; This CVE is fixed since 3.2.0.
+ (lint-hidden-cve . ("CVE-2023-5366"))))
(license ; see debian/copyright for detail
(list license:lgpl2.1 ; xenserver and utilities/bugtool
license:gpl2 ; datapath
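Review bot: "This CVE is fixed since 3.2.0" does not explain why lint still reports CVE-2023-5366 on 3.4.0; the package was already at 3.2.0 before this commit, so the exemption is about a false positive in the vulnerability data, not about this update. Say so in the comment (and ideally cite the upstream fix), and consider separating the exemption from the version bump, since the two are independent and a reader of `git log` should be able to revert one without the other.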
--
2.46.0
Information forwarded to guix-patches <at> gnu.org: bug#74050; Package guix-patches. (Sun, 27 Oct 2024 18:33:04 GMT)
Message #23 received at 74050 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/networking.scm (quagga)
[inputs]: Add libxcrypt.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/networking.scm | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 67584be64b..910299a0a6 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -3139,7 +3139,7 @@ (define-public quagga
(delete-file "vtysh/extract.pl")))))
(build-system gnu-build-system)
(native-inputs (list gawk gcc-9 pkg-config perl dejagnu))
- (inputs (list readline c-ares))
+ (inputs (list c-ares libxcrypt readline))
(synopsis "Routing Software Suite")
(description "Quagga is a routing software suite, providing implementations
of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4 for Unix platforms.
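Review bot: the commit message says "Fix build" and "[inputs]: Add libxcrypt" but not what failed; record the actual error (the missing header or the unresolved `crypt` symbol at link time) so the input can be dropped again if it stops being needed. Re-sorting the inputs alphabetically in the same line is fine.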
@@ -3150,6 +3150,10 @@ (define-public quagga
clients which typically implement a routing protocol and communicate routing
updates to the zebra daemon.")
(home-page "https://www.nongnu.org/quagga/")
+ ;; This CVE concerns systemd services files that we currently don't use.
+ ;; If we were to use them, a fixing patch can be found here:
+ ;; https://build.opensuse.org/request/show/1035188
+ (properties '((lint-hidden-cve . ("CVE-2021-44038"))))
(license license:gpl2+)))
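Review bot: the rationale "systemd service files that we currently don't use" should state whether the Guix package installs the affected unit files at all; if they land in the output, a user who copies them onto a systemd host inherits the problem, and `lint-hidden-cve` would then be hiding a shipped artefact rather than a false positive. Either confirm they are not installed and say so in the comment, or remove them in a build phase (or apply the linked openSUSE patch) instead of hiding the CVE. Also link the specific patch or commit rather than the request page, which is not a stable reference.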
(define-public bgpq3
--
2.46.0
Reply sent to Ludovic Courtès <ludo <at> gnu.org>: You have taken responsibility. (Wed, 06 Nov 2024 21:27:01 GMT)
Notification sent to Nicolas Graves <ngraves <at> ngraves.fr>: bug acknowledged by developer. (Wed, 06 Nov 2024 21:27:02 GMT)
Message #28 received at 74050-done <at> debbugs.gnu.org (full text, mbox):
Hi,
Nicolas Graves <ngraves <at> ngraves.fr> wrote:
> gnu: gerbv: Add lint-hidden-cve property.
> gnu: libgda: Rename patch for guix lint.
> gnu: upx: Update to 4.2.4.
> gnu: sylpheed: Add release-monitoring-url property.
> gnu: openvswitch: Update to 3.4.0.
> gnu: quagga: Fix build and hide CVE.
Applied, thanks!
Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 05 Dec 2024 12:24:08 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.