From: Ricardo Wurmus
Subject: bug#30415: Unzip CVE-2018-1000031 and others
Date: Tue, 13 Feb 2018 09:01:44 +0100
Message-ID: <87zi4djp1z.fsf@elephly.net>
In-reply-to: <20180212185802.GA30991@jasmine.lan>
To: Leo Famulari
Cc: 30415@debbugs.gnu.org

Hi Leo,

> The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> to reduce the impact of the bug. The attached patch does that.

[…]

> + ;; Mitigate CVE-2018-1000035, an exploitable buffer overflow.
> + ;; This environment variable is recommended in 'unix/Makefile'
> + ;; for passing flags to the C compiler.
> + (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1")
> + #t))))))))

This looks good to me. Thank you!

-- 
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
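
Review bot: on the setenv line that puts the _FORTIFY_SOURCE define into LOCAL_UNZIP, the define only has an effect when the C compiler is also run with optimization enabled, so it is worth confirming that the flags this build ends up passing include -O1 or higher; without that the mitigation is not actually compiled in. The comment above the setenv could also say why level 1 was chosen rather than level 2, which enables additional checks, so a later reader can tell whether the weaker setting is deliberate (for example because level 2 breaks the build) or just the advisory's default.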