From b0716eac4e800a0ea53e1b949250f671702f28a0 Mon Sep 17 00:00:00 2001 From: Tom Callaway Date: Tue, 30 Oct 2012 15:39:24 -0400 Subject: apply workaround to CVE-2012-4527 --- mcrypt-2.6.8.orig/src/mcrypt.c +++ mcrypt-2.6.8/src/mcrypt.c @@ -41,6 +41,8 @@ # include #endif +#define WIDTH 80 + static char rcsid[] = "$Id: mcrypt.c,v 1.2 2007/11/07 17:10:21 nmav Exp $"; @@ -482,7 +484,7 @@ #ifdef HAVE_STAT if (stream_flag == FALSE) { if (is_normal_file(file[i]) == FALSE) { - sprintf(tmperr, + snprintf(tmperr, WIDTH, _ ("%s: %s is not a regular file. Skipping...\n"), program_name, file[i]); @@ -501,7 +503,7 @@ dinfile = file[i]; if ((isatty(fileno((FILE *) (stdin))) == 1) && (stream_flag == TRUE) && (force == 0)) { /* not a tty */ - sprintf(tmperr, + snprintf(tmperr, WIDTH, _ ("%s: Encrypted data will not be read from a terminal.\n"), program_name); @@ -520,7 +522,7 @@ einfile = file[i]; if ((isatty(fileno((FILE *) (stdout))) == 1) && (stream_flag == TRUE) && (force == 0)) { /* not a tty */ - sprintf(tmperr, + snprintf(tmperr, WIDTH, _ ("%s: Encrypted data will not be written to a terminal.\n"), program_name); @@ -544,7 +546,7 @@ strcpy(outfile, einfile); /* if file has already the .nc ignore it */ if (strstr(outfile, ".nc") != NULL) { - sprintf(tmperr, + snprintf(tmperr, WIDTH, _ ("%s: file %s has the .nc suffix... skipping...\n"), program_name, outfile); @@ -590,10 +592,10 @@ if (x == 0) { if (stream_flag == FALSE) { - sprintf(tmperr, _("File %s was decrypted.\n"), dinfile); + snprintf(tmperr, WIDTH, _("File %s was decrypted.\n"), dinfile); err_warn(tmperr); } else { - sprintf(tmperr, _("Stdin was decrypted.\n")); + snprintf(tmperr, WIDTH, _("Stdin was decrypted.\n")); err_warn(tmperr); } #ifdef HAVE_STAT @@ -610,7 +612,7 @@ } else { if (stream_flag == FALSE) { - sprintf(tmperr, + snprintf(tmperr, WIDTH, _ ("File %s was NOT decrypted successfully.\n"), dinfile); @@ -636,10 +638,10 @@ if (x == 0) { if (stream_flag == FALSE) { - sprintf(tmperr, _("File %s was encrypted.\n"), einfile); + snprintf(tmperr, WIDTH, _("File %s was encrypted.\n"), einfile); err_warn(tmperr); } else { - sprintf(tmperr, _("Stdin was encrypted.\n")); + snprintf(tmperr, WIDTH, _("Stdin was encrypted.\n")); err_warn(tmperr); } #ifdef HAVE_STAT @@ -655,7 +657,7 @@ } else { if (stream_flag == FALSE) { - sprintf(tmperr, + snprintf(tmperr, WIDTH, _ ("File %s was NOT encrypted successfully.\n"), einfile); - git v0.12 actually equal packages in a bag's inputs. The problem would manifest itself when running, for instance: guix build inkscape -d --with-graft=glib=glib-networking --no-grafts The resulting derivation would differ due from that without '--with-graft'. This was due to the fact that glib propagates libffi; this instance of libffi was not rewritten even though other instances in the graph were rewritten. Thus, glib would end up with two non-eq? libffi instances, which in turn would lead to duplicate entries in its '%build-inputs' variable. Fixes <https://bugs.gnu.org/43890>. * guix/packages.scm (package-mapping)[rewrite]: Remove call to 'cut?' and call 'replace' unconditionally. [replace]: Add 'cut?' case. * tests/guix-build.sh: Add test combining '--no-grafts' and '--with-graft'. * tests/packages.scm ("package-input-rewriting/spec, identity") ("package-input-rewriting, identity"): New tests. Ludovic Courtès 2020-10-15ui: Only suggest modules that export the unbound variable identifier....Fixes <https://bugs.gnu.org/43498>. Reported by Tobias Geerinckx-Rice <me@tobias.gr>. * guix/ui.scm (known-variable-definition): Check for variables in the public interface of HEAD, not in HEAD itself. * tests/guix-build.sh: Add test. Ludovic Courtès 2020-09-28tests: Simplify shell exit status negation;...* tests/guix-archive.sh, tests/guix-build-branch.sh, tests/guix-build.sh, tests/guix-daemon.sh, tests/guix-download.sh, tests/guix-environment.sh, tests/guix-gc.sh, tests/guix-git-authenticate.sh, tests/guix-graph.sh, tests/guix-hash.sh, tests/guix-lint.sh, tests/guix-pack-relocatable.sh, tests/guix-pack.sh, tests/guix-package-aliases.sh, tests/guix-package-net.sh, tests/guix-package.sh: Use the shell '!' keyword to negate command exit status in place of 'if ...; then false; else true; fi' Eric Bavier 2020-09-27packages: 'package-input-rewriting/spec' can rewrite implicit dependencies....With this change, '--with-input', '--with-graft', etc. also apply to implicit dependencies. Thus, it's now possible to do: guix build python-itsdangerous --with-input=python-wrapper=python@2 or: guix build hello --with-graft=glibc=glibc@2.29 Additionally, before, implicit inputs were not rewritten, which could lead to duplicates in the output of 'bag-transitive-inputs' (packages that are not 'eq?' but lead to the same derivation). This in turn would lead to unnecessary rebuilds when using '--with-input' & co. This change fixes it by ensuring even implicit inputs are rewritten. Fixes <https://bugs.gnu.org/42156>. * guix/packages.scm (package-input-rewriting/spec): Add #:deep? defaulting to #true, and pass it to 'package-mapping'. [replacement-property]: New variable. [rewrite]: Check that property and set it on the result of PROC. [cut?]: New procedure. * tests/packages.scm ("package-input-rewriting/spec"): Ensure implicit inputs were unchanged. ("package-input-rewriting/spec, partial match"): Pass #:deep? #f. ("package-input-rewriting/spec, deep") ("package-input-rewriting/spec, no duplicates"): New tests. (package/inherit): Move before use. * tests/guix-build.sh: Add tests. * tests/scripts-build.scm ("options->transformation, with-graft"): Compare dependencies by package name or derivation file name. * doc/guix.texi (Defining Packages): Adjust accordingly. Ludovic Courtès