From: Leo Famulari
Subject: bug#30415: Unzip CVE-2018-1000031 and others
Date: Tue, 13 Feb 2018 09:51:35 -0500
Message-ID: <20180213145135.GB18012@jasmine.lan>
In-Reply-To: <87zi4djp1z.fsf@elephly.net>
To: Ricardo Wurmus
Cc: 30415-done@debbugs.gnu.org

On Tue, Feb 13, 2018 at 09:01:44AM +0100, Ricardo Wurmus wrote:
> 
> Hi Leo,
> 
> > The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> > to reduce the impact of the bug. The attached patch does that.
> […]
> > + ;; Mitigate CVE-2018-1000035, an exploitable buffer overflow.
> > + ;; This environment variable is recommended in 'unix/Makefile'
> > + ;; for passing flags to the C compiler.
> > + (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1")
> > + #t))))))))
> 
> This looks good to me. Thank you!

Thanks, pushed as 77737e035491112a1e9c7d9a0e6f1e0397a4f930
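Review bot: _FORTIFY_SOURCE only takes effect when the compiler also runs with optimization enabled (-O1 or higher), so the line '(setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1")' mitigates the overflow only if the CFLAGS that 'unix/Makefile' passes alongside LOCAL_UNZIP already optimize; it is worth confirming in the build log that the define and an -O flag both reach the compiler, and level 2 (-D_FORTIFY_SOURCE=2) gives stricter bounds checks than level 1 if the code tolerates it. The comment names CVE-2018-1000035 while the bug title is "CVE-2018-1000031 and others"; if the fortify build is meant to reduce the impact of several of those identifiers, listing them in the comment would make the intent of the package definition clearer to the next reader.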