me/guix
Archived
1
0
Fork 0
Code Activity

Merge branch 'master' into core-updates

Browse source
This commit is contained in:
Leo Famulari 2016-10-28 13:40:10 -04:00
commit a6447e7fb6
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
7 changed files with 240 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
gnu/local.mk
View file

@ -663,6 +663,7 @@ dist_patch_DATA = \
%D%/packages/patches/libunwind-CVE-2015-3239.patch \
%D%/packages/patches/libupnp-CVE-2016-6255.patch \
%D%/packages/patches/libvpx-CVE-2016-2818.patch \
%D%/packages/patches/libwebp-CVE-2016-9085.patch \
%D%/packages/patches/libwmf-CAN-2004-0941.patch \
%D%/packages/patches/libwmf-CVE-2006-3376.patch \
%D%/packages/patches/libwmf-CVE-2007-0455.patch \

20
gnu/packages/emacs.scm
View file

@ -2228,6 +2228,26 @@ perspective only its buffers are available by default.")
;; the Expat license.
(license license:gpl3+)))
(define-public emacs-request
(package
(name "emacs-request")
(version "0.2.0")
(source (origin
(method url-fetch)
(uri (string-append
"https://github.com/tkf/emacs-request/archive/v"
version ".tar.gz"))
(file-name (string-append name "-" version ".tar.gz"))
(sha256
(base32 "0sll9g9x15jxrdr58pdxx4iz74rnjd43q521iqm890i6hmkrgwap"))))
(build-system emacs-build-system)
(home-page "https://github.com/tkf/emacs-request")
(synopsis "Package for speaking HTTP in Emacs Lisp")
(description "This package provides a HTTP request library with multiple
backends. It supports url.el which is shipped with Emacs and the curl command
line program.")
(license license:gpl3+)))
(define-public emacs-rudel
(package
(name "emacs-rudel")

6
gnu/packages/image.scm
View file

@ -658,15 +658,17 @@ multi-dimensional image processing.")
(define-public libwebp
(package
(name "libwebp")
(version "0.4.3")
(version "0.5.1")
(source
(origin
(method url-fetch)
(uri (string-append
"http://downloads.webmproject.org/releases/webp/libwebp-" version
".tar.gz"))
(patches (search-patches "libwebp-CVE-2016-9085.patch"))
(sha256
(base32 "1i4hfczjm3b1qj1g4cc9hgb69l47f3nkgf6hk7nz4dm9zmc0vgpg"))))
(base32
"1pqki1g8nzi8qgciysypd5r38zccv81np1dn43g27830rmpnrmka"))))
(build-system gnu-build-system)
(inputs
`(("freeglut" ,freeglut)

144
gnu/packages/patches/libwebp-CVE-2016-9085.patch Normal file
View file

@ -0,0 +1,144 @@
Fix CVE-2016-9085 (several integer overflows):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9085
http://seclists.org/oss-sec/2016/q4/253
Patch copied from upstream source repository:
https://chromium.googlesource.com/webm/libwebp/+/e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83
From e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83 Mon Sep 17 00:00:00 2001
From: Pascal Massimino <pascal.massimino@gmail.com>
Date: Mon, 10 Oct 2016 11:48:39 +0200
Subject: [PATCH] fix potential overflow when width * height * 4 >= (1<<32)
Mostly: avoid doing calculation like: ptr + j * stride
when stride is 'int'. Rather use size_t, or pointer increments (ptr += stride)
when possible.
BUG=webp:314
Change-Id: I81c684b515dd1ec4f601f32d50a6e821c4e46e20
---
examples/gifdec.c | 56 +++++++++++++++++++++++++++++++------------------------
1 file changed, 32 insertions(+), 24 deletions(-)
diff --git a/examples/gifdec.c b/examples/gifdec.c
index 83c3d82..7df176f 100644
--- a/examples/gifdec.c
+++ b/examples/gifdec.c
@@ -20,6 +20,7 @@
#include "webp/encode.h"
#include "webp/mux_types.h"
+#include "webp/format_constants.h"
#define GIF_TRANSPARENT_COLOR 0x00000000
#define GIF_WHITE_COLOR 0xffffffff
@@ -103,12 +104,19 @@ int GIFReadFrame(GifFileType* const gif, int transparent_index,
const GifImageDesc* const image_desc = &gif->Image;
uint32_t* dst = NULL;
uint8_t* tmp = NULL;
- int ok = 0;
- GIFFrameRect rect = {
+ const GIFFrameRect rect = {
image_desc->Left, image_desc->Top, image_desc->Width, image_desc->Height
};
+ const uint64_t memory_needed = 4 * rect.width * (uint64_t)rect.height;
+ int ok = 0;
*gif_rect = rect;
+ if (memory_needed != (size_t)memory_needed ||
+ memory_needed > 4 * MAX_IMAGE_AREA) {
+ fprintf(stderr, "Image is too large (%d x %d).", rect.width, rect.height);
+ return 0;
+ }
+
// Use a view for the sub-picture:
if (!WebPPictureView(picture, rect.x_offset, rect.y_offset,
rect.width, rect.height, &sub_image)) {
@@ -132,15 +140,15 @@ int GIFReadFrame(GifFileType* const gif, int transparent_index,
y += interlace_jumps[pass]) {
if (DGifGetLine(gif, tmp, rect.width) == GIF_ERROR) goto End;
Remap(gif, tmp, rect.width, transparent_index,
- dst + y * sub_image.argb_stride);
+ dst + y * (size_t)sub_image.argb_stride);
}
}
} else { // Non-interlaced image.
int y;
- for (y = 0; y < rect.height; ++y) {
+ uint32_t* ptr = dst;
+ for (y = 0; y < rect.height; ++y, ptr += sub_image.argb_stride) {
if (DGifGetLine(gif, tmp, rect.width) == GIF_ERROR) goto End;
- Remap(gif, tmp, rect.width, transparent_index,
- dst + y * sub_image.argb_stride);
+ Remap(gif, tmp, rect.width, transparent_index, ptr);
}
}
ok = 1;
@@ -216,13 +224,11 @@ int GIFReadMetadata(GifFileType* const gif, GifByteType** const buf,
static void ClearRectangle(WebPPicture* const picture,
int left, int top, int width, int height) {
- int j;
- for (j = top; j < top + height; ++j) {
- uint32_t* const dst = picture->argb + j * picture->argb_stride;
- int i;
- for (i = left; i < left + width; ++i) {
- dst[i] = GIF_TRANSPARENT_COLOR;
- }
+ int i, j;
+ const size_t stride = picture->argb_stride;
+ uint32_t* dst = picture->argb + top * stride + left;
+ for (j = 0; j < height; ++j, dst += stride) {
+ for (i = 0; i < width; ++i) dst[i] = GIF_TRANSPARENT_COLOR;
}
}
@@ -246,29 +252,31 @@ void GIFDisposeFrame(GIFDisposeMethod dispose, const GIFFrameRect* const rect,
if (dispose == GIF_DISPOSE_BACKGROUND) {
GIFClearPic(curr_canvas, rect);
} else if (dispose == GIF_DISPOSE_RESTORE_PREVIOUS) {
- const int src_stride = prev_canvas->argb_stride;
- const uint32_t* const src =
- prev_canvas->argb + rect->x_offset + rect->y_offset * src_stride;
- const int dst_stride = curr_canvas->argb_stride;
- uint32_t* const dst =
- curr_canvas->argb + rect->x_offset + rect->y_offset * dst_stride;
+ const size_t src_stride = prev_canvas->argb_stride;
+ const uint32_t* const src = prev_canvas->argb + rect->x_offset
+ + rect->y_offset * src_stride;
+ const size_t dst_stride = curr_canvas->argb_stride;
+ uint32_t* const dst = curr_canvas->argb + rect->x_offset
+ + rect->y_offset * dst_stride;
assert(prev_canvas != NULL);
- WebPCopyPlane((uint8_t*)src, 4 * src_stride, (uint8_t*)dst, 4 * dst_stride,
+ WebPCopyPlane((uint8_t*)src, (int)(4 * src_stride),
+ (uint8_t*)dst, (int)(4 * dst_stride),
4 * rect->width, rect->height);
}
}
void GIFBlendFrames(const WebPPicture* const src,
const GIFFrameRect* const rect, WebPPicture* const dst) {
- int j;
+ int i, j;
+ const size_t src_stride = src->argb_stride;
+ const size_t dst_stride = dst->argb_stride;
assert(src->width == dst->width && src->height == dst->height);
for (j = rect->y_offset; j < rect->y_offset + rect->height; ++j) {
- int i;
for (i = rect->x_offset; i < rect->x_offset + rect->width; ++i) {
- const uint32_t src_pixel = src->argb[j * src->argb_stride + i];
+ const uint32_t src_pixel = src->argb[j * src_stride + i];
const int src_alpha = src_pixel >> 24;
if (src_alpha != 0) {
- dst->argb[j * dst->argb_stride + i] = src_pixel;
+ dst->argb[j * dst_stride + i] = src_pixel;
}
}
}
--
2.10.1

22
gnu/packages/python.scm
View file

@ -4836,15 +4836,25 @@ libxml2 and libxslt.")
(define-public python-beautifulsoup4
(package
(name "python-beautifulsoup4")
(version "4.5.0")
(version "4.5.1")
(source
(origin
(method url-fetch)
(uri (pypi-uri "beautifulsoup4" version))
(sha256
(base32
"1rf94360s8pmn37vxqjl0g74krq2p6nj3wbn6pj94ik6ny44q24f"))))
"1qgmhw65ncsgccjhslgkkszif47q6gvxwqv4mim17agxd81p951w"))))
(build-system python-build-system)
(arguments
`(#:phases
(modify-phases %standard-phases
;; The Python 2 source is the definitive source of beautifulsoup4. We
;; must use this conversion script when building with Python 3. The
;; conversion script also runs the tests.
;; For more information, see the file 'convert-py3k' in the source
;; distribution.
(replace 'check
(lambda _ (zero? (system* "./convert-py3k")))))))
(home-page
"http://www.crummy.com/software/BeautifulSoup/bs4/")
(synopsis
@ -4862,7 +4872,8 @@ converts incoming documents to Unicode and outgoing documents to UTF-8.")
(package
(inherit (package-with-python2
(strip-python2-variant python-beautifulsoup4)))
(native-inputs `(("python2-setuptools" ,python2-setuptools)))))
(native-inputs `(("python2-setuptools" ,python2-setuptools)))
(arguments `(#:python ,python-2))))
(define-public python2-cssutils
(package
@ -8191,6 +8202,11 @@ server with very acceptable performance.")
(base32
"13kf9bdxrc95y9vriaz0viry3ah11nz4rlrykcfvb8nlqpx3dcm4"))))
(build-system python-build-system)
(arguments
'(;; Wsgiproxy2's test suite requires Restkit, which does not yet fully
;; support Python 3:
;; https://github.com/benoitc/restkit/issues/140
#:tests? #f))
(native-inputs
`(("unzip" ,unzip)
("python-nose" ,python-nose)

50
gnu/packages/qt.scm
View file

@ -4,6 +4,7 @@
;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
;;; Copyright © 2016 Thomas Danckaert <post@thomasdanckaert.be>
;;;
;;; This file is part of GNU Guix.
;;;
@ -1112,3 +1113,52 @@ contain over 620 classes.")
"QtKeychain is a Qt library to store passwords and other secret data
securely. It will not store any data unencrypted unless explicitly requested.")
(license license:bsd-3)))
(define-public qwt
(package
(name "qwt")
(version "6.1.3")
(source
(origin
(method url-fetch)
(uri
(string-append "mirror://sourceforge/qwt/qwt/"
version "/qwt-" version ".tar.bz2"))
(sha256
(base32 "0cwp63s03dw351xavb3pzbjlqvx7kj88wv7v4a2b18m9f97d7v7k"))))
(build-system gnu-build-system)
(inputs
`(("qtbase" ,qtbase)
("qtsvg" ,qtsvg)
("qttools" ,qttools)))
(arguments
`(#:phases
(modify-phases %standard-phases
(replace 'configure
(lambda* (#:key outputs #:allow-other-keys)
(let ((out (assoc-ref outputs "out")))
(substitute* '("qwtconfig.pri")
(("/usr/local/qwt-\\$\\$QWT\\_VERSION") out))
(zero? (system* "qmake")))))
(add-after 'install 'install-documentation
(lambda* (#:key outputs #:allow-other-keys)
(let* ((out (assoc-ref outputs "out"))
(man (string-append out "/share/man")))
;; Remove some incomplete manual pages.
(for-each delete-file (find-files "doc/man/man3" "^_tmp.*"))
(mkdir-p man)
(copy-recursively "doc/man" man)
#t))))))
(home-page "http://qwt.sourceforge.net")
(synopsis "Qt widgets for plots, scales, dials and other technical software
GUI components")
(description
"The Qwt library contains widgets and components which are primarily useful
for technical and scientific purposes. It includes a 2-D plotting widget,
different kinds of sliders, and much more.")
(license
(list
;; The Qwt license is LGPL2.1 with some exceptions.
(license:non-copyleft "http://qwt.sourceforge.net/qwtlicense.html")
;; textengines/mathml/qwt_mml_document.{cpp,h} is dual LGPL2.1/GPL3 (either).
license:lgpl2.1 license:gpl3))))

2
gnu/packages/web.scm
View file

@ -3162,6 +3162,8 @@ their web site.")
(base32
"00hb4qg2am06g81mygfi1jsbx8830024jm45g6qp9g8fr6am91yf"))))
(build-system python-build-system)
(arguments
'(#:tests? #f))
(home-page
"https://github.com/kurtmckee/feedparser")
(synopsis "Parse feeds in Python")