This adds fixes for CVE-2017-7757, CVE-2017-7758, and the remaining
5 patches for CVE-2017-5470.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add selected fixes from the
upstream mozilla-esr52 repository, through ESR 52.2.
This documents that we include fixes for the following CVEs: CVE-2017-5472,
CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754,
CVE-2017-7756, CVE-2017-7764, CVE-2017-7765, CVE-2017-7778, and that we
include 15 out of 20 patches for CVE-2017-5470.
* gnu/packages/gnuzilla.scm (icecat)[source]: Rename existing patches to
indicate their CVE assignments.
Partly fixes <https://bugs.gnu.org/26976>.
* gnu/packages/patches/guile-ssh-channel-finalization.patch: New file.
* gnu/packages/ssh.scm (guile-ssh)[source](patches): Use it.
* gnu/local.mk (dist_patch_DATA): Add it.
* guix/scripts/package.scm (find-packages-by-description): Rewrite to
compute a score based on the number of regexps matched and the number of
matches for each regexp. Sort according to this score and return it as
a second value.
(process-query) <'search>: Capture the two return values of
'find-packages-by-description'. Pass #:extra-fields to
'package->recutils'.
* doc/guix.texi (Invoking guix package): Mention relevance, give an
example.
* gnu/build/marionette.scm (wait-for-file): New procedure.
* gnu/tests/base.scm (run-mcron-test)[test](wait-for-file): Remove.
Pass second argument in 'wait-for-file' calls.
* gnu/tests/ssh.scm (run-ssh-test)[test](wait-for-file): Remove.
Pass second argument in 'wait-for-file' calls.
* gnu/tests/messaging.scm (run-xmpp-test)[test](guest-wait-for-file):
Remove.
Use 'wait-for-file' instead, with second argument.
* gnu/services/admin.scm (<log-rotation>): New record type.
(syslog-rotation-config, simple-rotation-config): Remove.
(%default-rotations): Define as a list of <log-rotation> objects.
(log-rotation->config, log-rotations->/etc-entries): New procedures.
(<rottlog-configuration>)[periodic-rotations]: Remove.
[rotations]: New field.
(rottlog-etc): Use 'log-rotations->/etc-entries'.
* doc/guix.texi (Log Rotation): Update accordingly.
This avoids the open/fstat/close syscalls upon a cache hit that we had
with the previous idiom:
(call-with-input-file file read-derivation)
where caching happened in 'read-derivation' itself.
* guix/derivations.scm (%read-derivation): Rename to...
(read-derivation): ... this.
(read-derivation-from-file): New procedure.
(derivation-prerequisites, substitution-oracle)
(derivation-prerequisites-to-build):
(derivation-path->output-path, derivation-path->output-paths):
(derivation-path->base16-hash, map-derivation): Use
'read-derivation-from-file' instead of (call-with-input-file …
read-derivation).
* guix/grafts.scm (item->deriver): Likewise.
* guix/scripts/build.scm (log-url, options->things-to-build): Likewise.
* guix/scripts/graph.scm (file->derivation): Remove.
(derivation-dependencies, %derivation-node-type): Use
'read-derivation-from-file' instead.
* guix/scripts/offload.scm (guix-offload): Likewise.
* guix/scripts/perform-download.scm (guix-perform-download): Likewise.
* guix/scripts/publish.scm (load-derivation): Remove.
(narinfo-string): Use 'read-derivation-from-file'.
* gnu/packages/patches/libmwaw-CVE-2017-9433.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/libreoffice.scm (libmwaw)[source]: Use it.
Trying to boot GuixSD when an audio CD is in the drive will die with an
"input/output error" when trying to read the superblock from the cd
drive.
This patch catches and warns in this case rather than dying.
* gnu/build/file-systems.scm (ENOENT-safe): Handle EIO.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* gnu/packages.scm (specifications->manifest): New procedure.
* doc/guix.texi (Invoking guix package): Change example from using
'(compose list specification->package+output)' to using
'specifications->manifest'.