WARNING: CVE-2015-4473 may not be fully addressed here, because I was unable
to backport some of the patches (for upstream bugs 1182711 and 1146213). I
was also unable to backport CVE-2015-4484 (upstream bug 1171540) and
CVE-2015-4487 (upstream bug 1171603). I was unable to find any commit in the
upstream repository that claims to address bug 1105914 (CVE-2015-4478).
* gnu/packages/patches/icecat-CVE-2015-4473-partial.patch,
gnu/packages/patches/icecat-CVE-2015-4482.patch,
gnu/packages/patches/icecat-CVE-2015-4488.patch,
gnu/packages/patches/icecat-CVE-2015-4489.patch,
gnu/packages/patches/icecat-CVE-2015-4491.patch,
gnu/packages/patches/icecat-CVE-2015-4492.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
Fixes bug #21226.

Linux 3.19 introduced a fix for a security vulnerability in user namespaces.
This fix introduced a new proc file called 'setgroups' and was backported to
many older kernels. However, some users run a kernel that is new enough to
support user namespaces yet old enough to not include the patch, so we must
skip the tests.
* tests/containers.scm: Skip all tests if /proc/self/setgroups does not exist.
Reported by Eric Dvorsak <eric@dvorsak.fr> on #guix.

* guix/scripts/import/elpa.scm (%default-options): Remove redundant
quote which led to an error if --archive option was not specified.

* gnu/packages/scanner.scm (sane-backends): Build with libusb-compat as an
input and install a udev rule to give users access to scanners.
Modified-By: Mark H Weaver <mhw@netris.org>

It's not always possible to map 65536 uids when creating a container as the
root user within another user namespace. This is true when building Guix
within the build daemon's container. By using a uid range of 1 by default,
even as the root user, the tests now pass.
* gnu/build/linux-container.scm (initialize-user-namespace, run-container):
Add 'host-uids' argument.
(call-with-container): Add #:host-uids keyword argument.
* tests/containers.scm ("container-excursion"): Update 'run-container' call.

* gnu/build/file-systems.scm (regular-file?): New procedure.
(mount-file-system): Create a regular file instead of a directory when bind
mounting a regular file.

* gnu/packages/patches/icecat-CVE-2015-4495.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patch. Move the 'patches'
field above the snippet.

* gnu/packages/patches/pidgin-add-search-path.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/messaging.scm (pidgin): New variable.

* gnu/packages/texlive.scm (texlive-extra-src, texlive-texmf-src,
texlive-bin, texlive-texmf, texlive): Update to 2015.
(texlive-bin): Add inputs gmp and mpfr. Add configure flags to use
system gmp and mpfr.
(texlive-texmf)[arguments]: Add tlpkg directory to PERL5LIB path during
the 'texmf-config phase.