unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Marius Bakke <mbakke@fastmail.com>
To: Leo Famulari <leo@famulari.name>, guix-devel@gnu.org
Subject: Re: [PATCH 1/1] gnu: unrtf: Fix CVE-2016-10091.
Date: Tue, 03 Jan 2017 17:49:29 +0100	[thread overview]
Message-ID: <8760lwqeau.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> (raw)
In-Reply-To: <049f6fc2d37899df14579e04092582e3382489d5.1483302566.git.leo@famulari.name>

[-- Attachment #1: Type: text/plain, Size: 1615 bytes --]

Leo Famulari <leo@famulari.name> writes:

> * gnu/packages/patches/unrtf-CVE-2016-10091.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/unrtf.scm (unrtf)[source]: Use it.

[...]

> diff --git a/gnu/packages/patches/unrtf-CVE-2016-10091.patch b/gnu/packages/patches/unrtf-CVE-2016-10091.patch
> new file mode 100644
> index 000000000..0a58b40db
> --- /dev/null
> +++ b/gnu/packages/patches/unrtf-CVE-2016-10091.patch
> @@ -0,0 +1,224 @@
> +Fix CVE-2016-10091 (stack-based buffer overflows in cmd_* functions):
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10091
> +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705
> +http://seclists.org/oss-sec/2016/q4/787
> +
> +Patch copied from Debian:
> +
> +https://anonscm.debian.org/cgit/collab-maint/unrtf.git/commit/?h=jessie&id=7500a48fb0fbad3ab963fb17560b2f90a8a485c8
> +
> +The Debian patch adapts this upstream commit so that it can be applied
> +to the 0.21.9 release tarball:
> +
> +http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406

Isn't the Debian patch the same as this upstream commit? I can't spot
the difference with a cursory glance.


> +diff --git a/debian/patches/series b/debian/patches/series
> +new file mode 100644
> +index 0000000..7868249
> +--- /dev/null
> ++++ b/debian/patches/series
> +@@ -0,0 +1 @@
> ++0001-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch

This part we surely don't need ;-)

Unless the Debian patch fixes other issues than upstream revision
3b16893a6406 I would just pick and link to that, skipping the Debian
step. WDYT?

Thanks for taking care of this!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

  reply	other threads:[~2017-01-03 16:49 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-01-01 20:29 [PATCH 1/1] gnu: unrtf: Fix CVE-2016-10091 Leo Famulari
2017-01-03 16:49 ` Marius Bakke [this message]
2017-01-04  7:13   ` Leo Famulari
2017-01-04  7:27     ` Leo Famulari
2017-01-04  7:50       ` mcrypt CVE-2012-{4409,4527} [was Re: [PATCH 1/1] gnu: unrtf: Fix CVE-2016-10091.] Leo Famulari
2017-01-04 15:09       ` [PATCH 1/1] gnu: unrtf: Fix CVE-2016-10091 Marius Bakke

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8760lwqeau.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me \
    --to=mbakke@fastmail.com \
    --cc=guix-devel@gnu.org \
    --cc=leo@famulari.name \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).