From cf80e70f47532fa5057755b6e08cc6ea1a346a1f Mon Sep 17 00:00:00 2001 From: Vivien Kraus Date: Wed, 10 Nov 2021 20:18:46 +0000 Subject: [PATCH 2/2] gnu: geary: Upgrade to 40.0 * gnu/packages/gnome.scm (geary): Upgrade to 40.0. --- gnu/local.mk | 1 - gnu/packages/gnome.scm | 52 ++++--- .../patches/geary-CVE-2020-24661.patch | 133 ------------------ 3 files changed, 35 insertions(+), 151 deletions(-) delete mode 100644 gnu/packages/patches/geary-CVE-2020-24661.patch diff --git a/gnu/local.mk b/gnu/local.mk index f25548f137..d35be45f76 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1111,7 +1111,6 @@ dist_patch_DATA = \ %D%/packages/patches/gdm-elogind-support.patch \ %D%/packages/patches/gdm-remove-hardcoded-xwayland-path.patch \ %D%/packages/patches/gdm-wayland-session-wrapper-from-env.patch \ - %D%/packages/patches/geary-CVE-2020-24661.patch \ %D%/packages/patches/genimage-mke2fs-test.patch \ %D%/packages/patches/geoclue-config.patch \ %D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \ diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index ca4ed25fe3..ce00783692 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -140,6 +140,7 @@ (define-module (gnu packages gnome) #:use-module (gnu packages inkscape) #:use-module (gnu packages iso-codes) #:use-module (gnu packages kerberos) + #:use-module (gnu packages language) #:use-module (gnu packages libcanberra) #:use-module (gnu packages libffi) #:use-module (gnu packages libunistring) 
@@ -11739,34 +11740,46 @@ (define-public gnome-boxes (define-public geary (package (name "geary") - (version "3.34.1") + (version "40.0") (source (origin (method git-fetch) (uri (git-reference - (url "https://gitlab.gnome.org/GNOME/geary") - (commit version))) + (url "https://gitlab.gnome.org/GNOME/geary.git") + (commit (string-append "gnome-" version)))) (file-name (git-file-name name version)) (sha256 (base32 - "01cc921kyh3zxz07biqbdzkjgmdcc36kwjyajm4y382a75cl5zg7")) - (patches (search-patches "geary-CVE-2020-24661.patch")))) + "04hvw86r8sczvjm1z3ls5y5y5h6nyfb648rjkfx05ib00mqq5v1x")))) (build-system meson-build-system) (arguments `(#:glib-or-gtk? #t + #:configure-flags + '("-Dprofile=release") #:phases (modify-phases %standard-phases (add-after 'unpack 'disable-failing-tests (lambda _ - (substitute* "test/meson.build" - (("test\\('client-tests', geary_test_client_bin\\)") - "")) - #t)) + (substitute* "test/test-client.vala" + (("client.add_suite\\(new Application.CertificateManagerTest\\(\\).suite\\);") + "")))) + (add-after 'unpack 'generate-vapis + (lambda* (#:key inputs #:allow-other-keys) + ;; It’s not possible to generate the GMime vapi, because + ;; there’s custom metadata that gmime didn’t + ;; install. Thus, the vapi should be built and installed + ;; with gmime. + (define gmime + (assoc-ref inputs "gmime")) + (copy-file (string-append gmime "/share/vala/vapi/gmime-3.0.vapi") + "bindings/vapi/gmime-3.0.vapi"))) (add-after 'unpack 'disable-postinstall-script (lambda _ - (substitute* "meson.build" - (("meson.add_install_script\\(\ -join_paths\\('build-aux', 'post_install.py'\\)\\)") - "")) - #t)) + (substitute* "build-aux/post_install.py" + (("gtk-update-icon-cache") + "true")))) + (add-before 'check 'setup-home + (lambda _ + ;; Tests require a writable HOME. + (setenv "HOME" (getcwd)))) (add-before 'check 'setup-xvfb (lambda _ (system "Xvfb :1 &") 
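Review bot: The rewritten `disable-failing-tests` phase removes the whole `Application.CertificateManagerTest` suite from `test/test-client.vala`, and this same hunk drops `(patches (search-patches "geary-CVE-2020-24661.patch"))`. Judging by its name, that suite covers the certificate-pinning code the dropped patch fixed, so that code is now built without its tests and without any statement that the fix is part of 40.0. The hunk also does not say why the suite fails in the build environment. A comment above the `substitute*` would record both, for example `;; CertificateManagerTest fails in the build environment (FIXME: state the cause); the CVE-2020-24661 fix is included upstream in this release.` Write it only after confirming that the `gnome-40.0` tag contains upstream commit 423a55b00f1dc6bee9dc17e67c0aea6f42387a77. The `geary` definition continues past the end of this hunk.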
@@ -11777,28 +11790,33 @@ (define-public geary ("folks" ,folks) ("gcr" ,gcr) ("glib" ,glib) - ("gmime" ,gmime-2.6) + ("gmime" ,gmime) ("gnome-online-accounts:lib" ,gnome-online-accounts "lib") + ("gsettings-desktop-schemas" ,gsettings-desktop-schemas) ("gspell" ,gspell) + ("gsound" ,gsound) ("gtk+" ,gtk+) ("iso-codes" ,iso-codes) ("json-glib" ,json-glib) ("libcanberra" ,libcanberra) ("libgee" ,libgee) - ("libhandy" ,libhandy-0.0) + ("libhandy" ,libhandy) ("libpeas" ,libpeas) ("libsecret" ,libsecret) + ("libstemmer" ,libstemmer) ("libunwind" ,libunwind) ("sqlite" ,sqlite) - ("webkitgtk" ,webkitgtk) + ("webkitgtk" ,webkitgtk-with-libsoup2) ("ytnef" ,ytnef))) (native-inputs `(("appstream-glib" ,appstream-glib) ("cmake-minimal" ,cmake-minimal) ("desktop-file-utils" ,desktop-file-utils) ("gettext" ,gettext-minimal) + ("glib" ,glib) ("glib:bin" ,glib "bin") + ("gmime" ,gmime) ("gobject-introspection" ,gobject-introspection) ("itstool" ,itstool) ("libarchive" ,libarchive) diff --git a/gnu/packages/patches/geary-CVE-2020-24661.patch b/gnu/packages/patches/geary-CVE-2020-24661.patch deleted file mode 100644 index 6cbc224786..0000000000 --- a/gnu/packages/patches/geary-CVE-2020-24661.patch +++ /dev/null 
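Review bot: The change to `("webkitgtk" ,webkitgtk-with-libsoup2)` has no comment, although this input is the engine that renders untrusted HTML mail, so the reason for choosing the variant should be recorded next to it. If the cause is that Geary 40 still links against libsoup 2 (inferred, not shown in the hunk), a line such as `;; Geary 40 uses libsoup 2, so it needs the matching WebKitGTK variant.` would tell the next maintainer when it can return to plain `webkitgtk`. The new `("glib" ,glib)` and `("gmime" ,gmime)` entries in `native-inputs` repeat labels already present in `inputs`. If `gmime` is there for the vapi file copied by the `generate-vapis` phase, a short comment should say so. Both input lists start and end outside this hunk.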
@@ -1,133 +0,0 @@ -From d4e86dc91e1d8a940dc40872fe94ef9ac0fed1b5 Mon Sep 17 00:00:00 2001 -From: Michael Gratton -Date: Tue, 25 Aug 2020 03:54:09 +0000 -Subject: [PATCH] Merge branch 'mjog/866-self-signed-certificates' into - 'mainline' - -Fix invalid certificate pinning when GCR support is unavailable - -Closes #866 - -See merge request GNOME/geary!529 - -(cherry picked from commit 423a55b00f1dc6bee9dc17e67c0aea6f42387a77) - -5088adfe Application.CertificateManager: Rename some methods for clarity -0d957559 Application.CertificateManager: Check locally pinned certs for equality ---- - .../application-certificate-manager.vala | 44 +++++++++---------- - 1 file changed, 22 insertions(+), 22 deletions(-) - -diff --git a/src/client/application/application-certificate-manager.vala b/src/client/application/application-certificate-manager.vala -index 4881d73c0..65f6af4fa 100644 ---- a/src/client/application/application-certificate-manager.vala -+++ b/src/client/application/application-certificate-manager.vala -@@ -381,8 +381,8 @@ private class Application.TlsDatabase : GLib.TlsDatabase { - GLib.TlsCertificateFlags ret = this.parent.verify_chain( - chain, purpose, identity, interaction, flags, cancellable - ); -- if (should_verify(ret, purpose, identity) && -- verify(chain, identity, cancellable)) { -+ if (check_pinned(ret, purpose, identity) && -+ is_pinned(chain, identity, cancellable)) { - ret = 0; - } - return ret; -@@ -399,16 +399,16 @@ private class Application.TlsDatabase : GLib.TlsDatabase { - GLib.TlsCertificateFlags ret = yield this.parent.verify_chain_async( - chain, purpose, identity, interaction, flags, cancellable - ); -- if (should_verify(ret, purpose, identity) && -- yield verify_async(chain, identity, cancellable)) { -+ if (check_pinned(ret, purpose, identity) && -+ yield is_pinned_async(chain, identity, cancellable)) { - ret = 0; - } - return ret; - } - -- private inline bool should_verify(GLib.TlsCertificateFlags parent_ret, -- string purpose, -- 
GLib.SocketConnectable? identity) { -+ private inline bool check_pinned(GLib.TlsCertificateFlags parent_ret, -+ string purpose, -+ GLib.SocketConnectable? identity) { - // If the parent didn't verify, check for a locally pinned - // cert if it looks like we should, but always reject revoked - // certs -@@ -420,22 +420,22 @@ private class Application.TlsDatabase : GLib.TlsDatabase { - ); - } - -- private bool verify(GLib.TlsCertificate chain, -- GLib.SocketConnectable identity, -- GLib.Cancellable? cancellable) -+ private bool is_pinned(GLib.TlsCertificate chain, -+ GLib.SocketConnectable identity, -+ GLib.Cancellable? cancellable) - throws GLib.Error { -- bool is_verified = false; -+ bool is_pinned = false; - string id = to_name(identity); - TrustContext? context = null; - lock (this.pinned_certs) { - context = this.pinned_certs.get(id); - if (context != null) { -- is_verified = true; -+ is_pinned = context.certificate.is_same(chain); - } else { - // Cert not found in memory, check with GCR if - // enabled. - if (this.use_gcr) { -- is_verified = gcr_trust_is_certificate_pinned( -+ is_pinned = gcr_trust_is_certificate_pinned( - new Gcr.SimpleCertificate(chain.certificate.data), - GLib.TlsDatabase.PURPOSE_AUTHENTICATE_SERVER, - id, -@@ -443,7 +443,7 @@ private class Application.TlsDatabase : GLib.TlsDatabase { - ); - } - -- if (!is_verified) { -+ if (!is_pinned) { - // Cert is not pinned in memory or in GCR, so look - // for it on disk. 
Do this even if GCR support is - // enabled, since if the cert was previously saved -@@ -453,7 +453,7 @@ private class Application.TlsDatabase : GLib.TlsDatabase { - this.store_dir, id, cancellable - ); - this.pinned_certs.set(id, context); -- is_verified = true; -+ is_pinned = context.certificate.is_same(chain); - } catch (GLib.IOError.NOT_FOUND err) { - // Cert was not found saved, so it not pinned - } catch (GLib.Error err) { -@@ -465,18 +465,18 @@ private class Application.TlsDatabase : GLib.TlsDatabase { - } - } - } -- return is_verified; -+ return is_pinned; - } - -- private async bool verify_async(GLib.TlsCertificate chain, -- GLib.SocketConnectable identity, -- GLib.Cancellable? cancellable) -+ private async bool is_pinned_async(GLib.TlsCertificate chain, -+ GLib.SocketConnectable identity, -+ GLib.Cancellable? cancellable) - throws GLib.Error { -- bool is_valid = false; -+ bool pinned = false; - yield Geary.Nonblocking.Concurrent.global.schedule_async(() => { -- is_valid = verify(chain, identity, cancellable); -+ pinned = is_pinned(chain, identity, cancellable); - }, cancellable); -- return is_valid; -+ return pinned; - } - - private TrustContext? lookup_id(string id) { --- -GitLab - -- 2.34.0