[PATCH] gnu: Remove allegro-5.0. [security fixes]

  • Done
  • quality assurance status badge
Details
2 participants
  • Maxim Cournoyer
  • Nicolas Graves
Owner
unassigned
Submitted by
Nicolas Graves
Severity
normal
N
N
Nicolas Graves wrote on 28 Oct 12:27 +0100
(address . guix-patches@gnu.org)(name . Nicolas Graves)(address . ngraves@ngraves.fr)
20241028112739.21615-1-ngraves@ngraves.fr
This package has no dependencies in Guix, is unsupported (see
https://liballeg.org/old.html)and is vulnerable to CVE-2021-36489.

* gnu/packages/game-development.scm (allegro-5.0): Delete variable.
* gnu/local.mk: Deregister patch.
* gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch: Delete file.
---
gnu/local.mk | 1 -
gnu/packages/game-development.scm | 18 --------
.../allegro-mesa-18.2.5-and-later.patch | 41 -------------------
3 files changed, 60 deletions(-)
delete mode 100644 gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch

Toggle diff (90 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index c432685775..113d8ed68d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -954,7 +954,6 @@ dist_patch_DATA = \
%D%/packages/patches/akonadi-paths.patch \
%D%/packages/patches/akonadi-not-relocatable.patch \
%D%/packages/patches/akonadi-timestamps.patch \
- %D%/packages/patches/allegro-mesa-18.2.5-and-later.patch \
%D%/packages/patches/alure-dumb-2.patch \
%D%/packages/patches/ibus-anthy-fix-tests.patch \
%D%/packages/patches/ibus-table-paths.patch \
diff --git a/gnu/packages/game-development.scm b/gnu/packages/game-development.scm
index ee869c9cc5..6100e4e94e 100644
--- a/gnu/packages/game-development.scm
+++ b/gnu/packages/game-development.scm
@@ -1132,24 +1132,6 @@ (define-public allegro
(home-page "https://liballeg.org")
(license license:bsd-3)))
-(define-public allegro-5.0
- (package (inherit allegro)
- (name "allegro")
- (version "5.0.11")
- (source (origin
- (method url-fetch)
- (uri (string-append "https://github.com/liballeg/allegro5/releases"
- "/download/" version "/allegro-"
- (if (equal? "0" (string-take-right version 1))
- (string-drop-right version 2)
- version)
- ".tar.gz"))
- (patches (search-patches
- "allegro-mesa-18.2.5-and-later.patch"))
- (sha256
- (base32
- "0cd51qrh97jrr0xdmnivqgwljpmizg8pixsgvc4blqqlaz4i9zj9"))))))
-
(define-public aseprite
(package
(name "aseprite")
diff --git a/gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch b/gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch
deleted file mode 100644
index fa273a5dfa..0000000000
--- a/gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Fixes compilation with Mesa >= 18.2.5.
-
-Taken from upstream:
-
-https://github.com/liballeg/allegro5/commit/a40d30e21802ecf5c9382cf34af9b01bd3781e47
-
-diff --git a/include/allegro5/allegro_opengl.h b/include/allegro5/allegro_opengl.h
-index 0f86a6768..652dd024e 100644
---- a/include/allegro5/allegro_opengl.h
-+++ b/include/allegro5/allegro_opengl.h
-@@ -103,10 +103,14 @@
-
- /* HACK: Prevent both Mesa and SGI's broken headers from screwing us */
- #define __glext_h_
-+#define __gl_glext_h_
- #define __glxext_h_
-+#define __glx_glxext_h_
- #include <GL/gl.h>
- #undef __glext_h_
-+#undef __gl_glext_h_
- #undef __glxext_h_
-+#undef __glx_glxext_h_
-
- #endif /* ALLEGRO_MACOSX */
-
-diff --git a/include/allegro5/opengl/GLext/glx_ext_defs.h b/include/allegro5/opengl/GLext/glx_ext_defs.h
-index 49c502091..fba8aea5d 100644
---- a/include/allegro5/opengl/GLext/glx_ext_defs.h
-+++ b/include/allegro5/opengl/GLext/glx_ext_defs.h
-@@ -1,7 +1,9 @@
- /* HACK: Prevent both Mesa and SGI's broken headers from screwing us */
- #define __glxext_h_
-+#define __glx_glxext_h_
- #include <GL/glx.h>
- #undef __glxext_h_
-+#undef __glx_glxext_h_
-
- #ifndef GLX_VERSION_1_3
- #define _ALLEGRO_GLX_VERSION_1_3
---
-2.20.0
--
2.46.0
N
N
Nicolas Graves wrote on 3 Nov 22:01 +0100
tag 74060 easy
(address . control@debbugs.gnu.org)
87ses8vxp7.fsf@ngraves.fr
tags 74060 + easy
quit

--
Best regards,
Nicolas Graves
M
M
Maxim Cournoyer wrote on 11 Nov 13:37 +0100
Re: [bug#74060] [PATCH] gnu: Remove allegro-5.0. [security fixes]
(name . Nicolas Graves)(address . ngraves@ngraves.fr)(address . 74060@debbugs.gnu.org)
87iksu9cac.fsf@gmail.com
Hi!

Nicolas Graves <ngraves@ngraves.fr> writes:

Toggle quote (7 lines)
> This package has no dependencies in Guix, is unsupported (see
> https://liballeg.org/old.html) and is vulnerable to CVE-2021-36489.
>
> * gnu/packages/game-development.scm (allegro-5.0): Delete variable.
> * gnu/local.mk: Deregister patch.
> * gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch: Delete file.

We also have an allegro-4.0 variable; is this one not vulnerable?
5.2.6).

--
Thanks,
Maxim
N
N
Nicolas Graves wrote on 11 Nov 15:17 +0100
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 74060@debbugs.gnu.org)
87r07h6eic.fsf@ngraves.fr
On 2024-11-11 21:37, Maxim Cournoyer wrote:

Toggle quote (15 lines)
> Hi!
>
> Nicolas Graves <ngraves@ngraves.fr> writes:
>
>> This package has no dependencies in Guix, is unsupported (see
>> https://liballeg.org/old.html) and is vulnerable to CVE-2021-36489.
>>
>> * gnu/packages/game-development.scm (allegro-5.0): Delete variable.
>> * gnu/local.mk: Deregister patch.
>> * gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch: Delete file.
>
> We also have an allegro-4.0 variable; is this one not vulnerable?
> https://nvd.nist.gov/vuln/detail/CVE-2021-36489 suggest it is (up to
> 5.2.6).

If it is removable easily, we should remove it yes. I might have
forgotten this one.

They are indeed unsupported versions, I reported that upstream in
which confirmed that these versions won't receive security patches.

--
Best regards,
Nicolas Graves
N
N
Nicolas Graves wrote on 12 Nov 11:58 +0100
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 74060@debbugs.gnu.org)
877c9867nm.fsf@ngraves.fr
On 2024-11-11 15:17, Nicolas Graves via Guix-patches via wrote:

Toggle quote (24 lines)
> On 2024-11-11 21:37, Maxim Cournoyer wrote:
>
>> Hi!
>>
>> Nicolas Graves <ngraves@ngraves.fr> writes:
>>
>>> This package has no dependencies in Guix, is unsupported (see
>>> https://liballeg.org/old.html) and is vulnerable to CVE-2021-36489.
>>>
>>> * gnu/packages/game-development.scm (allegro-5.0): Delete variable.
>>> * gnu/local.mk: Deregister patch.
>>> * gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch: Delete file.
>>
>> We also have an allegro-4.0 variable; is this one not vulnerable?
>> https://nvd.nist.gov/vuln/detail/CVE-2021-36489 suggest it is (up to
>> 5.2.6).
>
> If it is removable easily, we should remove it yes. I might have
> forgotten this one.
>
> They are indeed unsupported versions, I reported that upstream in
> https://github.com/liballeg/allegro5/issues/1587
> which confirmed that these versions won't receive security patches.

Indeed there's still a package depending on allegro-4 (aseprite). I
think that's the reason why I didn't consider updating it back then.
The issue is that the new version of aseprite seems nonfree (restricts
freedom to share the software, and the freedom to collaborate on the
software).

IMO we should remove both. Users can still use time-machine if they
really want to use that version, or submit a new version of aseprite in
nonguix. WDYT?

--
Best regards,
Nicolas Graves
M
M
Maxim Cournoyer wrote on 12 Nov 13:30 +0100
(name . Nicolas Graves)(address . ngraves@ngraves.fr)(address . 74060@debbugs.gnu.org)
87frnw3a96.fsf@gmail.com
Hi Nicolas,

Nicolas Graves <ngraves@ngraves.fr> writes:

Toggle quote (36 lines)
> On 2024-11-11 15:17, Nicolas Graves via Guix-patches via wrote:
>
>> On 2024-11-11 21:37, Maxim Cournoyer wrote:
>>
>>> Hi!
>>>
>>> Nicolas Graves <ngraves@ngraves.fr> writes:
>>>
>>>> This package has no dependencies in Guix, is unsupported (see
>>>> https://liballeg.org/old.html) and is vulnerable to CVE-2021-36489.
>>>>
>>>> * gnu/packages/game-development.scm (allegro-5.0): Delete variable.
>>>> * gnu/local.mk: Deregister patch.
>>>> * gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch: Delete file.
>>>
>>> We also have an allegro-4.0 variable; is this one not vulnerable?
>>> https://nvd.nist.gov/vuln/detail/CVE-2021-36489 suggest it is (up to
>>> 5.2.6).
>>
>> If it is removable easily, we should remove it yes. I might have
>> forgotten this one.
>>
>> They are indeed unsupported versions, I reported that upstream in
>> https://github.com/liballeg/allegro5/issues/1587
>> which confirmed that these versions won't receive security patches.
>
> Indeed there's still a package depending on allegro-4 (aseprite). I
> think that's the reason why I didn't consider updating it back then.
> The issue is that the new version of aseprite seems nonfree (restricts
> freedom to share the software, and the freedom to collaborate on the
> software).
>
> IMO we should remove both. Users can still use time-machine if they
> really want to use that version, or submit a new version of aseprite in
> nonguix. WDYT?

Sounds reasonable. We now have a package removal police (info
'(guix)Deprecation Policy'). For leaf packages, it's as easy as sending
a patch removing a package for review, and giving it one month before
merging it, to let time for anyone to voice their opinion.

--
Thanks,
Maxim
N
N
Nicolas Graves wrote on 12 Nov 18:04 +0100
control message for bug #74060
(address . control@debbugs.gnu.org)
87ldxo4c4c.fsf@ngraves.fr
close 74060
quit

Applied in 44b06b030d.


--
Best regards,
Nicolas Graves
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 74060@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 74060
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch