Date: Monday, October 31, 2022 @ 15:03:05
  Author: dvzrv
Revision: 459645

upgpkg: guile1.8 1.8.8-9: Rebuild to fix CVE-2016-8605.

Apply upstream fix for CVE-2016-8605: https://bugs.archlinux.org/task/67048.
Remove unneeded quotes and curly braces.
Add available soprovides.
Add available sodeps and all actual depends.
Patch libtool to prevent excessive overlinking.
Switch to safer source hash algorithms.

Added:
  guile1.8/trunk/guile-1.8.8-cve-2016-8605.patch
Modified:
  guile1.8/trunk/PKGBUILD

---------------------------------+
 PKGBUILD                        |   41 ++++++++++++++++++++++++----
 guile-1.8.8-cve-2016-8605.patch |   54 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+), 6 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2022-10-31 14:44:48 UTC (rev 459644)
+++ PKGBUILD    2022-10-31 15:03:05 UTC (rev 459645)
@@ -2,15 +2,36 @@
 
 pkgname=guile1.8
 pkgver=1.8.8
-pkgrel=8
+pkgrel=9
 pkgdesc='Portable, embeddable Scheme implementation written in C. Legacy 
branch.'
 url="https://www.gnu.org/software/guile/";
-arch=('x86_64')
-license=('GPL')
-depends=('gmp' 'libltdl' 'ncurses>=5.7' 'texinfo')
-source=(https://ftp.gnu.org/pub/gnu/guile/guile-$pkgver.tar.gz)
-md5sums=('18661a8fdfef13e2fcb7651720aa53f3')
+arch=(x86_64)
+license=(GPL)
+depends=(gcc-libs glibc gmp libtool openssl texinfo)
+makedepends=(ncurses readline)
+provides=(
+  libguilereadline-v-17.so
+  libguile.so
+  libguile-srfi-srfi-60-v-2.so
+  libguile-srfi-srfi-4-v-3.so
+  libguile-srfi-srfi-13-14-v-3.so
+  libguile-srfi-srfi-1-v-3.so
+)
+source=(
+  https://ftp.gnu.org/pub/gnu/guile/guile-$pkgver.tar.gz
+  guile-1.8.8-cve-2016-8605.patch
+)
+sha512sums=('ede6feb90cd419d8763feb8c5169275490a653919573c4dfced025b74cf591072b3a10ffb9a3f6ee3fe7b0a0956ffcf434e0859b421455c8349cea56bf427db0'
+            
'0f18011cc3a7c7b0a824cdecceace440eef77caa4b8da4ab3f589073aa5705afd62975f017ba53688213eb732d5bc1938ef44b431c795a50f9c60d45f772b570')
+b2sums=('4820d635ac2c57526c0c03f3e0e6e4ac4276533ea8db15e6d1b759c33edec094a1a4bdc3e09ccae61f1b271d63565063746feea242a90c18cd575775444a42ef'
+        
'bc978ea279f14154ebfccaf8477a67bda0e2750d499206f03ccefe027626a3324bdd2941d34a43eeaea2d9546a62c2ff7d98f42e65f71b1d48aeaf44884d8f7b')
 
+prepare() {
+  # fix CVE-2016-8605: https://bugs.archlinux.org/task/67048
+  # backport of 
https://git.savannah.gnu.org/cgit/guile.git/commit/?id=844b2cf7586c31c01ab8e255d8a21aa836b7ff0b
+  patch -Np1 -d guile-$pkgver -i ../guile-1.8.8-cve-2016-8605.patch
+}
+
 build() {
   cd guile-$pkgver
   export CFLAGS+=" -O1"
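Review bot: The `prepare()` comment names upstream commit `844b2cf7586c31c01ab8e255d8a21aa836b7ff0b` as the source of the backport, but the patch file this hunk adds to `source=` and applies here carries the header `commit 245608911698adb3472803856019bdd5670b6614`. Anyone later re-verifying the CVE-2016-8605 fix against upstream will be pointed at a commit that does not match the applied diff; the two ids may well be the master and stable-branch forms of the same change, but the comment should say so rather than leave it to be guessed. Suggested wording for the comment: `# backport of upstream commit 245608911698adb3472803856019bdd5670b6614 (see patch header; 844b2cf7586c31c01ab8e255d8a21aa836b7ff0b is the same fix on the other branch, if that is the relation)`. The hunk otherwise reads fine: the patch is pinned by both sha512 and b2 sums, and `patch -Np1 -d guile-$pkgver -i ../…` applies it from `$srcdir` as intended. `build()` continues in the next hunk.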
@@ -19,10 +40,18 @@
     --disable-static  \
     --disable-error-on-warning \
     --program-suffix=1.8
+
+  # prevent excessive overlinking due to libtool
+  sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
   make
 }
 
 package() {
+  depends+=(
+    ncurses libncursesw.so
+    readline libreadline.so
+  )
+
   cd guile-$pkgver
   make DESTDIR="$pkgdir" install
 

Added: guile-1.8.8-cve-2016-8605.patch
===================================================================
--- guile-1.8.8-cve-2016-8605.patch                             (rev 0)
+++ guile-1.8.8-cve-2016-8605.patch     2022-10-31 15:03:05 UTC (rev 459645)
@@ -0,0 +1,54 @@
+commit 245608911698adb3472803856019bdd5670b6614
+Author: Ludovic Courtès <[email protected]>
+Date:   Tue Oct 11 10:14:26 2016 +0200
+
+    Remove 'umask' calls from 'mkdir'.
+    
+    Fixes <http://bugs.gnu.org/24659>.
+    
+    * libguile/filesys.c (SCM_DEFINE): Remove calls to 'umask' when MODE is
+    unbound; instead, use 0777 as the mode.  Update docstring to clarify
+    this.
+    * doc/ref/posix.texi (File System): Adjust accordingly.
+    * NEWS: Mention it.
+
+diff --git a/libguile/filesys.c b/libguile/filesys.c
+index e6e1db5..e6e37b0 100644
+--- a/libguile/filesys.c
++++ b/libguile/filesys.c
+@@ -1255,26 +1255,21 @@ SCM_DEFINE (scm_getcwd, "getcwd", 0, 0, 0,
+ SCM_DEFINE (scm_mkdir, "mkdir", 1, 1, 0,
+             (SCM path, SCM mode),
+           "Create a new directory named by @var{path}.  If @var{mode} is 
omitted\n"
+-          "then the permissions of the directory file are set using the 
current\n"
+-          "umask.  Otherwise they are set to the decimal value specified 
with\n"
+-          "@var{mode}.  The return value is unspecified.")
++          "then the permissions of the directory are set to @code{#o777}\n"
++          "masked with the current umask (@pxref{Processes, @code{umask}}).\n"
++          "Otherwise they are set to the value specified with @var{mode}.\n"
++          "The return value is unspecified.")
+ #define FUNC_NAME s_scm_mkdir
+ {
+   int rv;
+-  mode_t mask;
++  mode_t c_mode;
+ 
+-  if (SCM_UNBNDP (mode))
+-    {
+-      mask = umask (0);
+-      umask (mask);
+-      STRING_SYSCALL (path, c_path, rv = mkdir (c_path, 0777 ^ mask));
+-    }
+-  else
+-    {
+-      STRING_SYSCALL (path, c_path, rv = mkdir (c_path, scm_to_uint (mode)));
+-    }
++  c_mode = SCM_UNBNDP (mode) ? 0777 : scm_to_uint (mode);
++
++  STRING_SYSCALL (path, c_path, rv = mkdir (c_path, c_mode));
+   if (rv != 0)
+     SCM_SYSERROR;
++
+   return SCM_UNSPECIFIED;
+ }
+ #undef FUNC_NAME
