Bugfixes including CVE-2025-24294: "Possible Denial of Service in resolv
gem".
* gnu/packages/ruby.scm (ruby-3.3): Update to 3.3.9.
Change-Id: I5f73c8e523d6ce574b5cca8bab14c4abde2a6337
Signed-off-by: Andreas Enge <andreas@enge.fr>
This is needed for cross-compiling.
* gnu/packages/patches/cyrus-sasl-fix-time-h.patch: New file.
* gnu/packages/cyrus-sasl.scm (dist_patch_DATA): Register it.
* gnu/packages/cyrus-sasl.scm (cyrus-sasl)[source]: Use the patch.
[native-inputs]: Add autoconf, automake and libtool.
[arguments]<#:phases>{autoreconf}: New phase.
Change-Id: I46e3801d50758f79df0447dd3bd483b427277e12
Signed-off-by: Andreas Enge <andreas@enge.fr>
* gnu/packages/linux.scm (customize-linux): New keyword argument modconfig.
[arguments]{phases}: Use it in configure phase to run make localmodconfig.
Change-Id: I5fbfb9617b41155eaa59197c2a7fe79c5c63c72d
"guix perform-download" is used to implement the daemon's "download" and
"git-download" builtin builders. Because these are builtins, it runs without
any additional isolation beyond merely running as a build user. In such a
context, allowing arbitrary user-supplied code to be evaluated will easily
lead to the build user being taken over, which can then be used to corrupt
future builds, enable exploitation of certain vulnerabilities, and in the case
of the rootless daemon completely take over guix-daemon.
Use (ice-9 sandbox) to ensure that only safe bindings are available during the
evaluation of the content-addressed-mirrors file.
* guix/perform-download.scm (%safe-bindings, %sandbox-module): new variables.
(syntax-noop): new syntax.
(eval-content-addressed-mirrors, assert-store-file,
call-with-input-file/no-symlinks): new procedures.
(perform-download): use assert-store-file to ensure files are in the store
before being read. Use call-with-input-file/no-symlinks for opening
untrusted files. Use eval-content-addressed-mirrors to evaluate the
content-addressed-mirrors file.
Change-Id: I8ed27a95d84dbcc7d72d0d75f172d113f8be6c79
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* guix/build/download.scm (url-fetch): don't pass the return value from a
content-addressed-mirror procedure to 'string->uri' if it is #f.
Change-Id: Ic4f94f86fcfebe6f2e60cb3c4330ce57886ab647
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Since this is used to implement the "download" and "git-download" builtins,
which are run outside of any chroot, this is trusted code with respect to the
user-supplied strings it reads.
* guix/scripts/perform-download.scm (read/safe): new procedure.
(perform-download, perform-git-download): use it.
(guix-perform-download): explicitly set 'read-eval?' to #f and
'read-hash-procedures' to '(). #f is the default value of 'read-eval?' on
startup, but set it anyway to be certain.
Change-Id: I93cb8e32607a6f9a559a26c1cbd6b88212ead884
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Mercurial currently has CVEs. IMHO, it's unsafe to carry them around
in a profile. However, updating mercurial potential leads to a lot of
rebuilds and I don't want to tackle this right now.
As for other packages, the way forward is to add a variant of the
package only used for hg-fetch, here mercurial/pinned.
* gnu/packages/version-control.scm
(mercurial-check-phase): Add helper variable.
(mercurial): Update to 7.1.
[arguments]: Use gexps.
<#:phases>: Refresh them. Add phase 'add-install-to-pythonpath for
running tests. Run tests after install. Add phase 'configure-check.
<#:imported-modules, #:modules>: Add them for
'add-install-for-pythonpath.k
[native-inputs]: Remove python-nose. Add python-setuptools-next,
python-setuptools-scm-next.
(mercurial/pinned): Inherit from mercurial, but build the exact same
derivation as the previous mercurial variable.
* guix/hg-download.scm (hg-package): Use mercurial/pinned.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Subversion currently has CVEs. IMHO, it's unsafe to carry them around
in a profile. However, updating subversion potential leads to a lot of
rebuilds and I don't want to tackle this right now.
As for other packages, the way forward is to add a variant of the
package only used for svn-fetch, here subversion/pinned.
* gnu/packages/version-control.scm (subversion): Update to 1.14.5.
(subversion/pinned): Inherit from subversion, but build the exact same
derivation as the previous subversion variable.
* guix/svn-download.scm (subversion-package): Use subversion/pinned.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This is a followup to 6a45a2aac0.
* gnu/packages/guile-xyz.scm (guile-fibers-1.4)[source]: Add missing ‘uri’
field.
Change-Id: Ie17a4e70c18c021aac9d5d88f1789c16fd4c7ad9
