[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
08/14: gnu: graphviz: Update to 2.47.1.
From: |
guix-commits |
Subject: |
08/14: gnu: graphviz: Update to 2.47.1. |
Date: |
Sat, 12 Jun 2021 19:05:08 -0400 (EDT) |
mbakke pushed a commit to branch core-updates
in repository guix.
commit 5d4b721b7d924d434266f2ccbda1e247c9969970
Author: Marius Bakke <marius@gnu.org>
AuthorDate: Mon May 10 16:50:32 2021 +0200
gnu: graphviz: Update to 2.47.1.
* gnu/packages/graphviz.scm (graphviz): Update to 2.47.1.
[source]: Adjust for new download location.
* gnu/packages/patches/graphviz-CVE-2020-18032.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
---
gnu/local.mk | 1 -
gnu/packages/graphviz.scm | 20 +++------
gnu/packages/patches/graphviz-CVE-2020-18032.patch | 49 ----------------------
3 files changed, 5 insertions(+), 65 deletions(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index ce4bcf2..c57e587 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1141,7 +1141,6 @@ dist_patch_DATA =
\
%D%/packages/patches/gpodder-disable-updater.patch \
%D%/packages/patches/gpsbabel-fix-i686-test.patch \
%D%/packages/patches/grantlee-merge-theme-dirs.patch \
- %D%/packages/patches/graphviz-CVE-2020-18032.patch \
%D%/packages/patches/grep-timing-sensitive-test.patch \
%D%/packages/patches/grocsvs-dont-use-admiral.patch \
%D%/packages/patches/gromacs-tinyxml2.patch \
diff --git a/gnu/packages/graphviz.scm b/gnu/packages/graphviz.scm
index 72c9665..34d6434 100644
--- a/gnu/packages/graphviz.scm
+++ b/gnu/packages/graphviz.scm
@@ -62,16 +62,15 @@
(define-public graphviz
(package
(name "graphviz")
- (replacement graphviz/fixed)
- (version "2.42.3")
+ (version "2.47.1")
(source (origin
(method url-fetch)
- (uri (string-append
-
"https://www2.graphviz.org/Packages/stable/portable_source/"
- "graphviz-" version ".tar.gz"))
+ (uri (string-append "https://gitlab.com/graphviz/graphviz"
+ "/-/package_files/9573974/download"))
+ (file-name (string-append "graphviz-" version ".tar.xz"))
(sha256
(base32
- "1pbswjbx3fjdlsxcm7cmlsl5bvaa3d6gcnr0cr8x3c8pag13zbwg"))))
+ "1hff831p300n989x1gmyzh3ix43xd2mgx01qgrrqill44n7zxfza"))))
(build-system gnu-build-system)
(arguments
;; FIXME: rtest/rtest.sh is a ksh script (!). Add ksh as an input.
@@ -127,15 +126,6 @@ software engineering, database and web design, machine
learning, and in visual
interfaces for other technical domains.")
(license license:epl1.0)))
-(define-public graphviz/fixed
- (hidden-package
- (package
- (inherit graphviz)
- (source (origin
- (inherit (package-source graphviz))
- (patches (append (search-patches
"graphviz-CVE-2020-18032.patch")
- (origin-patches (package-source
graphviz)))))))))
-
;; Older Graphviz needed for pygraphviz. See
;; https://github.com/pygraphviz/pygraphviz/issues/175
(define-public graphviz-2.38
diff --git a/gnu/packages/patches/graphviz-CVE-2020-18032.patch
b/gnu/packages/patches/graphviz-CVE-2020-18032.patch
deleted file mode 100644
index 4cf94a9..0000000
--- a/gnu/packages/patches/graphviz-CVE-2020-18032.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Fix CVE-2020-18032:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-18032
-https://gitlab.com/graphviz/graphviz/-/issues/1700
-
-Patch copied from upstream source repository:
-
-https://gitlab.com/graphviz/graphviz/-/commit/784411ca3655c80da0f6025ab20634b2a6ff696b
-
-From 784411ca3655c80da0f6025ab20634b2a6ff696b Mon Sep 17 00:00:00 2001
-From: Matthew Fernandez <matthew.fernandez@gmail.com>
-Date: Sat, 25 Jul 2020 19:31:01 -0700
-Subject: [PATCH] fix: out-of-bounds write on invalid label
-
-When the label for a node cannot be parsed (due to it being malformed), it
falls
-back on the symbol name of the node itself. I.e. the default label the node
-would have had if it had no label attribute at all. However, this is applied by
-dynamically altering the node's label to "\N", a shortcut for the symbol name
of
-the node. All of this is fine, however if the hand written label itself is
-shorter than the literal string "\N", not enough memory would have been
-allocated to write "\N" into the label text.
-
-Here we account for the possibility of error during label parsing, and assume
-that the label text may need to be overwritten with "\N" after the fact. Fixes
-issue #1700.
----
- lib/common/shapes.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/lib/common/shapes.c b/lib/common/shapes.c
-index 0a0635fc3..9dca9ba6e 100644
---- a/lib/common/shapes.c
-+++ b/lib/common/shapes.c
-@@ -3546,9 +3546,10 @@ static void record_init(node_t * n)
- reclblp = ND_label(n)->text;
- len = strlen(reclblp);
- /* For some forgotten reason, an empty label is parsed into a space, so
-- * we need at least two bytes in textbuf.
-+ * we need at least two bytes in textbuf, as well as accounting for the
-+ * error path involving "\\N" below.
- */
-- len = MAX(len, 1);
-+ len = MAX(MAX(len, 1), (int)strlen("\\N"));
- textbuf = N_NEW(len + 1, char);
- if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) {
- agerr(AGERR, "bad label format %s\n", ND_label(n)->text);
---
-2.31.1
-
- branch core-updates updated (8ceff70 -> a6c292a), guix-commits, 2021/06/12
- 02/14: gnu: postgresql: Remove replacement., guix-commits, 2021/06/12
- 01/14: gnu: OpenSSL: Remove replacement., guix-commits, 2021/06/12
- 03/14: gnu: libx11: Update to 1.7.1., guix-commits, 2021/06/12
- 04/14: gnu: expat: Remove replacement., guix-commits, 2021/06/12
- 06/14: gnu: GCC: Switch to GCC 10., guix-commits, 2021/06/12
- 08/14: gnu: graphviz: Update to 2.47.1.,
guix-commits <=
- 05/14: gnu: curl: Absorb replacement., guix-commits, 2021/06/12
- 10/14: gnu: pango: Update to 1.48.4., guix-commits, 2021/06/12
- 11/14: gnu: poppler: Update to 21.05.0., guix-commits, 2021/06/12
- 07/14: gnu: python-attrs: Update to 21.2.0., guix-commits, 2021/06/12
- 09/14: gnu: harfbuzz: Update to 2.8.1., guix-commits, 2021/06/12
- 13/14: gnu: glib: Add "static" output., guix-commits, 2021/06/12
- 12/14: gnu: python-magic: Update to 0.4.22., guix-commits, 2021/06/12
- 14/14: gnu: expat: Install the static library., guix-commits, 2021/06/12