Patches should fix all CVEs reported by `guix lint`:
CVE-2015-7747; CVE-2017-6827, CVE-2017-6828, CVE-2017-6829,
CVE-2017-6830, CVE-2017-6831, CVE-2017-6832, CVE-2017-6833,
CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, CVE-2017-6837,
CVE-2017-6838, CVE-2017-6839; CVE-2018-13440; CVE-2018-17095
Since the patches do not reference CVEs, it's a bit hard to tell which
patch actually closes which CVE. Debian reports all these to be closed by
the patches below and NixPkgs provides references.
* gnu/packages/audio.scm (audiofile): New variable.
* gnu/packages/patches/audiofile-fix-datatypes-in-tests.patch,
gnu/packages/patches/audiofile-fix-sign-conversion.patch,
gnu/packages/patches/audiofile-CVE-2015-7747.patch,
gnu/packages/patches/audiofile-CVE-2018-13440.patch,
gnu/packages/patches/audiofile-CVE-2018-17095.patch,
gnu/packages/patches/audiofile-Check-the-number-of-coefficients.patch,
gnu/packages/patches/audiofile-Fail-on-error-in-parseFormat.patch,
gnu/packages/patches/audiofile-Fix-index-overflow-in-IMA.cpp.patch,
gnu/packages/patches/audiofile-Fix-multiply-overflow-sfconvert.patch,
gnu/packages/patches/audiofile-Fix-overflow-in-MSADPCM-decodeSam.patch,
gnu/packages/patches/audiofile-division-by-zero-BlockCodec-runPull.patch,
gnu/packages/patches/audiofile-hurd.patch,
gnu/packages/patches/audiofile-signature-of-multiplyCheckOverflow.patch:
New files.
* gnu/local.mk: Add them.
* gnu/packages/patches/libgeotiff-adapt-test-script-for-proj-6.2.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/geo.scm (libgeotiff): Update to 1.5.1.
[inputs]: Replace proj.4 with proj.
[sources]: Add libgeotiff-adapt-test-script-for-proj-6.2.patch
to patches.
* gnu/packages/embedded.scm (gcc-arm-none-eabi-7-2018-q2-update): New
variable.
* gnu/packages/patches/gcc-7-cross-environment-variables.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
Add `emacs-next' for building latest Emacs from git.
* gnu/packages/emacs.scm (emacs-next): New variable.
(emacs): make the autoload deletion snippet not fail when eshell/esh-groups.el
does not exist. This enables reuse of the entire snippet field of `emacs' for
`emacs-next'.
* gnu/packages/patches/emacs27-exec-path.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add the above patch file to it.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
The merge preceding this commit ignored the 'replacement' added to nss in
commit 04b33ce205, because the security fix is
already present in NSS 3.48. This commit removes the remaining bits.
* gnu/packages/patches/nss-CVE-2019-11745.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/nss.scm (nss/fixed): Remove variable.
* gnu/packages/patches/guile-finalization-crash.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/guile.scm (guile-2.2/bug-fix): New variable.
* gnu/packages/patches/websocket-fix-for-boost-1.70.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/web.scm (websocketpp): Use it.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* gnu/packages/patches/mes-remove-store-name.patch: New file, from upstream.
* gnu/packages/mes.scm (mes): Use it. Add `www.' to homepage.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/compression.scm (ncompress): New variable.
* gnu/packages/patches/compress-fix-softlinks.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/local.mk: Include lisp-xyz.scm.
* gnu/packages/lisp-xyz.scm: New file.
* gnu/packages/lisp.scm: Move all lisp libraries to lisp-xyz.scm, uglify-js to
javascript.scm and stumpwm to wm.scm.
* gnu/packages/javascript.scm: Add uglify-js.
* gnu/packages/wm.scm: Add stumpwm.
* gnu/packages/bioinformatics.scm: Find uglify-js in javascript.scm.
* gnu/packages/machine-learning.scm: Depend on lisp-xyz.scm instead of lisp.scm.
* gnu/packages/web.scm: Find uglify-js in javascript.scm.
* gnu/packages/web-browsers.scm: Depend on lisp-xyz.scm instead of lisp.scm.
* guix/build-system/minify.scm (default-uglify-js): Find uglify-js in
javascript module instead of lisp.
* gnu/local.mk: Include lisp-xyz.scm.
* gnu/packages/lisp-xyz.scm: New file.
* gnu/packages/lisp.scm: Move all lisp libraries to lisp-xyz.scm, uglify-js to
javascript.scm and stumpwm to wm.scm.
* gnu/packages/javascript.scm: Add uglify-js.
* gnu/packages/wm.scm: Add stumpwm.
* gnu/packages/bioinformatics.scm: Find uglify-js in javascript.scm.
* gnu/packages/machine-learning.scm: Depend on lisp-xyz.scm instead of lisp.scm.
* gnu/packages/web.scm: Find uglify-js in javascript.scm.
* gnu/packages/web-browsers.scm: Depend on lisp-xyz.scm instead of lisp.scm.
* guix/build-system/minify.scm (default-uglify-js): Find uglify-js in
javascript module instead of lisp.
Includes fixes for CVE-2019-11745, CVE-2019-17005, CVE-2019-17008,
CVE-2019-17009, CVE-2019-17010, CVE-2019-17011, and CVE-2019-17012.
* gnu/packages/patches/icecat-gnuzilla-fixes.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
* gnu/packages/gnuzilla.scm (%icecat-version, %icecat-build-id): Update.
(icecat-source): Update hash for the firefox source tarball. Update to the
latest from gnuzilla.git. Don't apply icecat-gnuzilla-fixes.patch. Remove
determinism fix in makeicecat that is now upstream. Tweak a status message.
(icecat)[arguments]: Add "--with-unsigned-addon-scopes=app" configure flag.
* gnu/packages/patches/icecat-makeicecat.patch: Adapt.
* gnu/packages/patches/handbrake-opt-in-nvenc.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
* gnu/packages/video.scm (handbrake)[source]: Upgrade to 1.3.0. Remove
patch.
[native-inputs]: Remove cmake and curl.
[inputs]: Add dav1d and numactl.
[arguments]: Add "--disable-nvenc" to configure flags in place of patch.
Adjust "bootstrap" phase in response to upstream changes.
Add "patch-SHELL" and "relax-reqs" phases.
* gnu/packages/python-xyz.scm (python-scikit-image, python2-scikit-image):
Move these two from here...
* gnu/packages/python-science.scm: ...to this new file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
* gnu/local.mk: Include lisp-xyz.scm.
* gnu/packages/lisp-xyz.scm: New file.
* gnu/packages/lisp.scm: Move all lisp libraries to lisp-xyz.scm, uglify-js to
javascript.scm and stumpwm to wm.scm.
* gnu/packages/javascript.scm: Add uglify-js.
* gnu/packages/wm.scm: Add stumpwm.
* gnu/packages/bioinformatics.scm: Find uglify-js in javascript.scm.
* gnu/packages/machine-learning.scm: Depend on lisp-xyz.scm instead of lisp.scm.
* gnu/packages/web.scm: Find uglify-js in javascript.scm.
* gnu/packages/web-browsers.scm: Depend on lisp-xyz.scm instead of lisp.scm.
* gnu/packages/patches/psm-disable-memory-stats.patch: New file.
* gnu/packages/linux.scm (psm)[source]: Use it.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/services/pam-mount.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
* doc/guix.texi (PAM Mount Service): New subsection.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* gnu/packages/patches/feh-fix-tests-for-imlib2-1.6.patch: New file.
* gnu/packages/image-viewers.scm (feh)[source]: Use it.
* gnu/local.mk (dist_patch_DATA): Add it.
Signed-off-by: Marius Bakke <mbakke@fastmail.com>
This is a followup to d100d5d544.
* gnu/packages/patches/libseccomp-open-aarch64.patch: New file.
* gnu/packages/linux.scm (libseccomp)[source]: Use it.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/patches/ghc-haddock-api-fix-haddock.patch: New file.
* gnu/local.mk: Add it.
* gnu/packages/haskell-xyz.scm (ghc-haddock-api): Update to 2.22.0.
[source]: Use the new patch.
[arguments]: Change the 'update-constraints' phase to allow newer
versions of 'QuickCheck' and 'hspec'.
This package used a patch to update the Cabal version constraints for
'language-glsl'. This is now done in a phase for consistency with
other Haskell packages.
* gnu/packages/elm.scm (elm-compiler): Add a phase that updates the
Cabal file to allow for newer versions of 'ansi-terminal',
'containers', 'http-client', 'language-glsl', and 'network'.
[source]: Remove 'elm-compiler-relax-glsl-bound.patch'.
* gnu/packages/patches/elm-compiler-relax-glsl-bound.patch: Delete file.
* gnu/local.mk: Remove it.
* gnu/packages/patches/ghc-microlens-aeson-fix-tests.patch: New file.
* gnu/local.mk: Add it.
* gnu/packages/haskell-xyz.scm (ghc-microlens-aeson): Use it.
The new source tarball does not have bundled dependencies, so it does
not need to be patched.
* gnu/packages/haskell-xyz.scm (ghc-haddock-library): Update to 1.7.0.
[source]: Remove 'patches', 'modules' and 'snippet'.
[arguments]: Update the 'relax-test-suite-dependencies' phase to allow
newer versions of 'hspec' and 'QuickCheck'; remove the
'add-examples-directory' phase.
* gnu/packages/patches/ghc-haddock-library-unbundle.patch: Delete file.
* gnu/local.mk: Remove it.
* gnu/packages/haskell-xyz.scm (ghc-hpack): Update to 0.31.2.
[source]: Use a patch to fix tests.
[inputs]: Add 'ghc-infer-license'.
* gnu/packages/patches/ghc-hpack-fix-tests.patch: New file.
* gnu/local.mk: Add it.
This fixes test failures of packages that use Open MPI, whereby UCX
would error out due to /sys/class/net being unavailable in the build
chroot that the daemon sets up.
* gnu/packages/patches/ucx-tcp-iface-ioctl.patch: New file.
* gnu/packages/fabric-management.scm (ucx)[source]: Use it.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/patches/tomb-fix-errors-on-open.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/crypto.scm (tomb): Update to 2.7.
[source]: Use the patch.
This allows us to get better performance by default on machines with
OmniPath hardware.
* gnu/packages/patches/openmpi-psm2-priority.patch: New file.
* gnu/packages/mpi.scm (openmpi)[source]: Use it.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/java.scm (java-svg-salamander): New variable.
* gnu/packages/patches/java-svg-salamander-Fix-non-det.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/fribidi.scm (fribidi): Replace with fribidi/fixed.
(fribidi/fixed): New variable.
* gnu/packages/patches/fribidi-CVE-2019-18397.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* /gnu/packages/gnome-xyz.scm: New file.
(delft-icon-theme): New variable.
* /gnu/local.mk: Add it.
Signed-off-by: Mathieu Othacehe <m.othacehe@gmail.com>
* gnu/local.mk (dist_patch_DATA): Add new patch file.
* gnu/packages/patches/libvirt-create-machine-cgroup.patch: New patch,
submitted to upstream for upstream bug 1760233.
* gnu/packages/virtualization.scm (libvirt): Update version to 5.8.0.
Include patch. Avoid execution of failing tests qemuxml2argvtest and
qemuhotplugtest. Replace python by python-wrapper to avoid warnings on
patch-shebangs phase.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
The patch was introduced in commit 2be878d8e5.
* gnu/local.mk (dist_patch_DATA): Add
"python-pep8-stdlib-tokenize-compat.patch".
Signed-off-by: Gábor Boskovits <boskovits@gmail.com>
* gnu/packages/patches/docker-adjust-tests-for-changes-in-go.patch: New file.
* gnu/local.mk (dist_patch_DATA): Use this.
* gnu/packages/docker.scm (docker): Use this.
* gnu/packages/freedesktop.scm (udiskie): New variable.
* gnu/packages/patches/udiskie-no-appindicator.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
This commit moves some important fixes into a patch applied to the upstream
gnuzilla git repository, whereas previously they were applied in such a way
that only benefitted Guix users.
* gnu/packages/patches/icecat-default-search-ddg.patch,
gnu/packages/patches/icecat-disable-sync.patch: Delete files.
* gnu/packages/patches/icecat-gnuzilla-fixes.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adapt accordingly.
* gnu/packages/gnuzilla.scm (icecat-source): Apply the new patch to the
gnuzilla checkout.
(icecat)[native-inputs]: Remove deleted patches.
[arguments]: In the 'wrap-program' phase, remove MOZ_LEGACY_PROFILES=1
from the wrapper.
Fixes CVE-2019-11757, CVE-2019-11759, CVE-2019-11760, CVE-2019-11761,
CVE-2019-11762, CVE-2019-11763, CVE-2019-11764, and CVE-2019-15903.
Note: IceCat 68 has not yet been released by the IceCat project. This is a
work-in-progress, and does not currently meet the privacy-respecting
standards of the IceCat project.
* gnu/packages/patches/icecat-default-search-ddg.patch,
gnu/packages/patches/icecat-disable-sync.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (%icecat-version): Update.
(mozilla-compare-locales, all-mozilla-locales): New variables.
(mozilla-locale): New procedure.
(mozilla-locales): New macro.
(icecat-source): Add code to populate the l10n directory. Remove the code
that copied the l10n directory from an older IceCat source tarball.
(icecat)[inputs]: Remove hunspell.
[native-inputs]: Comment out previous Guix-specific patches for now. Use the
newest rust, cargo, llvm, and clang. Add rust-cbindgen, node, nasm, python 3,
icecat-default-search-ddg.patch and icecat-disable-sync.patch.
[arguments]: In configure flags: remove "--disable-maintenance-service" and
"--enable-system-hunspell", and comment out flags to use system libraries
instead of bundled libraries for libevent, libogg, libvorbis, libvpx,
harfbuzz, graphite2, and sqlite. Add srfi-34 and srfi-35 to modules. Delete
fewer bundled libraries. Adapt the 'patch-source-shebangs' phase. Add a
custom 'build' phase that tries the standard 'build' phase up to 5 times.
In the 'wrap-program' phase, set MOZ_LEGACY_PROFILES=1 in the environment,
and add 'pulseaudio' to the front of LD_LIBRARY_PATH.
[description]: Add a warning that this is only a preview release.
* gnu/packages/patches/icecat-makeicecat.patch: Adapt.
* gnu/packages/avahi.scm (avahi/fixed): New variable.
(avahi)[replacement]: Use it.
* gnu/packages/patches/avahi-CVE-2018-1000845.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
Now includes the patch file missed in
73f0ed8dbf.
* gnu/packages/pdf.scm (weasyprint): New variable.
* gnu/packages/patches/weasyprint-library-paths.patch: New file.
* gnu/local.mk: Add it.
* gnu/packages/gnome.scm (seahorse)[version]: Update version number.
[origin]: Update hash. Add patch needed for compilation with our
version of libsecret (0.19.1).
[inputs]: Add avahi dependency.
[native-inputs]: Add vala dependency. Use gettext-minimal instead of
intltool, as only xgettext is used.
* gnu/packages/patches/seahorse-gkr-use-0-on-empty-flags.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* gnu/packages/lisp.scm (cl-graph, sbcl-graph): New variables.
* gnu/packages/patches/sbcl-graph-asdf-definitions.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.