author | Miroslav Šulc <fordfrog@gentoo.org> | 2020-08-05 19:57:09 +0200 |
---|---|---|
committer | Miroslav Šulc <fordfrog@gentoo.org> | 2020-08-05 19:57:26 +0200 |
commit | b643169012fae9013d509ef7fc19602450113b77 (patch) | |
tree | c861a47ac9233e00b185c7c414374cbc6b615e43 /media-sound | |
parent | dev-ros/amcl: ws (diff) | |
download | gentoo-b643169012fae9013d509ef7fc19602450113b77.tar.gz gentoo-b643169012fae9013d509ef7fc19602450113b77.tar.bz2 gentoo-b643169012fae9013d509ef7fc19602450113b77.zip |
media-sound/lilypond: fixed cve-2020-17353
Bug: https://bugs.gentoo.org/736074
Package-Manager: Portage-3.0.1, Repoman-2.3.23
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>
Diffstat (limited to 'media-sound')
-rw-r--r-- | media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch | 101 | ||||
-rw-r--r-- | media-sound/lilypond/lilypond-2.21.1-r1.ebuild | 130 | ||||
-rw-r--r-- | media-sound/lilypond/lilypond-2.21.4-r1.ebuild (renamed from media-sound/lilypond/lilypond-2.21.4.ebuild) | 1 |
3 files changed, 232 insertions, 0 deletions
diff --git a/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch b/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch
new file mode 100644
index 000000000000..e91947eae056
--- /dev/null
+++ b/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch
@@ -0,0 +1,101 @@
+From b84ea4740f3279516905c5db05f4074e777c16ff Mon Sep 17 00:00:00 2001
+From: Han-Wen Nienhuys <hanwenn@gmail.com>
+Date: Tue, 21 Jul 2020 14:45:08 +0200
+Subject: [PATCH] scm: disable embedded-ps and embedded-svg in -dsafe mode
+
+This prevents executing privileged PostScript and exploiting
+Ghostscript vulnerablilities
+
+Tested:
+ $ lilypond -dsafe input/regression/les-nereides.ly
+ (works, kinda)
+
+ $ cat f.ly
+ { c4_ \markup \postscript #" (x) show " }
+
+ $ lilypond -dsafe f
+ Preprocessing graphical objects.../home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3: In procedure ly_make_stencil in expression (ly:make-stencil (list # #) (quote #) ...):
+ /home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3: Wrong type argument in position 1 (expecting registered stencil expression): (embedded-ps "
+---
+ scm/define-stencil-commands.scm | 65 ++++++++++++++++++++++-------------------
+ 1 file changed, 35 insertions(+), 30 deletions(-)
+
+diff --git a/scm/define-stencil-commands.scm b/scm/define-stencil-commands.scm
+index 09a2299..e388788 100644
+--- a/scm/define-stencil-commands.scm
++++ b/scm/define-stencil-commands.scm
+@@ -21,36 +21,41 @@
+ (define-public (ly:all-stencil-commands)
+ "Return the list of stencil commands that can be
+ defined in the output modules (@file{output-*.scm})."
+- '(blank
+- char
+- circle
+- dashed-line
+- draw-line
+- ellipse
+- embedded-ps
+- embedded-svg
+- end-group-node
+- glyph-string
+- grob-cause
+- named-glyph
+- no-origin
+- page-link
+- path
+- partial-ellipse
+- placebox
+- polygon
+- resetcolor
+- resetrotation
+- resetscale
+- round-filled-box
+- setcolor
+- setrotation
+- setscale
+- start-group-node
+- text
+- unknown
+- url-link
+- utf-8-string
++ (let*
++ ((commands '(blank
++ char
++ circle
++ dashed-line
++ draw-line
++ ellipse
++ end-group-node
++ glyph-string
++ grob-cause
++ named-glyph
++ no-origin
++ page-link
++ path
++ partial-ellipse
++ placebox
++ polygon
++ resetcolor
++ resetrotation
++ resetscale
++ round-filled-box
++ setcolor
++ setrotation
++ setscale
++ start-group-node
++ text
++ unknown
++ url-link
++ utf-8-string
++ )))
++
++ (if (ly:get-option 'safe)
++ commands
++ (append '(embedded-ps embedded-svg)
++ commands))
+ ))
+
+ ;; TODO:
+--
+1.9.1
+
diff --git a/media-sound/lilypond/lilypond-2.21.1-r1.ebuild b/media-sound/lilypond/lilypond-2.21.1-r1.ebuild
new file mode 100644
index 000000000000..1f1e8202a99c
--- /dev/null
+++ b/media-sound/lilypond/lilypond-2.21.1-r1.ebuild
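Review bot: The new `(if (ly:get-option 'safe) commands (append '(embedded-ps embedded-svg) commands))` branch carries no comment explaining why those two commands are withheld, and the only symptom a user sees — per the commit's own test transcript — is a generic "Wrong type argument in position 1 (expecting registered stencil expression)" error from ly:make-stencil, which gives no hint that safe mode is the cause. I would add above the `if`: `;; embedded-ps / embedded-svg hand raw PostScript and SVG to the backend; in -dsafe mode they are not registered so untrusted input cannot drive Ghostscript (CVE-2020-17353).` Note also that the gating only applies to invocations run with -dsafe; a default-mode run still registers both commands, which appears to be the intended scope of the fix but is worth stating in the comment so nobody reads this as a general hardening. The remainder of the patch header (the "vulnerablilities" typo in the description) is upstream text and not something to fix in the Gentoo copy.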
@@ -0,0 +1,130 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+PYTHON_COMPAT=( python3_{6,7,8} )
+
+inherit elisp-common autotools python-single-r1 toolchain-funcs xdg-utils
+
+if [[ "${PV}" = "9999" ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://git.savannah.gnu.org/git/lilypond.git"
+else
+ MAIN_VER=$(ver_cut 1-2)
+ SRC_URI="http://lilypond.org/download/sources/v${MAIN_VER}/${P}.tar.gz"
+ KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~x86"
+fi
+
+DESCRIPTION="GNU Music Typesetter"
+HOMEPAGE="http://lilypond.org/"
+
+LICENSE="GPL-3 FDL-1.3"
+SLOT="0"
+IUSE="debug emacs guile2 profile vim-syntax"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+BDEPEND="
+ >=dev-texlive/texlive-metapost-2020
+ >=sys-apps/texinfo-4.11
+ >=sys-devel/bison-2.0
+ sys-devel/flex
+ virtual/pkgconfig
+"
+RDEPEND=">=app-text/ghostscript-gpl-8.15
+ >=dev-scheme/guile-1.8.2:12=[deprecated,regex]
+ media-fonts/tex-gyre
+ media-libs/fontconfig
+ media-libs/freetype:2
+ >=x11-libs/pango-1.12.3
+ emacs? ( >=app-editors/emacs-23.1:* )
+ guile2? ( >=dev-scheme/guile-2.2:12 )
+ !guile2? (
+ >=dev-scheme/guile-1.8.2:12=[deprecated,regex]
+ <dev-scheme/guile-2.0:12
+ )
+ ${PYTHON_DEPS}"
+DEPEND="${RDEPEND}
+ app-text/t1utils
+ dev-lang/perl
+ dev-libs/kpathsea
+ media-gfx/fontforge[png,python]
+ sys-devel/gettext"
+
+# Correct output data for tests isn't bundled with releases
+RESTRICT="test"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-fix-font-size.patch
+ "${FILESDIR}"/${PN}-fix-cve-2020-17353.patch
+)
+
+DOCS=( DEDICATION HACKING README.txt ROADMAP )
+
+src_prepare() {
+ default
+
+ if ! use vim-syntax ; then
+ sed -i 's/vim//' GNUmakefile.in || die
+ fi
+
+ # respect CFLAGS
+ sed -i 's/OPTIMIZE -g/OPTIMIZE/' aclocal.m4 || die
+
+ # remove bundled texinfo file (fixes bug #448560)
+ rm tex/texinfo.tex || die
+
+ eautoreconf
+
+ xdg_environment_reset #586592
+}
+
+src_configure() {
+ # documentation generation currently not supported since it requires a newer
+ # version of texi2html than is currently in the tree
+
+ local myeconfargs=(
+ --with-texgyre-dir=/usr/share/fonts/tex-gyre
+ --disable-documentation
+ --disable-optimising
+ --disable-pipe
+ $(use_enable debug debugging)
+ $(use_enable profile profiling)
+ )
+ export VARTEXFONTS="${T}/fonts" # https://bugs.gentoo.org/692010
+
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ default
+
+ if use emacs ; then
+ elisp-compile elisp/lilypond-{font-lock,indent,mode,what-beat}.el \
+ || die "elisp-compile failed"
+ fi
+}
+
+src_install() {
+ emake DESTDIR="${D}" vimdir=/usr/share/vim/vimfiles install
+
+ # remove elisp files since they are in the wrong directory
+ rm -r "${ED}"/usr/share/emacs || die
+
+ if use emacs ; then
+ elisp-install ${PN} elisp/*.{el,elc} elisp/out/*.el \
+ || die "elisp-install failed"
+ elisp-site-file-install "${FILESDIR}"/50${PN}-gentoo.el
+ fi
+
+ python_fix_shebang "${ED}"
+
+ einstalldocs
+}
+
+pkg_postinst() {
+ use emacs && elisp-site-regen
+}
+
+pkg_postrm() {
+ use emacs && elisp-site-regen
+}
diff --git a/media-sound/lilypond/lilypond-2.21.4.ebuild b/media-sound/lilypond/lilypond-2.21.4-r1.ebuild
index 3aa63a51f186..0196e4c7d4d9 100644
--- a/media-sound/lilypond/lilypond-2.21.4.ebuild
+++ b/media-sound/lilypond/lilypond-2.21.4-r1.ebuild
@@ -55,6 +55,7 @@ RESTRICT="test"
PATCHES=(
"${FILESDIR}"/${PN}-2.21.1-fix-font-size.patch
+ "${FILESDIR}"/${PN}-fix-cve-2020-17353.patch
)
DOCS=( DEDICATION HACKING README.txt ROADMAP ) |
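Review bot: In the new lilypond-2.21.1-r1.ebuild, RDEPEND lists `>=dev-scheme/guile-1.8.2:12=[deprecated,regex]` unconditionally on its second line and then again inside the `!guile2? ( ... )` block, so a USE=guile2 build still pulls in the deprecated guile 1.8 slot and the `guile2? ( >=dev-scheme/guile-2.2:12 )` alternative never actually replaces it; unless guile-1.8 really is needed in both configurations (not determinable from the ebuild alone), the unconditional line should be dropped and only the `!guile2?` copy kept. Separately, `SRC_URI="http://lilypond.org/download/sources/v${MAIN_VER}/${P}.tar.gz"` fetches the tarball over cleartext HTTP; Portage's Manifest digests still protect integrity, but switching to `https://lilypond.org/...` would be preferable if upstream serves it. Since the CVE fix only takes effect for `lilypond -dsafe` runs, an `elog` in pkg_postinst pointing users who typeset untrusted .ly input at -dsafe would make the scope of this revision bump visible at install time.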