[PATCH 0/6] Add lint-hidden-cve property for near-leaf packages.

  • Open
  • quality assurance status badge
Details
One participant
  • Nicolas Graves
Owner
unassigned
Submitted by
Nicolas Graves
Severity
normal

Debbugs page

N
N
Nicolas Graves wrote 5 days ago
(address . guix-patches@gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027182422.27007-1-ngraves@ngraves.fr
This patch series is what's left of 74034 after I've split it in two.
It introduces some useful lint-hidden-cve properties were that's
useful, fixing build or updating packages along the way.

Nicolas Graves (6):
gnu: gerbv: Add lint-hidden-cve property.
gnu: libgda: Rename patch for guix lint.
gnu: upx: Update to 4.2.4.
gnu: sylpheed: Add release-monitoring-url property.
gnu: openvswitch: Update to 3.4.0.
gnu: quagga: Fix build and hide CVE.

gnu/local.mk | 2 +-
gnu/packages/compression.scm | 7 ++++---
gnu/packages/engineering.scm | 2 ++
gnu/packages/gnome.scm | 2 +-
gnu/packages/mail.scm | 2 ++
gnu/packages/networking.scm | 14 ++++++++++----
...021-39359.patch => libgda-CVE-2021-39359.patch} | 0
7 files changed, 20 insertions(+), 9 deletions(-)
rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)

--
2.46.0
N
N
Nicolas Graves wrote 5 days ago
[PATCH 2/6] gnu: libgda: Rename patch for guix lint.
(address . 74050@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027183141.28120-2-ngraves@ngraves.fr
* gnu/packages/gnome.scm (libgda)[source]<origin>: Rename patch for
CVE to be ignored by guix lint.
---
gnu/local.mk | 2 +-
gnu/packages/gnome.scm | 2 +-
...{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} | 0
3 files changed, 2 insertions(+), 2 deletions(-)
rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)

Toggle diff (32 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index c432685775..d253b424bb 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1666,7 +1666,7 @@ dist_patch_DATA = \
%D%/packages/patches/libcroco-CVE-2020-12825.patch \
%D%/packages/patches/libcyaml-libyaml-compat.patch \
%D%/packages/patches/libexpected-use-provided-catch2.patch \
- %D%/packages/patches/libgda-cve-2021-39359.patch \
+ %D%/packages/patches/libgda-CVE-2021-39359.patch \
%D%/packages/patches/libgda-disable-data-proxy-test.patch \
%D%/packages/patches/libgda-fix-build.patch \
%D%/packages/patches/libgda-fix-missing-initialization.patch \
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 77a0633b50..9b26819261 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -13653,7 +13653,7 @@ (define-public libgda
name "-" version ".tar.xz"))
(sha256
(base32 "0w564z7krgjk19r39mi5qn4kggpdg9ggbyn9pb4aavb61r14npwr"))
- (patches (search-patches "libgda-cve-2021-39359.patch"
+ (patches (search-patches "libgda-CVE-2021-39359.patch"
"libgda-disable-data-proxy-test.patch"
"libgda-fix-build.patch"
"libgda-fix-missing-initialization.patch"
diff --git a/gnu/packages/patches/libgda-cve-2021-39359.patch b/gnu/packages/patches/libgda-CVE-2021-39359.patch
similarity index 100%
rename from gnu/packages/patches/libgda-cve-2021-39359.patch
rename to gnu/packages/patches/libgda-CVE-2021-39359.patch
--
2.46.0
N
N
Nicolas Graves wrote 5 days ago
[PATCH 1/6] gnu: gerbv: Add lint-hidden-cve property.
(address . 74050@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027183141.28120-1-ngraves@ngraves.fr
* gnu/packages/engineering.scm (gerbv)[properties]: Add
lint-hidden-cve property.
---
gnu/packages/engineering.scm | 2 ++
1 file changed, 2 insertions(+)

Toggle diff (15 lines)
diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm
index 6f449f0c39..89e60a7218 100644
--- a/gnu/packages/engineering.scm
+++ b/gnu/packages/engineering.scm
@@ -868,6 +868,8 @@ (define-public gerbv
you load several files on top of each other, do measurements on the displayed
image, etc. Besides viewing Gerbers, you may also view Excellon drill files
as well as pick-place files.")
+ ;; This CVE has been fixed in version 2.10.0.
+ (properties '((lint-hidden-cve . ("CVE-2023-4508"))))
(license license:gpl2+)))
(define-public translate2geda
--
2.46.0
N
N
Nicolas Graves wrote 5 days ago
[PATCH 3/6] gnu: upx: Update to 4.2.4.
(address . 74050@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027183141.28120-3-ngraves@ngraves.fr
* gnu/packages/compression.scm (upx): Update to 4.2.4.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/compression.scm | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

Toggle diff (33 lines)
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 97696ff0ef..a32b15a64a 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2438,15 +2438,14 @@ (define-public ucl
(define-public upx
(package
(name "upx")
- (version "4.1.0")
+ (version "4.2.4")
(source
(origin
(method url-fetch)
(uri (string-append "https://github.com/upx/upx/releases/download/v"
version "/upx-" version "-src.tar.xz"))
(sha256
- (base32
- "1l273pwa573x9l3izw75cz8ysn2g8w8w3s56rahppa3ya65zg0h5"))))
+ (base32 "1i71p03861hlf5x1w217l67zm5inm449zhbg6kpv8zyj0wb5dmjy"))))
(build-system cmake-build-system)
(home-page "https://upx.github.io/")
(synopsis "Compression tool for executables")
@@ -2455,6 +2454,8 @@ (define-public upx
compressor. UPX typically reduces the file size of programs and shared
libraries by around 50%--70%, thus reducing disk space, network load times,
download times, and other distribution and storage costs.")
+ ;; These CVEs have been fixed since 4.0.2 but are still linted.
+ (properties `((lint-hidden-cve . ("CVE-2023-23456" "CVE-2023-23457"))))
(license license:gpl2+)))
(define-public quazip-0
--
2.46.0
N
N
Nicolas Graves wrote 5 days ago
[PATCH 4/6] gnu: sylpheed: Add release-monitoring-url property.
(address . 74050@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027183141.28120-4-ngraves@ngraves.fr
* gnu/packages/mail.scm (sylpheed)[properties]: Add
release-monitoring-url.
---
gnu/packages/mail.scm | 2 ++
1 file changed, 2 insertions(+)

Toggle diff (15 lines)
diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 2c69a7b818..77be7626a9 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -4561,6 +4561,8 @@ (define-public sylpheed
"Sylpheed is a simple, lightweight but featureful, and easy-to-use e-mail
client. Sylpheed provides intuitive user-interface. Sylpheed is also
designed for keyboard-oriented operation.")
+ (properties '((release-monitoring-url
+ . "https://sylpheed.sraoss.jp/en/download.html")))
(license license:gpl2+)))
(define-public python-authres
--
2.46.0
N
N
Nicolas Graves wrote 5 days ago
[PATCH 5/6] gnu: openvswitch: Update to 3.4.0.
(address . 74050@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027183141.28120-5-ngraves@ngraves.fr
* gnu/packages/networking.scm (openvswitch): Update to 3.4.0.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/networking.scm | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

Toggle diff (35 lines)
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 8c5548323f..67584be64b 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2878,7 +2878,7 @@ (define-public nzbget
(define-public openvswitch
(package
(name "openvswitch")
- (version "3.2.0")
+ (version "3.4.0")
(source (origin
(method url-fetch)
(uri (string-append
@@ -2886,7 +2886,7 @@ (define-public openvswitch
version ".tar.gz"))
(sha256
(base32
- "1i0lb40lwbakmmqklmfcgr01l1ymsawgdi7k9a1zzp8ariw7x4ff"))))
+ "10g84h6lis6fafyjhvmdrs8r539xcar04cc3rsk448gs6848hsqr"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags
@@ -2962,7 +2962,9 @@ (define-public openvswitch
supporting standard management interfaces and protocols (e.g. NetFlow, sFlow,
IPFIX, RSPAN, CLI, LACP, 802.1ag).")
(properties
- '((release-monitoring-url . "https://www.openvswitch.org/download/")))
+ '((release-monitoring-url . "https://www.openvswitch.org/download/")
+ ;; This CVE is fixed since 3.2.0.
+ (lint-hidden-cve . ("CVE-2023-5366"))))
(license ; see debian/copyright for detail
(list license:lgpl2.1 ; xenserver and utilities/bugtool
license:gpl2 ; datapath
--
2.46.0
N
N
Nicolas Graves wrote 5 days ago
[PATCH 6/6] gnu: quagga: Fix build and hide CVE.
(address . 74050@debbugs.gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241027183141.28120-6-ngraves@ngraves.fr
* gnu/packages/networking.scm (quagga)
[inputs]: Add libxcrypt.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/networking.scm | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

Toggle diff (26 lines)
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 67584be64b..910299a0a6 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -3139,7 +3139,7 @@ (define-public quagga
(delete-file "vtysh/extract.pl")))))
(build-system gnu-build-system)
(native-inputs (list gawk gcc-9 pkg-config perl dejagnu))
- (inputs (list readline c-ares))
+ (inputs (list c-ares libxcrypt readline))
(synopsis "Routing Software Suite")
(description "Quagga is a routing software suite, providing implementations
of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4 for Unix platforms.
@@ -3150,6 +3150,10 @@ (define-public quagga
clients which typically implement a routing protocol and communicate routing
updates to the zebra daemon.")
(home-page "https://www.nongnu.org/quagga/")
+ ;; This CVE concerns systemd services files that we currently don't use.
+ ;; If we were to use them, a fixing patch can be found here:
+ ;; https://build.opensuse.org/request/show/1035188
+ (properties '((lint-hidden-cve . ("CVE-2021-44038"))))
(license license:gpl2+)))
(define-public bgpq3
--
2.46.0
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 74050@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 74050
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch