From: Marius Bakke
Subject: Re: [PATCH 1/1] gnu: unrtf: Fix CVE-2016-10091.
Date: Tue, 03 Jan 2017 17:49:29 +0100
Message-ID: <8760lwqeau.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
In-Reply-To: <049f6fc2d37899df14579e04092582e3382489d5.1483302566.git.leo@famulari.name>
To: Leo Famulari, guix-devel@gnu.org

Leo Famulari writes:

> * gnu/packages/patches/unrtf-CVE-2016-10091.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/unrtf.scm (unrtf)[source]: Use it.

[...]

> diff --git a/gnu/packages/patches/unrtf-CVE-2016-10091.patch b/gnu/packages/patches/unrtf-CVE-2016-10091.patch > new file mode 100644 > index 000000000..0a58b40db > --- /dev/null > +++ b/gnu/packages/patches/unrtf-CVE-2016-10091.patch
> @@ -0,0 +1,224 @@ > +Fix CVE-2016-10091 (stack-based buffer overflows in cmd_* functions): > + > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10091 > +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705 > +http://seclists.org/oss-sec/2016/q4/787 > + > +Patch copied from Debian: > + > +https://anonscm.debian.org/cgit/collab-maint/unrtf.git/commit/?h=jessie&id=7500a48fb0fbad3ab963fb17560b2f90a8a485c8 > + > +The Debian patch adapts this upstream commit so that it can be applied > +to the 0.21.9 release tarball: > + > +http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406

Isn't the Debian patch the same as this upstream commit? I can't spot the difference with a cursory glance.

> +diff --git a/debian/patches/series b/debian/patches/series > +new file mode 100644 > +index 0000000..7868249 > +--- /dev/null > ++++ b/debian/patches/series > +@@ -0,0 +1 @@ > ++0001-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch

This part we surely don't need ;-)

Unless the Debian patch fixes other issues than upstream revision 3b16893a6406 I would just pick and link to that, skipping the Debian step. WDYT?

Thanks for taking care of this!
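
Review bot: The embedded hunk for debian/patches/series inside the new patch file ("+diff --git a/debian/patches/series b/debian/patches/series", "+new file mode 100644") is Debian packaging metadata rather than a change to the unrtf sources, and applying the patch file as written would add a debian/patches/series file to the unpacked 0.21.9 tree. Drop that hunk so the patch file carries only the source changes. The header comment also says the Debian patch "adapts" upstream revision 3b16893a6406 for the 0.21.9 release tarball without naming what was adapted; one line stating the difference would let a later reader check whether the upstream revision could be used directly.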