
a884fa2141c2bfc65467c0908bd98fd39df90a62 — Ludovic Courtès 9 years ago afb325d
gnu: rush: Update to 1.8.

* gnu/packages/rush.scm (rush): Update to 1.8.
[source]: Remove 'patches'.
* gnu/packages/patches/cpio-gets-undeclared.patch,
gnu/packages/patches/rush-CVE-2013-6889.patch: Remove.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
4 files changed, 4 insertions(+), 78 deletions(-)

M gnu/local.mk
D gnu/packages/patches/cpio-gets-undeclared.patch
D gnu/packages/patches/rush-CVE-2013-6889.patch
M gnu/packages/rush.scm
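--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -476,7 +476,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/clang-3.8-libc-search-path.patch		\
   %D%/packages/patches/clucene-pkgconfig.patch			\
   %D%/packages/patches/cmake-fix-tests.patch			\
-  %D%/packages/patches/cpio-gets-undeclared.patch		\
   %D%/packages/patches/cpio-CVE-2016-2037.patch			\
   %D%/packages/patches/cpufrequtils-fix-aclocal.patch		\
   %D%/packages/patches/cracklib-CVE-2016-6318.patch		\
@@ -804,7 +803,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/ruby-rack-ignore-failing-test.patch      \
   %D%/packages/patches/ruby-symlinkfix.patch                    \
   %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\
-  %D%/packages/patches/rush-CVE-2013-6889.patch			\
   %D%/packages/patches/sed-hurd-path-max.patch			\
   %D%/packages/patches/scheme48-tests.patch			\
   %D%/packages/patches/scotch-test-threading.patch		\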

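--- a/gnu/packages/patches/cpio-gets-undeclared.patch
+++ b/gnu/packages/patches/cpio-gets-undeclared.patch
@@ -1,45 +0,0 @@
-This patch is needed to allow builds with newer versions of
-the GNU libc (2.16+).
-
-The upstream fix was:
-
-  commit 66712c23388e93e5c518ebc8515140fa0c807348
-  Author: Eric Blake <eblake@redhat.com>
-  Date:   Thu Mar 29 13:30:41 2012 -0600
-
-      stdio: don't assume gets any more
-
-      Gnulib intentionally does not have a gets module, and now that C11
-      and glibc have dropped it, we should be more proactive about warning
-      any user on a platform that still has a declaration of this dangerous
-      interface.
-
-      * m4/stdio_h.m4 (gl_STDIO_H, gl_STDIO_H_DEFAULTS): Drop gets
-      support.
-      * modules/stdio (Makefile.am): Likewise.
-      * lib/stdio-read.c (gets): Likewise.
-      * tests/test-stdio-c++.cc: Likewise.
-      * m4/warn-on-use.m4 (gl_WARN_ON_USE_PREPARE): Fix comment.
-      * lib/stdio.in.h (gets): Make warning occur in more places.
-      * doc/posix-functions/gets.texi (gets): Update documentation.
-      Reported by Christer Solskogen.
-
-      Signed-off-by: Eric Blake <eblake@redhat.com>
-
-This patch just gets rid of the offending part.
-
---- cpio-2.11/gnu/stdio.in.h-orig	2012-11-25 22:17:06.000000000 +0400
-+++ cpio-2.11/gnu/stdio.in.h		2012-11-25 22:18:36.000000000 +0400
-@@ -135,12 +135,6 @@
-                  "use gnulib module fflush for portable POSIX compliance");
- #endif
- 
--/* It is very rare that the developer ever has full control of stdin,
--   so any use of gets warrants an unconditional warning.  Assume it is
--   always declared, since it is required by C89.  */
--#undef gets
--_GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
--
- #if @GNULIB_FOPEN@
- # if @REPLACE_FOPEN@
- #  if !(defined __cplusplus && defined GNULIB_NAMESPACE)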

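--- a/gnu/packages/patches/rush-CVE-2013-6889.patch
+++ b/gnu/packages/patches/rush-CVE-2013-6889.patch
@@ -1,23 +0,0 @@
-commit 00bdccd429517f12dbf37ab4397ddec3e51a2738
-Author: Mats Erik Andersson <gnu@gisladisker.se>
-Date:   Mon Jan 20 13:33:52 2014 +0200
-
-    Protect against CVE-2013-6889 (tiny change).
-    
-    Reset the effective user identification in testing mode.
-
-diff --git a/src/rush.c b/src/rush.c
-index 45d737a..dc6518e 100644
---- a/src/rush.c
-+++ b/src/rush.c
-@@ -980,6 +980,10 @@ main(int argc, char **argv)
- 	} else if (argc > optind)
- 		die(usage_error, NULL, _("invalid command line"));
- 	
-+	/* Relinquish root privileges in test mode */
-+	if (lint_option)
-+		setuid(getuid());
-+	
- 	if (test_user_name) {
- 		struct passwd *pw = getpwnam(test_user_name);
- 		if (!pw)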

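--- a/gnu/packages/rush.scm
+++ b/gnu/packages/rush.scm
@@ -26,18 +26,14 @@
 (define-public rush
   (package
     (name "rush")
-    (version "1.7")
+    (version "1.8")
     (source (origin
              (method url-fetch)
-             (uri (string-append
-                   "mirror://gnu/rush/rush-"
-                   version
-                   ".tar.gz"))
+             (uri (string-append "mirror://gnu/rush/rush-"
+                                 version ".tar.gz"))
              (sha256
               (base32
-               "0fh0gbbp0iiq3wbkf503xb40r8ljk42vyj9bnlflbz82d6ipy1rm"))
-             (patches (search-patches "cpio-gets-undeclared.patch"
-                                      "rush-CVE-2013-6889.patch"))))
+               "1vxdb81ify4xcyygh86250pi50krb16dkj42i5ii4ns3araiwckz"))))
     (build-system gnu-build-system)
     (home-page "http://www.gnu.org/software/rush/")
     (synopsis "Restricted user (login) shell")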
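Review bot: The new `source` origin drops `rush-CVE-2013-6889.patch`, and nothing in this commit records that the 1.8 tarball already contains that fix; the log entry is only `[source]: Remove 'patches'.` I would confirm that upstream 1.8 relinquishes root privileges in test mode and state it in the log, e.g. `[source]: Remove 'patches'; both fixes are included in 1.8.` The commit also deletes `cpio-gets-undeclared.patch`, whose name suggests it is shared with cpio, so it is worth checking that no other package still passes it to `search-patches` before the file and its `dist_patch_DATA` entry go away. The `package` form continues beyond the end of this hunk.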