;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013 Nikita Karetnikov
;;; Copyright © 2016, 2017, 2018 Leo Famulari
;;; Copyright © 2016 Kei Kebreau
;;; Copyright © 2016, 2019 Efraim Flashner
;;; Copyright © 2018 Rutger Helling
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;;; Package definition for w3m, the text-mode web browser and pager.

(define-module (gnu packages w3m)
  #:use-module ((guix licenses) #:select (x11-style))
  #:use-module (gnu packages gettext)
  #:use-module (gnu packages bdw-gc)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages gtk)
  #:use-module (gnu packages ncurses)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages tls)
  #:use-module (gnu packages xorg)
  #:use-module (gnu packages)
  #:use-module (guix packages)
  #:use-module (guix git-download)
  #:use-module (guix build-system gnu))

;; w3m is built from a git checkout of Debian's fork, not from an upstream
;; release tarball.  The checkout is selected by a tag name, but what actually
;; pins the source is the 'sha256' content hash below: if the tag were moved
;; or re-pointed, the fetch would fail the hash check instead of silently
;; building different code.
(define-public w3m
  (package
    (name "w3m")
    ;; Upstream 0.5.3 plus Debian's git snapshot of the given date; the tag
    ;; name below is derived from this string, so bump both together with
    ;; the hash.
    (version "0.5.3+git20190105")
    (source (origin
              (method git-fetch)
              ;; Debian's fork of w3m is the only one that is still maintained
              ;; (presumably also where its security fixes land — confirm
              ;; against Debian's changelog before relying on that).
              (uri (git-reference
                    (url "https://salsa.debian.org/debian/w3m.git")
                    ;; Git tag, e.g. "v0.5.3+git20190105".  Tags are mutable;
                    ;; integrity comes from the content hash, not from here.
                    (commit (string-append "v" version))))
              (file-name (git-file-name name version))
              ;; Content hash of the checkout; must be updated together with
              ;; VERSION or the build will be rejected with a hash mismatch.
              (sha256
               (base32
                "1fbg2p8qh2gvi3g4iz4q6vc0k70pf248r4yndi5lcn2m3mzvjx0i"))))
    (build-system gnu-build-system)
    (arguments
     '(#:tests? #f ; no check target
       ;; Use $EDITOR instead of a hard-coded value.
       #:configure-flags '("--with-editor=")
       #:phases
       (modify-phases %standard-phases
         ;; The two CGI helper scripts carry an '@PERL@' placeholder.  Replace
         ;; it with the absolute path of the perl found on the build PATH (the
         ;; one from 'native-inputs'), so the installed scripts do not resolve
         ;; an interpreter through PATH at run time.
         (add-before 'configure 'fix-perl
           (lambda _
             (substitute* '("scripts/w3mmail.cgi.in"
                            "scripts/dirlist.cgi.in")
               (("@PERL@") (which "perl")))
             #t)))))
    (inputs
     `(("gdk-pixbuf" ,gdk-pixbuf)
       ("libgc" ,libgc)
       ("libx11" ,libx11)
       ("ncurses" ,ncurses)
       ("openssl" ,openssl) ; presumably provides TLS for https:// pages — confirm in configure
       ("zlib" ,zlib)))
    (native-inputs
     `(("gettext" ,gettext-minimal)
       ("perl" ,perl)
       ("pkg-config" ,pkg-config)))
    ;; Note: plain http:// URL.  This field is informational; the source is
    ;; fetched from the HTTPS salsa URL above, not from here.
    (home-page "http://w3m.sourceforge.net/")
    (synopsis "Text-mode web browser")
    (description "w3m is a text-based web browser as well as a pager like @code{more} or @code{less}. With w3m you can browse web pages through a terminal emulator window. Moreover, w3m can be used as a text formatting tool which typesets HTML into plain text.")
    ;; w3m ships its own X11-style license text in doc/README.
    (license (x11-style "file://doc/README"
                        "See 'doc/README' in the distribution."))))
ffb3fae133bb21d7991e97c2f19a7108b1143. Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two ways: (1) it didn’t have any effet for fixed-output derivations performed in a chroot, which is the case for all of them except those using “builtin:download” and “builtin:git-download”, and (2) it did not preserve ownership when copying, leading to “suspicious ownership or permission […] rejecting this build output” errors. * nix/libstore/build.cc (DerivationGoal::buildDone): Account for ‘chrootRootDir’ when copying ‘drv.outputs’. * nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’ calls to preserve file ownership; this is necessary for chrooted fixed-output derivation builds. * nix/libutil/util.hh: Update comment.
Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156 Ludovic Courtès 2024-03-11 daemon: Protect against FD escape when building fixed-output derivations (CVE-2024-27297). This fixes a security issue (CVE-2024-27297) whereby a fixed-output derivation build process could open a writable file descriptor to its output, send it to some outside process (for instance over an abstract AF_UNIX socket), and thereby allow that process to modify the file in the store after it has been marked as “valid”. Copying each output to a fresh file and renaming the copy into place means that any descriptor the builder leaked refers only to the discarded original, not to the file the daemon registers as valid. Vulnerability discovered by puck <https://github.com/puckipedia>. Nix security advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37 Nix fix: https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9 * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and a file descriptor. Rewrite the ‘Path’ variant accordingly. (copyFile, copyFileRecursively): New functions. * nix/libutil/util.hh (copyFileRecursively): New declaration. * nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’ is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output. Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4 Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io> Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88 Ludovic Courtès 2023-01-09 daemon: Improve error message for wrong hash sizes. * nix/libutil/hash.cc (parseHash): Show the hash algorithm name and expected size in the error message. * tests/derivations.scm ("fixed-output derivation, invalid hash size"): New test. Ludovic Courtès 2022-12-18 daemon: Make "opening file" error messages distinguishable. * nix/libstore/build.cc (DerivationGoal::openLogFile): Customize the "opening file" error message. * nix/libutil/hash.cc (hashFile): Likewise. * nix/libutil/util.cc (readFile, writeFile): Likewise.
Ludovic Courtès 2021-11-19 daemon: Micro-optimize 'deletePath'. 'remove' calls 'unlink' first and falls back to 'rmdir' upon EISDIR. This change gets rid of the 'unlink' call for every directory being removed. * nix/libutil/util.cc (_deletePath): Call 'unlink' or 'rmdir' depending on 'st.st_mode', rather than calling 'remove'. Ludovic Courtès