On Wed, Dec 07, 2016 at 01:22:18AM -0500, Leo Famulari wrote: > * gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch: New file. > * gnu/local.mk (dist_patch_DATA): Add it. > * gnu/packages/shells.scm (tcsh)[source]: Use it. > --- > gnu/local.mk | 1 + > .../patches/tcsh-fix-out-of-bounds-read.patch | 31 ++++++++++++++++++++++ > gnu/packages/shells.scm | 3 ++- > 3 files changed, 34 insertions(+), 1 deletion(-) > create mode 100644 gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index bc9b06da6..552272bbd 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -879,6 +879,7 @@ dist_patch_DATA = \ > %D%/packages/patches/tclxml-3.2-install.patch \ > %D%/packages/patches/tcsh-do-not-define-BSDWAIT.patch \ > %D%/packages/patches/tcsh-fix-autotest.patch \ > + %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \ > %D%/packages/patches/teensy-loader-cli-help.patch \ > %D%/packages/patches/texi2html-document-encoding.patch \ > %D%/packages/patches/texi2html-i18n.patch \ > diff --git a/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch > new file mode 100644 > index 000000000..48c294f78 > --- /dev/null > +++ b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch > @@ -0,0 +1,31 @@ > +Fix out-of-bounds read in c_substitute(): > + > +http://seclists.org/oss-sec/2016/q4/612 > + > +Patch copied from upstream source repository: > + > +https://github.com/tcsh-org/tcsh/commit/6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 > + > +From 6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 Mon Sep 17 00:00:00 2001 > +From: christos > +Date: Fri, 2 Dec 2016 16:59:28 +0000 > +Subject: [PATCH] Fix out of bounds read (Brooks Davis) (reproduce by starting > + tcsh and hitting tab at the prompt) > + > +--- > + ed.chared.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/ed.chared.c b/ed.chared.c > +index 1277e53..310393e 100644 > +--- ed.chared.c > ++++ ed.chared.c > +@@ -750,7 +750,7 @@ c_substitute(void) > + /* > + * If we found a history character, go expand it. > + */ > +- if (HIST != '\0' && *p == HIST) > ++ if (p >= InputBuf && HIST != '\0' && *p == HIST) > + nr_exp = c_excl(p); > + else > + nr_exp = 0; > diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm > index f3350ef50..8596efc87 100644 > --- a/gnu/packages/shells.scm > +++ b/gnu/packages/shells.scm > @@ -186,7 +186,8 @@ has a small feature set similar to a traditional Bourne shell.") > (base32 > "1a4z9kwgx1iqqzvv64si34m60gj34p7lp6rrcrb59s7ka5wa476q")) > (patches (search-patches "tcsh-fix-autotest.patch" > - "tcsh-do-not-define-BSDWAIT.patch")) > + "tcsh-do-not-define-BSDWAIT.patch" > + "tcsh-fix-out-of-bounds-read.patch")) > (patch-flags '("-p0")))) > (build-system gnu-build-system) > (inputs > -- > 2.11.0 > > Still no CVE assigned to it? Building the following 429 packages would ensure 829 dependent packages are rebuilt Looks like it'll need to be grafted in addition. -- Efraim Flashner אפרים פלשנר GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted