[bug#74035] [PATCH 00/24] [security fixes] for near-leaf packages

[bug#74035] [PATCH 00/24] [security fixes] for near-leaf packages

[Nicolas Graves via Guix-patches via]

This patch series adds updates and security fixes for packages that
have less than 10 dependent packages.

Nicolas Graves (24):
  gnu: python-django-4.2: Update to 4.2.16. [security fixes]
  gnu: maradns: Update to 3.5.0036. [security fixes]
  gnu: maradns: Improve style.
  gnu: libmobi: Update to 0.12. [security fixes]
  gnu: bart: Update to 0.9.00. [security fixes]
  gnu: wireshark: Update to 4.4.1. [security fixes]
  gnu: pam-u2f: Update to 1.3.0. [security fixes]
  gnu: darkhttpd: Update to 1.16. [security fixes]
  gnu: xlsxio: Update to 0.2.35. [security fixes]
  gnu: pypy: Update to 7.3.17. [security fixes]
  gnu: indent: Remove uneeded arguments.
  gnu: indent: Add patch for CVE-2024-0911. [security fixes]
  gnu: squashfs-tools: Update to 4.6.1. [security fixes]
  gnu: shapelib: Update to 1.6.1. [security fixes]
  gnu: libzapojit: Update to 0.0.3-1.99d49ba. [security fixes]
  gnu: gifsicle: Update to 1.95. [security fixes]
  gnu: sendmail: Update to 8.18.1. [security fixes]
  gnu: openvpn: Update to 2.6.12. [security fixes]
  gnu: youtube-dl: Deprecate package.
  gnu: liblouis: Update to 3.31.0. [security fixes]
  gnu: unicorn: Update to 2.1.1. [security fixes]
  gnu: Add sexpp.
  gnu: rnp: Update to 0.17.1. [security fixes]
  gnu: cjson: Update to 1.7.18. [security fixes]

 gnu/local.mk                                  |  1 +
 gnu/packages/code.scm                         | 31 +-------
 gnu/packages/compression.scm                  | 52 ++++++-------
 gnu/packages/django.scm                       |  8 +-
 gnu/packages/dns.scm                          | 64 ++++++++--------
 gnu/packages/ebook.scm                        |  4 +-
 gnu/packages/emulators.scm                    |  9 ++-
 gnu/packages/geo.scm                          |  8 +-
 gnu/packages/gnome.scm                        | 45 ++++++-----
 gnu/packages/image-processing.scm             |  8 +-
 gnu/packages/image.scm                        |  4 +-
 gnu/packages/javascript.scm                   |  4 +-
 gnu/packages/language.scm                     | 47 ++++++------
 gnu/packages/mail.scm                         |  5 +-
 gnu/packages/networking.scm                   |  4 +-
 gnu/packages/openpgp.scm                      | 76 +++++++++++++------
 .../patches/indent-CVE-2024-0911.patch        | 61 +++++++++++++++
 gnu/packages/pypy.scm                         |  4 +-
 gnu/packages/security-token.scm               |  9 +--
 gnu/packages/video.scm                        |  3 +-
 gnu/packages/vpn.scm                          |  4 +-
 gnu/packages/web.scm                          | 24 +++---
 gnu/packages/xml.scm                          |  4 +-
 23 files changed, 278 insertions(+), 201 deletions(-)
 create mode 100644 gnu/packages/patches/indent-CVE-2024-0911.patch

-- 
2.46.0

[bug#74035] [PATCH 01/24] gnu: python-django-4.2: Update to 4.2.16. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2024-24680, CVE-2024-41989, CVE-2024-41990,
CVE-2024-41991, CVE-2024-42005, CVE-2024-45230, CVE-2024-45231,
CVE-2023-43665 and CVE-2023-46695.

* gnu/packages/django.scm (python-django-4.2): Update to 4.2.16.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/django.scm | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/django.scm b/gnu/packages/django.scm
index 4404c8368d..4cf043f7c1 100644
--- a/gnu/packages/django.scm
+++ b/gnu/packages/django.scm
@@ -57,13 +57,13 @@ (define-module (gnu packages django)
 (define-public python-django-4.2
   (package
     (name "python-django")
-    (version "4.2.5")
+    (version "4.2.16")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "Django" version))
               (sha256
                (base32
-                "1ha6c5j3pizbsfzw37r52lvdz8z5lblq4iwa99mpkdzz92aiqp2y"))))
+                "1b8xgwg3gjr974j60x3vgcpp85cg5dwhzqdpdbl8qh3cg311c5kg"))))
     (build-system pyproject-build-system)
     (arguments
      '(#:test-flags
@@ -140,7 +140,9 @@ (define-public python-django-4.2
 any Web site.  Django focuses on automating as much as possible and adhering
 to the @dfn{don't repeat yourself} (DRY) principle.")
     (license license:bsd-3)
-    (properties `((cpe-name . "django")))))
+    (properties `((cpe-name . "django")
+                  ;; This CVE seems fixed since 4.2.1.
+                  (lint-hidden-cve . ("CVE-2023-31047"))))))
 
 (define-public python-django-3.2
   (package
-- 
2.46.0

[bug#74035] [PATCH 02/24] gnu: maradns: Update to 3.5.0036. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-31137.

* gnu/packages/dns.scm (maradns): Update to 3.5.0036.
[properties]: Add release-monitoring-url property.
---
 gnu/packages/dns.scm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index e911a142ef..bd2df30f01 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -1181,7 +1181,7 @@ (define-public public-suffix-list
 (define-public maradns
   (package
     (name "maradns")
-    (version "3.5.0022")
+    (version "3.5.0036")
     (source
      (origin
        (method url-fetch)
@@ -1189,7 +1189,7 @@ (define-public maradns
                            (version-major+minor version) "/"
                            version "/maradns-" version ".tar.xz"))
        (sha256
-        (base32 "1sw267jxxxngjcar8cj3jpxnpiz0szgkhlz5l46c67qs690w9kdi"))))
+        (base32 "185kl7zfvnwzfpyxbzpwck13m468av74kbqijp0s4v33iicfpnvc"))))
     (build-system gnu-build-system)
     (arguments
      `(#:tests? #f                      ; need to be root to run tests
@@ -1226,6 +1226,8 @@ (define-public maradns
     (description "MaraDNS is a small and lightweight DNS server.  MaraDNS
 consists of a UDP-only authoritative DNS server for hosting domains, and a UDP
 and TCP-capable recursive DNS server for finding domains on the internet.")
+    (properties '((release-monitoring-url
+                   . "https://maradns.samiam.org/download.html")))
     (license license:bsd-2)))
 
 (define-public openresolv
-- 
2.46.0

[bug#74035] [PATCH 03/24] gnu: maradns: Improve style.

[Nicolas Graves via Guix-patches via]

* gnu/packages/dns.scm (maradns)[arguments]: Use gexps.
---
 gnu/packages/dns.scm | 58 ++++++++++++++++++++++----------------------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index bd2df30f01..7a78fb0308 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -1192,35 +1192,35 @@ (define-public maradns
         (base32 "185kl7zfvnwzfpyxbzpwck13m468av74kbqijp0s4v33iicfpnvc"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:tests? #f                      ; need to be root to run tests
-       #:make-flags
-       (list
-        ,(string-append "CC=" (cc-for-target))
-        (string-append "PREFIX=" %output)
-        (string-append "RPM_BUILD_ROOT=" %output))
-       #:phases
-       (modify-phases %standard-phases
-         (replace 'configure
-           (lambda* (#:key native-inputs target #:allow-other-keys)
-             ;; make_32bit_tables generates a header file that is used during
-             ;; compilation. Hence, during cross compilation, it should be
-             ;; built for the host system.
-             (when target
-               (substitute* "rng/Makefile"
-                 (("\\$\\(CC\\) -o make_32bit_tables")
-                  (string-append (assoc-ref native-inputs "gcc")
-                                 "/bin/gcc -o make_32bit_tables"))))
-             (invoke "./configure")))
-         (add-before 'install 'create-install-directories
-           (lambda* (#:key outputs #:allow-other-keys)
-             (let ((out (assoc-ref outputs "out")))
-               (for-each (lambda (dir)
-                           (mkdir-p (string-append out dir)))
-                         (list "/bin" "/sbin" "/etc"
-                               "/share/man/man1"
-                               "/share/man/man5"
-                               "/share/man/man8"))
-               #t))))))
+     (list
+      #:tests? #f                      ; need to be root to run tests
+      #:make-flags
+      #~(list
+         (string-append "CC=" #$(cc-for-target))
+         (string-append "PREFIX=" #$output)
+         (string-append "RPM_BUILD_ROOT=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (replace 'configure
+            (lambda* (#:key native-inputs target #:allow-other-keys)
+              ;; make_32bit_tables generates a header file that is used during
+              ;; compilation. Hence, during cross compilation, it should be
+              ;; built for the host system.
+              (when target
+                (substitute* "rng/Makefile"
+                  (("\\$\\(CC\\) -o make_32bit_tables")
+                   (string-append (search-input-file native-inputs "/bin/gcc")
+                                  " -o make_32bit_tables"))))
+              ;; ./configure doesn't support default flags
+              (invoke "./configure")))
+          (add-before 'install 'create-install-directories
+            (lambda _
+              (for-each (lambda (dir)
+                          (mkdir-p (string-append #$output dir)))
+                        (list "/bin" "/sbin" "/etc"
+                              "/share/man/man1"
+                              "/share/man/man5"
+                              "/share/man/man8")))))))
     (home-page "https://maradns.samiam.org")
     (synopsis "Small lightweight DNS server")
     (description "MaraDNS is a small and lightweight DNS server.  MaraDNS
-- 
2.46.0

[bug#74035] [PATCH 04/24] gnu: libmobi: Update to 0.12. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2022-1533, CVE-2022-1534, CVE-2022-1907, CVE-2022-1908,
CVE-2022-1987, CVE-2022-2279, CVE-2022-29788, CVE-2021-3751,
CVE-2021-3881, CVE-2021-3888 and CVE-2021-3889.

* gnu/packages/ebook.scm (libmobi): Update to 0.12.
---
 gnu/packages/ebook.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ebook.scm b/gnu/packages/ebook.scm
index dc30c98fdf..bf8dcfad09 100644
--- a/gnu/packages/ebook.scm
+++ b/gnu/packages/ebook.scm
@@ -648,7 +648,7 @@ (define-public xchm
 (define-public libmobi
   (package
     (name "libmobi")
-    (version "0.6")
+    (version "0.12")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -657,7 +657,7 @@ (define-public libmobi
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "0yps72cm609xn2k7alflkdhp9kgr1w7zzyxjygz0n1kqrdcplihh"))))
+                "0cwya9n0rd97ai0fcqjwq7b3sjzigf3ywp7bnkbbw541f3knpds9"))))
     (build-system gnu-build-system)
     (native-inputs
      (list autoconf automake libtool))
-- 
2.46.0

[bug#74035] [PATCH 05/24] gnu: bart: Update to 0.9.00. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes bart reproducibility and CVE-2022-45387.

* gnu/packages/image-processing.scm (bart): Update to 0.9.00.
---
 gnu/packages/image-processing.scm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/image-processing.scm b/gnu/packages/image-processing.scm
index a79eaf6aed..3a7c67362f 100644
--- a/gnu/packages/image-processing.scm
+++ b/gnu/packages/image-processing.scm
@@ -115,20 +115,19 @@ (define-module (gnu packages image-processing)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-1))
 
-;; TODO: this is not reproducible.
 (define-public bart
   (package
     (name "bart")
-    (version "0.8.00")
+    (version "0.9.00")
     (source
      (origin
        (method git-fetch)
        (uri (git-reference
              (url "https://github.com/mrirecon/bart")
-             (commit "eacc67b95cf128487ecc48f0e6541ea4dca08818")))
+             (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "05lcf7c3g7ms5h82bw1mi4kzkdv5wpqi1zrfhqfkgbcpd3irj6aq"))))
+        (base32 "0mj6jmw31rsnvqmpfqahhj4cy9iv5xgrhzmcsrikdz5dgd45lmjz"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -140,6 +139,7 @@ (define-public bart
                       "OPENBLAS=1"
                       "SCALAPACK=1"
                       (string-append "BLAS_BASE=" #$(this-package-input "openblas"))
+                      (string-append "CC=" #$(cc-for-target))
                       (string-append "FFTW_BASE=" #$(this-package-input "fftw")))
       #:parallel-build? #false ;leads to non-deterministic output
       #:phases
-- 
2.46.0

[bug#74035] [PATCH 06/24] gnu: wireshark: Update to 4.4.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2024-9780.

* gnu/packages/networking.scm (wireshark): Update to 4.4.1.
---
 gnu/packages/networking.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 7ed011a7f4..31b72f1104 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -1805,14 +1805,14 @@ (define-public whois
 (define-public wireshark
   (package
     (name "wireshark")
-    (version "4.4.0")
+    (version "4.4.1")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "https://www.wireshark.org/download/src/wireshark-"
                            version ".tar.xz"))
        (sha256
-        (base32 "0s8jqxcvq7ibfsq8v4scl8dq7y5hqgpivq4iw9y2x6jj136cvmga"))))
+        (base32 "1v2nflm8rdifc6pwlzn1ciz22wl15zwkqs3r7gjw60kh59brd7ib"))))
     (build-system qt-build-system)
     (arguments
      (list
-- 
2.46.0

[bug#74035] [PATCH 07/24] gnu: pam-u2f: Update to 1.3.0. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2021-31924.

* gnu/packages/security-token.scm (pam-u2f): Update to 1.3.0.
[inputs]: Add libfido2, openssl. Remove libu2f-host, libu2f-server.
[native-inputs]: Sort packages.
---
 gnu/packages/security-token.scm | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/security-token.scm b/gnu/packages/security-token.scm
index 5abb461c0c..156a7d5e28 100644
--- a/gnu/packages/security-token.scm
+++ b/gnu/packages/security-token.scm
@@ -682,7 +682,7 @@ (define-public libu2f-server
 (define-public pam-u2f
   (package
     (name "pam-u2f")
-    (version "1.0.8")
+    (version "1.3.0")
     (source (origin
               (method git-fetch)
               (uri
@@ -691,17 +691,16 @@ (define-public pam-u2f
                 (commit (string-append "pam_u2f-" version))))
               (file-name (git-file-name name version))
               (sha256
-               (base32
-                "04d9davyi33gqbvga1rvh9fijp6f16mx2xmnn4n61rnhcn2jac98"))))
+               (base32 "1swvys98mw7ailllgqicvhj315qajhvqrmm314cp3bj0l76s9qpv"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
        (list (string-append "--with-pam-dir="
                             (assoc-ref %outputs "out") "/lib/security"))))
     (inputs
-     (list libu2f-host libu2f-server linux-pam))
+     (list libfido2 linux-pam openssl))
     (native-inputs
-     (list autoconf automake libtool asciidoc pkg-config))
+     (list asciidoc autoconf automake libtool pkg-config))
     (home-page "https://developers.yubico.com/pam-u2f/")
     (synopsis "PAM module for U2F authentication")
     (description
-- 
2.46.0

[bug#74035] [PATCH 08/24] gnu: darkhttpd: Update to 1.16. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2024-23770 and CVE-2024-23771.

* gnu/packages/web.scm (darkhttpd): Update to 1.16.
[arguments]: Improve style.
---
 gnu/packages/web.scm | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 34739bf088..eb27d3448c 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -6417,7 +6417,7 @@ (define-public surfraw
 (define-public darkhttpd
   (package
     (name "darkhttpd")
-    (version "1.13")
+    (version "1.16")
     (source
      (origin
        (method git-fetch)
@@ -6426,20 +6426,18 @@ (define-public darkhttpd
              (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "0w11xq160q9yyffv4mw9ncp1n0dl50d9plmwxb0yijaaxls9i4sk"))))
+        (base32 "15mmq1v8p50mm9wx5w6g4rlr40b7d044lw7rs1wyzdiw9lcnihvm"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags
-       (list (string-append "CC=" ,(cc-for-target)))
-       #:tests? #f ; No test suite
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure)            ; no configure script
-         (replace 'install
-           (lambda* (#:key outputs #:allow-other-keys)
-             (install-file "darkhttpd"
-                           (string-append (assoc-ref outputs "out")
-                                          "/bin")))))))
+     (list
+      #:make-flags #~(list (string-append "CC=" #$(cc-for-target)))
+      #:tests? #f ; No test suite
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure)            ; no configure script
+          (replace 'install
+            (lambda _
+              (install-file "darkhttpd" (string-append #$output "/bin")))))))
     (synopsis "Simple static web server")
     (description "darkhttpd is a simple static web server.  It is
 standalone and does not need inetd or ucspi-tcp.  It does not need any
-- 
2.46.0

[bug#74035] [PATCH 09/24] gnu: xlsxio: Update to 0.2.35. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-34795.

* gnu/packages/xml.scm (xlsxio): Update to 0.2.35.
---
 gnu/packages/xml.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index cfd53a291a..4a3936b66d 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -1545,7 +1545,7 @@ (define-public xerces-c
 (define-public xlsxio
   (package
     (name "xlsxio")
-    (version "0.2.33")
+    (version "0.2.35")
     (source
      (origin
        (method git-fetch)
@@ -1554,7 +1554,7 @@ (define-public xlsxio
              (commit version)))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "16i3yd168kb63za7jpycpb2by4831gz7wi90vzifdf85csc8c70s"))))
+        (base32 "140ap2l3qy27z1fhqpkq3a44aikhr3v5zlnm9m8vag42qiagiznx"))))
     (native-inputs
      (list expat gnu-make minizip which))
     (build-system gnu-build-system)
-- 
2.46.0

[bug#74035] [PATCH 10/24] gnu: pypy: Update to 7.3.17. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2022-37454.

* gnu/packages/pypy.scm (pypy): Update to 7.3.17.
---
 gnu/packages/pypy.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/pypy.scm b/gnu/packages/pypy.scm
index a39621b5ad..90986ac096 100644
--- a/gnu/packages/pypy.scm
+++ b/gnu/packages/pypy.scm
@@ -42,14 +42,14 @@ (define-module (gnu packages pypy)
 (define-public pypy
   (package
     (name "pypy")
-    (version "7.3.13")
+    (version "7.3.17")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://downloads.python.org/pypy/"
                                   "pypy3.10-v" version "-src.tar.bz2"))
               (sha256
                (base32
-                "0v9s6pwrnaxqi5h1pvmaphj6kgyczx07ykl07hcx656h34y77haa"))))
+                "1xsbn9mbxi2kai4gg1nz6n6cbqsq60qh65f5l6ld7ip9g32lpmva"))))
     (build-system gnu-build-system)
     (arguments
      (list
-- 
2.46.0

[bug#74035] [PATCH 11/24] gnu: indent: Remove uneeded arguments.

[Nicolas Graves via Guix-patches via]

* gnu/packages/code.scm (indent)
[arguments]: Remove field.
[native-inputs]: Remove automake.
---
 gnu/packages/code.scm | 27 +--------------------------
 1 file changed, 1 insertion(+), 26 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index bbf10be987..094dd32982 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -881,33 +881,8 @@ (define-public indent
             (sha256
              (base32 "15c0ayp9rib7hzvrcxm5ijs0mpagw5y8kf5w0jr9fryfqi7n6r4y"))))
    (build-system gnu-build-system)
-   (arguments
-    `(#:phases
-      (modify-phases %standard-phases
-        (add-after 'unpack 'fix-docdir
-          (lambda _
-            ;; Although indent uses a modern autoconf in which docdir
-            ;; defaults to PREFIX/share/doc, the doc/Makefile.am
-            ;; overrides this to be in PREFIX/doc.  Fix this.
-            (substitute* "doc/Makefile.in"
-              (("^docdir = .*$") "docdir = @docdir@\n"))
-            #t))
-        (add-after 'unpack 'fix-configure
-          (lambda* (#:key inputs native-inputs #:allow-other-keys)
-            ;; Replace outdated config.sub and config.guess:
-            (with-directory-excursion "config"
-              (for-each (lambda (file)
-                          (install-file
-                           (string-append (assoc-ref
-                                           (or native-inputs inputs) "automake")
-                                          "/share/automake-"
-                                          ,(version-major+minor
-                                            (package-version automake))
-                                          "/" file) "."))
-                        '("config.sub" "config.guess")))
-            #t)))))
    (native-inputs
-    (list texinfo automake)) ; For up to date 'config.guess' and 'config.sub'.
+    (list texinfo))
    (synopsis "Code reformatter")
    (description
     "Indent is a program that makes source code easier to read by
-- 
2.46.0

[bug#74035] [PATCH 12/24] gnu: indent: Add patch for CVE-2024-0911. [security fixes]

[Nicolas Graves via Guix-patches via]

* gnu/packages/patches/indent-CVE-2024-0911.patch: Add patch here...
* gnu/local.mk: ...here...
* gnu/packages/code.scm (indent)[source]<origin>: ...and here.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/code.scm                         |  4 +-
 .../patches/indent-CVE-2024-0911.patch        | 61 +++++++++++++++++++
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/indent-CVE-2024-0911.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index d253b424bb..1a69a22aba 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1559,6 +1559,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/idris-test-ffi008.patch			\
   %D%/packages/patches/igraph-fix-varargs-integer-size.patch	\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
+  %D%/packages/patches/indent-CVE-2024-0911.patch	\
   %D%/packages/patches/instead-use-games-path.patch		\
   %D%/packages/patches/intltool-perl-compatibility.patch	\
   %D%/packages/patches/irrlicht-use-system-libs.patch		\
diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 094dd32982..dda37528b8 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -879,7 +879,9 @@ (define-public indent
             (uri (string-append "mirror://gnu/indent/indent-" version
                                 ".tar.gz"))
             (sha256
-             (base32 "15c0ayp9rib7hzvrcxm5ijs0mpagw5y8kf5w0jr9fryfqi7n6r4y"))))
+             (base32 "15c0ayp9rib7hzvrcxm5ijs0mpagw5y8kf5w0jr9fryfqi7n6r4y"))
+            ;; Remove patch when updating.
+            (patches (search-patches "indent-CVE-2024-0911.patch"))))
    (build-system gnu-build-system)
    (native-inputs
     (list texinfo))
diff --git a/gnu/packages/patches/indent-CVE-2024-0911.patch b/gnu/packages/patches/indent-CVE-2024-0911.patch
new file mode 100644
index 0000000000..4687d3f59a
--- /dev/null
+++ b/gnu/packages/patches/indent-CVE-2024-0911.patch
@@ -0,0 +1,61 @@
+Upstream issue: https://lists.gnu.org/archive/html/bug-indent/2024-01/msg00001.html
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ regression/TEST                                     | 2 +-
+ regression/input/comment-parent-heap-underread.c    | 3 +++
+ regression/standard/comment-parent-heap-underread.c | 5 +++++
+ src/output.c                                        | 2 +-
+ 4 files changed, 10 insertions(+), 2 deletions(-)
+ create mode 100644 regression/input/comment-parent-heap-underread.c
+ create mode 100644 regression/standard/comment-parent-heap-underread.c
+
+diff --git a/regression/TEST b/regression/TEST
+index 7c07c2e..951b1a2 100755
+--- a/regression/TEST
++++ b/regression/TEST
+@@ -40,6 +40,7 @@ BUGS="case-label.c one-line-1.c one-line-2.c one-line-3.c \
+         macro.c enum.c elif.c nested.c wrapped-string.c minus_predecrement.c \
+         bug-gnu-33364.c float-constant-suffix.c block-comments.c \
+-        no-forced-nl-in-block-init.c hexadecimal_float.c binary-constant.c"
++        no-forced-nl-in-block-init.c hexadecimal_float.c binary-constant.c \
++        comment-parent-heap-underread.c"
+ 
+ INDENTSRC="args.c backup.h backup.c dirent_def.h globs.c indent.h \
+         indent.c indent_globs.h io.c lexi.c memcpy.c parse.c pr_comment.c \
+diff --git a/regression/input/comment-parent-heap-underread.c 
+b/regression/input/comment-parent-heap-underread.c
+new file mode 100644
+index 0000000..68e13cf
+--- /dev/null
++++ b/regression/input/comment-parent-heap-underread.c
+@@ -0,0 +1,3 @@
++void foo(void) {
++/*a*/(1);
++}
+diff --git a/regression/standard/comment-parent-heap-underread.c 
+b/regression/standard/comment-parent-heap-underread.c
+new file mode 100644
+index 0000000..9a1c6e3
+--- /dev/null
++++ b/regression/standard/comment-parent-heap-underread.c
+@@ -0,0 +1,5 @@
++void
++foo (void)
++{
++/*a*/ (1);
++}
+diff --git a/src/output.c b/src/output.c
+index ee01bcc..17eee6e 100644
+--- a/src/output.c
++++ b/src/output.c
+@@ -290,7 +290,7 @@ void set_buf_break (
+     /* Did we just parse a bracket that will be put on the next line
+      * by this line break? */
+ 
+-    if ((*token == '(') || (*token == '['))
++    if (level > 0 && ((*token == '(') || (*token == '[')))
+     {
+         --level;                        /* then don't take it into account */
+     }
+-- 
+2.43.0
-- 
2.46.0

[bug#74035] [PATCH 13/24] gnu: squashfs-tools: Update to 4.6.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2021-40153 and CVE-2021-41072.

* gnu/packages/compression.scm (squashfs-tools): Update to 4.6.1.
[arguments]: Improve style.
<#:make-flags>: Add INSTALL_MANPAGES_DIR value.
<#:phases>: Remove phase 'install-documentation. Add phase
'patch-generated-source-shebangs.
[native-inputs]: Add coreutils-minimal, help2man, which.
[inputs]: Rewrite.
---
 gnu/packages/compression.scm | 52 ++++++++++++++++++------------------
 1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index a32b15a64a..b3eca16191 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -1023,7 +1023,7 @@ (define-public lz4
 (define-public squashfs-tools
   (package
     (name "squashfs-tools")
-    (version "4.5")
+    (version "4.6.1")
     (source
      (origin
        (method git-fetch)
@@ -1032,34 +1032,34 @@ (define-public squashfs-tools
              (commit version)))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "18d4nwa22vgb8j2badngjngw63f0lj501cvlh3920wqy2mqxwav6"))))
+        (base32 "14nisidxx2d2qivyv7xfcg59qkj4fjiniir7nvymazdsng63gcr1"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:tests? #f                      ; no check target
-       #:make-flags
-       (list (string-append "CC=" ,(cc-for-target))
-             "XZ_SUPPORT=1"
-             "LZO_SUPPORT=1"
-             "LZ4_SUPPORT=1"
-             "ZSTD_SUPPORT=1"
-             (string-append "INSTALL_DIR=" (assoc-ref %outputs "out") "/bin"))
-       #:phases
-       (modify-phases %standard-phases
-         (replace 'configure
-           (lambda _
-             (chdir "squashfs-tools")))
-         (add-after 'install 'install-documentation
-           ;; Install what very little usage documentation is provided.
-           (lambda* (#:key outputs #:allow-other-keys)
-             (let* ((out (assoc-ref outputs "out"))
-                    (doc (string-append out "/share/doc/" ,name)))
-               (install-file "../USAGE" doc)))))))
+     (list
+      #:tests? #f                      ; no check target
+      #:make-flags
+      #~(list
+         (string-append "CC=" #$(cc-for-target))
+         "XZ_SUPPORT=1"
+         "LZO_SUPPORT=1"
+         "LZ4_SUPPORT=1"
+         "ZSTD_SUPPORT=1"
+         (string-append "INSTALL_DIR=" #$output "/bin")
+         (string-append "INSTALL_MANPAGES_DIR=" #$output "/share/man/man1"))
+      #:phases
+      #~(modify-phases %standard-phases
+          (replace 'configure
+            (lambda _
+              (chdir "squashfs-tools")))
+          (add-after 'patch-source-shebangs 'patch-generated-source-shebangs
+            (lambda _
+              (substitute* (find-files "generate-manpages" "\\.sh")
+                (("print \"#!/bin/sh")
+                 (string-append "print \"#!" (which "sh")))))))))
+    (native-inputs
+     (list coreutils-minimal help2man which))
     (inputs
-     `(("lz4" ,lz4)
-       ("lzo" ,lzo)
-       ("xz" ,xz)
-       ("zlib" ,zlib)
-       ("zstd:lib" ,zstd "lib")))
+     (list lz4 lzo xz zlib `(,zstd "lib")))
     (home-page "https://github.com/plougher/squashfs-tools")
     (synopsis "Tools to create and extract squashfs file systems")
     (description
-- 
2.46.0

[bug#74035] [PATCH 14/24] gnu: shapelib: Update to 1.6.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2022-0699.

* gnu/packages/geo.scm (shapelib): Update to 1.6.1.
---
 gnu/packages/geo.scm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/geo.scm b/gnu/packages/geo.scm
index 5d120b3c98..affa50c515 100644
--- a/gnu/packages/geo.scm
+++ b/gnu/packages/geo.scm
@@ -2574,7 +2574,7 @@ (define-public readosm
 (define-public shapelib
   (package
     (name "shapelib")
-    (version "1.5.0")
+    (version "1.6.1")
     (source
      (origin
        (method git-fetch)
@@ -2583,7 +2583,7 @@ (define-public shapelib
              (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "1lzch0jf6yqhw391phhafzw4ghmiz98zkf698h4fmq109fa2vhqd"))))
+        (base32 "0l67gp1618lcw7fg2iclbh016cqyw85s3cmd3qzx6aw0jq19hj8n"))))
     (build-system gnu-build-system)
     (native-inputs
      (list autoconf automake libtool))
@@ -2591,8 +2591,8 @@ (define-public shapelib
     (synopsis "Provides C library to write and update ESRI Shapefiles")
     (description
      "The Shapefile C Library provides the ability to write simple C programs
-for reading, writing and updating (to a limited extent) ESRI Shapefiles, and the
-associated attribute file (@file{.dbf}).")
+for reading, writing and updating (to a limited extent) ESRI Shapefiles, and
+the associated attribute file (@file{.dbf}).")
     (license license:gpl2+)))
 
 (define-public spatialite-tools
-- 
2.46.0

[bug#74035] [PATCH 15/24] gnu: libzapojit: Update to 0.0.3-1.99d49ba. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2021-39360.

* gnu/packages/gnome.scm (libzapojit): Update to 0.0.3-1.99d49ba.
---
 gnu/packages/gnome.scm | 45 ++++++++++++++++++++++--------------------
 1 file changed, 24 insertions(+), 21 deletions(-)

diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 9b26819261..9abe433aa4 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -10591,28 +10591,31 @@ (define-public gsound
     (license license:lgpl2.1+)))
 
 (define-public libzapojit
-  (package
-    (name "libzapojit")
-    (version "0.0.3")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnome/sources/" name "/"
-                                  (version-major+minor version) "/"
-                                  name "-" version ".tar.xz"))
-              (sha256
-               (base32
-                "0zn3s7ryjc3k1abj4k55dr2na844l451nrg9s6cvnnhh569zj99x"))))
-    (build-system gnu-build-system)
-    (native-inputs
-     (list gobject-introspection intltool pkg-config))
-    (inputs
-     (list gnome-online-accounts json-glib rest))
-    (home-page "https://wiki.gnome.org/Projects/Zapojit")
-    (synopsis "Library for accessing SkyDrive and Hotmail")
-    (description
-     "Libzapojit is a GLib-based library for accessing online service APIs of
+  (let ((revision "1")
+        (commit "99d49bac5edc4afdcac742a0a142908e405597b0"))
+    (package
+      (name "libzapojit")
+      (version (git-version "0.0.3" revision commit))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://gitlab.gnome.org/Archive/libzapojit")
+               (commit commit)))
+         (file-name (git-file-name name version))
+         (sha256
+          (base32 "12frqg925rmic3rf37h5vs48xdy3mfi4ip24v0bl73h5sxy8n828"))))
+      (build-system gnu-build-system)
+      (native-inputs
+       (list gobject-introspection intltool pkg-config))
+      (inputs
+       (list gnome-online-accounts json-glib rest))
+      (home-page "https://wiki.gnome.org/Projects/Zapojit")
+      (synopsis "Library for accessing SkyDrive and Hotmail")
+      (description
+       "Libzapojit is a GLib-based library for accessing online service APIs of
 Microsoft SkyDrive and Hotmail, using their REST protocols.")
-    (license license:lgpl2.1+)))
+      (license license:lgpl2.1+))))
 
 (define-public gnome-clocks
   (package
-- 
2.46.0

[bug#74035] [PATCH 16/24] gnu: gifsicle: Update to 1.95. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-44821 and CVE-2023-46009.

* gnu/packages/image.scm (gifsicle): Update to 1.95.
---
 gnu/packages/image.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 7f17c71aef..0d6593dc21 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -2172,14 +2172,14 @@ (define-public swappy
 (define-public gifsicle
   (package
    (name "gifsicle")
-   (version "1.94")
+   (version "1.95")
    (source
      (origin
        (method url-fetch)
        (uri (string-append "https://www.lcdf.org/gifsicle/gifsicle-"
                            version ".tar.gz"))
        (sha256
-        (base32 "16zq5wd6fyjgy0p0mak15k3mh1zpqb9rg6gqfpg215kqq02p1jab"))))
+        (base32 "0l69gn562l7a1l10zz1bfs756ipd682idgpk60qs3llz013icwdj"))))
    (build-system gnu-build-system)
    (arguments
     '(#:phases
-- 
2.46.0

[bug#74035] [PATCH 17/24] gnu: sendmail: Update to 8.18.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-51765 and CVE-2021-3618.

* gnu/packages/mail.scm (sendmail): Update to 8.18.1.
---
 gnu/packages/mail.scm | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 77be7626a9..63e0f24534 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -3122,7 +3122,7 @@ (define-public mhonarc
 (define-public sendmail
   (package
     (name "sendmail")
-    (version "8.15.2")
+    (version "8.18.1")
     (source
      (origin
        (method url-fetch)
@@ -3130,8 +3130,7 @@ (define-public sendmail
              "ftp://ftp.sendmail.org/pub/sendmail/sendmail."
              version ".tar.gz"))
        (sha256
-        (base32
-         "0fdl9ndmspqspdlmghzxlaqk56j3yajk52d7jxcg21b7sxglpy94"))))
+        (base32 "0w07iw4imp9wvczd2mijns7zxl8p1wk29b9yrzvhcj4fqc4z7wfb"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
-- 
2.46.0

[bug#74035] [PATCH 18/24] gnu: openvpn: Update to 2.6.12. [security fixes]

[Nicolas Graves via Guix-patches via]

Thix fixes CVE-2024-24974, CVE-2024-27459 and CVE-2024-27903.

* gnu/packages/vpn.scm (openvpn): Update to 2.6.12.
---
 gnu/packages/vpn.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/vpn.scm b/gnu/packages/vpn.scm
index 9f36595bfd..193b247779 100644
--- a/gnu/packages/vpn.scm
+++ b/gnu/packages/vpn.scm
@@ -867,7 +867,7 @@ (define-public openfortivpn
 (define-public openvpn
   (package
     (name "openvpn")
-    (version "2.6.7")
+    (version "2.6.12")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -875,7 +875,7 @@ (define-public openvpn
                     version ".tar.gz"))
               (sha256
                (base32
-                "04wr0g97nmv81javym8r99mglmb86v1i49xmnmzf938x1cs7g67f"))))
+                "0a8r3bvg4aic9b7dix0h7990g3j1gq17wd3w6vqk8vk8xgfhyq8w"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--enable-iproute2=yes")))
-- 
2.46.0

[bug#74035] [PATCH 19/24] gnu: youtube-dl: Deprecate package.

[Nicolas Graves via Guix-patches via]

This package is not developped anymore.

* gnu/packages/video.scm (youtube-dl): Deprecate package.
---
 gnu/packages/video.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 92c0acef3c..9fca994b54 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -93,6 +93,7 @@ (define-module (gnu packages video)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix utils)
   #:use-module (guix packages)
+  #:use-module (guix deprecation)
   #:use-module (guix download)
   #:use-module (guix gexp)
   #:use-module (guix git-download)
@@ -3084,7 +3085,7 @@ (define-public yle-dl
 video streaming services of the Finnish national broadcasting company Yle.")
     (license license:gpl3+)))
 
-(define-public youtube-dl
+(define-deprecated/public youtube-dl #f
   (package
     (name "youtube-dl")
     (version "2021.12.17")
-- 
2.46.0

[bug#74035] [PATCH 20/24] gnu: liblouis: Update to 3.31.0. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2022-26981.

* gnu/packages/language.scm (liblouis): Update to 3.31.0.
[arguments]: Improve style using gexps.
[native-inputs]: Rewrite and replace python-wrapper by python.
---
 gnu/packages/language.scm | 47 ++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 25 deletions(-)

diff --git a/gnu/packages/language.scm b/gnu/packages/language.scm
index 78fcba4287..6a5e7927b4 100644
--- a/gnu/packages/language.scm
+++ b/gnu/packages/language.scm
@@ -10,6 +10,7 @@
 ;;; Copyright © 2023 gemmaro <gemmaro.dev@gmail.com>
 ;;; Copyright © 2024 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2024 Charles <charles@charje.net>
+;;; Copyright © 2024 Nicolas Graves <ngraves@ngraves.fr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -338,7 +339,7 @@ (define-public libchewing
 (define-public liblouis
   (package
     (name "liblouis")
-    (version "3.15.0")
+    (version "3.31.0")
     (source
      (origin
        (method git-fetch)
@@ -348,34 +349,30 @@ (define-public liblouis
          (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "1ljy5xsy7vf2r0ix0d7bqcr6qvr6897f8madsx9zlm1mrj31n5px"))))
+        (base32 "02bga2l4jiyrgfqdl27wszz5yd6h80n2dmq3p6nb2br83jywisfh"))))
     (build-system gnu-build-system)
     (outputs '("out" "bin" "doc" "python"))
     (arguments
-     `(#:configure-flags
-       (list
-        "--disable-static"
-        "--enable-ucs4")
-       #:phases
-       (modify-phases %standard-phases
-         (add-after 'install 'install-python-extension
-           (lambda* (#:key outputs #:allow-other-keys)
-             (with-directory-excursion "python"
-               (invoke "python" "setup.py" "install"
-                       (string-append "--prefix="
-                                      (assoc-ref outputs "python"))
-                       "--root=/")))))))
+     (list
+      #:configure-flags #~(list "--disable-static" "--enable-ucs4")
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'install 'install-python-extension
+            (lambda _
+              (with-directory-excursion "python"
+                (invoke "python3" "setup.py" "install" "--root=/"
+                        (string-append "--prefix=" #$output:python))))))))
     (native-inputs
-     `(("autoconf" ,autoconf)
-       ("automake" ,automake)
-       ("clang-format" ,clang)
-       ("help2man" ,help2man)
-       ("libtool" ,libtool)
-       ("libyaml" ,libyaml)
-       ("makeinfo" ,texinfo)
-       ("perl" ,perl)
-       ("pkg-config" ,pkg-config)
-       ("python" ,python-wrapper)))
+     (list autoconf
+           automake
+           clang
+           help2man
+           libtool
+           libyaml
+           texinfo
+           perl
+           pkg-config
+           python))
     (synopsis "Braille translator and back-translator")
     (description "Liblouis is a braille translator and back-translator named in
 honor of Louis Braille.  It features support for computer and literary braille,
-- 
2.46.0

[bug#74035] [PATCH 21/24] gnu: unicorn: Update to 2.1.1. [security fixes]

[Nicolas Graves via Guix-patches via]

Thix fixes CVE-2021-4296.

* gnu/packages/emulators.scm (unicorn): Update to 2.1.1.
---
 gnu/packages/emulators.scm | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/emulators.scm b/gnu/packages/emulators.scm
index f0a60c0b49..948e588c4c 100644
--- a/gnu/packages/emulators.scm
+++ b/gnu/packages/emulators.scm
@@ -3508,13 +3508,18 @@ (define-public zsnes
 (define-public unicorn
   (package
     (name "unicorn")
-    (version "2.0.1.post1")
+    (version "2.1.1")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri name version))
        (sha256
-        (base32 "0mlfs8qfi0clyncfkbxp6in0cpl747510i6bqymwid43xcirbikz"))))
+        (base32 "18sbrycr62wcs3a68a9q76ihpahfsd4bn3mryvyhimwwn1342kwh"))
+       (modules '((guix build utils)))
+       ;; cmake files are not in the cmake dir in pypi
+       (snippet #~(substitute* "src/CMakeLists.txt"
+                    (("include\\(cmake/")
+                     "include(")))))
     (build-system pyproject-build-system)
     (native-inputs (list cmake pkg-config))
     (home-page "https://www.unicorn-engine.org")
-- 
2.46.0

[bug#74035] [PATCH 22/24] gnu: Add sexpp.

[Nicolas Graves via Guix-patches via]

* gnu/packages/openpgp.scm (sexpp): New variable.
---
 gnu/packages/openpgp.scm | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/gnu/packages/openpgp.scm b/gnu/packages/openpgp.scm
index 9b6f04b407..356908ab1f 100644
--- a/gnu/packages/openpgp.scm
+++ b/gnu/packages/openpgp.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2020 Justus Winter <justus@sequoia-pgp.org>
+;;; Copyright © 2024 Nicolas Graves <ngraves@ngraves.fr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -157,3 +158,26 @@ (define-public rnp
         license:asl2.0
         ;; Nominet UK's BSD 3-Clause License (netpgp).
         license:bsd-3)))))
+
+(define-public sexpp
+  (package
+    (name "sexpp")
+    (version "0.9.0")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/rnpgp/sexpp")
+             (commit (string-append "v" version))))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32 "16y9f42w6ay3w0s23xmigqm0qi1swdfvc93g2xn3xkg1r4kpmnwq"))))
+    (build-system cmake-build-system)
+    (arguments
+     (list #:configure-flags '(list "-DDOWNLOAD_GTEST=off")))
+    (native-inputs (list googletest pkg-config))
+    (home-page "https://github.com/rnpgp/sexpp")
+    (synopsis "C++ library for S-expressions")
+    (description
+     "This package provides a C++ library for working with S-Expressions.")
+    (license license:expat)))
-- 
2.46.0

[bug#74035] [PATCH 23/24] gnu: rnp: Update to 0.17.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-29479 and CVE-2023-29480.

* gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
[arguments]: Improve style using gexps.
<#:phases>: Add phase 'inject-sexpp-source.
[inputs]: Add sexpp.
---
 gnu/packages/openpgp.scm | 52 +++++++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 22 deletions(-)

diff --git a/gnu/packages/openpgp.scm b/gnu/packages/openpgp.scm
index 356908ab1f..baf786c5ee 100644
--- a/gnu/packages/openpgp.scm
+++ b/gnu/packages/openpgp.scm
@@ -23,6 +23,7 @@ (define-module (gnu packages openpgp)
   #:use-module (guix git-download)
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
+  #:use-module (guix gexp)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (gnu packages)
   #:use-module (gnu packages check)
@@ -98,10 +99,10 @@ (define-public dkgpg
     (license license:gpl2+)))
 
 (define-public rnp
-  (let ((day-of-release "2022-09-22"))
+  (let ((day-of-release "2024-05-14"))
     (package
       (name "rnp")
-      (version "0.16.2")
+      (version "0.17.1")
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
@@ -110,33 +111,40 @@ (define-public rnp
                 (file-name (git-file-name name version))
                 (sha256
                  (base32
-                  "13z5kxm48a72w4m2crwgdjdng4a4pwxsd72r2z3a4pcakfp2swi8"))))
+                  "052872b6a88vkcc58alxcm532y6dra5qqd997jga41v72h3pnj4d"))))
       (build-system cmake-build-system)
-      (arguments `(#:configure-flags
-                   '("-DBUILD_SHARED_LIBS=on"
-                     "-DBUILD_TESTING=on"
-                     "-DDOWNLOAD_GTEST=off"
-                     "-DDOWNLOAD_RUBYRNP=off")
-                   #:phases
-                   (modify-phases %standard-phases
-                     (add-after 'unpack 'patch-tests
-                       (lambda _
-                         (substitute* "src/tests/support.cpp"
-                           (("\"cp\"") (search-input-file inputs "/bin/cp")))))
-                     (replace 'check
-                       (lambda* (#:key tests? #:allow-other-keys)
-                         (when tests?
-                           ;; Some OpenPGP certificates used by the tests expire.
-                           ;; To work around that, set the time to roughly the
-                           ;; release date.
-                           (invoke "faketime" ,day-of-release "make" "test")))))))
+      (arguments
+       (list
+        #:configure-flags
+        ''("-DBUILD_SHARED_LIBS=on"
+           "-DBUILD_TESTING=on"
+           "-DDOWNLOAD_GTEST=off"
+           "-DDOWNLOAD_RUBYRNP=off")
+        #:phases
+        #~(modify-phases %standard-phases
+            (add-after 'unpack 'patch-tests
+              (lambda _
+                (substitute* "src/tests/support.cpp"
+                  (("\"cp\"") (search-input-file inputs "/bin/cp")))))
+            (add-after 'unpack 'inject-sexpp-source
+              (lambda _
+                (rmdir "src/libsexpp")
+                (symlink #$(package-source (this-package-input "sexpp"))
+                         "src/libsexpp")))
+            (replace 'check
+              (lambda* (#:key tests? #:allow-other-keys)
+                (when tests?
+                  ;; Some OpenPGP certificates used by the tests expire.
+                  ;; To work around that, set the time to roughly the
+                  ;; release date.
+                  (invoke "faketime" #$day-of-release "make" "test")))))))
       (native-inputs
        (list gnupg       ; for tests
              googletest  ; for tests
              libfaketime ; for tests
              pkg-config
              python))
-      (inputs (list botan bzip2 json-c zlib))
+      (inputs (list botan bzip2 json-c sexpp zlib))
       (synopsis
        "RFC4880-compliant OpenPGP library written in C++")
       (description
-- 
2.46.0

[bug#74035] [PATCH 24/24] gnu: cjson: Update to 1.7.18. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-50471 and CVE-2023-50472.

* gnu/packages/javascript.scm (cjson): Update to 1.7.18.
---
 gnu/packages/javascript.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/javascript.scm b/gnu/packages/javascript.scm
index 4f97dcfef6..b48acf47dc 100644
--- a/gnu/packages/javascript.scm
+++ b/gnu/packages/javascript.scm
@@ -49,7 +49,7 @@ (define-module (gnu packages javascript)
 (define-public cjson
   (package
     (name "cjson")
-    (version "1.7.16")
+    (version "1.7.18")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -57,7 +57,7 @@ (define-public cjson
                     (commit (string-append "v" version))))
               (file-name (git-file-name name version))
               (sha256
-               (base32 "00599lzzb0vszk317n0gln7wizdpchy4warxgpj3khrir73pphbb"))))
+               (base32 "08p37q4i3za3dgz7wynma1fh8y4rq7pyzyjzcda710nxrmsm1pyv"))))
     (build-system cmake-build-system)
     (arguments
      `(#:configure-flags '("-DENABLE_CJSON_UTILS=On")))
-- 
2.46.0

[bug#74035] [PATCH v2 01/26] gnu: libyang: Update to 3.4.2. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2021-28902, CVE-2021-28903, CVE-2021-28904,
CVE-2021-28905 and CVE-2021-28906.

* gnu/packages/networking.scm (libyang): Update to 3.4.2.
---
 gnu/packages/networking.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 8481e2d2f4..17d4072ee0 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -4238,7 +4238,7 @@ (define-public iwgtk
 (define-public libyang
   (package
     (name "libyang")
-    (version "1.0.215")
+    (version "3.4.2")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -4247,12 +4247,12 @@ (define-public libyang
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "0mrs2ppmq77z8sbqgm2w0rl9bfgybd6bcxanakfww4chih6cy0dw"))))
+                "07skjr3r4na12kadca2dyk45clpcpnp4zkkwfaa8sqyslx7vhj56"))))
     (build-system cmake-build-system)
     (arguments
      `(#:configure-flags
        (list "-DENABLE_BUILD_TESTS=ON" "-DENABLE_LYD_PRIV=ON")))
-    (propagated-inputs (list pcre))
+    (propagated-inputs (list pcre2))
     (native-inputs (list cmocka pkg-config))
     (home-page "https://github.com/CESNET/libyang")
     (synopsis "YANG data modelling language library")
-- 
2.46.0

[bug#74035] [PATCH v2 02/26] gnu: python-django-4.2: Update to 4.2.16. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2024-24680, CVE-2024-41989, CVE-2024-41990,
CVE-2024-41991, CVE-2024-42005, CVE-2024-45230, CVE-2024-45231,
CVE-2023-43665 and CVE-2023-46695.

* gnu/packages/django.scm (python-django-4.2): Update to 4.2.16.
[properties]: Add lint-hidden-cve property.
---
 gnu/packages/django.scm | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/django.scm b/gnu/packages/django.scm
index 4404c8368d..4cf043f7c1 100644
--- a/gnu/packages/django.scm
+++ b/gnu/packages/django.scm
@@ -57,13 +57,13 @@ (define-module (gnu packages django)
 (define-public python-django-4.2
   (package
     (name "python-django")
-    (version "4.2.5")
+    (version "4.2.16")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "Django" version))
               (sha256
                (base32
-                "1ha6c5j3pizbsfzw37r52lvdz8z5lblq4iwa99mpkdzz92aiqp2y"))))
+                "1b8xgwg3gjr974j60x3vgcpp85cg5dwhzqdpdbl8qh3cg311c5kg"))))
     (build-system pyproject-build-system)
     (arguments
      '(#:test-flags
@@ -140,7 +140,9 @@ (define-public python-django-4.2
 any Web site.  Django focuses on automating as much as possible and adhering
 to the @dfn{don't repeat yourself} (DRY) principle.")
     (license license:bsd-3)
-    (properties `((cpe-name . "django")))))
+    (properties `((cpe-name . "django")
+                  ;; This CVE seems fixed since 4.2.1.
+                  (lint-hidden-cve . ("CVE-2023-31047"))))))
 
 (define-public python-django-3.2
   (package
-- 
2.46.0

[bug#74035] [PATCH v2 02/26] gnu: python-django-4.2: Update to 4.2.16. [security fixes]

[Zheng Junjie]

[-- Attachment #1: Type: text/plain, Size: 1748 bytes --]

Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> This fixes CVE-2024-24680, CVE-2024-41989, CVE-2024-41990,
> CVE-2024-41991, CVE-2024-42005, CVE-2024-45230, CVE-2024-45231,
> CVE-2023-43665 and CVE-2023-46695.
>
> * gnu/packages/django.scm (python-django-4.2): Update to 4.2.16.
> [properties]: Add lint-hidden-cve property.
> ---
>  gnu/packages/django.scm | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/gnu/packages/django.scm b/gnu/packages/django.scm
> index 4404c8368d..4cf043f7c1 100644
> --- a/gnu/packages/django.scm
> +++ b/gnu/packages/django.scm
> @@ -57,13 +57,13 @@ (define-module (gnu packages django)
>  (define-public python-django-4.2
>    (package
>      (name "python-django")
> -    (version "4.2.5")
> +    (version "4.2.16")
>      (source (origin
>                (method url-fetch)
>                (uri (pypi-uri "Django" version))
>                (sha256
>                 (base32
> -                "1ha6c5j3pizbsfzw37r52lvdz8z5lblq4iwa99mpkdzz92aiqp2y"))))
> +                "1b8xgwg3gjr974j60x3vgcpp85cg5dwhzqdpdbl8qh3cg311c5kg"))))
>      (build-system pyproject-build-system)
>      (arguments
>       '(#:test-flags
> @@ -140,7 +140,9 @@ (define-public python-django-4.2
>  any Web site.  Django focuses on automating as much as possible and adhering
>  to the @dfn{don't repeat yourself} (DRY) principle.")
>      (license license:bsd-3)
> -    (properties `((cpe-name . "django")))))
> +    (properties `((cpe-name . "django")
> +                  ;; This CVE seems fixed since 4.2.1.
> +                  (lint-hidden-cve . ("CVE-2023-31047"))))))
>  
>  (define-public python-django-3.2
>    (package

apply.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v2 03/26] gnu: maradns: Update to 3.5.0036. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-31137.

* gnu/packages/dns.scm (maradns): Update to 3.5.0036.
[properties]: Add release-monitoring-url property.
---
 gnu/packages/dns.scm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index e911a142ef..bd2df30f01 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -1181,7 +1181,7 @@ (define-public public-suffix-list
 (define-public maradns
   (package
     (name "maradns")
-    (version "3.5.0022")
+    (version "3.5.0036")
     (source
      (origin
        (method url-fetch)
@@ -1189,7 +1189,7 @@ (define-public maradns
                            (version-major+minor version) "/"
                            version "/maradns-" version ".tar.xz"))
        (sha256
-        (base32 "1sw267jxxxngjcar8cj3jpxnpiz0szgkhlz5l46c67qs690w9kdi"))))
+        (base32 "185kl7zfvnwzfpyxbzpwck13m468av74kbqijp0s4v33iicfpnvc"))))
     (build-system gnu-build-system)
     (arguments
      `(#:tests? #f                      ; need to be root to run tests
@@ -1226,6 +1226,8 @@ (define-public maradns
     (description "MaraDNS is a small and lightweight DNS server.  MaraDNS
 consists of a UDP-only authoritative DNS server for hosting domains, and a UDP
 and TCP-capable recursive DNS server for finding domains on the internet.")
+    (properties '((release-monitoring-url
+                   . "https://maradns.samiam.org/download.html")))
     (license license:bsd-2)))
 
 (define-public openresolv
-- 
2.46.0

[bug#74035] [PATCH v2 03/26] gnu: maradns: Update to 3.5.0036. [security fixes]

[Zheng Junjie]

[-- Attachment #1: Type: text/plain, Size: 1698 bytes --]

Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> This fixes CVE-2023-31137.
>
> * gnu/packages/dns.scm (maradns): Update to 3.5.0036.
> [properties]: Add release-monitoring-url property.
> ---
>  gnu/packages/dns.scm | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
> index e911a142ef..bd2df30f01 100644
> --- a/gnu/packages/dns.scm
> +++ b/gnu/packages/dns.scm
> @@ -1181,7 +1181,7 @@ (define-public public-suffix-list
>  (define-public maradns
>    (package
>      (name "maradns")
> -    (version "3.5.0022")
> +    (version "3.5.0036")
>      (source
>       (origin
>         (method url-fetch)
> @@ -1189,7 +1189,7 @@ (define-public maradns
>                             (version-major+minor version) "/"
>                             version "/maradns-" version ".tar.xz"))
>         (sha256
> -        (base32 "1sw267jxxxngjcar8cj3jpxnpiz0szgkhlz5l46c67qs690w9kdi"))))
> +        (base32 "185kl7zfvnwzfpyxbzpwck13m468av74kbqijp0s4v33iicfpnvc"))))
>      (build-system gnu-build-system)
>      (arguments
>       `(#:tests? #f                      ; need to be root to run tests
> @@ -1226,6 +1226,8 @@ (define-public maradns
>      (description "MaraDNS is a small and lightweight DNS server.  MaraDNS
>  consists of a UDP-only authoritative DNS server for hosting domains, and a UDP
>  and TCP-capable recursive DNS server for finding domains on the internet.")
> +    (properties '((release-monitoring-url
> +                   . "https://maradns.samiam.org/download.html")))
>      (license license:bsd-2)))
>  
>  (define-public openresolv

apply.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v2 04/26] gnu: maradns: Improve style.

[Nicolas Graves via Guix-patches via]

* gnu/packages/dns.scm (maradns)[arguments]: Use gexps.
---
 gnu/packages/dns.scm | 58 ++++++++++++++++++++++----------------------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index bd2df30f01..7a78fb0308 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -1192,35 +1192,35 @@ (define-public maradns
         (base32 "185kl7zfvnwzfpyxbzpwck13m468av74kbqijp0s4v33iicfpnvc"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:tests? #f                      ; need to be root to run tests
-       #:make-flags
-       (list
-        ,(string-append "CC=" (cc-for-target))
-        (string-append "PREFIX=" %output)
-        (string-append "RPM_BUILD_ROOT=" %output))
-       #:phases
-       (modify-phases %standard-phases
-         (replace 'configure
-           (lambda* (#:key native-inputs target #:allow-other-keys)
-             ;; make_32bit_tables generates a header file that is used during
-             ;; compilation. Hence, during cross compilation, it should be
-             ;; built for the host system.
-             (when target
-               (substitute* "rng/Makefile"
-                 (("\\$\\(CC\\) -o make_32bit_tables")
-                  (string-append (assoc-ref native-inputs "gcc")
-                                 "/bin/gcc -o make_32bit_tables"))))
-             (invoke "./configure")))
-         (add-before 'install 'create-install-directories
-           (lambda* (#:key outputs #:allow-other-keys)
-             (let ((out (assoc-ref outputs "out")))
-               (for-each (lambda (dir)
-                           (mkdir-p (string-append out dir)))
-                         (list "/bin" "/sbin" "/etc"
-                               "/share/man/man1"
-                               "/share/man/man5"
-                               "/share/man/man8"))
-               #t))))))
+     (list
+      #:tests? #f                      ; need to be root to run tests
+      #:make-flags
+      #~(list
+         (string-append "CC=" #$(cc-for-target))
+         (string-append "PREFIX=" #$output)
+         (string-append "RPM_BUILD_ROOT=" #$output))
+      #:phases
+      #~(modify-phases %standard-phases
+          (replace 'configure
+            (lambda* (#:key native-inputs target #:allow-other-keys)
+              ;; make_32bit_tables generates a header file that is used during
+              ;; compilation. Hence, during cross compilation, it should be
+              ;; built for the host system.
+              (when target
+                (substitute* "rng/Makefile"
+                  (("\\$\\(CC\\) -o make_32bit_tables")
+                   (string-append (search-input-file native-inputs "/bin/gcc")
+                                  " -o make_32bit_tables"))))
+              ;; ./configure doesn't support default flags
+              (invoke "./configure")))
+          (add-before 'install 'create-install-directories
+            (lambda _
+              (for-each (lambda (dir)
+                          (mkdir-p (string-append #$output dir)))
+                        (list "/bin" "/sbin" "/etc"
+                              "/share/man/man1"
+                              "/share/man/man5"
+                              "/share/man/man8")))))))
     (home-page "https://maradns.samiam.org")
     (synopsis "Small lightweight DNS server")
     (description "MaraDNS is a small and lightweight DNS server.  MaraDNS
-- 
2.46.0

[bug#74035] [PATCH v2 04/26] gnu: maradns: Improve style.

[Zheng Junjie]

[-- Attachment #1: Type: text/plain, Size: 3703 bytes --]

Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> * gnu/packages/dns.scm (maradns)[arguments]: Use gexps.
> ---
>  gnu/packages/dns.scm | 58 ++++++++++++++++++++++----------------------
>  1 file changed, 29 insertions(+), 29 deletions(-)
>
> diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
> index bd2df30f01..7a78fb0308 100644
> --- a/gnu/packages/dns.scm
> +++ b/gnu/packages/dns.scm
> @@ -1192,35 +1192,35 @@ (define-public maradns
>          (base32 "185kl7zfvnwzfpyxbzpwck13m468av74kbqijp0s4v33iicfpnvc"))))
>      (build-system gnu-build-system)
>      (arguments
> -     `(#:tests? #f                      ; need to be root to run tests
> -       #:make-flags
> -       (list
> -        ,(string-append "CC=" (cc-for-target))
> -        (string-append "PREFIX=" %output)
> -        (string-append "RPM_BUILD_ROOT=" %output))
> -       #:phases
> -       (modify-phases %standard-phases
> -         (replace 'configure
> -           (lambda* (#:key native-inputs target #:allow-other-keys)
> -             ;; make_32bit_tables generates a header file that is used during
> -             ;; compilation. Hence, during cross compilation, it should be
> -             ;; built for the host system.
> -             (when target
> -               (substitute* "rng/Makefile"
> -                 (("\\$\\(CC\\) -o make_32bit_tables")
> -                  (string-append (assoc-ref native-inputs "gcc")
> -                                 "/bin/gcc -o make_32bit_tables"))))
> -             (invoke "./configure")))
> -         (add-before 'install 'create-install-directories
> -           (lambda* (#:key outputs #:allow-other-keys)
> -             (let ((out (assoc-ref outputs "out")))
> -               (for-each (lambda (dir)
> -                           (mkdir-p (string-append out dir)))
> -                         (list "/bin" "/sbin" "/etc"
> -                               "/share/man/man1"
> -                               "/share/man/man5"
> -                               "/share/man/man8"))
> -               #t))))))
> +     (list
> +      #:tests? #f                      ; need to be root to run tests
> +      #:make-flags
> +      #~(list
> +         (string-append "CC=" #$(cc-for-target))
> +         (string-append "PREFIX=" #$output)
> +         (string-append "RPM_BUILD_ROOT=" #$output))
> +      #:phases
> +      #~(modify-phases %standard-phases
> +          (replace 'configure
> +            (lambda* (#:key native-inputs target #:allow-other-keys)
> +              ;; make_32bit_tables generates a header file that is used during
> +              ;; compilation. Hence, during cross compilation, it should be
> +              ;; built for the host system.
> +              (when target
> +                (substitute* "rng/Makefile"
> +                  (("\\$\\(CC\\) -o make_32bit_tables")
> +                   (string-append (search-input-file native-inputs "/bin/gcc")
> +                                  " -o make_32bit_tables"))))
> +              ;; ./configure doesn't support default flags
> +              (invoke "./configure")))
> +          (add-before 'install 'create-install-directories
> +            (lambda _
> +              (for-each (lambda (dir)
> +                          (mkdir-p (string-append #$output dir)))
> +                        (list "/bin" "/sbin" "/etc"
> +                              "/share/man/man1"
> +                              "/share/man/man5"
> +                              "/share/man/man8")))))))
>      (home-page "https://maradns.samiam.org")
>      (synopsis "Small lightweight DNS server")
>      (description "MaraDNS is a small and lightweight DNS server.  MaraDNS

apply.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v2 05/26] gnu: libmobi: Update to 0.12. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2022-1533, CVE-2022-1534, CVE-2022-1907, CVE-2022-1908,
CVE-2022-1987, CVE-2022-2279, CVE-2022-29788, CVE-2021-3751,
CVE-2021-3881, CVE-2021-3888 and CVE-2021-3889.

* gnu/packages/ebook.scm (libmobi): Update to 0.12.
---
 gnu/packages/ebook.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ebook.scm b/gnu/packages/ebook.scm
index dc30c98fdf..bf8dcfad09 100644
--- a/gnu/packages/ebook.scm
+++ b/gnu/packages/ebook.scm
@@ -648,7 +648,7 @@ (define-public xchm
 (define-public libmobi
   (package
     (name "libmobi")
-    (version "0.6")
+    (version "0.12")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -657,7 +657,7 @@ (define-public libmobi
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "0yps72cm609xn2k7alflkdhp9kgr1w7zzyxjygz0n1kqrdcplihh"))))
+                "0cwya9n0rd97ai0fcqjwq7b3sjzigf3ywp7bnkbbw541f3knpds9"))))
     (build-system gnu-build-system)
     (native-inputs
      (list autoconf automake libtool))
-- 
2.46.0

[bug#74035] [PATCH v2 05/26] gnu: libmobi: Update to 0.12. [security fixes]

[Zheng Junjie]

[-- Attachment #1: Type: text/plain, Size: 1237 bytes --]

Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> This fixes CVE-2022-1533, CVE-2022-1534, CVE-2022-1907, CVE-2022-1908,
> CVE-2022-1987, CVE-2022-2279, CVE-2022-29788, CVE-2021-3751,
> CVE-2021-3881, CVE-2021-3888 and CVE-2021-3889.
>
> * gnu/packages/ebook.scm (libmobi): Update to 0.12.
> ---
>  gnu/packages/ebook.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/ebook.scm b/gnu/packages/ebook.scm
> index dc30c98fdf..bf8dcfad09 100644
> --- a/gnu/packages/ebook.scm
> +++ b/gnu/packages/ebook.scm
> @@ -648,7 +648,7 @@ (define-public xchm
>  (define-public libmobi
>    (package
>      (name "libmobi")
> -    (version "0.6")
> +    (version "0.12")
>      (source (origin
>                (method git-fetch)
>                (uri (git-reference
> @@ -657,7 +657,7 @@ (define-public libmobi
>                (file-name (git-file-name name version))
>                (sha256
>                 (base32
> -                "0yps72cm609xn2k7alflkdhp9kgr1w7zzyxjygz0n1kqrdcplihh"))))
> +                "0cwya9n0rd97ai0fcqjwq7b3sjzigf3ywp7bnkbbw541f3knpds9"))))
>      (build-system gnu-build-system)
>      (native-inputs
>       (list autoconf automake libtool))

apply.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v2 06/26] gnu: bart: Update to 0.9.00. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes bart reproducibility and CVE-2022-45387.

* gnu/packages/image-processing.scm (bart): Update to 0.9.00.
---
 gnu/packages/image-processing.scm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/image-processing.scm b/gnu/packages/image-processing.scm
index a79eaf6aed..3a7c67362f 100644
--- a/gnu/packages/image-processing.scm
+++ b/gnu/packages/image-processing.scm
@@ -115,20 +115,19 @@ (define-module (gnu packages image-processing)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-1))
 
-;; TODO: this is not reproducible.
 (define-public bart
   (package
     (name "bart")
-    (version "0.8.00")
+    (version "0.9.00")
     (source
      (origin
        (method git-fetch)
        (uri (git-reference
              (url "https://github.com/mrirecon/bart")
-             (commit "eacc67b95cf128487ecc48f0e6541ea4dca08818")))
+             (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "05lcf7c3g7ms5h82bw1mi4kzkdv5wpqi1zrfhqfkgbcpd3irj6aq"))))
+        (base32 "0mj6jmw31rsnvqmpfqahhj4cy9iv5xgrhzmcsrikdz5dgd45lmjz"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -140,6 +139,7 @@ (define-public bart
                       "OPENBLAS=1"
                       "SCALAPACK=1"
                       (string-append "BLAS_BASE=" #$(this-package-input "openblas"))
+                      (string-append "CC=" #$(cc-for-target))
                       (string-append "FFTW_BASE=" #$(this-package-input "fftw")))
       #:parallel-build? #false ;leads to non-deterministic output
       #:phases
-- 
2.46.0

[bug#74035] [PATCH v2 07/26] gnu: wireshark: Update to 4.4.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2024-9780.

* gnu/packages/networking.scm (wireshark): Update to 4.4.1.
---
 gnu/packages/networking.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 17d4072ee0..be8b5c8e93 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -1805,14 +1805,14 @@ (define-public whois
 (define-public wireshark
   (package
     (name "wireshark")
-    (version "4.4.0")
+    (version "4.4.1")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "https://www.wireshark.org/download/src/wireshark-"
                            version ".tar.xz"))
        (sha256
-        (base32 "0s8jqxcvq7ibfsq8v4scl8dq7y5hqgpivq4iw9y2x6jj136cvmga"))))
+        (base32 "1v2nflm8rdifc6pwlzn1ciz22wl15zwkqs3r7gjw60kh59brd7ib"))))
     (build-system qt-build-system)
     (arguments
      (list
-- 
2.46.0

[bug#74035] [PATCH v2 07/26] gnu: wireshark: Update to 4.4.1. [security fixes]

[Z572]

[-- Attachment #1: Type: text/plain, Size: 1076 bytes --]

Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> This fixes CVE-2024-9780.
>
> * gnu/packages/networking.scm (wireshark): Update to 4.4.1.
> ---
>  gnu/packages/networking.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
> index 17d4072ee0..be8b5c8e93 100644
> --- a/gnu/packages/networking.scm
> +++ b/gnu/packages/networking.scm
> @@ -1805,14 +1805,14 @@ (define-public whois
>  (define-public wireshark
>    (package
>      (name "wireshark")
> -    (version "4.4.0")
> +    (version "4.4.1")
>      (source
>       (origin
>         (method url-fetch)
>         (uri (string-append "https://www.wireshark.org/download/src/wireshark-"
>                             version ".tar.xz"))
>         (sha256
> -        (base32 "0s8jqxcvq7ibfsq8v4scl8dq7y5hqgpivq4iw9y2x6jj136cvmga"))))
> +        (base32 "1v2nflm8rdifc6pwlzn1ciz22wl15zwkqs3r7gjw60kh59brd7ib"))))
>      (build-system qt-build-system)
>      (arguments
>       (list

apply, and switch to git-fetch.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v2 08/26] gnu: pam-u2f: Update to 1.3.0. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2021-31924.

* gnu/packages/security-token.scm (pam-u2f): Update to 1.3.0.
[inputs]: Add libfido2, openssl. Remove libu2f-host, libu2f-server.
[native-inputs]: Sort packages.
---
 gnu/packages/security-token.scm | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/security-token.scm b/gnu/packages/security-token.scm
index 5abb461c0c..156a7d5e28 100644
--- a/gnu/packages/security-token.scm
+++ b/gnu/packages/security-token.scm
@@ -682,7 +682,7 @@ (define-public libu2f-server
 (define-public pam-u2f
   (package
     (name "pam-u2f")
-    (version "1.0.8")
+    (version "1.3.0")
     (source (origin
               (method git-fetch)
               (uri
@@ -691,17 +691,16 @@ (define-public pam-u2f
                 (commit (string-append "pam_u2f-" version))))
               (file-name (git-file-name name version))
               (sha256
-               (base32
-                "04d9davyi33gqbvga1rvh9fijp6f16mx2xmnn4n61rnhcn2jac98"))))
+               (base32 "1swvys98mw7ailllgqicvhj315qajhvqrmm314cp3bj0l76s9qpv"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
        (list (string-append "--with-pam-dir="
                             (assoc-ref %outputs "out") "/lib/security"))))
     (inputs
-     (list libu2f-host libu2f-server linux-pam))
+     (list libfido2 linux-pam openssl))
     (native-inputs
-     (list autoconf automake libtool asciidoc pkg-config))
+     (list asciidoc autoconf automake libtool pkg-config))
     (home-page "https://developers.yubico.com/pam-u2f/")
     (synopsis "PAM module for U2F authentication")
     (description
-- 
2.46.0

[bug#74035] [PATCH v2 09/26] gnu: darkhttpd: Update to 1.16. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2024-23770 and CVE-2024-23771.

* gnu/packages/web.scm (darkhttpd): Update to 1.16.
[arguments]: Improve style.
---
 gnu/packages/web.scm | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 34739bf088..eb27d3448c 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -6417,7 +6417,7 @@ (define-public surfraw
 (define-public darkhttpd
   (package
     (name "darkhttpd")
-    (version "1.13")
+    (version "1.16")
     (source
      (origin
        (method git-fetch)
@@ -6426,20 +6426,18 @@ (define-public darkhttpd
              (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "0w11xq160q9yyffv4mw9ncp1n0dl50d9plmwxb0yijaaxls9i4sk"))))
+        (base32 "15mmq1v8p50mm9wx5w6g4rlr40b7d044lw7rs1wyzdiw9lcnihvm"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:make-flags
-       (list (string-append "CC=" ,(cc-for-target)))
-       #:tests? #f ; No test suite
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure)            ; no configure script
-         (replace 'install
-           (lambda* (#:key outputs #:allow-other-keys)
-             (install-file "darkhttpd"
-                           (string-append (assoc-ref outputs "out")
-                                          "/bin")))))))
+     (list
+      #:make-flags #~(list (string-append "CC=" #$(cc-for-target)))
+      #:tests? #f ; No test suite
+      #:phases
+      #~(modify-phases %standard-phases
+          (delete 'configure)            ; no configure script
+          (replace 'install
+            (lambda _
+              (install-file "darkhttpd" (string-append #$output "/bin")))))))
     (synopsis "Simple static web server")
     (description "darkhttpd is a simple static web server.  It is
 standalone and does not need inetd or ucspi-tcp.  It does not need any
-- 
2.46.0

[bug#74035] [PATCH v2 09/26] gnu: darkhttpd: Update to 1.16. [security fixes]

[Z572]

[-- Attachment #1: Type: text/plain, Size: 2186 bytes --]

Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> This fixes CVE-2024-23770 and CVE-2024-23771.
>
> * gnu/packages/web.scm (darkhttpd): Update to 1.16.
> [arguments]: Improve style.
> ---
>  gnu/packages/web.scm | 24 +++++++++++-------------
>  1 file changed, 11 insertions(+), 13 deletions(-)
>
> diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
> index 34739bf088..eb27d3448c 100644
> --- a/gnu/packages/web.scm
> +++ b/gnu/packages/web.scm
> @@ -6417,7 +6417,7 @@ (define-public surfraw
>  (define-public darkhttpd
>    (package
>      (name "darkhttpd")
> -    (version "1.13")
> +    (version "1.16")
>      (source
>       (origin
>         (method git-fetch)
> @@ -6426,20 +6426,18 @@ (define-public darkhttpd
>               (commit (string-append "v" version))))
>         (file-name (git-file-name name version))
>         (sha256
> -        (base32 "0w11xq160q9yyffv4mw9ncp1n0dl50d9plmwxb0yijaaxls9i4sk"))))
> +        (base32 "15mmq1v8p50mm9wx5w6g4rlr40b7d044lw7rs1wyzdiw9lcnihvm"))))
>      (build-system gnu-build-system)
>      (arguments
> -     `(#:make-flags
> -       (list (string-append "CC=" ,(cc-for-target)))
> -       #:tests? #f ; No test suite
> -       #:phases
> -       (modify-phases %standard-phases
> -         (delete 'configure)            ; no configure script
> -         (replace 'install
> -           (lambda* (#:key outputs #:allow-other-keys)
> -             (install-file "darkhttpd"
> -                           (string-append (assoc-ref outputs "out")
> -                                          "/bin")))))))
> +     (list
> +      #:make-flags #~(list (string-append "CC=" #$(cc-for-target)))
> +      #:tests? #f ; No test suite
> +      #:phases
> +      #~(modify-phases %standard-phases
> +          (delete 'configure)            ; no configure script
> +          (replace 'install
> +            (lambda _
> +              (install-file "darkhttpd" (string-append #$output "/bin")))))))
>      (synopsis "Simple static web server")
>      (description "darkhttpd is a simple static web server.  It is
>  standalone and does not need inetd or ucspi-tcp.  It does not need any

apply, and enable tests.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v2 10/26] gnu: xlsxio: Update to 0.2.35. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-34795.

* gnu/packages/xml.scm (xlsxio): Update to 0.2.35.
---
 gnu/packages/xml.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index cfd53a291a..4a3936b66d 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -1545,7 +1545,7 @@ (define-public xerces-c
 (define-public xlsxio
   (package
     (name "xlsxio")
-    (version "0.2.33")
+    (version "0.2.35")
     (source
      (origin
        (method git-fetch)
@@ -1554,7 +1554,7 @@ (define-public xlsxio
              (commit version)))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "16i3yd168kb63za7jpycpb2by4831gz7wi90vzifdf85csc8c70s"))))
+        (base32 "140ap2l3qy27z1fhqpkq3a44aikhr3v5zlnm9m8vag42qiagiznx"))))
     (native-inputs
      (list expat gnu-make minizip which))
     (build-system gnu-build-system)
-- 
2.46.0

[bug#74035] [PATCH v2 10/26] gnu: xlsxio: Update to 0.2.35. [security fixes]

[Zheng Junjie]

[-- Attachment #1: Type: text/plain, Size: 1039 bytes --]

Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> This fixes CVE-2023-34795.
>
> * gnu/packages/xml.scm (xlsxio): Update to 0.2.35.
> ---
>  gnu/packages/xml.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
> index cfd53a291a..4a3936b66d 100644
> --- a/gnu/packages/xml.scm
> +++ b/gnu/packages/xml.scm
> @@ -1545,7 +1545,7 @@ (define-public xerces-c
>  (define-public xlsxio
>    (package
>      (name "xlsxio")
> -    (version "0.2.33")
> +    (version "0.2.35")
>      (source
>       (origin
>         (method git-fetch)
> @@ -1554,7 +1554,7 @@ (define-public xlsxio
>               (commit version)))
>         (file-name (git-file-name name version))
>         (sha256
> -        (base32 "16i3yd168kb63za7jpycpb2by4831gz7wi90vzifdf85csc8c70s"))))
> +        (base32 "140ap2l3qy27z1fhqpkq3a44aikhr3v5zlnm9m8vag42qiagiznx"))))
>      (native-inputs
>       (list expat gnu-make minizip which))
>      (build-system gnu-build-system)
apply

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v2 11/26] gnu: pypy: Update to 7.3.17. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2022-37454.

* gnu/packages/pypy.scm (pypy): Update to 7.3.17.
---
 gnu/packages/pypy.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/pypy.scm b/gnu/packages/pypy.scm
index a39621b5ad..90986ac096 100644
--- a/gnu/packages/pypy.scm
+++ b/gnu/packages/pypy.scm
@@ -42,14 +42,14 @@ (define-module (gnu packages pypy)
 (define-public pypy
   (package
     (name "pypy")
-    (version "7.3.13")
+    (version "7.3.17")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://downloads.python.org/pypy/"
                                   "pypy3.10-v" version "-src.tar.bz2"))
               (sha256
                (base32
-                "0v9s6pwrnaxqi5h1pvmaphj6kgyczx07ykl07hcx656h34y77haa"))))
+                "1xsbn9mbxi2kai4gg1nz6n6cbqsq60qh65f5l6ld7ip9g32lpmva"))))
     (build-system gnu-build-system)
     (arguments
      (list
-- 
2.46.0

[bug#74035] [PATCH v2 11/26] gnu: pypy: Update to 7.3.17. [security fixes]

[Z572]

[-- Attachment #1: Type: text/plain, Size: 1063 bytes --]

Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> This fixes CVE-2022-37454.
>
> * gnu/packages/pypy.scm (pypy): Update to 7.3.17.
> ---
>  gnu/packages/pypy.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/pypy.scm b/gnu/packages/pypy.scm
> index a39621b5ad..90986ac096 100644
> --- a/gnu/packages/pypy.scm
> +++ b/gnu/packages/pypy.scm
> @@ -42,14 +42,14 @@ (define-module (gnu packages pypy)
>  (define-public pypy
>    (package
>      (name "pypy")
> -    (version "7.3.13")
> +    (version "7.3.17")
>      (source (origin
>                (method url-fetch)
>                (uri (string-append "https://downloads.python.org/pypy/"
>                                    "pypy3.10-v" version "-src.tar.bz2"))
>                (sha256
>                 (base32
> -                "0v9s6pwrnaxqi5h1pvmaphj6kgyczx07ykl07hcx656h34y77haa"))))
> +                "1xsbn9mbxi2kai4gg1nz6n6cbqsq60qh65f5l6ld7ip9g32lpmva"))))
>      (build-system gnu-build-system)
>      (arguments
>       (list

apply

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v2 12/26] gnu: indent: Remove uneeded arguments.

[Nicolas Graves via Guix-patches via]

* gnu/packages/code.scm (indent)
[arguments]: Remove field.
[native-inputs]: Remove automake.
---
 gnu/packages/code.scm | 27 +--------------------------
 1 file changed, 1 insertion(+), 26 deletions(-)

diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index 3f7a6de478..b1523f5ac7 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -881,33 +881,8 @@ (define-public indent
             (sha256
              (base32 "15c0ayp9rib7hzvrcxm5ijs0mpagw5y8kf5w0jr9fryfqi7n6r4y"))))
    (build-system gnu-build-system)
-   (arguments
-    `(#:phases
-      (modify-phases %standard-phases
-        (add-after 'unpack 'fix-docdir
-          (lambda _
-            ;; Although indent uses a modern autoconf in which docdir
-            ;; defaults to PREFIX/share/doc, the doc/Makefile.am
-            ;; overrides this to be in PREFIX/doc.  Fix this.
-            (substitute* "doc/Makefile.in"
-              (("^docdir = .*$") "docdir = @docdir@\n"))
-            #t))
-        (add-after 'unpack 'fix-configure
-          (lambda* (#:key inputs native-inputs #:allow-other-keys)
-            ;; Replace outdated config.sub and config.guess:
-            (with-directory-excursion "config"
-              (for-each (lambda (file)
-                          (install-file
-                           (string-append (assoc-ref
-                                           (or native-inputs inputs) "automake")
-                                          "/share/automake-"
-                                          ,(version-major+minor
-                                            (package-version automake))
-                                          "/" file) "."))
-                        '("config.sub" "config.guess")))
-            #t)))))
    (native-inputs
-    (list texinfo automake)) ; For up to date 'config.guess' and 'config.sub'.
+    (list texinfo))
    (synopsis "Code reformatter")
    (description
     "Indent is a program that makes source code easier to read by
-- 
2.46.0

[bug#74035] [PATCH v2 13/26] gnu: indent: Add patch for CVE-2024-0911. [security fixes]

[Nicolas Graves via Guix-patches via]

* gnu/packages/patches/indent-CVE-2024-0911.patch: Add patch here...
* gnu/local.mk: ...here...
* gnu/packages/code.scm (indent)[source]<origin>: ...and here.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/code.scm                         |  4 +-
 .../patches/indent-CVE-2024-0911.patch        | 61 +++++++++++++++++++
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/indent-CVE-2024-0911.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 3b94e6cc7e..06e8f1363c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1562,6 +1562,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/idris-test-ffi008.patch			\
   %D%/packages/patches/igraph-fix-varargs-integer-size.patch	\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
+  %D%/packages/patches/indent-CVE-2024-0911.patch	\
   %D%/packages/patches/instead-use-games-path.patch		\
   %D%/packages/patches/intltool-perl-compatibility.patch	\
   %D%/packages/patches/irrlicht-use-system-libs.patch		\
diff --git a/gnu/packages/code.scm b/gnu/packages/code.scm
index b1523f5ac7..04ca4dfd6b 100644
--- a/gnu/packages/code.scm
+++ b/gnu/packages/code.scm
@@ -879,7 +879,9 @@ (define-public indent
             (uri (string-append "mirror://gnu/indent/indent-" version
                                 ".tar.gz"))
             (sha256
-             (base32 "15c0ayp9rib7hzvrcxm5ijs0mpagw5y8kf5w0jr9fryfqi7n6r4y"))))
+             (base32 "15c0ayp9rib7hzvrcxm5ijs0mpagw5y8kf5w0jr9fryfqi7n6r4y"))
+            ;; Remove patch when updating.
+            (patches (search-patches "indent-CVE-2024-0911.patch"))))
    (build-system gnu-build-system)
    (native-inputs
     (list texinfo))
diff --git a/gnu/packages/patches/indent-CVE-2024-0911.patch b/gnu/packages/patches/indent-CVE-2024-0911.patch
new file mode 100644
index 0000000000..4687d3f59a
--- /dev/null
+++ b/gnu/packages/patches/indent-CVE-2024-0911.patch
@@ -0,0 +1,61 @@
+Upstream issue: https://lists.gnu.org/archive/html/bug-indent/2024-01/msg00001.html
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ regression/TEST                                     | 2 +-
+ regression/input/comment-parent-heap-underread.c    | 3 +++
+ regression/standard/comment-parent-heap-underread.c | 5 +++++
+ src/output.c                                        | 2 +-
+ 4 files changed, 10 insertions(+), 2 deletions(-)
+ create mode 100644 regression/input/comment-parent-heap-underread.c
+ create mode 100644 regression/standard/comment-parent-heap-underread.c
+
+diff --git a/regression/TEST b/regression/TEST
+index 7c07c2e..951b1a2 100755
+--- a/regression/TEST
++++ b/regression/TEST
+@@ -40,6 +40,7 @@ BUGS="case-label.c one-line-1.c one-line-2.c one-line-3.c \
+         macro.c enum.c elif.c nested.c wrapped-string.c minus_predecrement.c \
+         bug-gnu-33364.c float-constant-suffix.c block-comments.c \
+-        no-forced-nl-in-block-init.c hexadecimal_float.c binary-constant.c"
++        no-forced-nl-in-block-init.c hexadecimal_float.c binary-constant.c \
++        comment-parent-heap-underread.c"
+ 
+ INDENTSRC="args.c backup.h backup.c dirent_def.h globs.c indent.h \
+         indent.c indent_globs.h io.c lexi.c memcpy.c parse.c pr_comment.c \
+diff --git a/regression/input/comment-parent-heap-underread.c 
+b/regression/input/comment-parent-heap-underread.c
+new file mode 100644
+index 0000000..68e13cf
+--- /dev/null
++++ b/regression/input/comment-parent-heap-underread.c
+@@ -0,0 +1,3 @@
++void foo(void) {
++/*a*/(1);
++}
+diff --git a/regression/standard/comment-parent-heap-underread.c 
+b/regression/standard/comment-parent-heap-underread.c
+new file mode 100644
+index 0000000..9a1c6e3
+--- /dev/null
++++ b/regression/standard/comment-parent-heap-underread.c
+@@ -0,0 +1,5 @@
++void
++foo (void)
++{
++/*a*/ (1);
++}
+diff --git a/src/output.c b/src/output.c
+index ee01bcc..17eee6e 100644
+--- a/src/output.c
++++ b/src/output.c
+@@ -290,7 +290,7 @@ void set_buf_break (
+     /* Did we just parse a bracket that will be put on the next line
+      * by this line break? */
+ 
+-    if ((*token == '(') || (*token == '['))
++    if (level > 0 && ((*token == '(') || (*token == '[')))
+     {
+         --level;                        /* then don't take it into account */
+     }
+-- 
+2.43.0
-- 
2.46.0

[bug#74035] [PATCH v2 14/26] gnu: squashfs-tools: Update to 4.6.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2021-40153 and CVE-2021-41072.

* gnu/packages/compression.scm (squashfs-tools): Update to 4.6.1.
[arguments]: Improve style.
<#:make-flags>: Add INSTALL_MANPAGES_DIR value.
<#:phases>: Remove phase 'install-documentation. Add phase
'patch-generated-source-shebangs.
[native-inputs]: Add coreutils-minimal, help2man, which.
[inputs]: Rewrite.
---
 gnu/packages/compression.scm | 52 ++++++++++++++++++------------------
 1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 97696ff0ef..7627717db6 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -1023,7 +1023,7 @@ (define-public lz4
 (define-public squashfs-tools
   (package
     (name "squashfs-tools")
-    (version "4.5")
+    (version "4.6.1")
     (source
      (origin
        (method git-fetch)
@@ -1032,34 +1032,34 @@ (define-public squashfs-tools
              (commit version)))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "18d4nwa22vgb8j2badngjngw63f0lj501cvlh3920wqy2mqxwav6"))))
+        (base32 "14nisidxx2d2qivyv7xfcg59qkj4fjiniir7nvymazdsng63gcr1"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:tests? #f                      ; no check target
-       #:make-flags
-       (list (string-append "CC=" ,(cc-for-target))
-             "XZ_SUPPORT=1"
-             "LZO_SUPPORT=1"
-             "LZ4_SUPPORT=1"
-             "ZSTD_SUPPORT=1"
-             (string-append "INSTALL_DIR=" (assoc-ref %outputs "out") "/bin"))
-       #:phases
-       (modify-phases %standard-phases
-         (replace 'configure
-           (lambda _
-             (chdir "squashfs-tools")))
-         (add-after 'install 'install-documentation
-           ;; Install what very little usage documentation is provided.
-           (lambda* (#:key outputs #:allow-other-keys)
-             (let* ((out (assoc-ref outputs "out"))
-                    (doc (string-append out "/share/doc/" ,name)))
-               (install-file "../USAGE" doc)))))))
+     (list
+      #:tests? #f                      ; no check target
+      #:make-flags
+      #~(list
+         (string-append "CC=" #$(cc-for-target))
+         "XZ_SUPPORT=1"
+         "LZO_SUPPORT=1"
+         "LZ4_SUPPORT=1"
+         "ZSTD_SUPPORT=1"
+         (string-append "INSTALL_DIR=" #$output "/bin")
+         (string-append "INSTALL_MANPAGES_DIR=" #$output "/share/man/man1"))
+      #:phases
+      #~(modify-phases %standard-phases
+          (replace 'configure
+            (lambda _
+              (chdir "squashfs-tools")))
+          (add-after 'patch-source-shebangs 'patch-generated-source-shebangs
+            (lambda _
+              (substitute* (find-files "generate-manpages" "\\.sh")
+                (("print \"#!/bin/sh")
+                 (string-append "print \"#!" (which "sh")))))))))
+    (native-inputs
+     (list coreutils-minimal help2man which))
     (inputs
-     `(("lz4" ,lz4)
-       ("lzo" ,lzo)
-       ("xz" ,xz)
-       ("zlib" ,zlib)
-       ("zstd:lib" ,zstd "lib")))
+     (list lz4 lzo xz zlib `(,zstd "lib")))
     (home-page "https://github.com/plougher/squashfs-tools")
     (synopsis "Tools to create and extract squashfs file systems")
     (description
-- 
2.46.0

[bug#74035] [PATCH v2 14/26] gnu: squashfs-tools: Update to 4.6.1. [security fixes]

[Zheng Junjie]

[-- Attachment #1: Type: text/plain, Size: 3531 bytes --]

Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> This fixes CVE-2021-40153 and CVE-2021-41072.
>
> * gnu/packages/compression.scm (squashfs-tools): Update to 4.6.1.
> [arguments]: Improve style.
> <#:make-flags>: Add INSTALL_MANPAGES_DIR value.
> <#:phases>: Remove phase 'install-documentation. Add phase
> 'patch-generated-source-shebangs.
> [native-inputs]: Add coreutils-minimal, help2man, which.
> [inputs]: Rewrite.
> ---
>  gnu/packages/compression.scm | 52 ++++++++++++++++++------------------
>  1 file changed, 26 insertions(+), 26 deletions(-)
>
> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
> index 97696ff0ef..7627717db6 100644
> --- a/gnu/packages/compression.scm
> +++ b/gnu/packages/compression.scm
> @@ -1023,7 +1023,7 @@ (define-public lz4
>  (define-public squashfs-tools
>    (package
>      (name "squashfs-tools")
> -    (version "4.5")
> +    (version "4.6.1")
>      (source
>       (origin
>         (method git-fetch)
> @@ -1032,34 +1032,34 @@ (define-public squashfs-tools
>               (commit version)))
>         (file-name (git-file-name name version))
>         (sha256
> -        (base32 "18d4nwa22vgb8j2badngjngw63f0lj501cvlh3920wqy2mqxwav6"))))
> +        (base32 "14nisidxx2d2qivyv7xfcg59qkj4fjiniir7nvymazdsng63gcr1"))))
>      (build-system gnu-build-system)
>      (arguments
> -     `(#:tests? #f                      ; no check target
> -       #:make-flags
> -       (list (string-append "CC=" ,(cc-for-target))
> -             "XZ_SUPPORT=1"
> -             "LZO_SUPPORT=1"
> -             "LZ4_SUPPORT=1"
> -             "ZSTD_SUPPORT=1"
> -             (string-append "INSTALL_DIR=" (assoc-ref %outputs "out") "/bin"))
> -       #:phases
> -       (modify-phases %standard-phases
> -         (replace 'configure
> -           (lambda _
> -             (chdir "squashfs-tools")))
> -         (add-after 'install 'install-documentation
> -           ;; Install what very little usage documentation is provided.
> -           (lambda* (#:key outputs #:allow-other-keys)
> -             (let* ((out (assoc-ref outputs "out"))
> -                    (doc (string-append out "/share/doc/" ,name)))
> -               (install-file "../USAGE" doc)))))))
> +     (list
> +      #:tests? #f                      ; no check target
> +      #:make-flags
> +      #~(list
> +         (string-append "CC=" #$(cc-for-target))
> +         "XZ_SUPPORT=1"
> +         "LZO_SUPPORT=1"
> +         "LZ4_SUPPORT=1"
> +         "ZSTD_SUPPORT=1"
> +         (string-append "INSTALL_DIR=" #$output "/bin")
> +         (string-append "INSTALL_MANPAGES_DIR=" #$output "/share/man/man1"))
> +      #:phases
> +      #~(modify-phases %standard-phases
> +          (replace 'configure
> +            (lambda _
> +              (chdir "squashfs-tools")))
> +          (add-after 'patch-source-shebangs 'patch-generated-source-shebangs
> +            (lambda _
> +              (substitute* (find-files "generate-manpages" "\\.sh")
> +                (("print \"#!/bin/sh")
> +                 (string-append "print \"#!" (which "sh")))))))))
> +    (native-inputs
> +     (list coreutils-minimal help2man which))
>      (inputs
> -     `(("lz4" ,lz4)
> -       ("lzo" ,lzo)
> -       ("xz" ,xz)
> -       ("zlib" ,zlib)
> -       ("zstd:lib" ,zstd "lib")))
> +     (list lz4 lzo xz zlib `(,zstd "lib")))
>      (home-page "https://github.com/plougher/squashfs-tools")
>      (synopsis "Tools to create and extract squashfs file systems")
>      (description
apply

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v2 15/26] gnu: shapelib: Update to 1.6.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2022-0699.

* gnu/packages/geo.scm (shapelib): Update to 1.6.1.
---
 gnu/packages/geo.scm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/geo.scm b/gnu/packages/geo.scm
index 5d120b3c98..affa50c515 100644
--- a/gnu/packages/geo.scm
+++ b/gnu/packages/geo.scm
@@ -2574,7 +2574,7 @@ (define-public readosm
 (define-public shapelib
   (package
     (name "shapelib")
-    (version "1.5.0")
+    (version "1.6.1")
     (source
      (origin
        (method git-fetch)
@@ -2583,7 +2583,7 @@ (define-public shapelib
              (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "1lzch0jf6yqhw391phhafzw4ghmiz98zkf698h4fmq109fa2vhqd"))))
+        (base32 "0l67gp1618lcw7fg2iclbh016cqyw85s3cmd3qzx6aw0jq19hj8n"))))
     (build-system gnu-build-system)
     (native-inputs
      (list autoconf automake libtool))
@@ -2591,8 +2591,8 @@ (define-public shapelib
     (synopsis "Provides C library to write and update ESRI Shapefiles")
     (description
      "The Shapefile C Library provides the ability to write simple C programs
-for reading, writing and updating (to a limited extent) ESRI Shapefiles, and the
-associated attribute file (@file{.dbf}).")
+for reading, writing and updating (to a limited extent) ESRI Shapefiles, and
+the associated attribute file (@file{.dbf}).")
     (license license:gpl2+)))
 
 (define-public spatialite-tools
-- 
2.46.0

[bug#74035] [PATCH v2 16/26] gnu: libzapojit: Update to 0.0.3-1.99d49ba. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2021-39360.

* gnu/packages/gnome.scm (libzapojit): Update to 0.0.3-1.99d49ba.
---
 gnu/packages/gnome.scm | 45 ++++++++++++++++++++++--------------------
 1 file changed, 24 insertions(+), 21 deletions(-)

diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 77a0633b50..82ea9d6699 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -10591,28 +10591,31 @@ (define-public gsound
     (license license:lgpl2.1+)))
 
 (define-public libzapojit
-  (package
-    (name "libzapojit")
-    (version "0.0.3")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnome/sources/" name "/"
-                                  (version-major+minor version) "/"
-                                  name "-" version ".tar.xz"))
-              (sha256
-               (base32
-                "0zn3s7ryjc3k1abj4k55dr2na844l451nrg9s6cvnnhh569zj99x"))))
-    (build-system gnu-build-system)
-    (native-inputs
-     (list gobject-introspection intltool pkg-config))
-    (inputs
-     (list gnome-online-accounts json-glib rest))
-    (home-page "https://wiki.gnome.org/Projects/Zapojit")
-    (synopsis "Library for accessing SkyDrive and Hotmail")
-    (description
-     "Libzapojit is a GLib-based library for accessing online service APIs of
+  (let ((revision "1")
+        (commit "99d49bac5edc4afdcac742a0a142908e405597b0"))
+    (package
+      (name "libzapojit")
+      (version (git-version "0.0.3" revision commit))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://gitlab.gnome.org/Archive/libzapojit")
+               (commit commit)))
+         (file-name (git-file-name name version))
+         (sha256
+          (base32 "12frqg925rmic3rf37h5vs48xdy3mfi4ip24v0bl73h5sxy8n828"))))
+      (build-system gnu-build-system)
+      (native-inputs
+       (list gobject-introspection intltool pkg-config))
+      (inputs
+       (list gnome-online-accounts json-glib rest))
+      (home-page "https://wiki.gnome.org/Projects/Zapojit")
+      (synopsis "Library for accessing SkyDrive and Hotmail")
+      (description
+       "Libzapojit is a GLib-based library for accessing online service APIs of
 Microsoft SkyDrive and Hotmail, using their REST protocols.")
-    (license license:lgpl2.1+)))
+      (license license:lgpl2.1+))))
 
 (define-public gnome-clocks
   (package
-- 
2.46.0

[bug#74035] [PATCH v2 16/26] gnu: libzapojit: Update to 0.0.3-1.99d49ba. [security fixes]

[Zheng Junjie]

[-- Attachment #1: Type: text/plain, Size: 2783 bytes --]

Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> This fixes CVE-2021-39360.
>
> * gnu/packages/gnome.scm (libzapojit): Update to 0.0.3-1.99d49ba.
> ---
>  gnu/packages/gnome.scm | 45 ++++++++++++++++++++++--------------------
>  1 file changed, 24 insertions(+), 21 deletions(-)
>
> diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
> index 77a0633b50..82ea9d6699 100644
> --- a/gnu/packages/gnome.scm
> +++ b/gnu/packages/gnome.scm
> @@ -10591,28 +10591,31 @@ (define-public gsound
>      (license license:lgpl2.1+)))
>  
>  (define-public libzapojit
> -  (package
> -    (name "libzapojit")
> -    (version "0.0.3")
> -    (source (origin
> -              (method url-fetch)
> -              (uri (string-append "mirror://gnome/sources/" name "/"
> -                                  (version-major+minor version) "/"
> -                                  name "-" version ".tar.xz"))
> -              (sha256
> -               (base32
> -                "0zn3s7ryjc3k1abj4k55dr2na844l451nrg9s6cvnnhh569zj99x"))))
> -    (build-system gnu-build-system)
> -    (native-inputs
> -     (list gobject-introspection intltool pkg-config))
> -    (inputs
> -     (list gnome-online-accounts json-glib rest))
> -    (home-page "https://wiki.gnome.org/Projects/Zapojit")
> -    (synopsis "Library for accessing SkyDrive and Hotmail")
> -    (description
> -     "Libzapojit is a GLib-based library for accessing online service APIs of
> +  (let ((revision "1")
> +        (commit "99d49bac5edc4afdcac742a0a142908e405597b0"))
> +    (package
> +      (name "libzapojit")
> +      (version (git-version "0.0.3" revision commit))
> +      (source
> +       (origin
> +         (method git-fetch)
> +         (uri (git-reference
> +               (url "https://gitlab.gnome.org/Archive/libzapojit")
> +               (commit commit)))
> +         (file-name (git-file-name name version))
> +         (sha256
> +          (base32 "12frqg925rmic3rf37h5vs48xdy3mfi4ip24v0bl73h5sxy8n828"))))
> +      (build-system gnu-build-system)
> +      (native-inputs
> +       (list gobject-introspection intltool pkg-config))
> +      (inputs
> +       (list gnome-online-accounts json-glib rest))
> +      (home-page "https://wiki.gnome.org/Projects/Zapojit")
> +      (synopsis "Library for accessing SkyDrive and Hotmail")
> +      (description
> +       "Libzapojit is a GLib-based library for accessing online service APIs of
>  Microsoft SkyDrive and Hotmail, using their REST protocols.")
> -    (license license:lgpl2.1+)))
> +      (license license:lgpl2.1+))))
>  
>  (define-public gnome-clocks
>    (package
apply, and add autoconf, autoconf-archive, automake, glib:bin and
libtool to fix build.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v2 17/26] gnu: gifsicle: Update to 1.95. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-44821 and CVE-2023-46009.

* gnu/packages/image.scm (gifsicle): Update to 1.95.
---
 gnu/packages/image.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 7f17c71aef..0d6593dc21 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -2172,14 +2172,14 @@ (define-public swappy
 (define-public gifsicle
   (package
    (name "gifsicle")
-   (version "1.94")
+   (version "1.95")
    (source
      (origin
        (method url-fetch)
        (uri (string-append "https://www.lcdf.org/gifsicle/gifsicle-"
                            version ".tar.gz"))
        (sha256
-        (base32 "16zq5wd6fyjgy0p0mak15k3mh1zpqb9rg6gqfpg215kqq02p1jab"))))
+        (base32 "0l69gn562l7a1l10zz1bfs756ipd682idgpk60qs3llz013icwdj"))))
    (build-system gnu-build-system)
    (arguments
     '(#:phases
-- 
2.46.0

[bug#74035] [PATCH v2 17/26] gnu: gifsicle: Update to 1.95. [security fixes]

[Zheng Junjie]

[-- Attachment #1: Type: text/plain, Size: 1070 bytes --]

Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> This fixes CVE-2023-44821 and CVE-2023-46009.
>
> * gnu/packages/image.scm (gifsicle): Update to 1.95.
> ---
>  gnu/packages/image.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
> index 7f17c71aef..0d6593dc21 100644
> --- a/gnu/packages/image.scm
> +++ b/gnu/packages/image.scm
> @@ -2172,14 +2172,14 @@ (define-public swappy
>  (define-public gifsicle
>    (package
>     (name "gifsicle")
> -   (version "1.94")
> +   (version "1.95")
>     (source
>       (origin
>         (method url-fetch)
>         (uri (string-append "https://www.lcdf.org/gifsicle/gifsicle-"
>                             version ".tar.gz"))
>         (sha256
> -        (base32 "16zq5wd6fyjgy0p0mak15k3mh1zpqb9rg6gqfpg215kqq02p1jab"))))
> +        (base32 "0l69gn562l7a1l10zz1bfs756ipd682idgpk60qs3llz013icwdj"))))
>     (build-system gnu-build-system)
>     (arguments
>      '(#:phases
apply, and build from git source, use g-expressions.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v2 18/26] gnu: sendmail: Update to 8.18.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-51765 and CVE-2021-3618.

* gnu/packages/mail.scm (sendmail): Update to 8.18.1.
---
 gnu/packages/mail.scm | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 2c69a7b818..ca1a55818e 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -3122,7 +3122,7 @@ (define-public mhonarc
 (define-public sendmail
   (package
     (name "sendmail")
-    (version "8.15.2")
+    (version "8.18.1")
     (source
      (origin
        (method url-fetch)
@@ -3130,8 +3130,7 @@ (define-public sendmail
              "ftp://ftp.sendmail.org/pub/sendmail/sendmail."
              version ".tar.gz"))
        (sha256
-        (base32
-         "0fdl9ndmspqspdlmghzxlaqk56j3yajk52d7jxcg21b7sxglpy94"))))
+        (base32 "0w07iw4imp9wvczd2mijns7zxl8p1wk29b9yrzvhcj4fqc4z7wfb"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
-- 
2.46.0

[bug#74035] [PATCH v2 19/26] gnu: openvpn: Update to 2.6.12. [security fixes]

[Nicolas Graves via Guix-patches via]

Thix fixes CVE-2024-24974, CVE-2024-27459 and CVE-2024-27903.

* gnu/packages/vpn.scm (openvpn): Update to 2.6.12.
---
 gnu/packages/vpn.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/vpn.scm b/gnu/packages/vpn.scm
index 9f36595bfd..193b247779 100644
--- a/gnu/packages/vpn.scm
+++ b/gnu/packages/vpn.scm
@@ -867,7 +867,7 @@ (define-public openfortivpn
 (define-public openvpn
   (package
     (name "openvpn")
-    (version "2.6.7")
+    (version "2.6.12")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -875,7 +875,7 @@ (define-public openvpn
                     version ".tar.gz"))
               (sha256
                (base32
-                "04wr0g97nmv81javym8r99mglmb86v1i49xmnmzf938x1cs7g67f"))))
+                "0a8r3bvg4aic9b7dix0h7990g3j1gq17wd3w6vqk8vk8xgfhyq8w"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--enable-iproute2=yes")))
-- 
2.46.0

[bug#74035] [PATCH v2 20/26] gnu: liblouis: Update to 3.31.0. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2022-26981.

* gnu/packages/language.scm (liblouis): Update to 3.31.0.
[arguments]: Improve style using gexps.
[native-inputs]: Rewrite and replace python-wrapper by python.
---
 gnu/packages/language.scm | 47 ++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 25 deletions(-)

diff --git a/gnu/packages/language.scm b/gnu/packages/language.scm
index 78fcba4287..6a5e7927b4 100644
--- a/gnu/packages/language.scm
+++ b/gnu/packages/language.scm
@@ -10,6 +10,7 @@
 ;;; Copyright © 2023 gemmaro <gemmaro.dev@gmail.com>
 ;;; Copyright © 2024 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2024 Charles <charles@charje.net>
+;;; Copyright © 2024 Nicolas Graves <ngraves@ngraves.fr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -338,7 +339,7 @@ (define-public libchewing
 (define-public liblouis
   (package
     (name "liblouis")
-    (version "3.15.0")
+    (version "3.31.0")
     (source
      (origin
        (method git-fetch)
@@ -348,34 +349,30 @@ (define-public liblouis
          (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "1ljy5xsy7vf2r0ix0d7bqcr6qvr6897f8madsx9zlm1mrj31n5px"))))
+        (base32 "02bga2l4jiyrgfqdl27wszz5yd6h80n2dmq3p6nb2br83jywisfh"))))
     (build-system gnu-build-system)
     (outputs '("out" "bin" "doc" "python"))
     (arguments
-     `(#:configure-flags
-       (list
-        "--disable-static"
-        "--enable-ucs4")
-       #:phases
-       (modify-phases %standard-phases
-         (add-after 'install 'install-python-extension
-           (lambda* (#:key outputs #:allow-other-keys)
-             (with-directory-excursion "python"
-               (invoke "python" "setup.py" "install"
-                       (string-append "--prefix="
-                                      (assoc-ref outputs "python"))
-                       "--root=/")))))))
+     (list
+      #:configure-flags #~(list "--disable-static" "--enable-ucs4")
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'install 'install-python-extension
+            (lambda _
+              (with-directory-excursion "python"
+                (invoke "python3" "setup.py" "install" "--root=/"
+                        (string-append "--prefix=" #$output:python))))))))
     (native-inputs
-     `(("autoconf" ,autoconf)
-       ("automake" ,automake)
-       ("clang-format" ,clang)
-       ("help2man" ,help2man)
-       ("libtool" ,libtool)
-       ("libyaml" ,libyaml)
-       ("makeinfo" ,texinfo)
-       ("perl" ,perl)
-       ("pkg-config" ,pkg-config)
-       ("python" ,python-wrapper)))
+     (list autoconf
+           automake
+           clang
+           help2man
+           libtool
+           libyaml
+           texinfo
+           perl
+           pkg-config
+           python))
     (synopsis "Braille translator and back-translator")
     (description "Liblouis is a braille translator and back-translator named in
 honor of Louis Braille.  It features support for computer and literary braille,
-- 
2.46.0

[bug#74035] [PATCH v2 20/26] gnu: liblouis: Update to 3.31.0. [security fixes]

[Zheng Junjie]

[-- Attachment #1: Type: text/plain, Size: 3465 bytes --]

Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> This fixes CVE-2022-26981.
>
> * gnu/packages/language.scm (liblouis): Update to 3.31.0.
> [arguments]: Improve style using gexps.
> [native-inputs]: Rewrite and replace python-wrapper by python.
> ---
>  gnu/packages/language.scm | 47 ++++++++++++++++++---------------------
>  1 file changed, 22 insertions(+), 25 deletions(-)
>
> diff --git a/gnu/packages/language.scm b/gnu/packages/language.scm
> index 78fcba4287..6a5e7927b4 100644
> --- a/gnu/packages/language.scm
> +++ b/gnu/packages/language.scm
> @@ -10,6 +10,7 @@
>  ;;; Copyright © 2023 gemmaro <gemmaro.dev@gmail.com>
>  ;;; Copyright © 2024 Efraim Flashner <efraim@flashner.co.il>
>  ;;; Copyright © 2024 Charles <charles@charje.net>
> +;;; Copyright © 2024 Nicolas Graves <ngraves@ngraves.fr>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -338,7 +339,7 @@ (define-public libchewing
>  (define-public liblouis
>    (package
>      (name "liblouis")
> -    (version "3.15.0")
> +    (version "3.31.0")
>      (source
>       (origin
>         (method git-fetch)
> @@ -348,34 +349,30 @@ (define-public liblouis
>           (commit (string-append "v" version))))
>         (file-name (git-file-name name version))
>         (sha256
> -        (base32 "1ljy5xsy7vf2r0ix0d7bqcr6qvr6897f8madsx9zlm1mrj31n5px"))))
> +        (base32 "02bga2l4jiyrgfqdl27wszz5yd6h80n2dmq3p6nb2br83jywisfh"))))
>      (build-system gnu-build-system)
>      (outputs '("out" "bin" "doc" "python"))
>      (arguments
> -     `(#:configure-flags
> -       (list
> -        "--disable-static"
> -        "--enable-ucs4")
> -       #:phases
> -       (modify-phases %standard-phases
> -         (add-after 'install 'install-python-extension
> -           (lambda* (#:key outputs #:allow-other-keys)
> -             (with-directory-excursion "python"
> -               (invoke "python" "setup.py" "install"
> -                       (string-append "--prefix="
> -                                      (assoc-ref outputs "python"))
> -                       "--root=/")))))))
> +     (list
> +      #:configure-flags #~(list "--disable-static" "--enable-ucs4")
> +      #:phases
> +      #~(modify-phases %standard-phases
> +          (add-after 'install 'install-python-extension
> +            (lambda _
> +              (with-directory-excursion "python"
> +                (invoke "python3" "setup.py" "install" "--root=/"
> +                        (string-append "--prefix=" #$output:python))))))))
>      (native-inputs
> -     `(("autoconf" ,autoconf)
> -       ("automake" ,automake)
> -       ("clang-format" ,clang)
> -       ("help2man" ,help2man)
> -       ("libtool" ,libtool)
> -       ("libyaml" ,libyaml)
> -       ("makeinfo" ,texinfo)
> -       ("perl" ,perl)
> -       ("pkg-config" ,pkg-config)
> -       ("python" ,python-wrapper)))
> +     (list autoconf
> +           automake
> +           clang
> +           help2man
> +           libtool
> +           libyaml
> +           texinfo
> +           perl
> +           pkg-config
> +           python))
>      (synopsis "Braille translator and back-translator")
>      (description "Liblouis is a braille translator and back-translator named in
>  honor of Louis Braille.  It features support for computer and literary braille,
apply, adjust message and use python-minimal, not python.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v2 20/26] gnu: liblouis: Update to 3.31.0. [security fixes]

[Ludovic Courtès]

Hi,

Zheng Junjie <zhengjunjie@iscas.ac.cn> skribis:

> Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:
>
>> This fixes CVE-2022-26981.
>>
>> * gnu/packages/language.scm (liblouis): Update to 3.31.0.
>> [arguments]: Improve style using gexps.
>> [native-inputs]: Rewrite and replace python-wrapper by python.

[...]

> apply, adjust message and use python-minimal, not python.

Apparently this broke liblouisutdml:
<https://ci.guix.gnu.org/build/6336033/details>.

Many test failures like this:

--8<---------------cut here---------------start------------->8---
warning: lou_getDataPath is deprecated.
../../lbu_files/wiskunde.ctb:43: warning: class is deprecated, use attribute instead
../../lbu_files/wiskunde.ctb:44: warning: class is deprecated, use attribute instead
../../lbu_files/wiskunde.ctb:45: warning: class is deprecated, use attribute instead
../../lbu_files/wiskunde.ctb:46: warning: class is deprecated, use attribute instead
../../lbu_files/wiskunde.ctb:47: warning: class is deprecated, use attribute instead
../../lbu_files/wiskunde.ctb:49: warning: class is deprecated, use attribute instead
unicode.dis,../../lbu_files/wiskunde.ctb,braille-patterns.cti: 6 warnings issued
warning: lou_getDataPath is deprecated.
FAIL test_mathml_woluwe/test_045.test (exit status: 1)
--8<---------------cut here---------------end--------------->8---

Ludo’.

[bug#74035] [PATCH v2 20/26] gnu: liblouis: Update to 3.31.0. [security fixes]

[Z572]

[-- Attachment #1: Type: text/plain, Size: 1564 bytes --]

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Zheng Junjie <zhengjunjie@iscas.ac.cn> skribis:
>
>> Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:
>>
>>> This fixes CVE-2022-26981.
>>>
>>> * gnu/packages/language.scm (liblouis): Update to 3.31.0.
>>> [arguments]: Improve style using gexps.
>>> [native-inputs]: Rewrite and replace python-wrapper by python.
>
> [...]
>
>> apply, adjust message and use python-minimal, not python.
>
> Apparently this broke liblouisutdml:
> <https://ci.guix.gnu.org/build/6336033/details>.
>
> Many test failures like this:
>
> --8<---------------cut here---------------start------------->8---
> warning: lou_getDataPath is deprecated.
> ../../lbu_files/wiskunde.ctb:43: warning: class is deprecated, use attribute instead
> ../../lbu_files/wiskunde.ctb:44: warning: class is deprecated, use attribute instead
> ../../lbu_files/wiskunde.ctb:45: warning: class is deprecated, use attribute instead
> ../../lbu_files/wiskunde.ctb:46: warning: class is deprecated, use attribute instead
> ../../lbu_files/wiskunde.ctb:47: warning: class is deprecated, use attribute instead
> ../../lbu_files/wiskunde.ctb:49: warning: class is deprecated, use attribute instead
> unicode.dis,../../lbu_files/wiskunde.ctb,braille-patterns.cti: 6 warnings issued
> warning: lou_getDataPath is deprecated.
> FAIL test_mathml_woluwe/test_045.test (exit status: 1)
> --8<---------------cut here---------------end--------------->8---
>
> Ludo’.

please try https://issues.guix.gnu.org/74238 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v2 21/26] gnu: youtube-dl: Deprecate package.

[Nicolas Graves via Guix-patches via]

This package is not developped anymore.

* gnu/packages/video.scm (youtube-dl): Deprecate package.
---
 gnu/packages/video.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index ff5dcd8daa..74cfabf6e7 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -93,6 +93,7 @@ (define-module (gnu packages video)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix utils)
   #:use-module (guix packages)
+  #:use-module (guix deprecation)
   #:use-module (guix download)
   #:use-module (guix gexp)
   #:use-module (guix git-download)
@@ -3085,7 +3086,7 @@ (define-public yle-dl
 video streaming services of the Finnish national broadcasting company Yle.")
     (license license:gpl3+)))
 
-(define-public youtube-dl
+(define-deprecated/public youtube-dl #f
   (package
     (name "youtube-dl")
     (version "2021.12.17")
-- 
2.46.0

[bug#74035] [PATCH v2 22/26] gnu: unicorn: Update to 2.1.1. [security fixes]

[Nicolas Graves via Guix-patches via]

Thix fixes CVE-2021-4296.

* gnu/packages/emulators.scm (unicorn): Update to 2.1.1.
---
 gnu/packages/emulators.scm | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/emulators.scm b/gnu/packages/emulators.scm
index f0a60c0b49..948e588c4c 100644
--- a/gnu/packages/emulators.scm
+++ b/gnu/packages/emulators.scm
@@ -3508,13 +3508,18 @@ (define-public zsnes
 (define-public unicorn
   (package
     (name "unicorn")
-    (version "2.0.1.post1")
+    (version "2.1.1")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri name version))
        (sha256
-        (base32 "0mlfs8qfi0clyncfkbxp6in0cpl747510i6bqymwid43xcirbikz"))))
+        (base32 "18sbrycr62wcs3a68a9q76ihpahfsd4bn3mryvyhimwwn1342kwh"))
+       (modules '((guix build utils)))
+       ;; cmake files are not in the cmake dir in pypi
+       (snippet #~(substitute* "src/CMakeLists.txt"
+                    (("include\\(cmake/")
+                     "include(")))))
     (build-system pyproject-build-system)
     (native-inputs (list cmake pkg-config))
     (home-page "https://www.unicorn-engine.org")
-- 
2.46.0

[bug#74035] [PATCH v2 23/26] gnu: Add sexpp.

[Nicolas Graves via Guix-patches via]

* gnu/packages/openpgp.scm (sexpp): New variable.
---
 gnu/packages/openpgp.scm | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/gnu/packages/openpgp.scm b/gnu/packages/openpgp.scm
index 9b6f04b407..356908ab1f 100644
--- a/gnu/packages/openpgp.scm
+++ b/gnu/packages/openpgp.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2020 Justus Winter <justus@sequoia-pgp.org>
+;;; Copyright © 2024 Nicolas Graves <ngraves@ngraves.fr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -157,3 +158,26 @@ (define-public rnp
         license:asl2.0
         ;; Nominet UK's BSD 3-Clause License (netpgp).
         license:bsd-3)))))
+
+(define-public sexpp
+  (package
+    (name "sexpp")
+    (version "0.9.0")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/rnpgp/sexpp")
+             (commit (string-append "v" version))))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32 "16y9f42w6ay3w0s23xmigqm0qi1swdfvc93g2xn3xkg1r4kpmnwq"))))
+    (build-system cmake-build-system)
+    (arguments
+     (list #:configure-flags '(list "-DDOWNLOAD_GTEST=off")))
+    (native-inputs (list googletest pkg-config))
+    (home-page "https://github.com/rnpgp/sexpp")
+    (synopsis "C++ library for S-expressions")
+    (description
+     "This package provides a C++ library for working with S-Expressions.")
+    (license license:expat)))
-- 
2.46.0

[bug#74035] [PATCH v2 24/26] gnu: rnp: Update to 0.17.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-29479 and CVE-2023-29480.

* gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
[arguments]: Improve style using gexps.
<#:phases>: Add phase 'inject-sexpp-source.
[inputs]: Add sexpp.
---
 gnu/packages/openpgp.scm | 52 +++++++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 22 deletions(-)

diff --git a/gnu/packages/openpgp.scm b/gnu/packages/openpgp.scm
index 356908ab1f..baf786c5ee 100644
--- a/gnu/packages/openpgp.scm
+++ b/gnu/packages/openpgp.scm
@@ -23,6 +23,7 @@ (define-module (gnu packages openpgp)
   #:use-module (guix git-download)
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
+  #:use-module (guix gexp)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (gnu packages)
   #:use-module (gnu packages check)
@@ -98,10 +99,10 @@ (define-public dkgpg
     (license license:gpl2+)))
 
 (define-public rnp
-  (let ((day-of-release "2022-09-22"))
+  (let ((day-of-release "2024-05-14"))
     (package
       (name "rnp")
-      (version "0.16.2")
+      (version "0.17.1")
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
@@ -110,33 +111,40 @@ (define-public rnp
                 (file-name (git-file-name name version))
                 (sha256
                  (base32
-                  "13z5kxm48a72w4m2crwgdjdng4a4pwxsd72r2z3a4pcakfp2swi8"))))
+                  "052872b6a88vkcc58alxcm532y6dra5qqd997jga41v72h3pnj4d"))))
       (build-system cmake-build-system)
-      (arguments `(#:configure-flags
-                   '("-DBUILD_SHARED_LIBS=on"
-                     "-DBUILD_TESTING=on"
-                     "-DDOWNLOAD_GTEST=off"
-                     "-DDOWNLOAD_RUBYRNP=off")
-                   #:phases
-                   (modify-phases %standard-phases
-                     (add-after 'unpack 'patch-tests
-                       (lambda _
-                         (substitute* "src/tests/support.cpp"
-                           (("\"cp\"") (search-input-file inputs "/bin/cp")))))
-                     (replace 'check
-                       (lambda* (#:key tests? #:allow-other-keys)
-                         (when tests?
-                           ;; Some OpenPGP certificates used by the tests expire.
-                           ;; To work around that, set the time to roughly the
-                           ;; release date.
-                           (invoke "faketime" ,day-of-release "make" "test")))))))
+      (arguments
+       (list
+        #:configure-flags
+        ''("-DBUILD_SHARED_LIBS=on"
+           "-DBUILD_TESTING=on"
+           "-DDOWNLOAD_GTEST=off"
+           "-DDOWNLOAD_RUBYRNP=off")
+        #:phases
+        #~(modify-phases %standard-phases
+            (add-after 'unpack 'patch-tests
+              (lambda _
+                (substitute* "src/tests/support.cpp"
+                  (("\"cp\"") (search-input-file inputs "/bin/cp")))))
+            (add-after 'unpack 'inject-sexpp-source
+              (lambda _
+                (rmdir "src/libsexpp")
+                (symlink #$(package-source (this-package-input "sexpp"))
+                         "src/libsexpp")))
+            (replace 'check
+              (lambda* (#:key tests? #:allow-other-keys)
+                (when tests?
+                  ;; Some OpenPGP certificates used by the tests expire.
+                  ;; To work around that, set the time to roughly the
+                  ;; release date.
+                  (invoke "faketime" #$day-of-release "make" "test")))))))
       (native-inputs
        (list gnupg       ; for tests
              googletest  ; for tests
              libfaketime ; for tests
              pkg-config
              python))
-      (inputs (list botan bzip2 json-c zlib))
+      (inputs (list botan bzip2 json-c sexpp zlib))
       (synopsis
        "RFC4880-compliant OpenPGP library written in C++")
       (description
-- 
2.46.0

[bug#74035] [PATCH v2 25/26] gnu: cjson: Update to 1.7.18. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-50471 and CVE-2023-50472.

* gnu/packages/javascript.scm (cjson): Update to 1.7.18.
---
 gnu/packages/javascript.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/javascript.scm b/gnu/packages/javascript.scm
index 4f97dcfef6..b48acf47dc 100644
--- a/gnu/packages/javascript.scm
+++ b/gnu/packages/javascript.scm
@@ -49,7 +49,7 @@ (define-module (gnu packages javascript)
 (define-public cjson
   (package
     (name "cjson")
-    (version "1.7.16")
+    (version "1.7.18")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -57,7 +57,7 @@ (define-public cjson
                     (commit (string-append "v" version))))
               (file-name (git-file-name name version))
               (sha256
-               (base32 "00599lzzb0vszk317n0gln7wizdpchy4warxgpj3khrir73pphbb"))))
+               (base32 "08p37q4i3za3dgz7wynma1fh8y4rq7pyzyjzcda710nxrmsm1pyv"))))
     (build-system cmake-build-system)
     (arguments
      `(#:configure-flags '("-DENABLE_CJSON_UTILS=On")))
-- 
2.46.0

[bug#74035] [PATCH v2 25/26] gnu: cjson: Update to 1.7.18. [security fixes]

[Z572]

[-- Attachment #1: Type: text/plain, Size: 1209 bytes --]

Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> This fixes CVE-2023-50471 and CVE-2023-50472.
>
> * gnu/packages/javascript.scm (cjson): Update to 1.7.18.
> ---
>  gnu/packages/javascript.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/javascript.scm b/gnu/packages/javascript.scm
> index 4f97dcfef6..b48acf47dc 100644
> --- a/gnu/packages/javascript.scm
> +++ b/gnu/packages/javascript.scm
> @@ -49,7 +49,7 @@ (define-module (gnu packages javascript)
>  (define-public cjson
>    (package
>      (name "cjson")
> -    (version "1.7.16")
> +    (version "1.7.18")
>      (source (origin
>                (method git-fetch)
>                (uri (git-reference
> @@ -57,7 +57,7 @@ (define-public cjson
>                      (commit (string-append "v" version))))
>                (file-name (git-file-name name version))
>                (sha256
> -               (base32 "00599lzzb0vszk317n0gln7wizdpchy4warxgpj3khrir73pphbb"))))
> +               (base32 "08p37q4i3za3dgz7wynma1fh8y4rq7pyzyjzcda710nxrmsm1pyv"))))
>      (build-system cmake-build-system)
>      (arguments
>       `(#:configure-flags '("-DENABLE_CJSON_UTILS=On")))

apply

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v2 26/26] gnu: snapcast: Update to 0.29.0. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-36177.

* gnu/packages/audio.scm (snapcast): Update to 0.29.0.
---
 gnu/packages/audio.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm
index eaffa0842d..467dc4a74f 100644
--- a/gnu/packages/audio.scm
+++ b/gnu/packages/audio.scm
@@ -1567,7 +1567,7 @@ (define-public omins-lv2
 (define-public snapcast
   (package
     (name "snapcast")
-    (version "0.27.0")
+    (version "0.29.0")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -1576,7 +1576,7 @@ (define-public snapcast
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "10l5hvmaqr9ykipsnzl95wqg19ff36rhpa1q88axxcia0k2valkn"))))
+                "1960xp54vsndj9vvc03kx9kg9phdchdgrfghhvcp2b0nfq2qcqqm"))))
     (build-system cmake-build-system)
     (arguments
      '(#:tests? #f))                    ; no included tests
-- 
2.46.0

[bug#74035] [PATCH v2 01/26] gnu: libyang: Update to 3.4.2. [security fixes]

[Zheng Junjie]

[-- Attachment #1: Type: text/plain, Size: 1536 bytes --]

Nicolas Graves via Guix-patches via <guix-patches@gnu.org> writes:

> This fixes CVE-2021-28902, CVE-2021-28903, CVE-2021-28904,
> CVE-2021-28905 and CVE-2021-28906.
>
> * gnu/packages/networking.scm (libyang): Update to 3.4.2.
> ---
>  gnu/packages/networking.scm | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
> index 8481e2d2f4..17d4072ee0 100644
> --- a/gnu/packages/networking.scm
> +++ b/gnu/packages/networking.scm
> @@ -4238,7 +4238,7 @@ (define-public iwgtk
>  (define-public libyang
>    (package
>      (name "libyang")
> -    (version "1.0.215")
> +    (version "3.4.2")
>      (source (origin
>                (method git-fetch)
>                (uri (git-reference
> @@ -4247,12 +4247,12 @@ (define-public libyang
>                (file-name (git-file-name name version))
>                (sha256
>                 (base32
> -                "0mrs2ppmq77z8sbqgm2w0rl9bfgybd6bcxanakfww4chih6cy0dw"))))
> +                "07skjr3r4na12kadca2dyk45clpcpnp4zkkwfaa8sqyslx7vhj56"))))
>      (build-system cmake-build-system)
>      (arguments
>       `(#:configure-flags
>         (list "-DENABLE_BUILD_TESTS=ON" "-DENABLE_LYD_PRIV=ON")))
> -    (propagated-inputs (list pcre))
> +    (propagated-inputs (list pcre2))
>      (native-inputs (list cmocka pkg-config))
>      (home-page "https://github.com/CESNET/libyang")
>      (synopsis "YANG data modelling language library")

apply, and update it single dependent package: frrouting.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

[bug#74035] [PATCH v3 0/8] [security] fixes for near-leaf packages

[Nicolas Graves via Guix-patches via]

This patch series removes patches that have been built in the v2, so
that it's easier to review.  It's also a bump for QA.

Nicolas Graves (8):
  gnu: bart: Update to 0.9.00. [security fixes]
  gnu: pam-u2f: Update to 1.3.0. [security fixes]
  gnu: sendmail: Update to 8.18.1. [security fixes]
  gnu: openvpn: Update to 2.6.12. [security fixes]
  gnu: youtube-dl: Deprecate package.
  gnu: unicorn: Update to 2.1.1. [security fixes]
  gnu: Add sexpp.
  gnu: rnp: Update to 0.17.1. [security fixes]

 gnu/packages/emulators.scm        |  9 +++-
 gnu/packages/image-processing.scm |  8 ++--
 gnu/packages/mail.scm             |  5 +-
 gnu/packages/openpgp.scm          | 76 ++++++++++++++++++++++---------
 gnu/packages/security-token.scm   |  9 ++--
 gnu/packages/video.scm            |  3 +-
 gnu/packages/vpn.scm              |  4 +-
 7 files changed, 75 insertions(+), 39 deletions(-)

-- 
2.46.0

[bug#74035] [PATCH v3 1/8] gnu: bart: Update to 0.9.00. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes bart reproducibility and CVE-2022-45387.

* gnu/packages/image-processing.scm (bart): Update to 0.9.00.
---
 gnu/packages/image-processing.scm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/image-processing.scm b/gnu/packages/image-processing.scm
index a79eaf6aed..3a7c67362f 100644
--- a/gnu/packages/image-processing.scm
+++ b/gnu/packages/image-processing.scm
@@ -115,20 +115,19 @@ (define-module (gnu packages image-processing)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-1))
 
-;; TODO: this is not reproducible.
 (define-public bart
   (package
     (name "bart")
-    (version "0.8.00")
+    (version "0.9.00")
     (source
      (origin
        (method git-fetch)
        (uri (git-reference
              (url "https://github.com/mrirecon/bart")
-             (commit "eacc67b95cf128487ecc48f0e6541ea4dca08818")))
+             (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "05lcf7c3g7ms5h82bw1mi4kzkdv5wpqi1zrfhqfkgbcpd3irj6aq"))))
+        (base32 "0mj6jmw31rsnvqmpfqahhj4cy9iv5xgrhzmcsrikdz5dgd45lmjz"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -140,6 +139,7 @@ (define-public bart
                       "OPENBLAS=1"
                       "SCALAPACK=1"
                       (string-append "BLAS_BASE=" #$(this-package-input "openblas"))
+                      (string-append "CC=" #$(cc-for-target))
                       (string-append "FFTW_BASE=" #$(this-package-input "fftw")))
       #:parallel-build? #false ;leads to non-deterministic output
       #:phases
-- 
2.46.0

[bug#74035] [PATCH v3 2/8] gnu: pam-u2f: Update to 1.3.0. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2021-31924.

* gnu/packages/security-token.scm (pam-u2f): Update to 1.3.0.
[inputs]: Add libfido2, openssl. Remove libu2f-host, libu2f-server.
[native-inputs]: Sort packages.
---
 gnu/packages/security-token.scm | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/security-token.scm b/gnu/packages/security-token.scm
index 5abb461c0c..156a7d5e28 100644
--- a/gnu/packages/security-token.scm
+++ b/gnu/packages/security-token.scm
@@ -682,7 +682,7 @@ (define-public libu2f-server
 (define-public pam-u2f
   (package
     (name "pam-u2f")
-    (version "1.0.8")
+    (version "1.3.0")
     (source (origin
               (method git-fetch)
               (uri
@@ -691,17 +691,16 @@ (define-public pam-u2f
                 (commit (string-append "pam_u2f-" version))))
               (file-name (git-file-name name version))
               (sha256
-               (base32
-                "04d9davyi33gqbvga1rvh9fijp6f16mx2xmnn4n61rnhcn2jac98"))))
+               (base32 "1swvys98mw7ailllgqicvhj315qajhvqrmm314cp3bj0l76s9qpv"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
        (list (string-append "--with-pam-dir="
                             (assoc-ref %outputs "out") "/lib/security"))))
     (inputs
-     (list libu2f-host libu2f-server linux-pam))
+     (list libfido2 linux-pam openssl))
     (native-inputs
-     (list autoconf automake libtool asciidoc pkg-config))
+     (list asciidoc autoconf automake libtool pkg-config))
     (home-page "https://developers.yubico.com/pam-u2f/")
     (synopsis "PAM module for U2F authentication")
     (description
-- 
2.46.0

[bug#74035] [PATCH v3 3/8] gnu: sendmail: Update to 8.18.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-51765 and CVE-2021-3618.

* gnu/packages/mail.scm (sendmail): Update to 8.18.1.
---
 gnu/packages/mail.scm | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 2c69a7b818..ca1a55818e 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -3122,7 +3122,7 @@ (define-public mhonarc
 (define-public sendmail
   (package
     (name "sendmail")
-    (version "8.15.2")
+    (version "8.18.1")
     (source
      (origin
        (method url-fetch)
@@ -3130,8 +3130,7 @@ (define-public sendmail
              "ftp://ftp.sendmail.org/pub/sendmail/sendmail."
              version ".tar.gz"))
        (sha256
-        (base32
-         "0fdl9ndmspqspdlmghzxlaqk56j3yajk52d7jxcg21b7sxglpy94"))))
+        (base32 "0w07iw4imp9wvczd2mijns7zxl8p1wk29b9yrzvhcj4fqc4z7wfb"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
-- 
2.46.0

[bug#74035] [PATCH v4 1/8] gnu: bart: Update to 0.9.00. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes bart reproducibility and CVE-2022-45387.

* gnu/packages/image-processing.scm (bart): Update to 0.9.00.
---
 gnu/packages/image-processing.scm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/image-processing.scm b/gnu/packages/image-processing.scm
index a79eaf6aed..3a7c67362f 100644
--- a/gnu/packages/image-processing.scm
+++ b/gnu/packages/image-processing.scm
@@ -115,20 +115,19 @@ (define-module (gnu packages image-processing)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-1))
 
-;; TODO: this is not reproducible.
 (define-public bart
   (package
     (name "bart")
-    (version "0.8.00")
+    (version "0.9.00")
     (source
      (origin
        (method git-fetch)
        (uri (git-reference
              (url "https://github.com/mrirecon/bart")
-             (commit "eacc67b95cf128487ecc48f0e6541ea4dca08818")))
+             (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "05lcf7c3g7ms5h82bw1mi4kzkdv5wpqi1zrfhqfkgbcpd3irj6aq"))))
+        (base32 "0mj6jmw31rsnvqmpfqahhj4cy9iv5xgrhzmcsrikdz5dgd45lmjz"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -140,6 +139,7 @@ (define-public bart
                       "OPENBLAS=1"
                       "SCALAPACK=1"
                       (string-append "BLAS_BASE=" #$(this-package-input "openblas"))
+                      (string-append "CC=" #$(cc-for-target))
                       (string-append "FFTW_BASE=" #$(this-package-input "fftw")))
       #:parallel-build? #false ;leads to non-deterministic output
       #:phases
-- 
2.46.0

[bug#74035] [PATCH v4 1/8] gnu: bart: Update to 0.9.00. [security fixes]

[Maxim Cournoyer]

Hi,

Nicolas Graves <ngraves@ngraves.fr> writes:

> This fixes bart reproducibility and CVE-2022-45387.

CVE-2022-45387 is about the Jenkins bart plugin, not this BART toolbox
software; so it's nice to update it but there's no CVE fix here.

-- 
Thanks,
Maxim

[bug#74035] [PATCH v4 1/8] gnu: bart: Update to 0.9.00. [security fixes]

[Nicolas Graves via Guix-patches via]

On 2024-11-11 20:47, Maxim Cournoyer wrote:

> Hi,
>
> Nicolas Graves <ngraves@ngraves.fr> writes:
>
>> This fixes bart reproducibility and CVE-2022-45387.
>
> CVE-2022-45387 is about the Jenkins bart plugin, not this BART toolbox
> software; so it's nice to update it but there's no CVE fix here.

Indeed, thanks for checking!

-- 
Best regards,
Nicolas Graves

[bug#74035] [PATCH v4 1/8] gnu: bart: Update to 0.9.00. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes bart reproducibility and CVE-2022-45387.

* gnu/packages/image-processing.scm (bart): Update to 0.9.00.
---
 gnu/packages/image-processing.scm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/image-processing.scm b/gnu/packages/image-processing.scm
index a79eaf6aed..3a7c67362f 100644
--- a/gnu/packages/image-processing.scm
+++ b/gnu/packages/image-processing.scm
@@ -115,20 +115,19 @@ (define-module (gnu packages image-processing)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-1))
 
-;; TODO: this is not reproducible.
 (define-public bart
   (package
     (name "bart")
-    (version "0.8.00")
+    (version "0.9.00")
     (source
      (origin
        (method git-fetch)
        (uri (git-reference
              (url "https://github.com/mrirecon/bart")
-             (commit "eacc67b95cf128487ecc48f0e6541ea4dca08818")))
+             (commit (string-append "v" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "05lcf7c3g7ms5h82bw1mi4kzkdv5wpqi1zrfhqfkgbcpd3irj6aq"))))
+        (base32 "0mj6jmw31rsnvqmpfqahhj4cy9iv5xgrhzmcsrikdz5dgd45lmjz"))))
     (build-system gnu-build-system)
     (arguments
      (list
@@ -140,6 +139,7 @@ (define-public bart
                       "OPENBLAS=1"
                       "SCALAPACK=1"
                       (string-append "BLAS_BASE=" #$(this-package-input "openblas"))
+                      (string-append "CC=" #$(cc-for-target))
                       (string-append "FFTW_BASE=" #$(this-package-input "fftw")))
       #:parallel-build? #false ;leads to non-deterministic output
       #:phases
-- 
2.46.0

[bug#74035] [PATCH v4 2/8] gnu: pam-u2f: Update to 1.3.0. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2021-31924.

* gnu/packages/security-token.scm (pam-u2f): Update to 1.3.0.
[inputs]: Add libfido2, openssl. Remove libu2f-host, libu2f-server.
[native-inputs]: Sort packages.
---
 gnu/packages/security-token.scm | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/gnu/packages/security-token.scm b/gnu/packages/security-token.scm
index 5abb461c0c..156a7d5e28 100644
--- a/gnu/packages/security-token.scm
+++ b/gnu/packages/security-token.scm
@@ -682,7 +682,7 @@ (define-public libu2f-server
 (define-public pam-u2f
   (package
     (name "pam-u2f")
-    (version "1.0.8")
+    (version "1.3.0")
     (source (origin
               (method git-fetch)
               (uri
@@ -691,17 +691,16 @@ (define-public pam-u2f
                 (commit (string-append "pam_u2f-" version))))
               (file-name (git-file-name name version))
               (sha256
-               (base32
-                "04d9davyi33gqbvga1rvh9fijp6f16mx2xmnn4n61rnhcn2jac98"))))
+               (base32 "1swvys98mw7ailllgqicvhj315qajhvqrmm314cp3bj0l76s9qpv"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
        (list (string-append "--with-pam-dir="
                             (assoc-ref %outputs "out") "/lib/security"))))
     (inputs
-     (list libu2f-host libu2f-server linux-pam))
+     (list libfido2 linux-pam openssl))
     (native-inputs
-     (list autoconf automake libtool asciidoc pkg-config))
+     (list asciidoc autoconf automake libtool pkg-config))
     (home-page "https://developers.yubico.com/pam-u2f/")
     (synopsis "PAM module for U2F authentication")
     (description
-- 
2.46.0

[bug#74035] [PATCH v4 3/8] gnu: sendmail: Update to 8.18.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-51765 and CVE-2021-3618.

* gnu/packages/mail.scm (sendmail): Update to 8.18.1.
---
 gnu/packages/mail.scm | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 2c69a7b818..ca1a55818e 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -3122,7 +3122,7 @@ (define-public mhonarc
 (define-public sendmail
   (package
     (name "sendmail")
-    (version "8.15.2")
+    (version "8.18.1")
     (source
      (origin
        (method url-fetch)
@@ -3130,8 +3130,7 @@ (define-public sendmail
              "ftp://ftp.sendmail.org/pub/sendmail/sendmail."
              version ".tar.gz"))
        (sha256
-        (base32
-         "0fdl9ndmspqspdlmghzxlaqk56j3yajk52d7jxcg21b7sxglpy94"))))
+        (base32 "0w07iw4imp9wvczd2mijns7zxl8p1wk29b9yrzvhcj4fqc4z7wfb"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
-- 
2.46.0

[bug#74035] [PATCH v4 4/8] gnu: openvpn: Update to 2.6.12. [security fixes]

[Nicolas Graves via Guix-patches via]

Thix fixes CVE-2024-24974, CVE-2024-27459 and CVE-2024-27903.

* gnu/packages/vpn.scm (openvpn): Update to 2.6.12.
---
 gnu/packages/vpn.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/vpn.scm b/gnu/packages/vpn.scm
index 9f36595bfd..193b247779 100644
--- a/gnu/packages/vpn.scm
+++ b/gnu/packages/vpn.scm
@@ -867,7 +867,7 @@ (define-public openfortivpn
 (define-public openvpn
   (package
     (name "openvpn")
-    (version "2.6.7")
+    (version "2.6.12")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -875,7 +875,7 @@ (define-public openvpn
                     version ".tar.gz"))
               (sha256
                (base32
-                "04wr0g97nmv81javym8r99mglmb86v1i49xmnmzf938x1cs7g67f"))))
+                "0a8r3bvg4aic9b7dix0h7990g3j1gq17wd3w6vqk8vk8xgfhyq8w"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--enable-iproute2=yes")))
-- 
2.46.0

[bug#74035] [PATCH v4 5/8] gnu: youtube-dl: Deprecate package.

[Nicolas Graves via Guix-patches via]

This package is not developped anymore.

* gnu/packages/video.scm (youtube-dl): Deprecate package.
---
 gnu/packages/video.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index ff5dcd8daa..74cfabf6e7 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -93,6 +93,7 @@ (define-module (gnu packages video)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix utils)
   #:use-module (guix packages)
+  #:use-module (guix deprecation)
   #:use-module (guix download)
   #:use-module (guix gexp)
   #:use-module (guix git-download)
@@ -3085,7 +3086,7 @@ (define-public yle-dl
 video streaming services of the Finnish national broadcasting company Yle.")
     (license license:gpl3+)))
 
-(define-public youtube-dl
+(define-deprecated/public youtube-dl #f
   (package
     (name "youtube-dl")
     (version "2021.12.17")
-- 
2.46.0

[bug#74035] [PATCH v4 5/8] gnu: youtube-dl: Deprecate package.

[Maxim Cournoyer]

Hi Nicolas,

Nicolas Graves <ngraves@ngraves.fr> writes:

> This package is not developped anymore.
>
> * gnu/packages/video.scm (youtube-dl): Deprecate package.

This is maybe a bit preposterous; the repository is still alive, last
touched in August of this year [0].

[0]  https://github.com/ytdl-org/youtube-dl

I've dropped this commit from my locally queued series.

-- 
Thanks,
Maxim

[bug#74035] [PATCH v4 5/8] gnu: youtube-dl: Deprecate package.

[Nicolas Graves via Guix-patches via]

On 2024-11-11 20:48, Maxim Cournoyer wrote:

> Hi Nicolas,
>
> Nicolas Graves <ngraves@ngraves.fr> writes:
>
>> This package is not developped anymore.
>>
>> * gnu/packages/video.scm (youtube-dl): Deprecate package.
>
> This is maybe a bit preposterous; the repository is still alive, last
> touched in August of this year [0].
>
> [0]  https://github.com/ytdl-org/youtube-dl
>
> I've dropped this commit from my locally queued series.

My bad, I only checked the home-page because I thought development was
halted (and basically efforts for that functionality went to yt-dlp
instead) for legal reasons.  At least the home-page is indeed blocked in
France.  I haven't tested the package, OK to drop this commit.

-- 
Best regards,
Nicolas Graves

[bug#74035] [PATCH v4 6/8] gnu: unicorn: Update to 2.1.1. [security fixes]

[Nicolas Graves via Guix-patches via]

Thix fixes CVE-2021-4296.

* gnu/packages/emulators.scm (unicorn): Update to 2.1.1.
---
 gnu/packages/emulators.scm | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/emulators.scm b/gnu/packages/emulators.scm
index f0a60c0b49..948e588c4c 100644
--- a/gnu/packages/emulators.scm
+++ b/gnu/packages/emulators.scm
@@ -3508,13 +3508,18 @@ (define-public zsnes
 (define-public unicorn
   (package
     (name "unicorn")
-    (version "2.0.1.post1")
+    (version "2.1.1")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri name version))
        (sha256
-        (base32 "0mlfs8qfi0clyncfkbxp6in0cpl747510i6bqymwid43xcirbikz"))))
+        (base32 "18sbrycr62wcs3a68a9q76ihpahfsd4bn3mryvyhimwwn1342kwh"))
+       (modules '((guix build utils)))
+       ;; cmake files are not in the cmake dir in pypi
+       (snippet #~(substitute* "src/CMakeLists.txt"
+                    (("include\\(cmake/")
+                     "include(")))))
     (build-system pyproject-build-system)
     (native-inputs (list cmake pkg-config))
     (home-page "https://www.unicorn-engine.org")
-- 
2.46.0

[bug#74035] [PATCH v4 7/8] gnu: Add sexpp.

[Nicolas Graves via Guix-patches via]

* gnu/packages/openpgp.scm (sexpp): New variable.
---
 gnu/packages/openpgp.scm | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/gnu/packages/openpgp.scm b/gnu/packages/openpgp.scm
index 9b6f04b407..356908ab1f 100644
--- a/gnu/packages/openpgp.scm
+++ b/gnu/packages/openpgp.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2020 Justus Winter <justus@sequoia-pgp.org>
+;;; Copyright © 2024 Nicolas Graves <ngraves@ngraves.fr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -157,3 +158,26 @@ (define-public rnp
         license:asl2.0
         ;; Nominet UK's BSD 3-Clause License (netpgp).
         license:bsd-3)))))
+
+(define-public sexpp
+  (package
+    (name "sexpp")
+    (version "0.9.0")
+    (source
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/rnpgp/sexpp")
+             (commit (string-append "v" version))))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32 "16y9f42w6ay3w0s23xmigqm0qi1swdfvc93g2xn3xkg1r4kpmnwq"))))
+    (build-system cmake-build-system)
+    (arguments
+     (list #:configure-flags '(list "-DDOWNLOAD_GTEST=off")))
+    (native-inputs (list googletest pkg-config))
+    (home-page "https://github.com/rnpgp/sexpp")
+    (synopsis "C++ library for S-expressions")
+    (description
+     "This package provides a C++ library for working with S-Expressions.")
+    (license license:expat)))
-- 
2.46.0

[bug#74035] [PATCH v4 8/8] gnu: rnp: Update to 0.17.1. [security fixes]

[Nicolas Graves via Guix-patches via]

This fixes CVE-2023-29479 and CVE-2023-29480.

* gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
[arguments]: Improve style using gexps.
<#:phases>: Add phase 'inject-sexpp-source.
[inputs]: Add sexpp.
---
 gnu/packages/openpgp.scm | 52 +++++++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 22 deletions(-)

diff --git a/gnu/packages/openpgp.scm b/gnu/packages/openpgp.scm
index 356908ab1f..baf786c5ee 100644
--- a/gnu/packages/openpgp.scm
+++ b/gnu/packages/openpgp.scm
@@ -23,6 +23,7 @@ (define-module (gnu packages openpgp)
   #:use-module (guix git-download)
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
+  #:use-module (guix gexp)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (gnu packages)
   #:use-module (gnu packages check)
@@ -98,10 +99,10 @@ (define-public dkgpg
     (license license:gpl2+)))
 
 (define-public rnp
-  (let ((day-of-release "2022-09-22"))
+  (let ((day-of-release "2024-05-14"))
     (package
       (name "rnp")
-      (version "0.16.2")
+      (version "0.17.1")
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
@@ -110,33 +111,40 @@ (define-public rnp
                 (file-name (git-file-name name version))
                 (sha256
                  (base32
-                  "13z5kxm48a72w4m2crwgdjdng4a4pwxsd72r2z3a4pcakfp2swi8"))))
+                  "052872b6a88vkcc58alxcm532y6dra5qqd997jga41v72h3pnj4d"))))
       (build-system cmake-build-system)
-      (arguments `(#:configure-flags
-                   '("-DBUILD_SHARED_LIBS=on"
-                     "-DBUILD_TESTING=on"
-                     "-DDOWNLOAD_GTEST=off"
-                     "-DDOWNLOAD_RUBYRNP=off")
-                   #:phases
-                   (modify-phases %standard-phases
-                     (add-after 'unpack 'patch-tests
-                       (lambda _
-                         (substitute* "src/tests/support.cpp"
-                           (("\"cp\"") (search-input-file inputs "/bin/cp")))))
-                     (replace 'check
-                       (lambda* (#:key tests? #:allow-other-keys)
-                         (when tests?
-                           ;; Some OpenPGP certificates used by the tests expire.
-                           ;; To work around that, set the time to roughly the
-                           ;; release date.
-                           (invoke "faketime" ,day-of-release "make" "test")))))))
+      (arguments
+       (list
+        #:configure-flags
+        ''("-DBUILD_SHARED_LIBS=on"
+           "-DBUILD_TESTING=on"
+           "-DDOWNLOAD_GTEST=off"
+           "-DDOWNLOAD_RUBYRNP=off")
+        #:phases
+        #~(modify-phases %standard-phases
+            (add-after 'unpack 'patch-tests
+              (lambda _
+                (substitute* "src/tests/support.cpp"
+                  (("\"cp\"") (search-input-file inputs "/bin/cp")))))
+            (add-after 'unpack 'inject-sexpp-source
+              (lambda _
+                (rmdir "src/libsexpp")
+                (symlink #$(package-source (this-package-input "sexpp"))
+                         "src/libsexpp")))
+            (replace 'check
+              (lambda* (#:key tests? #:allow-other-keys)
+                (when tests?
+                  ;; Some OpenPGP certificates used by the tests expire.
+                  ;; To work around that, set the time to roughly the
+                  ;; release date.
+                  (invoke "faketime" #$day-of-release "make" "test")))))))
       (native-inputs
        (list gnupg       ; for tests
              googletest  ; for tests
              libfaketime ; for tests
              pkg-config
              python))
-      (inputs (list botan bzip2 json-c zlib))
+      (inputs (list botan bzip2 json-c sexpp zlib))
       (synopsis
        "RFC4880-compliant OpenPGP library written in C++")
       (description
-- 
2.46.0

[bug#74035] [PATCH v4 8/8] gnu: rnp: Update to 0.17.1. [security fixes]

[Maxim Cournoyer]

Hi,

Nicolas Graves <ngraves@ngraves.fr> writes:

> This fixes CVE-2023-29479 and CVE-2023-29480.
>
> * gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
> [arguments]: Improve style using gexps.
> <#:phases>: Add phase 'inject-sexpp-source.
> [inputs]: Add sexpp.

This one fails its test suite for me:

--8<---------------cut here---------------start------------->8---
        Start  15: rnp_tests.s2k_iteration_tuning
 16/263 Test  #15: rnp_tests.s2k_iteration_tuning ................................................***Failed    8.02 sec
[...]
The following tests FAILED:
	 15 - rnp_tests.s2k_iteration_tuning (Failed)
--8<---------------cut here---------------end--------------->8---

It should probably be repoted upstream.

-- 
Thanks,
Maxim

[bug#74035] [PATCH v4 8/8] gnu: rnp: Update to 0.17.1. [security fixes]

[Nicolas Graves via Guix-patches via]

On 2024-11-11 22:14, Maxim Cournoyer wrote:

> Hi,
>
> Nicolas Graves <ngraves@ngraves.fr> writes:
>
>> This fixes CVE-2023-29479 and CVE-2023-29480.
>>
>> * gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
>> [arguments]: Improve style using gexps.
>> <#:phases>: Add phase 'inject-sexpp-source.
>> [inputs]: Add sexpp.
>
> This one fails its test suite for me:
>
> --8<---------------cut here---------------start------------->8---
>         Start  15: rnp_tests.s2k_iteration_tuning
>  16/263 Test  #15: rnp_tests.s2k_iteration_tuning ................................................***Failed    8.02 sec
> [...]
> The following tests FAILED:
> 	 15 - rnp_tests.s2k_iteration_tuning (Failed)
> --8<---------------cut here---------------end--------------->8---
>
> It should probably be repoted upstream.

Strange, it worked for me IIRC.  Maybe tests are flaky and we should
exclude this one?

-- 
Best regards,
Nicolas Graves

bug#74035: [PATCH v4 8/8] gnu: rnp: Update to 0.17.1. [security fixes]

[Maxim Cournoyer]

Hi Nicolas,

Nicolas Graves <ngraves@ngraves.fr> writes:

> On 2024-11-11 22:14, Maxim Cournoyer wrote:
>
>> Hi,
>>
>> Nicolas Graves <ngraves@ngraves.fr> writes:
>>
>>> This fixes CVE-2023-29479 and CVE-2023-29480.
>>>
>>> * gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
>>> [arguments]: Improve style using gexps.
>>> <#:phases>: Add phase 'inject-sexpp-source.
>>> [inputs]: Add sexpp.
>>
>> This one fails its test suite for me:
>>
>> --8<---------------cut here---------------start------------->8---
>>         Start  15: rnp_tests.s2k_iteration_tuning
>>  16/263 Test  #15: rnp_tests.s2k_iteration_tuning ................................................***Failed    8.02 sec
>> [...]
>> The following tests FAILED:
>> 	 15 - rnp_tests.s2k_iteration_tuning (Failed)
>> --8<---------------cut here---------------end--------------->8---
>>
>> It should probably be repoted upstream.
>
> Strange, it worked for me IIRC.  Maybe tests are flaky and we should
> exclude this one?

The test appears to be sensitive to the CPU speed; upstream provided a
solution.  I've now applied this series, culminating with commit
44b06b030d.  Thank you!

-- 
Maxim

[bug#74035] [PATCH v4 8/8] gnu: rnp: Update to 0.17.1. [security fixes]

[Maxim Cournoyer]

Hi,

Nicolas Graves <ngraves@ngraves.fr> writes:

> This fixes CVE-2023-29479 and CVE-2023-29480.
>
> * gnu/packages/openpgp.scm (rnp): Update to 0.17.1.
> [arguments]: Improve style using gexps.
> <#:phases>: Add phase 'inject-sexpp-source.
> [inputs]: Add sexpp.

I could work it out with this:

--8<---------------cut here---------------start------------->8---
modified   gnu/packages/openpgp.scm
@@ -117,6 +117,9 @@ (define-public rnp
        (list
         #:configure-flags
         ''("-DBUILD_SHARED_LIBS=on"
+           ;; Lower the minimum tuning ratio from 6 to 4, as suggested
+           ;; upstream to avoid the s2k_iteration_tuning failing.
+           "-DS2K_MINIMUM_TUNING_RATIO=4"
            "-DBUILD_TESTING=on"
            "-DDOWNLOAD_GTEST=off"
            "-DDOWNLOAD_RUBYRNP=off")
@@ -129,22 +132,27 @@ (define-public rnp
             (add-after 'unpack 'inject-sexpp-source
               (lambda _
                 (rmdir "src/libsexpp")
-                (symlink #$(package-source (this-package-input "sexpp"))
+                (symlink #$(package-source (this-package-native-input "sexpp"))
                          "src/libsexpp")))
             (replace 'check
-              (lambda* (#:key tests? #:allow-other-keys)
+              (lambda* (#:key tests? parallel-tests? #:allow-other-keys)
                 (when tests?
                   ;; Some OpenPGP certificates used by the tests expire.
                   ;; To work around that, set the time to roughly the
                   ;; release date.
-                  (invoke "faketime" #$day-of-release "make" "test")))))))
+                  (setenv "CTEST_OUTPUT_ON_FAILURE" "1")
+                  (invoke "faketime" #$day-of-release "ctest"
+                          "-j" (if parallel-tests?
+                                   (number->string (parallel-job-count))
+                                   "1"))))))))
       (native-inputs
-       (list gnupg       ; for tests
-             googletest  ; for tests
-             libfaketime ; for tests
+       (list gnupg                      ;for tests
+             googletest                 ;for tests
+             libfaketime                ;for tests
              pkg-config
-             python))
-      (inputs (list botan bzip2 json-c sexpp zlib))
+             python
+             sexpp))                    ;sexpp is used as source only
+      (inputs (list botan bzip2 json-c zlib))
       (synopsis
        "RFC4880-compliant OpenPGP library written in C++")
       (description
--8<---------------cut here---------------end--------------->8---

Thanks to upstream's extreme responsiveness (answered in seconds!)

Nitpick: inline comments shouldn't have a space between the ';' and the text.

I've also made the test suite run in parallel and restored the
CTEST_OUTPUT_ON_FAILURE behavior of the stock check phase, as that's
very useful in case of problems.

-- 
Thanks,
Maxim