YouCompleteMe needs the packages to be available in ycmd's third_party
directory, and things start getting pretty complicated when we try to
use our package libs instead of the vendored ones. We can revisit this
at a later time, but we'll need to ensure that we don't break the vim
plugin.
Tested in vim.
This allows the library to interact gracefully with additional certificates
users might have configured in /etc/ssl/certs/ca-certificates.crt via NixOS.
From the Red Hat advisory:
* A vulnerability was discovered in spice in the server's protocol
handling. An authenticated attacker could send crafted messages to
the spice server causing a heap overflow leading to a crash or
possible code execution. (CVE-2016-9577)
* A vulnerability was discovered in spice in the server's protocol
handling. An attacker able to connect to the spice server could send
crafted messages which would cause the process to crash.
(CVE-2016-9578)
gst-plugins-bad:
From the Arch Linux advisory:
- CVE-2017-5843 (arbitrary code execution): A double-free issue has
been found in gstreamer before 1.10.3, in
gst_mxf_demux_update_essence_tracks.
- CVE-2017-5848 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in gst_ps_demux_parse_psm.
More: https://lwn.net/Vulnerabilities/713772/
gst-plugins-base:
From the Arch Linux advisory:
- CVE-2017-5837 (denial of service): A floating point exception issue
has been found in gstreamer before 1.10.3, in
gst_riff_create_audio_caps.
- CVE-2017-5839 (denial of service): An endless recursion issue
leading to stack overflow has been found in gstreamer before 1.10.3,
in gst_riff_create_audio_caps.
- CVE-2017-5842 (arbitrary code execution): An off-by-one write has
been found in gstreamer before 1.10.3, in
html_context_handle_element.
- CVE-2017-5844 (denial of service): A floating point exception issue
has been found in gstreamer before 1.10.3, in
gst_riff_create_audio_caps.
More: https://lwn.net/Vulnerabilities/713773/
gst-plugins-good:
From the Arch Linux advisory:
- CVE-2016-10198 (denial of service): An invalid memory read flaw has
been found in gstreamer before 1.10.3, in
gst_aac_parse_sink_setcaps.
- CVE-2016-10199 (denial of service): An out of bounds read has been
found in gstreamer before 1.10.3, in qtdemux_tag_add_str_full.
- CVE-2017-5840 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in qtdemux_parse_samples.
- CVE-2017-5841 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in gst_avi_demux_parse_ncdt.
- CVE-2017-5845 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in gst_avi_demux_parse_ncdt.
More: https://lwn.net/Vulnerabilities/713774/
gst-plugins-ugly:
From the Arch Linux advisory:
- CVE-2017-5846 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in
gst_asf_demux_process_ext_stream_props.
- CVE-2017-5847 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in
gst_asf_demux_process_ext_content_desc.
More: https://lwn.net/Vulnerabilities/713775/
gstreamer:
From the Arch Linux advisory:
An out of bounds read has been found in gstreamer before 1.10.3, in
gst_date_time_new_from_iso8601_string.
More: https://lwn.net/Vulnerabilities/713776/
-split-sections replaced -split-objs with following upsides:
1) -split-objs adds considerable overhead to compile time
2) combined with stripping, it causes issues when cross-compiling
For upstream see https://ghc.haskell.org/trac/ghc/ticket/8405
This is supported only for Linux/Windows using ld linker.
GHC master also turns on -split-sections by default.
Example using stack:
Without splitting
$ du /nix/store/5paayhibayr73zqfaj458g4k4mv108jn-stack-1.3.2
4 /nix/store/5paayhibayr73zqfaj458g4k4mv108jn-stack-1.3.2/share/bash-completion/completions
4 /nix/store/5paayhibayr73zqfaj458g4k4mv108jn-stack-1.3.2/share/bash-completion
4 /nix/store/5paayhibayr73zqfaj458g4k4mv108jn-stack-1.3.2/share
23416 /nix/store/5paayhibayr73zqfaj458g4k4mv108jn-stack-1.3.2/bin
23420 /nix/store/5paayhibayr73zqfaj458g4k4mv108jn-stack-1.3.2
With -split-objs
$ du /nix/store/fypymm529adpx71gdzm0851xz42wdbz0-stack-1.3.2
20632 /nix/store/fypymm529adpx71gdzm0851xz42wdbz0-stack-1.3.2/bin
4 /nix/store/fypymm529adpx71gdzm0851xz42wdbz0-stack-1.3.2/share/bash-completion/completions
4 /nix/store/fypymm529adpx71gdzm0851xz42wdbz0-stack-1.3.2/share/bash-completion
4 /nix/store/fypymm529adpx71gdzm0851xz42wdbz0-stack-1.3.2/share
20636 /nix/store/fypymm529adpx71gdzm0851xz42wdbz0-stack-1.3.2
With -split-sections
$ du /nix/store/40l6krinx1zx41lr87c4m12hxj4ldf3x-stack-1.3.2
4 /nix/store/40l6krinx1zx41lr87c4m12hxj4ldf3x-stack-1.3.2/share/bash-completion/completions
4 /nix/store/40l6krinx1zx41lr87c4m12hxj4ldf3x-stack-1.3.2/share/bash-completion
4 /nix/store/40l6krinx1zx41lr87c4m12hxj4ldf3x-stack-1.3.2/share
20672 /nix/store/40l6krinx1zx41lr87c4m12hxj4ldf3x-stack-1.3.2/bin
20676 /nix/store/40l6krinx1zx41lr87c4m12hxj4ldf3x-stack-1.3.2
Note: you currently need following overrides to build stack on 802:
vector-algorithms = dontCheck super.vector-algorithms;
path-io = doJailbreak super.path-io;
stack = doJailbreak super.stack;
Note: Should also work on GHC 8.0.1, but I'm being careful here.
We could backport later on.
Upstream bug: https://bugs.ghostscript.com/show_bug.cgi?id=697457
A new release containing this fix is expected in march; until then,
apply patch from upstream. Note that there have been essentially no
changes between 0.13 and this patch.
The most recent version on the sourceforge page is 0.11 which is quite
old; the official upstream site has 0.13; judging by the commit delta,
there've been quite a few bug fixes etc since 0.11.
