GNU bug report logs - #76819
[PATCH v7 00/35] Add lint-hidden-cpe-vendors property

Package: guix-patches;

Reported by: Nicolas Graves <ngraves <at> ngraves.fr>

Date: Fri, 7 Mar 2025 18:36:01 UTC

Severity: normal

Tags: patch

To reply to this bug, email your comments to 76819 AT debbugs.gnu.org.


Report forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:36:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas Graves <ngraves <at> ngraves.fr>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 07 Mar 2025 18:36:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: guix-patches <at> gnu.org
Cc: ludo <at> gnu.org, Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 00/35] Add lint-hidden-cpe-vendors property
Date: Fri,  7 Mar 2025 19:32:40 +0100
I hope it's good this time! I've also added some new security fixes on top.

Nicolas Graves (20):
  gnu: got: Add lint-hidden-cpe-vendors property.
  gnu: tinyxml: Fix CVE-2023-34194.
  gnu: wayvnc: Update to 0.9.1.
  gnu: neatvnc: Update to 0.9.4.
  gnu: opus: Add lint-hidden-cve property.
  gnu: jq: Add lint-hidden-cve property.
  gnu: highlight: Add lint-hidden-cpe-vendors property.
  gnu: yasm: Refresh package definition.
  gnu: music: Add lint-hidden-cpe-vendors property.
  gnu: indent: Update to 2.2.13-0.1737c92.
  gnu: snappy: Add cpe-name property.
  gnu: zchunk: Update to 1.5.1.
  gnu: dash: Add lint-hidden-cpe-vendors property.
  gnu: git: Use lint-hidden-cpe-vendors.
  gnu: soil: Add lint-hidden-cpe-vendors property.
  gnu: re2c: Update to 4.1.
  gnu: libconfuse: Patch CVE-2022-40320.
  gnu: libxls: Update to 1.6.3.
  gnu: ruby-git: Update to 3.0.0.
  gnu: yajl: Patch CVE-2023-33460.

Nicolas Graves via Guix-patches via (15):
  cve: Add cpe-vendor and lint-hidden-cpe-vendors properties.
  gnu: halibut: Add cpe-vendor property.
  gnu: portfolio: Update to 1.0.1.
  gnu: folders: Add lint-hidden-cpe-vendors property.
  gnu: spectra: Add lint-hidden-cpe-vendors property.
  gnu: express: Add lint-hidden-cpe-vendors property.
  gnu: cli: Add lint-hidden-cpe-vendors property.
  gnu: h2c: Add lint-hidden-cpe-vendors property.
  gnu: xenon: Update to 0.9.3.
  gnu: bolt: Update to 0.9.8.
  gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
  gnu: onedrive: Update to 2.5.2.
  gnu: dex: Update to 0.10.1.
  gnu: immer: Add lint-hidden-cpe-vendors property.
  gnu: cvs: Add lint-hidden-cpe-vendors property.

 gnu/local.mk                                  |   4 +-
 gnu/packages/algebra.scm                      |   1 +
 gnu/packages/assembly.scm                     |   5 +-
 gnu/packages/bioinformatics.scm               |   4 +-
 gnu/packages/code.scm                         |  66 +++++---
 gnu/packages/compression.scm                  |   7 +-
 gnu/packages/cpp.scm                          |   2 +
 gnu/packages/curl.scm                         |   1 +
 gnu/packages/documentation.scm                |  14 +-
 gnu/packages/esolangs.scm                     |   1 +
 gnu/packages/gl.scm                           |   3 +-
 gnu/packages/gnome-xyz.scm                    |   5 +-
 gnu/packages/linux.scm                        |  16 +-
 gnu/packages/networking.scm                   |   1 +
 .../patches/indent-CVE-2024-0911.patch        |  61 -------
 .../patches/libconfuse-CVE-2022-40320.patch   |  38 +++++
 .../patches/tinyxml-CVE-2023-34194.patch      |  28 +++
 .../patches/yajl-CVE-2023-33460.patch         |  38 +++++
 gnu/packages/pretty-print.scm                 |   3 +-
 gnu/packages/re2c.scm                         |   4 +-
 gnu/packages/ruby.scm                         |   4 +-
 gnu/packages/shells.scm                       |   3 +-
 gnu/packages/statistics.scm                   |   4 +-
 gnu/packages/sync.scm                         |   5 +-
 gnu/packages/textutils.scm                    |   4 +-
 gnu/packages/version-control.scm              |  22 +--
 gnu/packages/vnc.scm                          |   8 +-
 gnu/packages/web.scm                          |   9 +-
 gnu/packages/xdisorg.scm                      |  17 +-
 gnu/packages/xiph.scm                         |   5 +-
 gnu/packages/xml.scm                          |   3 +-
 guix/cve.scm                                  | 160 +++++++++++-------
 guix/lint.scm                                 |  10 +-
 tests/cve.scm                                 |  14 +-
 34 files changed, 350 insertions(+), 220 deletions(-)
 delete mode 100644 gnu/packages/patches/indent-CVE-2024-0911.patch
 create mode 100644 gnu/packages/patches/libconfuse-CVE-2022-40320.patch
 create mode 100644 gnu/packages/patches/tinyxml-CVE-2023-34194.patch
 create mode 100644 gnu/packages/patches/yajl-CVE-2023-33460.patch

-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:40:03 GMT) Full text and rfc822 format available.

Message #8 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 01/35] cve: Add cpe-vendor and lint-hidden-cpe-vendors
 properties.
Date: Fri,  7 Mar 2025 19:38:30 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* guix/cve.scm: Exploit cpe vendors information.
(cpe->package-name): Rename to...
(cpe->package-identifier): Renamed from cpe->package-name. Use
cpe_vendor:cpe_name in place of cpe_name.
(vulnerability-matches?): Add helper function.
(vulnerabilities->lookup-proc): Extract cpe_name for table
hashes. Add vendor and hidden-vendor arguments. Adapt condition to
pass vulnerabilities to result in the fold.
(write-cache, fetch-vulnerabilities): Update the format version.

* guix/lint.scm (package-vulnerabilities): Use additional arguments
from vulnerabilities->lookup-proc.

* tests/cve.scm (%expected-vulnerabilities): Adapt variable to changes
in guix/cve.scm.
---
 guix/cve.scm  | 160 ++++++++++++++++++++++++++++++--------------------
 guix/lint.scm |  10 +++-
 tests/cve.scm |  14 ++---
 3 files changed, 112 insertions(+), 72 deletions(-)

diff --git a/guix/cve.scm b/guix/cve.scm
index 9e1cf5b587..5ea5219190 100644
--- a/guix/cve.scm
+++ b/guix/cve.scm
@@ -25,11 +25,11 @@ (define-module (guix cve)
   #:use-module (web uri)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
-  #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-19)
   #:use-module (srfi srfi-26)
   #:use-module (srfi srfi-34)
   #:use-module (srfi srfi-35)
+  #:use-module (srfi srfi-71)
   #:use-module (ice-9 match)
   #:use-module (ice-9 regex)
   #:use-module (ice-9 vlist)
@@ -108,15 +108,16 @@ (define %cpe-package-rx
   ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
   (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
 
-(define (cpe->package-name cpe)
+(define (cpe->package-identifier cpe)
   "Converts the Common Platform Enumeration (CPE) string CPE to a package
-name, in a very naive way.  Return two values: the package name, and its
-version string.  Return #f and #f if CPE does not look like an application CPE
-string."
+identifier, in a very naive way.  Return three values: the CPE vendor, the
+package name, and its version string.
+Return three #f values if CPE does not look like an application CPE string."
   (cond ((regexp-exec %cpe-package-rx cpe)
          =>
          (lambda (matches)
-           (values (match:substring matches 2)
+           (values (match:substring matches 1)
+                   (match:substring matches 2)
                    (match (match:substring matches 3)
                      ("*" '_)
                      (version
@@ -128,7 +129,7 @@ (define (cpe->package-name cpe)
                                         ;; "cpe:2.3:a:openbsd:openssh:6.8:p1".
                                         (string-drop patch-level 1)))))))))
         (else
-         (values #f #f))))
+         (values #f #f #f))))
 
 (define (cpe-match->cve-configuration alist)
   "Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package
@@ -142,17 +143,18 @@ (define (cpe-match->cve-configuration alist)
     ;; Normally "cpe23Uri" is here in each "cpe_match" item, but CVE-2020-0534
     ;; has a configuration that lacks it.
     (and cpe
-         (let-values (((package version) (cpe->package-name cpe)))
+         (let ((vendor package version (cpe->package-identifier cpe)))
            (and package
-                `(,package
-                   ,(cond ((and (or starti starte) (or endi ende))
-                           `(and ,(if starti `(>= ,starti) `(> ,starte))
-                                 ,(if endi `(<= ,endi) `(< ,ende))))
-                          (starti `(>= ,starti))
-                          (starte `(> ,starte))
-                          (endi   `(<= ,endi))
-                          (ende   `(< ,ende))
-                          (else   version))))))))
+                `(,vendor
+                  ,package
+                  ,(cond ((and (or starti starte) (or endi ende))
+                          `(and ,(if starti `(>= ,starti) `(> ,starte))
+                                ,(if endi `(<= ,endi) `(< ,ende))))
+                         (starti `(>= ,starti))
+                         (starte `(> ,starte))
+                         (endi   `(<= ,endi))
+                         (ende   `(< ,ende))
+                         (else   version))))))))
 
 (define (configuration-data->cve-configurations alist)
   "Given ALIST, a JSON dictionary for the baroque \"configurations\"
@@ -228,6 +230,25 @@ (define (version-matches? version sexp)
     (('>= min)
      (version>=? version min))))
 
+(define (vulnerability-matches? vuln vendor hidden-vendors)
+  "Checks if a VENDOR matches at least one of <vulnerability> VULN
+packages.  When VENDOR is #f, ignore packages that have a vendor among
+HIDDEN-VENDORS."
+  (define hidden-vendor?
+    (if (list? hidden-vendors)
+        (cut member <> hidden-vendors)
+        (const #f)))
+
+  (match vuln
+    (($ <vulnerability> id packages)
+     (any (match-lambda
+            ((? (lambda (candidate)
+                  (and vendor
+                       (string=? candidate vendor))))   #t)
+            ((? hidden-vendor?)                         #f)
+            (otherwise                                 (not vendor)))
+          (map car packages)))))  ;candidate vendors
+
 
 ;;;
 ;;; High-level interface.
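
Review bot: In vulnerability-matches?, the first match-lambda clause calls (string=? candidate vendor) whenever VENDOR is set, but candidate can be #f: sexp-v1->vulnerability, added later in this patch, conses #f as the vendor of every entry read from a version 1 cache. A package carrying a cpe-vendor property and linted against an old cache would then raise a wrong-type error instead of returning a lookup result. Guard the clause with (string? candidate), or drop the version 1 reader and force a cache refresh. Also, id is bound in the ($ <vulnerability> id packages) pattern but never used; _ would do.
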
@@ -259,7 +280,7 @@ (define-record-type <vulnerability>
   (vulnerability id packages)
   vulnerability?
   (id         vulnerability-id)             ;string
-  (packages   vulnerability-packages))      ;((p1 sexp1) (p2 sexp2) ...)
+  (packages   vulnerability-packages))      ;((v1 p1 sexp1) (v2 p2 sexp2) ...)
 
 (define vulnerability->sexp
   (match-lambda
@@ -271,40 +292,53 @@ (define sexp->vulnerability
     (('v id (packages ...))
      (vulnerability id packages))))
 
+(define sexp-v1->vulnerability
+  (match-lambda
+    (('v id (packages ...))
+     (vulnerability id (map (cut cons #f <>) packages)))))
+
 (define (cve-configuration->package-list config)
-  "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
-where P is a package name and SEXP expresses constraints on the matching
-versions."
+  "Parse CONFIG, a config sexp, and return a list of the form (V P SEXP)
+where V is a CPE vendor, P is a package name and SEXP expresses constraints on
+the matching versions."
   (let loop ((config config)
-             (packages '()))
+             (results '()))
     (match config
       (('or configs ...)
-       (fold loop packages configs))
-      (('and config _ ...)                        ;XXX
-       (loop config packages))
-      (((? string? package) '_)                   ;any version
-       (cons `(,package _)
-             (alist-delete package packages)))
-      (((? string? package) sexp)
-       (let ((previous (assoc-ref packages package)))
-         (if previous
-             (cons `(,package (or ,sexp ,@previous))
-                   (alist-delete package packages))
-             (cons `(,package ,sexp) packages)))))))
+       (fold loop results configs))
+      (('and config _ ...)                            ;XXX
+       (loop config results))
+      (((? string? vendor) (? string? package) sexp)
+       (let ((pruned-results (remove (match-lambda
+                                       ((vendor package _)  #t)
+                                       (otherwise           #f))
+                                     results)))
+         (match sexp
+           ('_  ;any version
+            (cons `(,vendor ,package _) pruned-results))
+           (_
+            (match (assoc-ref (assoc-ref results vendor) package)
+              ((previous)
+               (cons `(,vendor ,package (or ,sexp ,previous)) pruned-results))
+              (_
+               (cons `(,vendor ,package ,sexp) results))))))))))
 
 (define (merge-package-lists lst)
-  "Merge the list in LST, each of which has the form (p sexp), where P
-is the name of a package and SEXP is an sexp that constrains matching
-versions."
+  "Merge the list in LST, each of which has the form (V P SEXP), where V is a
+CPE vendor, P is the name of a package and SEXP is an sexp that constrains
+matching versions."
   (fold (lambda (plist result)                    ;XXX: quadratic
           (fold (match-lambda*
-                  (((package version) result)
-                   (match (assoc-ref result package)
-                     (#f
-                      (cons `(,package ,version) result))
-                     ((previous)
-                      (cons `(,package (or ,version ,previous))
-                            (alist-delete package result))))))
+                  (((vendor package version) result)
+                   (match (assoc-ref result vendor)
+                     (((? (cut string=? package <>)) previous)
+                      (cons `(,vendor ,package (or ,version ,previous))
+                            (remove (match-lambda
+                                      ((vendor package _)  #t)
+                                      (otherwise           #f))
+                                    result)))
+                     (_
+                      (cons `(,vendor ,package ,version) result)))))
                 result
                 plist))
         '()
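
Review bot: The match-lambda passed to remove in cve-configuration->package-list, ((vendor package _) #t), does not compare against the outer vendor and package. In (ice-9 match) a bare symbol in a pattern is a fresh pattern variable, so the clause matches every three-element entry and pruned-results loses all previously collected (V P SEXP) entries, not only the one being replaced. The same pattern is used in the remove call in merge-package-lists. Use predicate patterns such as ((? (cut string=? vendor <>)) (? (cut string=? package <>)) _), as the merge-package-lists lookup already does for package. Separately, (assoc-ref results vendor) and (assoc-ref result vendor) return only the first entry for that vendor, so an existing entry for the same package is missed when another package from that vendor sits ahead of it in the list.
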
@@ -337,7 +371,7 @@ (define vulns
         (json->vulnerabilities input))
 
       (write `(vulnerabilities
-               1                                  ;format version
+               2                                  ;format version
                ,(map vulnerability->sexp vulns))
              cache))))
 
@@ -371,8 +405,10 @@ (define (read* port)
          (sexp (read* port)))
     (close-port port)
     (match sexp
-      (('vulnerabilities 1 vulns)
-       (map sexp->vulnerability vulns)))))
+      (('vulnerabilities 2 vulns)
+       (map sexp->vulnerability vulns))
+      (('vulnerabilities 1 vulns)  ;old format, lacks vendor info
+       (map sexp-v1->vulnerability vulns)))))
 
 (define* (current-vulnerabilities #:key (timeout 10))
   "Return the current list of Common Vulnerabilities and Exposures (CVE) as
@@ -404,28 +440,26 @@ (define table
               (($ <vulnerability> id packages)
                (fold (lambda (package table)
                        (match package
-                         ((name . versions)
-                          (vhash-cons name (cons vuln versions)
+                         ((vendor name versions)
+                          (vhash-cons name (cons vuln `(,versions))
                                       table))))
                      table
                      packages))))
           vlist-null
           vulnerabilities))
 
-  (lambda* (package #:optional version)
-    (vhash-fold* (if version
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln sexp)
-                          (if (version-matches? version sexp)
-                              (cons vuln result)
-                              result))))
-                     (lambda (pair result)
-                       (match pair
-                         ((vuln . _)
-                          (cons vuln result)))))
-                 '()
-                 package table)))
+  (lambda* (package #:optional version #:key (vendor #f) (hidden-vendors '()))
+    (vhash-fold*
+     (lambda (pair result)
+       (match pair
+         ((vuln sexp)
+          (if (and (or (and (not vendor) (null? hidden-vendors))
+                       (vulnerability-matches? vuln vendor hidden-vendors))
+                   (or (not version) (version-matches? version sexp)))
+              (cons vuln result)
+              result))))
+     '()
+     package table)))
 
 
 ;;; cve.scm ends here
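
Review bot: The table entry built with (vhash-cons name (cons vuln `(,versions)) table) discards the vendor of the entry being indexed, so the lookup lambda can only call vulnerability-matches? on the whole vulnerability, which tests the vendors of all its packages with any. A CVE that lists the looked-up name under a hidden vendor and an unrelated product under another vendor still passes the filter when VENDOR is #f, and a cpe-vendor match can come from a different product of that vendor. Store the vendor next to the version sexp in the table and compare that single vendor in the lookup.
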
diff --git a/guix/lint.scm b/guix/lint.scm
index d54db725b5..095694ed49 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -1585,8 +1585,14 @@ (define package-vulnerabilities
                          (package-name package)))
             (version (or (assoc-ref (package-properties package)
                                     'cpe-version)
-                         (package-version package))))
-        ((force lookup) name version)))))
+                         (package-version package)))
+            (vendor (assoc-ref (package-properties package)
+                               'cpe-vendor))
+            (hidden-vendors (assoc-ref (package-properties package)
+                                       'lint-hidden-cpe-vendors)))
+        ((force lookup) name version
+         #:vendor vendor
+         #:hidden-vendors hidden-vendors)))))
 
 ;; Prevent Guile 3 from inlining this procedure so we can mock it in tests.
 (set! package-vulnerabilities package-vulnerabilities)
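
Review bot: (assoc-ref (package-properties package) 'lint-hidden-cpe-vendors) returns #f for packages without the property, and passing that explicitly overrides the '() default of #:hidden-vendors in the lookup procedure. The (null? hidden-vendors) shortcut there is then never taken from this caller, and every package goes through vulnerability-matches?, which copes only because of its list? check. Pass (or (assoc-ref ...) '()) here, or make the lookup treat #f and '() the same way.
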
diff --git a/tests/cve.scm b/tests/cve.scm
index b69da0e120..90ada2b647 100644
--- a/tests/cve.scm
+++ b/tests/cve.scm
@@ -34,19 +34,19 @@ (define %expected-vulnerabilities
    (vulnerability "CVE-2019-0001"
                   ;; Only the "a" CPE configurations are kept; the "o"
                   ;; configurations are discarded.
-                  '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2")))))
+                  '(("juniper" "junos" (or "18.2" (or "18.21-s3" "18.21-s4")))))
    (vulnerability "CVE-2019-0005"
-                  '(("junos" (or "18.11" "18.1"))))
+                  '(("juniper" "junos" (or "18.1" "18.11"))))
    ;; CVE-2019-0005 has no "a" configurations.
    (vulnerability "CVE-2019-14811"
-                  '(("ghostscript" (< "9.28"))))
+                  '(("artifex" "ghostscript" (< "9.28"))))
    (vulnerability "CVE-2019-17365"
-                  '(("nix" (<= "2.3"))))
+                  '(("nixos" "nix" (<= "2.3"))))
    (vulnerability "CVE-2019-1010180"
-                  '(("gdb" _)))                   ;any version
+                  '(("gnu" "gdb" _)))                   ;any version
    (vulnerability "CVE-2019-1010204"
-                  '(("binutils" (and (>= "2.21") (<= "2.31.1")))
-                    ("binutils_gold" (and (>= "1.11") (<= "1.16")))))
+                  '(("gnu" "binutils" (and (>= "2.21") (<= "2.31.1")))
+                    ("gnu" "binutils_gold" (and (>= "1.11") (<= "1.16")))))
    ;; CVE-2019-18192 has no associated configurations.
    ))
 
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:40:05 GMT) Full text and rfc822 format available.

Message #11 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 02/35] gnu: halibut: Add cpe-vendor property.
Date: Fri,  7 Mar 2025 19:38:31 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* gnu/packages/documentation.scm (halibut)
[description]: Reformat field to match max chars.
[properties]: Add cpe-vendor property.
---
 gnu/packages/documentation.scm | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index 21f6df2dcc..503b920d82 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -256,12 +256,14 @@ (define-public halibut
     (home-page "https://www.chiark.greenend.org.uk/~sgtatham/halibut/")
     (synopsis "Documentation production system for software manuals")
     (description
-     "Halibut is a text formatting system designed primarily for writing software
-documentation.  It accepts a single source format and outputs any combination of
-plain text, HTML, Unix man or info pages, PostScript or PDF.  It has extensive
-support for indexing and cross-referencing, and generates hyperlinks within output
-documents wherever possible.  It supports Unicode, with the ability to fall back to
-an alternative representation if Unicode output is not available.")
+     "Halibut is a text formatting system designed primarily for writing
+software documentation.  It accepts a single source format and outputs any
+combination of plain text, HTML, Unix man or info pages, PostScript or PDF.
+It has extensive support for indexing and cross-referencing, and generates
+hyperlinks within output documents wherever possible.  It supports Unicode,
+with the ability to fall back to an alternative representation if Unicode
+output is not available.")
+    (properties `((cpe-vendor . "halibut_project")))
     (license license:expat)))
 
 (define-public doc++
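
Review bot: The added properties line uses a quasiquote, `((cpe-vendor . "halibut_project")), with nothing unquoted inside; a plain quote is enough and is what the xenon patch in this series uses. The re-wrapping of the description is unrelated to the property and would be easier to review as its own commit.
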
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:40:07 GMT) Full text and rfc822 format available.

Message #14 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 03/35] gnu: portfolio: Update to 1.0.1.
Date: Fri,  7 Mar 2025 19:38:32 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* gnu/packages/gnome-xyz.scm (portfolio): Update to 1.0.1.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/gnome-xyz.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnome-xyz.scm b/gnu/packages/gnome-xyz.scm
index 92d8b7cb03..fbee2c8e5c 100644
--- a/gnu/packages/gnome-xyz.scm
+++ b/gnu/packages/gnome-xyz.scm
@@ -485,7 +485,7 @@ (define-public gnome-plots
 (define-public portfolio
   (package
     (name "portfolio")
-    (version "1.0.0")
+    (version "1.0.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -494,7 +494,7 @@ (define-public portfolio
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1ai9mx801m5lngkljg42vrpvhbvc3071sp4jypsvbzw55hxnn5ba"))))
+                "1s06kd2dhsb143piw89yzwfck7qwzlh4nlgjj2bxpsa3g68c1g11"))))
     (arguments
      (list #:glib-or-gtk? #t
            #:imported-modules `(,@%meson-build-system-modules
@@ -537,6 +537,7 @@ (define-public portfolio
      "Portfolio is a minimalist file manager for those who want to use Linux
 mobile devices.  Tap to activate and long press to select, to browse, open,
 copy, move, delete, or edit your files.")
+    (properties `((lint-hidden-cpe-vendors . ("radiustheme"))))
     (license license:gpl3+)))
 
 (define-public gnome-shell-extension-unite-shell
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:40:09 GMT) Full text and rfc822 format available.

Message #17 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 04/35] gnu: folders: Add lint-hidden-cpe-vendors property.
Date: Fri,  7 Mar 2025 19:38:33 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* gnu/packages/esolangs.scm (folders):
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/esolangs.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/esolangs.scm b/gnu/packages/esolangs.scm
index f484108004..2f84688f9a 100644
--- a/gnu/packages/esolangs.scm
+++ b/gnu/packages/esolangs.scm
@@ -117,6 +117,7 @@ (define-public folders
     (description "Folders is a programming language, in which programs
 are encoded as (nested) directories.  Note that the switches you pass to
 @command{du} may affect your score when code golfing.")
+    (properties `((lint-hidden-cpe-vendors . ("premio" "jenkins"))))
     (license license:expat)))
 
 (define-public shakespeare-spl
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:40:10 GMT) Full text and rfc822 format available.

Message #20 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 05/35] gnu: spectra: Add lint-hidden-cpe-vendors property.
Date: Fri,  7 Mar 2025 19:38:34 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* gnu/packages/algebra.scm (spectra)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/algebra.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 5c12413faa..1e702150ae 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -1474,6 +1474,7 @@ (define-public spectra
 built on top of Eigen.  It is implemented as a header-only C++ library and can
 be easily embedded in C++ projects that require calculating eigenvalues of
 large matrices.")
+    (properties `((lint-hidden-cpe-vendors . ("brainstormforce" "wpspectra"))))
     (license license:mpl2.0)))
 
 (define-public gappa
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:40:11 GMT) Full text and rfc822 format available.

Message #23 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 06/35] gnu: express: Add lint-hidden-cpe-vendors property.
Date: Fri,  7 Mar 2025 19:38:35 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* gnu/packages/bioinformatics.scm (express)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/bioinformatics.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index d2959e1401..42ffcba037 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -7873,6 +7873,7 @@ (define-public express
 transcript-level RNA-Seq quantification, allele-specific/haplotype expression
 analysis (from RNA-Seq), transcription factor binding quantification in
 ChIP-Seq, and analysis of metagenomic data.")
+    (properties `((lint-hidden-cpe-vendors . ("openjsf" "qs_project"))))
     (license license:artistic2.0)))
 
 (define-public express-beta-diversity
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:40:13 GMT) Full text and rfc822 format available.

Message #26 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 07/35] gnu: cli: Add lint-hidden-cpe-vendors property.
Date: Fri,  7 Mar 2025 19:38:36 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* gnu/packages/cpp.scm (cli)[properties]: Add lint-hidden-cpe-vendors
property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index d6dc070756..7be5a87b4c 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2548,6 +2548,7 @@ (define-public cli
 options that your program supports, their types, default values, and
 documentation.")
     (home-page "https://codesynthesis.com/projects/cli/")
+    (properties `((lint-hidden-cpe-vendors . ("github" "snyk"))))
     (license license:expat)))
 
 (define-public xsd
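
Review bot: The hidden vendors "github" and "snyk" on the added properties line carry no explanation, and a deny list only covers the vendors known today: the next vendor that registers a product named cli will show up in guix lint again. A short comment naming the unrelated products would help future maintainers, and if this project has a CPE vendor of its own, setting cpe-vendor as done for halibut would be the more robust choice.
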
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:40:14 GMT) Full text and rfc822 format available.

Message #29 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 08/35] gnu: h2c: Add lint-hidden-cpe-vendors property.
Date: Fri,  7 Mar 2025 19:38:37 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* gnu/packages/curl.scm (h2c)[property]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/curl.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 3e9cd517a2..41b855c81e 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -382,6 +382,7 @@ (define-public h2c
     (description
      "Provided a set of HTTP request headers, h2c outputs how to invoke
 curl to obtain exactly that HTTP request.")
+    (properties `((lint-hidden-cpe-vendors . ("golang"))))
     (license license:expat)))
 
 (define-public coeurl
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:40:15 GMT) Full text and rfc822 format available.

Message #32 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 09/35] gnu: xenon: Update to 0.9.3.
Date: Fri,  7 Mar 2025 19:38:38 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* gnu/packages/code.scm (xenon): Update to 0.9.3.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/code.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 004f24de49..770a379a56 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -1058,14 +1058,14 @@ (define-public cscope
 (define-public xenon
   (package
     (name "xenon")
-    (version "0.9.0")
+    (version "0.9.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "xenon" version))
        (sha256
         (base32
-         "1f4gynjzfckm3rjfywwgz1c7icfx3zjqirf16aj73xv0c9ncpffj"))))
+         "1yj31bqz2bphvvyb0jkas7bxc2rw76rf1csz0mwmvah8pbc3hxaa"))))
     (build-system python-build-system)
     (arguments (list #:tests? #f)) ;test suite not shipped with the PyPI archive
     (inputs (list python-pyyaml python-radon python-requests))
@@ -1077,6 +1077,7 @@ (define-public xenon
 line options, various thresholds can be set for the complexity of code.  It
 will fail (i.e., it will exit with a non-zero exit code) when any of these
 requirements is not met.")
+    (properties '((lint-hidden-cpe-vendors . ("ashlar"))))
     (license license:expat)))
 
 (define-public python-xenon
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:40:16 GMT) Full text and rfc822 format available.

Message #35 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 10/35] gnu: bolt: Update to 0.9.8.
Date: Fri,  7 Mar 2025 19:38:39 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* gnu/packages/linux.scm (bolt): Update to 0.9.8.
[arguments]<#:phases>: Update phase 'replace-directories.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/linux.scm | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 38bc9f640d..a1c8143ec8 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -3387,7 +3387,7 @@ (define-public iptables-nft
 (define-public bolt
   (package
     (name "bolt")
-    (version "0.9.5")
+    (version "0.9.8")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3396,7 +3396,7 @@ (define-public bolt
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1b9z0sfrz6bj0mddng9s0dx59g9239zmrl03hxx2x88mb7r0wmcg"))))
+                "1i9nyvx3qcf4m607qmpklpl9xqzsh423k8y3fr6c5n0k4ajy4cxh"))))
     (build-system meson-build-system)
     (arguments
      (list #:configure-flags '(list "--localstatedir=/var")
@@ -3405,12 +3405,11 @@ (define-public bolt
                         (add-after 'unpack 'replace-directories
                           (lambda* (#:key outputs #:allow-other-keys)
                             (substitute* "meson.build"
-                              (("udev.get_pkgconfig_variable..udevdir..")
-                               (string-append "'"
-                                              #$output "/lib/udev'")))
-                            (substitute* "scripts/meson-install.sh"
-                              (("mkdir.*")
-                               ""))))
+                              (("udev.get_variable\\(pkgconfig: 'udevdir'\\)")
+                               (string-append "'" #$output "/lib/udev'"))
+                              ;; Don't install in /var
+                              (("not systemd\\.found\\(\\)")
+                               "false"))))
                         (add-before 'install 'no-polkit-magic
                           (lambda* (#:key outputs #:allow-other-keys)
                             (setenv "PKEXEC_UID" "something"))))))
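Review bot: in the 'replace-directories phase, the second substitute* clause rewrites every occurrence of "not systemd.found()" in meson.build to "false", not only the condition that guards the /var install, so the comment ";; Don't install in /var" understates its reach. Please confirm that 0.9.8 has a single match, or anchor the pattern on more of the surrounding line so a later upstream change cannot silently flip another branch. The lambda also still declares "#:key outputs" although only #$output is used; "(lambda _ ...)" would do.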
@@ -3432,6 +3431,7 @@ (define-public bolt
 @command{boltd}.  It can list devices, monitor changes, and initiate
 authorization of devices.")
     (home-page "https://gitlab.freedesktop.org/bolt/bolt")
+    (properties `((lint-hidden-cpe-vendors . ("boltcms" "puppet"))))
     (license license:gpl2+)))
 
 (define-public jitterentropy-rngd
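Review bot: the added properties line uses a quasiquote although nothing inside it is unquoted; a plain quote, as in the xenon and bwm-ng patches of this series, is enough and keeps the series consistent. A short comment saying which unrelated products the "boltcms" and "puppet" vendors refer to would let a later reader check that the suppression is still warranted.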
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:40:16 GMT) Full text and rfc822 format available.

Message #38 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 11/35] gnu: bwm-ng: Add lint-hidden-cpe-vendors property.
Date: Fri,  7 Mar 2025 19:38:40 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* gnu/packages/networking.scm (bwm-ng)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/networking.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index b0a0fb420d..d8e95e0ea2 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2130,6 +2130,7 @@ (define-public bwm-ng
     (description "Bandwidth Monitor NG is a small and simple console based
 live network and disk I/O bandwidth monitor.")
     (home-page "https://www.gropp.org/?id=projects&sub=bwm-ng")
+    (properties '((lint-hidden-cpe-vendors . ("bwm-ng_project"))))
     (license license:gpl2)))
 
 (define-public aircrack-ng
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:40:17 GMT) Full text and rfc822 format available.

Message #41 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 12/35] gnu: onedrive: Update to 2.5.2.
Date: Fri,  7 Mar 2025 19:38:41 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* gnu/packages/sync.scm (onedrive): Update to 2.5.2.
[properties]: Add lint-hidden-cpe-vendors.
---
 gnu/packages/sync.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/sync.scm b/gnu/packages/sync.scm
index a4d4e03b91..c863fb619b 100644
--- a/gnu/packages/sync.scm
+++ b/gnu/packages/sync.scm
@@ -374,7 +374,7 @@ (define-public owncloud-client
 (define-public onedrive
   (package
     (name "onedrive")
-    (version "2.4.25")
+    (version "2.5.2")
     (source
       (origin
         (method git-fetch)
@@ -383,7 +383,7 @@ (define-public onedrive
                (commit (string-append "v" version))))
         (file-name (git-file-name name version))
         (sha256
-         (base32 "1i93mq4r9w8cqrdfsfv8wparfd3dbrppc5z04ab056545hk0x89k"))))
+         (base32 "0307qa3nncarn6r5837nn9z5nv8j60ycykq6pfn93qriabk65qlx"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -420,6 +420,7 @@ (define-public onedrive
 Business, OneDrive for Office365 and SharePoint and fully supports Azure
 National Cloud Deployments.  It supports one-way and two-way sync capabilities
 and securely connects to Microsoft OneDrive services.")
+    (properties '((lint-hidden-cpe-vendors . ("microsoft"))))
     (license license:gpl3)))
 
 (define-public lsyncd
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:40:18 GMT) Full text and rfc822 format available.

Message #44 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 13/35] gnu: got: Add lint-hidden-cpe-vendors property.
Date: Fri,  7 Mar 2025 19:38:42 +0100
* gnu/packages/version-control.scl (got)[properties]: Add
lint-hidden-cpe-vendors and release-monitoring-url.
---
 gnu/packages/version-control.scm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 9ecb5cf98a..a54c0e2a71 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -1225,7 +1225,11 @@ (define-public got
      "Game of Trees (Got) is a version control system which prioritizes ease of use
 and simplicity over flexibility.")
     (license license:isc)
-    (home-page "https://gameoftrees.org/")))
+    (home-page "https://gameoftrees.org/")
+    (properties
+     ;; Can lint for updates, but not update in place.
+     '((release-monitoring-url . "https://gameoftrees.org/releases/")
+       (lint-hidden-cpe-vendors . ("got_project"))))))
 
 (define-public xdiff
   (let ((revision "0")
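Review bot: the comment ";; Can lint for updates, but not update in place." sits above the whole alist but only describes the release-monitoring-url entry; move it next to that entry so it is not read as applying to lint-hidden-cpe-vendors. The commit message also names the file "gnu/packages/version-control.scl" while the diff touches version-control.scm, and the subject mentions only one of the two properties being added.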
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:41:09 GMT) Full text and rfc822 format available.

Message #47 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 14/35] gnu: dex: Update to 0.10.1.
Date: Fri,  7 Mar 2025 19:38:43 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* gnu/packages/xdisorg.scm (dex): Update to 0.10.1.
[arguments]: Improve style.
[properties]: Add lint-hidden-cpe-vendors property.
---
 gnu/packages/xdisorg.scm | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 5fd0685c7c..0e56a9e3bd 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -3644,7 +3644,7 @@ (define-public nwg-launchers
 (define-public dex
   (package
     (name "dex")
-    (version "0.9.0")
+    (version "0.10.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -3652,15 +3652,16 @@ (define-public dex
                     (commit (string-append "v" version))))
               (sha256
                (base32
-                "03aapcywnz4kl548cygpi25m8adwbmqlmwgxa66v4156ax9dqs86"))
+                "1d7fqy63i4q0mw316i5ws1sgdq3f7h3bsf3avvmy0nzshz7i5y6m"))
               (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure))
-       #:tests? #f))
+     (list
+      #:make-flags #~(list (string-append "PREFIX=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure))
+      #:tests? #f))  ; No tests.
     (inputs
      (list python))
     (native-inputs
@@ -3670,6 +3671,8 @@ (define-public dex
     (description
      "@command{dex}, @dfn{DesktopEntry Execution}, is a program to generate
 and execute @file{.desktop} files of the Application type.")
+    (properties
+     '((lint-hidden-cpe-vendors . ("samsung" "linuxfoundation"))))
     (license license:gpl3+)))
 
 (define-public sx
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:41:09 GMT) Full text and rfc822 format available.

Message #50 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 15/35] gnu: immer: Add lint-hidden-cpe-vendors property.
Date: Fri,  7 Mar 2025 19:38:44 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* gnu/packages/cpp.scm (immer)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/cpp.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/cpp.scm b/gnu/packages/cpp.scm
index 7be5a87b4c..6df97bedfb 100644
--- a/gnu/packages/cpp.scm
+++ b/gnu/packages/cpp.scm
@@ -2108,6 +2108,7 @@ (define-public immer
    (synopsis "Immutable data structures")
    (description "Immer is a library of persistent and immutable data structures
 written in C++.")
+   (properties '((lint-hidden-cpe-vendors . ("immer_project"))))
    (license license:boost1.0)))
 
 (define-public zug
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:41:10 GMT) Full text and rfc822 format available.

Message #53 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>
Subject: [PATCH v7 16/35] gnu: cvs: Add lint-hidden-cpe-vendors property.
Date: Fri,  7 Mar 2025 19:38:45 +0100
From: Nicolas Graves via Guix-patches via <guix-patches <at> gnu.org>

* gnu/packages/version-control.scm (cvs)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/version-control.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index a54c0e2a71..4b66fa02fb 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -3043,6 +3043,7 @@ (define-public cvs
 Configuration Management (SCM).  Using it, you can record the history of
 sources files, and documents.  It fills a similar role to the free software
 RCS, PRCS, and Aegis packages.")
+    (properties '((lint-hidden-cpe-vendors . ("jenkins"))))
     (license license:gpl1+)))
 
 (define-public cvs-fast-export
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:41:11 GMT) Full text and rfc822 format available.

Message #56 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 18/35] gnu: wayvnc: Update to 0.9.1.
Date: Fri,  7 Mar 2025 19:38:47 +0100
* gnu/packages/vnc.scm (wayvnc): Update to 0.9.1.
---
 gnu/packages/vnc.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/vnc.scm b/gnu/packages/vnc.scm
index bb515ca744..3b09c1aa30 100644
--- a/gnu/packages/vnc.scm
+++ b/gnu/packages/vnc.scm
@@ -705,7 +705,7 @@ (define-public neatvnc
 (define-public wayvnc
   (package
     (name "wayvnc")
-    (version "0.8.0")
+    (version "0.9.1")
     (source
      (origin
        (method git-fetch)
@@ -714,7 +714,7 @@ (define-public wayvnc
              (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "1k02i70v8niqvadzfrki8q6wiymcfdqanc9zlmzdslw2bpdhqq90"))))
+        (base32 "1brnzwabnrhjblcfymwxsg4z58pzdnlql1mgsmijp0kw5n8770rc"))))
     (build-system meson-build-system)
     (native-inputs
      (append (if (%current-target-system)
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:41:11 GMT) Full text and rfc822 format available.

Message #59 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 17/35] gnu: tinyxml: Fix CVE-2023-34194.
Date: Fri,  7 Mar 2025 19:38:46 +0100
* gnu/packages/patches/tinyxml-CVE-2023-34194.patch: Add patch.
* gnu/packages/xml.scm, gnu/local.mk: Record it.
---
 gnu/local.mk                                  |  1 +
 .../patches/tinyxml-CVE-2023-34194.patch      | 28 +++++++++++++++++++
 gnu/packages/xml.scm                          |  3 +-
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/tinyxml-CVE-2023-34194.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 997b7344ff..2d602e0708 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -2311,6 +2311,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/tidy-CVE-2015-5522+5523.patch		\
   %D%/packages/patches/timewarrior-time-sensitive-tests.patch	\
   %D%/packages/patches/tinydir-fix-cbehave-test.patch		\
+  %D%/packages/patches/tinyxml-CVE-2023-34194.patch		\
   %D%/packages/patches/tinyxml-use-stl.patch			\
   %D%/packages/patches/tk-find-library.patch			\
   %D%/packages/patches/tla2tools-build-xml.patch		\
diff --git a/gnu/packages/patches/tinyxml-CVE-2023-34194.patch b/gnu/packages/patches/tinyxml-CVE-2023-34194.patch
new file mode 100644
index 0000000000..dee0aa1d93
--- /dev/null
+++ b/gnu/packages/patches/tinyxml-CVE-2023-34194.patch
@@ -0,0 +1,28 @@
+From: Guilhem Moulin <guilhem <at> debian.org>
+Date: Sat, 30 Dec 2023 14:15:54 +0100
+Subject: Avoid reachable assertion via crafted XML document with a '\0'
+ located after whitespace
+
+Bug: https://www.forescout.com/resources/sierra21-vulnerabilities
+Bug-Debian: https://bugs.debian.org/1059315
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-34194
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-40462
+---
+ tinyxmlparser.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp
+index 8aa0dfa..1601962 100644
+--- a/tinyxmlparser.cpp
++++ b/tinyxmlparser.cpp
+@@ -1606,6 +1606,10 @@ const char* TiXmlDeclaration::Parse( const char* p, TiXmlParsingData* data, TiXm
+ 		}
+ 
+ 		p = SkipWhiteSpace( p, _encoding );
++		if ( !p || !*p )
++		{
++			break;
++		}
+ 		if ( StringEqual( p, "version", true, _encoding ) )
+ 		{
+ 			TiXmlAttribute attrib;
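Review bot: the embedded patch header cites two identifiers (the Bug-Debian lines for CVE-2023-34194 and CVE-2023-40462), but the file name tinyxml-CVE-2023-34194.patch and the commit message record only the first. If the added "if ( !p || !*p )" check addresses both, name the file for both in the style of the neighbouring tidy-CVE-2015-5522+5523.patch entry in gnu/local.mk, or say in the commit message why CVE-2023-40462 is left out. A line stating where the patch file itself was taken from would also help; the header points at Debian bug pages but not at the patch source.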
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 10cd6d98fa..2ae9209f75 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -1288,7 +1288,8 @@ (define-public tinyxml
               (sha256
                (base32
                 "14smciid19lvkxqznfig77jxn5s4iq3jpb47vh5a6zcaqp7gvg8m"))
-              (patches (search-patches "tinyxml-use-stl.patch"))))
+              (patches (search-patches "tinyxml-use-stl.patch"
+                                       "tinyxml-CVE-2023-34194.patch"))))
     (build-system gnu-build-system)
     ;; This library is missing *a lot* of the steps to make it usable, so we
     ;; have to add them here, like every other distro must do.
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:41:12 GMT) Full text and rfc822 format available.

Message #62 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 19/35] gnu: neatvnc: Update to 0.9.4.
Date: Fri,  7 Mar 2025 19:38:48 +0100
* gnu/packages/vnc.scm (neatvnc): Update to 0.9.4.
---
 gnu/packages/vnc.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/vnc.scm b/gnu/packages/vnc.scm
index 3b09c1aa30..c4051c7672 100644
--- a/gnu/packages/vnc.scm
+++ b/gnu/packages/vnc.scm
@@ -682,7 +682,7 @@ (define-public libvnc
 (define-public neatvnc
   (package
     (name "neatvnc")
-    (version "0.8.0")
+    (version "0.9.4")
     (source (origin
               (method git-fetch)
               (uri (git-reference
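Review bot: the version bump to 0.9.4 arrives in patch 19/35, after wayvnc was already moved to 0.9.1 in patch 18/35 (the base blob 3b09c1aa30 of this diff is the result of that patch). If wayvnc 0.9.1 needs the newer neatvnc, the intermediate commit will not build; swapping the two patches keeps every commit in the series buildable.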
@@ -691,7 +691,7 @@ (define-public neatvnc
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "07vjagx14yiqgaiba24xvb3qbiznlfab23c14arx225y0rlw82h4"))))
+                "09vafk99zmrbrb5mxr1sqb21rvggbr69kx7rwqf2g6dxk07p1mqg"))))
     (build-system meson-build-system)
     (native-inputs (list pkg-config))
     (inputs
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:41:13 GMT) Full text and rfc822 format available.

Message #65 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 21/35] gnu: jq: Add lint-hidden-cve property.
Date: Fri,  7 Mar 2025 19:38:50 +0100
* gnu/packages/web.scm (jq)[properties]: Add lint-hidden-cve property.
---
 gnu/packages/web.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 193241bcf3..25436c32ab 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -5608,7 +5608,10 @@ (define-public jq
 mangle the data format that you have into the one that you want with very
 little effort, and the program to do so is often shorter and simpler than
 you'd expect.")
-    (license (list license:expat license:cc-by3.0))))
+    (license (list license:expat license:cc-by3.0))
+    ;; Both those CVEs are actually fixed in version 1.7.1.
+    (properties `((lint-hidden-cve . ("CVE-2023-50246"
+                                      "CVE-2023-50268"))))))
 
 (define-public go-github-com-mikefarah-yq-v4
   (package
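Review bot: the comment ";; Both those CVEs are actually fixed in version 1.7.1." does not say why the linter still reports them, and the hunk does not show which version the package is at, so the suppression cannot be checked from the patch alone. Please state the reason in the comment (for example, that the package is at or past 1.7.1 and the database range is stale), since a lint-hidden-cve entry stays in place across later updates. The quasiquote can also be a plain quote, as nothing is unquoted.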
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:41:13 GMT) Full text and rfc822 format available.

Message #68 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 20/35] gnu: opus: Add lint-hidden-cve property.
Date: Fri,  7 Mar 2025 19:38:49 +0100
* gnu/packages/xiph.scm (opus)[properties]: Add release-monitoring-url
and lint-hidden-cpe-vendors.
---
 gnu/packages/xiph.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm
index 7ca336b14a..7436cd1bd0 100644
--- a/gnu/packages/xiph.scm
+++ b/gnu/packages/xiph.scm
@@ -380,7 +380,10 @@ (define-public opus
 standardized by the Internet Engineering Task Force (IETF) as RFC 6716 which
 incorporated technology from Skype's SILK codec and Xiph.Org's CELT codec.")
     ;; This package shows a sizable speed increase when tuned.
-    (properties `((tunable? . #t)))
+    (properties `((tunable? . #t)
+                  (lint-hidden-cpe-vendors . ("discordjs"))
+                  (release-monitoring-url
+                   . "https://archive.mozilla.org/pub/opus/")))
     (license license:bsd-3)
     (home-page "https://www.opus-codec.org")))
 
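Review bot: the commit subject says "Add lint-hidden-cve property", but the properties form here gains lint-hidden-cpe-vendors and release-monitoring-url and no lint-hidden-cve entry; the subject should match what the body and the diff do. A brief comment on why the "discordjs" vendor is hidden would make the suppression reviewable later.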
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:41:18 GMT) Full text and rfc822 format available.

Message #71 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 23/35] gnu: yasm: Refresh package definition.
Date: Fri,  7 Mar 2025 19:38:52 +0100
* gnu/packages/assembly.scm (yasm):
[inputs]: Improve style.
[home-page]: Use a live home-page.
---
 gnu/packages/assembly.scm | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/assembly.scm b/gnu/packages/assembly.scm
index 7fe9e0f11e..0d15e80d86 100644
--- a/gnu/packages/assembly.scm
+++ b/gnu/packages/assembly.scm
@@ -230,9 +230,8 @@ (define-public yasm
                                         ; non-deterministically when run in
                                         ; parallel
     (inputs
-     `(("python" ,python-wrapper)
-       ("xmlto" ,xmlto)))
-    (home-page "https://yasm.tortall.net/")
+     (list python-wrapper xmlto))
+    (home-page "https://github.com/yasm/yasm")
     (synopsis "Rewrite of the NASM assembler")
     (description
      "Yasm is a complete rewrite of the NASM assembler.
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:41:19 GMT) Full text and rfc822 format available.

Message #74 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 22/35] gnu: highlight: Add lint-hidden-cpe-vendors property.
Date: Fri,  7 Mar 2025 19:38:51 +0100
* gnu/packages/pretty-print.scm (highlight)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/pretty-print.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/pretty-print.scm b/gnu/packages/pretty-print.scm
index 621dc8bf9c..8721fbabe4 100644
--- a/gnu/packages/pretty-print.scm
+++ b/gnu/packages/pretty-print.scm
@@ -459,4 +459,5 @@ (define-public highlight
      "Highlight converts source code to HTML, XHTML, RTF, LaTeX,
 TeX, SVG, BBCode and terminal escape sequences with colored syntax
 highlighting.  Language definitions and color themes are customizable.")
-    (license gpl3+)))
+    (license gpl3+)
+    (properties '((lint-hidden-cpe-vendors . ("highlight"))))))
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:41:19 GMT) Full text and rfc822 format available.

Message #77 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 24/35] gnu: music: Add lint-hidden-cpe-vendors property.
Date: Fri,  7 Mar 2025 19:38:53 +0100
* gnu/packages/bioinformatics.scm (music)[properties]: Add
lint-hidden-cpe-vendors property.
---
 gnu/packages/bioinformatics.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 42ffcba037..5e9773ce93 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -10211,7 +10211,8 @@ (define-public music
        "MUSIC is an algorithm for identification of enriched regions at
 multiple scales in the read depth signals from ChIP-Seq experiments.")
       ;; See https://github.com/gersteinlab/MUSIC/issues/6
-      (license license:gpl2+))))
+      (license license:gpl2+)
+      (properties '((lint-hidden-cpe-vendors . ("apple")))))))
 
 (define-public newick-utils
   ;; There are no recent releases so we package from git.
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:41:20 GMT) Full text and rfc822 format available.

Message #80 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 26/35] gnu: snappy: Add cpe-name property.
Date: Fri,  7 Mar 2025 19:38:55 +0100
* gnu/packages/compression.scm (snappy)[properties]: Add cpe-name.
---
 gnu/packages/compression.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index cdb029b225..c95fa4db53 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -1399,7 +1399,8 @@ (define-public snappy
 compared to the fastest mode of zlib, Snappy is an order of magnitude faster
 for most inputs, but the resulting compressed files are anywhere from 20% to
 100% bigger.")
-    (license license:asl2.0)))
+    (license license:asl2.0)
+    (properties '((cpe-name . "google")))))
 
 ;; We need this for irods.
 (define-public snappy-with-clang6
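Review bot: the added "(cpe-name . "google")" sets the CPE product name, yet "google" reads as a vendor, like the "microsoft" and "apple" values given to lint-hidden-cpe-vendors elsewhere in this series. As written the linter would look up a product called "google" instead of "snappy", which can both hide real snappy entries and pull in unrelated ones. Please confirm the intent; if the goal is to restrict matches to one vendor, that needs a vendor-level property rather than cpe-name.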
-- 
2.48.1





Information forwarded to guix-patches <at> gnu.org:
bug#76819; Package guix-patches. (Fri, 07 Mar 2025 18:41:20 GMT) Full text and rfc822 format available.

Message #83 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 25/35] gnu: indent: Update to 2.2.13-0.1737c92.
Date: Fri,  7 Mar 2025 19:38:54 +0100
* gnu/packages/patches/indent-CVE-2024-0911.patch: Delete file.
* gnu/local.mk: Unregister patch.
* gnu/packages/code.scm (indent): Update to 2.2.13-0.1737c92.
[arguments]{phases}: Add phase 'patch-bootstrap.
[native-inputs]: Add autoconf-2.71, automake, gettext-minimal.
[properties]: Add lint-hidden-cves.
---
 gnu/local.mk                                  |  1 -
 gnu/packages/code.scm                         | 61 +++++++++++++------
 .../patches/indent-CVE-2024-0911.patch        | 61 -------------------
 3 files changed, 42 insertions(+), 81 deletions(-)
 delete mode 100644 gnu/packages/patches/indent-CVE-2024-0911.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 2d602e0708..d08f3bba0a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1610,7 +1610,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/idris-test-ffi008.patch			\
   %D%/packages/patches/igraph-fix-varargs-integer-size.patch	\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
-  %D%/packages/patches/indent-CVE-2024-0911.patch	\
   %D%/packages/patches/inferno-fix-crash.patch		\
   %D%/packages/patches/instead-use-games-path.patch		\
   %D%/packages/patches/intltool-perl-compatibility.patch	\
diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 770a379a56..2b065f2cd4 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -22,6 +22,7 @@
 ;;; Copyright © 2024 Sharlatan Hellseher <sharlatanus <at> gmail.com>
 ;;; Copyright © 2024 Artyom V. Poptsov <poptsov.artyom <at> gmail.com>
 ;;; Copyright © 2024 Jordan Moore <lockbox <at> struct.foo>
+;;; Copyright © 2025 Nicolas Graves <ngraves <at> ngraves.fr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -64,6 +65,7 @@ (define-module (gnu packages code)
   #:use-module (gnu packages emacs)
   #:use-module (gnu packages flex)
   #:use-module (gnu packages gcc)
+  #:use-module (gnu packages gettext)
   #:use-module (gnu packages golang-build)
   #:use-module (gnu packages golang-crypto)
   #:use-module (gnu packages golang-web)
@@ -875,29 +877,50 @@ (define-public astyle
     (license license:lgpl3+)))
 
 (define-public indent
-  (package
-   (name "indent")
-   (version "2.2.13")
-   (source (origin
-            (method url-fetch)
-            (uri (string-append "mirror://gnu/indent/indent-" version
-                                ".tar.gz"))
-            (sha256
-             (base32 "15c0ayp9rib7hzvrcxm5ijs0mpagw5y8kf5w0jr9fryfqi7n6r4y"))
-            ;; Remove patch when updating.
-            (patches (search-patches "indent-CVE-2024-0911.patch"))))
-   (build-system gnu-build-system)
-   (native-inputs
-    (list texinfo))
-   (synopsis "Code reformatter")
-   (description
-    "Indent is a program that makes source code easier to read by
+  (let ((commit "1737c929cbe2ec8a181107df9742894a44c57f71")
+        (revision "0"))
+    (package
+      (name "indent")
+      (version (git-version "2.2.13" revision commit))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://git.savannah.gnu.org/git/indent")
+               (commit commit)))
+         (file-name (git-file-name name version))
+         (sha256
+          (base32 "138bqlwvfjv3w1plw2zzf0nqw38lhgimzx1gic6p8r5kizjp9123"))))
+      (build-system gnu-build-system)
+      (arguments
+       (list #:phases
+             #~(modify-phases %standard-phases
+                 (add-after 'unpack 'patch-bootstrap
+                   (lambda _
+                     (substitute* "bootstrap"
+                       (("^(wget|\\./configure|rm)" all)
+                        (string-append "#" all)))
+                     (call-with-output-file "doc/version.texi"
+                       (lambda (port)
+                         (format port "\
+@set UPDATED
+@set EDITION ~a
+@set VERSION ~a"
+                                 #$version
+                                 #$version))))))))
+      (native-inputs
+       (list autoconf-2.71 automake gettext-minimal texinfo))
+      (home-page "https://www.gnu.org/software/indent/")
+      (synopsis "Code reformatter")
+      (description
+       "Indent is a program that makes source code easier to read by
 reformatting it in a consistent style.  It can change the style to one of
 several different styles such as GNU, BSD or K&R.  It has some flexibility to
 deal with incomplete or malformed syntax.  GNU indent offers several
 extensions over the standard utility.")
-   (license license:gpl3+)
-   (home-page "https://www.gnu.org/software/indent/")))
+      (license license:gpl3+)
+      (properties '((lint-hidden-cves . ("CVE-2023-40305"
+                                         "CVE-2024-0911")))))))
 
 (define-public amalgamate
   (let* ((commit "c91f07eea1133aa184f652b8f1398eaf03586208")
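Review bot: the new properties field at the end of the package uses the key lint-hidden-cves (also in the commit message), while the jq patch in this series uses lint-hidden-cve. If the linter reads only one spelling, the other is silently ignored and the CVEs either stay reported or, worse, the mismatch goes unnoticed; please align the key. Because indent-CVE-2024-0911.patch is dropped in the same commit, a comment stating that commit 1737c92 contains the fixes for both listed CVEs would let a later reader verify the suppression.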
diff --git a/gnu/packages/patches/indent-CVE-2024-0911.patch b/gnu/packages/patches/indent-CVE-2024-0911.patch
deleted file mode 100644
index 4687d3f59a..0000000000
--- a/gnu/packages/patches/indent-CVE-2024-0911.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-Upstream issue: https://lists.gnu.org/archive/html/bug-indent/2024-01/msg00001.html
-Signed-off-by: Petr Písař <ppisar <at> redhat.com>
----
- regression/TEST                                     | 2 +-
- regression/input/comment-parent-heap-underread.c    | 3 +++
- regression/standard/comment-parent-heap-underread.c | 5 +++++
- src/output.c                                        | 2 +-
- 4 files changed, 10 insertions(+), 2 deletions(-)
- create mode 100644 regression/input/comment-parent-heap-underread.c
- create mode 100644 regression/standard/comment-parent-heap-underread.c
-
-diff --git a/regression/TEST b/regression/TEST
-index 7c07c2e..951b1a2 100755
---- a/regression/TEST
-+++ b/regression/TEST
-@@ -40,6 +40,7 @@ BUGS="case-label.c one-line-1.c one-line-2.c one-line-3.c \
-         macro.c enum.c elif.c nested.c wrapped-string.c minus_predecrement.c \
-         bug-gnu-33364.c float-constant-suffix.c block-comments.c \
--        no-forced-nl-in-block-init.c hexadecimal_float.c binary-constant.c"
-+        no-forced-nl-in-block-init.c hexadecimal_float.c binary-constant.c \
-+        comment-parent-heap-underread.c"
- 
- INDENTSRC="args.c backup.h backup.c dirent_def.h globs.c indent.h \
-         indent.c indent_globs.h io.c lexi.c memcpy.c parse.c pr_comment.c \
-diff --git a/regression/input/comment-parent-heap-underread.c 
-b/regression/input/comment-parent-heap-underread.c
-new file mode 100644
-index 0000000..68e13cf
---- /dev/null
-+++ b/regression/input/comment-parent-heap-underread.c
-@@ -0,0 +1,3 @@
-+void foo(void) {
-+/*a*/(1);
-+}
-diff --git a/regression/standard/comment-parent-heap-underread.c 
-b/regression/standard/comment-parent-heap-underread.c
-new file mode 100644
-index 0000000..9a1c6e3
---- /dev/null
-+++ b/regression/standard/comment-parent-heap-underread.c
-@@ -0,0 +1,5 @@
-+void
-+foo (void)
-+{
-+/*a*/ (1);
-+}
-diff --git a/src/output.c b/src/output.c
-index ee01bcc..17eee6e 100644
---- a/src/output.c
-+++ b/src/output.c
-@@ -290,7 +290,7 @@ void set_buf_break (
-     /* Did we just parse a bracket that will be put on the next line
-      * by this line break? */
- 
--    if ((*token == '(') || (*token == '['))
-+    if (level > 0 && ((*token == '(') || (*token == '[')))
-     {
-         --level;                        /* then don't take it into account */
-     }
--- 
-2.43.0
-- 
2.48.1

Message #86 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 27/35] gnu: zchunk: Update to 1.5.1.
Date: Fri,  7 Mar 2025 19:38:56 +0100
* gnu/packages/compression.scm (zchunk): Update to 1.5.1.
---
 gnu/packages/compression.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index c95fa4db53..7119d6861b 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2534,7 +2534,7 @@ (define-public quazip
 (define-public zchunk
   (package
     (name "zchunk")
-    (version "1.3.1")
+    (version "1.5.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -2543,7 +2543,7 @@ (define-public zchunk
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "19rw870150w1c730wzg2pn68ixmscq8cwa3vricqhwxs5l63r5wr"))))
+                "08ngp6d54fllk19qhdz6r1s9832781g322gn7524akbr3v1v5jjz"))))
     (build-system meson-build-system)
     (arguments
      (list
-- 
2.48.1

Message #89 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 28/35] gnu: dash: Add lint-hidden-cpe-vendors property.
Date: Fri,  7 Mar 2025 19:38:57 +0100
* gnu/packages/shells.scm (dash)[properties]: Add lint-hidden-cpe-vendors.
---
 gnu/packages/shells.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm
index 63bdf69705..8b43e006ff 100644
--- a/gnu/packages/shells.scm
+++ b/gnu/packages/shells.scm
@@ -120,7 +120,8 @@ (define-public dash
 GNU Bourne-Again Shell (@command{bash}) at most scripted tasks.  Dash is a
 direct descendant of NetBSD's Almquist Shell (@command{ash}).")
     (license (list license:bsd-3
-                   license:gpl2+))))    ; mksignames.c
+                   license:gpl2+))  ; mksignames.c
+    (properties '((lint-hidden-cpe-vendors . ("plotly"))))))
 
 (define-public fish
   (package
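
Review bot: the added `(properties '((lint-hidden-cpe-vendors . ("plotly"))))` line carries no comment saying which unrelated product named "dash" it excludes. Hiding a vendor suppresses every present and future CVE filed under that vendor for this package name, so a one-line comment naming the clashing CPE would let a later reviewer confirm the exclusion is still correct.
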
-- 
2.48.1

Message #92 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 30/35] gnu: soil: Add lint-hidden-cpe-vendors property.
Date: Fri,  7 Mar 2025 19:38:59 +0100
* gnu/packages/gl.scm (soil)[properties]: Add lint-hidden-cpe-vendors.
---
 gnu/packages/gl.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/gl.scm b/gnu/packages/gl.scm
index c20e07e132..57f6d6eb36 100644
--- a/gnu/packages/gl.scm
+++ b/gnu/packages/gl.scm
@@ -994,7 +994,8 @@ (define-public soil
     (description
      "SOIL is a tiny C library used primarily for uploading textures into
 OpenGL.")
-    (license license:public-domain)))
+    (license license:public-domain)
+    (properties '((lint-hidden-cpe-vendors . ("roots"))))))
 
 (define-public glfw
   (package
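
Review bot: "roots" on the added properties line is a generic vendor string, and nothing in the hunk or the commit message records which product it belongs to. Please note the clashing CPE name next to the property, so the exclusion can be re-checked if a genuine SOIL advisory is ever filed.
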
-- 
2.48.1

Message #95 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 29/35] gnu: git: Use lint-hidden-cpe-vendors.
Date: Fri,  7 Mar 2025 19:38:58 +0100
* gnu/packages/version-control.scm (git-minimal, git)[properties]: Use
lint-hidden-cpe-vendors in place of lint-hidden-cve.
---
 gnu/packages/version-control.scm | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 4b66fa02fb..d85bdbe9c4 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -589,20 +589,7 @@ (define PATH-variable-definition
     (description
      "Git is a free distributed version control system designed to handle
 everything from small to very large projects with speed and efficiency.")
-    ;; XXX: Ignore this CVE to work around a name clash with the unrelated
-    ;; "cpe:2.3:a:jenkins:git" package.  The proper fix is for (guix cve) to
-    ;; account for "vendor names".
-    (properties '((lint-hidden-cve . ("CVE-2018-1000182"
-                                      "CVE-2018-1000110"
-                                      "CVE-2019-1003010"
-                                      "CVE-2020-2136"
-                                      "CVE-2021-21684"
-                                      "CVE-2022-30947"
-                                      "CVE-2022-30948"
-                                      "CVE-2022-30949"
-                                      "CVE-2022-36882"
-                                      "CVE-2022-36883"
-                                      "CVE-2022-36884"))
+    (properties '((lint-hidden-cpe-vendors . ("jenkins"))
                   (upstream-name . "git")))
     (license license:gpl2)
     (home-page "https://git-scm.com/")))
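
Review bot: the removed `;; XXX:` comment was the only place that explained the clash with "cpe:2.3:a:jenkins:git", and the replacement line `(lint-hidden-cpe-vendors . ("jenkins"))` drops that explanation entirely. Keeping a short comment (without the XXX, since the vendor-aware fix it asked for is now in place) would preserve the rationale. It is also worth confirming that the eleven CVE ids removed here are all filed under the jenkins vendor, so that none of them resurfaces in the lint output.
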
-- 
2.48.1

Message #98 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 31/35] gnu: re2c: Update to 4.1.
Date: Fri,  7 Mar 2025 19:39:00 +0100
* gnu/packages/re2c.scm (re2c): Update to 4.1.
---
 gnu/packages/re2c.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/re2c.scm b/gnu/packages/re2c.scm
index eb9daf4622..9b0dd80388 100644
--- a/gnu/packages/re2c.scm
+++ b/gnu/packages/re2c.scm
@@ -28,7 +28,7 @@ (define-module (gnu packages re2c)
 (define-public re2c
   (package
     (name "re2c")
-    (version "2.2")
+    (version "4.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://github.com/skvadrik/" name
@@ -36,7 +36,7 @@ (define-public re2c
                                  name "-" version ".tar.xz"))
              (sha256
               (base32
-               "1nkbv3bxz1kwwql1pdlnj3lxy5h2vsaif393ivb5b9d8610mxi0g"))))
+               "12rf6879y1iqd4k0f24fykp7praxcmay282yl86z411zvfx9nzfd"))))
     (build-system gnu-build-system)
     (home-page "https://re2c.org/")
     (native-inputs
-- 
2.48.1

Message #101 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 32/35] gnu: libconfuse: Patch CVE-2022-40320.
Date: Fri,  7 Mar 2025 19:39:01 +0100
* gnu/packages/patches/libconfuse-CVE-2022-40320.patch: Add file.
* gnu/packages/textutils.scm (libconfuse)[source]: Record patch.
* gnu/local.mk: Record patch.
---
 gnu/local.mk                                  |  1 +
 .../patches/libconfuse-CVE-2022-40320.patch   | 38 +++++++++++++++++++
 gnu/packages/textutils.scm                    |  4 +-
 3 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libconfuse-CVE-2022-40320.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index d08f3bba0a..dc7836d9a5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1656,6 +1656,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/julia-Use-MPFR-4.2.patch	                \
   %D%/packages/patches/libcall-ui-make-it-installable.patch	\
   %D%/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch	\
+  %D%/packages/patches/libconfuse-CVE-2022-40320.patch		\
   %D%/packages/patches/libcss-check-format.patch		\
   %D%/packages/patches/libextractor-tidy-support.patch		\
   %D%/packages/patches/libftdi-fix-paths-when-FTDIPP-set.patch	\
diff --git a/gnu/packages/patches/libconfuse-CVE-2022-40320.patch b/gnu/packages/patches/libconfuse-CVE-2022-40320.patch
new file mode 100644
index 0000000000..5911f2d397
--- /dev/null
+++ b/gnu/packages/patches/libconfuse-CVE-2022-40320.patch
@@ -0,0 +1,38 @@
+[PATCH] Fix #163: unterminated username used with getpwnam()
+Signed-off-by: Joachim Wiberg <troglobit <at> gmail.com>
+---
+ src/confuse.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/confuse.c b/src/confuse.c
+index ce4fca8..060fae2 100644
+--- a/src/confuse.c
++++ b/src/confuse.c
+@@ -1863,18 +1863,20 @@ DLLIMPORT char *cfg_tilde_expand(const char *filename)
+ 			passwd = getpwuid(geteuid());
+ 			file = filename + 1;
+ 		} else {
+-			/* ~user or ~user/path */
+-			char *user;
++			char *user; /* ~user or ~user/path */
++			size_t len;
+ 
+ 			file = strchr(filename, '/');
+ 			if (file == 0)
+ 				file = filename + strlen(filename);
+ 
+-			user = malloc(file - filename);
++			len = file - filename - 1;
++			user = malloc(len + 1);
+ 			if (!user)
+ 				return NULL;
+ 
+-			strncpy(user, filename + 1, file - filename - 1);
++			strncpy(user, &filename[1], len);
++			user[len] = 0;
+ 			passwd = getpwnam(user);
+ 			free(user);
+ 		}
+-- 
+2.48.1
+
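
Review bot: the header of the new patch file gives only "Fix #163" and a Signed-off-by line, with no link to the upstream commit or issue, and its trailing version line reads 2.48.1, the same as the series itself, which suggests it was regenerated locally. Please add the upstream commit URL at the top, as the yajl patch in 35/35 does with its Origin: and Bug: lines, so the fix can be checked against upstream. The code change itself reads correctly: `malloc(len + 1)` followed by `user[len] = 0` gives `getpwnam()` a terminated string, which the old `strncpy` into a `file - filename` byte buffer did not guarantee.
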
diff --git a/gnu/packages/textutils.scm b/gnu/packages/textutils.scm
index c886b009be..9567e222ba 100644
--- a/gnu/packages/textutils.scm
+++ b/gnu/packages/textutils.scm
@@ -280,7 +280,9 @@ (define-public libconfuse
                            "releases/download/v" version
                            "/confuse-" version ".tar.xz"))
        (sha256
-        (base32 "043hqqykpprgrkw9s2hbdlxr308a7yxwsgxj4m8aadg1401hmm8x"))))
+        (base32 "043hqqykpprgrkw9s2hbdlxr308a7yxwsgxj4m8aadg1401hmm8x"))
+       (patches
+        (search-patches "libconfuse-CVE-2022-40320.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--disable-static")))
-- 
2.48.1

Message #104 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 33/35] gnu: libxls: Update to 1.6.3.
Date: Fri,  7 Mar 2025 19:39:02 +0100
* gnu/packages/statistics.scm (libxls): Update to 1.6.3.
---
 gnu/packages/statistics.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/statistics.scm b/gnu/packages/statistics.scm
index 3febd29ee3..ac3e9e1e92 100644
--- a/gnu/packages/statistics.scm
+++ b/gnu/packages/statistics.scm
@@ -209,14 +209,14 @@ (define-public jags
 (define-public libxls
   (package
     (name "libxls")
-    (version "1.6.2")
+    (version "1.6.3")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "https://github.com/libxls/libxls/releases/download/"
                            "v" version "/libxls-" version ".tar.gz"))
        (sha256
-        (base32 "0wg3ymr43aa1j3scyl9x83b2xgg7wilzpil0dj91a8dzji6w7b2x"))))
+        (base32 "0b327zafbwnfxj75n722z6a6zw195rs5bjmm5wskl9dml1p87yxj"))))
     (build-system gnu-build-system)
     (home-page "https://github.com/libxls/libxls")
     (synopsis "Read binary (.xls) Excel spreadsheet files")
-- 
2.48.1

Message #107 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 34/35] gnu: ruby-git: Update to 3.0.0.
Date: Fri,  7 Mar 2025 19:39:03 +0100
* gnu/packages/ruby.scm (ruby-git): Update to 3.0.0.
---
 gnu/packages/ruby.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 58082359f6..1e24232605 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -6476,13 +6476,13 @@ (define-public ruby-delayed-job
 (define-public ruby-git
   (package
     (name "ruby-git")
-    (version "1.3.0")
+    (version "3.0.0")
     (source (origin
               (method url-fetch)
               (uri (rubygems-uri "git" version))
               (sha256
                (base32
-                "1waikaggw7a1d24nw0sh8fd419gbf7awh000qhsf411valycj6q3"))))
+                "0h026bb5j5m86l4gasx462im6in467picr56pixj1nc0fami47lm"))))
     (build-system ruby-build-system)
     (arguments
      `(#:tests? #f ; no tests
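
Review bot: the version goes from 1.3.0 to 3.0.0, two major releases, while the context line keeps `#:tests? #f ; no tests`, so nothing in this build exercises the new code. Please confirm that the packages depending on ruby-git still build against 3.0.0, and check whether this release ships a test suite that would make the "no tests" comment stale.
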
-- 
2.48.1

Message #110 received at 76819 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [PATCH v7 35/35] gnu: yajl: Patch CVE-2023-33460.
Date: Fri,  7 Mar 2025 19:39:04 +0100
* gnu/packages/patches/yajl-CVE-2023-33460.patch: Add file.
* gnu/local.mk: Record patch.
* gnu/packages/web.scm (yajl)[source]: Record patch.
---
 gnu/local.mk                                  |  1 +
 .../patches/yajl-CVE-2023-33460.patch         | 38 +++++++++++++++++++
 gnu/packages/web.scm                          |  4 +-
 3 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/yajl-CVE-2023-33460.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index dc7836d9a5..c00cee8b15 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -2439,6 +2439,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/xterm-370-explicit-xcursor.patch		\
   %D%/packages/patches/xygrib-fix-finding-data.patch		\
   %D%/packages/patches/xygrib-newer-proj.patch			\
+  %D%/packages/patches/yajl-CVE-2023-33460.patch		\
   %D%/packages/patches/yggdrasil-extra-config.patch	\
   %D%/packages/patches/zig-0.9-build-respect-PKG_CONFIG-env-var.patch	\
   %D%/packages/patches/zig-0.9-fix-runpath.patch		\
diff --git a/gnu/packages/patches/yajl-CVE-2023-33460.patch b/gnu/packages/patches/yajl-CVE-2023-33460.patch
new file mode 100644
index 0000000000..9ba6e72774
--- /dev/null
+++ b/gnu/packages/patches/yajl-CVE-2023-33460.patch
@@ -0,0 +1,38 @@
+Memory leak in yajl 2.1.0 with use of yajl_tree_parse function
+See https://github.com/lloyd/yajl/issues/250#issuecomment-1628695214
+
+Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984
+Bug: https://github.com/lloyd/yajl/issues/250
+---
+ src/yajl_tree.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/yajl_tree.c b/src/yajl_tree.c
+index 3d357a32..56c7012f 100644
+--- a/src/yajl_tree.c
++++ b/src/yajl_tree.c
+@@ -143,7 +143,7 @@ static yajl_val context_pop(context_t *ctx)
+     ctx->stack = stack->next;
+ 
+     v = stack->value;
+-
++    free (stack->key);
+     free (stack);
+ 
+     return (v);
+@@ -444,7 +444,14 @@ yajl_val yajl_tree_parse (const char *input,
+              snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
+              YA_FREE(&(handle->alloc), internal_err_str);
+         }
++        while(ctx.stack != NULL) {
++             yajl_val v = context_pop(&ctx);
++             yajl_tree_free(v);
++        }
+         yajl_free (handle);
++	//If the requested memory is not released in time, it will cause memory leakage
++	if(ctx.root)
++	     yajl_tree_free(ctx.root);
+         return NULL;
+     }
+ 
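
Review bot: in the embedded patch, `free (stack->key);` in context_pop() is now unconditional, so it is safe only if every path that consumes a key sets `stack->key` to NULL or copies the key before the pop; please confirm that against the rest of yajl_tree.c, since a path that keeps the pointer would turn this leak fix into a use-after-free or double free. The same question applies to the error path in yajl_tree_parse(), where the loop frees every popped value and `ctx.root` is freed afterwards: check that root can never alias a value already freed by the loop. Note also that Origin: points at an openEuler fork rather than lloyd/yajl, so it is worth stating in the header whether upstream has accepted the change.
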
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 25436c32ab..26bc3b2939 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -1746,7 +1746,9 @@ (define-public yajl
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "00yj06drb6izcxfxfqlhimlrb089kka0w0x8k27pyzyiq7qzcvml"))))
+                "00yj06drb6izcxfxfqlhimlrb089kka0w0x8k27pyzyiq7qzcvml"))
+              (patches
+               (search-patches "yajl-CVE-2023-33460.patch"))))
     (build-system cmake-build-system)
     (arguments
      '(#:phases
-- 
2.48.1

This bug report was last modified 99 days ago.