From 0565cde6892c4fcc503a86227e366d3500040076 Mon Sep 17 00:00:00 2001 From: Vivien Kraus Date: Sat, 25 Jun 2022 16:33:44 +0200 Subject: gnu: zlib: Support mingw cross-compilation. * gnu/packages/compression.scm (zlib): Only run configure if not mingw. Signed-off-by: Liliana Marie Prikler --- gnu/packages/compression.scm | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) (limited to 'gnu/packages/compression.scm') diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 5b31b0ad52..df056dd65a 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -113,7 +113,16 @@ (build-system gnu-build-system) (outputs '("out" "static")) (arguments - `(#:phases + `(#:make-flags + ,(if (target-mingw?) + `(list ,(string-append "PREFIX=" (%current-target-system) "-") + "BINARY_PATH = $(prefix)/bin" + "INCLUDE_PATH = $(prefix)/include" + "LIBRARY_PATH = $(prefix)/lib" + "SHARED_MODE = 1" + (string-append "prefix = " (assoc-ref %outputs "out"))) + ''()) + #:phases (modify-phases %standard-phases (replace 'configure (lambda* (#:key outputs #:allow-other-keys) @@ -125,8 +134,10 @@ ,@(if (%current-target-system) `((setenv "CHOST" ,(%current-target-system))) '()) - (invoke "./configure" - (string-append "--prefix=" out))))) + ,@(if (target-mingw?) + `((rename-file "win32/Makefile.gcc" "Makefile")) + `((invoke "./configure" + (string-append "--prefix=" out))))))) (add-after 'install 'move-static-library (lambda* (#:key outputs #:allow-other-keys) (let ((out (assoc-ref outputs "out")) -- cgit v1.2.3 From de40c03a750e069a554353bc58dddd634595b1fd Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Tue, 2 Aug 2022 15:09:01 -0400 Subject: gnu: zchunk: Update to 1.2.2. * gnu/packages/compression.scm (zchunk): Update to 1.2.2. --- gnu/packages/compression.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/compression.scm') 
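Review bot: In the second hunk the `CHOST` setenv is still emitted whenever `(%current-target-system)` is set, but on a mingw target the new branch renames `win32/Makefile.gcc` and never runs `./configure`, so that setenv is dead on the mingw path; narrowing it to `,@(if (and (%current-target-system) (not (target-mingw?))) ...)` or adding `;; CHOST is only consulted by ./configure, which the mingw branch skips.` would make the intent explicit. The first hunk also gives no reason for bypassing `./configure` on mingw; a comment above the `#:make-flags` branch such as `;; zlib's ./configure is not used for mingw targets (presumably unsupported there); drive win32/Makefile.gcc with explicit make variables instead.` would help the next reader. The configure lambda continues past the hunk, and the `out` binding it establishes appears unused on the mingw path.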
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index df056dd65a..6070c5beb1 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -2346,7 +2346,7 @@ reading from and writing to ZIP archives.") (define-public zchunk (package (name "zchunk") - (version "1.1.16") + (version "1.2.2") (source (origin (method git-fetch) (uri (git-reference @@ -2355,7 +2355,7 @@ reading from and writing to ZIP archives.") (file-name (git-file-name name version)) (sha256 (base32 - "0nlzwnv6wh2yjyyv27f81jnvmk7psgpbnw7dsdp7frfkya569hgv")))) + "0q0avb0397xkmidl8rxasfywp0r7w3awk6271pa2d9xl9p1n82zy")))) (build-system meson-build-system) (arguments `(#:phases (modify-phases %standard-phases -- cgit v1.2.3 From b8424f0cddd6be29a51b778790dd5a4ca10007c4 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Mon, 8 Aug 2022 18:47:20 +0300 Subject: gnu: unzip: Mark safe from CVE-2019-13232. * gnu/packages/compression.scm (unzip)[properties]: New field. --- gnu/packages/compression.scm | 1 + 1 file changed, 1 insertion(+) (limited to 'gnu/packages/compression.scm') diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 6070c5beb1..e5bc3813c5 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -1846,6 +1846,7 @@ UnZip lists, tests, or extracts files from a .zip archive. The default behaviour (with no options) is to extract into the current directory, and subdirectories below it, all files from the specified zipfile. UnZip recreates the stored directory structure by default.") + (properties `((lint-hidden-cve . ("CVE-2019-13232")))) (license (license:non-copyleft "file://LICENSE" "See LICENSE in the distribution.")))) -- cgit v1.2.3 From 5e009a88746bf3c20b29626a8671055c47a42bd0 Mon Sep 17 00:00:00 2001 
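Review bot: The `lint-hidden-cve` property in the unzip hunk is added without recording why CVE-2019-13232 is considered not to apply, so a later maintainer cannot tell whether the exemption is still justified. A short comment above the property, e.g. `;; CVE-2019-13232 (overlapping "zip bomb" entries) is treated as not a vulnerability in unzip; hide it from 'guix lint'.`, together with a reference to the upstream or distribution rationale, would keep the exemption auditable. The package form continues outside the hunk.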
From: Efraim Flashner Date: Mon, 8 Aug 2022 19:13:07 +0300 Subject: gnu: unzip: Patch for CVE-2022-0529 and CVE-2022-0530. * gnu/packages/compression.scm (unzip)[replacement]: New field. (unzip/fixed): New variable. * gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/compression.scm | 10 ++ .../unzip-CVE-2022-0529+CVE-2022-0530.patch | 177 +++++++++++++++++++++ 3 files changed, 188 insertions(+) create mode 100644 gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch (limited to 'gnu/packages/compression.scm') diff --git a/gnu/local.mk b/gnu/local.mk index a837d16e34..ac40640658 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1900,6 +1900,7 @@ dist_patch_DATA = \ %D%/packages/patches/unzip-CVE-2014-9636.patch \ %D%/packages/patches/unzip-CVE-2015-7696.patch \ %D%/packages/patches/unzip-CVE-2015-7697.patch \ + %D%/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch \ %D%/packages/patches/unzip-allow-greater-hostver-values.patch \ %D%/packages/patches/unzip-attribs-overflow.patch \ %D%/packages/patches/unzip-overflow-on-invalid-input.patch \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index e5bc3813c5..6854bcafe4 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -1768,6 +1768,7 @@ Compression ratios of 2:1 to 3:1 are common for text files.") (package (inherit zip) (name "unzip") (version "6.0") + (replacement unzip/fixed) (source (origin (method url-fetch) 
@@ -1850,6 +1851,15 @@ recreates the stored directory structure by default.") (license (license:non-copyleft "file://LICENSE" "See LICENSE in the distribution.")))) +(define unzip/fixed + (package (inherit unzip) + (source + (origin + (inherit (package-source unzip)) + (patches (append + (origin-patches (package-source unzip)) + (search-patches "unzip-CVE-2022-0529+CVE-2022-0530.patch"))))))) + (define-public ziptime (let ((commit "2a5bc9dfbf7c6a80e5f7cb4dd05b4036741478bc") (revision "0")) diff --git a/gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch b/gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch new file mode 100644 index 0000000000..e3fe2314ac --- /dev/null +++ b/gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch 
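Review bot: `unzip/fixed` evaluates `(package-source unzip)` twice, once for `inherit` and once for `origin-patches`; binding it once reads more clearly and keeps both uses in sync if the origin is ever derived differently. The graft carries the inherited `properties` (including the lint exemption added earlier) unchanged, which is the intended behaviour for a replacement, but is worth keeping in mind when the exemption is revisited.
```scheme
(define unzip/fixed
  (let ((base (package-source unzip)))
    (package (inherit unzip)
      (source
       (origin
         (inherit base)
         (patches (append (origin-patches base)
                          (search-patches
                           "unzip-CVE-2022-0529+CVE-2022-0530.patch"))))))))
```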
@@ -0,0 +1,177 @@ +https://nvd.nist.gov/vuln/detail/CVE-2022-0529 +https://nvd.nist.gov/vuln/detail/CVE-2022-0530 +https://sources.debian.org/src/unzip/6.0-27/debian/patches/28-cve-2022-0529-and-cve-2022-0530.patch/ + +From: Steven M. Schweda +Subject: Fix for CVE-2022-0529 and CVE-2022-0530 +Bug-Debian: https://bugs.debian.org/1010355 +X-Debian-version: 6.0-27 + +--- a/fileio.c ++++ b/fileio.c +@@ -171,8 +171,10 @@ + static ZCONST char Far FilenameTooLongTrunc[] = + "warning: filename too long--truncating.\n"; + #ifdef UNICODE_SUPPORT ++ static ZCONST char Far UFilenameCorrupt[] = ++ "error: Unicode filename corrupt.\n"; + static ZCONST char Far UFilenameTooLongTrunc[] = +- "warning: Converted unicode filename too long--truncating.\n"; ++ "warning: Converted Unicode filename too long--truncating.\n"; + #endif + static ZCONST char Far ExtraFieldTooLong[] = + "warning: extra field too long (%d). Ignoring...\n"; +@@ -2361,16 +2363,30 @@ + /* convert UTF-8 to local character set */ + fn = utf8_to_local_string(G.unipath_filename, + G.unicode_escape_all); +- /* make sure filename is short enough */ +- if (strlen(fn) >= FILNAMSIZ) { +- fn[FILNAMSIZ - 1] = '\0'; ++ ++ /* 2022-07-22 SMS, et al. CVE-2022-0530 ++ * Detect conversion failure, emit message. ++ * Continue with unconverted name. 
++ */ ++ if (fn == NULL) ++ { + Info(slide, 0x401, ((char *)slide, +- LoadFarString(UFilenameTooLongTrunc))); +- error = PK_WARN; ++ LoadFarString(UFilenameCorrupt))); ++ error = PK_ERR; ++ } ++ else ++ { ++ /* make sure filename is short enough */ ++ if (strlen(fn) >= FILNAMSIZ) { ++ fn[FILNAMSIZ - 1] = '\0'; ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(UFilenameTooLongTrunc))); ++ error = PK_WARN; ++ } ++ /* replace filename with converted UTF-8 */ ++ strcpy(G.filename, fn); ++ free(fn); + } +- /* replace filename with converted UTF-8 */ +- strcpy(G.filename, fn); +- free(fn); + } + # endif /* UNICODE_WCHAR */ + if (G.unipath_filename != G.filename_full) +--- a/process.c ++++ b/process.c +@@ -222,6 +222,8 @@ + "\nwarning: Unicode Path version > 1\n"; + static ZCONST char Far UnicodeMismatchError[] = + "\nwarning: Unicode Path checksum invalid\n"; ++ static ZCONST char Far UFilenameTooLongTrunc[] = ++ "warning: filename too long (P1) -- truncating.\n"; + #endif + + +@@ -1915,7 +1917,7 @@ + Sets both local header and central header fields. Not terribly clever, + but it means that this procedure is only called in one place. + +- 2014-12-05 SMS. ++ 2014-12-05 SMS. (oCERT.org report.) CVE-2014-8141. + Added checks to ensure that enough data are available before calling + makeint64() or makelong(). Replaced various sizeof() values with + simple ("4" or "8") constants. 
(The Zip64 structures do not depend +@@ -1947,9 +1949,10 @@ + ef_len - EB_HEADSIZE)); + break; + } ++ + if (eb_id == EF_PKSZ64) + { +- int offset = EB_HEADSIZE; ++ unsigned offset = EB_HEADSIZE; + + if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) + { +@@ -2046,7 +2049,7 @@ + } + if (eb_id == EF_UNIPATH) { + +- int offset = EB_HEADSIZE; ++ unsigned offset = EB_HEADSIZE; + ush ULen = eb_len - 5; + ulg chksum = CRCVAL_INITIAL; + +@@ -2504,16 +2507,17 @@ + int state_dependent; + int wsize = 0; + int max_bytes = MB_CUR_MAX; +- char buf[9]; ++ char buf[ MB_CUR_MAX+ 1]; /* ("+1" not really needed?) */ + char *buffer = NULL; + char *local_string = NULL; ++ size_t buffer_size; /* CVE-2022-0529 */ + + for (wsize = 0; wide_string[wsize]; wsize++) ; + + if (max_bytes < MAX_ESCAPE_BYTES) + max_bytes = MAX_ESCAPE_BYTES; +- +- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) { ++ buffer_size = wsize * max_bytes + 1; /* Reused below. */ ++ if ((buffer = (char *)malloc( buffer_size)) == NULL) { + return NULL; + } + +@@ -2551,8 +2555,28 @@ + } else { + /* no MB for this wide */ + /* use escape for wide character */ +- char *escape_string = wide_to_escape_string(wide_string[i]); +- strcat(buffer, escape_string); ++ size_t buffer_len; ++ size_t escape_string_len; ++ char *escape_string; ++ int err_msg = 0; ++ ++ escape_string = wide_to_escape_string(wide_string[i]); ++ buffer_len = strlen( buffer); ++ escape_string_len = strlen( escape_string); ++ ++ /* Append escape string, as space allows. */ ++ /* 2022-07-18 SMS, et al. 
CVE-2022-0529 */ ++ if (escape_string_len > buffer_size- buffer_len- 1) ++ { ++ escape_string_len = buffer_size- buffer_len- 1; ++ if (err_msg == 0) ++ { ++ err_msg = 1; ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString( UFilenameTooLongTrunc))); ++ } ++ } ++ strncat( buffer, escape_string, escape_string_len); + free(escape_string); + } + } +@@ -2604,9 +2628,18 @@ + ZCONST char *utf8_string; + int escape_all; + { +- zwchar *wide = utf8_to_wide_string(utf8_string); +- char *loc = wide_to_local_string(wide, escape_all); +- free(wide); ++ zwchar *wide; ++ char *loc = NULL; ++ ++ wide = utf8_to_wide_string( utf8_string); ++ ++ /* 2022-07-25 SMS, et al. CVE-2022-0530 */ ++ if (wide != NULL) ++ { ++ loc = wide_to_local_string( wide, escape_all); ++ free( wide); ++ } ++ + return loc; + } + -- cgit v1.2.3 From 36c5fa6c4d50999ca533be882e743a061b3ad0d8 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Sun, 7 Aug 2022 02:00:00 +0200 Subject: gnu: unzip: Use G-expressions. * gnu/packages/compression.scm (unzip)[arguments]: Rewrite as G-expressions. --- gnu/packages/compression.scm | 42 +++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) (limited to 'gnu/packages/compression.scm') diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 6854bcafe4..026629cad1 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm 
@@ -1818,25 +1818,29 @@ Compression ratios of 2:1 to 3:1 are common for text files.") (build-system gnu-build-system) ;; no inputs; bzip2 is not supported, since not compiled with BZ_NO_STDIO (arguments - `(#:phases (modify-phases %standard-phases - (delete 'configure) - (add-after 'unpack 'fortify - (lambda _ - ;; Mitigate CVE-2018-1000035, an exploitable buffer overflow. - ;; This environment variable is recommended in 'unix/Makefile' - ;; for passing flags to the C compiler. - (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1") - #t)) - (replace 'build - (lambda* (#:key make-flags #:allow-other-keys) - (apply invoke "make" - `("-j" ,(number->string - (parallel-job-count)) - ,@make-flags - "generic_gcc"))))) - #:make-flags (list "-f" "unix/Makefile" - (string-append "prefix=" %output) - (string-append "MANDIR=" %output "/share/man/man1")))) + (list #:phases + #~(modify-phases %standard-phases + (delete 'configure) + (add-after 'unpack 'fortify + (lambda _ + ;; Mitigate CVE-2018-1000035, an exploitable buffer overflow. + ;; This environment variable is recommended in 'unix/Makefile' + ;; for passing flags to the C compiler. + (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1") + #t)) + (replace 'build + (lambda* (#:key make-flags #:allow-other-keys) + (apply invoke "make" + `("-j" ,(number->string + (parallel-job-count)) + ,@make-flags + "generic_gcc"))))) + #:make-flags + ;; Fix cross-compilation without affecting native builds, as doing so + ;; would trigger too many rebuilds: https://issues.guix.gnu.org/57127 + #~(list "-f" "unix/Makefile" + (string-append "prefix=" %output) + (string-append "MANDIR=" %output "/share/man/man1")))) (home-page "http://www.info-zip.org/UnZip.html") (synopsis "Decompression and file extraction utility") (description -- cgit v1.2.3 From 45db0ca5e9b8a7bca34d8c87d76debfda56c824d Mon Sep 17 00:00:00 2001 
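Review bot: The comment added above `#:make-flags` ("Fix cross-compilation without affecting native builds ... 57127") describes a change this hunk does not make — the flag list below it still uses `%output` in both native and cross builds — so on its own the comment is misleading; it belongs with the commit that introduces the cross-compilation branch, or should be reworded here. The `fortify` phase still ends with `#t`, which phases no longer need; `(lambda _ (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1"))` is sufficient. Since `_FORTIFY_SOURCE` only takes effect when the code is compiled with optimisation, it is worth confirming (not visible here) that the `generic_gcc` target's CFLAGS include an `-O` level; a comment recording that check next to the setenv would make the mitigation's precondition explicit.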
From: Tobias Geerinckx-Rice Date: Sun, 7 Aug 2022 02:00:00 +0200 Subject: gnu: unzip: Fix cross-compilation. Fixes . * gnu/packages/compression.scm (unzip)[arguments]: Use #$output when cross-compiling.
---
gnu/packages/compression.scm | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'gnu/packages/compression.scm')
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 026629cad1..684979018c 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -1838,9 +1838,13 @@ Compression ratios of 2:1 to 3:1 are common for text files.") #:make-flags ;; Fix cross-compilation without affecting native builds, as doing so ;; would trigger too many rebuilds: https://issues.guix.gnu.org/57127
- #~(list "-f" "unix/Makefile"
- (string-append "prefix=" %output)
- (string-append "MANDIR=" %output "/share/man/man1"))))
+ (if (%current-target-system)
+ #~(list "-f" "unix/Makefile"
+ (string-append "prefix=" #$output)
+ (string-append "MANDIR=" #$output "/share/man/man1"))
+ #~(list "-f" "unix/Makefile"
+ (string-append "prefix=" %output)
+ (string-append "MANDIR=" %output "/share/man/man1"))))) (home-page "http://www.info-zip.org/UnZip.html") (synopsis "Decompression and file extraction utility") (description
-- cgit v1.2.3
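Review bot: The native branch keeps the legacy `%output` only to avoid a world rebuild (as the comment says), which leaves two near-identical flag lists differing solely in how the output is referenced. A marker next to the `if`, e.g. `;; TODO: Drop the %output branch and use #$output unconditionally at the next full rebuild.`, records that the duplication is temporary and tells the next person touching unzip when it can be collapsed. The `(arguments ...)` form starts before this hunk.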