Date: Tuesday, October 27, 2020 @ 00:30:19 Author: dvzrv Revision: 734106
upgpkg: lilypond 2.20.0-4: Rebuild to fix CVE-2020-17353. Change pkgdesc to upstream description. Switch url to https. Add all used licenses: FDL1.3, GPL3, OFL. Add to pro-audio group. Add all available soname deps in package() and the respective packages to makedepends. Add all direct dependencies to depends. Remove lilyfontsize.patch which was only added due to a misbehaving desktop environment. Add upstream patch for CVE-2020-17353 (FS#67680). Run autoconf in prepare() instead of autogen.sh (all heuristics in there are not needed). Install custom license and docs. Update maintainer info. Added: lilypond/trunk/lilypond-2.20.0-CVE-2020-17353.patch Modified: lilypond/trunk/PKGBUILD Deleted: lilypond/trunk/lilyfontsize.patch --------------------------------------+ PKGBUILD | 62 +++++++++++++++----------- lilyfontsize.patch | 13 ----- lilypond-2.20.0-CVE-2020-17353.patch | 76 +++++++++++++++++++++++++++++++++ 3 files changed, 112 insertions(+), 39 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2020-10-27 00:09:45 UTC (rev 734105) +++ PKGBUILD 2020-10-27 00:30:19 UTC (rev 734106) 
@@ -1,45 +1,55 @@ -# Maintainer: Evgeniy Alekseev <arcanis at archlinux dot org> -# Maintainer: Sergej Pupykin <pupykin.s+a...@gmail.com> -# Maintainer: Geoffroy Carrier <geoff...@archlinux.org> +# Maintainer: David Runge <dv...@archlinux.org> +# Contributor: Evgeniy Alekseev <arcanis at archlinux dot org> +# Contributor: Sergej Pupykin <pupykin.s+a...@gmail.com> +# Contributor: Geoffroy Carrier <geoff...@archlinux.org> # Contributor: William Rea <sillywi...@gmail.com> # Contributor: Robert Emil Berge <filokte...@linuxophic.org> pkgname=lilypond pkgver=2.20.0 -pkgrel=3 -pkgdesc="An automated music engraving system" +pkgrel=4 +pkgdesc="Music engraving program, devoted to producing the highest-quality sheet music possible" arch=('x86_64') -url="http://lilypond.org" -license=('GPL') -depends=('fontconfig' 'freetype2' 'guile1.8' 'ghostscript' 'glib2' 'pango') +url="https://lilypond.org" +license=('FDL1.3' 'GPL3' 'custom:OFL') +groups=('pro-audio') +depends=('gcc-libs' 'ghostscript' 'glibc' 'guile1.8' 'ttf-dejavu') +# TODO: package extractpdfmark +makedepends=('dblatex' 'fontconfig' 'fontforge' 'freetype2' 'glib2' +'gnu-free-fonts' 'gsfonts' 'imagemagick' 'mftrace' 'netpbm' 'pango' 'python2' +'rsync' 't1utils' 'texi2html' 'texinfo' 'texlive-core' 'tex-gyre-fonts' +'texlive-langcyrillic' 'ttf-bitstream-vera' 'ttf-liberation' +'ttf-linux-libertine' 'zip') optdepends=('python2: for lilypond-book and other scripts') -makedepends=('flex' 'bison' 'gettext' 'mftrace' 'texinfo' 'fontforge' 't1utils' - 'gsfonts' 'texi2html' 'dblatex' 'texlive-langcyrillic' 'imagemagick' - 'zip' 'rsync' 'netpbm' 'texlive-core' 'tex-gyre-fonts' 'python2') options=('emptydirs') -source=("http://lilypond.org/downloads/sources/v${pkgver%.*}/$pkgname-$pkgver.tar.gz" - lilyfontsize.patch) -sha256sums=('595901323fbc88d3039ca4bdbc2d8c5ce46b182edcb3ea9c0940eba849bba661' - '17b86b7a0b09b73cb5cf8751464571cf6a785c0b1a23db425cc828855a9d8ae6') 
+source=("https://lilypond.org/downloads/sources/v${pkgver%.*}/$pkgname-$pkgver.tar.gz" + "${pkgname}-2.20.0-CVE-2020-17353.patch") +sha512sums=('8c5749576362b8c8acaed9eed50f22fdbf986bbe1733219921e366166d9cb829ffb280bfec936647248ddc48b3441af67a4e9d4023e003fdc7522d913f83928a' + '99663585ceed5493cc25e34c85f68328254d55822d66767f8384d058218835d24179b938547d303f84b33dae328b2b9734748a1c58186a7f279695d76f5ac2b7') +b2sums=('1bf4aa1db189b6a2c4be9b9f35a0ac913533640cc2ca6327492909cf71218bba7a31ca3c5a84a94746e361e2f985fe1b73e4ad6fbea13927e465f7b7f14bd16a' + '6a5b7ab61da2a7e96aa54c411784fc7d698afdc3cfded9bfd3e50639c083aa400edf58f5c041a360a36ac418f00c851ca45a56aa2d008baa56d5422c15a42f37') prepare() { - cd "$srcdir/$pkgname-$pkgver" - - sed -e 's|1.82, 1.82|1.82|g' -i configure.ac # Remove version constraint on texi2html - - patch -p1 -i "$srcdir/lilyfontsize.patch" - - ./autogen.sh --noconf + cd "$pkgname-$pkgver" + # fix CVE-2020-17353: FS#67680 + patch -Np1 -i "../${pkgname}-2.20.0-CVE-2020-17353.patch" + # Remove version constraint on texi2html + sed -e 's|1.82, 1.82|1.82|g' -i configure.ac + autoconf --force --verbose } build() { - cd "$srcdir/$pkgname-$pkgver" - ./configure \ - --prefix=/usr + cd "$pkgname-$pkgver" + ./configure --prefix=/usr make } package() { - cd "$srcdir/$pkgname-$pkgver" + depends+=('libfontconfig.so' 'libfreetype.so' 'libglib-2.0.so' + 'libgobject-2.0.so' 'libpangoft2-1.0.so' 'libpango-1.0.so') + cd "$pkgname-$pkgver" make DESTDIR="$pkgdir" vimdir="/usr/share/vim/vimfiles" install + install -vDm 644 LICENSE.OFL -t "${pkgdir}/usr/share/licenses/${pkgname}/" + install -vDm 644 {AUTHORS,NEWS,README}.txt \ + -t "${pkgdir}/usr/share/doc/${pkgname}/" } Deleted: lilyfontsize.patch =================================================================== --- lilyfontsize.patch 2020-10-27 00:09:45 UTC (rev 734105) +++ lilyfontsize.patch 2020-10-27 00:30:19 UTC (rev 734106) 
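Review bot: The comment added in prepare(), `# fix CVE-2020-17353: FS#67680`, does not say how far the fix reaches. The bundled patch only leaves `embedded-ps` and `embedded-svg` out of the stencil command list when `(ly:get-option 'safe)` is true, so a run without the safe option keeps both commands. I would word the comment as `# CVE-2020-17353 (FS#67680): drops embedded-ps/embedded-svg from the stencil commands in safe mode only; other runs are unchanged`, so that anyone processing untrusted input knows safe mode still has to be enabled.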
@@ -1,13 +0,0 @@
-diff -wbBur lilypond-2.18.2/lily/pango-font.cc lilypond-2.18.2.fix/lily/pango-font.cc
---- lilypond-2.18.2/lily/pango-font.cc 2014-03-17 19:29:16.000000000 +0400
-+++ lilypond-2.18.2.fix/lily/pango-font.cc 2016-12-02 19:36:55.634555707 +0300
-@@ -315,7 +315,8 @@
- pango_fc_font_unlock_face (fcfont);
- pango_glyph_string_free (pgs);
- pgs = 0;
-- PangoFontDescription *descr = pango_font_describe (pa->font);
-+// PangoFontDescription *descr = pango_font_describe (pa->font);
-+ PangoFontDescription *descr = pango_context_get_font_description (context_);
- Real size = pango_font_description_get_size (descr)
- / (Real (PANGO_SCALE));
-
Added: lilypond-2.20.0-CVE-2020-17353.patch
===================================================================
--- lilypond-2.20.0-CVE-2020-17353.patch (rev 0)
+++ lilypond-2.20.0-CVE-2020-17353.patch 2020-10-27 00:30:19 UTC (rev 734106)
@@ -0,0 +1,76 @@
+diff --git a/scm/define-stencil-commands.scm b/scm/define-stencil-commands.scm
+index 09a2299..e388788 100644
+--- a/scm/define-stencil-commands.scm
++++ b/scm/define-stencil-commands.scm
+@@ -21,36 +21,41 @@
+ (define-public (ly:all-stencil-commands)
+ "Return the list of stencil commands that can be
+ defined in the output modules (@file{output-*.scm})."
+- '(blank
+- char
+- circle
+- dashed-line
+- draw-line
+- ellipse
+- embedded-ps
+- embedded-svg
+- end-group-node
+- glyph-string
+- grob-cause
+- named-glyph
+- no-origin
+- page-link
+- path
+- partial-ellipse
+- placebox
+- polygon
+- resetcolor
+- resetrotation
+- resetscale
+- round-filled-box
+- setcolor
+- setrotation
+- setscale
+- start-group-node
+- text
+- unknown
+- url-link
+- utf-8-string
++ (let*
++ ((commands '(blank
++ char
++ circle
++ dashed-line
++ draw-line
++ ellipse
++ end-group-node
++ glyph-string
++ grob-cause
++ named-glyph
++ no-origin
++ page-link
++ path
++ partial-ellipse
++ placebox
++ polygon
++ resetcolor
++ resetrotation
++ resetscale
++ round-filled-box
++ setcolor
++ setrotation
++ setscale
++ start-group-node
++ text
++ unknown
++ url-link
++ utf-8-string
++ )))
++
++ (if (ly:get-option 'safe)
++ commands
++ (append '(embedded-ps embedded-svg)
++ commands))
+ ))
+
+ ;; TODO:
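Review bot: The safe-mode branch in `ly:all-stencil-commands` works by subtraction: `commands` is treated as the safe set and the two `embedded-*` commands are appended otherwise, yet nothing in the code says so and the docstring still describes a fixed list. Any command added to `commands` later becomes available in safe mode without anyone deciding that it should be. I would add a docstring sentence such as `With the safe option set, embedded-ps and embedded-svg are left out.` and put `;; only commands acceptable in safe mode belong in this list` above the `commands` binding. Because this is a backport, the wording is best taken upstream as well; from this hunk alone it cannot be seen whether other code paths also need to consult the option, so that is worth confirming against the upstream fix.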