summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMiroslav Šulc <fordfrog@gentoo.org>2020-08-05 19:57:09 +0200
committerMiroslav Šulc <fordfrog@gentoo.org>2020-08-05 19:57:26 +0200
commitb643169012fae9013d509ef7fc19602450113b77 (patch)
treec861a47ac9233e00b185c7c414374cbc6b615e43 /media-sound
parentdev-ros/amcl: ws (diff)
downloadgentoo-b643169012fae9013d509ef7fc19602450113b77.tar.gz
gentoo-b643169012fae9013d509ef7fc19602450113b77.tar.bz2
gentoo-b643169012fae9013d509ef7fc19602450113b77.zip
media-sound/lilypond: fixed cve-2020-17353
Bug: https://bugs.gentoo.org/736074 Package-Manager: Portage-3.0.1, Repoman-2.3.23 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>
Diffstat (limited to 'media-sound')
-rw-r--r--media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch101
-rw-r--r--media-sound/lilypond/lilypond-2.21.1-r1.ebuild130
-rw-r--r--media-sound/lilypond/lilypond-2.21.4-r1.ebuild (renamed from media-sound/lilypond/lilypond-2.21.4.ebuild)1
3 files changed, 232 insertions, 0 deletions
diff --git a/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch b/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch
new file mode 100644
index 000000000000..e91947eae056
--- /dev/null
+++ b/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch
@@ -0,0 +1,101 @@
+From b84ea4740f3279516905c5db05f4074e777c16ff Mon Sep 17 00:00:00 2001
+From: Han-Wen Nienhuys <hanwenn@gmail.com>
+Date: Tue, 21 Jul 2020 14:45:08 +0200
+Subject: [PATCH] scm: disable embedded-ps and embedded-svg in -dsafe mode
+
+This prevents executing privileged PostScript and exploiting
+Ghostscript vulnerablilities
+
+Tested:
+ $ lilypond -dsafe input/regression/les-nereides.ly
+ (works, kinda)
+
+ $ cat f.ly
+ { c4_ \markup \postscript #" (x) show " }
+
+ $ lilypond -dsafe f
+ Preprocessing graphical objects.../home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3: In procedure ly_make_stencil in expression (ly:make-stencil (list # #) (quote #) ...):
+ /home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3: Wrong type argument in position 1 (expecting registered stencil expression): (embedded-ps "
+---
+ scm/define-stencil-commands.scm | 65 ++++++++++++++++++++++-------------------
+ 1 file changed, 35 insertions(+), 30 deletions(-)
+
+diff --git a/scm/define-stencil-commands.scm b/scm/define-stencil-commands.scm
+index 09a2299..e388788 100644
+--- a/scm/define-stencil-commands.scm
++++ b/scm/define-stencil-commands.scm
+@@ -21,36 +21,41 @@
+ (define-public (ly:all-stencil-commands)
+ "Return the list of stencil commands that can be
+ defined in the output modules (@file{output-*.scm})."
+- '(blank
+- char
+- circle
+- dashed-line
+- draw-line
+- ellipse
+- embedded-ps
+- embedded-svg
+- end-group-node
+- glyph-string
+- grob-cause
+- named-glyph
+- no-origin
+- page-link
+- path
+- partial-ellipse
+- placebox
+- polygon
+- resetcolor
+- resetrotation
+- resetscale
+- round-filled-box
+- setcolor
+- setrotation
+- setscale
+- start-group-node
+- text
+- unknown
+- url-link
+- utf-8-string
++ (let*
++ ((commands '(blank
++ char
++ circle
++ dashed-line
++ draw-line
++ ellipse
++ end-group-node
++ glyph-string
++ grob-cause
++ named-glyph
++ no-origin
++ page-link
++ path
++ partial-ellipse
++ placebox
++ polygon
++ resetcolor
++ resetrotation
++ resetscale
++ round-filled-box
++ setcolor
++ setrotation
++ setscale
++ start-group-node
++ text
++ unknown
++ url-link
++ utf-8-string
++ )))
++
++ (if (ly:get-option 'safe)
++ commands
++ (append '(embedded-ps embedded-svg)
++ commands))
+ ))
+
+ ;; TODO:
+--
+1.9.1
+
diff --git a/media-sound/lilypond/lilypond-2.21.1-r1.ebuild b/media-sound/lilypond/lilypond-2.21.1-r1.ebuild
new file mode 100644
index 000000000000..1f1e8202a99c
--- /dev/null
+++ b/media-sound/lilypond/lilypond-2.21.1-r1.ebuild
@@ -0,0 +1,130 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+PYTHON_COMPAT=( python3_{6,7,8} )
+
+inherit elisp-common autotools python-single-r1 toolchain-funcs xdg-utils
+
+if [[ "${PV}" = "9999" ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://git.savannah.gnu.org/git/lilypond.git"
+else
+ MAIN_VER=$(ver_cut 1-2)
+ SRC_URI="http://lilypond.org/download/sources/v${MAIN_VER}/${P}.tar.gz"
+ KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~x86"
+fi
+
+DESCRIPTION="GNU Music Typesetter"
+HOMEPAGE="http://lilypond.org/"
+
+LICENSE="GPL-3 FDL-1.3"
+SLOT="0"
+IUSE="debug emacs guile2 profile vim-syntax"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+BDEPEND="
+ >=dev-texlive/texlive-metapost-2020
+ >=sys-apps/texinfo-4.11
+ >=sys-devel/bison-2.0
+ sys-devel/flex
+ virtual/pkgconfig
+"
+RDEPEND=">=app-text/ghostscript-gpl-8.15
+ >=dev-scheme/guile-1.8.2:12=[deprecated,regex]
+ media-fonts/tex-gyre
+ media-libs/fontconfig
+ media-libs/freetype:2
+ >=x11-libs/pango-1.12.3
+ emacs? ( >=app-editors/emacs-23.1:* )
+ guile2? ( >=dev-scheme/guile-2.2:12 )
+ !guile2? (
+ >=dev-scheme/guile-1.8.2:12=[deprecated,regex]
+ <dev-scheme/guile-2.0:12
+ )
+ ${PYTHON_DEPS}"
+DEPEND="${RDEPEND}
+ app-text/t1utils
+ dev-lang/perl
+ dev-libs/kpathsea
+ media-gfx/fontforge[png,python]
+ sys-devel/gettext"
+
+# Correct output data for tests isn't bundled with releases
+RESTRICT="test"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-fix-font-size.patch
+ "${FILESDIR}"/${PN}-fix-cve-2020-17353.patch
+)
+
+DOCS=( DEDICATION HACKING README.txt ROADMAP )
+
+src_prepare() {
+ default
+
+ if ! use vim-syntax ; then
+ sed -i 's/vim//' GNUmakefile.in || die
+ fi
+
+ # respect CFLAGS
+ sed -i 's/OPTIMIZE -g/OPTIMIZE/' aclocal.m4 || die
+
+ # remove bundled texinfo file (fixes bug #448560)
+ rm tex/texinfo.tex || die
+
+ eautoreconf
+
+ xdg_environment_reset #586592
+}
+
+src_configure() {
+ # documentation generation currently not supported since it requires a newer
+ # version of texi2html than is currently in the tree
+
+ local myeconfargs=(
+ --with-texgyre-dir=/usr/share/fonts/tex-gyre
+ --disable-documentation
+ --disable-optimising
+ --disable-pipe
+ $(use_enable debug debugging)
+ $(use_enable profile profiling)
+ )
+ export VARTEXFONTS="${T}/fonts" # https://bugs.gentoo.org/692010
+
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ default
+
+ if use emacs ; then
+ elisp-compile elisp/lilypond-{font-lock,indent,mode,what-beat}.el \
+ || die "elisp-compile failed"
+ fi
+}
+
+src_install() {
+ emake DESTDIR="${D}" vimdir=/usr/share/vim/vimfiles install
+
+ # remove elisp files since they are in the wrong directory
+ rm -r "${ED}"/usr/share/emacs || die
+
+ if use emacs ; then
+ elisp-install ${PN} elisp/*.{el,elc} elisp/out/*.el \
+ || die "elisp-install failed"
+ elisp-site-file-install "${FILESDIR}"/50${PN}-gentoo.el
+ fi
+
+ python_fix_shebang "${ED}"
+
+ einstalldocs
+}
+
+pkg_postinst() {
+ use emacs && elisp-site-regen
+}
+
+pkg_postrm() {
+ use emacs && elisp-site-regen
+}
diff --git a/media-sound/lilypond/lilypond-2.21.4.ebuild b/media-sound/lilypond/lilypond-2.21.4-r1.ebuild
index 3aa63a51f186..0196e4c7d4d9 100644
--- a/media-sound/lilypond/lilypond-2.21.4.ebuild
+++ b/media-sound/lilypond/lilypond-2.21.4-r1.ebuild
@@ -55,6 +55,7 @@ RESTRICT="test"
PATCHES=(
"${FILESDIR}"/${PN}-2.21.1-fix-font-size.patch
+ "${FILESDIR}"/${PN}-fix-cve-2020-17353.patch
)
DOCS=( DEDICATION HACKING README.txt ROADMAP )