The vulnerability database is evolving with time. It can cause the lint
step to fail suddenly without any source code changes on our side.
Moreover, sometimes, there is nothing we can do to fix the issue nor to
silence that specific error.

    Found 1 known vulnerability.
    Vulnerability #1: GO-2022-1039
    Programs which compile regular expressions from untrusted
    sources may be vulnerable to memory exhaustion or denial of
    service. The parsed regexp representation is linear in the size
    of the input, but in some cases the constant factor can be as
    high as 40,000, making relatively small regexps consume much
    larger amounts of memory. After fix, each regexp being parsed is
    limited to a 256 MB memory footprint. Regular expressions whose
    representation would use more space than that are rejected.
    Normal use of regular expressions is unaffected.
    Call stacks in your code:
    config/config.go:1000:46:
    git.sr.ht/~rjarry/aerc/config.AercConfig.LoadBinds calls
    regexp.Compile, which eventually calls regexp/syntax.Parse
    Found in: regexp/syntax@go1.18.6
    Fixed in: regexp/syntax@go1.19.2
    More info: https://pkg.go.dev/vuln/GO-2022-1039

Move govulncheck into its own make target to be executed manually.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Tim Culverhouse <tim@timculverhouse.com>
Due to multiple levels of nested quoting, it is not possible to escape
spaces and/or quotes from GOFLAGS and pass the value to go build
-ldflags to set a compile time variable.
Encode main.Flags in base64 and decode it when reading it.
Fixes: d7e6dc3649 ("aerc: add build info to version string")
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Moritz Poldrack <moritz@poldrack.dev>
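Added example, not code from the aerc repository: one way to read back a base64-encoded main.Flags value as the commit above describes. The build line in the comment, the decodeFlags helper and the sample flag string are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Flags is meant to be set at link time. Hypothetical build line (an
// assumption, not the project's Makefile):
//
//	go build -ldflags "-X main.Flags=$(printf %s "$GOFLAGS" | base64 | tr -d '\n')"
//
// The base64 alphabet has no spaces or quotes, so the value survives the
// nested make/shell/linker quoting unchanged.
var Flags string

// decodeFlags returns the original GOFLAGS string. An empty value (nothing
// embedded) yields "", and malformed input yields a fixed marker so that
// version output and debug logs never print undecoded data.
func decodeFlags(encoded string) string {
	// base64(1) wraps long output, so drop any whitespace that leaked in.
	compact := strings.Join(strings.Fields(encoded), "")
	if compact == "" {
		return ""
	}
	raw, err := base64.StdEncoding.DecodeString(compact)
	if err != nil {
		return "(invalid build flags)"
	}
	return string(raw)
}

func main() {
	// Constructed sample: a GOFLAGS value containing both spaces and quotes.
	sample := base64.StdEncoding.EncodeToString(
		[]byte(`-tags=notmuch "-ldflags=-X main.x=a b"`))
	fmt.Printf("embedded: %s\ndecoded:  %s\n", sample, decodeFlags(sample))
}
```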
Example:

    $ aerc -v
    aerc 0.11.0 +notmuch (go1.18.4 amd64 linux)

Also include that version information in the debug and panic logs.
debug.ReadBuildInfo() is only available in go 1.18+. Add a new variable
set at build time to store $GOFLAGS.
Suggested-by: Tim Culverhouse <tim@timculverhouse.com>
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Moritz Poldrack <moritz@poldrack.dev>
go vet has been removed from the lint step as it is run by the new
linter.
Signed-off-by: Moritz Poldrack <moritz@poldrack.dev>
Acked-by: Robin Jarry <robin@jarry.cc>
Ensure abbreviated commit id of fixed length in computed version
regardless of user's configuration. Choose length 12 as safe value.
Link: https://github.com/git/git/commit/dce96489162b
Signed-off-by: Jose Lombera <jose@lombera.dev>
Acked-by: Moritz Poldrack <moritz@poldrack.dev>
Acked-by: Robin Jarry <robin@jarry.cc>
Run go vet only for now. More linters can be added later. Run linters in
the CI pipeline.
Signed-off-by: Moritz Poldrack <git@moritz.sh>
Acked-by: Robin Jarry <robin@jarry.cc>
Add a dev target which enables Go's race detector. This requires CGo to
be enabled and reduces performance significantly, but helps in finding
data races which can lead to hard to diagnose bugs.
Signed-off-by: Moritz Poldrack <git@moritz.sh>
Acked-by: Robin Jarry <robin@jarry.cc>
Replace the implicit shell-parsing with explicitly running the command.
This allows the built version to be reflected in the build log.
Signed-off-by: Moritz Poldrack <git@moritz.sh>
Acked-by: Robin Jarry <robin@jarry.cc>
Add the -trimpath flag to the default build command to remove the user's
path from stack traces.
Use a separate BUILD_OPTS make var to avoid it being accidentally
overridden on the command line.
Signed-off-by: Moritz Poldrack <git@moritz.sh>
Acked-by: Robin Jarry <robin@jarry.cc>
Implement a filter to read text/calendar (ics) data with awk.
Parses multiple events and shows the date recurrence if
available. Awk alternative to the python filter.
Signed-off-by: Koni Marti <koni.marti@gmail.com>
Acked-by: Robin Jarry <robin@jarry.cc>
Skip the tests if gpg is not installed.
Avoid interference with the global ~/.gnupg.
Automatically delete GNUPGHOME at the end of tests.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Tim Culverhouse <tim@timculverhouse.com>
If socksify (from dante) is not installed then the filter uses w3m
without it to render an html message part.
Signed-off-by: Jens Grassel <jens@wegtam.com>
Acked-by: Robin Jarry <robin@jarry.cc>
The LDFLAGS environment variable is usually intended for the C linker
flags which are not compatible with go -ldflags.
Use a more explicit GO_LDFLAGS variable instead. Allow adding extra
flags without overriding the default ones by specifying
GO_EXTRA_LDFLAGS.
This may break the build on some distros that rely on setting LDFLAGS to
change the default shareDir or version. They will have to switch to
GO_EXTRA_LDFLAGS.
Link: https://salsa.debian.org/go-team/packages/aerc/-/commit/e9ed90beae9f
Link: https://src.fedoraproject.org/rpms/aerc/blob/f36/f/aerc.spec#_86
Fixes: e7e22aba60 ("mk: rebuild if goflags or ldflags have changed")
Signed-off-by: Robin Jarry <robin@jarry.cc>
This is a python script for python 3 using the vobject library to show
details about an ics file (text/calendar attachment).
Signed-off-by: Jens Grassel <jens@wegtam.com>
Tested-by: Moritz Poldrack <moritz@poldrack.dev>
We should use the Makefile value of SHAREDIR when searching for config
files and templates etc.
This is important for systems which do not use the standard file
hierarchy or which do not have a consistent location for installing
program files, for example NixOS, which will have a different install
location with every update.
Signed-off-by: Daniel Patterson <me@danielpatterson.dev>
Acked-by: Robin Jarry <robin@jarry.cc>
When building with BSD make, running `make` after updating a source file
will not cause the binary to be rebuilt. After inspection, it appears
that the GOSRC variable only contains "go.mod go.sum". The aerc target
does not depend on .go source files.
The $(shell) construct is GNU make specific. BSD make has a special
assignment operator (!=) which evaluates a shell command. Since GNU make
4.0, the BSD != operator is supported for compatibility.
Use a syntax that is available in both make flavours.
Link: https://git.savannah.gnu.org/cgit/make.git/commit/?id=b34438bee83ee
Signed-off-by: Robin Jarry <robin@jarry.cc>
Tested-by: Koni Marti <koni.marti@gmail.com>
Running make with different values for GOFLAGS or VERSION does not cause
aerc to be rebuilt whereas it should.
Write the go build command line into a file and force aerc to be rebuilt
if the command line has changed.
Use the BSD make compatible != operator to run the command. This
operator is also available in GNU make since version 4.0.
Link: https://git.savannah.gnu.org/cgit/make.git/commit/?id=b34438bee83ee
Signed-off-by: Robin Jarry <robin@jarry.cc>
Tested-by: Koni Marti <koni.marti@gmail.com>
This script is referenced by some users' configuration. Restore it to
avoid breaking existing setups.
Fixes: bca93cd915 ("filters: add a more complete plaintext filter")
Signed-off-by: Robin Jarry <robin@jarry.cc>
This filter script is not compatible with the previous one. Rename it to
avoid issues with existing configs.
Fixes: bca93cd915 ("filters: add a more complete plaintext filter")
Signed-off-by: Robin Jarry <robin@jarry.cc>
Add an XDG desktop file to handle mailto: links, to make it easier to
reply to mailing list threads and compose emails with aerc in general.
Signed-off-by: Moritz Poldrack <git@moritz.sh>
Signed-off-by: Robin Jarry <robin@jarry.cc>
Instead of using a static SHAREDIR at compile time, use a list of
standard paths to use at runtime for templates, config files and
stylesets.
This implies removing all default filters in the default configuration.
Replace them with basic commands. New users can configure the filters as
they wish.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Do not use this to run the debugger. Instead, build a non-optimized
binary and display what command should be executed to attach to
a running program.
Signed-off-by: Robin Jarry <robin@jarry.cc>
This reverts commit 22ad9e199a.
This breaks install on macOS:

    install -m755 -D aerc /usr/local/bin/aerc
    install: illegal option -- D

Signed-off-by: Robin Jarry <robin@jarry.cc>
Allow defining a default template to use when composing new messages.
Add an example to be used for new users.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Some build systems build inside a git environment; most notably,
Alpine aports is built inside an aports tree. This override prevents
a VERSION=$pkgver override from being passed at build time and makes
aerc think its version is an Alpine version from aports:

    < aerc -v
    aerc v3.15.0.r122.gb306bc1c4c
Some packagers overwrote the version we embed in aerc; we really don't want that.
Hence we force clear the variable at the beginning of the makefile.
If git is available and returns useful info, we now use that version instead
of the hardcoded version.