* [bug#74050] [PATCH 0/6] Add lint-hidden-cve property for near-leaf packages.
@ 2024-10-27 18:22 Nicolas Graves via Guix-patches via
2024-10-27 18:31 ` [bug#74050] [PATCH 1/6] gnu: gerbv: Add lint-hidden-cve property Nicolas Graves via Guix-patches via
0 siblings, 1 reply; 7+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:22 UTC (permalink / raw)
To: 74050; +Cc: Nicolas Graves
This patch series is what's left of 74034 after I've split it in two.
It introduces some useful lint-hidden-cve properties where that's
useful, fixing build or updating packages along the way.
Nicolas Graves (6):
gnu: gerbv: Add lint-hidden-cve property.
gnu: libgda: Rename patch for guix lint.
gnu: upx: Update to 4.2.4.
gnu: sylpheed: Add release-monitoring-url property.
gnu: openvswitch: Update to 3.4.0.
gnu: quagga: Fix build and hide CVE.
gnu/local.mk | 2 +-
gnu/packages/compression.scm | 7 ++++---
gnu/packages/engineering.scm | 2 ++
gnu/packages/gnome.scm | 2 +-
gnu/packages/mail.scm | 2 ++
gnu/packages/networking.scm | 14 ++++++++++----
...021-39359.patch => libgda-CVE-2021-39359.patch} | 0
7 files changed, 20 insertions(+), 9 deletions(-)
rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)
--
2.46.0
* [bug#74050] [PATCH 1/6] gnu: gerbv: Add lint-hidden-cve property.
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:31 UTC (permalink / raw)
To: 74050; +Cc: Nicolas Graves
* gnu/packages/engineering.scm (gerbv)[properties]: Add
lint-hidden-cve property.
---
gnu/packages/engineering.scm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm
index 6f449f0c39..89e60a7218 100644
--- a/gnu/packages/engineering.scm
+++ b/gnu/packages/engineering.scm
@@ -868,6 +868,8 @@ (define-public gerbv
you load several files on top of each other, do measurements on the displayed
image, etc. Besides viewing Gerbers, you may also view Excellon drill files
as well as pick-place files.")
+ ;; This CVE has been fixed in version 2.10.0.
+ (properties '((lint-hidden-cve . ("CVE-2023-4508"))))
(license license:gpl2+)))
(define-public translate2geda
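Review bot: The comment on the added `lint-hidden-cve` entry says CVE-2023-4508 is fixed in 2.10.0, but nothing in this hunk shows which gerbv version the package builds, so the suppression cannot be checked from the patch alone. Please state the packaged version in the comment or the commit log, and ideally point at the upstream release note or commit that carries the fix, so a later reviewer can tell whether the entry is still justified.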
--
2.46.0
* [bug#74050] [PATCH 2/6] gnu: libgda: Rename patch for guix lint.
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:31 UTC (permalink / raw)
To: 74050; +Cc: Nicolas Graves
* gnu/packages/gnome.scm (libgda)[source]<origin>: Rename patch for
CVE to be ignored by guix lint.
---
gnu/local.mk | 2 +-
gnu/packages/gnome.scm | 2 +-
...{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} | 0
3 files changed, 2 insertions(+), 2 deletions(-)
rename gnu/packages/patches/{libgda-cve-2021-39359.patch => libgda-CVE-2021-39359.patch} (100%)
diff --git a/gnu/local.mk b/gnu/local.mk
index c432685775..d253b424bb 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1666,7 +1666,7 @@ dist_patch_DATA = \
%D%/packages/patches/libcroco-CVE-2020-12825.patch \
%D%/packages/patches/libcyaml-libyaml-compat.patch \
%D%/packages/patches/libexpected-use-provided-catch2.patch \
- %D%/packages/patches/libgda-cve-2021-39359.patch \
+ %D%/packages/patches/libgda-CVE-2021-39359.patch \
%D%/packages/patches/libgda-disable-data-proxy-test.patch \
%D%/packages/patches/libgda-fix-build.patch \
%D%/packages/patches/libgda-fix-missing-initialization.patch \
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 77a0633b50..9b26819261 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -13653,7 +13653,7 @@ (define-public libgda
name "-" version ".tar.xz"))
(sha256
(base32 "0w564z7krgjk19r39mi5qn4kggpdg9ggbyn9pb4aavb61r14npwr"))
- (patches (search-patches "libgda-cve-2021-39359.patch"
+ (patches (search-patches "libgda-CVE-2021-39359.patch"
"libgda-disable-data-proxy-test.patch"
"libgda-fix-build.patch"
"libgda-fix-missing-initialization.patch"
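Review bot: The commit log says the patch is renamed "to be ignored by guix lint", which does not explain why letter case matters for `libgda-CVE-2021-39359.patch` in `search-patches`. If the point is that the linter only treats the upper-case `CVE-2021-39359` form in a patch file name as evidence that the CVE is patched, say so in the log. The rename itself is consistent with the `gnu/local.mk` entry and with the `libcroco-CVE-2020-12825.patch` spelling already in that list.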
diff --git a/gnu/packages/patches/libgda-cve-2021-39359.patch b/gnu/packages/patches/libgda-CVE-2021-39359.patch
similarity index 100%
rename from gnu/packages/patches/libgda-cve-2021-39359.patch
rename to gnu/packages/patches/libgda-CVE-2021-39359.patch
--
2.46.0
* [bug#74050] [PATCH 3/6] gnu: upx: Update to 4.2.4.
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:31 UTC (permalink / raw)
To: 74050; +Cc: Nicolas Graves
* gnu/packages/compression.scm (upx): Update to 4.2.4.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/compression.scm | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 97696ff0ef..a32b15a64a 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2438,15 +2438,14 @@ (define-public ucl
(define-public upx
(package
(name "upx")
- (version "4.1.0")
+ (version "4.2.4")
(source
(origin
(method url-fetch)
(uri (string-append "https://github.com/upx/upx/releases/download/v"
version "/upx-" version "-src.tar.xz"))
(sha256
- (base32
- "1l273pwa573x9l3izw75cz8ysn2g8w8w3s56rahppa3ya65zg0h5"))))
+ (base32 "1i71p03861hlf5x1w217l67zm5inm449zhbg6kpv8zyj0wb5dmjy"))))
(build-system cmake-build-system)
(home-page "https://upx.github.io/")
(synopsis "Compression tool for executables")
@@ -2455,6 +2454,8 @@ (define-public upx
compressor. UPX typically reduces the file size of programs and shared
libraries by around 50%--70%, thus reducing disk space, network load times,
download times, and other distribution and storage costs.")
+ ;; These CVEs have been fixed since 4.0.2 but are still linted.
+ (properties `((lint-hidden-cve . ("CVE-2023-23456" "CVE-2023-23457"))))
(license license:gpl2+)))
(define-public quazip-0
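Review bot: The added `properties` form is written with a quasiquote (backquote) although nothing inside it is unquoted; the gerbv, openvswitch and quagga patches in this series use a plain quote, so `'((lint-hidden-cve . ("CVE-2023-23456" "CVE-2023-23457")))` would be consistent. The comment also says these CVEs have been fixed since 4.0.2, and the version being replaced is 4.1.0, so hiding them does not depend on the update to 4.2.4 and could be a commit of its own.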
--
2.46.0
* [bug#74050] [PATCH 4/6] gnu: sylpheed: Add release-monitoring-url property.
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:31 UTC (permalink / raw)
To: 74050; +Cc: Nicolas Graves
* gnu/packages/mail.scm (sylpheed)[properties]: Add
release-monitoring-url.
---
gnu/packages/mail.scm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 2c69a7b818..77be7626a9 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -4561,6 +4561,8 @@ (define-public sylpheed
"Sylpheed is a simple, lightweight but featureful, and easy-to-use e-mail
client. Sylpheed provides intuitive user-interface. Sylpheed is also
designed for keyboard-oriented operation.")
+ (properties '((release-monitoring-url
+ . "https://sylpheed.sraoss.jp/en/download.html")))
(license license:gpl2+)))
(define-public python-authres
--
2.46.0
* [bug#74050] [PATCH 5/6] gnu: openvswitch: Update to 3.4.0.
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:31 UTC (permalink / raw)
To: 74050; +Cc: Nicolas Graves
* gnu/packages/networking.scm (openvswitch): Update to 3.4.0.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/networking.scm | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 8c5548323f..67584be64b 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2878,7 +2878,7 @@ (define-public nzbget
(define-public openvswitch
(package
(name "openvswitch")
- (version "3.2.0")
+ (version "3.4.0")
(source (origin
(method url-fetch)
(uri (string-append
@@ -2886,7 +2886,7 @@ (define-public openvswitch
version ".tar.gz"))
(sha256
(base32
- "1i0lb40lwbakmmqklmfcgr01l1ymsawgdi7k9a1zzp8ariw7x4ff"))))
+ "10g84h6lis6fafyjhvmdrs8r539xcar04cc3rsk448gs6848hsqr"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags
@@ -2962,7 +2962,9 @@ (define-public openvswitch
supporting standard management interfaces and protocols (e.g. NetFlow, sFlow,
IPFIX, RSPAN, CLI, LACP, 802.1ag).")
(properties
- '((release-monitoring-url . "https://www.openvswitch.org/download/")))
+ '((release-monitoring-url . "https://www.openvswitch.org/download/")
+ ;; This CVE is fixed since 3.2.0.
+ (lint-hidden-cve . ("CVE-2023-5366"))))
(license ; see debian/copyright for detail
(list license:lgpl2.1 ; xenserver and utilities/bugtool
license:gpl2 ; datapath
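Review bot: The comment in the `properties` hunk says CVE-2023-5366 "is fixed since 3.2.0", and 3.2.0 is the version this patch replaces, so the suppression does not follow from the bump to 3.4.0. Consider wording it as "fixed in 3.2.0 and later" with a pointer to the upstream advisory, and say in the comment that the linter still reports the CVE against fixed versions, as the upx comment in this series does.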
--
2.46.0
* [bug#74050] [PATCH 6/6] gnu: quagga: Fix build and hide CVE.
From: Nicolas Graves via Guix-patches via @ 2024-10-27 18:31 UTC (permalink / raw)
To: 74050; +Cc: Nicolas Graves
* gnu/packages/networking.scm (quagga)
[inputs]: Add libxcrypt.
[properties]: Add lint-hidden-cve property.
---
gnu/packages/networking.scm | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 67584be64b..910299a0a6 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -3139,7 +3139,7 @@ (define-public quagga
(delete-file "vtysh/extract.pl")))))
(build-system gnu-build-system)
(native-inputs (list gawk gcc-9 pkg-config perl dejagnu))
- (inputs (list readline c-ares))
+ (inputs (list c-ares libxcrypt readline))
(synopsis "Routing Software Suite")
(description "Quagga is a routing software suite, providing implementations
of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4 for Unix platforms.
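Review bot: `libxcrypt` is added to `inputs` with no explanation beyond "Fix build" in the subject; please say in the commit log what fails without it. The same line also reorders `c-ares` and `readline`, which is fine, but it makes the functional change harder to spot.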
@@ -3150,6 +3150,10 @@ (define-public quagga
clients which typically implement a routing protocol and communicate routing
updates to the zebra daemon.")
(home-page "https://www.nongnu.org/quagga/")
+ ;; This CVE concerns systemd services files that we currently don't use.
+ ;; If we were to use them, a fixing patch can be found here:
+ ;; https://build.opensuse.org/request/show/1035188
+ (properties '((lint-hidden-cve . ("CVE-2021-44038"))))
(license license:gpl2+)))
(define-public bgpq3
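Review bot: Unlike the other entries in this series, the `lint-hidden-cve` entry for CVE-2021-44038 hides an issue that is not fixed in the package, on the grounds that the systemd service files are not used, so the suppression stays correct only while that holds. The comment records the condition and where a fixing patch can be found, which is good; consider applying that patch anyway so the entry does not need revisiting, and split this change from the `libxcrypt` build fix since the two are unrelated.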
--
2.46.0