unofficial mirror of guix-devel@gnu.org 
* [PATCHES] ImageMagick security updates without grafting
@ 2021-03-27 13:09 Mark H Weaver
  2021-03-27 14:36 ` Maxime Devos
  0 siblings, 1 reply; 15+ messages in thread
From: Mark H Weaver @ 2021-03-27 13:09 UTC (permalink / raw)
  To: guix-devel

Hello Guix,

Here's a proposed patch set that will henceforth enable us to freely
update ImageMagick (and dblatex, and gtk-doc) on our 'master' branch
without grafts.  This is done by adding variables 'imagemagick/stable',
'dblatex/stable', and 'gtk-doc/stable', which are then used as
'native-inputs' in selected packages.

The idea here is that the overwhelming majority of dependencies on
'imagemagick' are via references to 'gtk-doc' in the 'native-inputs' of
GNOME libraries.  The risk of running buggy imagemagick code within Guix
build containers is presumably quite limited, and in any case, grafting
is no better in this regard.

The last 3 commits of this series apply more bug fixes beyond what we
currently have in 'master', including for CVE-2020-27829, as well as a
few other recent upstream commits that look to me potentially security
relevant.

Are there any comments or objections to this approach?

      Mark

Note: I haven't yet fully tested these commits.



[-- Attachment #2: [PATCH 1/8] gnu: imagemagick: Remove graft --]
[-- Type: text/x-patch, Size: 3336 bytes --]

From eaecf83224fdae115a533d03b6fe949794835d43 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 07:07:32 -0400
Subject: [PATCH 1/8] gnu: imagemagick: Remove graft.

Note that this commit does *not* integrate the fixes that were previously
applied via the graft.  This commit simply discards those fixes.  We will
address those security flaws, without grafting, in subsequent commits.

* gnu/packages/imagemagick.scm (imagemagick)[replacement]: Remove field.
(imagemagick/fixed): Remove variable.
---
 gnu/packages/imagemagick.scm | 40 ------------------------------------
 1 file changed, 40 deletions(-)

diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index a3562f2e13..cc5f1de4bf 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -51,7 +51,6 @@
     ;; maintained. Don't update to 7 until we've made sure that the ImageMagick
     ;; users are ready for the 7-series API.
     (version "6.9.11-48")
-    (replacement imagemagick/fixed)
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://imagemagick/ImageMagick-"
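Review bot: dropping `(replacement imagemagick/fixed)` here without landing the 6.9.12-x update in the same push leaves a window in which 'master' builds ImageMagick 6.9.11-48 with the graft's security fixes removed. The commit message says as much, but the series should then be pushed as one unit (or this commit squashed with 6/8) so that no intermediate state of 'master' regresses the fixes that the graft currently provides.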
@@ -128,45 +127,6 @@ transform images, adjust image colors, apply various special effects, or draw
 text, lines, polygons, ellipses and Bézier curves.")
     (license (license:fsf-free "http://www.imagemagick.org/script/license.php"))))
 
-(define-public imagemagick/fixed
-  (package
-    (inherit imagemagick)
-    (name "imagemagick")
-    ;; 'g' for 'guix', appended character to retain version length so grafting
-    ;; works properly.
-    (version "6.9.12-2g")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://imagemagick/ImageMagick-"
-                                  ;; Hardcode the version here since we had to
-                                  ;; change it above.
-                                  "6.9.12-2.tar.xz"))
-              (sha256
-               (base32
-                "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa"))))
-    (arguments
-     (substitute-keyword-arguments (package-arguments imagemagick)
-       ((#:phases phases)
-        `(modify-phases ,phases
-           (add-after 'install 'fix-compat-cheat-rename-so
-             (lambda* (#:key outputs #:allow-other-keys)
-               (with-directory-excursion
-                   (string-append (assoc-ref outputs "out")
-                                  "/lib")
-                 (symlink "libMagick++-6.Q16.so.9.0.0"
-                          "libMagick++-6.Q16.so.8.0.0")
-                 (symlink "libMagick++-6.Q16.so.9"
-                          "libMagick++-6.Q16.so.8")
-                 (symlink "libMagickCore-6.Q16.so.7.0.0"
-                          "libMagickCore-6.Q16.so.6.0.0")
-                 (symlink "libMagickCore-6.Q16.so.7"
-                          "libMagickCore-6.Q16.so.6")
-                 (symlink "libMagickWand-6.Q16.so.7.0.0"
-                          "libMagickWand-6.Q16.so.6.0.0")
-                 (symlink "libMagickWand-6.Q16.so.7"
-                          "libMagickWand-6.Q16.so.6"))
-               #t))))))))
-
 (define-public perl-image-magick
   (package
     (name "perl-image-magick")
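Review bot: the deleted 'fix-compat-cheat-rename-so' phase is the real reason grafting ImageMagick was fragile: 6.9.12-2 bumped the libMagick++/libMagickCore/libMagickWand sonames (.so.8 to .so.9, .so.6 to .so.7) and the graft papered over that by symlinking the new libraries under the old names. It is worth stating in the commit message that the /stable split removes this ABI cheat, since that is the correctness argument for the new approach: dependents are rebuilt against the real sonames instead of loading a newer library through an old-soname symlink.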
-- 
2.31.0


[-- Attachment #3: [PATCH 2/8] gnu: imagemagick: Add 'imagemagick/stable' variant --]
[-- Type: text/x-patch, Size: 1314 bytes --]

From 370089473506c800cf3480f67a00860400fbed18 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 07:16:23 -0400
Subject: [PATCH 2/8] gnu: imagemagick: Add 'imagemagick/stable' variant.

* gnu/packages/imagemagick.scm (imagemagick/stable): New variable.
(imagemagick): This is now an alias to 'imagemagick/stable'.
---
 gnu/packages/imagemagick.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index cc5f1de4bf..6d4649fbac 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -44,7 +44,7 @@
   #:use-module (gnu packages xml)
   #:use-module (gnu packages xorg))
 
-(define-public imagemagick
+(define-public imagemagick/stable
   (package
     (name "imagemagick")
     ;; The 7 release series has an incompatible API, while the 6 series is still
@@ -127,6 +127,9 @@ transform images, adjust image colors, apply various special effects, or draw
 text, lines, polygons, ellipses and Bézier curves.")
     (license (license:fsf-free "http://www.imagemagick.org/script/license.php"))))
 
+(define-public imagemagick
+  imagemagick/stable)
+
 (define-public perl-image-magick
   (package
     (name "perl-image-magick")
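Review bot: after this commit `imagemagick` is merely another name for the same package object, so nothing rebuilds yet; the rebuild cost appears when 6/8 turns `imagemagick` into a distinct, newer package, and it will hit every package that lists `imagemagick` directly in its inputs rather than reaching it through gtk-doc. Please record the dependent count (`guix refresh -l imagemagick`) in the cover letter so reviewers can see what the 'master' rebuild actually amounts to.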
-- 
2.31.0


[-- Attachment #4: [PATCH 3/8] gnu: dblatex: Add 'dblatex/stable' variant --]
[-- Type: text/x-patch, Size: 1489 bytes --]

From 8a251cdb8e730c364d79fc6f2fba21bafc82302a Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 07:27:25 -0400
Subject: [PATCH 3/8] gnu: dblatex: Add 'dblatex/stable' variant.

* gnu/packages/docbook.scm (dblatex/stable): New variable.
---
 gnu/packages/docbook.scm | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/gnu/packages/docbook.scm b/gnu/packages/docbook.scm
index 012e86f6a5..9b2c70014d 100644
--- a/gnu/packages/docbook.scm
+++ b/gnu/packages/docbook.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2020 Marius Bakke <marius@gnu.org>
 ;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021 Mark H Weaver <mhw@netris.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -33,6 +34,7 @@
   #:use-module (guix licenses)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module ((guix build utils) #:select (alist-replace))
   #:use-module (guix build-system trivial)
   #:use-module (guix build-system python))
 
@@ -460,3 +462,8 @@ process.  MathML 2.0 markups are supported too.  It started as a clone of
 DB2LaTeX.")
     ;; lib/contrib/which is under an X11 license
     (license gpl2+)))
+
+(define-public dblatex/stable
+  (package/inherit dblatex
+    (inputs (alist-replace "imagemagick" `(,imagemagick/stable)
+                           (package-inputs dblatex)))))
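Review bot: `alist-replace` keys on the input label "imagemagick" and is applied only to `package-inputs`, so this variant silently depends on dblatex carrying exactly that label among its regular inputs (not native- or propagated-inputs). A cheap check before pushing is `guix graph -t bag -e '(@ (gnu packages docbook) dblatex/stable)'` and confirming that the only imagemagick node is the /stable one. Using `package/inherit` rather than `(package (inherit dblatex) ...)` is the right call here, since it carries over any future `replacement` field of dblatex into the variant.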
-- 
2.31.0


[-- Attachment #5: [PATCH 4/8] gnu: gtk-doc: Add 'gtk-doc/stable' variant --]
[-- Type: text/x-patch, Size: 1232 bytes --]

From 9de91519a64c3a2fadd8a9730d6fb032d764885b Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 07:28:58 -0400
Subject: [PATCH 4/8] gnu: gtk-doc: Add 'gtk-doc/stable' variant.

* gnu/packages/gtk.scm (gtk-doc/stable): New variable.
---
 gnu/packages/gtk.scm | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index cf9116214c..0cd1391fa2 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -48,6 +48,7 @@
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix git-download)
+  #:use-module ((guix build utils) #:select (alist-replace))
   #:use-module (guix build-system glib-or-gtk)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system meson)
@@ -1829,6 +1830,11 @@ typically used to document the public API of GTK+ and GNOME libraries, but it
 can also be used to document application code.")
     (license license:gpl2+)))
 
+(define-public gtk-doc/stable
+  (package/inherit gtk-doc
+    (inputs (alist-replace "dblatex" `(,dblatex/stable)
+                           (package-inputs gtk-doc)))))
+
 (define-public gtk-engines
   (package
     (name "gtk-engines")
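Review bot: same label-keyed replacement as dblatex/stable, with the same caveat that it only works if gtk-doc lists "dblatex" under `inputs`. Because the packages switched in 5/8 consume gtk-doc as a native input, gtk-doc/stable changes nothing in their runtime closures; that is the whole point of the series and deserves one sentence in this commit message. An alternative that avoids hand-writing one variant per layer is `(package-input-rewriting `((,imagemagick . ,imagemagick/stable)))` applied to gtk-doc, which rewrites dblatex on the way down; the explicit variants here are easier to read in `guix graph`, so either is acceptable, but it helps to say why this pattern was chosen.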
-- 
2.31.0


[-- Attachment #6: [PATCH 5/8] gnu: Use 'gtk-doc/stable' in native-inputs of selected packages --]
[-- Type: text/x-patch, Size: 24504 bytes --]

From 941bcda1cb65d89974ebc775666a6bd432964a78 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 07:34:35 -0400
Subject: [PATCH 5/8] gnu: Use 'gtk-doc/stable' in native-inputs of selected
 packages.

* gnu/packages/calendar.scm (libical),
gnu/packages/check.scm (umockdev),
gnu/packages/fontutils.scm (libraqm),
gnu/packages/freedesktop.scm (appstream, farstream, libglib-testing)
(udisks, libfprint, libportal),
gnu/packages/geo.scm (memphis, osm-gps-map),
gnu/packages/glib.scm (template-glib),
gnu/packages/gnome.scm (gupnp-igd, libcloudproviders, libgrss, seed)
(gtx, dee, zeitgeist, phodav, gssdp, gupnp, gupnp-dlna, gupnp-av, rygel)
(libnma, gdl, libnotify, vte-ng, dconf, libxklavier, libsoup, colord)
(geoclue, geocode-glib, amtk, grilo, gvfs, gusb, network-manager)
(network-manager-applet, gfbgraph, libunique, cheese, libhandy)
(gnome-latex, libgda),
gnu/packages/gstreamer.scm (orc),
gnu/packages/gtk.scm (at-spi2-core, goocanvas),
gnu/packages/language.scm (nimf),
gnu/packages/networking.scm (libnice),
gnu/packages/video.scm (schroedinger),
gnu/packages/virtualization.scm (libosinfo),
gnu/packages/webkit.scm (wpewebkit, webkitgtk),
gnu/packages/xml.scm (libxmlb)[native-inputs]: Replace 'gtk-doc' with
'gtk-doc/stable'.
---
 gnu/packages/calendar.scm       |  2 +-
 gnu/packages/check.scm          |  2 +-
 gnu/packages/fontutils.scm      |  2 +-
 gnu/packages/freedesktop.scm    | 12 +++---
 gnu/packages/geo.scm            |  4 +-
 gnu/packages/glib.scm           |  2 +-
 gnu/packages/gnome.scm          | 70 ++++++++++++++++-----------------
 gnu/packages/gstreamer.scm      |  2 +-
 gnu/packages/gtk.scm            |  4 +-
 gnu/packages/language.scm       |  2 +-
 gnu/packages/networking.scm     |  2 +-
 gnu/packages/video.scm          |  2 +-
 gnu/packages/virtualization.scm |  2 +-
 gnu/packages/webkit.scm         |  4 +-
 gnu/packages/xml.scm            |  2 +-
 15 files changed, 57 insertions(+), 57 deletions(-)

diff --git a/gnu/packages/calendar.scm b/gnu/packages/calendar.scm
index 4e1e4f05b6..d473900ac5 100644
--- a/gnu/packages/calendar.scm
+++ b/gnu/packages/calendar.scm
@@ -156,7 +156,7 @@ the <tz.h> library for handling time zones and leap seconds.")
     (native-inputs
      `(("docbook-xml" ,docbook-xml-4.3)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("perl" ,perl)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)))
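Review bot: the commit message enumerates which packages are switched but not the selection criterion. Since the cover letter's rationale is that most 'imagemagick' dependents reach it through gtk-doc in 'native-inputs', state that rule explicitly (gtk-doc/stable wherever gtk-doc is a native input, plain gtk-doc otherwise) so that a later contributor knows which variable a new package definition should use.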
diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index 21514d1bc4..a1e44ad81f 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -2732,7 +2732,7 @@ provides a simple way to achieve this.")
     (native-inputs
      `(("vala" ,vala)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
 
        ;; For tests.
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index a4c92f5bea..1d9c81b8a6 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -965,7 +965,7 @@ Unicode Charts.  It was developed for use with DejaVu Fonts project.")
     (arguments
      `(#:configure-flags (list "--disable-static")))
     (native-inputs
-     `(("gtk-doc" ,gtk-doc)
+     `(("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)))
     (inputs
diff --git a/gnu/packages/freedesktop.scm b/gnu/packages/freedesktop.scm
index 4105dd7ca0..a9e96c9928 100644
--- a/gnu/packages/freedesktop.scm
+++ b/gnu/packages/freedesktop.scm
@@ -173,7 +173,7 @@
        ("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
        ("gperf" ,gperf)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
        ("xsltproc" ,libxslt)))
@@ -261,7 +261,7 @@ application-centers for distributions.")
        ("docbook-xml" ,docbook-xml-4.1.2)
        ("docbook-xsl" ,docbook-xsl)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("libtool" ,libtool)
        ("perl" ,perl)
        ("pkg-config" ,pkg-config)
@@ -313,7 +313,7 @@ for videoconferencing.")
      `(("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
        ("pkg-config" ,pkg-config)
-       ("gtk-doc" ,gtk-doc)))
+       ("gtk-doc" ,gtk-doc/stable)))
     (inputs
      `(("dbus" ,dbus)
        ("glib" ,glib)))
@@ -1202,7 +1202,7 @@ Analysis and Reporting Technology) functionality.")
        ("glib:bin" ,glib "bin")         ; for glib-mkenums
        ("gnome-common" ,gnome-common)   ; TODO: Why is this needed?
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("pkg-config" ,pkg-config)
        ("xsltproc" ,libxslt)))
@@ -1598,7 +1598,7 @@ wish to perform colour calibration.")
      `(("eudev" ,eudev)
        ("glib:bin" ,glib "bin")         ; for {glib-,}mkenums
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)             ; for 88 KiB of API documentation
+       ("gtk-doc" ,gtk-doc/stable)             ; for 88 KiB of API documentation
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("glib" ,glib)
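Review bot: the replacement line `("gtk-doc" ,gtk-doc/stable)             ; for 88 KiB of API documentation` keeps the comment column of the shorter original, leaving a run of stray spaces before the `;`; realign the trailing comment with the neighbouring entries (or drop the alignment) so the mechanical substitution does not introduce whitespace noise.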
@@ -2197,7 +2197,7 @@ fallback to generic Systray support if none of those are available.")
                  #t))))))
       (native-inputs
        `(("pkg-config" ,pkg-config)
-         ("gtk-doc" ,gtk-doc)
+         ("gtk-doc" ,gtk-doc/stable)
          ("docbook-xsl" ,docbook-xsl)
          ("docbook-xml" ,docbook-xml)
          ("libxml2" ,libxml2)
diff --git a/gnu/packages/geo.scm b/gnu/packages/geo.scm
index c988d6b114..97fa83b86b 100644
--- a/gnu/packages/geo.scm
+++ b/gnu/packages/geo.scm
@@ -151,7 +151,7 @@
        ("automake" ,automake)
        ("docbook-xml" ,docbook-xml-4.3)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("libtool" ,libtool)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
@@ -1138,7 +1138,7 @@ OpenStreetMap data files.")
     (build-system gnu-build-system)
     (native-inputs
      `(("gnome-common" ,gnome-common)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("cairo" ,cairo)
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 9c3cd75624..c04bd334e9 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -1165,7 +1165,7 @@ other API remains the same.")
      `(("bison" ,bison)
        ("flex" ,flex)
        ("glib:bin" ,glib "bin") ;; For glib-mkenums
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)))
     (home-page "https://gitlab.gnome.org/GNOME/template-glib")
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 7607db27f1..ce8a5e8f02 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -263,7 +263,7 @@
        ("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
        ("gsettings-desktop-schemas" ,gsettings-desktop-schemas)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (propagated-inputs
      `(("glib" ,glib)
@@ -366,7 +366,7 @@ features to enable users to create their discs easily and quickly.")
     (native-inputs
      `(("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)))
     (inputs
@@ -415,7 +415,7 @@ services.")
     (native-inputs
      `(("docbook-xml" ,docbook-xml-4.1.2)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (propagated-inputs
      `(("glib" ,glib)
@@ -512,7 +512,7 @@ bindings.")
        ("docbook-xml" ,docbook-xml-4.1.2)
        ("gettext" ,gettext-minimal)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("libtool" ,libtool)
        ("pkg-config" ,pkg-config)))
@@ -622,7 +622,7 @@ It is written in C using GObject and libsoup.")
                        "/share/gtk-doc/html"))))
     (native-inputs
      `(("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (propagated-inputs
      `(("glib" ,glib)))
@@ -692,7 +692,7 @@ of writing test cases for asynchronous interactions.")
        ("dbus-test-runner" ,dbus-test-runner)
        ("docbook-xml" ,docbook-xml-4.3)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ;; Would only be required by configure flag "--enable-extended-tests".
        ;("gtx" ,gtx)
        ("pkg-config" ,pkg-config)
@@ -768,7 +768,7 @@ of known objects without needing a central registrar.")
        ("docbook-xml" ,docbook-xml-4.3)
        ("gettext" ,gettext-minimal)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("libtool" ,libtool)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)
@@ -1177,7 +1177,7 @@ Library reference documentation.")
     `(("docbook-xml" ,docbook-xml-4.3)
       ("gettext" ,gettext-minimal)
       ("glib:bin" ,glib "bin")
-      ("gtk-doc" ,gtk-doc)
+      ("gtk-doc" ,gtk-doc/stable)
       ("pkg-config" ,pkg-config)))
    (inputs
     `(("avahi" ,avahi)
@@ -1295,7 +1295,7 @@ It has miners for Facebook, Flickr, Google, ownCloud and SkyDrive.")
     `(("gettext" ,gettext-minimal)
       ("glib:bin" ,glib "bin")
       ("gobject-introspection" ,gobject-introspection)
-      ("gtk-doc" ,gtk-doc)
+      ("gtk-doc" ,gtk-doc/stable)
       ("pkg-config" ,pkg-config)
       ("vala" ,vala)))
    (inputs
@@ -1326,7 +1326,7 @@ a debugging tool, @command{gssdp-device-sniffer}.")
     `(("gettext" ,gettext-minimal)
       ("glib:bin" ,glib "bin")
       ("gobject-introspection" ,gobject-introspection)
-      ("gtk-doc" ,gtk-doc)
+      ("gtk-doc" ,gtk-doc/stable)
       ("pkg-config" ,pkg-config)
       ("vala" ,vala)))
    (inputs
@@ -1357,7 +1357,7 @@ for creating UPnP devices and control points, written in C using
     `(("gettext" ,gettext-minimal)
       ("glib:bin" ,glib "bin")
       ("gobject-introspection" ,gobject-introspection)
-      ("gtk-doc" ,gtk-doc)
+      ("gtk-doc" ,gtk-doc/stable)
       ("libxml" ,libxml2)
       ("pkg-config" ,pkg-config)
       ("vala" ,vala)))
@@ -1391,7 +1391,7 @@ given profile, etc.  DLNA is a subset of UPnP A/V.")
     `(("gettext" ,gettext-minimal)
       ("glib:bin" ,glib "bin")
       ("gobject-introspection" ,gobject-introspection)
-      ("gtk-doc" ,gtk-doc)
+      ("gtk-doc" ,gtk-doc/stable)
       ("libxml" ,libxml2)
       ("pkg-config" ,pkg-config)))
    (inputs
@@ -1607,7 +1607,7 @@ preview files on the GNOME desktop.")
     (native-inputs
      `(("gettext" ,gettext-minimal)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)))
     (inputs
@@ -1669,7 +1669,7 @@ client devices can handle.")
      `(("docbook-xml" ,docbook-xml-4.3)
        ("gettext" ,gettext-minimal)
        ("glib:bin" ,glib "bin")
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("gobject-introspection" ,gobject-introspection)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)))
@@ -2417,7 +2417,7 @@ GNOME Desktop.")
        ("automake" ,automake)
        ("glib" ,glib "bin")             ; for glib-genmarshal, etc.
        ("gnome-common" ,gnome-common)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("pkg-config" ,pkg-config)
        ("libtool" ,libtool)
@@ -3057,7 +3057,7 @@ configuring CUPS.")
        ("gobject-introspection" ,gobject-introspection)
 
        ;; For the documentation.
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("xsltproc" ,libxslt)
        ("docbook-xsl" ,docbook-xsl)))
     (home-page "https://developer-next.gnome.org/libnotify/")
@@ -4503,7 +4503,7 @@ editors, IDEs, etc.")
                 "0rnm5c6m3abbm81jsfdas0y80z299ny54gr4syn4bfrms3s4g19l"))))
     (build-system meson-build-system)
     (native-inputs
-     `(("gtk-doc" ,gtk-doc)
+     `(("gtk-doc" ,gtk-doc/stable)
        ,@(package-native-inputs vte)))
     (arguments
      `(#:configure-flags '("-Ddocs=true")))
@@ -4621,7 +4621,7 @@ and RDP protocols.")
        ("docbook-xml" ,docbook-xml-4.2)
        ("docbook-xsl" ,docbook-xsl)
        ("glib:bin" ,glib "bin")
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)))
     (arguments
@@ -4689,7 +4689,7 @@ and objects.")
      `(("glib:bin"              ,glib "bin") ; for glib-mkenums, etc.
        ("gobject-introspection" ,gobject-introspection)
        ("pkg-config"            ,pkg-config)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("which" ,which)
        ("autoconf" ,autoconf)
@@ -4912,7 +4912,7 @@ libxml to ease remote use of the RESTful API.")
      `(("docbook-xml" ,docbook-xml-4.1.2)
        ("glib:bin" ,glib "bin")                   ; for glib-mkenums
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
@@ -5279,7 +5279,7 @@ keyboard shortcuts.")
      `(("glib:bin" ,glib "bin")         ; for glib-compile-resources, etc.
        ("gettext" ,gettext-minimal)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)))
     (propagated-inputs
@@ -5324,7 +5324,7 @@ output devices.")
        ("gobject-introspection" ,gobject-introspection)
        ("modem-manager" ,modem-manager)
        ("libnotify" ,libnotify)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)))
     (inputs
      `(("avahi" ,avahi)
@@ -5369,7 +5369,7 @@ permission from user.")
        ("glibc-locales" ,glibc-locales) ; for tests
        ("gettext" ,gettext-minimal)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("json-glib" ,json-glib)))
     (propagated-inputs
@@ -5675,7 +5675,7 @@ which are easy to play with the aid of a mouse.")
     (native-inputs
      `(("gobject-introspection" ,gobject-introspection)
        ("glib:bin" ,glib "bin")         ; for glib-mkenums
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("glib" ,glib)
@@ -6092,7 +6092,7 @@ as possible!")
        ("intltool" ,intltool)
        ("pkg-config" ,pkg-config)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("vala" ,vala)))
     (inputs
      `(("cyrus-sasl" ,cyrus-sasl)
@@ -6526,7 +6526,7 @@ part of udev-extras, then udev, then systemd.  It's now a project on its own.")
     (native-inputs
      `(("glib:bin" ,glib "bin") ; for glib-genmarshal, etc.
        ("gettext" ,gettext-minimal)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("xsltproc" ,libxslt)))
     (inputs
@@ -6591,7 +6591,7 @@ DAV, and others.")
      `(("gobject-introspection" ,gobject-introspection)
        ("pkg-config" ,pkg-config)
        ("vala" ,vala)
-       ("gtk-doc" ,gtk-doc)))
+       ("gtk-doc" ,gtk-doc/stable)))
     (propagated-inputs
      ;; Both of these are required by gusb.pc.
      `(("glib" ,glib)
@@ -7795,7 +7795,7 @@ users.")
      `(("glib" ,glib)))
     (native-inputs
      `(("glib:bin" ,glib "bin")         ; for gdbus-codegen
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("gobject-introspection" ,gobject-introspection)
        ("docbook-xml" ,docbook-xml)
        ("docbook-xsl" ,docbook-xsl)
@@ -8052,7 +8052,7 @@ Cisco's AnyConnect SSL VPN.")
      `(("intltool" ,intltool)
        ("glib:bin" ,glib "bin") ; for glib-compile-resources, etc.
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (propagated-inputs
      ;; libnm-gtk.pc refers to all these.
@@ -9800,7 +9800,7 @@ compiled.")
                            "--enable-introspection")))
     (native-inputs
      `(("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
 
        ;; The 0.2.4 ‘release’ tarball isn't bootstrapped.
@@ -9872,7 +9872,7 @@ environment, which can notably display keyboard layouts.")
      `(("pkg-config" ,pkg-config)
        ("gobject-introspection" ,gobject-introspection)
        ("glib:bin" ,glib "bin")
-       ("gtk-doc" ,gtk-doc)))
+       ("gtk-doc" ,gtk-doc/stable)))
     (propagated-inputs
      ;; Referred to in .h files and .pc.
      `(("gtk+" ,gtk+)))
@@ -10457,7 +10457,7 @@ photo-booth-like software, such as Cheese.")
        ("docbook-xml" ,docbook-xml-4.3)
        ("gettext" ,gettext-minimal)
        ("glib:bin" ,glib "bin")
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("itstool" ,itstool)
        ("libxml2" ,libxml2)
        ("libxslt" ,libxslt)
@@ -10996,7 +10996,7 @@ tabs, and it supports drag and drop re-ordering of terminals.")
      `(("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection) ; for g-ir-scanner
        ("vala" ,vala)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("gettext" ,gettext-minimal)
 
@@ -11531,7 +11531,7 @@ card sheets that you’ll find at most office supply stores.")
      `(("gettext" ,gettext-minimal)
        ("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("itstool" ,itstool)
        ("pkg-config" ,pkg-config)
@@ -12123,7 +12123,7 @@ developed with the aim of being used with the Librem 5 phone.")
        ("glib:bin" ,glib "bin")
        ("gnome-common" ,gnome-common)
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("libtool" ,libtool)
        ("pkg-config" ,pkg-config)
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index 1c7ba98a86..6a4e14167d 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -384,7 +384,7 @@ http://www.tux.org/~ricdude/overview.html")
                 "if (error) return 77;"))
              #t)))))
     (native-inputs
-     `(("gtk-doc" ,gtk-doc)))
+     `(("gtk-doc" ,gtk-doc/stable)))
     (home-page "https://gstreamer.freedesktop.org/modules/orc.html")
     (synopsis "Oil runtime compiler")
     (description
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 0cd1391fa2..fdc946ca20 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -723,7 +723,7 @@ in the GNOME project.")
    (native-inputs
     `(("gettext" ,gettext-minimal)
       ("gobject-introspection" ,gobject-introspection)
-      ("gtk-doc" ,gtk-doc)
+      ("gtk-doc" ,gtk-doc/stable)
       ("glib" ,glib "bin")
       ("pkg-config" ,pkg-config)))
    (synopsis "Assistive Technology Service Provider Interface, core components")
@@ -2241,7 +2241,7 @@ popovers.")
      `(("gettext" ,gettext-minimal)
        ("glib-bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)
        ("python" ,python)))
     (inputs
diff --git a/gnu/packages/language.scm b/gnu/packages/language.scm
index d4b9b8d4cb..5325445a24 100644
--- a/gnu/packages/language.scm
+++ b/gnu/packages/language.scm
@@ -170,7 +170,7 @@
        ("gobject-introspection" ,gobject-introspection)
        ("gtk+-2:bin" ,gtk+-2 "bin")
        ("gtk+:bin" ,gtk+ "bin")
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("intltool" ,intltool)
        ("libtool" ,libtool)
        ("perl" ,perl)
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index ea3e3f67e7..ecc6f57f4e 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -302,7 +302,7 @@ Android, and ChromeOS.")
     (native-inputs
      `(("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("gstreamer" ,gstreamer)
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index a17708c7dd..4853884d05 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -381,7 +381,7 @@ video decode, encode and filtering on Intel's Gen graphics hardware platforms.")
                #t))))))
     (native-inputs
      `(("dash" ,dash)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("glew" ,glew)
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index fabac5b984..96347adf7c 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -984,7 +984,7 @@ Debian or a derivative using @command{debootstrap}.")
     (native-inputs
      `(("glib" ,glib "bin")  ; glib-mkenums, etc.
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("vala" ,vala)
        ("intltool" ,intltool)
        ("pkg-config" ,pkg-config)
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index 89eee74def..d8378354bd 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -174,7 +174,7 @@ engine that uses Wayland for graphics output.")
        ("docbook-xsl" ,docbook-xsl)
        ("glib:bin" ,glib "bin")
        ("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("perl" ,perl)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
@@ -301,7 +301,7 @@ acceleration in mind, leveraging common 3D graphics APIs for best performance.")
        ("perl" ,perl)
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)
-       ("gtk-doc" ,gtk-doc) ; For documentation generation
+       ("gtk-doc" ,gtk-doc/stable) ; For documentation generation
        ("docbook-xml" ,docbook-xml) ; For documentation generation
        ("ruby" ,ruby)))
     (propagated-inputs
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index d05d326f5b..defc0323e6 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -99,7 +99,7 @@
      `(#:glib-or-gtk? #t))
     (native-inputs
      `(("gobject-introspection" ,gobject-introspection)
-       ("gtk-doc" ,gtk-doc)
+       ("gtk-doc" ,gtk-doc/stable)
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("appstream-glib" ,appstream-glib)
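Review bot: these hunks switch the `("gtk-doc" ,gtk-doc)` native-input to `gtk-doc/stable` in a hand-picked set of modules (networking, video, virtualization, webkit, xml and the one above); every `("gtk-doc" ,gtk-doc)` left in some other module's native-inputs keeps pulling the frequently-updated `imagemagick` into that package's build closure, so grep the whole of gnu/packages for the old form before merging, and keep the trailing "; For documentation generation" style comments as done in the webkit hunk.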
-- 
2.31.0


[-- Attachment #7: [PATCH 6/8] gnu: imagemagick: Update to 6.9.12-4 --]
[-- Type: text/x-patch, Size: 1955 bytes --]

From 5f144be02171e93613184793e254a25c674e232e Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 07:48:37 -0400
Subject: [PATCH 6/8] gnu: imagemagick: Update to 6.9.12-4.

* gnu/packages/imagemagick.scm (imagemagick): Update to 6.9.12-4.
---
 gnu/packages/imagemagick.scm | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 6d4649fbac..4200ed1daf 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
-;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016, 2021 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
@@ -128,7 +128,19 @@ text, lines, polygons, ellipses and Bézier curves.")
     (license (license:fsf-free "http://www.imagemagick.org/script/license.php"))))
 
 (define-public imagemagick
-  imagemagick/stable)
+  (package
+    (inherit imagemagick/stable)
+    ;; The 7 release series has an incompatible API, while the 6 series is still
+    ;; maintained. Don't update to 7 until we've made sure that the ImageMagick
+    ;; users are ready for the 7-series API.
+    (version "6.9.12-4")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://imagemagick/ImageMagick-"
+                                  version ".tar.xz"))
+              (sha256
+               (base32
+                "1pkwij76yz7vd5grl6520pgpa912qb6kh34qamx4zfndwcx6cf6b"))))))
 
 (define-public perl-image-magick
   (package
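Review bot: this hunk turns `imagemagick` from a plain alias of `imagemagick/stable` into a distinct package, but the commit message only says "Update to 6.9.12-4"; say explicitly that the two definitions now diverge and that `imagemagick/stable` intentionally stays behind, otherwise the log reads as a routine version bump. Also, the new `origin` replaces the inherited source wholesale, so any `patches` carried by `imagemagick/stable`'s origin are dropped here; if that is intended (the graft was removed in 1/8), a sentence in the comment block above `(version ...)` would make it clear.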
-- 
2.31.0


[-- Attachment #8: [PATCH 7/8] gnu: imagemagick: Fix CVE-2020-27829 --]
[-- Type: text/x-patch, Size: 3272 bytes --]

From 986fa9c54db10e597f3b7d5db859e28b1c0f9317 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 08:08:10 -0400
Subject: [PATCH 7/8] gnu: imagemagick: Fix CVE-2020-27829.

* gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/imagemagick.scm (source): Add patch.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/imagemagick.scm                  |  4 ++-
 .../patches/imagemagick-CVE-2020-27829.patch  | 27 +++++++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 0aec66414e..18799bac7f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1221,6 +1221,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/id3lib-UTF16-writing-bug.patch			\
   %D%/packages/patches/idris-disable-test.patch			\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
+  %D%/packages/patches/imagemagick-CVE-2020-27829.patch		\
   %D%/packages/patches/inetutils-hurd.patch			\
   %D%/packages/patches/inkscape-poppler-0.76.patch		\
   %D%/packages/patches/intel-xed-fix-nondeterminism.patch	\
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 4200ed1daf..44598fbb73 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -140,7 +140,9 @@ text, lines, polygons, ellipses and Bézier curves.")
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1pkwij76yz7vd5grl6520pgpa912qb6kh34qamx4zfndwcx6cf6b"))))))
+                "1pkwij76yz7vd5grl6520pgpa912qb6kh34qamx4zfndwcx6cf6b"))
+              (patches
+               (search-patches "imagemagick-CVE-2020-27829.patch"))))))
 
 (define-public perl-image-magick
   (package
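Review bot: the ChangeLog entry reads "(source): Add patch" but the field belongs to the `imagemagick` definition, so the usual form is "(imagemagick)[source]: Add patch."; the hunk itself is fine, and it is worth noting in the message that `imagemagick/stable` deliberately does not receive this patch, since readers may otherwise expect the CVE fix on both variants.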
diff --git a/gnu/packages/patches/imagemagick-CVE-2020-27829.patch b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
new file mode 100644
index 0000000000..b15c1d0879
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
@@ -0,0 +1,27 @@
+We omit the ChangeLog changes below, since they do not apply cleanly.
+
+
+From 6ee5059cd3ac8d82714a1ab1321399b88539abf0 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 30 Nov 2020 16:26:59 +0000
+Subject: [PATCH] possible TIFF related-heap buffer overflow (alert & POC by
+ Hardik Shah)
+
+---
+ ChangeLog     | 6 ++++++
+ coders/tiff.c | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index e98f927ab..1eecf17ae 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1975,7 +1975,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         extent+=image->columns*sizeof(uint32);
+ #endif
+         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+-          sizeof(*strip_pixels));
++          2*sizeof(*strip_pixels));
+         if (strip_pixels == (unsigned char *) NULL)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+         (void) memset(strip_pixels,0,extent*sizeof(*strip_pixels));
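Review bot: the header says the ChangeLog hunk was omitted, yet the retained diffstat still lists `ChangeLog | 6 ++++++` and "2 files changed"; trim the diffstat to the `coders/tiff.c` line so the file is self-consistent, and add the upstream commit URL and the CVE id to the header so provenance can be checked. On the substance: the only change is `sizeof(*strip_pixels)` becoming `2*sizeof(*strip_pixels)` in the allocation, while `extent` and the following `memset(strip_pixels,0,extent*sizeof(*strip_pixels))` are untouched, so this doubles the buffer rather than correcting the size computation and leaves the second half uninitialised; recording that in the header helps whoever later decides whether a newer upstream fix supersedes it.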
-- 
2.31.0


[-- Attachment #9: [PATCH 8/8] gnu: imagemagick: Add more upstream fixes --]
[-- Type: text/x-patch, Size: 6822 bytes --]

From 66713ce145d4594f317d05ab1c89fcb051e9eb72 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Sat, 27 Mar 2021 07:01:10 -0400
Subject: [PATCH 8/8] gnu: imagemagick: Add more upstream fixes.

* gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch,
gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch,
gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/imagemagick.scm (source): Add patches.
---
 gnu/local.mk                                  |  3 ++
 gnu/packages/imagemagick.scm                  |  5 ++-
 .../imagemagick-ReadDCMImage-fix.patch        | 26 ++++++++++++++
 .../imagemagick-ReadDCMPixels-fix.patch       | 35 +++++++++++++++++++
 .../imagemagick-WriteTHUMBNAILImage-fix.patch | 25 +++++++++++++
 5 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch
 create mode 100644 gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch
 create mode 100644 gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 18799bac7f..bea6b8a569 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1222,6 +1222,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/idris-disable-test.patch			\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
   %D%/packages/patches/imagemagick-CVE-2020-27829.patch		\
+  %D%/packages/patches/imagemagick-ReadDCMImage-fix.patch	\
+  %D%/packages/patches/imagemagick-ReadDCMPixels-fix.patch	\
+  %D%/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch	\
   %D%/packages/patches/inetutils-hurd.patch			\
   %D%/packages/patches/inkscape-poppler-0.76.patch		\
   %D%/packages/patches/intel-xed-fix-nondeterminism.patch	\
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 44598fbb73..f4cc488c43 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -142,7 +142,10 @@ text, lines, polygons, ellipses and Bézier curves.")
                (base32
                 "1pkwij76yz7vd5grl6520pgpa912qb6kh34qamx4zfndwcx6cf6b"))
               (patches
-               (search-patches "imagemagick-CVE-2020-27829.patch"))))))
+               (search-patches "imagemagick-ReadDCMImage-fix.patch"
+                               "imagemagick-ReadDCMPixels-fix.patch"
+                               "imagemagick-WriteTHUMBNAILImage-fix.patch"
+                               "imagemagick-CVE-2020-27829.patch"))))))
 
 (define-public perl-image-magick
   (package
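Review bot: the `search-patches` list applies imagemagick-ReadDCMImage-fix.patch before imagemagick-ReadDCMPixels-fix.patch, but the index lines in the two files show the upstream order is the reverse (ReadDCMPixels is 29eed9618..7a68ed6e8 and ReadDCMImage starts from 7a68ed6e8); they touch different regions of coders/dcm.c so both should still apply, but listing them in upstream order avoids fuzz if either is refreshed later.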
diff --git a/gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch b/gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch
new file mode 100644
index 0000000000..42ece43682
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch
@@ -0,0 +1,26 @@
+From 512668dfd92b20d0d08b91d62b422d8262573281 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Wed, 24 Mar 2021 20:37:15 +0100
+Subject: [PATCH] Throw exception when no exception was raised but status was
+ false (#3432).
+
+---
+ coders/dcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/dcm.c b/coders/dcm.c
+index 7a68ed6e8..ed17c9567 100644
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -3989,6 +3989,8 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+         if (redmap != (int *) NULL)
+           redmap=(int *) RelinquishMagickMemory(redmap);
+         image=DestroyImageList(image);
++        if ((status == MagickFalse) && (exception->severity < ErrorException))
++          ThrowReaderException(CorruptImageError,"CorruptImage");
+         return(GetFirstImageInList(images));
+       }
+     if (info.depth != (1UL*MAGICKCORE_QUANTUM_DEPTH))
+-- 
+2.31.0
+
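Review bot: the added throw sits after `image=DestroyImageList(image);` and before `return(GetFirstImageInList(images));`, so on the new error path `images` (the list that would otherwise have been returned) is never destroyed unless `ThrowReaderException` takes care of it; confirm that, or note in the patch header that the leak is known and upstream's. The header also cites "#3432" with no URL; a link to the upstream issue would help future maintainers judge whether the fix is still needed.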
diff --git a/gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch b/gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch
new file mode 100644
index 0000000000..a91999186b
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch
@@ -0,0 +1,35 @@
+From c8f25953ad1dd38a8b2d92738f0f742ad7e0bce7 Mon Sep 17 00:00:00 2001
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Sun, 21 Mar 2021 21:21:15 -0400
+Subject: [PATCH] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32322
+
+---
+ coders/dcm.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/coders/dcm.c b/coders/dcm.c
+index 29eed9618..7a68ed6e8 100644
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -2984,12 +2984,12 @@ static MagickBooleanType ReadDCMPixels(Image *image,DCMInfo *info,
+         }
+       else
+         {
+-          SetPixelRed(q,(Quantum) (((ssize_t) pixel.red) |
+-            (((ssize_t) GetPixelRed(q)) << 8)));
+-          SetPixelGreen(q,(Quantum) (((ssize_t) pixel.green) |
+-            (((ssize_t) GetPixelGreen(q)) << 8)));
+-          SetPixelBlue(q,(Quantum) (((ssize_t) pixel.blue) |
+-            (((ssize_t) GetPixelBlue(q)) << 8)));
++          SetPixelRed(q,(Quantum) (((size_t) pixel.red) |
++            (((size_t) GetPixelRed(q)) << 8)));
++          SetPixelGreen(q,(Quantum) (((size_t) pixel.green) |
++            (((size_t) GetPixelGreen(q)) << 8)));
++          SetPixelBlue(q,(Quantum) (((size_t) pixel.blue) |
++            (((size_t) GetPixelBlue(q)) << 8)));
+         }
+       q++;
+     }
+-- 
+2.31.0
+
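Review bot: the header is only a fuzzer link; add a one-line summary of the change (the `ssize_t` intermediates in the `<< 8` expressions for red, green and blue become `size_t`) so the Guix tree records why this was picked as security-relevant without needing to open the oss-fuzz issue. The `(Quantum)` cast on the result is unchanged, so the patch alters only the intermediate arithmetic, not the stored value range.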
diff --git a/gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch b/gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch
new file mode 100644
index 0000000000..f38a45b800
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch
@@ -0,0 +1,25 @@
+From 6a5d3575487487f2703383338bd17c8c25068f19 Mon Sep 17 00:00:00 2001
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Thu, 25 Mar 2021 08:58:18 -0400
+Subject: [PATCH] eliminate compiler warning
+
+---
+ coders/thumbnail.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/thumbnail.c b/coders/thumbnail.c
+index 3833341b0..1e2bfe8c2 100644
+--- a/coders/thumbnail.c
++++ b/coders/thumbnail.c
+@@ -199,7 +199,7 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info,
+     q++;
+   }
+   if ((q > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) ||
+-      (length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
++      ((ssize_t) length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
+     ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
+   thumbnail_image=BlobToImage(image_info,q,length,&image->exception);
+   if (thumbnail_image == (Image *) NULL)
+-- 
+2.31.0
+
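Review bot: the upstream title "eliminate compiler warning" undersells the hunk: casting `length` to `ssize_t` changes the comparison from unsigned to signed, so the pointer difference `GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q` is no longer converted to `size_t` before the check. Since this is the bounds check that keeps `length` inside `profile` before `BlobToImage` is called, add a line to the patch header saying why it is included, as the commit message only calls these "more upstream fixes".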
-- 
2.31.0



* Re: [PATCHES] ImageMagick security updates without grafting
  2021-03-27 13:09 [PATCHES] ImageMagick security updates without grafting Mark H Weaver
@ 2021-03-27 14:36 ` Maxime Devos
  2021-03-28  0:01   ` Mark H Weaver
  0 siblings, 1 reply; 15+ messages in thread
From: Maxime Devos @ 2021-03-27 14:36 UTC (permalink / raw)
  To: Mark H Weaver, guix-devel

[-- Attachment #1: Type: text/plain, Size: 1834 bytes --]

On Sat, 2021-03-27 at 09:09 -0400, Mark H Weaver wrote:
> Hello Guix,
> 
> Here's a proposed patch set that will henceforth enable us to freely
> update ImageMagick (and dblatex, and gtk-doc) on our 'master' branch
> without grafts.  This is done by adding variables 'imagemagick/stable',
> 'dblatex/stable', and 'gtk-doc/stable', which are then used as
> 'native-inputs' in selected packages.
> 
> The idea here is that the overwhelming majority of dependencies on
> 'imagemagick' are via references to 'gtk-doc' in the 'native-inputs' of
> GNOME libraries.  The risk of running buggy imagemagick code within Guix
> build containers is presumably quite limited, and in any case, grafting
> is no better in this regard.

This approach (& patches) look good to me.

> [...]
> Are there any comments or objections to this approach?

What does ‘guix refresh --list-dependent imagemagick@6.9.11-48’
output now?  If there are many dependent packages, could some
of them use imagemagick/stable, dblatex/stable or gtk-doc/stable
as well?

Maybe add a comment to imagemagick/stable on why there is a 
/stable variant, for future reference.  Perhaps something along
the lines of:

;; This is a variant of the 'imagemagick' package that is not
;; updated often.  Where possible, use this variant instead of
;; the updated 'imagemagick' package to avoid large rebuilds
;; each time 'imagemagick' is updated (e.g. with security fixes),
;; unless this causes security issues.
;;
;; Normally the grafts mechanism would be used instead, but
;; imagemagick is a complicated package to graft.  See
;; <https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00381.html>.

>       Mark
> 
> Note: I haven't yet fully tested these commits.

Note: I haven't tested your patches.

Greetings,
Maxime.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]


* Re: [PATCHES] ImageMagick security updates without grafting
  2021-03-27 14:36 ` Maxime Devos
@ 2021-03-28  0:01   ` Mark H Weaver
  2021-03-28  9:59     ` Maxime Devos
  0 siblings, 1 reply; 15+ messages in thread
From: Mark H Weaver @ 2021-03-28  0:01 UTC (permalink / raw)
  To: Maxime Devos, guix-devel

Hi Maxime,

Maxime Devos <maximedevos@telenet.be> writes:
> This approach (& patches) look good to me.

Thanks for looking.

> What does ‘guix refresh --list-dependent imagemagick@6.9.11-48’
> output now?

When I last checked, it reported on the order of 2400 dependent package
rebuilds.

> If there are many dependent packages, could some
> of them use imagemagick/stable, dblatex/stable or gtk-doc/stable
> as well?

Yes, that's exactly the purpose of this patch set.  Although at present,
the only user of 'imagemagick/stable' is 'dblatex/stable', and the only
user of 'dblatex/stable' is 'gtk-doc/stable'.

> Maybe add a comment to imagemagick/stable on why there is a 
> /stable variant, for future reference.

Good idea.  I added comments similar to what you had suggested.

Thanks for the review!  I went ahead and pushed a revised version of
these commits to 'master', starting with commit
7c2b840d6c586f80fe22a862ce4e362c997559a5, but if anyone has further
input on this approach, it's still not too late to change things.

       Thanks,
         Mark



* Re: [PATCHES] ImageMagick security updates without grafting
  2021-03-28  0:01   ` Mark H Weaver
@ 2021-03-28  9:59     ` Maxime Devos
  2021-03-28 21:37       ` Mark H Weaver
  0 siblings, 1 reply; 15+ messages in thread
From: Maxime Devos @ 2021-03-28  9:59 UTC (permalink / raw)
  To: Mark H Weaver, guix-devel

[-- Attachment #1: Type: text/plain, Size: 1185 bytes --]

On Sat, 2021-03-27 at 20:01 -0400, Mark H Weaver wrote:
> [...]
> Maxime wrote:
> > What does ‘guix refresh --list-dependent imagemagick@6.9.11-48’
> > output now?

> When I last checked, it reported on the order of 2400 dependent package
> rebuilds.

I should have written imagemagick@6.9.12-4 here.

> > If there are many dependent packages, could some
> > of them use imagemagick/stable, dblatex/stable or gtk-doc/stable
> > as well?
> 
> Yes, that's exactly the purpose of this patch set.  Although at present,
> the only user of 'imagemagick/stable' is 'dblatex/stable', and the only
> user of 'dblatex/stable' is 'gtk-doc/stable'.

You missed a few packages:
in gnu/packages/mate.scm: search for "gtk-doc".
Also, the (gnu packages imagemagick) import seems
unused.

Looking at the package graph, many packages depend on imagemagick
through python-sphinx, so it may be worthwhile to define a
python-sphinx/stable and use it instead of python-sphinx in the
native-inputs.

I suggest
 guix graph --type=reverse-package imagemagick@6.9.12-4 | dot -Tpdf > a.pdf

to find out if there are more uses for imagemagick/stable.

Greetings,
Maxime.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]


* Re: [PATCHES] ImageMagick security updates without grafting
  2021-03-28  9:59     ` Maxime Devos
@ 2021-03-28 21:37       ` Mark H Weaver
  2021-03-28 22:05         ` Maxime Devos
  2021-03-28 22:33         ` Needed: tooling to detect references to buggy */stable packages (was: Re: [PATCHES] ImageMagick security updates without grafting) Mark H Weaver
  0 siblings, 2 replies; 15+ messages in thread
From: Mark H Weaver @ 2021-03-28 21:37 UTC (permalink / raw)
  To: Maxime Devos, guix-devel

Maxime Devos <maximedevos@telenet.be> writes:

> On Sat, 2021-03-27 at 20:01 -0400, Mark H Weaver wrote:
>> [...]
>> Maxime wrote:
>> > What does ‘guix refresh --list-dependent imagemagick@6.9.11-48’
>> > output now?
>
>> When I last checked, it reported on the order of 2400 dependent package
>> rebuilds.
>
> I should have written imagemagick@6.9.12-4 here.

On my Guix system, after applying my recent patch set, "guix refresh -l
imagemagick" (which refers to imagemagick@6.9.12-4) reports 603
dependent packages.

I see that, according to our guidelines, since this number is greater
than 300, it implies that updates to 'imagemagick' should not be done on
the 'master' branch.

On the other hand, for what it's worth, on my own GNOME system, the
number of rebuilds from my patch set was quite minimal, and *far* less
than the number of rebuilds that I usually need to do when updating my
system to the latest 'master' after just a few days.

I should say that I'm fully in support of having guidelines like this to
limit the number of rebuilds on 'master'.  It's especially important to
me since I never use substitutes, and build everything locally on my
(rather old) Thinkpad X200.

That said, _number_ of dependent packages is not a good measure of what
we should be trying to minimize.  I can build hundreds of 'python-*'
packages in the time it takes to build a single package like 'webkitgtk'
or 'icecat'.

A better measure might try to estimate the total amount of *build time*
suffered by _all_ Guix users, as a result of updating a given package.
That would depend on both (1) the estimated _time_ needed to build the
dependent packages, and (2) the estimated number of users of those
dependent packages, perhaps based on download statistics from our
substitute servers.

>> > If there are many dependent packages, could some
>> > of them use imagemagick/stable, dblatex/stable or gtk-doc/stable
>> > as well?
>> 
>> Yes, that's exactly the purpose of this patch set.  Although at present,
>> the only user of 'imagemagick/stable' is 'dblatex/stable', and the only
>> user of 'dblatex/stable' is 'gtk-doc/stable'.
>
> You missed a few packages:
> in gnu/packages/mate.scm: search for "gtk-doc".
> Also, the (gnu packages imagemagick) import seems
> unused.

I did not attempt to comprehensively change all 'native-inputs'
references of 'gtk-doc' to 'gtk-doc/stable'.  I stopped when the number
of rebuilds on my own GNOME system became quite minimal.  That's why the
summary line of commit 9dea1618755891526f708aa335b4136c1302d16e ends
with the words "selected packages".

However, I see now that we should continue working on this, at least
until we can update 'imagemagick' on 'master' without violating our
guidelines.

> Looking at the package graph, many packages depend on imagemagick
> through python-sphinx, so it may be worthwhile to define a
> python-sphinx/stable and use it instead of python-sphinx in the
> native-inputs.
>
> I suggest
>  guix graph --type=reverse-package imagemagick@6.9.12-4 | dot -Tpdf > a.pdf
>
> to find out if there are more uses for imagemagick/stable.

That's a good idea.  Would you like to work on it?

One thing to be very careful about is to only use 'gtk-doc/stable',
'dblatex/stable', and 'imagemagick/stable' in native-inputs, and
moreover to make sure that no references to these */stable packages
remain in any package outputs.

Of course, if any package retains references to its 'native-inputs',
that's always a bug, but I wouldn't be surprised if such bugs exist in
Guix.  Such bugs might be relatively harmless now (except when
cross-compiling), but they could become a security bug if a package
retains a reference to 'imagemagick/stable'.

On my own system and user profile, which includes GNOME, I'm glad to
report that I have *no* references to 'imagemagick' at all, not even to
its newest release, and that's my strong preference.

     Regards,
       Mark



* Re: [PATCHES] ImageMagick security updates without grafting
  2021-03-28 21:37       ` Mark H Weaver
@ 2021-03-28 22:05         ` Maxime Devos
  2021-03-29 21:28           ` Mark H Weaver
  2021-03-28 22:33         ` Needed: tooling to detect references to buggy */stable packages (was: Re: [PATCHES] ImageMagick security updates without grafting) Mark H Weaver
  1 sibling, 1 reply; 15+ messages in thread
From: Maxime Devos @ 2021-03-28 22:05 UTC (permalink / raw)
  To: Mark H Weaver, guix-devel

[-- Attachment #1: Type: text/plain, Size: 4409 bytes --]

On Sun, 2021-03-28 at 17:37 -0400, Mark H Weaver wrote:
> Maxime Devos <maximedevos@telenet.be> writes:
> 
> > On Sat, 2021-03-27 at 20:01 -0400, Mark H Weaver wrote:
> > > [...]
> > > Maxime wrote:
> > > > What does ‘guix refresh --list-dependent imagemagick@6.9.11-48’
> > > > output now?
> > > When I last checked, it reported on the order of 2400 dependent package
> > > rebuilds.
> > 
> > I should have written imagemagick@6.9.12-4 here.
> 
> On my Guix system, after applying my recent patch set, "guix refresh -l
> imagemagick" (which refers to imagemagick@6.9.12-4) reports 603
> dependent packages.

I had a similar number (after "guix pull").  Looks good.

> I see that, according to our guidelines, since this number is greater
> than 300, it implies that updates to 'imagemagick' should not be done on
> the 'master' branch.
> 
> On the other hand, for what it's worth, on my own GNOME system, the
> number of rebuilds from my patch set was quite minimal, and *far* less
> than the number of rebuilds that I usually need to do when updating my
> system to the latest 'master' after just a few days.
> 
> I should say that I'm fully in support of having guidelines like this to
> limit the number of rebuilds on 'master'.  It's especially important to
> me since I never use substitutes, and build everything locally on my
> (rather old) Thinkpad X200.
> 
> That said, _number_ of dependent packages is not a good measure of what
> we should be trying to minimize.  I can build hundreds of 'python-*'
> packages in the time it takes to build a single package like 'webkitgtk'
> or 'icecat'.
> 
> A better measure might try to estimate the total amount of *build time*
> suffered by _all_ Guix users, as a result of updating a given package.
> That would depend on both (1) the estimated _time_ needed to build the
> dependent packages, and (2) the estimated number of users of those
> dependent packages, perhaps based on download statistics from our
> substitute servers.

That seems a good idea, but something to discuss in a new thread
(or a bug report to make sure it is not forgotten).

> > You missed a few packages:
> > in gnu/packages/mate.scm: search for "gtk-doc".
> > Also, the (gnu packages imagemagick) import seems
> > unused.
> 
> I did not attempt to comprehensively change all 'native-inputs'
> references of 'gtk-doc' to 'gtk-doc/stable'.  I stopped when the number
> of rebuilds on my own GNOME system became quite minimal.  That's why the
> summary line of commit 9dea1618755891526f708aa335b4136c1302d16e ends
> with the words "selected packages".

I have begun writing a patch that changes *all* references of
gtk-doc to gtk-doc/stable (in native-inputs only).

> However, I see now that we should continue working on this, at least
> until we can update 'imagemagick' on 'master' without violating our
> guidelines.
> 
> > Looking at the package graph, many packages depend on imagemagick
> > through python-sphinx, so it may be worthwhile to define a
> > python-sphinx/stable and use it instead of python-sphinx in the
> > native-inputs.
> > 
> > I suggest
> >  guix graph --type=reverse-package imagemagick@6.9.12-4 | dot -Tpdf > a.pdf
> > 
> > to find out if there are more uses for imagemagick/stable.
> 
> That's a good idea.  Would you like to work on it?

Yes.

> One thing to be very careful about is to only use 'gtk-doc/stable',
> 'dblatex/stable', and 'imagemagick/stable' in native-inputs, and
> moreover to make sure that no references to these */stable packages
> remain in any package outputs.
> 
> Of course, if any package retains references to its 'native-inputs',
> that's always a bug, but I wouldn't be surprised if such bugs exist in
> Guix.  Such bugs might be relatively harmless now (except when
> cross-compiling), but they could become a security bug if a package
> retains a reference to 'imagemagick/stable'.

I'll be careful!

> On my own system and user profile, which includes GNOME, I'm glad to
> report that I have *no* references to 'imagemagick' at all, not even to
> its newest release, and that's my strong preference.

Note to self, before I forget how to test this:

guix build $PACKAGES
# maybe guix build $PACKAGES --no-grafts?
guix graph --type=references $PACKAGES
# ^ look in output for "imagemagick".

Greetings,
Maxime.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]


* Needed: tooling to detect references to buggy */stable packages (was: Re: [PATCHES] ImageMagick security updates without grafting)
  2021-03-28 21:37       ` Mark H Weaver
  2021-03-28 22:05         ` Maxime Devos
@ 2021-03-28 22:33         ` Mark H Weaver
  2021-03-29  6:54           ` Maxime Devos
                             ` (2 more replies)
  1 sibling, 3 replies; 15+ messages in thread
From: Mark H Weaver @ 2021-03-28 22:33 UTC (permalink / raw)
  To: Maxime Devos, guix-devel

Earlier, I wrote:
> One thing to be very careful about is to only use 'gtk-doc/stable',
> 'dblatex/stable', and 'imagemagick/stable' in native-inputs, and
> moreover to make sure that no references to these */stable packages
> remain in any package outputs.
>
> Of course, if any package retains references to its 'native-inputs',
> that's always a bug, but I wouldn't be surprised if such bugs exist in
> Guix.  Such bugs might be relatively harmless now (except when
> cross-compiling), but they could become a security bug if a package
> retains a reference to 'imagemagick/stable'.

It occurs to me that we will need some tooling to ensure that no
references to these buggy "*/stable" packages end up in package outputs
that users actually use.  Otherwise, it is likely that sooner or later,
a runtime reference to one of these buggy packages will sneak into our
systems.

An initial idea is that these "*/stable" packages could have a package
property (perhaps named something like 'build-time-only') that indicates
that references to its outputs should not occur within the outputs of
any other package that does not have that same property.

We'd also need to somehow ensure that users don't install these
'build-time-only' packages directly, at least not without an additional
option (e.g. --force-unsafe-build-time-only) to override it.

Additionally, it might be good to issue warnings if 'build-time-only'
packages are not hidden, or if they are found within the 'inputs' or
'propagated-inputs' fields of any package that's not also
'build-time-only'.  Both of these last two checks have loopholes,
however, so they are not reliable indicators.

Thoughts?  Other proposals?

     Regards,
       Mark
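
An added example of what the proposed 'build-time-only' property and its checker could look like; this is not code from the thread and not Guix's own code. The property name, the `imagemagick/build-time-only` variant, the checker and the two constructed consumer packages are assumptions made for the example; only the `(guix packages)` record accessors and the `imagemagick` package are real Guix API.

```scheme
;; Added example, not code from the thread or from Guix: a sketch of the
;; 'build-time-only' property proposed above and a checker that flags packages
;; which pull such a package into 'inputs' or 'propagated-inputs' without
;; carrying the property themselves.  The property name, the checker and the
;; two consumer packages are assumptions made for this example.
(use-modules (guix packages)
             (gnu packages imagemagick)   ; provides 'imagemagick'
             (srfi srfi-1)                ; filter-map
             (ice-9 match))

(define (build-time-only? package)
  "Return true if PACKAGE carries the hypothetical 'build-time-only' property."
  (assq-ref (package-properties package) 'build-time-only))

;; Hypothetical variant of 'imagemagick' marked as acceptable at build time
;; only.  In the real patch set 'imagemagick/stable' is a separate definition;
;; here we only attach the property to illustrate the check.
(define imagemagick/build-time-only
  (package
    (inherit imagemagick)
    (properties `((build-time-only . #t)
                  ,@(package-properties imagemagick)))))

(define (input-packages inputs)
  "Return the package objects found in an input list of the form
((\"label\" package [output]) ...), skipping non-package entries."
  (filter-map (match-lambda
                ((_ (? package? p) . _) p)
                (_ #f))
              inputs))

(define (offending-inputs package)
  "Return the 'build-time-only' packages that PACKAGE references from its
'inputs' or 'propagated-inputs' (native-inputs are allowed), or '() when
PACKAGE is itself 'build-time-only' or references none."
  (if (build-time-only? package)
      '()
      (filter build-time-only?
              (input-packages
               (append (package-inputs package)
                       (package-propagated-inputs package))))))

;; Constructed consumers: 'bad-consumer' keeps the variant as a runtime input,
;; 'good-consumer' only uses it at build time.
(define bad-consumer
  (package
    (inherit imagemagick)                 ; borrow a complete record
    (name "bad-consumer")
    (inputs `(("imagemagick" ,imagemagick/build-time-only)))
    (native-inputs '())))

(define good-consumer
  (package
    (inherit imagemagick)
    (name "good-consumer")
    (inputs '())
    (native-inputs `(("imagemagick" ,imagemagick/build-time-only)))))

;; Report: 'bad-consumer' is flagged, 'good-consumer' passes.
(for-each
 (lambda (p)
   (match (offending-inputs p)
     (()  (format #t "~a: ok~%" (package-name p)))
     (bad (format #t "~a: build-time-only package(s) in runtime inputs: ~a~%"
                  (package-name p) (map package-name bad)))))
 (list bad-consumer good-consumer))
```

Loading this in `guix repl` prints one line per constructed package. As written it only inspects package fields, which is the "linter" half of the proposal and has the loophole noted above (a build phase can still leak a native-input path into an output); the runtime half would have to check actual store references, for instance by adding the flagged packages to the build system's `#:disallowed-references`. To run the field check over the whole tree, `fold-packages` from `(gnu packages)` can feed every package to `offending-inputs`.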



* Re: Needed: tooling to detect references to buggy */stable packages (was: Re: [PATCHES] ImageMagick security updates without grafting)
  2021-03-28 22:33         ` Needed: tooling to detect references to buggy */stable packages (was: Re: [PATCHES] ImageMagick security updates without grafting) Mark H Weaver
@ 2021-03-29  6:54           ` Maxime Devos
  2021-04-04 20:14             ` Mark H Weaver
  2021-03-29 12:43           ` Ricardo Wurmus
  2021-03-30 10:39           ` Needed: tooling to detect references to buggy */stable packages Ludovic Courtès
  2 siblings, 1 reply; 15+ messages in thread
From: Maxime Devos @ 2021-03-29  6:54 UTC (permalink / raw)
  To: Mark H Weaver, guix-devel

[-- Attachment #1: Type: text/plain, Size: 3691 bytes --]

On Sun, 2021-03-28 at 18:33 -0400, Mark H Weaver wrote:
> Earlier, I wrote:
> > One thing to be very careful about is to only use 'gtk-doc/stable',
> > 'dblatex/stable', and 'imagemagick/stable' in native-inputs, and
> > moreover to make sure that no references to these */stable packages
> > remain in any package outputs.
> > 
> > Of course, if any package retains references to its 'native-inputs',
> > that's always a bug, but I wouldn't be surprised if such bugs exist in
> > Guix.  Such bugs might be relatively harmless now (except when
> > cross-compiling), but they could become a security bug if a package
> > retains a reference to 'imagemagick/stable'.

It just occurred to me: could we automatically add all native-inputs
to #:disallowed-references when cross-compiling?  This shouldn't break
any packages, except possibly when cross-compiling.

Or stronger, add all native-inputs to #:disallowed-references (unless
they are also in inputs or propagated-inputs), even when compiling
natively?

Problems include:
* I guess a world rebuild, as the derivations would be different.
* In some places we have the following pattern:

    (native-inputs
     `(("autoconf" ,autoconf)
       ("automake" ,automake)
       ("pkg-config" ,pkg-config)
       ,@(if (%current-target-system)
             `(("guile" ,guile-3.0))   ;for 'guild compile' and 'guile-3.0.pc'
             '())))
    (inputs
     `(("guile" ,guile-3.0)
       ("lzlib" ,lzlib)))
    (synopsis "Guile bindings to lzlib")

  The (if (%current-target-system) ...) would need to be made unconditional.
* I guess an option to disable this behaviour might be useful.

> It occurs to me that we will need some tooling to ensure that no
> references to these buggy "*/stable" packages end up in package outputs
> that users actually use.  Otherwise, it is likely that sooner or later,
> a runtime reference to one of these buggy packages will sneak in to our
> systems.
> 
> An initial idea is that these "*/stable" packages could have a package
> property (perhaps named something like 'build-time-only') that indicates
> that references to its outputs should not occur within the outputs of
> any other package that does not have that same property.

Would this be (a) something enforced by the build process (using
#:disallowed-references or #:allowed-references), or (b) a linter?

> We'd also need to somehow ensure that users don't install these
> 'build-time-only' packages directly, at least not without an additional
> option (e.g. --force-unsafe-build-time-only) to override it.

What about a developer running "guix environment eom"?  IIUC, this would
make the developer vulnerable (at least, once I've gotten around replacing
the 'gtk-doc' input with 'gtk-doc/stable'), so it might make sense to
replace /stable -> unstable packages here.

However, now the developer ends up with a different set of packages than
will be seen in the build environment ...

> Additionally, it might be good to issue warnings if 'build-time-only'
> packages are not hidden,

This seems good to me.  This should prevent
"guix install imagemagick@bad-version".

>  or if they are found within the 'inputs' or
> 'propagated-inputs' fields of any package that's not also
> 'build-time-only'.  Both of these last two checks have loopholes,
> however, so they are not reliable indicators.

But these (automatic "guix lint") checks could still catch many
problems in practice before they are committed!  

> Thoughts?  Other proposals?

Is this something you will be writing "guix lint" checkers (or other
checkers) for yourself?

Greetings,
Maxime.



* Re: Needed: tooling to detect references to buggy */stable packages (was: Re: [PATCHES] ImageMagick security updates without grafting)
  2021-03-28 22:33         ` Needed: tooling to detect references to buggy */stable packages (was: Re: [PATCHES] ImageMagick security updates without grafting) Mark H Weaver
  2021-03-29  6:54           ` Maxime Devos
@ 2021-03-29 12:43           ` Ricardo Wurmus
  2021-03-30 10:39           ` Needed: tooling to detect references to buggy */stable packages Ludovic Courtès
  2 siblings, 0 replies; 15+ messages in thread
From: Ricardo Wurmus @ 2021-03-29 12:43 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel


Mark H Weaver <mhw@netris.org> writes:

> Earlier, I wrote:
>> One thing to be very careful about is to only use 'gtk-doc/stable',
>> 'dblatex/stable', and 'imagemagick/stable' in native-inputs, and
>> moreover to make sure that no references to these */stable packages
>> remain in any package outputs.
>>
>> Of course, if any package retains references to its 'native-inputs',
>> that's always a bug, but I wouldn't be surprised if such bugs exist in
>> Guix.  Such bugs might be relatively harmless now (except when
>> cross-compiling), but they could become a security bug if a package
>> retains a reference to 'imagemagick/stable'.
>
> It occurs to me that we will need some tooling to ensure that no
> references to these buggy "*/stable" packages end up in package outputs
> that users actually use.  Otherwise, it is likely that sooner or later,
> a runtime reference to one of these buggy packages will sneak in to our
> systems.

The gnu-build-system takes a keyword #:disallowed-references that could
be used here.

-- 
Ricardo



* Re: [PATCHES] ImageMagick security updates without grafting
  2021-03-28 22:05         ` Maxime Devos
@ 2021-03-29 21:28           ` Mark H Weaver
  2021-03-30 22:23             ` Mark H Weaver
  0 siblings, 1 reply; 15+ messages in thread
From: Mark H Weaver @ 2021-03-29 21:28 UTC (permalink / raw)
  To: Maxime Devos, guix-devel

Hi Maxime,

Maxime Devos <maximedevos@telenet.be> writes:

> On Sun, 2021-03-28 at 17:37 -0400, Mark H Weaver wrote:
>> One thing to be very careful about is to only use 'gtk-doc/stable',
>> 'dblatex/stable', and 'imagemagick/stable' in native-inputs, and
>> moreover to make sure that no references to these */stable packages
>> remain in any package outputs.
>> 
>> Of course, if any package retains references to its 'native-inputs',
>> that's always a bug, but I wouldn't be surprised if such bugs exist in
>> Guix.  Such bugs might be relatively harmless now (except when
>> cross-compiling), but they could become a security bug if a package
>> retains a reference to 'imagemagick/stable'.
>
> I'll be careful!
>
>> On my own system and user profile, which includes GNOME, I'm glad to
>> report that I have *no* references to 'imagemagick' at all, not even to
>> its newest release, and that's my strong preference.
>
> Note to self, before I forget how to test this:
>
> guix build $PACKAGES
> # maybe guix build $PACKAGES --no-grafts?
> guix graph --type=references $PACKAGES
> # ^ look in output for "imagemagick".

For the record, it seems that this command gives false positives.  As
pointed out in <https://bugs.gnu.org/47479>, the output of that command
suggests that 'inkscape' retains references to 'imagemagick', but that
turns out to be false, at least on my system.

I suppose the behavior of "guix graph" here makes sense, and is likely
_not_ a bug, because IIUC "guix graph" does its work without requiring
'imagemagick' to be built, and therefore it cannot know whether
imagemagick's build system would retain a reference to a native-input
during its build process.  IMO, it would be inappropriate for "guix
graph" to *assume* that references to native-inputs will not be retained.

The tool I expect to be reliable here is "guix gc -R".  For example, I
check for references to 'imagemagick' in my system and user profiles
with the following commands:

--8<---------------cut here---------------start------------->8---
mhw@jojen ~$ guix gc -R $(readlink /run/current-system) | grep -i imagemagick
mhw@jojen ~$ guix gc -R $(readlink -f ~/.guix-profile) | grep -i imagemagick
--8<---------------cut here---------------end--------------->8---

     Thanks,
       Mark



* Re: Needed: tooling to detect references to buggy */stable packages
  2021-03-28 22:33         ` Needed: tooling to detect references to buggy */stable packages (was: Re: [PATCHES] ImageMagick security updates without grafting) Mark H Weaver
  2021-03-29  6:54           ` Maxime Devos
  2021-03-29 12:43           ` Ricardo Wurmus
@ 2021-03-30 10:39           ` Ludovic Courtès
  2021-04-04 19:54             ` Mark H Weaver
  2 siblings, 1 reply; 15+ messages in thread
From: Ludovic Courtès @ 2021-03-30 10:39 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

Hi,

Mark H Weaver <mhw@netris.org> skribis:

> It occurs to me that we will need some tooling to ensure that no
> references to these buggy "*/stable" packages end up in package outputs
> that users actually use.  Otherwise, it is likely that sooner or later,
> a runtime reference to one of these buggy packages will sneak in to our
> systems.

Couldn’t we use #:disallowed-references for this?

Thanks,
Ludo’.



* Re: [PATCHES] ImageMagick security updates without grafting
  2021-03-29 21:28           ` Mark H Weaver
@ 2021-03-30 22:23             ` Mark H Weaver
  0 siblings, 0 replies; 15+ messages in thread
From: Mark H Weaver @ 2021-03-30 22:23 UTC (permalink / raw)
  To: Maxime Devos, guix-devel

Mark H Weaver <mhw@netris.org> writes:

> Maxime Devos <maximedevos@telenet.be> writes:
>
>> guix build $PACKAGES
>> # maybe guix build $PACKAGES --no-grafts?
>> guix graph --type=references $PACKAGES
>> # ^ look in output for "imagemagick".
>
> For the record, it seems that this command gives false positives.

Sorry, I was mistaken here.  That command appears to be reliable for
this purpose.

> As pointed out in <https://bugs.gnu.org/47479>, the output of that
> command suggests that 'inkscape' retains references to 'imagemagick',
> but that turns out to be false, at least on my system.

It turns out we were talking about two different versions of 'inkscape'.
I was confused by the fact that our 'inkscape' variable points to an
older version of inkscape than "inkscape" selects on the command line.

Anyway, it turns out that inkscape@1.0.2 improperly retains a reference
to its native-input 'imagemagick', but inkscape@0.92.4 does not.
See <https://bugs.gnu.org/47479> for more.

> I suppose the behavior of "guix graph" here makes sense, and is likely
> _not_ a bug, because IIUC "guix graph" does its work without requiring
> 'imagemagick' to be built,

What I wrote is true for many of the graph types supported by "guix
graph", but not when "--type=references" is passed.
Sorry for the confusion.

       Mark



* Re: Needed: tooling to detect references to buggy */stable packages
  2021-03-30 10:39           ` Needed: tooling to detect references to buggy */stable packages Ludovic Courtès
@ 2021-04-04 19:54             ` Mark H Weaver
  0 siblings, 0 replies; 15+ messages in thread
From: Mark H Weaver @ 2021-04-04 19:54 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> Mark H Weaver <mhw@netris.org> skribis:
>
>> It occurs to me that we will need some tooling to ensure that no
>> references to these buggy "*/stable" packages end up in package outputs
>> that users actually use.  Otherwise, it is likely that sooner or later,
>> a runtime reference to one of these buggy packages will sneak in to our
>> systems.
>
> Couldn’t we use #:disallowed-references for this?

Yes, but it would be suboptimal because we would have to remember to
explicitly add #:disallowed-references to every package that uses these
*/stable packages but is not itself a */stable package.

The number of packages that would need to be annotated with
#:disallowed-references is a couple of orders of magnitude larger than
the number of */stable packages that would need to be annotated with a
'build-time-only' flag.

Part of the motivation behind this proposed tooling is to avoid simple
mistakes leading to buggy code on our systems.  For example, given the
large number of packages that could use 'gtk-doc/stable', I think it's
quite likely that people will start adding 'gtk-doc/stable' to other
packages (mimicking what they see from existing packages), and might
forget to add the associated #:disallowed-references annotations.

Ideally, the 'build-time-only' flags would be used to automatically
generate a set of _implicit_ #:disallowed-references for each package,
to be added to the explicitly given ones.

More concretely: the implicit #:disallowed-references for packages
marked 'build-time-only' would be empty.  For other packages, it would
include all outputs of all 'native-inputs' and 'inputs' (and ideally
including implicit inputs) that are marked as 'build-time-only'.

What do you think?

      Thanks,
        Mark



* Re: Needed: tooling to detect references to buggy */stable packages (was: Re: [PATCHES] ImageMagick security updates without grafting)
  2021-03-29  6:54           ` Maxime Devos
@ 2021-04-04 20:14             ` Mark H Weaver
  2021-04-05  9:53               ` Maxime Devos
  0 siblings, 1 reply; 15+ messages in thread
From: Mark H Weaver @ 2021-04-04 20:14 UTC (permalink / raw)
  To: Maxime Devos, guix-devel

Hi Maxime,

Maxime Devos <maximedevos@telenet.be> writes:

> On Sun, 2021-03-28 at 18:33 -0400, Mark H Weaver wrote:
>> Earlier, I wrote:
>> > One thing to be very careful about is to only use 'gtk-doc/stable',
>> > 'dblatex/stable', and 'imagemagick/stable' in native-inputs, and
>> > moreover to make sure that no references to these */stable packages
>> > remain in any package outputs.
>> > 
>> > Of course, if any package retains references to its 'native-inputs',
>> > that's always a bug, but I wouldn't be surprised if such bugs exist in
>> > Guix.  Such bugs might be relatively harmless now (except when
>> > cross-compiling), but they could become a security bug if a package
>> > retains a reference to 'imagemagick/stable'.
>
> It just occurred to me: could we automatically add all native-inputs
> to #:disallowed-references when cross-compiling?  This shouldn't break
> any packages, except possibly when cross-compiling.
>
> Or stronger, add all native-inputs to #:disallowed-references (unless
> they are also in inputs or propagated-inputs), even when compiling
> natively?

Yes, I think this is a good idea and worth considering.  However, we'd
need to consider the case where the same package is in both 'inputs' and
'native-inputs'.  When cross-compiling, it's no problem, because the
same package in those two fields will lead to distinct output paths,
since they are compiled for different systems.  However, when compiling
natively, the outputs of packages occurring in both 'inputs' and
'native-inputs' should *not* be implicitly included in
#:disallowed-references.

> Problems include:
> * I guess a world rebuild, as the derivations would be different.

Indeed!

> * In some places we have the following pattern:
>
>     (native-inputs
>      `(("autoconf" ,autoconf)
>        ("automake" ,automake)
>        ("pkg-config" ,pkg-config)
>        ,@(if (%current-target-system)
>              `(("guile" ,guile-3.0))   ;for 'guild compile' and 'guile-3.0.pc'
>              '())))
>     (inputs
>      `(("guile" ,guile-3.0)
>        ("lzlib" ,lzlib)))
>     (synopsis "Guile bindings to lzlib")
>
>   The (if (%current-target-system) ...) would need to be made unconditional.

I don't understand this.  Why would it need to be made unconditional?

> * I guess an option to disable this behaviour might be useful.
>
>> It occurs to me that we will need some tooling to ensure that no
>> references to these buggy "*/stable" packages end up in package outputs
>> that users actually use.  Otherwise, it is likely that sooner or later,
>> a runtime reference to one of these buggy packages will sneak in to our
>> systems.
>> 
>> An initial idea is that these "*/stable" packages could have a package
>> property (perhaps named something like 'build-time-only') that indicates
>> that references to its outputs should not occur within the outputs of
>> any other package that does not have that same property.
>
> Would this be (a) something enforced by the build process (using
> #:disallowed-references or #:allowed-references), or (b) a linter?

I would prefer option (a) above.
  
>> We'd also need to somehow ensure that users don't install these
>> 'build-time-only' packages directly, at least not without an additional
>> option (e.g. --force-unsafe-build-time-only) to override it.
>
> What about a developer running "guix environment eom"?  IIUC, this would
> make the developer vulnerable (at least, once I've gotten around replacing
> the 'gtk-doc' input with 'gtk-doc/stable'), so it might make sense to
> replace /stable -> unstable packages here.
>
> However, now the developer ends up with a different set of packages than
> will be seen in the build environment ...

That's an excellent point, for which I don't have any good answer.
I'm open to suggestions.

> Is this something you will be writing "guix lint" checkers (or other
> checkers) for yourself?

At the present time, I'm more inclined to add machinery to automatically
add _implicit_ #:disallowed-references, to enforce this checking at
package build time.  This would require rebuilding everything that
depends on a '*/stable' package, which means that this kind of tooling
could not be applied directly to 'master', but would need to go through
'staging'.

What do you think?

    Thanks,
      Mark



* Re: Needed: tooling to detect references to buggy */stable packages (was: Re: [PATCHES] ImageMagick security updates without grafting)
  2021-04-04 20:14             ` Mark H Weaver
@ 2021-04-05  9:53               ` Maxime Devos
  0 siblings, 0 replies; 15+ messages in thread
From: Maxime Devos @ 2021-04-05  9:53 UTC (permalink / raw)
  To: Mark H Weaver, guix-devel


On Sun, 2021-04-04 at 16:14 -0400, Mark H Weaver wrote:
> Maxime Devos wrote:
> > * In some places we have the following pattern:
> > 
> >   [...]
> I don't understand this.  Why would it need to be made unconditional?

I don't understand either anymore.

> [...]
>
> At the present time, I'm more inclined to add machinery to automatically
> add _implicit_ #:disallowed-references, to enforce this checking at
> package build time.  This would require rebuilding everything that
> depends on a '*/stable' package, which means that this kind of tooling
> could not be applied directly to 'master', but would need to go through
> 'staging'.

That seems good to me.  I believe the current plan is:

* Add a 'stable' property to the gtk-doc/stable, dblatex/stable ... packages.
* Change gnu-build-system, glib-or-gtk-build-system ... to implicitly add
  packages in inputs, propagated-inputs or native-inputs that have the 'stable'
  property to #:disallowed-references, unless the package that is being built is
  a 'stable' package itself.

And an idea for the future is:

* Implicitly add all packages in native-inputs to #:disallowed-references,
  unless they are in inputs or propagated-inputs as well.
* Verify everything still works well (when cross-compiling and when compiling
  natively), and fix breakage.

Greetings,
Maxime.


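As an added example (not code from Guix or from anyone in this thread), here is how the two rules discussed above could be computed in Guile: Mark's implicit #:disallowed-references derived from a 'build-time-only' property, and Maxime's stronger future rule of disallowing native-inputs that are not also run-time inputs, with Mark's caveat for native builds. The functions and the names ending in `*` are hypothetical; `hello` and `imagemagick` are the real Guix packages, and the input lists use the 2021-style `("label" ,pkg)` form.

```scheme
;; Added example; hypothetical helpers, not part of Guix.
(use-modules (guix packages)
             (gnu packages base)          ; hello
             (gnu packages imagemagick)   ; imagemagick
             (ice-9 match)
             (srfi srfi-1)
             (srfi srfi-26))

;; Pull the package objects out of an input list: ("label" pkg [output]).
;; Non-package entries (origins, file-likes) are skipped.
(define (input-list-packages inputs)
  (filter-map (match-lambda
                ((_ (? package? p) . _) p)
                (_ #f))
              inputs))

(define (build-time-only? package)
  "True if PACKAGE carries the proposed 'build-time-only property."
  (assq-ref (package-properties package) 'build-time-only))

(define (implicit-disallowed-references package)
  "Packages to add implicitly to #:disallowed-references when building
PACKAGE: every build-time-only package among its native-inputs, inputs
and propagated-inputs, unless PACKAGE is itself build-time-only."
  (if (build-time-only? package)
      '()
      (delete-duplicates
       (filter build-time-only?
               (input-list-packages
                (append (package-native-inputs package)
                        (package-inputs package)
                        (package-propagated-inputs package))))
       eq?)))

(define (native-only-inputs package)
  "The stronger rule: native-inputs that are not also in inputs or
propagated-inputs.  When compiling natively the same package in both
fields yields the same store path, so those must not be disallowed."
  (let ((run-time (input-list-packages
                   (append (package-inputs package)
                           (package-propagated-inputs package)))))
    (delete-duplicates
     (remove (cut memq <> run-time)
             (input-list-packages (package-native-inputs package)))
     eq?)))

;; Demo: a hypothetical */stable variant marked with the property, used as
;; a native-input by a consumer.  Both are constructed here for the demo.
(define imagemagick/stable*
  (package (inherit imagemagick)
           (properties `((build-time-only . #t)
                         ,@(package-properties imagemagick)))))

(define consumer*
  (package (inherit hello)
           (native-inputs `(("imagemagick" ,imagemagick/stable*)
                            ("hello" ,hello)))
           (inputs `(("hello" ,hello)))))

;; Only imagemagick is flagged by both rules; hello appears in inputs too,
;; and the stable package itself gets an empty implicit set.
(format #t "implicit: ~a~%"
        (map package-name (implicit-disallowed-references consumer*)))
(format #t "native-only: ~a~%"
        (map package-name (native-only-inputs consumer*)))
(format #t "stable itself: ~a~%"
        (implicit-disallowed-references imagemagick/stable*))
```

A build system would splice the result into its `#:disallowed-references` argument alongside any explicitly given ones; a build that retains a path to a disallowed package then fails at build time rather than shipping the reference.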
