NEW: audio/moc

[Michael Seyfert]

I'm trying to get this into the ports tree yet again.

MOC is a console audio player with simple ncurses interface.  It
supports OGG, WAV, MP3 and other formats.  Just run mocp, go to some
directory using the menu and press enter to start playing the file.
The program will automatically play the rest of the files in the
directory.

please see attached.

-- 
Michael Seyfert 


moc_port_openbsd.tzg
Description: Binary data

Re: NEW: sysutils/vifm

[Dmitrij D. Czarkoff]

Landry Breuil said:
> On Wed, Feb 03, 2016 at 12:42:34AM +0100, Dmitrij D. Czarkoff wrote:
> > Stuart Henderson said:
> > > On 2016/02/03 00:25, Dmitrij D. Czarkoff wrote:
> > > > Stuart Henderson said:
> > > > > On 2016/02/02 21:58, Landry Breuil wrote:
> > > > > > Oh, and the code in src/int/file_magic.c even has a fallback to use 
> > > > > > file
> > > > > > %s -b --mime-type called via popen()..
> > > > > 
> > > > > It would be nice to kill the other options and use file(1) from base
> > > > > as the only detection method, it is *loads* safer.
> > > > 
> > > > Well, the actual code is:
> > > > 
> > > > | snprintf(command, sizeof(command), "file \"%s\" -b --mime-type", 
> > > > filename);
> > > > 
> > > > Note double quotes.  Of course no quoting is performed on filename.
> > > > Thus:
> > > > 
> > > > 1. If filename contains double quote, vifm sigfaults.
> > > > 2. If filename is nasty, nasty things happen.  Eg. I renamed a png image
> > > >to "$(echo text)", and vifm opened it in vi.  I guess filename
> > > >"`doas rm -Rf $HOME/*`" will also pleasantly surprise user.
> > > 
> > > Ugh. I have seen CVEs assigned for smaller problems than that!
> > 
> > I've added a naive patch to openbsd-wip version of this port.  Vifm
> > still opens renamed png in vi, but at least does not execute commands.
> 
> better report it directly upstream then ? :)

I'd leave this honor to maintainer.

-- 
Dmitrij D. Czarkoff

Re: windowmaker 0.95.7 anyone?

[David Coppa]

On Wed, 03 Feb 2016, Sebastian Reitenbach wrote:

> On 02/02/16 23:12, mi...@dataswamp.org wrote:
> >On 09:53, David Coppa wrote:
> >>If you send me what you have atm, I'll have a look...
> >Sure, thanks. Juan Francisco Cantero Hurtado suggested to remove any 
> >pledge() patches for now so I did that. As I said: I have been using this 
> >for the last 3 months or so without any issues. Especially I did not see any 
> >of the bugs that the older wmaker related threads mentioned (windows 
> >spawning multiple times etc.).
> >
> >Regards,
> >Michael
> 
> 
> configure runs through, but then it fails on building that it cannot find 
> aclocal-1.14
> installing automake-1.14.1 let me build the package.
> 
> Wondering why this aclocal run pops up in hte build stage, and not in some 
> (pre) configure
> step.
> 
> 
> using it with GNUstep GWorkspace desktop, works fine so far.
> 
> Instead of that tarball, a patch against current ports tree would be better.

Here's a proper diff with some additional fixes.

Works ok for me.

Ciao!
David

Index: Makefile
===
RCS file: /cvs/ports/x11/windowmaker/Makefile,v
retrieving revision 1.92
diff -u -p -u -p -r1.92 Makefile
--- Makefile7 Dec 2015 18:24:11 -   1.92
+++ Makefile3 Feb 2016 12:17:01 -
@@ -3,39 +3,45 @@
 COMMENT-main=  window manager that emulates NEXTSTEP(tm)
 COMMENT-lang=  language subpackage for Window Maker
 
-V= 0.92.0
+V =0.95.7
 DISTNAME=  WindowMaker-${V}
 PKGNAME-main=  ${DISTNAME:L}
-REVISION-main= 56
 FULLPKGNAME-lang=  windowmaker-lang-${V}
-REVISION-lang= 5
 
-SHARED_LIBS += wraster  5.0  # 4.0
+SHARED_LIBS +=  WINGs 0.0 # 2.1
+SHARED_LIBS +=  WMaker0.0 # 1.1
+SHARED_LIBS +=  WUtil 0.0 # 3.0
+SHARED_LIBS +=  wraster   5.1 # 4.1
 
 CATEGORIES=x11 x11/windowmaker
 
-HOMEPAGE=  http://windowmaker.org/
+HOMEPAGE=  http://www.windowmaker.info
 
 # GPLv2+
 PERMIT_PACKAGE_CDROM=  Yes
 
-WANTLIB += X11 Xext Xft Xinerama Xpm Xrender c expat fontconfig
-WANTLIB += freetype jpeg m png pthread-stubs tiff gif xcb z
+WANTLIB += ICE SM X11 Xmu Xext Xft Xinerama Xpm Xrandr Xrender
+WANTLIB += Xt c expat fontconfig freetype gif jpeg kvm m png
+WANTLIB += pthread pthread-stubs tiff xcb z 
 
 MASTER_SITES=  ${MASTER_SITE_WINDOWMAKER:=source/release/}
-EXTRACT_SUFX=  .tar.bz2
 
 NO_TEST=   Yes
 SEPARATE_BUILD=Yes
 CONFIGURE_STYLE=   gnu
 CONFIGURE_ARGS+=   ${CONFIGURE_SHARED} \
+   --disable-magick \
+   --disable-webp \
+   --enable-randr \
--enable-static \
--enable-xinerama \
-   --with-datadir="${LOCALBASE}/share/WindowMaker" \
-   --with-nlsdir="${LOCALBASE}/share/locale"
+   --localedir="${LOCALBASE}/share/locale" 
 
-CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" 
LIBS="-L${LOCALBASE}/lib" \
-   LINGUAS='be bg bs ca cs da de el es et fi fr gl hr hu 
it ja ko ms nl no pl pt ro ru sk sv tr zh_CN zh_TW'
+CONFIGURE_ENV= CPPFLAGS="-I${X11BASE}/include -I${LOCALBASE}/include" \
+   LIBS="-L${X11BASE}/lib -L${LOCALBASE}/lib" \
+   LINGUAS='*' \
+   ac_cv_lib_exif_exif_data_new_from_file=no \
+   wm_cv_func_secure_getenv=no
 
 MULTI_PACKAGES=-main -lang
 
@@ -44,27 +50,24 @@ LIB_DEPENDS=graphics/tiff \
graphics/png \
graphics/giflib
 
-RUN_DEPENDS-lang=  x11/windowmaker>=0.90.0
+RUN_DEPENDS-lang = x11/windowmaker>=${V}
 LIB_DEPENDS-lang=
 WANTLIB-lang=
 
-post-patch:
-# Rename wrongly named locale files
-   @mv ${WRKSRC}/WindowMaker/menu.cz ${WRKSRC}/WindowMaker/menu.cs
-   @mv ${WRKSRC}/WindowMaker/menu.se ${WRKSRC}/WindowMaker/menu.sv
+WMAKER_SHARE = ${PREFIX}/share/WindowMaker
 
 pre-configure:
-   @perl -pi -e "s|%%PREFIX%%|${PREFIX}|g" \
-   ${WRKSRC}/WINGs/wapplication.c \
-   ${WRKSRC}/WPrefs.app/Menu.c \
-   ${WRKSRC}/WPrefs.app/Paths.c \
-   ${WRKSRC}/WindowMaker/Defaults/WMWindowAttributes.in \
-   ${WRKSRC}/WindowMaker/Defaults/WindowMaker.in
+   @touch ${WRKSRC}/configure.ac ${WRKSRC}/aclocal.m4 \
+   ${WRKSRC}/configure ${WRKSRC}/Makefile.am \
+   ${WRKSRC}/Makefile.in
 
 post-install:
mv ${WRKINST}/${SYSCONFDIR}/WindowMaker ${PREFIX}/share/examples/
${INSTALL_DATA_DIR} ${PREFIX}/share/WindowMaker/Sounds
${INSTALL_DATA_DIR} ${PREFIX}/GNUstep/Applications
ln -s ${LOCALBASE}/share/WPrefs 
${PREFIX}/GNUstep/Applications/WPrefs.app
+# Rename 

CVS: cvs.openbsd.org: ports

[Jasper Lievisse Adriaanse]

CVSROOT:/cvs
Module name:ports
Changes by: jas...@cvs.openbsd.org  2016/02/03 06:24:38

Modified files:
security/libnettle: Tag: OPENBSD_5_8 Makefile 
Added files:
security/libnettle/patches: Tag: OPENBSD_5_8 patch-ecc-256_c 
patch-x86_64_ecc-384-modp_asm 

Log message:
- Security fixes for CVE-2015-8803 - CVE-2015-8805
- -current is not affected after the update to 3.2

ok aja@ (MAINTAINER)

Re: [UPDATE] archivers/p7zip

[Josh Grosse]

On Wed, Feb 03, 2016 at 09:42:55AM +0300, Andre S wrote:
> p7zip-15.09p3
> 
> Core dumped when used "l" command to list contents of password protected
> archive.
> 
> Core dumped when used "t" command to test integrity of password protected
> archive.
> 
> $ 7z a -p test.7z test.txt
> Success.
> 
> $ 7z l test.7z
> Enter password (will not be echoed):Abort trap (core dumped)
> 
> $ 7z t test.7z
> Enter password (will not be echoed):Abort trap (core dumped)
 
Ouch. Thanks for the report. And for the fix, which broadens
the applicable secondary pledges to include tty.

In testing on amd64, I do get different results.  The list command 
does not prompt for a password.  

However the pledge() for list is also the pledge for stdout extractions, so 
your recommendation to expand that pledge is fine.  If you would be kind 
enough to post your architecture, that may be helpful in trying to recreate
the same results which occurred for you.

I was unable to apply your patch directly due to white space
alignment. I applied your recommendations and have posted the
equivalent patch below, using mutt, which is less likely to chew
on unified diffs than some other Email applications.

OK $MAINTAINER.

Index: Makefile
===
RCS file: /systems/cvs/ports/archivers/p7zip/Makefile,v
retrieving revision 1.30
diff -u -p -r1.30 Makefile
--- Makefile31 Jan 2016 22:29:37 -  1.30
+++ Makefile3 Feb 2016 11:21:33 -
@@ -6,7 +6,7 @@ COMMENT-main=   file archiver with high co
 COMMENT-rar=   rar modules for p7zip
 
 V= 15.09
-REVISION=  3
+REVISION=  4
 DISTNAME=  p7zip_${V}_src_all
 PKGNAME=   p7zip-${V}
 PKGNAME-main=  p7zip-${V}
Index: patches/patch-CPP_7zip_UI_Console_Main_cpp
===
RCS file: 
/systems/cvs/ports/archivers/p7zip/patches/patch-CPP_7zip_UI_Console_Main_cpp,v
retrieving revision 1.3
diff -u -p -r1.3 patch-CPP_7zip_UI_Console_Main_cpp
--- patches/patch-CPP_7zip_UI_Console_Main_cpp  31 Jan 2016 22:29:37 -  
1.3
+++ patches/patch-CPP_7zip_UI_Console_Main_cpp  3 Feb 2016 11:22:33 -
@@ -88,7 +88,7 @@ Pledge archivers/p7zip main executables
 +#ifdef PLEDGE_DEBUG
 +  printf("reduced pledge: test stdout\n");
 +#endif
-+  if (pledge("stdio rpath", NULL) == -1) {
++  if (pledge("stdio rpath tty", NULL) == -1) {
 +  perror("pledge");
 +  exit(2);
 +}
@@ -106,7 +106,7 @@ Pledge archivers/p7zip main executables
 +  printf("reduced pledge: list\n");
 +#endif
 +
-+  if (pledge("stdio rpath", NULL) == -1) {
++  if (pledge("stdio rpath tty", NULL) == -1) {
 +perror("pledge");
 +exit(2);
 +  }

CVS: cvs.openbsd.org: ports

[Jasper Lievisse Adriaanse]

CVSROOT:/cvs
Module name:ports
Changes by: jas...@cvs.openbsd.org  2016/02/03 05:22:01

Modified files:
www/netsurf/libnsgif: Tag: OPENBSD_5_8 Makefile 
Added files:
www/netsurf/libnsgif/patches: Tag: OPENBSD_5_8 
  patch-src_libnsgif_c 

Log message:
stack overflow (CVE-2015-7505) and out-of-bounds read (CVE-2015-7506)

Re: [UPDATE] archivers/p7zip

[Josh Grosse]

On 2016-02-03 07:13, Theo Buehler wrote:

On Wed, Feb 03, 2016 at 06:43:41AM -0500, Josh Grosse wrote:

In testing on amd64, I do get different results.  The list command
does not prompt for a password.


Same here.  This is very odd behavior.  I would not expect a "password
protected" archive to reveal information about its content.


Indeed.  I can test on i386, and see if it has the same behavior.  If it
varies, I may be able to determine where the divergence takes place.
But I likely won't be able to get to this for a day or two.


I'm not sure if a maintainer ok is enough for me to commit it, so I
leave it at an

ok tb@


My OK has no authority whatsoever.  :)

CVS: cvs.openbsd.org: ports

[Benoit Lecocq]

CVSROOT:/cvs
Module name:ports
Changes by: ben...@cvs.openbsd.org  2016/02/03 04:16:01

Modified files:
textproc/p5-Lingua-Stem-Ru: Makefile distinfo 

Log message:
Update to p5-Lingua-Stem-Ru-0.02.

CVS: cvs.openbsd.org: ports

[Jasper Lievisse Adriaanse]

CVSROOT:/cvs
Module name:ports
Changes by: jas...@cvs.openbsd.org  2016/02/03 05:31:18

Modified files:
www/netsurf/libnsbmp: Tag: OPENBSD_5_8 Makefile 
Added files:
www/netsurf/libnsbmp/patches: Tag: OPENBSD_5_8 
  patch-src_libnsbmp_c 

Log message:
Security fixes for heap overflow (CVE-2015-7508) and out-of-bounds read 
(CVE-2015-7507)

rpm-3.0.6p7 core dumps while installing a rpm

[Jiri B]

Hi,

rpm core dumps when "installing" a rpm[1]:

rpm-3.0.6p7
kern.version=OpenBSD 5.9-beta (GENERIC.MP) #1862: Thu Jan 21 18:48:14 MST 2016

Steps to reproduce:
* mkdir -p /tmp/rpm/var/lib/rpm
* rpm -ivv --ignoreos --ignorearch --nodeps --dbpath /var/lib/rpm --root 
/tmp/rpm /tmp/ovirt-release36.rpm

j.

#0  0x0a22c6ae489a in thrkill () at :2
No locals.
#1  0x0a22c6adff59 in *_libc_abort () at /usr/src/lib/libc/stdlib/abort.c:52
mask = 4294967263
sa = {__sigaction_u = {__sa_handler = 0xe, __sa_sigaction = 0xe}, 
sa_mask = 3334369443, sa_flags = 2594}
#2  0x0a22c6ac2299 in wrterror (msg=0xa22c6beb398 "use after free", 
p=0xa22efb484a0) at /usr/src/lib/libc/stdlib/malloc.c:283
iov = {{iov_base = 0xa209d985ae0 <__progname_storage>, iov_len = 3}, 
{iov_base = 0x7f7ea990, iov_len = 10}, {iov_base = 0xa22c6beb3a7, iov_len = 
7}, {iov_base = 0xa22c6bec2b0, iov_len = 8}, {iov_base = 0xa22c6beb398, iov_len 
= 14}, {iov_base = 0x7f7ea970, iov_len = 14}, {iov_base = 0xa22c6be70a3, 
iov_len = 1}}
pidbuf = "(9436) in \000\235 \n\000\000,\024\360\306"
buf = " 0xa22efb484a0\000\271,\024\360\306"
saved_errno = 2
#3  0x0a22c6ac386c in validate_junk (p=) at 
/usr/src/lib/libc/stdlib/malloc.c:1235
r = 
pool = 
byte = 0
sz = 11144478476442
#4  ofree (p=0xa22efb484a0) at /usr/src/lib/libc/stdlib/malloc.c:1306
i = 9
pool = 0xa22f30846c0
r = 
sz = 
#5  0x0a22c6ac390e in free (ptr=0xa2399bc59c0) at 
/usr/src/lib/libc/stdlib/malloc.c:1340
saved_errno = 2
#6  0x0a209d52c3ed in headerFree (h=0xa22fc192700) at 
/home/jirib/openbsd/pobj/rpm-3.0.6/rpm-3.0.6/lib/header.c:985
i = 3
#7  0x0a209d524525 in alFree (al=0xa22ab554918) at 
/home/jirib/openbsd/pobj/rpm-3.0.6/rpm-3.0.6/lib/depends.c:111
i = 0
r = 0xa
#8  0x0a209d52643d in rpmtransFree (rpmdep=0xa22ab554900) at 
/home/jirib/openbsd/pobj/rpm-3.0.6/rpm-3.0.6/lib/depends.c:718
addedPackages = 0xa22ab554918
availablePackages = 0xa22ab554948
#9  0x0a209d542cd0 in rpmInstall (rootdir=0xa2399bc55b0 "/tmp/rpm", 
fileArgv=0xa22c38cde80, transFlags=0, interfaceFlags=4, probFilter=3, 
relocations=0x0) at 
/home/jirib/openbsd/pobj/rpm-3.0.6/rpm-3.0.6/lib/rpminstall.c:390
db = 0xa2391a84c80
fd = 0xa235b2e3a00
i = 1
mode = 514
rc = -1
major = 3
pkgURL = 0xa237b836ce0
tmppkgURL = 0xa237b836de0
fileURL = 0xa237b836ce8
numPkgs = 1
numTmpPkgs = 0
numRPMS = 1
numSRPMS = 0
numFailed = 1
h = 0xa22fc192700
isSource = 0
rpmdep = 0xa22ab554900
numConflicts = 286385781
stopInstall = 0
notifyFlags = 20
dbIsOpen = 1
sourceURL = 0x7f7eab10
defaultReloc = 0x0
#10 0x0a209d50d37b in main (argc=10, argv=0x7f7eaee8) at 
/home/jirib/openbsd/pobj/rpm-3.0.6/rpm-3.0.6/rpm.c:1395
bigMode = MODE_INSTALL
qva = 0xa209d97d000 
ba = 0xa209d97d020 
QVSource = RPMQV_PACKAGE
arg = -1
installFlags = 0
uninstallFlags = 0
interfaceFlags = 4
gotDbpath = 1
verifyFlags = -86208
checksigFlags = 0
timeCheck = 0
addSign = 0
specFile = 0x7f7eaf40 "q\260\376\377\177\177"
tce = 0xe675574635ab 
passPhrase = 0xa209d665798 ""
cookie = 0x0
optArg = 0xa237b836770 "/var/lib/rpm"
pipeChild = 0
pkg = 0x8 
errString = 0x0
optCon = 0xa236f598800
infoCommand = {0xa209d667f3b "--info", 0x0}
installCommand = {0xa209d667f42 "--install", 0x0}
ec = 0
status = -1177988376
p = {0, 0}
relocations = 0x0
numRelocations = 0
sigTag = 2594
upgrade = 0
freshen = 0
probFilter = 3

[1] http://resources.ovirt.org/pub/yum-repo/ovirt-release36.rpm

Firefox 44 font change

[Christian Weisgerber]

Firefox 44 appears to have snuck in a change in font handling:

Bitmap fonts are no longer used.  At least that's what I see with
only the default fonts installed (xenocara defaults plus ghostscript
since that gets pulled in as a dependency).

This has two effects I noticed:

(1) For Latin script which is otherwise rendered with DejaVu,
some butt-ugly bitmap font (Lucida, I think) would occasionally
sneak through on some sites.  This no longer happens.

(2) The default CJK fonts are no longer displayed, easily verifiable
under {ja,ko,zh}.wikipedia.org.  I now only get squares with
Unicode numbers.

Now, I'm not saying this is necessarily a bad thing.  I doubt anybody
will complain about (1).  People who actually read CJK text and are
potentially affected by (2) probably have better fonts installed
anyway since those shipped with xenocara are really poor.

Landry tells me he can't reproduce this, which is even weirder.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de

CVS: cvs.openbsd.org: ports

[Vadim Zhukov]

CVSROOT:/cvs
Module name:ports
Changes by: z...@cvs.openbsd.org2016/02/03 13:47:13

Modified files:
devel/intellij : Makefile 
devel/intellij/files: idea.1 

Log message:
There is a special mdoc macro, .Lk, for hyperlinks like that.

[NEW] ovirt-engine-cli and its deps

[Jiri B]

Hi,

new ovirt-engine-cli port in attachment, it's CLI for oVirt
Engine (or Red Hat Enterprise Virtualization Manager).

I'm using it daily and I can maintain ovirt-engine-cli
and py-ovirt-engine-sdk.

j.


ovirt-engine-cli.tar.gz
Description: application/tar-gz


py-kitchen.tar.gz
Description: application/tar-gz


py-ovirt-engine-sdk.tar.gz
Description: application/tar-gz


py-ply.tar.gz
Description: application/tar-gz

CVS: cvs.openbsd.org: ports

[Alexander Bluhm]

CVSROOT:/cvs
Module name:ports
Changes by: bl...@cvs.openbsd.org   2016/02/03 08:06:08

Modified files:
devel/p5-Data-Validate-IP: Makefile distinfo 

Log message:
update p5-Data-Validate-IP to 0.25

Re: Adding pledge() to www/lynx

[Frederic Cambus]

On Fri, Jan 29, 2016 at 04:37:13AM +0100, Theo Buehler wrote:

> > > is it possible to get rid of proc exec? I didn't add them on my end...
> 
> there are shell escapes, so they are probably needed.  I don't really
> use lynx myself, but it seems to me that it's worth investigating
> tighter pledges conditionally on various "lynx -restriction=..."
> options (hopefully those can't be changed at runtime).
> 
> > Also should it call "err" or "exit_immediately" on failure?
> 
> I agree that the latter looks like the right way to go.

Here is a new diff for testing, with more restrictive promises.

It builds on patches and suggestions provided off-list by tb@ and
daniel@. Thanks guys for all the feedback and ideas.

The idea is to avoid using otherwise required 'getpw', 'proc', 'exec'
promises entirely. We achieve this by disabling a couple of features,
mostly removing obsolete stuff. While we are at it, we attempt to pave
the way to be able to remove even more promises in the future, and
reduce potential attack vectors.

We disable them either at compile time :

--disable-bibp-urls
--disable-dired
--disable-finger

Or by hardcoding boolean values to disable the features just before
calling pledge and entering main program loop :

no_exec = TRUE; 
no_mail = TRUE;
no_shell = TRUE;

rlogin_ok = FALSE;
telnet_ok = FALSE;

Manpage has been updated to mention those restrictions.

Also, CFLAGS="-DNOUSERS" was added in the Makefile to disable getpwnam
and getpwuid.

Comments?

Index: Makefile
===
RCS file: /cvs/ports/www/lynx/Makefile,v
retrieving revision 1.22
diff -u -p -u -p -r1.22 Makefile
--- Makefile14 Jan 2016 10:45:07 -  1.22
+++ Makefile3 Feb 2016 23:17:38 -
@@ -5,7 +5,7 @@ PL =8
 COMMENT =  text web browser
 DISTNAME = lynx${V}dev.${PL}
 PKGNAME =  lynx-${V}pl${PL}
-REVISION = 1
+REVISION = 2
 EXTRACT_SUFX = .tar.bz2
 CATEGORIES =   www net
 
@@ -16,6 +16,7 @@ MAINTAINER =  Frederic Cambus 

CVS: cvs.openbsd.org: ports

[Stuart Henderson]

CVSROOT:/cvs
Module name:ports
Changes by: st...@cvs.openbsd.org   2016/02/03 17:21:14

Modified files:
net/dnscrypt-proxy: Tag: OPENBSD_5_8 Makefile distinfo 
net/dnscrypt-proxy/pkg: Tag: OPENBSD_5_8 PLIST-main 
Removed files:
net/dnscrypt-proxy/patches: Tag: OPENBSD_5_8 
patch-src_libevent-modified_evutil_rand_c 

Log message:
Update to dnscrypt-proxy 1.6.1

- Security: malformed packets could cause the OpenDNS deviceid,
OpenDNS set-client-ip, blocking and  blocking plugins to use
uninitialized pointers, leading to a denial of service or possibly
code execution. The vulnerable code is present since dnscrypt-proxy
1.1.0. OpenDNS users and people using dnscrypt-proxy in order to block
domain names and IP addresses should upgrade as soon as possible.

Re: pledge textproc/the_silver_searcher

[Doug Hogan]

On Wed, Feb 03, 2016 at 06:02:55PM +0100, Florian Stinglmayr wrote:
> Michael's patch is very nice and should definitely make it in.
> 
> Yet after speaking with upstream the other day it was made very clear to
> me that upstream wants the patch in their repository. Since my upstream
> patch requires a change in configure.ac (and thus a rerunning
> autoreconf) I don't want to put it in ports. So my plan is:

Great!

> 1. Use Michael's patch until upstream releases a new version.
> 2. Send Michael's patch upstream.
> 3. Wait for new version.
> 4. Update port, remove old patches.
> 
> Attached below is the git patch that will go upstream. I'd appreciate
> any feedback.

Some feedback below.

> diff --git a/src/main.c b/src/main.c
> index 4d0e623..1551c0d 100644
> --- a/src/main.c
> +++ b/src/main.c
> @@ -35,6 +35,12 @@ int main(int argc, char **argv) {
>  int workers_len;
>  int num_cores;
>  
> +#ifdef HAVE_PLEDGE
> +if (pledge("stdio rpath proc exec", NULL) < 0) {

Can you use the standard convention == -1?  It's (almost?) universally
checked that way.  Makes it easier to spot errors when everything is
consistent.

> diff --git a/src/options.c b/src/options.c
> index 6bc5b18..bcd452e 100644
> --- a/src/options.c
> +++ b/src/options.c
> @@ -600,6 +600,12 @@ void parse_options(int argc, char **argv, char 
> **base_paths[], char **paths[]) {
>  }
>  }
>  
> +#ifdef HAVE_PLEDGE
> +if (opts.skip_vcs_ignores && pledge("stdio rpath proc", NULL) < 0) {

This is a minor nit, but almost every other one is "if (pledge(".

> +#ifdef HAVE_PLEDGE
> +if (pledge("stdio rpath proc", NULL) < -1) {

This will never happen.  It should be == -1.

Re: graphics/djvulibre: fix a bug in documents with duplicate page titles

[Juan Francisco Cantero Hurtado]

On Wed, Feb 03, 2016 at 03:08:53AM +0100, Juan Francisco Cantero Hurtado wrote:
> The patch adds support for documents with duplicate page titles. I
> need this change to update pdf2djvu to the latest version.
> 
> I've not tested any djvu viewer, just the conversion. So any test is
> welcome.

Tested with zathura-djvu and everything works fine.

> 
> OK?
> 
> 
> Index: Makefile
> ===
> RCS file: /cvs/ports/graphics/djvulibre/Makefile,v
> retrieving revision 1.34
> diff -u -p -r1.34 Makefile
> --- Makefile  12 May 2015 16:10:27 -  1.34
> +++ Makefile  3 Feb 2016 01:53:18 -
> @@ -3,6 +3,7 @@
>  COMMENT= view, decode and encode DjVu files
>  
>  DISTNAME=djvulibre-3.5.27
> +REVISION=0
>  SHARED_LIBS= djvulibre   26.0# 27.0
>  CATEGORIES=  graphics print
>  
> Index: patches/patch-libdjvu_DjVmDir_cpp
> ===
> RCS file: patches/patch-libdjvu_DjVmDir_cpp
> diff -N patches/patch-libdjvu_DjVmDir_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-libdjvu_DjVmDir_cpp 3 Feb 2016 01:53:18 -
> @@ -0,0 +1,94 @@
> +$OpenBSD$
> +
> +"accept documents with duplicate page titles"
> +
> +http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
> +https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
> +
> +--- libdjvu/DjVmDir.cpp.orig Tue Jul  8 23:15:07 2014
>  libdjvu/DjVmDir.cpp  Wed Feb  3 01:51:28 2016
> +@@ -223,7 +223,6 @@ DjVmDir::decode(const GP )
> +page2file.resize(-1);
> +name2file.empty();
> +id2file.empty();
> +-   title2file.empty();
> + 
> +int ver=str.read8();
> +bool bundled=(ver & 0x80)!=0;
> +@@ -375,18 +374,6 @@ DjVmDir::decode(const GP )
> +   G_THROW( ERR_MSG("DjVmDir.dupl_id") "\t" + file->id);
> +id2file[file->id]=file;
> +   }
> +-
> +- // Generate title2file map
> +-  for(pos=files_list;pos;++pos)
> +-  {
> +-   GP file=files_list[pos];
> +-   if (file->title.length())
> +-   {
> +-  if (title2file.contains(file->title))
> +- G_THROW( ERR_MSG("DjVmDir.dupl_title") "\t" + file->title);
> +-  title2file[file->title]=file;
> +-   }
> +-  }
> +}
> + }
> + 
> +@@ -556,11 +543,19 @@ DjVmDir::id_to_file(const GUTF8String ) const
> + }
> + 
> + GP
> +-DjVmDir::title_to_file(const GUTF8String ) const
> ++DjVmDir::title_to_file(const GUTF8String , GPosition spos) const
> + {
> +-   GCriticalSectionLock lock((GCriticalSection *) _lock);
> +-   GPosition pos;
> +-   return (title2file.contains(title, 
> pos))?title2file[pos]:(GP(0));
> ++  if (! title)
> ++return 0;
> ++  GCriticalSectionLock lock((GCriticalSection *) _lock);
> ++  if (! spos)
> ++for (GPosition pos = spos; pos; ++pos)
> ++  if (files_list[pos]->is_page() && files_list[pos]->title == title)
> ++return files_list[pos];
> ++  for (GPosition pos = files_list; pos; ++pos)
> ++if (files_list[pos]->is_page() && files_list[pos]->title == title)
> ++  return files_list[pos];
> ++  return 0;
> + }
> + 
> + GP
> +@@ -661,14 +656,7 @@ DjVmDir::insert_file(const GP & file, int pos_nu
> +  G_THROW( ERR_MSG("DjVmDir.dupl_name2") "\t" + file->name);
> +name2file[file->name]=file;
> +id2file[file->id]=file;
> +-   if (file->title.length())
> +- {
> +-   if (title2file.contains(file->title))  
> +- // duplicate titles may become ok some day
> +- G_THROW( ERR_MSG("DjVmDir.dupl_title2") "\t" + file->title);
> +-   title2file[file->title]=file;
> +- }
> +-
> ++   
> +   // Make sure that there is no more than one file with shared 
> annotations
> +if (file->is_shared_anno())
> +{
> +@@ -727,7 +715,6 @@ DjVmDir::delete_file(const GUTF8String )
> +   {
> +  name2file.del(f->name);
> +  id2file.del(f->id);
> +- title2file.del(f->title);
> +  if (f->is_page())
> +  {
> + for(int page=0;page +@@ -788,9 +775,7 @@ DjVmDir::set_file_title(const GUTF8String , const G
> +if (!id2file.contains(id, pos))
> +   G_THROW( ERR_MSG("DjVmDir.no_info") "\t" + GUTF8String(id));
> +GP file=id2file[pos];
> +-   title2file.del(file->title);
> +file->title=title;
> +-   title2file[title]=file;
> + }
> + 
> + GPList
> Index: patches/patch-libdjvu_DjVmDir_h
> ===
> RCS file: patches/patch-libdjvu_DjVmDir_h
> diff -N patches/patch-libdjvu_DjVmDir_h
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-libdjvu_DjVmDir_h   3 Feb 2016 01:53:18 -
> @@ -0,0 +1,41 @@
> +$OpenBSD$
> +
> +"accept documents with duplicate page titles"
> +
> +http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
> 

textproc/zathura: missing RUN_DEPENDS

[Juan Francisco Cantero Hurtado]

When I install a zathura plugin because I only want a viewer for that
format, pkg_add will not install also the main package. Without the
core package, the plugin is useless.

While here, change the COMMENT.

The patch is very simple. OK?

Index: core/Makefile
===
RCS file: /cvs/ports/textproc/zathura/core/Makefile,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile
--- core/Makefile   20 Sep 2015 07:33:44 -  1.3
+++ core/Makefile   4 Feb 2016 01:53:39 -
@@ -1,7 +1,8 @@
 # $OpenBSD: Makefile,v 1.3 2015/09/20 07:33:44 landry Exp $
 
 V =0.3.3
-COMMENT =  PDF viewer with vi-like keybindings
+REVISION = 0
+COMMENT =  multi-format document viewer with vi-like keybindings
 DISTNAME = zathura-${V}
 CATEGORIES =   textproc x11
 
Index: plugins/Makefile.inc
===
RCS file: /cvs/ports/textproc/zathura/plugins/Makefile.inc,v
retrieving revision 1.4
diff -u -p -r1.4 Makefile.inc
--- plugins/Makefile.inc25 Aug 2015 14:23:25 -  1.4
+++ plugins/Makefile.inc4 Feb 2016 01:53:39 -
@@ -8,7 +8,8 @@ PERMIT_PACKAGE_CDROM ?= Yes
 PERMIT_PACKAGE_FTP ?=  Yes
 PERMIT_DISTFILES_FTP ?=Yes
 
-RUN_DEPENDS ?= devel/desktop-file-utils
+RUN_DEPENDS ?= devel/desktop-file-utils \
+   textproc/zathura/core
 LIB_DEPENDS += x11/girara
 BUILD_DEPENDS ?=   textproc/zathura/core
 
Index: plugins/cb/Makefile
===
RCS file: /cvs/ports/textproc/zathura/plugins/cb/Makefile,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile
--- plugins/cb/Makefile 25 Aug 2015 14:23:25 -  1.3
+++ plugins/cb/Makefile 4 Feb 2016 01:53:39 -
@@ -3,7 +3,7 @@
 V =0.1.2
 COMMENT =  comic book plugin for zathura
 DISTNAME = zathura-cb-${V}
-REVISION = 1
+REVISION = 2
 
 HOMEPAGE = http://pwmt.org/projects/zathura/plugins/zathura-cb/
 
Index: plugins/djvu/Makefile
===
RCS file: /cvs/ports/textproc/zathura/plugins/djvu/Makefile,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile
--- plugins/djvu/Makefile   25 Aug 2015 14:23:25 -  1.3
+++ plugins/djvu/Makefile   4 Feb 2016 01:53:39 -
@@ -3,7 +3,7 @@
 V =0.2.3
 COMMENT =  djvu plugin for zathura
 DISTNAME = zathura-djvu-${V}
-REVISION = 1
+REVISION = 2
 
 HOMEPAGE = http://pwmt.org/projects/zathura/plugins/zathura-djvu
 
Index: plugins/mupdf/Makefile
===
RCS file: /cvs/ports/textproc/zathura/plugins/mupdf/Makefile,v
retrieving revision 1.6
diff -u -p -r1.6 Makefile
--- plugins/mupdf/Makefile  25 Aug 2015 14:23:25 -  1.6
+++ plugins/mupdf/Makefile  4 Feb 2016 01:53:39 -
@@ -1,7 +1,7 @@
 # $OpenBSD: Makefile,v 1.6 2015/08/25 14:23:25 sthen Exp $
 
 V =0.2.7
-REVISION = 2
+REVISION = 3
 COMMENT =  mupdf pdf plugin for zathura
 DISTNAME = zathura-pdf-mupdf-${V}
 
Index: plugins/poppler/Makefile
===
RCS file: /cvs/ports/textproc/zathura/plugins/poppler/Makefile,v
retrieving revision 1.4
diff -u -p -r1.4 Makefile
--- plugins/poppler/Makefile25 Aug 2015 14:23:25 -  1.4
+++ plugins/poppler/Makefile4 Feb 2016 01:53:39 -
@@ -3,7 +3,7 @@
 V =0.2.5
 COMMENT =  poppler pdf plugin for zathura
 DISTNAME = zathura-pdf-poppler-${V}
-REVISION = 1
+REVISION = 2
 
 HOMEPAGE = http://pwmt.org/projects/zathura/plugins/zathura-pdf-poppler/
 
Index: plugins/ps/Makefile
===
RCS file: /cvs/ports/textproc/zathura/plugins/ps/Makefile,v
retrieving revision 1.4
diff -u -p -r1.4 Makefile
--- plugins/ps/Makefile 25 Aug 2015 14:23:25 -  1.4
+++ plugins/ps/Makefile 4 Feb 2016 01:53:39 -
@@ -3,7 +3,7 @@
 V =0.2.2
 COMMENT =  spectre postscript plugin for zathura
 DISTNAME = zathura-ps-${V}
-REVISION = 2
+REVISION = 3
 
 HOMEPAGE = http://pwmt.org/projects/zathura/plugins/zathura-ps/
 

Re: Firefox 44 font change

[Juan Francisco Cantero Hurtado]

On Wed, Feb 03, 2016 at 10:56:48PM +0100, Christian Weisgerber wrote:
> Firefox 44 appears to have snuck in a change in font handling:
> 
> Bitmap fonts are no longer used.  At least that's what I see with
> only the default fonts installed (xenocara defaults plus ghostscript
> since that gets pulled in as a dependency).
> 
> This has two effects I noticed:
> 
> (1) For Latin script which is otherwise rendered with DejaVu,
> some butt-ugly bitmap font (Lucida, I think) would occasionally
> sneak through on some sites.  This no longer happens.
> 
> (2) The default CJK fonts are no longer displayed, easily verifiable
> under {ja,ko,zh}.wikipedia.org.  I now only get squares with
> Unicode numbers.
> 
> Now, I'm not saying this is necessarily a bad thing.  I doubt anybody
> will complain about (1).  People who actually read CJK text and are
> potentially affected by (2) probably have better fonts installed
> anyway since those shipped with xenocara are really poor.
> 
> Landry tells me he can't reproduce this, which is even weirder.

Search the string "font." in about:config. The text in bold are
non-default values. Look if you have the file
.config/fontconfig/fonts.conf. Firefox uses these about:config
settings and fontconfig to select the fonts.

Open "ja.wikipedia.org", click with the secondary button of your mouse
in any line of text and click in "Inspect Element". Click in
"Inspector" and "Fonts". It will show which font is used to render
that text.


-- 
Juan Francisco Cantero Hurtado http://juanfra.info

CVS: cvs.openbsd.org: ports

[Stuart Henderson]

CVSROOT:/cvs
Module name:ports
Changes by: st...@cvs.openbsd.org   2016/02/03 19:56:29

Modified files:
telephony/asterisk: Makefile distinfo 

Log message:
security update to asterisk-13.7.1 (if anyone has time to look at
pulling -stable up to 11.21.1, that would be appreciated..)

BEAST vulnerability in HTTP server
http://downloads.digium.com/pub/security/AST-2016-001.html

File descriptor exhaustion in chan_sip
http://downloads.digium.com/pub/security/AST-2016-002.html

Remote crash vulnerability when receiving UDPTL FAX data.
http://downloads.digium.com/pub/security/AST-2016-003.html

Re: pledge textproc/the_silver_searcher

[Florian Stinglmayr]

On Fri, Jan 29, 2016 at 04:13:20PM -0500, Michael McConville wrote:
> Sorry for disappearing.
>
> Thanks for pointing out the VCS popen. Below is a draft that
> incorporates your suggestions. Let me know if it's too fine-grained. My
> thought was that it's ideal to drop exec as early as possible.
>

Michael's patch is very nice and should definitely make it in.

Yet after speaking with upstream the other day it was made very clear to
me that upstream wants the patch in their repository. Since my upstream
patch requires a change in configure.ac (and thus a rerunning
autoreconf) I don't want to put it in ports. So my plan is:

1. Use Michael's patch until upstream releases a new version.
2. Send Michael's patch upstream.
3. Wait for new version.
4. Update port, remove old patches.

Attached below is the git patch that will go upstream. I'd appreciate
any feedback.

Regards,
Florian

diff --git a/configure.ac b/configure.ac
index 42aaf79..65293c1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -57,7 +57,7 @@ AC_CHECK_DECL([CPU_ZERO, CPU_SET], [AC_DEFINE([USE_CPU_SET], 
[], [Use CPU_SET ma
 AC_CHECK_MEMBER([struct dirent.d_type], [AC_DEFINE([HAVE_DIRENT_DTYPE], [], 
[Have dirent struct member d_type])], [], [[#include ]])
 AC_CHECK_MEMBER([struct dirent.d_namlen], [AC_DEFINE([HAVE_DIRENT_DNAMLEN], 
[], [Have dirent struct member d_namlen])], [], [[#include ]])
 
-AC_CHECK_FUNCS(fgetln getline realpath strlcpy strndup vasprintf madvise 
posix_fadvise pthread_setaffinity_np)
+AC_CHECK_FUNCS(fgetln getline realpath strlcpy strndup vasprintf madvise 
posix_fadvise pthread_setaffinity_np pledge)
 
 AC_CONFIG_FILES([Makefile the_silver_searcher.spec])
 AC_CONFIG_HEADERS([src/config.h])
diff --git a/src/main.c b/src/main.c
index 4d0e623..1551c0d 100644
--- a/src/main.c
+++ b/src/main.c
@@ -35,6 +35,12 @@ int main(int argc, char **argv) {
 int workers_len;
 int num_cores;
 
+#ifdef HAVE_PLEDGE
+if (pledge("stdio rpath proc exec", NULL) < 0) {
+die("pledge: %s", strerror(errno));
+}
+#endif
+
 set_log_level(LOG_LEVEL_WARN);
 
 work_queue = NULL;
@@ -156,6 +162,12 @@ int main(int argc, char **argv) {
 log_debug("No CPU affinity support.");
 #endif
 }
+
+#ifdef HAVE_PLEDGE
+if (pledge("stdio rpath", NULL) < 0) {
+die("pledge: %s", strerror(errno));
+}
+#endif
 for (i = 0; paths[i] != NULL; i++) {
 log_debug("searching path %s for %s", paths[i], opts.query);
 symhash = NULL;
diff --git a/src/options.c b/src/options.c
index 6bc5b18..bcd452e 100644
--- a/src/options.c
+++ b/src/options.c
@@ -600,6 +600,12 @@ void parse_options(int argc, char **argv, char 
**base_paths[], char **paths[]) {
 }
 }
 
+#ifdef HAVE_PLEDGE
+if (opts.skip_vcs_ignores && pledge("stdio rpath proc", NULL) < 0) {
+die("pledge: %s", strerror(errno));
+}
+#endif
+
 if (help) {
 usage();
 exit(0);
@@ -659,6 +665,12 @@ void parse_options(int argc, char **argv, char 
**base_paths[], char **paths[]) {
 }
 }
 
+#ifdef HAVE_PLEDGE
+if (pledge("stdio rpath proc", NULL) < -1) {
+die("pledge: %s", strerror(errno));
+}
+#endif
+
 if (opts.context > 0) {
 opts.before = opts.context;
 opts.after = opts.context;

CVS: cvs.openbsd.org: ports

[Stuart Henderson]

CVSROOT:/cvs
Module name:ports
Changes by: st...@cvs.openbsd.org   2016/02/03 17:20:09

Modified files:
net/dnscrypt-proxy: Makefile distinfo 
net/dnscrypt-proxy/pkg: PLIST-main 
Removed files:
net/dnscrypt-proxy/patches: 
patch-src_libevent-modified_evutil_rand_c 

Log message:
Update to dnscrypt-proxy 1.6.1

- Security: malformed packets could cause the OpenDNS deviceid,
OpenDNS set-client-ip, blocking and  blocking plugins to use
uninitialized pointers, leading to a denial of service or possibly
code execution. The vulnerable code is present since dnscrypt-proxy
1.1.0. OpenDNS users and people using dnscrypt-proxy in order to block
domain names and IP addresses should upgrade as soon as possible.

CVS: cvs.openbsd.org: ports

[Antoine Jacoutot]

CVSROOT:/cvs
Module name:ports
Changes by: ajacou...@cvs.openbsd.org   2016/02/03 23:54:48

Modified files:
sysutils/google-cloud-sdk: Makefile distinfo 
sysutils/google-cloud-sdk/pkg: PLIST 

Log message:
Update to google-cloud-sdk-95.0.0.
- add support for subnets

CVS: cvs.openbsd.org: ports

[Antoine Jacoutot]

CVSROOT:/cvs
Module name:ports
Changes by: ajacou...@cvs.openbsd.org   2016/02/03 23:55:18

Modified files:
security/gnutls: Makefile distinfo 

Log message:
Bugfix update to gnutls-3.3.21.

CVS: cvs.openbsd.org: ports

[Antoine Jacoutot]

CVSROOT:/cvs
Module name:ports
Changes by: ajacou...@cvs.openbsd.org   2016/02/03 23:55:48

Modified files:
print/cups-pk-helper: Makefile distinfo 
print/cups-pk-helper/pkg: PLIST 

Log message:
Update to cups-pk-helper-0.2.6.

lang/gcc on macppc

[Michael McConville]

I'm getting the below error when building the GCC port on a Power Mac G5
running the most recent snapshot. It fails reliably when I retry the
build, so it doesn't seem like an Act of God(TM) caused by a kernel or
hardware bug.

The build is successful with Ada disabled.

Is this a known issue? Let me know if a full build log would be useful.


true DO=all multi-do # gmake
gmake[4]: Leaving directory '/home/build/build-powerpc/libbacktrace'
gmake[3]: Leaving directory '/home/build/build-powerpc/libbacktrace'
gmake[3]: Entering directory '/home/build/build-powerpc/libcpp'
test -f config.h || (rm -f stamp-h1 && gmake stamp-h1)
gmake[3]: Leaving directory '/home/build/build-powerpc/libcpp'
gmake[3]: Entering directory '/home/build/build-powerpc/libdecnumber'
gmake[3]: Nothing to be done for 'all'.
gmake[3]: Leaving directory '/home/build/build-powerpc/libdecnumber'
gmake[3]: Entering directory '/home/build/build-powerpc/gcc'
/home/build/build-powerpc/./prev-gcc/gnatbind -nostdinc -I- -I. -Iada 
-I/home/build/gcc-4.9.3/gcc/ada -I/home/build/gcc-4.9.3/gcc/ada/gcc-interface 
-o b_gnat1.adb -n ada/gnat1drv.ali

raised CONSTRAINT_ERROR : SIGBUS
/home/build/gcc-4.9.3/gcc/ada/gcc-interface/Make-lang.in:932: recipe for target 
'ada/b_gnat1.adb' failed
gmake[3]: *** [ada/b_gnat1.adb] Error 1
gmake[3]: Leaving directory '/home/build/build-powerpc/gcc'
Makefile:4256: recipe for target 'all-stage2-gcc' failed
gmake[2]: *** [all-stage2-gcc] Error 2
gmake[2]: Leaving directory '/home/build/build-powerpc'
Makefile:18532: recipe for target 'stage2-bubble' failed
gmake[1]: *** [stage2-bubble] Error 2
gmake[1]: Leaving directory '/home/build/build-powerpc'
Makefile:18551: recipe for target 'bootstrap2' failed
gmake: *** [bootstrap2] Error 2

Re: Firefox 44 font change

[Landry Breuil]

On Wed, Feb 03, 2016 at 10:56:48PM +0100, Christian Weisgerber wrote:
> Firefox 44 appears to have snuck in a change in font handling:
> 
> Bitmap fonts are no longer used.  At least that's what I see with
> only the default fonts installed (xenocara defaults plus ghostscript
> since that gets pulled in as a dependency).
> 
> This has two effects I noticed:
> 
> (1) For Latin script which is otherwise rendered with DejaVu,
> some butt-ugly bitmap font (Lucida, I think) would occasionally
> sneak through on some sites.  This no longer happens.
> 
> (2) The default CJK fonts are no longer displayed, easily verifiable
> under {ja,ko,zh}.wikipedia.org.  I now only get squares with
> Unicode numbers.
> 
> Now, I'm not saying this is necessarily a bad thing.  I doubt anybody
> will complain about (1).  People who actually read CJK text and are
> potentially affected by (2) probably have better fonts installed
> anyway since those shipped with xenocara are really poor.
> 
> Landry tells me he can't reproduce this, which is even weirder.

And ja.wikipedia.org also displays fine on 45.0b2 w/ gtk3, as it does
with esr 38.5.2 using an empty profile.

Landry

Re: Adding pledge() to www/lynx

[Landry Breuil]

On Wed, Feb 03, 2016 at 08:24:57PM +0100, Frederic Cambus wrote:
> On Fri, Jan 29, 2016 at 04:37:13AM +0100, Theo Buehler wrote:
> 
> > > > is it possible to get rid of proc exec? I didn't add them on my end...
> > 
> > there are shell escapes, so they are probably needed.  I don't really
> > use lynx myself, but it seems to me that it's worth investigating
> > tighter pledges conditionally on various "lynx -restriction=..."
> > options (hopefully those can't be changed at runtime).
> > 
> > > Also should it call "err" or "exit_immediately" on failure?
> > 
> > I agree that the latter looks like the right way to go.
> 
> Here is a new diff for testing, with more restrictive promises.
> 
> It builds on patches and suggestions provided off-list by tb@ and
> daniel@. Thanks guys for all the feedback and ideas.
> 
> The idea is to avoid using otherwise required 'getpw', 'proc', 'exec'
> promises entirely. We achieve this by disabling a couple of features,
> mostly removing obsolete stuff. While we are at it, we attempt to pave
> the way to be able to remove even more promises in the future, and
> reduce potential attack vectors.
> 
> We disable them either at compile time :
> 
> --disable-bibp-urls
> --disable-dired
> --disable-finger

That looks like a wise move to me :)
If you can just add comments to patches explaining why you do the
getenv(HOME) dance to avoid getpw in pledge for the next guy that
stumbles upon it..

Landry

CVS: cvs.openbsd.org: ports

[Benoit Lecocq]

CVSROOT:/cvs
Module name:ports
Changes by: ben...@cvs.openbsd.org  2016/02/04 00:55:40

Modified files:
textproc/p5-XML-XPath: Makefile distinfo 

Log message:
Update to p5-XML-XPath-1.29.

Re: textproc/zathura: missing RUN_DEPENDS

[Landry Breuil]

On Thu, Feb 04, 2016 at 03:05:24AM +0100, Juan Francisco Cantero Hurtado wrote:
> When I install a zathura plugin because I only want a viewer for that
> format, pkg_add will not install also the main package. Without the
> core package, the plugin is useless.
> 
> While here, change the COMMENT.
> 
> The patch is very simple. OK?

I *think* there was a reason for this...dunno if this was circular
dependencies at build time or something like this.
Maybe look into the ports@ archives for justifications ?

Landry

Re: lang/gcc on macppc

[Landry Breuil]

On Thu, Feb 04, 2016 at 12:29:05AM -0500, Michael McConville wrote:
> I'm getting the below error when building the GCC port on a Power Mac G5
> running the most recent snapshot. It fails reliably when I retry the
> build, so it doesn't seem like an Act of God(TM) caused by a kernel or
> hardware bug.

Macppc reliably failing to build stuff is a normal behaviour :)
I get random toolchain failures all the time on macppc*.ports

Landry

Re: [UPDATE] archivers/p7zip

[Theo Buehler]

On Wed, Feb 03, 2016 at 06:43:41AM -0500, Josh Grosse wrote:
> In testing on amd64, I do get different results.  The list command
> does not prompt for a password.

Same here.  This is very odd behavior.  I would not expect a "password
protected" archive to reveal information about its content.

I'm not sure if a maintainer ok is enough for me to commit it, so I
leave it at an

ok tb@

Re: [UPDATE] archivers/p7zip

[Andre S]

On 02/03/16 14:43, Josh Grosse wrote:

On Wed, Feb 03, 2016 at 09:42:55AM +0300, Andre S wrote:

p7zip-15.09p3

Core dumped when used "l" command to list contents of password protected
archive.

Core dumped when used "t" command to test integrity of password protected
archive.

$ 7z a -p test.7z test.txt
Success.

$ 7z l test.7z
Enter password (will not be echoed):Abort trap (core dumped)

$ 7z t test.7z
Enter password (will not be echoed):Abort trap (core dumped)


Ouch. Thanks for the report. And for the fix, which broadens
the applicable secondary pledges to include tty.

In testing on amd64, I do get different results.  The list command
does not prompt for a password.

However the pledge() for list is also the pledge for stdout extractions, so
your recommendation to expand that pledge is fine.  If you would be kind
enough to post your architecture, that may be helpful in trying to recreate
the same results which occurred for you.


My architecture is amd64.

Sorry. I sent incomplete example.
I forgot to specify option -mhe=on (enables archive header encryption)

Correct example:

$ 7z a -p -mhe=on test.7z test.txt
Success.

$ 7z l test.7z
Enter password (will not be echoed):Abort trap (core dumped)

$ 7z t test.7z
Enter password (will not be echoed):Abort trap (core dumped)



I was unable to apply your patch directly due to white space
alignment. I applied your recommendations and have posted the
equivalent patch below, using mutt, which is less likely to chew
on unified diffs than some other Email applications.


Thanks. Thunderbird wrap long lines.

CVS: cvs.openbsd.org: ports

[Giovanni Bechis]

CVSROOT:/cvs
Module name:ports
Changes by: giova...@cvs.openbsd.org2016/02/03 11:58:24

Modified files:
www/phpmyadmin : Makefile distinfo 

Log message:
Security update to 4.4.15.4
Fixes:
PMSA-2016-[1-7], PMSA-2016-8 and PMSA-2016-9 do not affect us

CVS: cvs.openbsd.org: ports

[Giovanni Bechis]

CVSROOT:/cvs
Module name:ports
Changes by: giova...@cvs.openbsd.org2016/02/03 11:49:10

Modified files:
www/piwik  : Makefile distinfo 
www/piwik/pkg  : PLIST 

Log message:
Security update to 2.15.0

Re: [UPDATE] archivers/p7zip

[Dmitrij D. Czarkoff]

Theo Buehler said:
> I'm not sure if a maintainer ok is enough for me to commit it, so I
> leave it at an

According to my findings, p7zip uses getpass(3), which reads directly
from tty, so "tty" promise makes sense in contexts where password is
needed.

OK czarkoff@

-- 
Dmitrij D. Czarkoff