authorJohn Helmert III <jchelmert3@posteo.net>2020-10-04 18:38:32 +0200
committerDavid Seifert <soap@gentoo.org>2020-10-04 18:38:32 +0200
commit2e42197fcabcd1372267affa74297e1e9c19c092 (patch)
treeeaafde16008d99a1aafbc01610ecce5ce6fba8ed /sci-mathematics/pspp/files
parentdev-db/influxdb: 1.8.3 bump (diff)
sci-mathematics/pspp: Add security patches
This fixes several QA issues, adds a missing dependency, fixes compiling with GCC 10, fixes tests, and adds patches for security. Bug: https://bugs.gentoo.org/679392 Closes: https://bugs.gentoo.org/674362 Closes: https://bugs.gentoo.org/677282 Closes: https://bugs.gentoo.org/682342 Closes: https://bugs.gentoo.org/708548 Package-Manager: Portage-3.0.0, Repoman-2.3.23 Signed-off-by: John Helmert III <jchelmert3@posteo.net> Closes: https://github.com/gentoo/gentoo/pull/16785 Signed-off-by: David Seifert <soap@gentoo.org>
Diffstat (limited to 'sci-mathematics/pspp/files')
-rw-r--r--sci-mathematics/pspp/files/pspp-1.2.0-CVE-2018-20230.patch134
-rw-r--r--sci-mathematics/pspp/files/pspp-1.2.0-CVE-2019-9211.patch74
-rw-r--r--sci-mathematics/pspp/files/pspp-1.2.0-fix-gcc10.patch30
-rw-r--r--sci-mathematics/pspp/files/pspp-1.2.0-fix-overflow.patch32
-rw-r--r--sci-mathematics/pspp/files/pspp-1.2.0-fix-segfaults.patch45
-rw-r--r--sci-mathematics/pspp/files/pspp-1.2.0-fix-tests.patch61
-rw-r--r--sci-mathematics/pspp/files/pspp-1.2.0-py3.patch38
7 files changed, 414 insertions, 0 deletions
diff --git a/sci-mathematics/pspp/files/pspp-1.2.0-CVE-2018-20230.patch b/sci-mathematics/pspp/files/pspp-1.2.0-CVE-2018-20230.patch
new file mode 100644
index 000000000000..f0fee070deb6
--- /dev/null
+++ b/sci-mathematics/pspp/files/pspp-1.2.0-CVE-2018-20230.patch
@@ -0,0 +1,134 @@
+Upstream: https://git.savannah.gnu.org/cgit/pspp.git/commit/?id=abd1f816ca3b4f382bddf4564ad092aa934f0ccc
+Bug: https://bugs.gentoo.org/679392
+
+From abd1f816ca3b4f382bddf4564ad092aa934f0ccc Mon Sep 17 00:00:00 2001
+From: Ben Pfaff <blp@cs.stanford.edu>
+Date: Tue, 1 Jan 2019 08:36:05 -0800
+Subject: pspp-dump-sav: Issue error message for too-large extension records.
+
+CVE-2018-20230.
+---
+ NEWS | 2 ++
+ utilities/pspp-dump-sav.c | 30 ++++++++++++++++++------------
+ 2 files changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 3263062ca..191a9804b 100644
+--- a/NEWS
++++ b/NEWS
+@@ -9,6 +9,8 @@ Changes since 1.2.0:
+ * Plain text output is no longer divided into pages, since it is now
+ rarely printed on paper.
+
++ * Bug fix for CVE-2018-20230.
++
+ Changes from 1.0.1 to 1.2.0:
+
+ * New experimental command SAVE DATA COLLECTION to save MDD files.
+diff --git a/utilities/pspp-dump-sav.c b/utilities/pspp-dump-sav.c
+index aeb648665..b0001ac61 100644
+--- a/utilities/pspp-dump-sav.c
++++ b/utilities/pspp-dump-sav.c
+@@ -37,6 +37,7 @@
+ #include "gl/progname.h"
+ #include "gl/version-etc.h"
+ #include "gl/xalloc.h"
++#include "gl/xsize.h"
+
+ #define ID_MAX_LEN 64
+
+@@ -99,7 +100,7 @@ static void read_simple_compressed_data (struct sfm_reader *, int max_cases);
+ static void read_zlib_compressed_data (struct sfm_reader *);
+
+ static struct text_record *open_text_record (
+- struct sfm_reader *, size_t size);
++ struct sfm_reader *, size_t size, size_t count);
+ static void close_text_record (struct text_record *);
+ static bool read_variable_to_value_pair (struct text_record *,
+ char **key, char **value);
+@@ -735,7 +736,7 @@ read_extra_product_info (struct sfm_reader *r,
+ const char *s;
+
+ printf ("%08llx: extra product info\n", (long long int) ftello (r->file));
+- text = open_text_record (r, size * count);
++ text = open_text_record (r, size, count);
+ s = text_get_all (text);
+ print_string (s, strlen (s));
+ close_text_record (text);
+@@ -749,7 +750,7 @@ read_mrsets (struct sfm_reader *r, size_t size, size_t count)
+
+ printf ("%08llx: multiple response sets\n",
+ (long long int) ftello (r->file));
+- text = open_text_record (r, size * count);
++ text = open_text_record (r, size, count);
+ for (;;)
+ {
+ const char *name;
+@@ -909,7 +910,7 @@ read_long_var_name_map (struct sfm_reader *r, size_t size, size_t count)
+
+ printf ("%08llx: long variable names (short => long)\n",
+ (long long int) ftello (r->file));
+- text = open_text_record (r, size * count);
++ text = open_text_record (r, size, count);
+ while (read_variable_to_value_pair (text, &var, &long_name))
+ printf ("\t%s => %s\n", var, long_name);
+ close_text_record (text);
+@@ -926,7 +927,7 @@ read_long_string_map (struct sfm_reader *r, size_t size, size_t count)
+
+ printf ("%08llx: very long strings (variable => length)\n",
+ (long long int) ftello (r->file));
+- text = open_text_record (r, size * count);
++ text = open_text_record (r, size, count);
+ while (read_variable_to_value_pair (text, &var, &length_s))
+ printf ("\t%s => %d\n", var, atoi (length_s));
+ close_text_record (text);
+@@ -1004,7 +1005,7 @@ read_datafile_attributes (struct sfm_reader *r, size_t size, size_t count)
+ struct text_record *text;
+
+ printf ("%08llx: datafile attributes\n", (long long int) ftello (r->file));
+- text = open_text_record (r, size * count);
++ text = open_text_record (r, size, count);
+ read_attributes (r, text, "datafile");
+ close_text_record (text);
+ }
+@@ -1196,7 +1197,7 @@ read_variable_attributes (struct sfm_reader *r, size_t size, size_t count)
+ struct text_record *text;
+
+ printf ("%08llx: variable attributes\n", (long long int) ftello (r->file));
+- text = open_text_record (r, size * count);
++ text = open_text_record (r, size, count);
+ for (;;)
+ {
+ const char *variable = text_tokenize (text, ':');
+@@ -1389,18 +1390,23 @@ struct text_record
+ size_t pos; /* Current position in buffer. */
+ };
+
+-/* Reads SIZE bytes into a text record for R,
++/* Reads SIZE * COUNT bytes into a text record for R,
+ and returns the new text record. */
+ static struct text_record *
+-open_text_record (struct sfm_reader *r, size_t size)
++open_text_record (struct sfm_reader *r, size_t size, size_t count)
+ {
+ struct text_record *text = xmalloc (sizeof *text);
+- char *buffer = xmalloc (size + 1);
+- read_bytes (r, buffer, size);
++
++ if (size_overflow_p (xsum (1, xtimes (size, count))))
++ sys_error (r, "Extension record too large.");
++
++ size_t n_bytes = size * count;
++ char *buffer = xmalloc (n_bytes + 1);
++ read_bytes (r, buffer, n_bytes);
+ buffer[size] = '\0';
+ text->reader = r;
+ text->buffer = buffer;
+- text->size = size;
++ text->size = n_bytes;
+ text->pos = 0;
+ return text;
+ }
+--
+cgit v1.2.1
+
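Review bot: In the new `open_text_record`, the terminator is still written with `buffer[size] = '\0';` although the buffer is now allocated as `n_bytes + 1` bytes with `n_bytes = size * count`. When `count` is 0 and `size` is non-zero that index lies past the one-byte allocation, and when `count` is greater than 1 the byte at `buffer[n_bytes]` is never set. The same commit carries the correction (`buffer[n_bytes] = '\0';`) in pspp-1.2.0-fix-overflow.patch, so this patch is only safe when that one is applied after it; a header line such as `Follow-up: pspp-1.2.0-fix-overflow.patch (must be applied after this patch)` would record the dependency. The overflow check also appears to rely on `sys_error` not returning, which cannot be confirmed from the lines shown here.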
diff --git a/sci-mathematics/pspp/files/pspp-1.2.0-CVE-2019-9211.patch b/sci-mathematics/pspp/files/pspp-1.2.0-CVE-2019-9211.patch
new file mode 100644
index 000000000000..eb0b84414e88
--- /dev/null
+++ b/sci-mathematics/pspp/files/pspp-1.2.0-CVE-2019-9211.patch
@@ -0,0 +1,74 @@
+Source: https://git.savannah.gnu.org/cgit/pspp.git/commit/?id=0b842a84353790534a401e09a8d3bdd3d25bc3a6
+Bug: https://bugs.gentoo.org/679392
+
+From 0b842a84353790534a401e09a8d3bdd3d25bc3a6 Mon Sep 17 00:00:00 2001
+From: Ben Pfaff <blp@cs.stanford.edu>
+Date: Wed, 27 Feb 2019 20:11:06 -0800
+Subject: sys-file-writer: Remove assertions based on file position.
+
+These assertions can fail if the underlying file is not a regular file,
+e.g. if it is a device such as /dev/null.
+
+CVE-2019-9211.
+See also https://bugzilla.redhat.com/show_bug.cgi?id=1683499.
+See also https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9211.
+See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923417.
+---
+ src/data/sys-file-writer.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/src/data/sys-file-writer.c b/src/data/sys-file-writer.c
+index df5108e2a..bbe58aecd 100644
+--- a/src/data/sys-file-writer.c
++++ b/src/data/sys-file-writer.c
+@@ -953,7 +953,6 @@ write_long_string_value_labels (struct sfm_writer *w,
+ const char *encoding = dict_get_encoding (dict);
+ size_t n_vars = dict_get_var_cnt (dict);
+ size_t size, i;
+- off_t start UNUSED;
+
+ /* Figure out the size in advance. */
+ size = 0;
+@@ -985,7 +984,6 @@ write_long_string_value_labels (struct sfm_writer *w,
+ write_int (w, 1); /* Data item (byte) size. */
+ write_int (w, size); /* Number of data items. */
+
+- start = ftello (w->file);
+ for (i = 0; i < n_vars; i++)
+ {
+ struct variable *var = dict_get_var (dict, i);
+@@ -1022,7 +1020,6 @@ write_long_string_value_labels (struct sfm_writer *w,
+ free (label);
+ }
+ }
+- assert (ftello (w->file) == start + size);
+ }
+
+ static void
+@@ -1032,7 +1029,6 @@ write_long_string_missing_values (struct sfm_writer *w,
+ const char *encoding = dict_get_encoding (dict);
+ size_t n_vars = dict_get_var_cnt (dict);
+ size_t size, i;
+- off_t start UNUSED;
+
+ /* Figure out the size in advance. */
+ size = 0;
+@@ -1058,7 +1054,6 @@ write_long_string_missing_values (struct sfm_writer *w,
+ write_int (w, 1); /* Data item (byte) size. */
+ write_int (w, size); /* Number of data items. */
+
+- start = ftello (w->file);
+ for (i = 0; i < n_vars; i++)
+ {
+ struct variable *var = dict_get_var (dict, i);
+@@ -1087,7 +1082,6 @@ write_long_string_missing_values (struct sfm_writer *w,
+ write_bytes (w, value_str (value, width), 8);
+ }
+ }
+- assert (ftello (w->file) == start + size);
+ }
+
+ static void
+--
+cgit v1.2.1
+
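Review bot: The first header line of this patch is tagged `Source:` while the other six patches added by this commit use `Upstream:` for the same kind of link; `Upstream: https://git.savannah.gnu.org/cgit/pspp.git/commit/?id=0b842a84353790534a401e09a8d3bdd3d25bc3a6` would keep the set uniform for anyone grepping the files directory. Separately, with both `assert (ftello (w->file) == start + size);` lines gone, nothing in the visible hunks still checks that the bytes written match the count emitted by `write_int (w, size)`. The function bodies extend beyond the hunks, so that is worth confirming against the full file rather than assuming.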
diff --git a/sci-mathematics/pspp/files/pspp-1.2.0-fix-gcc10.patch b/sci-mathematics/pspp/files/pspp-1.2.0-fix-gcc10.patch
new file mode 100644
index 000000000000..d228ccc42596
--- /dev/null
+++ b/sci-mathematics/pspp/files/pspp-1.2.0-fix-gcc10.patch
@@ -0,0 +1,30 @@
+Upstream: https://git.savannah.gnu.org/cgit/pspp.git/commit/?id=614bbfbc4be1f4f47d55d3fbee9ae20f3a9955bb
+Gentoo Bug: https://bugs.gentoo.org/708548
+
+commit 614bbfbc4be1f4f47d55d3fbee9ae20f3a9955bb
+Author: Ben Pfaff <blp@cs.stanford.edu>
+Date: Fri Nov 16 20:27:30 2018 -0800
+
+ psppire: Fix multiple definitions of align_enum_type and two others.
+
+ These were defined in both psppire-dict.c and widgets.c, which causes a
+ problem building with -fno-common (which is desirable because it allows
+ Address Sanitizer to work better).
+
+diff --git a/src/ui/gui/widgets.c b/src/ui/gui/widgets.c
+index 26a5dac4f..6ce129249 100644
+--- a/src/ui/gui/widgets.c
++++ b/src/ui/gui/widgets.c
+@@ -171,9 +171,9 @@ enum_to_string (const GValue *src, GValue *dest)
+
+
+
+-GType align_enum_type;
+-GType measure_enum_type;
+-GType role_enum_type;
++extern GType align_enum_type;
++extern GType measure_enum_type;
++extern GType role_enum_type;
+
+
+ extern const GEnumValue align[];
diff --git a/sci-mathematics/pspp/files/pspp-1.2.0-fix-overflow.patch b/sci-mathematics/pspp/files/pspp-1.2.0-fix-overflow.patch
new file mode 100644
index 000000000000..8c31c5f87020
--- /dev/null
+++ b/sci-mathematics/pspp/files/pspp-1.2.0-fix-overflow.patch
@@ -0,0 +1,32 @@
+Upstream: https://git.savannah.gnu.org/cgit/pspp.git/commit/?id=be42ce976006feed2a7ba7599ee417c28887af52
+
+From be42ce976006feed2a7ba7599ee417c28887af52 Mon Sep 17 00:00:00 2001
+From: Ben Pfaff <blp@cs.stanford.edu>
+Date: Fri, 22 Feb 2019 17:16:40 -0800
+Subject: pspp-dump-sav; Fix write past end of buffer in corner case.
+
+If count == 0 and size > 0, then n_bytes is 0, buffer is a 1-byte
+allocation, and the assignment to buffer[size] would write to buffer[1]
+(or past it), which is past the end of the allocation.
+
+Found by Address Sanitizer.
+---
+ utilities/pspp-dump-sav.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utilities/pspp-dump-sav.c b/utilities/pspp-dump-sav.c
+index 1d8d78c87..70687ebc8 100644
+--- a/utilities/pspp-dump-sav.c
++++ b/utilities/pspp-dump-sav.c
+@@ -1403,7 +1403,7 @@ open_text_record (struct sfm_reader *r, size_t size, size_t count)
+ size_t n_bytes = size * count;
+ char *buffer = xmalloc (n_bytes + 1);
+ read_bytes (r, buffer, n_bytes);
+- buffer[size] = '\0';
++ buffer[n_bytes] = '\0';
+ text->reader = r;
+ text->buffer = buffer;
+ text->size = n_bytes;
+--
+cgit v1.2.1
+
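Review bot: This patch header has an `Upstream:` link but no `Bug:` line, although the change corrects a write past the end of a heap buffer in the code that pspp-1.2.0-CVE-2018-20230.patch introduces; pspp-1.2.0-fix-segfaults.patch has the same gap. If these are tracked under the security bug named in the two CVE patches, adding the matching line (`Bug: <tracking-bug-url>`) makes that traceable from the file itself. The context lines here (`size_t n_bytes = size * count;`) exist only after the CVE-2018-20230 patch, so the two must be applied in that order.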
diff --git a/sci-mathematics/pspp/files/pspp-1.2.0-fix-segfaults.patch b/sci-mathematics/pspp/files/pspp-1.2.0-fix-segfaults.patch
new file mode 100644
index 000000000000..03b9d00fe73a
--- /dev/null
+++ b/sci-mathematics/pspp/files/pspp-1.2.0-fix-segfaults.patch
@@ -0,0 +1,45 @@
+Upstream: https://git.savannah.gnu.org/cgit/pspp.git/commit/?id=df8cf077b2aacb7fe7b33dd8cb90ba57c8681aa0
+
+From df8cf077b2aacb7fe7b33dd8cb90ba57c8681aa0 Mon Sep 17 00:00:00 2001
+From: John Darrington <john@darrington.wattle.id.au>
+Date: Sat, 2 Mar 2019 15:29:39 +0100
+Subject: PSPPIRE: Avoid some segmentation faults when corrupt data is
+ encountered.
+
+---
+ src/ui/gui/psppire-data-store.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/ui/gui/psppire-data-store.c b/src/ui/gui/psppire-data-store.c
+index f97b8eaf1..3c2765f5d 100644
+--- a/src/ui/gui/psppire-data-store.c
++++ b/src/ui/gui/psppire-data-store.c
+@@ -183,6 +183,8 @@ psppire_data_store_value_to_string (gpointer unused, PsppireDataStore *store, gi
+ g_return_val_if_fail (variable, g_strdup ("???"));
+
+ GVariant *vrnt = g_value_get_variant (v);
++ g_return_val_if_fail (vrnt, g_strdup ("???"));
++
+ union value val;
+ value_variant_get (&val, vrnt);
+
+@@ -231,12 +233,14 @@ __get_value (GtkTreeModel *tree_model,
+ if (NULL == variable)
+ return;
+
+- g_value_init (value, G_TYPE_VARIANT);
+-
+ gint row = GPOINTER_TO_INT (iter->user_data);
+
+ struct ccase *cc = datasheet_get_row (store->datasheet, row);
+
++ g_return_if_fail (cc);
++
++ g_value_init (value, G_TYPE_VARIANT);
++
+ const union value *val = case_data_idx (cc, var_get_case_index (variable));
+
+ GVariant *vv = value_variant_new (val, var_get_width (variable));
+--
+cgit v1.2.1
+
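Review bot: Both new guards, `g_return_val_if_fail (vrnt, g_strdup ("???"));` and `g_return_if_fail (cc);`, use GLib precondition macros for a condition that the commit subject says comes from corrupt data. Those macros are meant for programmer errors: they log a critical warning and are compiled out when GLib is built with `G_DISABLE_CHECKS`, which would bring the NULL dereference back. A plain test in the style of the existing `if (NULL == variable) return;` would hold in every build, e.g. `if (cc == NULL) return;` and `if (vrnt == NULL) return g_strdup ("???");`. Both function bodies continue outside the hunks, so whether callers of `__get_value` tolerate an uninitialised `value` on the early return cannot be judged from here.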
diff --git a/sci-mathematics/pspp/files/pspp-1.2.0-fix-tests.patch b/sci-mathematics/pspp/files/pspp-1.2.0-fix-tests.patch
new file mode 100644
index 000000000000..1b92572cc820
--- /dev/null
+++ b/sci-mathematics/pspp/files/pspp-1.2.0-fix-tests.patch
@@ -0,0 +1,61 @@
+Upstream: https://git.savannah.gnu.org/cgit/pspp.git/commit/?id=fe94912b9c8682c4666873b84c83cda88f4c135d
+
+commit fe94912b9c8682c4666873b84c83cda88f4c135d
+Author: Ben Pfaff <blp@cs.stanford.edu>
+Date: Mon Nov 26 06:54:52 2018 -0800
+
+ segment: Fix behavior when #! line is not new-line terminated.
+
+ The code here is supposed to maintain a invariant that, when it returns a
+ nonnegative value, it initializes *type, but it failed to do that when a
+ #! line did not end in a new-line. This fixes the problem.
+
+ Bug #55101.
+ Thanks for Friedrich Beckmann for narrowing down the problem.
+ Found by the Debian buildd: https://buildd.debian.org/status/fetch.php?pkg=pspp&arch=arm64&ver=1.2.0-1&stamp=1543183214&raw=0
+
+diff --git a/src/language/lexer/segment.c b/src/language/lexer/segment.c
+index c0a09973c..c607c4bd1 100644
+--- a/src/language/lexer/segment.c
++++ b/src/language/lexer/segment.c
+@@ -92,21 +92,26 @@ segmenter_parse_shbang__ (struct segmenter *s, const char *input, size_t n,
+ {
+ if (input[1] == '!')
+ {
+- int ofs;
+-
+- for (ofs = 2; ofs < n; ofs++)
+- if (input[ofs] == '\n')
+- {
+- if (input[ofs] == '\n' && input[ofs - 1] == '\r')
+- ofs--;
+-
+- s->state = S_GENERAL;
+- s->substate = SS_START_OF_COMMAND;
+- *type = SEG_SHBANG;
+- return ofs;
+- }
++ for (int ofs = 2; ; ofs++)
++ {
++ if (ofs >= n)
++ {
++ if (!eof)
++ return -1;
++ }
++ else if (input[ofs] == '\n')
++ {
++ if (input[ofs - 1] == '\r')
++ ofs--;
++ }
++ else
++ continue;
+
+- return eof ? ofs : -1;
++ s->state = S_GENERAL;
++ s->substate = SS_START_OF_COMMAND;
++ *type = SEG_SHBANG;
++ return ofs;
++ }
+ }
+ }
+ else if (!eof)
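Review bot: The rewritten loop in `segmenter_parse_shbang__` reaches the shared tail (`s->state = S_GENERAL;` through `return ofs;`) from two different branches and skips it with `continue` from a third, which is not obvious on first reading and has no comment. A short comment before `s->state = S_GENERAL;`, for example `/* End of input at EOF, or a new-line: the #! segment is complete. */`, would state the invariant the commit message describes, namely that `*type` is set on every nonnegative return. The loop also compares `int ofs` with `size_t n` in `ofs >= n`; that is carried over from the old code, but it presumably assumes `n` fits in an `int`, which is worth confirming at the caller. The function starts and ends outside the hunk.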
diff --git a/sci-mathematics/pspp/files/pspp-1.2.0-py3.patch b/sci-mathematics/pspp/files/pspp-1.2.0-py3.patch
new file mode 100644
index 000000000000..d2bf940eae64
--- /dev/null
+++ b/sci-mathematics/pspp/files/pspp-1.2.0-py3.patch
@@ -0,0 +1,38 @@
+Upstream: https://git.savannah.gnu.org/cgit/pspp.git/commit/?id=123c3f55a80630655e84f97c9df558d988fa0055
+
+commit 123c3f55a80630655e84f97c9df558d988fa0055
+Author: Ben Pfaff <blp@cs.stanford.edu>
+Date: Mon Nov 19 08:35:23 2018 -0800
+
+ test-date-input.py: Make compatible with Python 3.
+
+diff --git a/tests/data/test-date-input.py b/tests/data/test-date-input.py
+index 6ccc2f8f4..cdab260d6 100644
+--- a/tests/data/test-date-input.py
++++ b/tests/data/test-date-input.py
+@@ -50,8 +50,8 @@ def print_all_formats(date, template, formatted, exp_y, exp_m, exp_d,
+ global n
+ n += 1
+ year, month, day, julian, hour, minute, second = date
+- quarter = (month - 1) / 3 + 1
+- week = (julian - 1) / 7 + 1
++ quarter = (month - 1) // 3 + 1
++ week = (julian - 1) // 7 + 1
+ if year >= 1930 and year < 2030:
+ years = ('%d' % year, '%d' % (year % 100))
+ else:
+@@ -163,10 +163,10 @@ def print_all_formats(date, template, formatted, exp_y, exp_m, exp_d,
+ EPOCH = -577734 # 14 Oct 1582
+ expected = (EPOCH - 1
+ + 365 * (exp_y - 1)
+- + (exp_y - 1) / 4
+- - (exp_y - 1) / 100
+- + (exp_y - 1) / 400
+- + (367 * exp_m - 362) / 12
++ + (exp_y - 1) // 4
++ - (exp_y - 1) // 100
++ + (exp_y - 1) // 400
++ + (367 * exp_m - 362) // 12
+ + (0 if exp_m <= 2
+ else -1 if exp_m >= 2 and is_leap_year(exp_y)
+ else -2)