From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: [PATCH 1/1] gnu: tcsh: Fix out of bounds read.
Date: Wed, 07 Dec 2016 11:54:47 +0100
Message-ID: <87a8c89fgo.fsf@gnu.org>
References: <20161207080947.GA26434@macbook42.flashner.co.il>
In-Reply-To: <20161207080947.GA26434@macbook42.flashner.co.il> (Efraim Flashner's message of "Wed, 7 Dec 2016 10:09:47 +0200")
To: Efraim Flashner
Cc: guix-devel@gnu.org

Efraim Flashner skribis:

> On Wed, Dec 07, 2016 at 01:22:18AM -0500, Leo Famulari wrote:
>> * gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add it.
>> * gnu/packages/shells.scm (tcsh)[source]: Use it.
>> ---
>>  gnu/local.mk                                       |  1 +
>>  .../patches/tcsh-fix-out-of-bounds-read.patch      | 31 ++++++++++++++++++++++
>>  gnu/packages/shells.scm                            |  3 ++-
>>  3 files changed, 34 insertions(+), 1 deletion(-)
>>  create mode 100644 gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch
>> 
>> diff --git a/gnu/local.mk b/gnu/local.mk
>> index bc9b06da6..552272bbd 100644
>> --- a/gnu/local.mk
>> +++ b/gnu/local.mk
>> @@ -879,6 +879,7 @@ dist_patch_DATA = \
>>  %D%/packages/patches/tclxml-3.2-install.patch \
>>  %D%/packages/patches/tcsh-do-not-define-BSDWAIT.patch \
>>  %D%/packages/patches/tcsh-fix-autotest.patch \
>> + %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch \
>>  %D%/packages/patches/teensy-loader-cli-help.patch \
>>  %D%/packages/patches/texi2html-document-encoding.patch \
>>  %D%/packages/patches/texi2html-i18n.patch \
>> diff --git a/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch
>> new file mode 100644
>> index 000000000..48c294f78
>> --- /dev/null
>> +++ b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch
>> @@ -0,0 +1,31 @@
>> +Fix out-of-bounds read in c_substitute():
>> +
>> +http://seclists.org/oss-sec/2016/q4/612
>> +
>> +Patch copied from upstream source repository:
>> +
>> +https://github.com/tcsh-org/tcsh/commit/6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596
>> +
>> +From 6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 Mon Sep 17 00:00:00 2001
>> +From: christos
>> +Date: Fri, 2 Dec 2016 16:59:28 +0000
>> +Subject: [PATCH] Fix out of bounds read (Brooks Davis) (reproduce by starting
>> + tcsh and hitting tab at the prompt)
>> +
>> +---
>> + ed.chared.c | 2 +-
>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>> +
>> +diff --git a/ed.chared.c b/ed.chared.c
>> +index 1277e53..310393e 100644
>> +--- ed.chared.c
>> ++++ ed.chared.c
>> +@@ -750,7 +750,7 @@ c_substitute(void)
>> + /*
>> + * If we found a history character, go expand it.
>> + */
>> +- if (HIST != '\0' && *p == HIST)
>> ++ if (p >= InputBuf && HIST != '\0' && *p == HIST)
>> + nr_exp = c_excl(p);
>> + else
>> + nr_exp = 0;
>> diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm
>> index f3350ef50..8596efc87 100644
>> --- a/gnu/packages/shells.scm
>> +++ b/gnu/packages/shells.scm
>> @@ -186,7 +186,8 @@ has a small feature set similar to a traditional Bourne shell.")
>>  (base32
>>  "1a4z9kwgx1iqqzvv64si34m60gj34p7lp6rrcrb59s7ka5wa476q"))
>>  (patches (search-patches "tcsh-fix-autotest.patch"
>> - "tcsh-do-not-define-BSDWAIT.patch"))
>> + "tcsh-do-not-define-BSDWAIT.patch"
>> + "tcsh-fix-out-of-bounds-read.patch"))
>>  (patch-flags '("-p0"))))
>>  (build-system gnu-build-system)
>>  (inputs
>> -- 
>> 2.11.0
>> 
>> 
>
> Still no CVE assigned to it?
>
> Building the following 429 packages would ensure 829 dependent packages are rebuilt
> Looks like it'll need to be grafted in addition.

That could go to the next ‘staging’ branch or ‘core-updates’, which might be merged first.

(How come this many packages depend on tcsh?)

Ludo’.
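Review bot: in the embedded ed.chared.c hunk of the new tcsh-fix-out-of-bounds-read.patch, the fix is the added `p >= InputBuf` as the first operand of the `&&` chain, so `*p` is only dereferenced once `p` is known not to point before `InputBuf`; the operand order is what makes it a fix (short-circuit evaluation), so keep the upstream hunk verbatim if the patch is ever refreshed. Two package-level points on that file: the inner `--- ed.chared.c` / `+++ ed.chared.c` headers carry no `a/` or `b/` prefix, so this patch depends on the `(patch-flags '("-p0"))` that the tcsh definition already has, and the header text cites the oss-sec post but no CVE, matching the "Still no CVE assigned" reply; add the identifier to the patch description only once one is actually allocated.

Review bot: for the shells.scm hunk, adding the patch to `source` changes the tcsh derivation and therefore rebuilds every dependent, which is the 429-package / 829-dependent rebuild the reply measures. On master that means this change should be paired with a graft (a `replacement` tcsh whose `source` carries the new patch), with the direct `patches` edit landing on the staging or core-updates branch as the reply suggests; the hunk itself is otherwise fine, and since `patch-flags` applies to every entry of `search-patches`, the new file's prefix-free inner headers are consistent with the existing two.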