media-sound/lilypond: fixed cve-2020-17353

Bug: https://bugs.gentoo.org/736074
Package-Manager: Portage-3.0.1, Repoman-2.3.23
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

3 files changed, 232 insertions, 0 deletions

diff --git a/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch b/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch
new file mode 100644
index 000000000000..e91947eae056
--- /dev/null
+++ b/media-sound/lilypond/files/lilypond-fix-cve-2020-17353.patch
@@ -0,0 +1,101 @@
+From b84ea4740f3279516905c5db05f4074e777c16ff Mon Sep 17 00:00:00 2001
+From: Han-Wen Nienhuys <hanwenn@gmail.com>
+Date: Tue, 21 Jul 2020 14:45:08 +0200
+Subject: [PATCH] scm: disable embedded-ps and embedded-svg in -dsafe mode
+
+This prevents executing privileged PostScript and exploiting
+Ghostscript vulnerablilities
+
+Tested:
+ $ lilypond -dsafe input/regression/les-nereides.ly
+ (works, kinda)
+
+ $ cat f.ly
+ { c4_ \markup \postscript #" (x) show " }
+
+ $ lilypond -dsafe f
+ Preprocessing graphical objects.../home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3: In procedure ly_make_stencil in expression (ly:make-stencil (list # #) (quote #) ...):
+  /home/hanwen/vc/lilypond/out/share/lilypond/current/scm/define-markup-commands.scm:1145:3: Wrong type argument in position 1 (expecting registered stencil expression): (embedded-ps "
+---
+ scm/define-stencil-commands.scm | 65 ++++++++++++++++++++++-------------------
+ 1 file changed, 35 insertions(+), 30 deletions(-)
+
+diff --git a/scm/define-stencil-commands.scm b/scm/define-stencil-commands.scm
+index 09a2299..e388788 100644
+--- a/scm/define-stencil-commands.scm
++++ b/scm/define-stencil-commands.scm
+@@ -21,36 +21,41 @@
+ (define-public (ly:all-stencil-commands)
+   "Return the list of stencil commands that can be
+ defined in the output modules (@file{output-*.scm})."
+-  '(blank
+-    char
+-    circle
+-    dashed-line
+-    draw-line
+-    ellipse
+-    embedded-ps
+-    embedded-svg
+-    end-group-node
+-    glyph-string
+-    grob-cause
+-    named-glyph
+-    no-origin
+-    page-link
+-    path
+-    partial-ellipse
+-    placebox
+-    polygon
+-    resetcolor
+-    resetrotation
+-    resetscale
+-    round-filled-box
+-    setcolor
+-    setrotation
+-    setscale
+-    start-group-node
+-    text
+-    unknown
+-    url-link
+-    utf-8-string
++  (let*
++      ((commands '(blank
++                   char
++                   circle
++                   dashed-line
++                   draw-line
++                   ellipse
++                   end-group-node
++                   glyph-string
++                   grob-cause
++                   named-glyph
++                   no-origin
++                   page-link
++                   path
++                   partial-ellipse
++                   placebox
++                   polygon
++                   resetcolor
++                   resetrotation
++                   resetscale
++                   round-filled-box
++                   setcolor
++                   setrotation
++                   setscale
++                   start-group-node
++                   text
++                   unknown
++                   url-link
++                   utf-8-string
++                   )))
++
++    (if (ly:get-option 'safe)
++        commands
++        (append '(embedded-ps embedded-svg)
++                commands))
+     ))
+ 
+ ;; TODO:
+-- 
+1.9.1
+
diff --git a/media-sound/lilypond/lilypond-2.21.1-r1.ebuild b/media-sound/lilypond/lilypond-2.21.1-r1.ebuild
new file mode 100644
index 000000000000..1f1e8202a99c
--- /dev/null
+++ b/media-sound/lilypond/lilypond-2.21.1-r1.ebuild
@@ -0,0 +1,130 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+PYTHON_COMPAT=( python3_{6,7,8} )
+
+inherit elisp-common autotools python-single-r1 toolchain-funcs xdg-utils
+
+if [[ "${PV}" = "9999" ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://git.savannah.gnu.org/git/lilypond.git"
+else
+	MAIN_VER=$(ver_cut 1-2)
+	SRC_URI="http://lilypond.org/download/sources/v${MAIN_VER}/${P}.tar.gz"
+	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~x86"
+fi
+
+DESCRIPTION="GNU Music Typesetter"
+HOMEPAGE="http://lilypond.org/"
+
+LICENSE="GPL-3 FDL-1.3"
+SLOT="0"
+IUSE="debug emacs guile2 profile vim-syntax"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+BDEPEND="
+	>=dev-texlive/texlive-metapost-2020
+	>=sys-apps/texinfo-4.11
+	>=sys-devel/bison-2.0
+	sys-devel/flex
+	virtual/pkgconfig
+"
+RDEPEND=">=app-text/ghostscript-gpl-8.15
+	>=dev-scheme/guile-1.8.2:12=[deprecated,regex]
+	media-fonts/tex-gyre
+	media-libs/fontconfig
+	media-libs/freetype:2
+	>=x11-libs/pango-1.12.3
+	emacs? ( >=app-editors/emacs-23.1:* )
+	guile2? ( >=dev-scheme/guile-2.2:12 )
+	!guile2? (
+		>=dev-scheme/guile-1.8.2:12=[deprecated,regex]
+		<dev-scheme/guile-2.0:12
+	)
+	${PYTHON_DEPS}"
+DEPEND="${RDEPEND}
+	app-text/t1utils
+	dev-lang/perl
+	dev-libs/kpathsea
+	media-gfx/fontforge[png,python]
+	sys-devel/gettext"
+
+# Correct output data for tests isn't bundled with releases
+RESTRICT="test"
+
+PATCHES=(
+	"${FILESDIR}"/${P}-fix-font-size.patch
+	"${FILESDIR}"/${PN}-fix-cve-2020-17353.patch
+)
+
+DOCS=( DEDICATION HACKING README.txt ROADMAP )
+
+src_prepare() {
+	default
+
+	if ! use vim-syntax ; then
+		sed -i 's/vim//' GNUmakefile.in || die
+	fi
+
+	# respect CFLAGS
+	sed -i 's/OPTIMIZE -g/OPTIMIZE/' aclocal.m4 || die
+
+	# remove bundled texinfo file (fixes bug #448560)
+	rm tex/texinfo.tex || die
+
+	eautoreconf
+
+	xdg_environment_reset #586592
+}
+
+src_configure() {
+	# documentation generation currently not supported since it requires a newer
+	# version of texi2html than is currently in the tree
+
+	local myeconfargs=(
+		--with-texgyre-dir=/usr/share/fonts/tex-gyre
+		--disable-documentation
+		--disable-optimising
+		--disable-pipe
+		$(use_enable debug debugging)
+		$(use_enable profile profiling)
+	)
+	export VARTEXFONTS="${T}/fonts"  # https://bugs.gentoo.org/692010
+
+	econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+	default
+
+	if use emacs ; then
+		elisp-compile elisp/lilypond-{font-lock,indent,mode,what-beat}.el \
+			|| die "elisp-compile failed"
+	fi
+}
+
+src_install() {
+	emake DESTDIR="${D}" vimdir=/usr/share/vim/vimfiles install
+
+	# remove elisp files since they are in the wrong directory
+	rm -r "${ED}"/usr/share/emacs || die
+
+	if use emacs ; then
+		elisp-install ${PN} elisp/*.{el,elc} elisp/out/*.el \
+			|| die "elisp-install failed"
+		elisp-site-file-install "${FILESDIR}"/50${PN}-gentoo.el
+	fi
+
+	python_fix_shebang "${ED}"
+
+	einstalldocs
+}
+
+pkg_postinst() {
+	use emacs && elisp-site-regen
+}
+
+pkg_postrm() {
+	use emacs && elisp-site-regen
+}
diff --git a/media-sound/lilypond/lilypond-2.21.4.ebuild b/media-sound/lilypond/lilypond-2.21.4-r1.ebuild
index 3aa63a51f186..0196e4c7d4d9 100644
--- a/media-sound/lilypond/lilypond-2.21.4.ebuild
+++ b/media-sound/lilypond/lilypond-2.21.4-r1.ebuild
@@ -55,6 +55,7 @@ RESTRICT="test"
 
 PATCHES=(
 	"${FILESDIR}"/${PN}-2.21.1-fix-font-size.patch
+	"${FILESDIR}"/${PN}-fix-cve-2020-17353.patch
 )
 
 DOCS=( DEDICATION HACKING README.txt ROADMAP )