From 3bd218e8d4abde56e7ce9149311df5e60db0e321 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Tue, 8 Dec 2020 21:11:19 +0100 Subject: gnu: ghostscript: Fix CVE-2020-15900. * gnu/packages/patches/ghostscript-CVE-2020-15900.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/ghostscript.scm (ghostscript)[source](patches): Add it. --- gnu/local.mk | 1 + gnu/packages/ghostscript.scm | 1 + .../patches/ghostscript-CVE-2020-15900.patch | 36 ++++++++++++++++++++++ 3 files changed, 38 insertions(+) create mode 100644 gnu/packages/patches/ghostscript-CVE-2020-15900.patch diff --git a/gnu/local.mk b/gnu/local.mk index 97dd9a74d0..7f0b69cacf 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1055,6 +1055,7 @@ dist_patch_DATA = \ %D%/packages/patches/ghc-monad-par-fix-tests.patch \ %D%/packages/patches/ghc-pandoc-fix-html-tests.patch \ %D%/packages/patches/ghc-pandoc-fix-latex-test.patch \ + %D%/packages/patches/ghostscript-CVE-2020-15900.patch \ %D%/packages/patches/ghostscript-freetype-compat.patch \ %D%/packages/patches/ghostscript-no-header-id.patch \ %D%/packages/patches/ghostscript-no-header-uuid.patch \ diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm index b132fba7eb..03a516dc52 100644 --- a/gnu/packages/ghostscript.scm +++ b/gnu/packages/ghostscript.scm @@ -171,6 +171,7 @@ printing, and psresize, for adjusting page sizes.") (base32 "0z1w42y2jmcpl2m1l3z0sfii6zmvzcwcgzn6bydklia6ig7jli2p")) (patches (search-patches "ghostscript-freetype-compat.patch" + "ghostscript-CVE-2020-15900.patch" "ghostscript-no-header-creationdate.patch" "ghostscript-no-header-id.patch" "ghostscript-no-header-uuid.patch")) diff --git a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch new file mode 100644 index 0000000000..b6658d7c7f --- /dev/null +++ b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch @@ -0,0 +1,36 @@ +Fix CVE-2020-15900. + +https://cve.circl.lu/cve/CVE-2020-15900 +https://artifex.com/security-advisories/CVE-2020-15900 + +Taken from upstream: +https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b + +diff --git a/psi/zstring.c b/psi/zstring.c +--- a/psi/zstring.c ++++ b/psi/zstring.c +@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward) + return 0; + found: + op->tas.type_attrs = op1->tas.type_attrs; +- op->value.bytes = ptr; +- r_set_size(op, size); ++ op->value.bytes = ptr; /* match */ ++ op->tas.rsize = size; /* match */ + push(2); +- op[-1] = *op1; +- r_set_size(op - 1, ptr - op[-1].value.bytes); +- op1->value.bytes = ptr + size; +- r_set_size(op1, count + (!forward ? (size - 1) : 0)); ++ op[-1] = *op1; /* pre */ ++ op[-3].value.bytes = ptr + size; /* post */ ++ if (forward) { ++ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */ ++ op[-3].tas.rsize = count; /* post */ ++ } else { ++ op[-1].tas.rsize = count; /* pre */ ++ op[-3].tas.rsize -= count + size; /* post */ ++ } + make_true(op); + return 0; + } -- cgit v1.2.3 td>file-systems: Always do recursive bind mounts....Fixes <https://issues.guix.gnu.org/59185>. * guix/build/syscalls.scm (MS_REC): New variable. * gnu/build/file-systems.scm (mount-flags->bit-mask): Set MS_REC bit when bind-mounting. Ricardo Wurmus 2022-11-03file-systems: Gracefully handle EMEDIUMTYPE in 'read-partitions'....* gnu/build/file-systems.scm (ENOENT-safe): Catch EMEDIUMTYPE and warn. Marius Bakke 2022-10-20file-systems: Support the 'no-diratime' mount flag....* gnu/build/file-systems.scm (mount-flags->bit-mask): Handle 'no-diratime'. * doc/guix.texi (File Systems): Document it. Ludovic Courtès 2022-09-08file-systems: Open files with O_CLOEXEC....Since this code is run from PID 1, this ensures file descriptors to sensitive files and devices are not accidentally leaked to sub-processes. * gnu/build/file-systems.scm (call-with-input-file): New procedure. (mount-file-system): Use 'close-fdes' + 'open-fdes'. Ludovic Courtès 2022-08-10gnu: system: file-systems: Add shared flag....* gnu/build/file-systems.scm (mount-flags->bit-mask, mount-file-system): Handle shared flag. * gnu/system/file-systems.scm (invalid-file-system-flags): Add shared to known flags. * guix/build/syscalls.scm (MS_SHARED): New variable. * doc/guix.texi (File Systems): Document shared flag. Oleg Pykhalov 2022-07-01file-systems: Add 'cleanly-unmounted-ext2?'....* gnu/build/file-systems.scm (ext2-superblock-cleanly-unmounted?) (cleanly-unmounted-ext2?): New procedures. Ludovic Courtès 2022-04-08file-systems: Invoke fsck tools with 'system*/tty'....This ensures those programs, if invoked by shepherd (where standard input is /dev/null), can still interact with the user if needed. * gnu/build/file-systems.scm (check-ext2-file-system) (check-bcachefs-file-system, check-btrfs-file-system): (check-fat-file-system, check-jfs-file-system): (check-f2fs-file-system, check-ntfs-file-system): (check-xfs-file-system): Use 'system*/tty' instead of 'system*'. Ludovic Courtès 2022-04-08mapped-devices: Ensure 'cryptsetup open' gets a tty....Fixes <https://issues.guix.gnu.org/54770>. Regression introduced in 400c9ed3d779308e56038305d40cd93acb496180. Previously, for an encrypted /home (say), "cryptsetup open" would be invoked by shepherd, with /dev/null as its standard input. It would thus run in non-interactive mode and, instead of asking for a passphrase, fail with: Nothing to read on input. This change ensures it runs in interactive mode. * gnu/build/file-systems.scm (system*/console, system*/tty): New procedures. * gnu/system/mapped-devices.scm (open-luks-device): Use 'system*/tty' instead of 'system*'. Ludovic Courtès 2021-11-23system: Add swap flags....* gnu/system/file-systems.scm (swap-space)[priority, discard?]: Add them. * guix/build/syscalls.scm (SWAP_FLAG_PREFER, SWAP_FLAG_PRIO_MASK, SWAP_FLAG_PRIO_SHIFT, SWAP_FLAG_DISCARD): Add them. * gnu/build/file-systems.scm (swap-space->flags-bit-mask): Add it. * gnu/services/base.scm (swap-service-type): Use it. Signed-off-by: Ludovic Courtès <ludo@gnu.org> Josselin Poiret 2021-09-28file-systems: Prefer low-memory mode of ‘btrfs check’....* gnu/build/file-systems.scm (check-btrfs-file-system): Add ‘--mode lowmem’ arguments when supported. Reported by Noisytoot on #guix. Tobias Geerinckx-Rice 2021-09-23file-systems: Add support for XFS....* gnu/build/file-systems.scm (%xfs-endianness): New syntax. (xfs-superblock?, read-xfs-superblock, xfs-superblock-uuid) (xfs-superblock-volume-name, check-xfs-file-system): New procedures. (%partition-label-readers, %partition-uuid-readers, check-file-system): Register them. * doc/guix.texi (Keyboard Layout and Networking and Partitioning): Note XFS support. Tobias Geerinckx-Rice 2021-09-23file-systems: Add file system to *-SUPERBLOCK-VOLUME-NAME docstrings....* gnu/build/file-systems.scm (ext2-superblock-volume-name) (bcachefs-superblock-volume-name, btrfs-superblock-volume-name) (fat32-superblock-volume-name, fat16-superblock-volume-name) (iso9660-superblock-volume-name, jfs-superblock-volume-name) (f2fs-superblock-volume-name): Mention the file system type in the docstring for consistency with the other superblock procedures. Tobias Geerinckx-Rice 2021-09-23gnu: Don't abuse check-btrfs-file-system to scan....It was never guaranteed to be run for non-root file systems. It was for root file systems only due to a bug now fixed. * gnu/build/file-systems.scm (check-btrfs-file-system): Don't invoke ‘btrfs device scan’ here. * gnu/system/linux-initrd.scm (raw-initrd): Do so here if any btrfs file systems are present. Tobias Geerinckx-Rice 2021-09-23file-systems: Support forced checks & repairs....* gnu/build/file-systems.scm (check-ext2-file-system) (check-bcachefs-file-system, check-btrfs-file-system) (check-fat-file-system, check-jfs-file-system, check-f2fs-file-system) (check-ntfs-file-system, check-file-system): Take and honour new FORCE? and REPAIR arguments. Update the docstring. Adjust all callers. * gnu/system/file-systems.scm <file-system>: Add new SKIP-CHECK-IF-CLEAN? and REPAIR fields. (file-system->spec, spec->file-system): Adjust accordingly. * gnu/build/linux-boot.scm (mount-root-file-system): Take new SKIP-CHECK-IF-CLEAN? and REPAIR keyword arguments. Thread them through to CHECK-FILE-SYSTEM. * doc/guix.texi (File Systems): Document both new <file-system> options. Tobias Geerinckx-Rice 2021-05-04file-systems: Rewrite comment....* gnu/build/file-systems.scm (read-bcachefs-superblock): Make comment less damned negative. Tobias Geerinckx-Rice 2021-05-04file-systems: Handle abnormal ‘bcachefs fsck’ exits....* gnu/build/file-systems.scm (check-bcachefs-file-system): Handle a STATUS:EXIT-VAL of #F. Tobias Geerinckx-Rice 2021-04-23file-systems: read-partition-{uuid,label} don't swallow ENOENT & co....Previously, (read-partition-uuid "/does/not/exist") would return #f. With this change, a 'system-error exception is raised as expected. * gnu/build/file-systems.scm (ENOENT-safe): Clarify docstring. (partition-field-reader): Remove use of 'ENOENT-safe'. (partition-predicate): Wrap READER in 'ENOENT-safe'. Ludovic Courtès 2021-03-10file-systems: 'mount-file-system' preserves the right mount flags....Fixes <https://bugs.gnu.org/47007>. Reported by Jelle Licht <jlicht@fsfe.org>. Since commit dcb640f02b1f9590c3bd4301a22bf31bd60c56d4, we could end up applying the wrong mount flags because the (find ...) expression could pick the "wrong" mount point in the presence of bind mounts. * gnu/build/file-systems.scm (mount-file-system): Use 'statfs' to compute FLAGS whe FS is a bind mount. Ludovic Courtès 2021-02-25file-systems: 'mount-file-system' preserves source flags for bind mounts....Fixes <https://bugs.gnu.org/46292>. * gnu/build/file-systems.scm (mount-file-system): If FS is a bind mount, add its original mount flags to FLAGS. Ludovic Courtès 2020-12-06file-systems: Fix ‘bcachefs fsck’ exit value logic....Bit 1 means the target device was mounted read-only whilst checking. This should never happen in an initrd context but is not an error. * gnu/build/file-systems.scm (check-bcachefs-file-system): Ignore status bits that don't signal an error. Remove the 'reboot-required case. Tobias Geerinckx-Rice 2020-11-07file-systems: Add support for bcachefs....* gnu/build/file-systems.scm (%bcachefs-endianness): New syntax. (bcachefs-superblock?, read-bcachefs-superblock) (bcachefs-superblock-external-uuid, bcachefs-superblock-volume-name) (check-bcachefs-file-system): New procedures. (%partition-label-readers, %partition-uuid-readers, check-file-system): Register them. Tobias Geerinckx-Rice 2020-10-30file-systems: Allow swap space lookup by UUID/label....* gnu/build/file-systems.scm (%linux-swap-magic, %page-size): New variables. (linux-swap-superblock?, read-linux-swap-superblock) (linux-swap-superblock-uuid, linux-swap-superblock-volume-name): New procedures. (%partition-label-readers, %partition-uuid-readers): Add them. Ludovic Courtès 2020-09-07linux-boot: Handle nfs-root device strings....* gnu/build/linux-boot.scm (device-string->file-system-device): Support nfs-root "device" strings. * gnu/build/file-systems.scm (canonicalize-device-spec): Support nfs-root "device" strings. * gnu/machine/ssh.scm (machine-check-file-system-availability): Avoid checking of NFS file systems. * gnu/system.scm (read-boot-parameters, device-sexp->device): Support nfs-root "device" strings. Signed-off-by: Danny Milosavljevic <dannym@scratchpost.org> Stefan 2020-07-31file-system: Add mount-may-fail? option....* gnu/system/file-systems.scm (<file-system>): Add a mount-may-fail? field. (file-system->spec): adapt accordingly, (spec->file-system): ditto. * gnu/build/file-systems.scm (mount-file-system): If 'system-error is raised and mount-may-fail? is true, ignore it. Otherwise, re-raise the exception. Signed-off-by: Mathieu Othacehe <othacehe@gnu.org> Mathieu Othacehe 2020-07-26file-systems: Add NTFS support....* gnu/system/uuid.scm (%ntfs-endianness): New macro, (ntfs-uuid->string): new procedure, (%ntfs-endianness): new variable, (string->ntfs-uuid): new exported procedure, (%uuid-parsers): add NTFS support, (%uuid-printers): add NTFS support. * gnu/build/file-systems.scm (%ntfs-endianness): New macro, (ntfs-superblock?, read-ntfs-superblock, ntfs-superblock-uuid, check-ntfs-file-system): new procedure, (%partition-uuid-readers): add NTFS support, (check-file-system): add NTFS support. Mathieu Othacehe