* [PATCH 1/1] gnu: tcsh: Fix out of bounds read. @ 2016-12-07 6:22 Leo Famulari 2016-12-07 8:09 ` Efraim Flashner 0 siblings, 1 reply; 7+ messages in thread From: Leo Famulari @ 2016-12-07 6:22 UTC (permalink / raw) To: guix-devel * gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/shells.scm (tcsh)[source]: Use it. --- gnu/local.mk | 1 + .../patches/tcsh-fix-out-of-bounds-read.patch | 31 ++++++++++++++++++++++ gnu/packages/shells.scm | 3 ++- 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch diff --git a/gnu/local.mk b/gnu/local.mk index bc9b06da6..552272bbd 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -879,6 +879,7 @@ dist_patch_DATA = \ %D%/packages/patches/tclxml-3.2-install.patch \ %D%/packages/patches/tcsh-do-not-define-BSDWAIT.patch \ %D%/packages/patches/tcsh-fix-autotest.patch \ + %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \ %D%/packages/patches/teensy-loader-cli-help.patch \ %D%/packages/patches/texi2html-document-encoding.patch \ %D%/packages/patches/texi2html-i18n.patch \ diff --git a/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch new file mode 100644 index 000000000..48c294f78 --- /dev/null +++ b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch 
@@ -0,0 +1,31 @@ +Fix out-of-bounds read in c_substitute(): + +http://seclists.org/oss-sec/2016/q4/612 + +Patch copied from upstream source repository: + +https://github.com/tcsh-org/tcsh/commit/6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 + +From 6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 Mon Sep 17 00:00:00 2001 +From: christos <christos> +Date: Fri, 2 Dec 2016 16:59:28 +0000 +Subject: [PATCH] Fix out of bounds read (Brooks Davis) (reproduce by starting + tcsh and hitting tab at the prompt) + +--- + ed.chared.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ed.chared.c b/ed.chared.c +index 1277e53..310393e 100644 +--- ed.chared.c ++++ ed.chared.c +@@ -750,7 +750,7 @@ c_substitute(void) + /* + * If we found a history character, go expand it. + */ +- if (HIST != '\0' && *p == HIST) ++ if (p >= InputBuf && HIST != '\0' && *p == HIST) + nr_exp = c_excl(p); + else + nr_exp = 0; diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm index f3350ef50..8596efc87 100644 --- a/gnu/packages/shells.scm +++ b/gnu/packages/shells.scm @@ -186,7 +186,8 @@ has a small feature set similar to a traditional Bourne shell.") (base32 "1a4z9kwgx1iqqzvv64si34m60gj34p7lp6rrcrb59s7ka5wa476q")) (patches (search-patches "tcsh-fix-autotest.patch" - "tcsh-do-not-define-BSDWAIT.patch")) + "tcsh-do-not-define-BSDWAIT.patch" + "tcsh-fix-out-of-bounds-read.patch")) (patch-flags '("-p0")))) (build-system gnu-build-system) (inputs -- 2.11.0 ^ permalink raw reply related [flat|nested] 7+ messages in thread
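Review bot: in the ed.chared.c hunk the new `p >= InputBuf` test is deliberately the first operand of the condition, so the short-circuit `&&` stops before `*p == HIST` is evaluated whenever `p` has ended up before the start of `InputBuf`; any later edit to that line should keep that operand order, since placing the bounds test after the dereference would reintroduce the out-of-bounds read this patch fixes.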
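Review bot: the embedded upstream diff carries `--- ed.chared.c` / `+++ ed.chared.c` with no `a/`/`b/` prefix, so it applies only because of the existing `(patch-flags '("-p0"))` visible as context in the shells.scm hunk; a one-line remark in the patch file header (next to `Patch copied from upstream source repository:`) stating that the patch is meant for `-p0` would make that constraint visible to whoever adds the next tcsh patch, because a prefixed patch placed in the same list would fail to apply under that flag.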
* Re: [PATCH 1/1] gnu: tcsh: Fix out of bounds read. 2016-12-07 6:22 [PATCH 1/1] gnu: tcsh: Fix out of bounds read Leo Famulari @ 2016-12-07 8:09 ` Efraim Flashner 2016-12-07 10:54 ` Ludovic Courtès 0 siblings, 1 reply; 7+ messages in thread From: Efraim Flashner @ 2016-12-07 8:09 UTC (permalink / raw) To: Leo Famulari; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 3640 bytes --] On Wed, Dec 07, 2016 at 01:22:18AM -0500, Leo Famulari wrote: > * gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch: New file. > * gnu/local.mk (dist_patch_DATA): Add it. > * gnu/packages/shells.scm (tcsh)[source]: Use it. > --- > gnu/local.mk | 1 + > .../patches/tcsh-fix-out-of-bounds-read.patch | 31 ++++++++++++++++++++++ > gnu/packages/shells.scm | 3 ++- > 3 files changed, 34 insertions(+), 1 deletion(-) > create mode 100644 gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index bc9b06da6..552272bbd 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -879,6 +879,7 @@ dist_patch_DATA = \ > %D%/packages/patches/tclxml-3.2-install.patch \ > %D%/packages/patches/tcsh-do-not-define-BSDWAIT.patch \ > %D%/packages/patches/tcsh-fix-autotest.patch \ > + %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \ > %D%/packages/patches/teensy-loader-cli-help.patch \ > %D%/packages/patches/texi2html-document-encoding.patch \ > %D%/packages/patches/texi2html-i18n.patch \ > diff --git a/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch > new file mode 100644 > index 000000000..48c294f78 > --- /dev/null > +++ b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch 
> @@ -0,0 +1,31 @@ > +Fix out-of-bounds read in c_substitute(): > + > +http://seclists.org/oss-sec/2016/q4/612 > + > +Patch copied from upstream source repository: > + > +https://github.com/tcsh-org/tcsh/commit/6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 > + > +From 6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 Mon Sep 17 00:00:00 2001 > +From: christos <christos> > +Date: Fri, 2 Dec 2016 16:59:28 +0000 > +Subject: [PATCH] Fix out of bounds read (Brooks Davis) (reproduce by starting > + tcsh and hitting tab at the prompt) > + > +--- > + ed.chared.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/ed.chared.c b/ed.chared.c > +index 1277e53..310393e 100644 > +--- ed.chared.c > ++++ ed.chared.c > +@@ -750,7 +750,7 @@ c_substitute(void) > + /* > + * If we found a history character, go expand it. > + */ > +- if (HIST != '\0' && *p == HIST) > ++ if (p >= InputBuf && HIST != '\0' && *p == HIST) > + nr_exp = c_excl(p); > + else > + nr_exp = 0; > diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm > index f3350ef50..8596efc87 100644 > --- a/gnu/packages/shells.scm > +++ b/gnu/packages/shells.scm 
> @@ -186,7 +186,8 @@ has a small feature set similar to a traditional Bourne shell.") > (base32 > "1a4z9kwgx1iqqzvv64si34m60gj34p7lp6rrcrb59s7ka5wa476q")) > (patches (search-patches "tcsh-fix-autotest.patch" > - "tcsh-do-not-define-BSDWAIT.patch")) > + "tcsh-do-not-define-BSDWAIT.patch" > + "tcsh-fix-out-of-bounds-read.patch")) > (patch-flags '("-p0")))) > (build-system gnu-build-system) > (inputs > -- > 2.11.0 > > Still no CVE assigned to it? Building the following 429 packages would ensure 829 dependent packages are rebuilt Looks like it'll need to be grafted in addition. -- Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] gnu: tcsh: Fix out of bounds read. 2016-12-07 8:09 ` Efraim Flashner @ 2016-12-07 10:54 ` Ludovic Courtès 2016-12-07 12:55 ` Marius Bakke 0 siblings, 1 reply; 7+ messages in thread From: Ludovic Courtès @ 2016-12-07 10:54 UTC (permalink / raw) To: Efraim Flashner; +Cc: guix-devel Efraim Flashner <efraim@flashner.co.il> skribis: > On Wed, Dec 07, 2016 at 01:22:18AM -0500, Leo Famulari wrote: >> * gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch: New file. >> * gnu/local.mk (dist_patch_DATA): Add it. >> * gnu/packages/shells.scm (tcsh)[source]: Use it. >> --- >> gnu/local.mk | 1 + >> .../patches/tcsh-fix-out-of-bounds-read.patch | 31 ++++++++++++++++++++++ >> gnu/packages/shells.scm | 3 ++- >> 3 files changed, 34 insertions(+), 1 deletion(-) >> create mode 100644 gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch >> >> diff --git a/gnu/local.mk b/gnu/local.mk >> index bc9b06da6..552272bbd 100644 >> --- a/gnu/local.mk >> +++ b/gnu/local.mk >> @@ -879,6 +879,7 @@ dist_patch_DATA = \ >> %D%/packages/patches/tclxml-3.2-install.patch \ >> %D%/packages/patches/tcsh-do-not-define-BSDWAIT.patch \ >> %D%/packages/patches/tcsh-fix-autotest.patch \ >> + %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \ >> %D%/packages/patches/teensy-loader-cli-help.patch \ >> %D%/packages/patches/texi2html-document-encoding.patch \ >> %D%/packages/patches/texi2html-i18n.patch \ >> diff --git a/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch >> new file mode 100644 >> index 000000000..48c294f78 >> --- /dev/null >> +++ b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch 
>> @@ -0,0 +1,31 @@ >> +Fix out-of-bounds read in c_substitute(): >> + >> +http://seclists.org/oss-sec/2016/q4/612 >> + >> +Patch copied from upstream source repository: >> + >> +https://github.com/tcsh-org/tcsh/commit/6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 >> + >> +From 6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 Mon Sep 17 00:00:00 2001 >> +From: christos <christos> >> +Date: Fri, 2 Dec 2016 16:59:28 +0000 >> +Subject: [PATCH] Fix out of bounds read (Brooks Davis) (reproduce by starting >> + tcsh and hitting tab at the prompt) >> + >> +--- >> + ed.chared.c | 2 +- >> + 1 file changed, 1 insertion(+), 1 deletion(-) >> + >> +diff --git a/ed.chared.c b/ed.chared.c >> +index 1277e53..310393e 100644 >> +--- ed.chared.c >> ++++ ed.chared.c >> +@@ -750,7 +750,7 @@ c_substitute(void) >> + /* >> + * If we found a history character, go expand it. >> + */ >> +- if (HIST != '\0' && *p == HIST) >> ++ if (p >= InputBuf && HIST != '\0' && *p == HIST) >> + nr_exp = c_excl(p); >> + else >> + nr_exp = 0; >> diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm >> index f3350ef50..8596efc87 100644 >> --- a/gnu/packages/shells.scm >> +++ b/gnu/packages/shells.scm >> @@ -186,7 +186,8 @@ has a small feature set similar to a traditional Bourne shell.") >> (base32 >> "1a4z9kwgx1iqqzvv64si34m60gj34p7lp6rrcrb59s7ka5wa476q")) >> (patches (search-patches "tcsh-fix-autotest.patch" >> - "tcsh-do-not-define-BSDWAIT.patch")) >> + "tcsh-do-not-define-BSDWAIT.patch" >> + "tcsh-fix-out-of-bounds-read.patch")) >> (patch-flags '("-p0")))) >> (build-system gnu-build-system) >> (inputs >> -- >> 2.11.0 >> >> > > Still no CVE assigned to it? > > Building the following 429 packages would ensure 829 dependent packages are rebuilt > Looks like it'll need to be grafted in addition. That could go to the next ‘staging’ branch or ‘core-updates’, which might be merged first. (How come this many packages depend on tcsh?) Ludo’. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] gnu: tcsh: Fix out of bounds read.
From: Marius Bakke @ 2016-12-07 12:55 UTC
To: Ludovic Courtès, Efraim Flashner; +Cc: guix-devel

Ludovic Courtès <ludo@gnu.org> writes:

> That could go to the next ‘staging’ branch or ‘core-updates’, which
> might be merged first. (How come this many packages depend on tcsh?)

tcsh is used by the 'boost' and 'texlive' packages.
* Re: [PATCH 1/1] gnu: tcsh: Fix out of bounds read. 2016-12-07 12:55 ` Marius Bakke @ 2016-12-08 0:40 ` Leo Famulari 2016-12-08 9:39 ` Ludovic Courtès 0 siblings, 1 reply; 7+ messages in thread From: Leo Famulari @ 2016-12-08 0:40 UTC (permalink / raw) To: Marius Bakke; +Cc: guix-devel [-- Attachment #1.1: Type: text/plain, Size: 875 bytes --] On Wed, Dec 07, 2016 at 01:55:47PM +0100, Marius Bakke wrote: > Ludovic Courtès <ludo@gnu.org> writes: > > > That could go to the next ‘staging’ branch or ‘core-updates’, which > > might be merged first. (How come this many packages depend on tcsh?) > > tcsh is used by the 'boost' and 'texlive' packages. Tcsh is a native-input of boost. I think that using a graft, as in the attached patch, should work. However, when applying this patch on top of a69bc7071ec (hydra: Fix wrong-num-args error when computing the cross jobs.) and building boost with this patch, the same derivation is built: $ ./pre-inst-env guix build boost && ./pre-inst-env guix build --no-grafts boost /gnu/store/nfg59rims86f87q5hasj8ngad3cd9dpa-boost-1.61.0 /gnu/store/nfg59rims86f87q5hasj8ngad3cd9dpa-boost-1.61.0 I'd expect it to change. Am I missing something? [-- Attachment #1.2: 0001-gnu-tcsh-Fix-out-of-bounds-read.patch --] [-- Type: text/plain, Size: 3484 bytes --] From 7d84262b28a9a6d823d57ba25c316888ab044595 Mon Sep 17 00:00:00 2001 From: Leo Famulari <leo@famulari.name> Date: Wed, 7 Dec 2016 18:51:27 -0500 Subject: [PATCH] gnu: tcsh: Fix out of bounds read. * gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/shells.scm (tcsh)[replacement]: New field. (tcsh/fixed): New variable. --- gnu/local.mk | 1 + .../patches/tcsh-fix-out-of-bounds-read.patch | 31 ++++++++++++++++++++++ gnu/packages/shells.scm | 10 +++++++ 3 files changed, 42 insertions(+) create mode 100644 gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch 
diff --git a/gnu/local.mk b/gnu/local.mk index eec0e018b..72b64a6cc 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -884,6 +884,7 @@ dist_patch_DATA = \ %D%/packages/patches/tclxml-3.2-install.patch \ %D%/packages/patches/tcsh-do-not-define-BSDWAIT.patch \ %D%/packages/patches/tcsh-fix-autotest.patch \ + %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \ %D%/packages/patches/teensy-loader-cli-help.patch \ %D%/packages/patches/texi2html-document-encoding.patch \ %D%/packages/patches/texi2html-i18n.patch \ diff --git a/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch new file mode 100644 index 000000000..48c294f78 --- /dev/null +++ b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch @@ -0,0 +1,31 @@ +Fix out-of-bounds read in c_substitute(): + +http://seclists.org/oss-sec/2016/q4/612 + +Patch copied from upstream source repository: + +https://github.com/tcsh-org/tcsh/commit/6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 + +From 6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 Mon Sep 17 00:00:00 2001 +From: christos <christos> +Date: Fri, 2 Dec 2016 16:59:28 +0000 +Subject: [PATCH] Fix out of bounds read (Brooks Davis) (reproduce by starting + tcsh and hitting tab at the prompt) + +--- + ed.chared.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ed.chared.c b/ed.chared.c +index 1277e53..310393e 100644 +--- ed.chared.c ++++ ed.chared.c +@@ -750,7 +750,7 @@ c_substitute(void) + /* + * If we found a history character, go expand it. + */ +- if (HIST != '\0' && *p == HIST) ++ if (p >= InputBuf && HIST != '\0' && *p == HIST) + nr_exp = c_excl(p); + else + nr_exp = 0; diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm index f3350ef50..193160975 100644 --- a/gnu/packages/shells.scm +++ b/gnu/packages/shells.scm 
@@ -174,6 +174,7 @@ has a small feature set similar to a traditional Bourne shell.") (define-public tcsh (package (name "tcsh") + (replacement tcsh/fixed) (version "6.18.01") (source (origin (method url-fetch) @@ -231,6 +232,15 @@ command-line editor, programmable word completion, spelling correction, a history mechanism, job control and a C-like syntax.") (license bsd-4))) +(define tcsh/fixed + (package + (inherit tcsh) + (name "tcsh") + (source (origin + (inherit (package-source tcsh)) + (patches (cons (search-patch "tcsh-fix-out-of-bounds-read.patch") + (origin-patches (package-source tcsh)))))))) + (define-public zsh (package (name "zsh") -- 2.11.0 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply related [flat|nested] 7+ messages in thread
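Review bot: in the shells.scm hunk, `(name "tcsh")` inside `tcsh/fixed` is redundant, since `(inherit tcsh)` already carries the name over together with every field that is not overridden; dropping it leaves the replacement package with only the field that actually differs, `source`. `(inherit (package-source tcsh))` does preserve the existing `(patch-flags '("-p0"))`, which the prefix-less `--- ed.chared.c` / `+++ ed.chared.c` headers in the embedded upstream patch require.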
* Re: [PATCH 1/1] gnu: tcsh: Fix out of bounds read.
From: Ludovic Courtès @ 2016-12-08 9:39 UTC
To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Wed, Dec 07, 2016 at 01:55:47PM +0100, Marius Bakke wrote:
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>> > That could go to the next ‘staging’ branch or ‘core-updates’, which
>> > might be merged first. (How come this many packages depend on tcsh?)
>>
>> tcsh is used by the 'boost' and 'texlive' packages.
>
> Tcsh is a native-input of boost.
>
> I think that using a graft, as in the attached patch, should work.
>
> However, when applying this patch on top of a69bc7071ec (hydra: Fix
> wrong-num-args error when computing the cross jobs.) and building boost
> with this patch, the same derivation is built:
>
> $ ./pre-inst-env guix build boost && ./pre-inst-env guix build --no-grafts boost
> /gnu/store/nfg59rims86f87q5hasj8ngad3cd9dpa-boost-1.61.0
> /gnu/store/nfg59rims86f87q5hasj8ngad3cd9dpa-boost-1.61.0
>
> I'd expect it to change. Am I missing something?

Boost has no run-time dependency on tcsh, as shown by:

  guix size boost | grep tcsh

This is probably the reason why tcsh is in ‘native-inputs’, and also the
reason why Boost is not grafted in this case.

It’s a case where using a graft allows us to not rebuild anything when
we know it wouldn’t make any difference.

Anyway, the patch LGTM, thank you!

Ludo’.
* Re: [PATCH 1/1] gnu: tcsh: Fix out of bounds read.
From: Leo Famulari @ 2016-12-08 18:54 UTC
To: Ludovic Courtès; +Cc: guix-devel

On Thu, Dec 08, 2016 at 10:39:21AM +0100, Ludovic Courtès wrote:
> Boost has no run-time dependency on tcsh, as shown by:
>
>   guix size boost | grep tcsh
>
> This is probably the reason why tcsh is in ‘native-inputs’, and also the
> reason why Boost is not grafted in this case.
>
> It’s a case where using a graft allows us to not rebuild anything when
> we know it wouldn’t make any difference.

Oh, right! Thank you for taking the time to explain something that I
already knew and momentarily forgot! :)

> Anyway, the patch LGTM, thank you!

Pushed!