From 0cb4032f9a799e5b1a4f35b7a1881c1b69104466 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 16 Apr 2021 16:45:18 -0400 Subject: [PATCH 1/8] gnu: OpenSSL: Absorb grafted replacement. * gnu/packages/tls.scm (openssl): Update to 1.1.1j. [replacement]: Remove field. (openssl/fixed): Remove variable. --- gnu/packages/tls.scm | 23 ++--------------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 25493cc7ca..25dcdd7228 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -296,8 +296,7 @@ (define-public guile3.0-gnutls (define-public openssl (package (name "openssl") - (replacement openssl/fixed) - (version "1.1.1i") + (version "1.1.1j") (source (origin (method url-fetch) (uri (list (string-append "https://www.openssl.org/source/openssl-" @@ -310,7 +309,7 @@ (define-public openssl (patches (search-patches "openssl-1.1-c-rehash-in.patch")) (sha256 (base32 - "0hjj1phcwkz69lx1lrvr9grhpl4y529mwqycqc1hdla1zqsnmgp8")))) + "1gw17520vh13izy1xf5q0a2fqgcayymjjj5bk0dlkxndfnszrwma")))) (build-system gnu-build-system) (outputs '("out" "doc" ;6.8 MiB of man3 pages and full HTML documentation @@ -431,24 +430,6 @@ (define-public openssl (license license:openssl) (home-page "https://www.openssl.org/"))) -(define-public openssl/fixed - (package - (inherit openssl) - (version "1.1.1k") - (source (origin - (method url-fetch) - (uri (list (string-append "https://www.openssl.org/source/openssl-" - version ".tar.gz") - (string-append "ftp://ftp.openssl.org/source/" - "openssl-" version ".tar.gz") - (string-append "ftp://ftp.openssl.org/source/old/" - (string-trim-right version char-set:letter) - "/openssl-" version ".tar.gz"))) - (patches (search-patches "openssl-1.1-c-rehash-in.patch")) - (sha256 - (base32 - "1rdfzcrxy9y38wqdw5942vmdax9hjhgrprzxm42csal7p5shhal9")))))) - (define-public openssl-1.0 (package (inherit openssl) From a456b09c43b2505edfbd3c16c4130af4b72a30e2 Mon Sep 17 00:00:00 2001 
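Review bot: The new `version` in the first hunk of patch 1 is 1.1.1j, but the `openssl/fixed` graft removed in the third hunk was delivering 1.1.1k, so this change moves users back one release and drops whatever fixes the graft was carrying. If the intent is to fold the graft in, the package should read `(version "1.1.1k")` and take the hash from the removed variable, `"1rdfzcrxy9y38wqdw5942vmdax9hjhgrprzxm42csal7p5shhal9"`, in place of the one set in the second hunk. The commit log entry "Update to 1.1.1j" would need the same correction.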
From: Leo Famulari Date: Fri, 12 Mar 2021 13:47:59 -0500 Subject: [PATCH 2/8] gnu: gdk-pixbuf: Absorb grafted replacement. * gnu/packages/gtk.scm (gdk-pixbuf)[source]: Use gdk-pixbuf-CVE-2020-29385.patch. [replacement]: Remove field. (gdk-pixbuf/fixed): Remove variable. --- gnu/packages/gtk.scm | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index bffc9e0298..16efb072a3 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -567,12 +567,12 @@ (define-public gdk-pixbuf (package (name "gdk-pixbuf") (version "2.40.0") - (replacement gdk-pixbuf/fixed) (source (origin (method url-fetch) (uri (string-append "mirror://gnome/sources/" name "/" (version-major+minor version) "/" name "-" version ".tar.xz")) + (patches (search-patches "gdk-pixbuf-CVE-2020-29385.patch")) (sha256 (base32 "1rnlx9yfw970maxi2x6niaxmih5la11q1ilr7gzshz2kk585k0hm")))) @@ -624,15 +624,6 @@ (define-public gdk-pixbuf (license license:lgpl2.0+) (home-page "https://developer.gnome.org/gdk-pixbuf/"))) -(define gdk-pixbuf/fixed - (package - (inherit gdk-pixbuf) - (source (origin - (inherit (package-source gdk-pixbuf)) - (patches - (append (search-patches "gdk-pixbuf-CVE-2020-29385.patch") - (origin-patches (package-source gdk-pixbuf)))))))) - ;; To build gdk-pixbuf with SVG support, we need librsvg, and librsvg depends ;; on gdk-pixbuf, so this new varibale. Also, librsvg adds 90MiB to the ;; closure size. From d178039a07a33751ac4f7cd582df5ae7349db4fb Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 12 Mar 2021 13:44:18 -0500 Subject: [PATCH 3/8] gnu: cairo: Absorb grafted replacement. * gnu/packages/gtk.scm (cairo)[source]: Use cairo-CVE-2018-19876.patch and cairo-CVE-2020-35492.patch. [replacement]: Remove field. (cairo/fixed): Remove variable. --- gnu/packages/gtk.scm | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) 
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 16efb072a3..24fd48d971 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -125,11 +125,12 @@ (define-public cairo (package (name "cairo") (version "1.16.0") - (replacement cairo/fixed) (source (origin (method url-fetch) (uri (string-append "https://cairographics.org/releases/cairo-" version ".tar.xz")) + (patches (search-patches "cairo-CVE-2018-19876.patch" + "cairo-CVE-2020-35492.patch")) (sha256 (base32 "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy")))) @@ -176,15 +177,6 @@ (define-public cairo (license license:lgpl2.1) ; or Mozilla Public License 1.1 (home-page "https://cairographics.org/"))) -(define cairo/fixed - (package - (inherit cairo) - (source (origin - (inherit (package-source cairo)) - (patches (append (search-patches "cairo-CVE-2018-19876.patch" - "cairo-CVE-2020-35492.patch") - (origin-patches (package-source cairo)))))))) - (define-public cairo-sans-poppler ;; Variant used to break the dependency cycle between Poppler and Cairo. (package/inherit cairo From 92434734c515c5b9fdd55d93eba74a56ad3e01d0 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 16 Apr 2021 16:51:16 -0400 Subject: [PATCH 4/8] gnu: libcroco: Absorb grafted replacement. * gnu/packages/gnome.scm (libcroco)[source]: Use libcroco-CVE-2020-12825.patch. [replacement]: Remove field. (libcroco/fixed): Remove variable. --- gnu/packages/gnome.scm | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 34f5078581..78a473b348 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm 
@@ -3221,10 +3221,10 @@ (define-public libcroco (uri (string-append "mirror://gnome/sources/" name "/" (version-major+minor version) "/" name "-" version ".tar.xz")) + (patches (search-patches "libcroco-CVE-2020-12825.patch")) (sha256 (base32 "1m110rbj5d2raxcdp4iz0qp172284945awrsbdlq99ksmqsc4zkn")))) - (replacement libcroco/fixed) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config))) @@ -3243,21 +3243,6 @@ (define-public libcroco ;; LGPLv2.1-only. (license license:lgpl2.1))) -(define libcroco/fixed - (package - (inherit libcroco) - (name "libcroco") - (version "0.6.13") - (source (origin - (method url-fetch) - (uri (string-append "mirror://gnome/sources/" name "/" - (version-major+minor version) "/" - name "-" version ".tar.xz")) - (sha256 - (base32 - "1m110rbj5d2raxcdp4iz0qp172284945awrsbdlq99ksmqsc4zkn")) - (patches (search-patches "libcroco-CVE-2020-12825.patch")))))) - (define-public libgsf (package (name "libgsf") From 0f7e1eed16dbe56e5873a7fdfbda514f488867ff Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 16 Apr 2021 16:56:11 -0400 Subject: [PATCH 5/8] gnu: cyrus-sasl: Absorb grafted replacement. * gnu/packages/cyrus-sasl.scm (cyrus-sasl)[source]: Use cyrus-sasl-CVE-2019-19906.patch. [replacement]: Remove field. (cyrus-sasl/fixed): Remove variable. --- gnu/packages/cyrus-sasl.scm | 21 ++------------------- 1 file changed, 2 insertions(+), 19 deletions(-) diff --git a/gnu/packages/cyrus-sasl.scm b/gnu/packages/cyrus-sasl.scm index c18703fde0..43c2099968 100644 --- a/gnu/packages/cyrus-sasl.scm +++ b/gnu/packages/cyrus-sasl.scm @@ -44,8 +44,8 @@ (define-public cyrus-sasl version ".tar.gz"))) (sha256 (base32 "1m85zcpgfdhm43cavpdkhb1s2zq1b31472hq1w1gs3xh94anp1i6")) - (patches (search-patches "cyrus-sasl-ac-try-run-fix.patch")))) - (replacement cyrus-sasl/fixed) + (patches (search-patches "cyrus-sasl-ac-try-run-fix.patch" + "cyrus-sasl-CVE-2019-19906.patch")))) (build-system gnu-build-system) (native-inputs `(("autoconf" ,autoconf) 
@@ -81,20 +81,3 @@ (define-public cyrus-sasl (license (license:non-copyleft "file://COPYING" "See COPYING in the distribution.")) (home-page "https://cyrusimap.org/sasl/"))) - -(define cyrus-sasl/fixed - (package - (inherit cyrus-sasl) - (version "2.1.27") - (source (origin - (method url-fetch) - (uri (list (string-append - "https://cyrusimap.org/releases/cyrus-sasl-" - version ".tar.gz") - (string-append - "ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-" - version ".tar.gz"))) - (sha256 (base32 - "1m85zcpgfdhm43cavpdkhb1s2zq1b31472hq1w1gs3xh94anp1i6")) - (patches (search-patches "cyrus-sasl-ac-try-run-fix.patch" - "cyrus-sasl-CVE-2019-19906.patch")))))) From dc6779486759936c6a26962a473d591e4fb10e77 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 5 Mar 2021 15:15:01 -0500 Subject: [PATCH 6/8] gnu: Python 2: Absorb grafted replacement. * gnu/packages/python.scm (python-2.7)[source]: Add 'python-2.7-CVE-2021-3177.patch'. [replacement]: Remove field. (python-2.7/fixed): Remove variable. --- gnu/packages/python.scm | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 5d8fa1185b..b8a31bcc6f 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -107,7 +107,6 @@ (define-module (gnu packages python) (define-public python-2.7 (package (name "python2") - (replacement python-2.7/fixed) (version "2.7.17") (source (origin @@ -122,7 +121,8 @@ (define-public python-2.7 "python-2.7-site-prefixes.patch" "python-2.7-source-date-epoch.patch" "python-2.7-adjust-tests.patch" - "python-cross-compile.patch")) + "python-cross-compile.patch" + "python-2.7-CVE-2021-3177.patch")) (modules '((guix build utils))) (snippet '(begin 
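Review bot: `"python-2.7-CVE-2021-3177.patch"` is now applied last, after `"python-cross-compile.patch"`, whereas the removed `python-2.7/fixed` put it ahead of the inherited patches via `(append (search-patches ...) (origin-patches ...))`. The result is probably the same, but if an earlier patch touches the same file the fix may apply with an offset or fuzz. Either move the entry to the head of the `search-patches` list, to keep the order the graft was built with, or confirm that the patched source still carries the fix. The same reordering appears in patch 7 (`python-3.8`, where the CVE patch is now second) and patch 8 (`gnutls`, where both CVE patches are now last). The `python-2.7` definition starts and ends outside this hunk.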
@@ -351,14 +351,6 @@ (define-public python-2.7 (properties '((cpe-name . "python"))) (license license:psfl))) -(define python-2.7/fixed - (package - (inherit python-2.7) - (source (origin - (inherit (package-source python-2.7)) - (patches (append (search-patches "python-2.7-CVE-2021-3177.patch") - (origin-patches (package-source python-2.7)))))))) - ;; Current 2.x version. (define-public python-2 python-2.7) From 76b6c61609fd8352ce01059307cf1aec85b8d0df Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 5 Mar 2021 15:13:20 -0500 Subject: [PATCH 7/8] gnu: Python: Absorb grafted replacement. * gnu/packages/python.scm (python-3.8)[source]: Add 'python-3.8-CVE-2021-3177.patch'. [replacement]: Remove field. (python-3.8/fixed): Remove variable. --- gnu/packages/python.scm | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index b8a31bcc6f..ce424bdeb0 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -365,7 +365,6 @@ (define-public python2-called-python (define-public python-3.8 (package (inherit python-2) (name "python") - (replacement python-3.8/fixed) (version "3.8.2") (source (origin (method url-fetch) @@ -373,6 +372,7 @@ (define-public python-3.8 version "/Python-" version ".tar.xz")) (patches (search-patches "python-CVE-2020-26116.patch" + "python-3.8-CVE-2021-3177.patch" "python-3-fix-tests.patch" "python-3.8-fix-tests.patch" "python-3-deterministic-build-info.patch" @@ -523,14 +523,6 @@ (define-public python-3.8 (version-major+minor version) "/site-packages")))))))) -(define python-3.8/fixed - (package - (inherit python-3.8) - (source (origin - (inherit (package-source python-3.8)) - (patches (append (search-patches "python-3.8-CVE-2021-3177.patch") - (origin-patches (package-source python-3.8)))))))) - (define-public python-3.9 (package (inherit python-3.8) (name "python-next") From e12210dc92098d8581cea3007d57dbb6be16bb41 Mon Sep 17 00:00:00 2001 
From: Leo Famulari Date: Fri, 16 Apr 2021 17:18:57 -0400 Subject: [PATCH 8/8] gnu: GnuTLS: Absorb grafted replacement. * gnu/packages/tls.scm (gnutls)[source]: Add 'gnutls-CVE-2021-20231.patch' and 'gnutls-CVE-2021-20232.patch'. [replacement]: Remove field. (gnutls/fixed): Remove variable. --- gnu/packages/tls.scm | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 25dcdd7228..fee6276674 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -165,7 +165,6 @@ (define-public gnutls (package (name "gnutls") (version "3.6.15") - (replacement gnutls/fixed) (source (origin (method url-fetch) ;; Note: Releases are no longer on ftp.gnu.org since the @@ -174,7 +173,9 @@ (define-public gnutls (version-major+minor version) "/gnutls-" version ".tar.xz")) (patches (search-patches "gnutls-skip-trust-store-test.patch" - "gnutls-cross.patch")) + "gnutls-cross.patch" + "gnutls-CVE-2021-20231.patch" + "gnutls-CVE-2021-20232.patch")) (sha256 (base32 "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f")))) @@ -257,15 +258,6 @@ (define-public gnutls (properties '((ftp-server . "ftp.gnutls.org") (ftp-directory . "/gcrypt/gnutls"))))) -(define gnutls/fixed - (package - (inherit gnutls) - (source (origin - (inherit (package-source gnutls)) - (patches (append (search-patches "gnutls-CVE-2021-20231.patch" - "gnutls-CVE-2021-20232.patch") - (origin-patches (package-source gnutls)))))))) - (define-public gnutls/guile-2.0 ;; GnuTLS for Guile 2.0. (package/inherit gnutls