* bug#30415: Unzip CVE-2018-1000031 and others
From: Leo Famulari @ 2018-02-10 18:57 UTC
To: 30415

We need to fix CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033, CVE-2018-1000034, CVE-2018-1000035 in UnZip:

http://seclists.org/oss-sec/2018/q1/134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000031 etc.
* bug#30415: Unzip CVE-2018-1000031 and others
From: Leo Famulari @ 2018-02-11 15:09 UTC
To: 30415

The 3rd-party security advisory suggests that the bugs are fixed in UnZip 6.1c23:

https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html

See unzip610c23.zip here:

http://antinode.info/ftp/info-zip/

Unfortunately, this is a zip file, unlike the 9-year-old tarball on the UnZip SourceForge page. Any advice? I suppose we could keep the old UnZip package just to unpack the new one.
* bug#30415: Unzip CVE-2018-1000031 and others
From: Leo Famulari @ 2018-02-11 15:35 UTC
To: 30415

On Sat, Feb 10, 2018 at 01:57:28PM -0500, Leo Famulari wrote:
> We need to fix CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033,
> CVE-2018-1000034, CVE-2018-1000035 in UnZip:
>
> http://seclists.org/oss-sec/2018/q1/134
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000031 etc.

Okay, the advisory says that only CVE-2018-1000035 affects our UnZip 6.0 package; the other bugs were apparently introduced after that.

And CVE-2018-1000035 may be mitigated by the compiler. I'll investigate more.
* bug#30415: Unzip CVE-2018-1000031 and others 2018-02-11 15:35 ` Leo Famulari @ 2018-02-12 18:58 ` Leo Famulari 2018-02-13 8:01 ` Ricardo Wurmus 0 siblings, 1 reply; 6+ messages in thread From: Leo Famulari @ 2018-02-12 18:58 UTC (permalink / raw) To: 30415 [-- Attachment #1.1: Type: text/plain, Size: 369 bytes --] On Sun, Feb 11, 2018 at 10:35:48AM -0500, Leo Famulari wrote: > And CVE-2018-1000035 may be mitigated by the compiler. I'll investigate > more. The researcher's advisory recommends building UnZip with FORTIFY_SOURCE to reduce the impact of the bug. The attached patch does that. AFAICT, the proof-of-concept zip file is not published, and there is no upstream patch. [-- Attachment #1.2: 0001-gnu-unzip-Mitigate-CVE-2018-1000035.patch --] [-- Type: text/plain, Size: 2267 bytes --] From 4e9eaa43e19ff8fe02c02589d0ea42b88ce67c87 Mon Sep 17 00:00:00 2001 From: Leo Famulari <leo@famulari.name> Date: Mon, 12 Feb 2018 13:49:49 -0500 Subject: [PATCH] gnu: unzip: Mitigate CVE-2018-1000035. * gnu/packages/compression.scm (unzip)[replacement]: New field. (unzip/fixed): New variable. --- gnu/packages/compression.scm | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 3a0e27945..9983ee129 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -5,7 +5,7 @@ ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com> ;;; Copyright © 2015, 2016 Eric Bavier <bavier@member.fsf.org> ;;; Copyright © 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net> -;;; Copyright © 2015, 2017 Leo Famulari <leo@famulari.name> +;;; Copyright © 2015, 2017, 2018 Leo Famulari <leo@famulari.name> ;;; Copyright © 2015 Jeff Mickey <j@codemac.net> ;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com> 
@@ -1719,6 +1719,7 @@ Compression ratios of 2:1 to 3:1 are common for text files.") (define-public unzip (package (inherit zip) (name "unzip") + (replacement unzip/fixed) (version "6.0") (source (origin @@ -1769,6 +1770,20 @@ recreates the stored directory structure by default.") (license (license:non-copyleft "file://LICENSE" "See LICENSE in the distribution.")))) +(define unzip/fixed + (package/inherit unzip + (arguments + (substitute-keyword-arguments (package-arguments unzip) + ((#:phases phases) + `(modify-phases ,phases + (add-after 'unpack 'fortify + (lambda _ + ;; Mitigate CVE-2018-1000035, an exploitable buffer overflow. + ;; This environment variable is recommended in 'unix/Makefile' + ;; for passing flags to the C compiler. + (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1") + #t)))))))) + (define-public zziplib (package (name "zziplib") -- 2.16.1 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply related [flat|nested] 6+ messages in thread
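Review bot: the `(replacement unzip/fixed)` field turns this into a graft, so users receive the fortified binary without rebuilding everything that depends on unzip; the commit message should state that explicitly, and say whether the graft is meant to be dropped once an upstream fix or a packaged 6.1 release exists, so that a later reader knows it is a temporary measure rather than the permanent build configuration.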
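Review bot: the `fortify` phase sets `LOCAL_UNZIP` to `-D_FORTIFY_SOURCE=1` alone, and _FORTIFY_SOURCE only takes effect when the compiler optimizes (glibc's features.h leaves `__USE_FORTIFY_LEVEL` at 0 unless `__OPTIMIZE__` is set), so the mitigation silently depends on the Makefile target's CFLAGS already passing `-O`. Worth confirming in the build log that `-D_FORTIFY_SOURCE=1` reaches the compile lines and that the resulting `unzip` binary references `__*_chk` symbols (for instance `nm -u unzip | grep _chk`). `-D_FORTIFY_SOURCE=2` adds further checks (stricter object-size bounds, `%n` only accepted in read-only format strings); if the 6.0 sources build cleanly with it, it is the stronger setting. Finally, the comment could note what the mitigation buys: a fortified call whose destination size is known at compile time aborts on overflow instead of corrupting memory, which limits the bug to a crash rather than removing it.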
* bug#30415: Unzip CVE-2018-1000031 and others
From: Ricardo Wurmus @ 2018-02-13 8:01 UTC
To: Leo Famulari; +Cc: 30415

Hi Leo,

> The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> to reduce the impact of the bug. The attached patch does that.
[…]
> +              ;; Mitigate CVE-2018-1000035, an exploitable buffer overflow.
> +              ;; This environment variable is recommended in 'unix/Makefile'
> +              ;; for passing flags to the C compiler.
> +              (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1")
> +              #t))))))))

This looks good to me. Thank you!

--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
* bug#30415: Unzip CVE-2018-1000031 and others
From: Leo Famulari @ 2018-02-13 14:51 UTC
To: Ricardo Wurmus; +Cc: 30415-done

On Tue, Feb 13, 2018 at 09:01:44AM +0100, Ricardo Wurmus wrote:
>
> Hi Leo,
>
> > The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> > to reduce the impact of the bug. The attached patch does that.
> […]
> > +              ;; Mitigate CVE-2018-1000035, an exploitable buffer overflow.
> > +              ;; This environment variable is recommended in 'unix/Makefile'
> > +              ;; for passing flags to the C compiler.
> > +              (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1")
> > +              #t))))))))
>
> This looks good to me. Thank you!

Thanks, pushed as 77737e035491112a1e9c7d9a0e6f1e0397a4f930
Code repository for the project associated with this public inbox: https://git.savannah.gnu.org/cgit/guix.git