Merge pull request #79119 from NixOS/staging-next

Staging next
Frederik Rietdijk 2020-02-05 19:09:27 +01:00 committed by GitHub
commit 87a19e9048
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
28 changed files with 341 additions and 82 deletions


@ -10,13 +10,13 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "enchant"; pname = "enchant";
version = "2.2.5"; version = "2.2.7";
outputs = [ "out" "dev" ]; outputs = [ "out" "dev" ];
src = fetchurl { src = fetchurl {
url = "https://github.com/AbiWord/${pname}/releases/download/v${version}/${pname}-${version}.tar.gz"; url = "https://github.com/AbiWord/${pname}/releases/download/v${version}/${pname}-${version}.tar.gz";
sha256 = "0r41qjz3104h5raiwlw5ywwybafbxdjz12j1bnq3kq60jlr6d2pf"; sha256 = "029smcna98hllgkm2gy94qa7qphxs4xaa8cdbg5kaaw16mhrf8hv";
}; };
nativeBuildInputs = [ nativeBuildInputs = [


@ -1,4 +1,4 @@
{ stdenv, lib, fetchurl, libiconv, xz }: { stdenv, lib, fetchurl, libiconv, xz, fetchpatch }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "gettext"; pname = "gettext";
@ -11,7 +11,12 @@ stdenv.mkDerivation rec {
patches = [ patches = [
./absolute-paths.diff ./absolute-paths.diff
./gettext.git-2336451ed68d91ff4b5ae1acbc1eca30e47a86a9.patch ./gettext.git-2336451ed68d91ff4b5ae1acbc1eca30e47a86a9.patch
]; ]
++ lib.optional stdenv.isDarwin
(fetchpatch {
url = "https://git.savannah.gnu.org/cgit/gettext.git/patch?id=ec0e6b307456ceab352669ae6bccca9702108753";
sha256 = "0xqs01c7xl7vmw6bqvsmrzxxjxk2a4spcdpmlwm3b4hi2wc2lxnf";
});
outputs = [ "out" "man" "doc" "info" ]; outputs = [ "out" "man" "doc" "info" ];
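Review bot: The Darwin-only `fetchpatch` appended to `patches` has neither a `name` nor a comment, so nothing on the new side says what upstream commit ec0e6b307456 fixes or why it is applied only under `stdenv.isDarwin`. A comment above it such as `# <what the patch fixes>; Darwin-only because <reason>, drop on the next gettext release`, together with `name = "<short-description>.patch";`, would let whoever bumps the version decide whether it still applies. The sha256 pins the fetched content, so this is about maintainability rather than integrity.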


@ -2,11 +2,11 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "libxkbcommon"; pname = "libxkbcommon";
version = "0.8.4"; version = "0.10.0";
src = fetchurl { src = fetchurl {
url = "https://xkbcommon.org/download/${pname}-${version}.tar.xz"; url = "https://xkbcommon.org/download/${pname}-${version}.tar.xz";
sha256 = "12vc91ydhphd5sddz15560r41l7k0i7mq6nma8kkbzdp6bwwzpb0"; sha256 = "1wmnl0hngn6vrqrya4r8hvimlkr4jag39yjprls4gyrqvh667hsp";
}; };
outputs = [ "out" "dev" "doc" ]; outputs = [ "out" "dev" "doc" ];


@ -1,4 +1,4 @@
{ stdenv, lib, fetchurl { stdenv, lib, fetchurl, fetchpatch
, zlib, xz, python, ncurses, findXMLCatalogs , zlib, xz, python, ncurses, findXMLCatalogs
, pythonSupport ? stdenv.buildPlatform == stdenv.hostPlatform , pythonSupport ? stdenv.buildPlatform == stdenv.hostPlatform
, icuSupport ? false, icu ? null , icuSupport ? false, icu ? null
@ -27,6 +27,11 @@ stdenv.mkDerivation rec {
# https://github.com/NixOS/nixpkgs/pull/63174 # https://github.com/NixOS/nixpkgs/pull/63174
# https://github.com/NixOS/nixpkgs/pull/72342 # https://github.com/NixOS/nixpkgs/pull/72342
./utf8-xmlErrorFuncHandler.patch ./utf8-xmlErrorFuncHandler.patch
(fetchpatch {
name = "CVE-2020-7595.patch";
url = "https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5.patch";
sha256 = "0klvaxkzakkpyq0m44l9xrpn5kwaii194sqsivfm6zhnb9hhl15l";
})
]; ];
outputs = [ "bin" "dev" "out" "man" "doc" ] outputs = [ "bin" "dev" "out" "man" "doc" ]
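Review bot: The `CVE-2020-7595.patch` entry is pinned to an upstream commit and a sha256, but it carries no marker saying when it can be dropped. A comment above the `fetchpatch` such as `# TODO: remove once libxml2 is bumped to a release that contains this commit` would keep the patch from being carried, or from failing to apply, after the next version bump. The derivation's version line is outside this hunk, so which release that is cannot be stated from here.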


@ -27,7 +27,7 @@
with stdenv.lib; with stdenv.lib;
let let
version = "19.3.2"; version = "19.3.3";
branch = versions.major version; branch = versions.major version;
in in
@ -42,7 +42,7 @@ stdenv.mkDerivation {
"ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz" "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
"https://mesa.freedesktop.org/archive/mesa-${version}.tar.xz" "https://mesa.freedesktop.org/archive/mesa-${version}.tar.xz"
]; ];
sha256 = "1hg1gvcwvayksrdh9z8rfz66h3z1ffspmm2qgyy2nd8n8qrfwfjf"; sha256 = "02czqdqf64i3az5p1allnxycyjad3x35cj0hz0017mi5pc84ikl1";
}; };
prePatch = "patchShebangs ."; prePatch = "patchShebangs .";


@ -1,11 +1,11 @@
{ stdenv, fetchurl }: { stdenv, fetchurl }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "mtdev-1.1.5"; name = "mtdev-1.1.6";
src = fetchurl { src = fetchurl {
url = "http://bitmath.org/code/mtdev/${name}.tar.bz2"; url = "http://bitmath.org/code/mtdev/${name}.tar.bz2";
sha256 = "0zxs7shzgbalkvlaiibi25bd902rbmkv9n1lww6q8j3ri9qdaxv6"; sha256 = "1q700h9dqcm3zl6c3gj0qxxjcx6ibw2c51wjijydhwdcm26v5mqm";
}; };
meta = with stdenv.lib; { meta = with stdenv.lib; {


@ -1,11 +1,11 @@
{ stdenv, fetchurl, openssl, cyrus_sasl, db, groff, libtool }: { stdenv, fetchurl, openssl, cyrus_sasl, db, groff, libtool }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "openldap-2.4.48"; name = "openldap-2.4.49";
src = fetchurl { src = fetchurl {
url = "https://www.openldap.org/software/download/OpenLDAP/openldap-release/${name}.tgz"; url = "https://www.openldap.org/software/download/OpenLDAP/openldap-release/${name}.tgz";
sha256 = "0k87qra4kirb6xgja4q1jyw6piwb9v8b8g6gkxq4plawmgy3ylnr"; sha256 = "0vp524rsngdcykf6ki7vprsyg7gj8z7hszg8xwxz50219fa1gcg3";
}; };
# TODO: separate "out" and "bin" # TODO: separate "out" and "bin"


@ -1,12 +0,0 @@
Index: TimeDate-2.30/t/getdate.t
===================================================================
--- TimeDate-2.30.orig/t/getdate.t
+++ TimeDate-2.30/t/getdate.t
@@ -156,7 +156,7 @@ Jul 22 10:00:00 UTC 2002 ;102733200
!;
require Time::Local;
-my $offset = Time::Local::timegm(0,0,0,1,0,70);
+my $offset = Time::Local::timegm(0,0,0,1,0,1970);
@data = split(/\n/, $data);


@ -1,4 +1,4 @@
{ stdenv, lib, buildPythonPackage, fetchPypi, pytz, pytest, freezegun, glibcLocales }: { stdenv, lib, buildPythonPackage, fetchPypi, fetchpatch, pytz, pytest, freezegun, glibcLocales }:
buildPythonPackage rec { buildPythonPackage rec {
pname = "Babel"; pname = "Babel";
@ -9,14 +9,31 @@ buildPythonPackage rec {
sha256 = "e86135ae101e31e2c8ec20a4e0c5220f4eed12487d5cf3f78be7e98d3a57fc28"; sha256 = "e86135ae101e31e2c8ec20a4e0c5220f4eed12487d5cf3f78be7e98d3a57fc28";
}; };
patches = [
# The following 2 patches fix the test suite failing on nix < 2.3 with
# Python < 3 because those nix versions do not run in a pseudoterminal,
# which makes Python 2 not set the default encoding to UTF-8, and the
# Babel code crashes when printing a warning in that case.
# See #75676 and https://github.com/python-babel/babel/pull/691.
# It is important to fix this because otherwise Babel is not buildable
# with older nix versions (e.g. on machines used as --builders).
# TODO: Remove at release > 2.8.0.
(fetchpatch {
name = "Babel-Introduce-invariant-that-invalid_pofile-takes-unicode-line.patch";
url = "https://github.com/python-babel/babel/commit/f4f6653e6aa053724d2c6dc0ee71dcb928013352.patch";
sha256 = "1kyknwn9blspcf9yxmgdiaxdii1dnkblyhcflqwhxyl1mss1dxv5";
})
(fetchpatch {
name = "Babel-Fix-unicode-printing-error-on-Python-2-without-TTY.patch";
url = "https://github.com/python-babel/babel/commit/da7f31143847659b6b74d802618b03438aceb350.patch";
sha256 = "09yny8614knr8ngrrddmqzkxk70am135rccv2ncc6dji4xbqbfln";
})
];
propagatedBuildInputs = [ pytz ]; propagatedBuildInputs = [ pytz ];
checkInputs = [ pytest freezegun ]; checkInputs = [ pytest freezegun ];
# Note that a test will fail with an encoding error on Python 2 with Nix < 2.3
# due to https://github.com/NixOS/nixpkgs/pull/75676#issuecomment-579008837.
# TODO: Remove the above comment when we use a version that includes the fix
# from https://github.com/python-babel/babel/pull/691
doCheck = !stdenv.isDarwin; doCheck = !stdenv.isDarwin;
meta = with lib; { meta = with lib; {


@ -2,12 +2,12 @@
buildPythonPackage rec { buildPythonPackage rec {
pname = "pyatspi"; pname = "pyatspi";
version = "2.32.1"; version = "2.34.0";
format = "other"; format = "other";
src = fetchurl { src = fetchurl {
url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${pname}-${version}.tar.xz"; url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
sha256 = "1283cbwd2kacgdij96xk26721f6amyzdhy2py11kdj5cprdlm5c4"; sha256 = "0j3f75j0zd6ca8msg7yr19qsfirqkn9fk8pqbjnlhqrpri455g4p";
}; };
nativeBuildInputs = [ pkgconfig ]; nativeBuildInputs = [ pkgconfig ];


@ -3,13 +3,13 @@ pycairo, cairo, which, ncurses, meson, ninja, isPy3k, gnome3 }:
buildPythonPackage rec { buildPythonPackage rec {
pname = "pygobject"; pname = "pygobject";
version = "3.32.1"; version = "3.34.0";
format = "other"; format = "other";
src = fetchurl { src = fetchurl {
url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${pname}-${version}.tar.xz"; url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
sha256 = "1n04dnvq3bx7vk7pgnxlg6kiwnc7xxv9bjabkv7abpmqjkprvj9j"; sha256 = "06i7ynnbvgpz0gw09zsjbvhgcp5qz4yzdifw27qjwdazg2mckql7";
}; };
outputs = [ "out" "dev" ]; outputs = [ "out" "dev" ];


@ -50,13 +50,12 @@ cmakeConfigurePhase() {
# because we usually do not package the framework # because we usually do not package the framework
cmakeFlags="-DCMAKE_FIND_FRAMEWORK=last $cmakeFlags" cmakeFlags="-DCMAKE_FIND_FRAMEWORK=last $cmakeFlags"
# on macOS i686 was only relevant for 10.5 or earlier.
cmakeFlags="-DCMAKE_OSX_ARCHITECTURES=x86_64 $cmakeFlags"
# we never want to use the global macOS SDK # we never want to use the global macOS SDK
cmakeFlags="-DCMAKE_OSX_SYSROOT= $cmakeFlags" cmakeFlags="-DCMAKE_OSX_SYSROOT= $cmakeFlags"
# disable OSX deployment target
# we don't want our binaries to have a "minimum" OSX version
cmakeFlags="-DCMAKE_OSX_DEPLOYMENT_TARGET= $cmakeFlags"
# correctly detect our clang compiler # correctly detect our clang compiler
cmakeFlags="-DCMAKE_POLICY_DEFAULT_CMP0025=NEW $cmakeFlags" cmakeFlags="-DCMAKE_POLICY_DEFAULT_CMP0025=NEW $cmakeFlags"


@ -1,4 +1,4 @@
{ stdenv, fetchFromGitLab, fetchpatch, python, ensureNewerSourcesForZipFilesHook { stdenv, fetchFromGitLab, python, ensureNewerSourcesForZipFilesHook
# optional list of extra waf tools, e.g. `[ "doxygen" "pytest" ]` # optional list of extra waf tools, e.g. `[ "doxygen" "pytest" ]`
, withTools ? null , withTools ? null
}: }:
@ -8,22 +8,15 @@ let
in in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "waf"; pname = "waf";
version = "2.0.18"; version = "2.0.19";
src = fetchFromGitLab { src = fetchFromGitLab {
owner = "ita1024"; owner = "ita1024";
repo = "waf"; repo = "waf";
rev = "${pname}-${version}"; rev = "${pname}-${version}";
sha256 = "1ifcanm2x2i8qwgfkwgdxwaqcdwsx5jg8bd1d6sqjps3pz7s5qxx"; sha256 = "1ydmx20blr776qnmnqp0whyiy81a3glln49m9fva2cmampmandpb";
}; };
patches = [
(fetchpatch {
url = "https://gitlab.com/grahamc/waf/commit/fc1c98f1fb575fb26b867a61cbca79aa894db2ea.patch";
sha256 = "0kzfrr6nh1ay8nyk0i69nhkkrq7hskn7yw1qyjxrda1y3wxj6jp8";
})
];
buildInputs = [ python ensureNewerSourcesForZipFilesHook ]; buildInputs = [ python ensureNewerSourcesForZipFilesHook ];
configurePhase = '' configurePhase = ''


@ -15,10 +15,7 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ cmake ]; nativeBuildInputs = [ cmake ];
buildInputs = with llvmPackages; [ clang-unwrapped llvm rapidjson ]; buildInputs = with llvmPackages; [ clang-unwrapped llvm rapidjson ];
cmakeFlags = [ cmakeFlags = [ "-DCCLS_VERSION=${version}" ];
"-DCCLS_VERSION=${version}"
"-DCMAKE_OSX_DEPLOYMENT_TARGET=10.12"
];
preConfigure = '' preConfigure = ''
cmakeFlagsArray+=(-DCMAKE_CXX_FLAGS="-fvisibility=hidden -fno-rtti") cmakeFlagsArray+=(-DCMAKE_CXX_FLAGS="-fvisibility=hidden -fno-rtti")


@ -26,7 +26,6 @@ stdenv.mkDerivation {
cmakeFlags = [ cmakeFlags = [
"-DSYSTEM_CLANG=ON" "-DSYSTEM_CLANG=ON"
"-DCLANG_CXX=ON" "-DCLANG_CXX=ON"
"-DCMAKE_OSX_DEPLOYMENT_TARGET=10.12"
]; ];
shell = runtimeShell; shell = runtimeShell;


@ -1,10 +1,15 @@
{ stdenv, fetchurl, xar, cpio, pkgs, python3, pbzx, lib }: { stdenv, fetchurl, xar, cpio, pkgs, python3, pbzx, lib }:
let version = "10.12"; in
# Ensure appleSdkVersion is up to date.
assert stdenv.isDarwin -> stdenv.appleSdkVersion == version;
let let
# sadly needs to be exported because security_tool needs it # sadly needs to be exported because security_tool needs it
sdk = stdenv.mkDerivation rec { sdk = stdenv.mkDerivation rec {
version = "10.12";
pname = "MacOS_SDK"; pname = "MacOS_SDK";
inherit version;
# This URL comes from https://swscan.apple.com/content/catalogs/others/index-10.12.merged-1.sucatalog, which we found by: # This URL comes from https://swscan.apple.com/content/catalogs/others/index-10.12.merged-1.sucatalog, which we found by:
# 1. Google: site:swscan.apple.com and look for a name that seems appropriate for your version # 1. Google: site:swscan.apple.com and look for a name that seems appropriate for your version
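Review bot: The new `assert stdenv.isDarwin -> stdenv.appleSdkVersion == version;` fails with only the bare expression when the two values drift, which gives no hint that the stdenv default has to be changed together with this file. Since `lib` is already an argument, `assert stdenv.isDarwin -> lib.assertMsg (stdenv.appleSdkVersion == version) "apple_sdk version ${version} does not match stdenv.appleSdkVersion";` would say so. The comment `# Ensure appleSdkVersion is up to date.` could also name where the other value is defined.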


@ -31,7 +31,6 @@ self = stdenv.mkDerivation rec {
outputs = [ "out" "static" ]; outputs = [ "out" "static" ];
cmakeFlags = [ cmakeFlags = [
"-DCMAKE_OSX_DEPLOYMENT_TARGET=10.12" # For std::shared_timed_mutex.
"-DCMAKE_SKIP_BUILD_RPATH=OFF" # To run libmysql/libmysql_api_test during build. "-DCMAKE_SKIP_BUILD_RPATH=OFF" # To run libmysql/libmysql_api_test during build.
"-DFORCE_UNSUPPORTED_COMPILER=1" # To configure on Darwin. "-DFORCE_UNSUPPORTED_COMPILER=1" # To configure on Darwin.
"-DWITH_ROUTER=OFF" # It may be packaged separately. "-DWITH_ROUTER=OFF" # It may be packaged separately.


@ -1,6 +1,9 @@
{ lib { lib
, localSystem, crossSystem, config, overlays, crossOverlays ? [] , localSystem, crossSystem, config, overlays, crossOverlays ? []
# The version of darwin.apple_sdk used for sources provided by apple.
, appleSdkVersion ? "10.12"
# Minimum required macOS version, used both for compatibility as well as reproducability.
, macosVersionMin ? "10.12"
# Allow passing in bootstrap files directly so we can test the stdenv bootstrap process when changing the bootstrap tools # Allow passing in bootstrap files directly so we can test the stdenv bootstrap process when changing the bootstrap tools
, bootstrapFiles ? let , bootstrapFiles ? let
fetch = { file, sha256, executable ? true }: import <nix/fetchurl.nix> { fetch = { file, sha256, executable ? true }: import <nix/fetchurl.nix> {
@ -28,15 +31,19 @@ let
]; ];
in rec { in rec {
commonPreHook = '' commonPreHook = ''
export NIX_ENFORCE_PURITY="''${NIX_ENFORCE_PURITY-1}" export NIX_ENFORCE_NO_NATIVE=''${NIX_ENFORCE_NO_NATIVE-1}
export NIX_ENFORCE_NO_NATIVE="''${NIX_ENFORCE_NO_NATIVE-1}" export NIX_ENFORCE_PURITY=''${NIX_ENFORCE_PURITY-1}
export NIX_IGNORE_LD_THROUGH_GCC=1 export NIX_IGNORE_LD_THROUGH_GCC=1
stripAllFlags=" " # the Darwin "strip" command doesn't know "-s"
export MACOSX_DEPLOYMENT_TARGET=10.12
export SDKROOT= export SDKROOT=
export CMAKE_OSX_ARCHITECTURES=x86_64
# Ensure consistent LC_VERSION_MIN_MACOSX and remove LC_UUID.
export MACOSX_DEPLOYMENT_TARGET=${macosVersionMin}
export NIX_LDFLAGS+=" -macosx_version_min ${macosVersionMin} -sdk_version ${appleSdkVersion} -no_uuid"
# Workaround for https://openradar.appspot.com/22671534 on 10.11. # Workaround for https://openradar.appspot.com/22671534 on 10.11.
export gl_cv_func_getcwd_abort_bug=no export gl_cv_func_getcwd_abort_bug=no
stripAllFlags=" " # the Darwin "strip" command doesn't know "-s"
''; '';
bootstrapTools = derivation { bootstrapTools = derivation {
@ -130,8 +137,7 @@ in rec {
__extraImpureHostDeps = commonImpureHostDeps; __extraImpureHostDeps = commonImpureHostDeps;
extraAttrs = { extraAttrs = {
inherit platform; inherit macosVersionMin appleSdkVersion platform;
parent = last;
}; };
overrides = self: super: (overrides self super) // { fetchurl = thisStdenv.fetchurlBoot; }; overrides = self: super: (overrides self super) // { fetchurl = thisStdenv.fetchurlBoot; };
}; };
@ -400,9 +406,9 @@ in rec {
extraBuildInputs = [ pkgs.darwin.CF ]; extraBuildInputs = [ pkgs.darwin.CF ];
extraAttrs = { extraAttrs = {
inherit platform bootstrapTools; libc = pkgs.darwin.Libsystem;
libc = pkgs.darwin.Libsystem;
shellPackage = pkgs.bash; shellPackage = pkgs.bash;
inherit macosVersionMin appleSdkVersion platform bootstrapTools;
}; };
allowedRequisites = (with pkgs; [ allowedRequisites = (with pkgs; [
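Review bot: The comment `# Ensure consistent LC_VERSION_MIN_MACOSX and remove LC_UUID.` in `commonPreHook` says what the new `NIX_LDFLAGS` line does but not what is given up: with `-no_uuid` every linked binary lacks the UUID load command, and tools that pair a binary with its debug symbols by UUID presumably can no longer do so. I would extend it to something like `# -no_uuid: drop LC_UUID for reproducible output; binaries can then not be matched to debug symbols by UUID`. The parameter comment on `macosVersionMin` also misspells "reproducibility" as `reproducability`.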


@ -10,11 +10,11 @@ let
pythonForDocs = python3.withPackages (pkgs: with pkgs; [ pygobject3 ]); pythonForDocs = python3.withPackages (pkgs: with pkgs; [ pygobject3 ]);
in stdenv.mkDerivation rec { in stdenv.mkDerivation rec {
pname = "network-manager"; pname = "network-manager";
version = "1.22.4"; version = "1.22.6";
src = fetchurl { src = fetchurl {
url = "mirror://gnome/sources/NetworkManager/${stdenv.lib.versions.majorMinor version}/NetworkManager-${version}.tar.xz"; url = "mirror://gnome/sources/NetworkManager/${stdenv.lib.versions.majorMinor version}/NetworkManager-${version}.tar.xz";
sha256 = "0682hm5l3ix8cq35yl5pxidri4kxbdnvj9llf8vg9mcg5abdaslv"; sha256 = "0r65hk7nw44jq4k6h91wrprr0x9410ibd1n7mpmlh4f4kgy276dw";
}; };
outputs = [ "out" "dev" "devdoc" "man" "doc" ]; outputs = [ "out" "dev" "devdoc" "man" "doc" ];


@ -0,0 +1,33 @@
From b5a91a01e5d0897facdd0f49d64b76b0f02b43e1 Mon Sep 17 00:00:00 2001
From: Andreas Gruenbacher <agruen@gnu.org>
Date: Fri, 6 Apr 2018 11:34:51 +0200
Subject: Allow input files to be missing for ed-style patches
* src/pch.c (do_ed_script): Allow input files to be missing so that new
files will be created as with non-ed-style patches.
---
src/pch.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/pch.c b/src/pch.c
index bc6278c..0c5cc26 100644
--- a/src/pch.c
+++ b/src/pch.c
@@ -2394,9 +2394,11 @@ do_ed_script (char const *inname, char const *outname,
if (! dry_run && ! skip_rest_of_patch) {
int exclusive = *outname_needs_removal ? 0 : O_EXCL;
- assert (! inerrno);
- *outname_needs_removal = true;
- copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+ if (inerrno != ENOENT)
+ {
+ *outname_needs_removal = true;
+ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+ }
sprintf (buf, "%s %s%s", editor_program,
verbosity == VERBOSE ? "" : "- ",
outname);
--
cgit v1.0-41-gc330


@ -0,0 +1,211 @@
From 123eaff0d5d1aebe128295959435b9ca5909c26d Mon Sep 17 00:00:00 2001
From: Andreas Gruenbacher <agruen@gnu.org>
Date: Fri, 6 Apr 2018 12:14:49 +0200
Subject: Fix arbitrary command execution in ed-style patches
(CVE-2018-1000156)
* src/pch.c (do_ed_script): Write ed script to a temporary file instead
of piping it to ed: this will cause ed to abort on invalid commands
instead of rejecting them and carrying on.
* tests/ed-style: New test case.
* tests/Makefile.am (TESTS): Add test case.
---
src/pch.c | 91 ++++++++++++++++++++++++++++++++++++++++---------------
tests/Makefile.am | 1 +
tests/ed-style | 41 +++++++++++++++++++++++++
3 files changed, 108 insertions(+), 25 deletions(-)
create mode 100644 tests/ed-style
diff --git a/src/pch.c b/src/pch.c
index 0c5cc26..4fd5a05 100644
--- a/src/pch.c
+++ b/src/pch.c
@@ -33,6 +33,7 @@
# include <io.h>
#endif
#include <safe.h>
+#include <sys/wait.h>
#define INITHUNKMAX 125 /* initial dynamic allocation size */
@@ -2389,24 +2390,28 @@ do_ed_script (char const *inname, char const *outname,
static char const editor_program[] = EDITOR_PROGRAM;
file_offset beginning_of_this_line;
- FILE *pipefp = 0;
size_t chars_read;
+ FILE *tmpfp = 0;
+ char const *tmpname;
+ int tmpfd;
+ pid_t pid;
+
+ if (! dry_run && ! skip_rest_of_patch)
+ {
+ /* Write ed script to a temporary file. This causes ed to abort on
+ invalid commands such as when line numbers or ranges exceed the
+ number of available lines. When ed reads from a pipe, it rejects
+ invalid commands and treats the next line as a new command, which
+ can lead to arbitrary command execution. */
+
+ tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
+ if (tmpfd == -1)
+ pfatal ("Can't create temporary file %s", quotearg (tmpname));
+ tmpfp = fdopen (tmpfd, "w+b");
+ if (! tmpfp)
+ pfatal ("Can't open stream for file %s", quotearg (tmpname));
+ }
- if (! dry_run && ! skip_rest_of_patch) {
- int exclusive = *outname_needs_removal ? 0 : O_EXCL;
- if (inerrno != ENOENT)
- {
- *outname_needs_removal = true;
- copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
- }
- sprintf (buf, "%s %s%s", editor_program,
- verbosity == VERBOSE ? "" : "- ",
- outname);
- fflush (stdout);
- pipefp = popen(buf, binary_transput ? "wb" : "w");
- if (!pipefp)
- pfatal ("Can't open pipe to %s", quotearg (buf));
- }
for (;;) {
char ed_command_letter;
beginning_of_this_line = file_tell (pfp);
@@ -2417,14 +2422,14 @@ do_ed_script (char const *inname, char const *outname,
}
ed_command_letter = get_ed_command_letter (buf);
if (ed_command_letter) {
- if (pipefp)
- if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
+ if (tmpfp)
+ if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
write_fatal ();
if (ed_command_letter != 'd' && ed_command_letter != 's') {
p_pass_comments_through = true;
while ((chars_read = get_line ()) != 0) {
- if (pipefp)
- if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
+ if (tmpfp)
+ if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
write_fatal ();
if (chars_read == 2 && strEQ (buf, ".\n"))
break;
@@ -2437,13 +2442,49 @@ do_ed_script (char const *inname, char const *outname,
break;
}
}
- if (!pipefp)
+ if (!tmpfp)
return;
- if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, pipefp) == 0
- || fflush (pipefp) != 0)
+ if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0
+ || fflush (tmpfp) != 0)
write_fatal ();
- if (pclose (pipefp) != 0)
- fatal ("%s FAILED", editor_program);
+
+ if (lseek (tmpfd, 0, SEEK_SET) == -1)
+ pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
+
+ if (! dry_run && ! skip_rest_of_patch) {
+ int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+ *outname_needs_removal = true;
+ if (inerrno != ENOENT)
+ {
+ *outname_needs_removal = true;
+ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+ }
+ sprintf (buf, "%s %s%s", editor_program,
+ verbosity == VERBOSE ? "" : "- ",
+ outname);
+ fflush (stdout);
+
+ pid = fork();
+ if (pid == -1)
+ pfatal ("Can't fork");
+ else if (pid == 0)
+ {
+ dup2 (tmpfd, 0);
+ execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
+ _exit (2);
+ }
+ else
+ {
+ int wstatus;
+ if (waitpid (pid, &wstatus, 0) == -1
+ || ! WIFEXITED (wstatus)
+ || WEXITSTATUS (wstatus) != 0)
+ fatal ("%s FAILED", editor_program);
+ }
+ }
+
+ fclose (tmpfp);
+ safe_unlink (tmpname);
if (ofp)
{
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 6b6df63..16f8693 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -32,6 +32,7 @@ TESTS = \
crlf-handling \
dash-o-append \
deep-directories \
+ ed-style \
empty-files \
false-match \
fifo \
diff --git a/tests/ed-style b/tests/ed-style
new file mode 100644
index 0000000..d8c0689
--- /dev/null
+++ b/tests/ed-style
@@ -0,0 +1,41 @@
+# Copyright (C) 2018 Free Software Foundation, Inc.
+#
+# Copying and distribution of this file, with or without modification,
+# in any medium, are permitted without royalty provided the copyright
+# notice and this notice are preserved.
+
+. $srcdir/test-lib.sh
+
+require cat
+use_local_patch
+use_tmpdir
+
+# ==============================================================
+
+cat > ed1.diff <<EOF
+0a
+foo
+.
+EOF
+
+check 'patch -e foo -i ed1.diff' <<EOF
+EOF
+
+check 'cat foo' <<EOF
+foo
+EOF
+
+cat > ed2.diff <<EOF
+1337a
+r !echo bar
+,p
+EOF
+
+check 'patch -e foo -i ed2.diff 2> /dev/null || echo "Status: $?"' <<EOF
+?
+Status: 2
+EOF
+
+check 'cat foo' <<EOF
+foo
+EOF
--
cgit v1.0-41-gc330
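Review bot: In the rewritten tail of `do_ed_script`, the child still runs `execl ("/bin/sh", "sh", "-c", buf, (char *) 0);` where `buf` was built by `sprintf (buf, "%s %s%s", editor_program, ..., outname)`, so the output file name is still interpreted by a shell unquoted even though the ed script itself no longer goes through a pipe. Invoking the editor without a shell, e.g. `execlp (editor_program, editor_program, "-", outname, (char *) 0);` (with the `-` dropped in the verbose case), removes that interpretation step. Because this file is a vendored copy of an upstream commit, the practical fix is to check whether upstream patch.git has a follow-up to this change and add it to the derivation's `patches` list rather than editing the copy. The error paths through `pfatal`/`fatal` after `make_tempfile` also appear to leave the temporary file behind, since `safe_unlink (tmpname)` is only reached on success; whether a cleanup handler elsewhere covers that is not visible here. `do_ed_script` begins and ends outside these hunks.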


@ -13,16 +13,13 @@ stdenv.mkDerivation rec {
patches = [ patches = [
# https://git.savannah.gnu.org/cgit/patch.git/patch/?id=f290f48a621867084884bfff87f8093c15195e6a # https://git.savannah.gnu.org/cgit/patch.git/patch/?id=f290f48a621867084884bfff87f8093c15195e6a
./CVE-2018-6951.patch ./CVE-2018-6951.patch
(fetchurl {
url = https://git.savannah.gnu.org/cgit/patch.git/patch/?id=b5a91a01e5d0897facdd0f49d64b76b0f02b43e1; # https://git.savannah.gnu.org/cgit/patch.git/patch/?id=b5a91a01e5d0897facdd0f49d64b76b0f02b43e1
name = "Allow_input_files_to_be_missing_for_ed-style_patches.patch"; ./Allow_input_files_to_be_missing_for_ed-style_patches.patch
sha256 = "0iw0lk0yhnhvfjzal48ij6zdr92mgb84jq7fwryy1hdhi47hhq64";
}) # https://git.savannah.gnu.org/cgit/patch.git/patch/?id=123eaff0d5d1aebe128295959435b9ca5909c26d
(fetchurl { ./CVE-2018-1000156.patch
url = https://git.savannah.gnu.org/cgit/patch.git/patch/?id=123eaff0d5d1aebe128295959435b9ca5909c26d;
name = "CVE-2018-1000156.patch";
sha256 = "1bpy16n3hm5nv9xkrn6c4wglzsdzj3ss1biq16w9kfv48p4hx2vg";
})
# https://git.savannah.gnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300 # https://git.savannah.gnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300
./CVE-2018-6952.patch ./CVE-2018-6952.patch


@ -5258,11 +5258,11 @@ in
networkmanager-fortisslvpn = callPackage ../tools/networking/network-manager/fortisslvpn { }; networkmanager-fortisslvpn = callPackage ../tools/networking/network-manager/fortisslvpn { };
networkmanager_strongswan = callPackage ../tools/networking/network-manager/strongswan.nix { }; networkmanager_strongswan = callPackage ../tools/networking/network-manager/strongswan { };
networkmanagerapplet = callPackage ../tools/networking/network-manager/applet.nix { }; networkmanagerapplet = callPackage ../tools/networking/network-manager/applet { };
networkmanager_dmenu = callPackage ../tools/networking/network-manager/dmenu.nix { }; networkmanager_dmenu = callPackage ../tools/networking/network-manager/dmenu { };
newsboat = callPackage ../applications/networking/feedreaders/newsboat { newsboat = callPackage ../applications/networking/feedreaders/newsboat {
inherit (darwin.apple_sdk.frameworks) Security; inherit (darwin.apple_sdk.frameworks) Security;


@ -19545,8 +19545,13 @@ let
url = mirror://cpan/authors/id/G/GB/GBARR/TimeDate-2.30.tar.gz; url = mirror://cpan/authors/id/G/GB/GBARR/TimeDate-2.30.tar.gz;
sha256 = "11lf54akr9nbivqkjrhvkmfdgkbhw85sq0q4mak56n6bf542bgbm"; sha256 = "11lf54akr9nbivqkjrhvkmfdgkbhw85sq0q4mak56n6bf542bgbm";
}; };
# https://rt.cpan.org/Public/Bug/Display.html?id=124509 patches = [
patches = [ ../development/perl-modules/timedate-2020.patch ]; # https://rt.cpan.org/Public/Bug/Display.html?id=124509
(fetchpatch {
url = "https://github.com/atoomic/perl-TimeDate/commit/4b67ccbdc1846620470ca524a5f3e2afd7b33f66.patch";
sha256 = "1q37yw0b2pammvl0aana70nq7krqwhpcanqa11h2pg9sa9ls7q87";
})
];
}; };
TimeDuration = buildPerlPackage { TimeDuration = buildPerlPackage {