[bug#74035] [PATCH 00/24] [security fixes] for near-leaf packages

[bug#74035] [PATCH 00/24] [security fixes] for near-leaf packages

[Nicolas Graves via Guix-patches via]

This patch series adds updates and security fixes for packages that
have less than 10 dependent packages.

Nicolas Graves (24):
  gnu: python-django-4.2: Update to 4.2.16. [security fixes]
  gnu: maradns: Update to 3.5.0036. [security fixes]
  gnu: maradns: Improve style.
  gnu: libmobi: Update to 0.12. [security fixes]
  gnu: bart: Update to 0.9.00. [security fixes]
  gnu: wireshark: Update to 4.4.1. [security fixes]
  gnu: pam-u2f: Update to 1.3.0. [security fixes]
  gnu: darkhttpd: Update to 1.16. [security fixes]
  gnu: xlsxio: Update to 0.2.35. [security fixes]
  gnu: pypy: Update to 7.3.17. [security fixes]
  gnu: indent: Remove uneeded arguments.
  gnu: indent: Add patch for CVE-2024-0911. [security fixes]
  gnu: squashfs-tools: Update to 4.6.1. [security fixes]
  gnu: shapelib: Update to 1.6.1. [security fixes]
  gnu: libzapojit: Update to 0.0.3-1.99d49ba. [security fixes]
  gnu: gifsicle: Update to 1.95. [security fixes]
  gnu: sendmail: Update to 8.18.1. [security fixes]
  gnu: openvpn: Update to 2.6.12. [security fixes]
  gnu: youtube-dl: Deprecate package.
  gnu: liblouis: Update to 3.31.0. [security fixes]
  gnu: unicorn: Update to 2.1.1. [security fixes]
  gnu: Add sexpp.
  gnu: rnp: Update to 0.17.1. [security fixes]
  gnu: cjson: Update to 1.7.18. [security fixes]

 gnu/local.mk                                  |  1 +
 gnu/packages/code.scm                         | 31 +-------
 gnu/packages/compression.scm                  | 52 ++++++-------
 gnu/packages/django.scm                       |  8 +-
 gnu/packages/dns.scm                          | 64 ++++++++--------
 gnu/packages/ebook.scm                        |  4 +-
 gnu/packages/emulators.scm                    |  9 ++-
 gnu/packages/geo.scm                          |  8 +-
 gnu/packages/gnome.scm                        | 45 ++++++-----
 gnu/packages/image-processing.scm             |  8 +-
 gnu/packages/image.scm                        |  4 +-
 gnu/packages/javascript.scm                   |  4 +-
 gnu/packages/language.scm                     | 47 ++++++------
 gnu/packages/mail.scm                         |  5 +-
 gnu/packages/networking.scm                   |  4 +-
 gnu/packages/openpgp.scm                      | 76 +++++++++++++------
 .../patches/indent-CVE-2024-0911.patch        | 61 +++++++++++++++
 gnu/packages/pypy.scm                         |  4 +-
 gnu/packages/security-token.scm               |  9 +--
 gnu/packages/video.scm                        |  3 +-
 gnu/packages/vpn.scm                          |  4 +-
 gnu/packages/web.scm                          | 24 +++---
 gnu/packages/xml.scm                          |  4 +-
 23 files changed, 278 insertions(+), 201 deletions(-)
 create mode 100644 gnu/packages/patches/indent-CVE-2024-0911.patch

-- 
2.46.0

[bug#74035] [PATCH 01/24] gnu: python-django-4.2: Update to 4.2.16. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2024-24680, CVE-2024-41989, CVE-2024-41990,
CVE-2024-41991, CVE-2024-42005, CVE-2024-45230, CVE-2024-45231,
CVE-2023-43665 and CVE-2023-46695.

* gnu/packages/django.scm (python-django-4.2): Update to 4.2.16.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/django.scm | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/django.scm b/gnu/packages/django.scm
index 4404c8368d..4cf043f7c1 100644
--- a/gnu/packages/django.scm
+++ b/gnu/packages/django.scm
@@ -57,13 +57,13 @@ (define-module (gnu packages django)
 (define-public python-django-4.2
   (package
     (name "python-django")
-    (version "4.2.5")
+    (version "4.2.16")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "Django" version))
               (sha256
                (base32
-                "1ha6c5j3pizbsfzw37r52lvdz8z5lblq4iwa99mpkdzz92aiqp2y"))))
+                "1b8xgwg3gjr974j60x3vgcpp85cg5dwhzqdpdbl8qh3cg311c5kg"))))
     (build-system pyproject-build-system)
     (arguments
      '(#:test-flags
@@ -140,7 +140,9 @@ (define-public python-django-4.2
 any Web site.  Django focuses on automating as much as possible and adhering
 to the @dfn{don't repeat yourself} (DRY) principle.")
     (license license:bsd-3)
-    (properties `((cpe-name . "django")))))
+    (properties `((cpe-name . "django")
+                  ;; This CVE seems fixed since 4.2.1.
+                  (lint-hidden-cve . ("CVE-2023-31047"))))))
 
 (define-public python-django-3.2
   (package
-- 
2.46.0

[bug#74035] [PATCH 02/24] gnu: maradns: Update to 3.5.0036. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-31137.

* gnu/packages/dns.scm (maradns): Update to 3.5.0036.
[properties]: Add release-monitoring-url property.
---
 gnu/packages/dns.scm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index e911a142ef..bd2df30f01 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -1181,7 +1181,7 @@ (define-public public-suffix-list
 (define-public maradns
   (package
     (name "maradns")
-    (version "3.5.0022")
+    (version "3.5.0036")
     (source
      (origin
        (method url-fetch)
@@ -1189,7 +1189,7 @@ (define-public maradns
                            (version-major+minor version) "/"
                            version "/maradns-" version ".tar.xz"))
        (sha256
-        (base32 "1sw267jxxxngjcar8cj3jpxnpiz0szgkhlz5l46c67qs690w9kdi"))))
+        (base32 "185kl7zfvnwzfpyxbzpwck13m468av74kbqijp0s4v33iicfpnvc"))))
     (build-system gnu-build-system)
     (arguments
      `(#:tests? #f                      ; need to be root to run tests
@@ -1226,6 +1226,8 @@ (define-public maradns
     (description "MaraDNS is a small and lightweight DNS server.  MaraDNS
 consists of a UDP-only authoritative DNS server for hosting domains, and a UDP
 and TCP-capable recursive DNS server for finding domains on the internet.")
+    (properties '((release-monitoring-url
+                   . "https://maradns.samiam.org/download.html")))
     (license license:bsd-2)))
 
 (define-public openresolv
-- 
2.46.0

[bug#74035] [PATCH 03/24] gnu: maradns: Improve style.

[Nicolas Graves via Guix-patches via]

* gnu/packages/dns.scm (maradns)[arguments]: Use gexps.
---
 gnu/packages/dns.scm | 58 ++++++++++++++++++++++----------------------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index bd2df30f01..7a78fb0308 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -1192,35 +1192,35 @@ (define-public maradns
         (base32 "185kl7zfvnwzfpyxbzpwck13m468av74kbqijp0s4v33iicfpnvc"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:tests? #f                      ; need to be root to run tests
-       #:make-flags
-       (list
-        ,(string-append "CC=" (cc-for-target))
-        (string-append "PREFIX=" %output)
-        (string-append "RPM_BUILD_ROOT=" %output))
-       #:phases
-       (modify-phases %standard-phases
-         (replace 'configure
-           (lambda* (#:key native-inputs target #:allow-other-keys)
-             ;; make_32bit_tables generates a header file that is used during
-             ;; compilation. Hence, during cross compilation, it should be
-             ;; built for the host system.
-             (when target
-               (substitute* "rng/Makefile"
-                 (("\\$\\(CC\\) -o make_32bit_tables")
-                  (string-append (assoc-ref native-inputs "gcc")
-                                 "/bin/gcc -o make_32bit_tables"))))
-             (invoke "./configure")))
-         (add-before 'install 'create-install-directories
-           (lambda* (#:key outputs #:allow-other-keys)
-             (let ((out (assoc-ref outputs "out")))
-               (for-each (lambda (dir)
-                           (mkdir-p (string-append out dir)))
-                         (list "/bin" "/sbin" "/etc"
-                               "/share/man/man1"
-                               "/share/man/man5"
-                               "/share/man/man8"))
-               #t))))))
+     (list
+      #:tests? #f                      ; need to be root to run tests
+      #:make-flags
+      #~(list
+         (string-append "CC=" #$(cc-for-target))
+         (string-append "PREFIX=" #$output)
+         (string-append "RPM_BUILD_ROOT=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (replace 'configure
+            (lambda* (#:key native-inputs target #:allow-other-keys)
+              ;; make_32bit_tables generates a header file that is used during
+              ;; compilation. Hence, during cross compilation, it should be
+              ;; built for the host system.
+              (when target
+                (substitute* "rng/Makefile"
+                  (("\\$\\(CC\\) -o make_32bit_tables")
+                   (string-append (search-input-file native-inputs "/bin/gcc")
+                                  " -o make_32bit_tables"))))
+              ;; ./configure doesn't support default flags
+              (invoke "./configure")))
+          (add-before 'install 'create-install-directories
+            (lambda _
+              (for-each (lambda (dir)
+                          (mkdir-p (string-append #$output dir)))
+                        (list "/bin" "/sbin" "/etc"
+                              "/share/man/man1"
+                              "/share/man/man5"
+                              "/share/man/man8")))))))
     (home-page "https://maradns.samiam.org")
     (synopsis "Small lightweight DNS server")
     (description "MaraDNS is a small and lightweight DNS server.  MaraDNS
-- 
2.46.0

[bug#74035] [PATCH 04/24] gnu: libmobi: Update to 0.12. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2022-1533, CVE-2022-1534, CVE-2022-1907, CVE-2022-1908,
CVE-2022-1987, CVE-2022-2279, CVE-2022-29788, CVE-2021-3751,
CVE-2021-3881, CVE-2021-3888 and CVE-2021-3889.

* gnu/packages/ebook.scm (libmobi): Update to 0.12.
---
 gnu/packages/ebook.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ebook.scm b/gnu/packages/ebook.scm
index dc30c98fdf..bf8dcfad09 100644
--- a/gnu/packages/ebook.scm
+++ b/gnu/packages/ebook.scm
@@ -648,7 +648,7 @@ (define-public xchm
 (define-public libmobi
   (package
     (name "libmobi")
-    (version "0.6")
+    (version "0.12")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -657,7 +657,7 @@ (define-public libmobi
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "0yps72cm609xn2k7alflkdhp9kgr1w7zzyxjygz0n1kqrdcplihh"))))
+                "0cwya9n0rd97ai0fcqjwq7b3sjzigf3ywp7bnkbbw541f3knpds9"))))
     (build-system gnu-build-system)
     (native-inputs
      (list autoconf automake libtool))
-- 
2.46.0

[bug#74035] [PATCH 05/24] gnu: bart: Update to 0.9.00. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes bart reproducibility and CVE-2022-45387.

* gnu/packages/image-processing.scm (bart): Update to 0.9.00.
---
 gnu/packages/image-processing.scm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/image-processing.scm b/gnu/packages/image-processing.scm
index a79eaf6aed..3a7c67362f 100644
--- a/gnu/packages/image-processing.scm
+++ b/gnu/packages/image-processing.scm
@@ -115,20 +115,19 @@ (define-module (gnu packages image-processing)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-1))
 
-;; TODO: this is not reproducible.
 (define-public bart
   (package
     (name "bart")
-    (version "0.8.00")
+    (version "0.9.00")
     (source
      (origin
        (method git-fetch)
        (uri (git-reference
              (url "https://github.com/mrirecon/bart")
-             (commit "eacc67b95cf128487ecc48f0e6541ea4dca08818")))
+             (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "05lcf7c3g7ms5h82bw1mi4kzkdv5wpqi1zrfhqfkgbcpd3irj6aq"))))
+        (base32 "0mj6jmw31rsnvqmpfqahhj4cy9iv5xgrhzmcsrikdz5dgd45lmjz"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -140,6 +139,7 @@ (define-public bart
                       "OPENBLAS=1"
                       "SCALAPACK=1"
                       (string-append "BLAS_BASE=" #$(this-package-input "openblas"))
+                      (string-append "CC=" #$(cc-for-target))
                       (string-append "FFTW_BASE=" #$(this-package-input "fftw")))
       #:parallel-build? #false ;leads to non-deterministic output
       #:phases
-- 
2.46.0

[bug#74035] [PATCH 06/24] gnu: wireshark: Update to 4.4.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2024-9780.

* gnu/packages/networking.scm (wireshark): Update to 4.4.1.
---
 gnu/packages/networking.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 7ed011a7f4..31b72f1104 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -1805,14 +1805,14 @@ (define-public whois
 (define-public wireshark
   (package
     (name "wireshark")
-    (version "4.4.0")
+    (version "4.4.1")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "https://www.wireshark.org/download/src/wireshark-"
                            version ".tar.xz"))
        (sha256
-        (base32 "0s8jqxcvq7ibfsq8v4scl8dq7y5hqgpivq4iw9y2x6jj136cvmga"))))
+        (base32 "1v2nflm8rdifc6pwlzn1ciz22wl15zwkqs3r7gjw60kh59brd7ib"))))
     (build-system qt-build-system)
     (arguments
      (list
-- 
2.46.0

[bug#74035] [PATCH 07/24] gnu: pam-u2f: Update to 1.3.0. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2021-31924.

* gnu/packages/security-token.scm (pam-u2f): Update to 1.3.0.
[inputs]: Add libfido2, openssl. Remove libu2f-host, libu2f-server.
[native-inputs]: Sort packages.
---
 gnu/packages/security-token.scm | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/security-token.scm b/gnu/packages/security-token.scm
index 5abb461c0c..156a7d5e28 100644
--- a/gnu/packages/security-token.scm
+++ b/gnu/packages/security-token.scm
@@ -682,7 +682,7 @@ (define-public libu2f-server
 (define-public pam-u2f
   (package
     (name "pam-u2f")
-    (version "1.0.8")
+    (version "1.3.0")
     (source (origin
               (method git-fetch)
               (uri
@@ -691,17 +691,16 @@ (define-public pam-u2f
                 (commit (string-append "pam_u2f-" version))))
               (file-name (git-file-name name version))
               (sha256
-               (base32
-                "04d9davyi33gqbvga1rvh9fijp6f16mx2xmnn4n61rnhcn2jac98"))))
+               (base32 "1swvys98mw7ailllgqicvhj315qajhvqrmm314cp3bj0l76s9qpv"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
        (list (string-append "--with-pam-dir="
                             (assoc-ref %outputs "out") "/lib/security"))))
     (inputs
-     (list libu2f-host libu2f-server linux-pam))
+     (list libfido2 linux-pam openssl))
     (native-inputs
-     (list autoconf automake libtool asciidoc pkg-config))
+     (list asciidoc autoconf automake libtool pkg-config))
     (home-page "https://developers.yubico.com/pam-u2f/")
     (synopsis "PAM module for U2F authentication")
     (description
-- 
2.46.0

[bug#74035] [PATCH 08/24] gnu: darkhttpd: Update to 1.16. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2024-23770 and CVE-2024-23771.

* gnu/packages/web.scm (darkhttpd): Update to 1.16.
[arguments]: Improve style.
---
 gnu/packages/web.scm | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 34739bf088..eb27d3448c 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -6417,7 +6417,7 @@ (define-public surfraw
 (define-public darkhttpd
   (package
     (name "darkhttpd")
-    (version "1.13")
+    (version "1.16")
     (source
      (origin
        (method git-fetch)
@@ -6426,20 +6426,18 @@ (define-public darkhttpd
              (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "0w11xq160q9yyffv4mw9ncp1n0dl50d9plmwxb0yijaaxls9i4sk"))))
+        (base32 "15mmq1v8p50mm9wx5w6g4rlr40b7d044lw7rs1wyzdiw9lcnihvm"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags
-       (list (string-append "CC=" ,(cc-for-target)))
-       #:tests? #f ; No test suite
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure)            ; no configure script
-         (replace 'install
-           (lambda* (#:key outputs #:allow-other-keys)
-             (install-file "darkhttpd"
-                           (string-append (assoc-ref outputs "out")
-                                          "/bin")))))))
+     (list
+      #:make-flags #~(list (string-append "CC=" #$(cc-for-target)))
+      #:tests? #f ; No test suite
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure)            ; no configure script
+          (replace 'install
+            (lambda _
+              (install-file "darkhttpd" (string-append #$output "/bin")))))))
     (synopsis "Simple static web server")
     (description "darkhttpd is a simple static web server.  It is
 standalone and does not need inetd or ucspi-tcp.  It does not need any
-- 
2.46.0

[bug#74035] [PATCH 09/24] gnu: xlsxio: Update to 0.2.35. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-34795.

* gnu/packages/xml.scm (xlsxio): Update to 0.2.35.
---
 gnu/packages/xml.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index cfd53a291a..4a3936b66d 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -1545,7 +1545,7 @@ (define-public xerces-c
 (define-public xlsxio
   (package
     (name "xlsxio")
-    (version "0.2.33")
+    (version "0.2.35")
     (source
      (origin
        (method git-fetch)
@@ -1554,7 +1554,7 @@ (define-public xlsxio
              (commit version)))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "16i3yd168kb63za7jpycpb2by4831gz7wi90vzifdf85csc8c70s"))))
+        (base32 "140ap2l3qy27z1fhqpkq3a44aikhr3v5zlnm9m8vag42qiagiznx"))))
     (native-inputs
      (list expat gnu-make minizip which))
     (build-system gnu-build-system)
-- 
2.46.0

[bug#74035] [PATCH 10/24] gnu: pypy: Update to 7.3.17. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2022-37454.

* gnu/packages/pypy.scm (pypy): Update to 7.3.17.
---
 gnu/packages/pypy.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/pypy.scm b/gnu/packages/pypy.scm
index a39621b5ad..90986ac096 100644
--- a/gnu/packages/pypy.scm
+++ b/gnu/packages/pypy.scm
@@ -42,14 +42,14 @@ (define-module (gnu packages pypy)
 (define-public pypy
   (package
     (name "pypy")
-    (version "7.3.13")
+    (version "7.3.17")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://downloads.python.org/pypy/"
                                   "pypy3.10-v" version "-src.tar.bz2"))
               (sha256
                (base32
-                "0v9s6pwrnaxqi5h1pvmaphj6kgyczx07ykl07hcx656h34y77haa"))))
+                "1xsbn9mbxi2kai4gg1nz6n6cbqsq60qh65f5l6ld7ip9g32lpmva"))))
     (build-system gnu-build-system)
     (arguments
      (list
-- 
2.46.0

[bug#74035] [PATCH 11/24] gnu: indent: Remove uneeded arguments.

[Nicolas Graves via Guix-patches via]

* gnu/packages/code.scm (indent)
[arguments]: Remove field.
[native-inputs]: Remove automake.
---
 gnu/packages/code.scm | 27 +--------------------------
 1 file changed, 1 insertion(+), 26 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index bbf10be987..094dd32982 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -881,33 +881,8 @@ (define-public indent
             (sha256
              (base32 "15c0ayp9rib7hzvrcxm5ijs0mpagw5y8kf5w0jr9fryfqi7n6r4y"))))
    (build-system gnu-build-system)
-   (arguments
-    `(#:phases
-      (modify-phases %standard-phases
-        (add-after 'unpack 'fix-docdir
-          (lambda _
-            ;; Although indent uses a modern autoconf in which docdir
-            ;; defaults to PREFIX/share/doc, the doc/Makefile.am
-            ;; overrides this to be in PREFIX/doc.  Fix this.
-            (substitute* "doc/Makefile.in"
-              (("^docdir = .*$") "docdir = @docdir@\n"))
-            #t))
-        (add-after 'unpack 'fix-configure
-          (lambda* (#:key inputs native-inputs #:allow-other-keys)
-            ;; Replace outdated config.sub and config.guess:
-            (with-directory-excursion "config"
-              (for-each (lambda (file)
-                          (install-file
-                           (string-append (assoc-ref
-                                           (or native-inputs inputs) "automake")
-                                          "/share/automake-"
-                                          ,(version-major+minor
-                                            (package-version automake))
-                                          "/" file) "."))
-                        '("config.sub" "config.guess")))
-            #t)))))
    (native-inputs
-    (list texinfo automake)) ; For up to date 'config.guess' and 'config.sub'.
+    (list texinfo))
    (synopsis "Code reformatter")
    (description
     "Indent is a program that makes source code easier to read by
-- 
2.46.0

[bug#74035] [PATCH 12/24] gnu: indent: Add patch for CVE-2024-0911. [security fixes]

[Nicolas Graves via Guix-patches via]

* gnu/packages/patches/indent-CVE-2024-0911.patch: Add patch here...
* gnu/local.mk: ...here...
* gnu/packages/code.scm (indent)[source]<origin>: ...and here.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/code.scm                         |  4 +-
 .../patches/indent-CVE-2024-0911.patch        | 61 +++++++++++++++++++
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/indent-CVE-2024-0911.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index d253b424bb..1a69a22aba 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1559,6 +1559,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/idris-test-ffi008.patch			\
   %D%/packages/patches/igraph-fix-varargs-integer-size.patch	\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
+  %D%/packages/patches/indent-CVE-2024-0911.patch	\
   %D%/packages/patches/instead-use-games-path.patch		\
   %D%/packages/patches/intltool-perl-compatibility.patch	\
   %D%/packages/patches/irrlicht-use-system-libs.patch		\
diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 094dd32982..dda37528b8 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -879,7 +879,9 @@ (define-public indent
             (uri (string-append "mirror://gnu/indent/indent-" version
                                 ".tar.gz"))
             (sha256
-             (base32 "15c0ayp9rib7hzvrcxm5ijs0mpagw5y8kf5w0jr9fryfqi7n6r4y"))))
+             (base32 "15c0ayp9rib7hzvrcxm5ijs0mpagw5y8kf5w0jr9fryfqi7n6r4y"))
+            ;; Remove patch when updating.
+            (patches (search-patches "indent-CVE-2024-0911.patch"))))
    (build-system gnu-build-system)
    (native-inputs
     (list texinfo))
diff --git a/gnu/packages/patches/indent-CVE-2024-0911.patch b/gnu/packages/patches/indent-CVE-2024-0911.patch
new file mode 100644
index 0000000000..4687d3f59a
--- /dev/null
+++ b/gnu/packages/patches/indent-CVE-2024-0911.patch
@@ -0,0 +1,61 @@
+Upstream issue: https://lists.gnu.org/archive/html/bug-indent/2024-01/msg00001.html
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ regression/TEST                                     | 2 +-
+ regression/input/comment-parent-heap-underread.c    | 3 +++
+ regression/standard/comment-parent-heap-underread.c | 5 +++++
+ src/output.c                                        | 2 +-
+ 4 files changed, 10 insertions(+), 2 deletions(-)
+ create mode 100644 regression/input/comment-parent-heap-underread.c
+ create mode 100644 regression/standard/comment-parent-heap-underread.c
+
+diff --git a/regression/TEST b/regression/TEST
+index 7c07c2e..951b1a2 100755
+--- a/regression/TEST
++++ b/regression/TEST
+@@ -40,6 +40,7 @@ BUGS="case-label.c one-line-1.c one-line-2.c one-line-3.c \
+         macro.c enum.c elif.c nested.c wrapped-string.c minus_predecrement.c \
+         bug-gnu-33364.c float-constant-suffix.c block-comments.c \
+-        no-forced-nl-in-block-init.c hexadecimal_float.c binary-constant.c"
++        no-forced-nl-in-block-init.c hexadecimal_float.c binary-constant.c \
++        comment-parent-heap-underread.c"
+ 
+ INDENTSRC="args.c backup.h backup.c dirent_def.h globs.c indent.h \
+         indent.c indent_globs.h io.c lexi.c memcpy.c parse.c pr_comment.c \
+diff --git a/regression/input/comment-parent-heap-underread.c 
+b/regression/input/comment-parent-heap-underread.c
+new file mode 100644
+index 0000000..68e13cf
+--- /dev/null
++++ b/regression/input/comment-parent-heap-underread.c
+@@ -0,0 +1,3 @@
++void foo(void) {
++/*a*/(1);
++}
+diff --git a/regression/standard/comment-parent-heap-underread.c 
+b/regression/standard/comment-parent-heap-underread.c
+new file mode 100644
+index 0000000..9a1c6e3
+--- /dev/null
++++ b/regression/standard/comment-parent-heap-underread.c
+@@ -0,0 +1,5 @@
++void
++foo (void)
++{
++/*a*/ (1);
++}
+diff --git a/src/output.c b/src/output.c
+index ee01bcc..17eee6e 100644
+--- a/src/output.c
++++ b/src/output.c
+@@ -290,7 +290,7 @@ void set_buf_break (
+     /* Did we just parse a bracket that will be put on the next line
+      * by this line break? */
+ 
+-    if ((*token == '(') || (*token == '['))
++    if (level > 0 && ((*token == '(') || (*token == '[')))
+     {
+         --level;                        /* then don't take it into account */
+     }
+-- 
+2.43.0
-- 
2.46.0

[bug#74035] [PATCH 13/24] gnu: squashfs-tools: Update to 4.6.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2021-40153 and CVE-2021-41072.

* gnu/packages/compression.scm (squashfs-tools): Update to 4.6.1.
[arguments]: Improve style.
<#:make-flags>: Add INSTALL_MANPAGES_DIR value.
<#:phases>: Remove phase 'install-documentation. Add phase
'patch-generated-source-shebangs.
[native-inputs]: Add coreutils-minimal, help2man, which.
[inputs]: Rewrite.
---
 gnu/packages/compression.scm | 52 ++++++++++++++++++------------------
 1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index a32b15a64a..b3eca16191 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -1023,7 +1023,7 @@ (define-public lz4
 (define-public squashfs-tools
   (package
     (name "squashfs-tools")
-    (version "4.5")
+    (version "4.6.1")
     (source
      (origin
        (method git-fetch)
@@ -1032,34 +1032,34 @@ (define-public squashfs-tools
              (commit version)))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "18d4nwa22vgb8j2badngjngw63f0lj501cvlh3920wqy2mqxwav6"))))
+        (base32 "14nisidxx2d2qivyv7xfcg59qkj4fjiniir7nvymazdsng63gcr1"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:tests? #f                      ; no check target
-       #:make-flags
-       (list (string-append "CC=" ,(cc-for-target))
-             "XZ_SUPPORT=1"
-             "LZO_SUPPORT=1"
-             "LZ4_SUPPORT=1"
-             "ZSTD_SUPPORT=1"
-             (string-append "INSTALL_DIR=" (assoc-ref %outputs "out") "/bin"))
-       #:phases
-       (modify-phases %standard-phases
-         (replace 'configure
-           (lambda _
-             (chdir "squashfs-tools")))
-         (add-after 'install 'install-documentation
-           ;; Install what very little usage documentation is provided.
-           (lambda* (#:key outputs #:allow-other-keys)
-             (let* ((out (assoc-ref outputs "out"))
-                    (doc (string-append out "/share/doc/" ,name)))
-               (install-file "../USAGE" doc)))))))
+     (list
+      #:tests? #f                      ; no check target
+      #:make-flags
+      #~(list
+         (string-append "CC=" #$(cc-for-target))
+         "XZ_SUPPORT=1"
+         "LZO_SUPPORT=1"
+         "LZ4_SUPPORT=1"
+         "ZSTD_SUPPORT=1"
+         (string-append "INSTALL_DIR=" #$output "/bin")
+         (string-append "INSTALL_MANPAGES_DIR=" #$output "/share/man/man1"))
+      #:phases
+      #~(modify-phases %standard-phases
+          (replace 'configure
+            (lambda _
+              (chdir "squashfs-tools")))
+          (add-after 'patch-source-shebangs 'patch-generated-source-shebangs
+            (lambda _
+              (substitute* (find-files "generate-manpages" "\\.sh")
+                (("print \"#!/bin/sh")
+                 (string-append "print \"#!" (which "sh")))))))))
+    (native-inputs
+     (list coreutils-minimal help2man which))
     (inputs
-     `(("lz4" ,lz4)
-       ("lzo" ,lzo)
-       ("xz" ,xz)
-       ("zlib" ,zlib)
-       ("zstd:lib" ,zstd "lib")))
+     (list lz4 lzo xz zlib `(,zstd "lib")))
     (home-page "https://github.com/plougher/squashfs-tools")
     (synopsis "Tools to create and extract squashfs file systems")
     (description
-- 
2.46.0

[bug#74035] [PATCH 14/24] gnu: shapelib: Update to 1.6.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2022-0699.

* gnu/packages/geo.scm (shapelib): Update to 1.6.1.
---
 gnu/packages/geo.scm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/geo.scm b/gnu/packages/geo.scm
index 5d120b3c98..affa50c515 100644
--- a/gnu/packages/geo.scm
+++ b/gnu/packages/geo.scm
@@ -2574,7 +2574,7 @@ (define-public readosm
 (define-public shapelib
   (package
     (name "shapelib")
-    (version "1.5.0")
+    (version "1.6.1")
     (source
      (origin
        (method git-fetch)
@@ -2583,7 +2583,7 @@ (define-public shapelib
              (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "1lzch0jf6yqhw391phhafzw4ghmiz98zkf698h4fmq109fa2vhqd"))))
+        (base32 "0l67gp1618lcw7fg2iclbh016cqyw85s3cmd3qzx6aw0jq19hj8n"))))
     (build-system gnu-build-system)
     (native-inputs
      (list autoconf automake libtool))
@@ -2591,8 +2591,8 @@ (define-public shapelib
     (synopsis "Provides C library to write and update ESRI Shapefiles")
     (description
      "The Shapefile C Library provides the ability to write simple C programs
-for reading, writing and updating (to a limited extent) ESRI Shapefiles, and the
-associated attribute file (@file{.dbf}).")
+for reading, writing and updating (to a limited extent) ESRI Shapefiles, and
+the associated attribute file (@file{.dbf}).")
     (license license:gpl2+)))
 
 (define-public spatialite-tools
-- 
2.46.0

[bug#74035] [PATCH 15/24] gnu: libzapojit: Update to 0.0.3-1.99d49ba. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2021-39360.

* gnu/packages/gnome.scm (libzapojit): Update to 0.0.3-1.99d49ba.
---
 gnu/packages/gnome.scm | 45 ++++++++++++++++++++++--------------------
 1 file changed, 24 insertions(+), 21 deletions(-)

diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 9b26819261..9abe433aa4 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -10591,28 +10591,31 @@ (define-public gsound
     (license license:lgpl2.1+)))
 
 (define-public libzapojit
-  (package
-    (name "libzapojit")
-    (version "0.0.3")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnome/sources/" name "/"
-                                  (version-major+minor version) "/"
-                                  name "-" version ".tar.xz"))
-              (sha256
-               (base32
-                "0zn3s7ryjc3k1abj4k55dr2na844l451nrg9s6cvnnhh569zj99x"))))
-    (build-system gnu-build-system)
-    (native-inputs
-     (list gobject-introspection intltool pkg-config))
-    (inputs
-     (list gnome-online-accounts json-glib rest))
-    (home-page "https://wiki.gnome.org/Projects/Zapojit")
-    (synopsis "Library for accessing SkyDrive and Hotmail")
-    (description
-     "Libzapojit is a GLib-based library for accessing online service APIs of
+  (let ((revision "1")
+        (commit "99d49bac5edc4afdcac742a0a142908e405597b0"))
+    (package
+      (name "libzapojit")
+      (version (git-version "0.0.3" revision commit))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://gitlab.gnome.org/Archive/libzapojit")
+               (commit commit)))
+         (file-name (git-file-name name version))
+         (sha256
+          (base32 "12frqg925rmic3rf37h5vs48xdy3mfi4ip24v0bl73h5sxy8n828"))))
+      (build-system gnu-build-system)
+      (native-inputs
+       (list gobject-introspection intltool pkg-config))
+      (inputs
+       (list gnome-online-accounts json-glib rest))
+      (home-page "https://wiki.gnome.org/Projects/Zapojit")
+      (synopsis "Library for accessing SkyDrive and Hotmail")
+      (description
+       "Libzapojit is a GLib-based library for accessing online service APIs of
 Microsoft SkyDrive and Hotmail, using their REST protocols.")
-    (license license:lgpl2.1+)))
+      (license license:lgpl2.1+))))
 
 (define-public gnome-clocks
   (package
-- 
2.46.0

[bug#74035] [PATCH 16/24] gnu: gifsicle: Update to 1.95. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-44821 and CVE-2023-46009.

* gnu/packages/image.scm (gifsicle): Update to 1.95.
---
 gnu/packages/image.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 7f17c71aef..0d6593dc21 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -2172,14 +2172,14 @@ (define-public swappy
 (define-public gifsicle
   (package
    (name "gifsicle")
-   (version "1.94")
+   (version "1.95")
    (source
      (origin
        (method url-fetch)
        (uri (string-append "https://www.lcdf.org/gifsicle/gifsicle-"
                            version ".tar.gz"))
        (sha256
-        (base32 "16zq5wd6fyjgy0p0mak15k3mh1zpqb9rg6gqfpg215kqq02p1jab"))))
+        (base32 "0l69gn562l7a1l10zz1bfs756ipd682idgpk60qs3llz013icwdj"))))
    (build-system gnu-build-system)
    (arguments
     '(#:phases
-- 
2.46.0

[bug#74035] [PATCH 17/24] gnu: sendmail: Update to 8.18.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-51765 and CVE-2021-3618.

* gnu/packages/mail.scm (sendmail): Update to 8.18.1.
---
 gnu/packages/mail.scm | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 77be7626a9..63e0f24534 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -3122,7 +3122,7 @@ (define-public mhonarc
 (define-public sendmail
   (package
     (name "sendmail")
-    (version "8.15.2")
+    (version "8.18.1")
     (source
      (origin
        (method url-fetch)
@@ -3130,8 +3130,7 @@ (define-public sendmail
              "ftp://ftp.sendmail.org/pub/sendmail/sendmail."
              version ".tar.gz"))
        (sha256
-        (base32
-         "0fdl9ndmspqspdlmghzxlaqk56j3yajk52d7jxcg21b7sxglpy94"))))
+        (base32 "0w07iw4imp9wvczd2mijns7zxl8p1wk29b9yrzvhcj4fqc4z7wfb"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
-- 
2.46.0

[bug#74035] [PATCH 18/24] gnu: openvpn: Update to 2.6.12. [security fixes]

[Nicolas Graves via Guix-patches via]

Thix fixes CVE-2024-24974, CVE-2024-27459 and CVE-2024-27903.

* gnu/packages/vpn.scm (openvpn): Update to 2.6.12.
---
 gnu/packages/vpn.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/vpn.scm b/gnu/packages/vpn.scm
index 9f36595bfd..193b247779 100644
--- a/gnu/packages/vpn.scm
+++ b/gnu/packages/vpn.scm
@@ -867,7 +867,7 @@ (define-public openfortivpn
 (define-public openvpn
   (package
     (name "openvpn")
-    (version "2.6.7")
+    (version "2.6.12")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -875,7 +875,7 @@ (define-public openvpn
                     version ".tar.gz"))
               (sha256
                (base32
-                "04wr0g97nmv81javym8r99mglmb86v1i49xmnmzf938x1cs7g67f"))))
+                "0a8r3bvg4aic9b7dix0h7990g3j1gq17wd3w6vqk8vk8xgfhyq8w"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--enable-iproute2=yes")))
-- 
2.46.0

[bug#74035] [PATCH 19/24] gnu: youtube-dl: Deprecate package.

[Nicolas Graves via Guix-patches via]

This package is not developped anymore.

* gnu/packages/video.scm (youtube-dl): Deprecate package.
---
 gnu/packages/video.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 92c0acef3c..9fca994b54 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -93,6 +93,7 @@ (define-module (gnu packages video)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix utils)
   #:use-module (guix packages)
+  #:use-module (guix deprecation)
   #:use-module (guix download)
   #:use-module (guix gexp)
   #:use-module (guix git-download)
@@ -3084,7 +3085,7 @@ (define-public yle-dl
 video streaming services of the Finnish national broadcasting company Yle.")
     (license license:gpl3+)))
 
-(define-public youtube-dl
+(define-deprecated/public youtube-dl #f
   (package
     (name "youtube-dl")
     (version "2021.12.17")
-- 
2.46.0

[bug#74035] [PATCH 20/24] gnu: liblouis: Update to 3.31.0. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2022-26981.

* gnu/packages/language.scm (liblouis): Update to 3.31.0.
[arguments]: Improve style using gexps.
[native-inputs]: Rewrite and replace python-wrapper by python.
---
 gnu/packages/language.scm | 47 ++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 25 deletions(-)

diff --git a/gnu/packages/language.scm b/gnu/packages/language.scm
index 78fcba4287..6a5e7927b4 100644
--- a/gnu/packages/language.scm
+++ b/gnu/packages/language.scm
@@ -10,6 +10,7 @@
 ;;; Copyright © 2023 gemmaro <gemmaro.dev@gmail.com>
 ;;; Copyright © 2024 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2024 Charles <charles@charje.net>
+;;; Copyright © 2024 Nicolas Graves <ngraves@ngraves.fr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -338,7 +339,7 @@ (define-public libchewing
 (define-public liblouis
   (package
     (name "liblouis")
-    (version "3.15.0")
+    (version "3.31.0")
     (source
      (origin
        (method git-fetch)
@@ -348,34 +349,30 @@ (define-public liblouis
          (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "1ljy5xsy7vf2r0ix0d7bqcr6qvr6897f8madsx9zlm1mrj31n5px"))))
+        (base32 "02bga2l4jiyrgfqdl27wszz5yd6h80n2dmq3p6nb2br83jywisfh"))))
     (build-system gnu-build-system)
     (outputs '("out" "bin" "doc" "python"))
     (arguments
-     `(#:configure-flags
-       (list
-        "--disable-static"
-        "--enable-ucs4")
-       #:phases
-       (modify-phases %standard-phases
-         (add-after 'install 'install-python-extension
-           (lambda* (#:key outputs #:allow-other-keys)
-             (with-directory-excursion "python"
-               (invoke "python" "setup.py" "install"
-                       (string-append "--prefix="
-                                      (assoc-ref outputs "python"))
-                       "--root=/")))))))
+     (list
+      #:configure-flags #~(list "--disable-static" "--enable-ucs4")
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'install 'install-python-extension
+            (lambda _
+              (with-directory-excursion "python"
+                (invoke "python3" "setup.py" "install" "--root=/"
+                        (string-append "--prefix=" #$output:python))))))))
     (native-inputs
-     `(("autoconf" ,autoconf)
-       ("automake" ,automake)
-       ("clang-format" ,clang)
-       ("help2man" ,help2man)
-       ("libtool" ,libtool)
-       ("libyaml" ,libyaml)
-       ("makeinfo" ,texinfo)
-       ("perl" ,perl)
-       ("pkg-config" ,pkg-config)
-       ("python" ,python-wrapper)))
+     (list autoconf
+           automake
+           clang
+           help2man
+           libtool
+           libyaml
+           texinfo
+           perl
+           pkg-config
+           python))
     (synopsis "Braille translator and back-translator")
     (description "Liblouis is a braille translator and back-translator named in
 honor of Louis Braille.  It features support for computer and literary braille,
-- 
2.46.0

[bug#74035] [PATCH 21/24] gnu: unicorn: Update to 2.1.1. [security fixes]

[Nicolas Graves via Guix-patches via]

Thix fixes CVE-2021-4296.

* gnu/packages/emulators.scm (unicorn): Update to 2.1.1.
---
 gnu/packages/emulators.scm | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/emulators.scm b/gnu/packages/emulators.scm
index f0a60c0b49..948e588c4c 100644
--- a/gnu/packages/emulators.scm
+++ b/gnu/packages/emulators.scm
@@ -3508,13 +3508,18 @@ (define-public zsnes
 (define-public unicorn
   (package
     (name "unicorn")
-    (version "2.0.1.post1")
+    (version "2.1.1")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri name version))
        (sha256
-        (base32 "0mlfs8qfi0clyncfkbxp6in0cpl747510i6bqymwid43xcirbikz"))))
+        (base32 "18sbrycr62wcs3a68a9q76ihpahfsd4bn3mryvyhimwwn1342kwh"))
+       (modules '((guix build utils)))
+       ;; cmake files are not in the cmake dir in pypi
+       (snippet #~(substitute* "src/CMakeLists.txt"
+                    (("include\\(cmake/")
+                     "include(")))))
     (build-system pyproject-build-system)
     (native-inputs (list cmake pkg-config))
     (home-page "https://www.unicorn-engine.org")
-- 
2.46.0

[bug#74035] [PATCH 22/24] gnu: Add sexpp.

[Nicolas Graves via Guix-patches via]

* gnu/packages/openpgp.scm (sexpp): New variable.
---
 gnu/packages/openpgp.scm | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/gnu/packages/openpgp.scm b/gnu/packages/openpgp.scm
index 9b6f04b407..356908ab1f 100644
--- a/gnu/packages/openpgp.scm
+++ b/gnu/packages/openpgp.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2020 Justus Winter <justus@sequoia-pgp.org>
+;;; Copyright © 2024 Nicolas Graves <ngraves@ngraves.fr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -157,3 +158,26 @@ (define-public rnp
         license:asl2.0
         ;; Nominet UK's BSD 3-Clause License (netpgp).
         license:bsd-3)))))
+
+(define-public sexpp
+  (package
+    (name "sexpp")
+    (version "0.9.0")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/rnpgp/sexpp")
+             (commit (string-append "v" version))))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32 "16y9f42w6ay3w0s23xmigqm0qi1swdfvc93g2xn3xkg1r4kpmnwq"))))
+    (build-system cmake-build-system)
+    (arguments
+     (list #:configure-flags '(list "-DDOWNLOAD_GTEST=off")))
+    (native-inputs (list googletest pkg-config))
+    (home-page "https://github.com/rnpgp/sexpp")
+    (synopsis "C++ library for S-expressions")
+    (description
+     "This package provides a C++ library for working with S-Expressions.")
+    (license license:expat)))
-- 
2.46.0

[bug#74035] [PATCH 23/24] gnu: rnp: Update to 0.17.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-29479 and CVE-2023-29480.

* gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
[arguments]: Improve style using gexps.
<#:phases>: Add phase 'inject-sexpp-source.
[inputs]: Add sexpp.
---
 gnu/packages/openpgp.scm | 52 +++++++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 22 deletions(-)

diff --git a/gnu/packages/openpgp.scm b/gnu/packages/openpgp.scm
index 356908ab1f..baf786c5ee 100644
--- a/gnu/packages/openpgp.scm
+++ b/gnu/packages/openpgp.scm
@@ -23,6 +23,7 @@ (define-module (gnu packages openpgp)
   #:use-module (guix git-download)
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
+  #:use-module (guix gexp)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (gnu packages)
   #:use-module (gnu packages check)
@@ -98,10 +99,10 @@ (define-public dkgpg
     (license license:gpl2+)))
 
 (define-public rnp
-  (let ((day-of-release "2022-09-22"))
+  (let ((day-of-release "2024-05-14"))
     (package
       (name "rnp")
-      (version "0.16.2")
+      (version "0.17.1")
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
@@ -110,33 +111,40 @@ (define-public rnp
                 (file-name (git-file-name name version))
                 (sha256
                  (base32
-                  "13z5kxm48a72w4m2crwgdjdng4a4pwxsd72r2z3a4pcakfp2swi8"))))
+                  "052872b6a88vkcc58alxcm532y6dra5qqd997jga41v72h3pnj4d"))))
       (build-system cmake-build-system)
-      (arguments `(#:configure-flags
-                   '("-DBUILD_SHARED_LIBS=on"
-                     "-DBUILD_TESTING=on"
-                     "-DDOWNLOAD_GTEST=off"
-                     "-DDOWNLOAD_RUBYRNP=off")
-                   #:phases
-                   (modify-phases %standard-phases
-                     (add-after 'unpack 'patch-tests
-                       (lambda _
-                         (substitute* "src/tests/support.cpp"
-                           (("\"cp\"") (search-input-file inputs "/bin/cp")))))
-                     (replace 'check
-                       (lambda* (#:key tests? #:allow-other-keys)
-                         (when tests?
-                           ;; Some OpenPGP certificates used by the tests expire.
-                           ;; To work around that, set the time to roughly the
-                           ;; release date.
-                           (invoke "faketime" ,day-of-release "make" "test")))))))
+      (arguments
+       (list
+        #:configure-flags
+        ''("-DBUILD_SHARED_LIBS=on"
+           "-DBUILD_TESTING=on"
+           "-DDOWNLOAD_GTEST=off"
+           "-DDOWNLOAD_RUBYRNP=off")
+        #:phases
+        #~(modify-phases %standard-phases
+            (add-after 'unpack 'patch-tests
+              (lambda _
+                (substitute* "src/tests/support.cpp"
+                  (("\"cp\"") (search-input-file inputs "/bin/cp")))))
+            (add-after 'unpack 'inject-sexpp-source
+              (lambda _
+                (rmdir "src/libsexpp")
+                (symlink #$(package-source (this-package-input "sexpp"))
+                         "src/libsexpp")))
+            (replace 'check
+              (lambda* (#:key tests? #:allow-other-keys)
+                (when tests?
+                  ;; Some OpenPGP certificates used by the tests expire.
+                  ;; To work around that, set the time to roughly the
+                  ;; release date.
+                  (invoke "faketime" #$day-of-release "make" "test")))))))
       (native-inputs
        (list gnupg       ; for tests
              googletest  ; for tests
              libfaketime ; for tests
              pkg-config
              python))
-      (inputs (list botan bzip2 json-c zlib))
+      (inputs (list botan bzip2 json-c sexpp zlib))
       (synopsis
        "RFC4880-compliant OpenPGP library written in C++")
       (description
-- 
2.46.0

[bug#74035] [PATCH 24/24] gnu: cjson: Update to 1.7.18. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-50471 and CVE-2023-50472.

* gnu/packages/javascript.scm (cjson): Update to 1.7.18.
---
 gnu/packages/javascript.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/javascript.scm b/gnu/packages/javascript.scm
index 4f97dcfef6..b48acf47dc 100644
--- a/gnu/packages/javascript.scm
+++ b/gnu/packages/javascript.scm
@@ -49,7 +49,7 @@ (define-module (gnu packages javascript)
 (define-public cjson
   (package
     (name "cjson")
-    (version "1.7.16")
+    (version "1.7.18")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -57,7 +57,7 @@ (define-public cjson
                     (commit (string-append "v" version))))
               (file-name (git-file-name name version))
               (sha256
-               (base32 "00599lzzb0vszk317n0gln7wizdpchy4warxgpj3khrir73pphbb"))))
+               (base32 "08p37q4i3za3dgz7wynma1fh8y4rq7pyzyjzcda710nxrmsm1pyv"))))
     (build-system cmake-build-system)
     (arguments
      `(#:configure-flags '("-DENABLE_CJSON_UTILS=On")))
-- 
2.46.0