unofficial mirror of guix-devel@gnu.org 
* [peter@more-magic.net: Irregex packages should be updated to 0.9.6]
@ 2016-12-16 19:33 Leo Famulari
  2016-12-16 19:36 ` Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]] Leo Famulari
  0 siblings, 1 reply; 14+ messages in thread
From: Leo Famulari @ 2016-12-16 19:33 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1919 bytes --]

With Peter's permission, I'm forwarding this message from guix-security
to guix-devel.

We fixed this bug in our guile-irregex package in commit fb73f07a0fe,
but our chez-irregex and chicken packages are still vulnerable.

Note the updated discussion on the chez-irregex bug tracker:

https://github.com/fedeinthemix/chez-irregex/issues/1

----- Forwarded message from Peter Bex <peter@more-magic.net> -----

Date: Thu, 15 Dec 2016 20:40:00 +0100
From: Peter Bex <peter@more-magic.net>
To: guix-security@gnu.org
Subject: Irregex packages should be updated to 0.9.6
User-Agent: Mutt/1.5.23 (2014-03-12)

Hello there,

I'm not a Guix user, but I noticed that Guix has several repackaged
versions of the "irregex" portable regular expression engine for Scheme.
I'm a co-maintainer of the upstream package and I'd like to point out
a vulnerability we've found in it, CVE-2016-9954.

See the announcement at
http://www.openwall.com/lists/oss-security/2016/12/14/18
and the CHICKEN Scheme announcement at
http://lists.gnu.org/archive/html/chicken-announce/2016-12/msg00000.html
(currently no released version has a fix for this issue)

The specific Irregex packages in question are:

- chicken.  See above.  It will be fixed in 4.12, once it is released.
- chez-irregex.  I reported the issue for this port as
   https://github.com/fedeinthemix/chez-irregex/issues/1
- guile-irregex.  I couldn't find a repository for this package, so
   I'm assuming this is a direct packaging of the portable upstream code
   from irregex itself.  The tarball published on the author's site has
   now also been updated to 0.9.6.

Especially the guile-irregex package could be an important one if Guix
itself makes use of irregex for processing user-provided regexes,
because it can eat up all available memory if left unrestricted.

Cheers,
Peter Bex



----- End forwarded message -----


* Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
  2016-12-16 19:33 [peter@more-magic.net: Irregex packages should be updated to 0.9.6] Leo Famulari
@ 2016-12-16 19:36 ` Leo Famulari
  2016-12-22 19:20   ` Kei Kebreau
  0 siblings, 1 reply; 14+ messages in thread
From: Leo Famulari @ 2016-12-16 19:36 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 364 bytes --]

On Fri, Dec 16, 2016 at 02:33:19PM -0500, Leo Famulari wrote:
> We fixed this bug in our guile-irregex package in commit fb73f07a0fe,
> but our chez-irregex and chicken packages are still vulnerable.

Also note that (I believe) our chicken package is vulnerable to
CVE-2016-{6830,6831}:

http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00002.html


* Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
  2016-12-16 19:36 ` Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]] Leo Famulari
@ 2016-12-22 19:20   ` Kei Kebreau
  2016-12-24  6:32     ` Leo Famulari
  0 siblings, 1 reply; 14+ messages in thread
From: Kei Kebreau @ 2016-12-22 19:20 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel


[-- Attachment #1.1: Type: text/plain, Size: 572 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Fri, Dec 16, 2016 at 02:33:19PM -0500, Leo Famulari wrote:
>> We fixed this bug in our guile-irregex package in commit fb73f07a0fe,
>> but our chez-irregex and chicken packages are still vulnerable.
>
> Also note that (I believe) our chicken package is vulnerable to
> CVE-2016-{6830,6831}:
>
> http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00002.html

The attached patch is currently being tested on my computer, but I
suspect it will work.

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834845.


[-- Attachment #1.2: 0001-gnu-chicken-Fix-CVE-2016-6830-6831.patch --]
[-- Type: text/plain, Size: 19872 bytes --]

From 3423ef38ecab794f9601aa8ac63c6974d9db62d4 Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Thu, 22 Dec 2016 14:16:55 -0500
Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.

* gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
* gnu/local.mk (dist_patch_DATA): Use it.
* gnu/packages/scheme.scm (chicken)[source]: Use it.
---
 gnu/local.mk                                       |   1 +
 .../chicken-CVE-2016-6830+CVE-2016-6831.patch      | 426 +++++++++++++++++++++
 gnu/packages/scheme.scm                            |   4 +-
 3 files changed, 430 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index ee8f1e591..81a216a39 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -497,6 +497,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/calibre-drop-unrar.patch			\
   %D%/packages/patches/calibre-no-updates-dialog.patch		\
   %D%/packages/patches/cdparanoia-fpic.patch			\
+  %D%/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch	\
   %D%/packages/patches/chmlib-inttypes.patch			\
   %D%/packages/patches/clang-libc-search-path.patch		\
   %D%/packages/patches/clang-3.8-libc-search-path.patch		\
diff --git a/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
new file mode 100644
index 000000000..45d5442e0
--- /dev/null
+++ b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
@@ -0,0 +1,426 @@
+The following patch was adapted for CHICKEN Scheme
+by Kei Kebreau <kei@openmailbox.org> based on:
+
+https://lists.nongnu.org/archive/html/chicken-hackers/2016-07/txtSWHYeFeG0R.txt
+
+diff -r -u a/NEWS b/NEWS
+--- a/NEWS	2016-12-22 14:06:40.016494788 -0500
++++ b/NEWS	2016-12-22 14:06:49.216803605 -0500
+@@ -27,6 +27,12 @@
+   - The signal handling code can no longer trigger "stack overflow" or
+     "recursion too deep or circular data encountered" errors (#1283).
+ 
++- Security fixes
++  - Fix buffer overrun due to excessively long argument or
++    environment lists in process-execute and process-spawn (#1308).
++    This also removes unnecessary limitations on the length of
++    these lists (thanks to Vasilij Schneidermann).
++
+ - Compiler:
+   - Specializations on implicit "or" types like "number" or "boolean" now
+     work, removing the requirement for the inferred types to match
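Review bot: The NEWS hunk at the top of the bundled patch is not needed for the fix and is the part most likely to stop applying cleanly on the next version bump, so consider dropping it and keeping only the posix-common.scm, posixunix.scm and posixwin.scm changes. The header comment also says the patch was "adapted" from the chicken-hackers attachment without saying what was changed; one line naming CVE-2016-6830 and CVE-2016-6831 and summarising the adaptation would make it easier to tell later when the patch can be removed.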
+diff -r -u a/posix-common.scm b/posix-common.scm
+--- a/posix-common.scm	2016-12-22 14:06:40.024495057 -0500
++++ b/posix-common.scm	2016-12-22 14:06:55.961030020 -0500
+@@ -25,7 +25,8 @@
+ 
+ 
+ (declare 
+-  (hide ##sys#stat posix-error check-time-vector ##sys#find-files)
++  (hide ##sys#stat posix-error check-time-vector ##sys#find-files
++	list->c-string-buffer free-c-string-buffer call-with-exec-args)
+   (foreign-declare #<<EOF
+ 
+ #include <signal.h>
+@@ -679,3 +680,65 @@
+           (if (fx= epid -1)
+               (posix-error #:process-error 'process-wait "waiting for child process failed" pid)
+               (values epid enorm ecode) ) ) ) ) ) )
++
++;; This can construct argv or envp for process-execute or process-run
++(define list->c-string-buffer
++  (let* ((c-string->allocated-pointer
++	  (foreign-lambda* c-pointer ((scheme-object o))
++	    "char *ptr = malloc(C_header_size(o)); \n"
++	    "if (ptr != NULL) {\n"
++	    "  C_memcpy(ptr, C_data_pointer(o), C_header_size(o)); \n"
++	    "}\n"
++	    "C_return(ptr);")) )
++    (lambda (string-list convert loc)
++      (##sys#check-list string-list loc)
++
++      (let* ((string-count (##sys#length string-list))
++	     ;; NUL-terminated, so we must add one
++	     (buffer (make-pointer-vector (add1 string-count) #f)))
++
++	(handle-exceptions exn
++	    ;; Free to avoid memory leak, then reraise
++	    (begin (free-c-string-buffer buffer) (signal exn))
++
++	  (do ((sl string-list (cdr sl))
++	       (i 0 (fx+ i 1)) )
++	      ((or (null? sl) (fx= i string-count))) ; Should coincide
++
++	    (##sys#check-string (car sl) loc)
++	    ;; This avoids embedded NULs and appends a NUL, so "cs" is
++	    ;; safe to copy and use as-is in the pointer-vector.
++	    (let* ((cs (##sys#make-c-string (convert (car sl)) loc))
++		   (csp (c-string->allocated-pointer cs)))
++	      (unless csp (error loc "Out of memory"))
++	      (pointer-vector-set! buffer i csp)) )
++
++	  buffer) ) ) ) )
++
++(define (free-c-string-buffer buffer-array)
++  (let ((size (pointer-vector-length buffer-array)))
++    (do ((i 0 (fx+ i 1)))
++	((fx= i size))
++      (and-let* ((s (pointer-vector-ref buffer-array i)))
++	(free s)))))
++
++(define call-with-exec-args
++  (let ((pathname-strip-directory pathname-strip-directory)
++	(nop (lambda (x) x)))
++    (lambda (loc filename argconv arglist envlist proc)
++      (let* ((stripped-filename (pathname-strip-directory filename))
++	     (args (cons stripped-filename arglist)) ; Add argv[0]
++	     (argbuf (list->c-string-buffer args argconv loc))
++	     (envbuf #f))
++
++	(handle-exceptions exn
++	    ;; Free to avoid memory leak, then reraise
++	    (begin (free-c-string-buffer argbuf)
++		   (when envbuf (free-c-string-buffer envbuf))
++		   (signal exn))
++
++	  ;; Envlist is never converted, so we always use nop here
++	  (when envlist
++	    (set! envbuf (list->c-string-buffer envlist nop loc)))
++
++	  (proc (##sys#make-c-string filename loc) argbuf envbuf) )))))
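Review bot: In call-with-exec-args the buffers are freed only inside the handle-exceptions handler; when proc returns normally, as process-spawn does after a successful spawn, nothing in these lines frees argbuf or envbuf. The code this replaces freed the argument arrays unconditionally in $exec-teardown, so this looks like a leak on the success path. Suggest binding the result of (proc ...) and calling free-c-string-buffer on argbuf (and on envbuf when set) before returning it. Minor: the comment above list->c-string-buffer names process-run, while the callers in this patch are process-execute and process-spawn.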
+diff -r -u a/posixunix.scm b/posixunix.scm
+--- a/posixunix.scm	2016-12-22 14:06:39.976493446 -0500
++++ b/posixunix.scm	2016-12-22 14:06:55.961030020 -0500
+@@ -27,7 +27,7 @@
+ 
+ (declare
+   (unit posix)
+-  (uses scheduler irregex extras files ports)
++  (uses scheduler irregex extras files ports lolevel)
+   (disable-interrupts)
+   (hide group-member _get-groups _ensure-groups posix-error ##sys#terminal-check)
+   (not inline ##sys#interrupt-hook ##sys#user-interrupt-hook))
+@@ -88,10 +88,6 @@
+ # define O_TEXT          0
+ #endif
+ 
+-#ifndef ARG_MAX
+-# define ARG_MAX 256
+-#endif
+-
+ #ifndef MAP_FILE
+ # define MAP_FILE    0
+ #endif
+@@ -110,16 +106,10 @@
+ # define C_getenventry(i)       (environ[ i ])
+ #endif
+ 
+-#ifndef ENV_MAX
+-# define ENV_MAX        1024
+-#endif
+-
+ #ifndef FILENAME_MAX
+ # define FILENAME_MAX          1024
+ #endif
+ 
+-static C_TLS char *C_exec_args[ ARG_MAX ];
+-static C_TLS char *C_exec_env[ ENV_MAX ];
+ static C_TLS struct utsname C_utsname;
+ static C_TLS struct flock C_flock;
+ static C_TLS DIR *temphandle;
+@@ -199,29 +189,8 @@
+ 
+ #define C_lstat(fn)         C_fix(lstat((char *)C_data_pointer(fn), &C_statbuf))
+ 
+-static void C_fcall C_set_arg_string(char **where, int i, char *a, int len) {
+-  char *ptr;
+-  if(a != NULL) {
+-    ptr = (char *)C_malloc(len + 1);
+-    C_memcpy(ptr, a, len);
+-    ptr[ len ] = '\0';
+-    /* Can't barf() here, so the NUL byte check happens in Scheme */
+-  }
+-  else ptr = NULL;
+-  where[ i ] = ptr;
+-}
+-
+-static void C_fcall C_free_arg_string(char **where) {
+-  while((*where) != NULL) C_free(*(where++));
+-}
+-
+-#define C_set_exec_arg(i, a, len)	C_set_arg_string(C_exec_args, i, a, len)
+-#define C_free_exec_args()		C_free_arg_string(C_exec_args)
+-#define C_set_exec_env(i, a, len)	C_set_arg_string(C_exec_env, i, a, len)
+-#define C_free_exec_env()		C_free_arg_string(C_exec_env)
+-
+-#define C_execvp(f)         C_fix(execvp(C_data_pointer(f), C_exec_args))
+-#define C_execve(f)         C_fix(execve(C_data_pointer(f), C_exec_args, C_exec_env))
++#define C_u_i_execvp(f,a)   C_fix(execvp(C_data_pointer(f), (char *const *)C_c_pointer_vector_or_null(a)))
++#define C_u_i_execve(f,a,e) C_fix(execve(C_data_pointer(f), (char *const *)C_c_pointer_vector_or_null(a), (char *const *)C_c_pointer_vector_or_null(e)))
+ 
+ #if defined(__FreeBSD__) || defined(C_MACOSX) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__sgi__) || defined(sgi) || defined(__DragonFly__) || defined(__SUNPRO_C)
+ static C_TLS int C_uw;
+@@ -1591,43 +1560,15 @@
+ 	       (exit 0)))
+ 	    pid)))))
+ 
+-(define process-execute
+-  ;; NOTE: We use c-string here instead of scheme-object.
+-  ;; Because set_exec_* make a copy, this implies a double copy.
+-  ;; At least it's secure, we can worry about performance later, if at all
+-  (let ([setarg (foreign-lambda void "C_set_exec_arg" int c-string int)]
+-        [freeargs (foreign-lambda void "C_free_exec_args")]
+-        [setenv (foreign-lambda void "C_set_exec_env" int c-string int)]
+-        [freeenv (foreign-lambda void "C_free_exec_env")]
+-        [pathname-strip-directory pathname-strip-directory] )
+-    (lambda (filename #!optional (arglist '()) envlist)
+-      (##sys#check-string filename 'process-execute)
+-      (##sys#check-list arglist 'process-execute)
+-      (let ([s (pathname-strip-directory filename)])
+-        (setarg 0 s (##sys#size s)) )
+-      (do ([al arglist (cdr al)]
+-           [i 1 (fx+ i 1)] )
+-          ((null? al)
+-           (setarg i #f 0)
+-           (when envlist
+-             (##sys#check-list envlist 'process-execute)
+-             (do ([el envlist (cdr el)]
+-                  [i 0 (fx+ i 1)] )
+-                 ((null? el) (setenv i #f 0))
+-               (let ([s (car el)])
+-                 (##sys#check-string s 'process-execute)
+-                 (setenv i s (##sys#size s)) ) ) )
+-           (let* ([prg (##sys#make-c-string filename 'process-execute)]
+-                  [r (if envlist
+-                         (##core#inline "C_execve" prg)
+-                         (##core#inline "C_execvp" prg) )] )
+-             (when (fx= r -1)
+-               (freeargs)
+-               (freeenv)
+-               (posix-error #:process-error 'process-execute "cannot execute process" filename) ) ) )
+-        (let ([s (car al)])
+-          (##sys#check-string s 'process-execute)
+-          (setarg i s (##sys#size s)) ) ) ) ) )
++(define (process-execute filename #!optional (arglist '()) envlist)
++  (call-with-exec-args
++   'process-execute filename (lambda (x) x) arglist envlist
++   (lambda (prg argbuf envbuf)
++     (let ((r (if envbuf
++		  (##core#inline "C_u_i_execve" prg argbuf envbuf)
++		  (##core#inline "C_u_i_execvp" prg argbuf) )) )
++       (when (fx= r -1)
++	 (posix-error #:process-error 'process-execute "cannot execute process" filename) ) )))  )
+ 
+ (define-foreign-variable _wnohang int "WNOHANG")
+ (define-foreign-variable _wait-status int "C_wait_status")
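Review bot: The rewritten process-execute no longer calls (##sys#check-string filename 'process-execute) before using filename; the value now goes straight into pathname-strip-directory and ##sys#make-c-string inside call-with-exec-args. Please confirm that a non-string filename is still rejected with an error that names process-execute, or keep the explicit check as the first form of the new definition. The argument and environment lists are fine, since list->c-string-buffer runs ##sys#check-list and ##sys#check-string on them.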
+diff -r -u a/posixwin.scm b/posixwin.scm
+--- a/posixwin.scm	2016-12-22 14:06:40.016494788 -0500
++++ b/posixwin.scm	2016-12-22 14:06:55.961030020 -0500
+@@ -63,9 +63,9 @@
+ 
+ (declare
+   (unit posix)
+-  (uses scheduler irregex extras files ports)
++  (uses scheduler irregex extras files ports lolevel)
+   (disable-interrupts)
+-  (hide $quote-args-list $exec-setup $exec-teardown)
++  (hide quote-arg-string)
+   (not inline ##sys#interrupt-hook ##sys#user-interrupt-hook)
+   (foreign-declare #<<EOF
+ #ifndef WIN32_LEAN_AND_MEAN
+@@ -81,14 +81,8 @@
+ #include <utime.h>
+ #include <winsock2.h>
+ 
+-#define ARG_MAX		256
+ #define PIPE_BUF	512
+-#ifndef ENV_MAX
+-# define ENV_MAX	1024
+-#endif
+ 
+-static C_TLS char *C_exec_args[ ARG_MAX ];
+-static C_TLS char *C_exec_env[ ENV_MAX ];
+ static C_TLS struct group *C_group;
+ static C_TLS int C_pipefds[ 2 ];
+ static C_TLS time_t C_secs;
+@@ -218,39 +212,12 @@
+ 
+ #define C_lstat(fn)	    C_stat(fn)
+ 
+-static void C_fcall
+-C_set_arg_string(char **where, int i, char *dat, int len)
+-{
+-    char *ptr;
+-    if (dat)
+-    {
+-	ptr = (char *)C_malloc(len + 1);
+-	C_memcpy(ptr, dat, len);
+-	ptr[ len ] = '\0';
+-        /* Can't barf() here, so the NUL byte check happens in Scheme */
+-    }
+-    else
+-	ptr = NULL;
+-    where[ i ] = ptr;
+-}
+-
+-static void C_fcall
+-C_free_arg_string(char **where) {
+-  while (*where) C_free(*(where++));
+-}
+-
+-#define C_set_exec_arg(i, a, len)	C_set_arg_string(C_exec_args, i, a, len)
+-#define C_set_exec_env(i, a, len)	C_set_arg_string(C_exec_env, i, a, len)
+-
+-#define C_free_exec_args()		(C_free_arg_string(C_exec_args), C_SCHEME_TRUE)
+-#define C_free_exec_env()		(C_free_arg_string(C_exec_env), C_SCHEME_TRUE)
+-
+-#define C_execvp(f)	    C_fix(execvp(C_data_pointer(f), (const char *const *)C_exec_args))
+-#define C_execve(f)	    C_fix(execve(C_data_pointer(f), (const char *const *)C_exec_args, (const char *const *)C_exec_env))
++#define C_u_i_execvp(f,a)   C_fix(execvp(C_data_pointer(f), (const char *const *)C_c_pointer_vector_or_null(a)))
++#define C_u_i_execve(f,a,e) C_fix(execve(C_data_pointer(f), (const char *const *)C_c_pointer_vector_or_null(a), (const char *const *)C_c_pointer_vector_or_null(e)))
+ 
+ /* MS replacement for the fork-exec pair */
+-#define C_spawnvp(m, f)	    C_fix(spawnvp(C_unfix(m), C_data_pointer(f), (const char *const *)C_exec_args))
+-#define C_spawnvpe(m, f)    C_fix(spawnvpe(C_unfix(m), C_data_pointer(f), (const char *const *)C_exec_args, (const char *const *)C_exec_env))
++#define C_u_i_spawnvp(m,f,a) C_fix(spawnvp(C_unfix(m), C_data_pointer(f), (const char *const *)C_c_pointer_vector_or_null(a)))
++#define C_u_i_spawnvpe(m,f,a,e) C_fix(spawnvpe(C_unfix(m), C_data_pointer(f), (const char *const *)C_c_pointer_vector_or_null(a), (const char *const *)C_c_pointer_vector_or_null(e)))
+ 
+ #define C_open(fn, fl, m)   C_fix(open(C_c_string(fn), C_unfix(fl), C_unfix(m)))
+ #define C_read(fd, b, n)    C_fix(read(C_unfix(fd), C_data_pointer(b), C_unfix(n)))
+@@ -1161,74 +1128,45 @@
+ ; Windows uses a commandline style for process arguments. Thus any
+ ; arguments with embedded whitespace will parse incorrectly. Must
+ ; string-quote such arguments.
+-(define $quote-args-list
+-  (lambda (lst exactf)
+-    (if exactf
+-	lst
+-	(let ([needs-quoting?
+-					; This is essentially (string-any char-whitespace? s) but we don't
+-					; want a SRFI-13 dependency. (Do we?)
+-	       (lambda (s)
+-		 (let ([len (string-length s)])
+-		   (let loop ([i 0])
+-		     (cond
+-		      [(fx= i len) #f]
+-		      [(char-whitespace? (string-ref s i)) #t]
+-		      [else (loop (fx+ i 1))]))))])
+-	  (let loop ([ilst lst] [olst '()])
+-	    (if (null? ilst)
+-		(##sys#fast-reverse olst)
+-		(let ([str (car ilst)])
+-		  (loop
+-		   (cdr ilst)
+-		   (cons
+-		    (if (needs-quoting? str) (string-append "\"" str "\"") str)
+-		    olst)) ) ) ) ) ) ) )
+-
+-(define $exec-setup
+-  ;; NOTE: We use c-string here instead of scheme-object.
+-  ;; Because set_exec_* make a copy, this implies a double copy.
+-  ;; At least it's secure, we can worry about performance later, if at all
+-  (let ([setarg (foreign-lambda void "C_set_exec_arg" int c-string int)]
+-	[setenv (foreign-lambda void "C_set_exec_env" int c-string int)]
+-	[build-exec-argvec
+-	  (lambda (loc lst argvec-setter idx)
+-	    (if lst
+-	      (begin
+-		(##sys#check-list lst loc)
+-		(do ([l lst (cdr l)]
+-		     [i idx (fx+ i 1)] )
+-		    ((null? l) (argvec-setter i #f 0))
+-		  (let ([s (car l)])
+-		    (##sys#check-string s loc)
+-		    (argvec-setter i s (##sys#size s)) ) ) )
+-	      (argvec-setter idx #f 0) ) )])
+-    (lambda (loc filename arglst envlst exactf)
+-      (##sys#check-string filename loc)
+-      (let ([s (pathname-strip-directory filename)])
+-	(setarg 0 s (##sys#size s)) )
+-      (build-exec-argvec loc (and arglst ($quote-args-list arglst exactf)) setarg 1)
+-      (build-exec-argvec loc envlst setenv 0)
+-      (##core#inline "C_flushall")
+-      (##sys#make-c-string filename loc) ) ) )
+-
+-(define ($exec-teardown loc msg filename res)
+-  (##sys#update-errno)
+-  (##core#inline "C_free_exec_args")
+-  (##core#inline "C_free_exec_env")
+-  (if (fx= res -1)
+-      (##sys#error loc msg filename)
+-      res ) )
+-
+-(define (process-execute filename #!optional arglst envlst exactf)
+-  (let ([prg ($exec-setup 'process-execute filename arglst envlst exactf)])
+-    ($exec-teardown 'process-execute "cannot execute process" filename
+-      (if envlst (##core#inline "C_execve" prg) (##core#inline "C_execvp" prg))) ) )
+-
+-(define (process-spawn mode filename #!optional arglst envlst exactf)
+-  (let ([prg ($exec-setup 'process-spawn filename arglst envlst exactf)])
+-    ($exec-teardown 'process-spawn "cannot spawn process" filename
+-      (if envlst (##core#inline "C_spawnvpe" mode prg) (##core#inline "C_spawnvp" mode prg))) ) )
++(define quote-arg-string
++  (let ((needs-quoting?
++	 ;; This is essentially (string-any char-whitespace? s) but we
++	 ;; don't want a SRFI-13 dependency. (Do we?)
++	 (lambda (s)
++	   (let ((len (string-length s)))
++	     (let loop ((i 0))
++	       (cond
++		((fx= i len) #f)
++		((char-whitespace? (string-ref s i)) #t)
++		(else (loop (fx+ i 1)))) ) )) ))
++    (lambda (str)
++      (if (needs-quoting? str) (string-append "\"" str "\"") str) ) ) )
++
++(define (process-execute filename #!optional (arglist '()) envlist exactf)
++  (let ((argconv (if exactf (lambda (x) x) quote-arg-string)))
++    (call-with-exec-args
++     'process-execute filename argconv arglist envlist
++     (lambda (prg argbuf envbuf)
++       (##core#inline "C_flushall")
++       (let ((r (if envbuf
++		    (##core#inline "C_u_i_execve" prg argbuf envbuf)
++		    (##core#inline "C_u_i_execvp" prg argbuf) )) )
++	 (when (fx= r -1)
++	   (posix-error #:process-error 'process-execute "cannot execute process" filename) ) ) )) ) )
++
++(define (process-spawn mode filename #!optional (arglist '()) envlist exactf)
++  (let ((argconv (if exactf (lambda (x) x) quote-arg-string)))
++    (##sys#check-exact mode 'process-spawn)
++
++    (call-with-exec-args
++     'process-spawn filename argconv arglist envlist
++     (lambda (prg argbuf envbuf)
++       (##core#inline "C_flushall")
++       (let ((r (if envbuf
++		    (##core#inline "C_u_i_spawnvpe" mode prg argbuf envbuf)
++		    (##core#inline "C_u_i_spawnvp" mode prg argbuf) )) )
++	 (when (fx= r -1)
++	   (posix-error #:process-error 'process-spawn "cannot spawn process" filename) ) ) )) ) )
+ 
+ (define-foreign-variable _shlcmd c-string "C_shlcmd")
+ 
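Review bot: The new process-spawn drops the spawn result: the old version returned res from $exec-teardown whenever it was not -1, while here the body of the let is only (when (fx= r -1) ...), so a successful call returns an unspecified value instead of r. Suggest (if (fx= r -1) (posix-error ...) r) in the process-spawn lambda. Separately, quote-arg-string keeps the old rule of quoting only when whitespace is present, so an argument containing a double quote, or an empty string, still reaches the Windows command line unescaped whenever exactf is left at its default; that predates this patch but deserves a follow-up.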
+@@ -1277,7 +1215,11 @@
+     ; information for the system drives. i.e !C:=...
+     ; For now any environment is ignored.
+     (lambda (loc cmd args env stdoutf stdinf stderrf #!optional exactf)
+-      (let ([cmdlin (string-intersperse ($quote-args-list (cons cmd args) exactf))])
++      (let* ((arglist (cons cmd args))
++	     (cmdlin (string-intersperse
++		      (if exactf
++			  arglist
++			  (map quote-arg-string arglist)))))
+ 	(let-location ([handle int -1]
+ 		       [stdin_fd int -1] [stdout_fd int -1] [stderr_fd int -1])
+ 	  (let ([res
diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index 78f387faf..10e8b7c60 100644
--- a/gnu/packages/scheme.scm
+++ b/gnu/packages/scheme.scm
@@ -330,7 +330,9 @@ mashups, office (web agendas, mail clients, ...), etc.")
                                  version "/chicken-" version ".tar.gz"))
              (sha256
               (base32
-               "12ddyiikqknpr8h6llsxbg2fz75xnayvcnsvr1cwv8xnjn7jpp73"))))
+               "12ddyiikqknpr8h6llsxbg2fz75xnayvcnsvr1cwv8xnjn7jpp73"))
+             (patches
+              (search-patches "chicken-CVE-2016-6830+CVE-2016-6831.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:modules ((guix build gnu-build-system)
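Review bot: The patch added to the origin here edits posix-common.scm, posixunix.scm and posixwin.scm, while the source is the release tarball; please check that the build regenerates the C code from the patched .scm files rather than compiling any pre-generated C the tarball may ship, otherwise the package would build without the fix. Looking for C_u_i_execvp in the built posix unit is a quick way to confirm. A short comment next to (patches ...) saying the patch can be dropped once the package moves to a release containing the fix would also help.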
-- 
2.11.0



* Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
  2016-12-22 19:20   ` Kei Kebreau
@ 2016-12-24  6:32     ` Leo Famulari
  2016-12-24 19:23       ` Kei Kebreau
  0 siblings, 1 reply; 14+ messages in thread
From: Leo Famulari @ 2016-12-24  6:32 UTC (permalink / raw)
  To: Kei Kebreau; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1548 bytes --]

On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > On Fri, Dec 16, 2016 at 02:33:19PM -0500, Leo Famulari wrote:
> >> We fixed this bug in our guile-irregex package in commit fb73f07a0fe,
> >> but our chez-irregex and chicken packages are still vulnerable.
> >
> > Also note that (I believe) our chicken package is vulnerable to
> > CVE-2016-{6830,6831}:
> >
> > http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00002.html
> 
> The attached patch is currently being tested on my computer, but I
> suspect it will work.
> 
> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834845.
> 

> From 3423ef38ecab794f9601aa8ac63c6974d9db62d4 Mon Sep 17 00:00:00 2001
> From: Kei Kebreau <kei@openmailbox.org>
> Date: Thu, 22 Dec 2016 14:16:55 -0500
> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
> 
> * gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Use it.
> * gnu/packages/scheme.scm (chicken)[source]: Use it.

Thank you for looking into this!

Something like this patch is in CHICKEN 4.11.1:

https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea

And there is a patch for the IrRegex bug after the latest tag:

https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a

Can you try updating CHICKEN and applying that IrRegex patch?


* Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
  2016-12-24  6:32     ` Leo Famulari
@ 2016-12-24 19:23       ` Kei Kebreau
  2016-12-24 21:04         ` Leo Famulari
  0 siblings, 1 reply; 14+ messages in thread
From: Kei Kebreau @ 2016-12-24 19:23 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1833 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
>> Leo Famulari <leo@famulari.name> writes:
>> 
>> > On Fri, Dec 16, 2016 at 02:33:19PM -0500, Leo Famulari wrote:
>> >> We fixed this bug in our guile-irregex package in commit fb73f07a0fe,
>> >> but our chez-irregex and chicken packages are still vulnerable.
>> >
>> > Also note that (I believe) our chicken package is vulnerable to
>> > CVE-2016-{6830,6831}:
>> >
>> > http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00002.html
>> 
>> The attached patch is currently being tested on my computer, but I
>> suspect it will work.
>> 
>> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834845.
>> 
>
>> From 3423ef38ecab794f9601aa8ac63c6974d9db62d4 Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau <kei@openmailbox.org>
>> Date: Thu, 22 Dec 2016 14:16:55 -0500
>> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
>> 
>> * gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Use it.
>> * gnu/packages/scheme.scm (chicken)[source]: Use it.
>
> Thank you for looking into this!
>
> Something like this patch is in CHICKEN 4.11.1:
>
> https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
>
> And there is a patch for the IrRegex bug after the latest tag:
>
> https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
>
> Can you try updating CHICKEN and applying that IrRegex patch?

I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
binary due to its build system requirements. Do we have any objection to
bootstrapping CHICKEN 4.11.1 from version 4.11.0?


* Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
  2016-12-24 19:23       ` Kei Kebreau
@ 2016-12-24 21:04         ` Leo Famulari
  2016-12-25  1:59           ` Kei Kebreau
  0 siblings, 1 reply; 14+ messages in thread
From: Leo Famulari @ 2016-12-24 21:04 UTC (permalink / raw)
  To: Kei Kebreau; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1619 bytes --]

On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote:
> Leo Famulari <leo@famulari.name> writes:
> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
> >> 
> >> * gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
> >> * gnu/local.mk (dist_patch_DATA): Use it.
> >> * gnu/packages/scheme.scm (chicken)[source]: Use it.
> >
> > Thank you for looking into this!
> >
> > Something like this patch is in CHICKEN 4.11.1:
> >
> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
> >
> > And there is a patch for the IrRegex bug after the latest tag:
> >
> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
> >
> > Can you try updating CHICKEN and applying that IrRegex patch?
> 
> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
> binary due to its build system requirements. Do we have any objection to
> bootstrapping CHICKEN 4.11.1 from version 4.11.0?

Interesting!

I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1.

Changing the build system like that seems unusual for a minor point
release, and I don't see it documented in the 4.11.1 NEWS file:

https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3

One way or another, we should fix these bugs in our package. Thanks for
taking care of it :)


* Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
  2016-12-24 21:04         ` Leo Famulari
@ 2016-12-25  1:59           ` Kei Kebreau
  2016-12-25  5:38             ` Kei Kebreau
  2017-01-01 22:18             ` Leo Famulari
  0 siblings, 2 replies; 14+ messages in thread
From: Kei Kebreau @ 2016-12-25  1:59 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel


[-- Attachment #1.1: Type: text/plain, Size: 2043 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote:
>> Leo Famulari <leo@famulari.name> writes:
>> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
>> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
>> >> 
>> >> * gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
>> >> * gnu/local.mk (dist_patch_DATA): Use it.
>> >> * gnu/packages/scheme.scm (chicken)[source]: Use it.
>> >
>> > Thank you for looking into this!
>> >
>> > Something like this patch is in CHICKEN 4.11.1:
>> >
>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
>> >
>> > And there is a patch for the IrRegex bug after the latest tag:
>> >
>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
>> >
>> > Can you try updating CHICKEN and applying that IrRegex patch?
>> 
>> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
>> binary due to its build system requirements. Do we have any objection to
>> bootstrapping CHICKEN 4.11.1 from version 4.11.0?
>
> Interesting!
>
> I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1.
>
> Changing the build system like that seems unusual for a minor point
> release, and I don't see it documented in the 4.11.1 NEWS file:
>
> https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3
>

I must have phrased that too vaguely. It's just a "building from release
tarball vs from git checkout" thing, documented in the README file of
both releases. I've been having trouble with the seemingly identical
test suite using the attached WIP patch. Perhaps the dreary weather is
clouding my thoughts.

> One way or another, we should fix these bugs in our package. Thanks for
> taking care of it :)

You're welcome!


[-- Attachment #1.2: 0001-gnu-chicken-Update-to-4.11.1.patch --]
[-- Type: text/plain, Size: 3050 bytes --]

From 61803beae802f626e85e9fe089982c18837aaa08 Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Sat, 24 Dec 2016 20:52:45 -0500
Subject: [PATCH] gnu: chicken: Update to 4.11.1.

* gnu/packages/scheme.scm (chicken): Update to 4.11.1.
---
 gnu/packages/scheme.scm | 49 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 47 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index 78f387faf..4f9718ae7 100644
--- a/gnu/packages/scheme.scm
+++ b/gnu/packages/scheme.scm
@@ -320,9 +320,9 @@ applications in many fields such as multimedia (web galleries, music players,
 mashups, office (web agendas, mail clients, ...), etc.")
     (license gpl2+)))
 
-(define-public chicken
+(define chicken-4.11.0
   (package
-    (name "chicken")
+    (name "chicken-4.11.0")
     (version "4.11.0")
     (source (origin
              (method url-fetch)
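
Review bot: In the renamed definition, `(name "chicken-4.11.0")` puts the version into the package name while `(version "4.11.0")` is kept, so the version appears twice in the package's full name. The variable is no longer `define-public`, so the variable name `chicken-4.11.0` alone already keeps it apart from the new `chicken`; consider keeping `(name "chicken")` or choosing a name that says what the package is for, and add a comment that this older compiler is retained only to build 4.11.1 from git.
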
@@ -374,6 +374,51 @@ produces portable and efficient C, supports almost all of the R5RS Scheme
 language standard, and includes many enhancements and extensions.")
     (license bsd-3)))
 
+(define-public chicken
+  (package
+    (inherit chicken-4.11.0)
+    (name "chicken")
+    (version "4.11.1")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://code.call-cc.org/git/chicken-core.git")
+                    (commit version)))
+              (sha256
+               (base32
+                "1a0jxi5k2n2dx7zn9blynd9lg45v2w4jnh24d67lqazasricgs1k"))))
+    (arguments
+     `(;; No `configure' script; run "make check" after "make install" as
+       ;; prescribed by README.
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure)
+         (delete 'check)
+         (add-after 'install 'check
+           (assoc-ref %standard-phases 'check))
+         (add-after 'unpack 'disable-broken-tests
+           (lambda _
+             ;; The port tests fail with this error:
+             ;; Error: (line 294) invalid escape-sequence '\x o'
+             (substitute* "tests/runtests.sh"
+               (("\\$interpret -s port-tests\\.scm") ""))
+             #t)))
+
+       #:make-flags (let ((out (assoc-ref %outputs "out"))
+                          (chicken-binary
+                           (string-append
+                            (assoc-ref %build-inputs "chicken-4.11.0")
+                            "/bin/chicken")))
+                      (list "PLATFORM=linux"
+                            (string-append "PREFIX=" out)
+                            (string-append "VARDIR=" out "/var/lib")
+                            (string-append "CHICKEN=" chicken-binary)))
+
+       ;; Parallel builds are not supported, as noted in README.
+       #:parallel-build? #f))
+    (inputs
+     `(("chicken-4.11.0" ,chicken-4.11.0))))) ; necessary for building from git
+
 (define-public scheme48
   (package
     (name "scheme48")
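
Review bot: The bootstrap compiler is listed under `inputs` at the end of the new `chicken` definition, but the hunk uses it only at build time, as the value of the `CHICKEN=` make flag, so it belongs in `native-inputs`. Separately, the 'disable-broken-tests phase removes the port tests from tests/runtests.sh in an update whose purpose is security fixes; the comment records the error message but not whether the failure comes from building with the 4.11.0 binary or from the tests themselves, and that is worth stating (or reporting upstream) before the tests are silenced.
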
-- 
2.11.0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]


* Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
  2016-12-25  1:59           ` Kei Kebreau
@ 2016-12-25  5:38             ` Kei Kebreau
  2016-12-29  2:07               ` Kei Kebreau
  2017-01-01 22:18             ` Leo Famulari
  1 sibling, 1 reply; 14+ messages in thread
From: Kei Kebreau @ 2016-12-25  5:38 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel


[-- Attachment #1.1: Type: text/plain, Size: 2365 bytes --]

Kei Kebreau <kei@openmailbox.org> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote:
>>> Leo Famulari <leo@famulari.name> writes:
>>> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
>>> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
>>> >> 
>>> >> *
>>> >> gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch:
>>> >> New file.
>>> >> * gnu/local.mk (dist_patch_DATA): Use it.
>>> >> * gnu/packages/scheme.scm (chicken)[source]: Use it.
>>> >
>>> > Thank you for looking into this!
>>> >
>>> > Something like this patch is in CHICKEN 4.11.1:
>>> >
>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
>>> >
>>> > And there is a patch for the IrRegex bug after the latest tag:
>>> >
>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
>>> >
>>> > Can you try updating CHICKEN and applying that IrRegex patch?
>>> 
>>> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
>>> binary due to its build system requirements. Do we have any objection to
>>> bootstrapping CHICKEN 4.11.1 from version 4.11.0?
>>
>> Interesting!
>>
>> I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1.
>>
>> Changing the build system like that seems unusual for a minor point
>> release, and I don't see it documented in the 4.11.1 NEWS file:
>>
>> https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3
>>
>
> I must have phrased that too vaguely. It's just a "building from release
> tarball vs from git checkout" thing, documented in the README file of
> both releases. I've been having trouble with the seemingly identical
> test suite using the attached WIP patch. Perhaps the dreary weather is
> clouding my thoughts.
>

Update! I found a file "types.db" that is unwritable. However, changing
access permissions in the (hackish) way I've done in the patch makes the
build's hash time-dependent.

>> One way or another, we should fix these bugs in our package. Thanks for
>> taking care of it :)
>
> You're welcome!

Merry Grav-Mass, BTW. :)

[-- Attachment #1.2: 0001-gnu-chicken-Update-to-4.11.1.patch --]
[-- Type: text/plain, Size: 3218 bytes --]

From 0f55ac1274b30f714b9454d623d860ef6f710da6 Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Sun, 25 Dec 2016 00:31:53 -0500
Subject: [PATCH] gnu: chicken: Update to 4.11.1.

* gnu/packages/scheme.scm (chicken): Update to 4.11.1.
---
 gnu/packages/scheme.scm | 52 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 50 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index 78f387faf..0ad449ae2 100644
--- a/gnu/packages/scheme.scm
+++ b/gnu/packages/scheme.scm
@@ -320,9 +320,9 @@ applications in many fields such as multimedia (web galleries, music players,
 mashups, office (web agendas, mail clients, ...), etc.")
     (license gpl2+)))
 
-(define-public chicken
+(define chicken-4.11.0
   (package
-    (name "chicken")
+    (name "chicken-4.11.0")
     (version "4.11.0")
     (source (origin
              (method url-fetch)
@@ -374,6 +374,54 @@ produces portable and efficient C, supports almost all of the R5RS Scheme
 language standard, and includes many enhancements and extensions.")
     (license bsd-3)))
 
+(define-public chicken
+  (package
+    (inherit chicken-4.11.0)
+    (name "chicken")
+    (version "4.11.1")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://code.call-cc.org/git/chicken-core.git")
+                    (commit version)))
+              (sha256
+               (base32
+                "1a0jxi5k2n2dx7zn9blynd9lg45v2w4jnh24d67lqazasricgs1k"))))
+    (arguments
+     `(;; No `configure' script; run "make check" after "make install" as
+       ;; prescribed by README.
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure)
+         (delete 'check)
+         (add-after 'install 'check
+           (assoc-ref %standard-phases 'check))
+         (add-after 'unpack 'disable-broken-tests
+           (lambda _
+             ;; The port tests fail with this error:
+             ;; Error: (line 294) invalid escape-sequence '\x o'
+             (substitute* "tests/runtests.sh"
+               (("\\$interpret -s port-tests\\.scm") "")
+               (("mkdir -p test-repository")
+                (string-append "mkdir -p test-repository\n"
+                               "chmod 644 ../types.db")))
+             #t)))
+
+       #:make-flags (let ((out (assoc-ref %outputs "out"))
+                          (chicken-binary
+                           (string-append
+                            (assoc-ref %build-inputs "chicken-4.11.0")
+                            "/bin/chicken")))
+                      (list "PLATFORM=linux"
+                            (string-append "PREFIX=" out)
+                            (string-append "VARDIR=" out "/var/lib")
+                            (string-append "CHICKEN=" chicken-binary)))
+
+       ;; Parallel builds are not supported, as noted in README.
+       #:parallel-build? #f))
+    (inputs
+     `(("chicken-4.11.0" ,chicken-4.11.0))))) ; necessary for building from git
+
 (define-public scheme48
   (package
     (name "scheme48")
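
Review bot: In 'disable-broken-tests, the second `substitute*` clause splices `chmod 644 ../types.db` into tests/runtests.sh by matching the literal text "mkdir -p test-repository"; if that line changes upstream the clause matches nothing without any error, and the unwritable types.db failure comes back. Making the file writable in its own phase before 'check, with a comment on why types.db is unwritable, would be clearer than editing the test script, and the phase name no longer describes what this clause does.
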
-- 
2.11.0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]


* Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
  2016-12-25  5:38             ` Kei Kebreau
@ 2016-12-29  2:07               ` Kei Kebreau
  0 siblings, 0 replies; 14+ messages in thread
From: Kei Kebreau @ 2016-12-29  2:07 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel


[-- Attachment #1.1: Type: text/plain, Size: 2593 bytes --]

Kei Kebreau <kei@openmailbox.org> writes:

> Kei Kebreau <kei@openmailbox.org> writes:
>
>> Leo Famulari <leo@famulari.name> writes:
>>
>>> On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote:
>>>> Leo Famulari <leo@famulari.name> writes:
>>>> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
>>>> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
>>>> >> 
>>>> >> *
>>>> >> gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch:
>>>> >> New file.
>>>> >> * gnu/local.mk (dist_patch_DATA): Use it.
>>>> >> * gnu/packages/scheme.scm (chicken)[source]: Use it.
>>>> >
>>>> > Thank you for looking into this!
>>>> >
>>>> > Something like this patch is in CHICKEN 4.11.1:
>>>> >
>>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
>>>> >
>>>> > And there is a patch for the IrRegex bug after the latest tag:
>>>> >
>>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
>>>> >
>>>> > Can you try updating CHICKEN and applying that IrRegex patch?
>>>> 
>>>> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
>>>> binary due to its build system requirements. Do we have any objection to
>>>> bootstrapping CHICKEN 4.11.1 from version 4.11.0?
>>>
>>> Interesting!
>>>
>>> I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1.
>>>
>>> Changing the build system like that seems unusual for a minor point
>>> release, and I don't see it documented in the 4.11.1 NEWS file:
>>>
>>> https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3
>>>
>>
>> I must have phrased that too vaguely. It's just a "building from release
>> tarball vs from git checkout" thing, documented in the README file of
>> both releases. I've been having trouble with the seemingly identical
>> test suite using the attached WIP patch. Perhaps the dreary weather is
>> clouding my thoughts.
>>
>
> Update! I found a file "types.db" that is unwritable. However, changing
> access permissions in the (hackish) way I've done in the patch makes the
> build's hash time-dependent.
>
>>> One way or another, we should fix these bugs in our package. Thanks for
>>> taking care of it :)
>>
>> You're welcome!
>
> Merry Grav-Mass, BTW. :)

Here's the CVE patch on top of the chicken 4.11.1 one. I can't get this
git-based build to be reproducible, though.

[-- Attachment #1.2: 0001-gnu-chicken-Fix-CVE-2016-6830-6831.patch --]
[-- Type: text/plain, Size: 6827 bytes --]

From cb31f773829fe655d966db469aced7c1ad5bd2ed Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Wed, 28 Dec 2016 20:03:20 -0500
Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.

* gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
* gnu/local.mk (dist_patch_DATA): Use it.
* gnu/packages/scheme.scm (chicken)[source]: Use it.
---
 gnu/local.mk                                       |   1 +
 .../chicken-CVE-2016-6830+CVE-2016-6831.patch      | 116 +++++++++++++++++++++
 gnu/packages/scheme.scm                            |   4 +-
 3 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 106adb235..f21f6c0b9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -497,6 +497,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/calibre-drop-unrar.patch			\
   %D%/packages/patches/calibre-no-updates-dialog.patch		\
   %D%/packages/patches/cdparanoia-fpic.patch			\
+  %D%/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch	\
   %D%/packages/patches/chmlib-inttypes.patch			\
   %D%/packages/patches/clang-libc-search-path.patch		\
   %D%/packages/patches/clang-3.8-libc-search-path.patch		\
diff --git a/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
new file mode 100644
index 000000000..4865740d5
--- /dev/null
+++ b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
@@ -0,0 +1,116 @@
+From 2c419f18138c17767754b36d3b706cd71a55350a Mon Sep 17 00:00:00 2001
+From: Peter Bex <peter@more-magic.net>
+Date: Wed, 14 Dec 2016 20:25:25 +0100
+Subject: [PATCH] Update irregex to upstream 0.9.6
+
+This fixes a resource consumption vulnerability due to exponential
+memory use based on the depth of nested "+" patterns.
+
+Signed-off-by: Mario Domenech Goulart <mario@parenteses.org>
+---
+ NEWS                |  4 ++++
+ irregex-core.scm    | 32 ++++++++++++++++++--------------
+ irregex-utils.scm   |  2 +-
+ manual/Unit irregex |  2 +-
+ 4 files changed, 24 insertions(+), 16 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 052cf13..cbadd61 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,9 @@
+ 4.11.2
+ 
++- Security fixes
++  - Irregex has been updated to 0.9.6, which fixes an exponential
++    explosion in compilation of nested "+" patterns.
++
+ - Compiler:
+   - Fixed incorrect argvector restoration after GC in directly
+     recursive functions (#1317).
+diff --git a/irregex-core.scm b/irregex-core.scm
+index 2d6058c..01e027b 100644
+--- a/irregex-core.scm
++++ b/irregex-core.scm
+@@ -30,6 +30,8 @@
+ 
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;;;; History
++;; 0.9.6: 2016/12/05 - fixed exponential memory use of + in compilation
++;;                     of backtracking matcher.
+ ;; 0.9.5: 2016/09/10 - fixed a bug in irregex-fold handling of bow
+ ;; 0.9.4: 2015/12/14 - performance improvement for {n,m} matches
+ ;; 0.9.3: 2014/07/01 - R7RS library
+@@ -3170,16 +3172,7 @@
+               ((sre-empty? (sre-sequence (cdr sre)))
+                (error "invalid sre: empty *" sre))
+               (else
+-               (letrec
+-                   ((body
+-                     (lp (sre-sequence (cdr sre))
+-                         n
+-                         flags
+-                         (lambda (cnk init src str i end matches fail)
+-                           (body cnk init src str i end matches
+-                                 (lambda ()
+-                                   (next cnk init src str i end matches fail)
+-                                   ))))))
++               (let ((body (rec (list '+ (sre-sequence (cdr sre))))))
+                  (lambda (cnk init src str i end matches fail)
+                    (body cnk init src str i end matches
+                          (lambda ()
+@@ -3204,10 +3197,21 @@
+                          (lambda ()
+                            (body cnk init src str i end matches fail))))))))
+             ((+)
+-             (lp (sre-sequence (cdr sre))
+-                 n
+-                 flags
+-                 (rec (list '* (sre-sequence (cdr sre))))))
++             (cond
++              ((sre-empty? (sre-sequence (cdr sre)))
++               (error "invalid sre: empty +" sre))
++              (else
++               (letrec
++                   ((body
++                     (lp (sre-sequence (cdr sre))
++                         n
++                         flags
++                         (lambda (cnk init src str i end matches fail)
++                           (body cnk init src str i end matches
++                                 (lambda ()
++                                   (next cnk init src str i end matches fail)
++                                   ))))))
++                 body))))
+             ((=)
+              (rec `(** ,(cadr sre) ,(cadr sre) ,@(cddr sre))))
+             ((>=)
+diff --git a/irregex-utils.scm b/irregex-utils.scm
+index 8332791..a2195a9 100644
+--- a/irregex-utils.scm
++++ b/irregex-utils.scm
+@@ -89,7 +89,7 @@
+         (case (car x)
+           ((: seq)
+            (cond
+-            ((and (pair? (cddr x)) (pair? (cddr x)) (not (eq? x obj)))
++            ((and (pair? (cdr x)) (pair? (cddr x)) (not (eq? x obj)))
+              (display "(?:" out) (for-each lp (cdr x)) (display ")" out))
+             (else (for-each lp (cdr x)))))
+           ((submatch)
+diff --git a/manual/Unit irregex b/manual/Unit irregex
+index 7805273..7d59f89 100644
+--- a/manual/Unit irregex	
++++ b/manual/Unit irregex	
+@@ -825,7 +825,7 @@ doesn't help when irregex is able to build a DFA.
+ 
+ <procedure>(sre->string <sre>)</procedure>
+ 
+-Convert an SRE to a POSIX-style regular expression string, if
++Convert an SRE to a PCRE-style regular expression string, if
+ possible.
+ 
+ 
+-- 
+2.1.4
+
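
Review bot: The new file is named chicken-CVE-2016-6830+CVE-2016-6831.patch, but its content is upstream commit 2c419f18, "Update irregex to upstream 0.9.6", which fixes the exponential memory use of nested "+" patterns. Earlier in this thread that commit is described as the IrRegex fix, separate from the CVE-2016-{6830,6831} change already in 4.11.1, and the upstream report forwarded at the start of the thread gives the irregex issue as CVE-2016-9954. Name the file and the commit subject after the issue the patch actually fixes, so that a later audit for that CVE finds it. The embedded patch also carries hunks for NEWS (under a 4.11.2 heading) and "manual/Unit irregex"; confirm they apply to the 4.11.1 source or drop them and keep only the irregex-core.scm and irregex-utils.scm changes.
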
diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index 0ad449ae2..87c9fc413 100644
--- a/gnu/packages/scheme.scm
+++ b/gnu/packages/scheme.scm
@@ -386,7 +386,9 @@ language standard, and includes many enhancements and extensions.")
                     (commit version)))
               (sha256
                (base32
-                "1a0jxi5k2n2dx7zn9blynd9lg45v2w4jnh24d67lqazasricgs1k"))))
+                "1a0jxi5k2n2dx7zn9blynd9lg45v2w4jnh24d67lqazasricgs1k"))
+              (patches
+               (search-patches "chicken-CVE-2016-6830+CVE-2016-6831.patch"))))
     (arguments
      `(;; No `configure' script; run "make check" after "make install" as
        ;; prescribed by README.
-- 
2.11.0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]


* Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
  2016-12-25  1:59           ` Kei Kebreau
  2016-12-25  5:38             ` Kei Kebreau
@ 2017-01-01 22:18             ` Leo Famulari
  2017-01-02  4:04               ` Kei Kebreau
  2017-01-02  4:07               ` Kei Kebreau
  1 sibling, 2 replies; 14+ messages in thread
From: Leo Famulari @ 2017-01-01 22:18 UTC (permalink / raw)
  To: Kei Kebreau; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 2152 bytes --]

On Sat, Dec 24, 2016 at 08:59:59PM -0500, Kei Kebreau wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote:
> >> Leo Famulari <leo@famulari.name> writes:
> >> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
> >> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
> >> >> 
> >> >> * gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
> >> >> * gnu/local.mk (dist_patch_DATA): Use it.
> >> >> * gnu/packages/scheme.scm (chicken)[source]: Use it.
> >> >
> >> > Thank you for looking into this!
> >> >
> >> > Something like this patch is in CHICKEN 4.11.1:
> >> >
> >> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
> >> >
> >> > And there is a patch for the IrRegex bug after the latest tag:
> >> >
> >> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
> >> >
> >> > Can you try updating CHICKEN and applying that IrRegex patch?
> >> 
> >> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
> >> binary due to its build system requirements. Do we have any objection to
> >> bootstrapping CHICKEN 4.11.1 from version 4.11.0?
> >
> > Interesting!
> >
> > I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1.
> >
> > Changing the build system like that seems unusual for a minor point
> > release, and I don't see it documented in the 4.11.1 NEWS file:
> >
> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3
> >
> 
> I must have phrased that too vaguely. It's just a "building from release
> tarball vs from git checkout" thing, documented in the README file of
> both releases. I've been having trouble with the seemingly identical
> test suite using the attached WIP patch. Perhaps the dreary weather is
> clouding my thoughts.

How about using a development snapshot?

http://code.call-cc.org/dev-snapshots/

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]


* Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
  2017-01-01 22:18             ` Leo Famulari
@ 2017-01-02  4:04               ` Kei Kebreau
  2017-01-03  5:21                 ` Leo Famulari
  2017-01-02  4:07               ` Kei Kebreau
  1 sibling, 1 reply; 14+ messages in thread
From: Kei Kebreau @ 2017-01-02  4:04 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel


[-- Attachment #1.1: Type: text/plain, Size: 2368 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Sat, Dec 24, 2016 at 08:59:59PM -0500, Kei Kebreau wrote:
>> Leo Famulari <leo@famulari.name> writes:
>> 
>> > On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote:
>> >> Leo Famulari <leo@famulari.name> writes:
>> >> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
>> >> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
>> >> >> 
>> >> >> *
>> >> >> gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch:
>> >> >> New file.
>> >> >> * gnu/local.mk (dist_patch_DATA): Use it.
>> >> >> * gnu/packages/scheme.scm (chicken)[source]: Use it.
>> >> >
>> >> > Thank you for looking into this!
>> >> >
>> >> > Something like this patch is in CHICKEN 4.11.1:
>> >> >
>> >> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
>> >> >
>> >> > And there is a patch for the IrRegex bug after the latest tag:
>> >> >
>> >> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
>> >> >
>> >> > Can you try updating CHICKEN and applying that IrRegex patch?
>> >> 
>> >> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
>> >> binary due to its build system requirements. Do we have any objection to
>> >> bootstrapping CHICKEN 4.11.1 from version 4.11.0?
>> >
>> > Interesting!
>> >
>> > I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1.
>> >
>> > Changing the build system like that seems unusual for a minor point
>> > release, and I don't see it documented in the 4.11.1 NEWS file:
>> >
>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3
>> >
>> 
>> I must have phrased that too vaguely. It's just a "building from release
>> tarball vs from git checkout" thing, documented in the README file of
>> both releases. I've been having trouble with the seemingly identical
>> test suite using the attached WIP patch. Perhaps the dreary weather is
>> clouding my thoughts.
>
> How about using a development snapshot?
>
> http://code.call-cc.org/dev-snapshots/

Ah, this works excellently. Thanks for the pointer! The two attached
patches should do the trick.

[-- Attachment #1.2: 0001-gnu-chicken-Update-to-4.11.1.patch --]
[-- Type: text/plain, Size: 2107 bytes --]

From 41ce29321b21edc698a9ed2ce6dab09f2d190d50 Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Sun, 1 Jan 2017 21:49:04 -0500
Subject: [PATCH] gnu: chicken: Update to 4.11.1.

* gnu/packages/scheme.scm (chicken): Update to 4.11.1.
---
 gnu/packages/scheme.scm | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index 78f387faf..fd96869e2 100644
--- a/gnu/packages/scheme.scm
+++ b/gnu/packages/scheme.scm
@@ -323,14 +323,14 @@ mashups, office (web agendas, mail clients, ...), etc.")
 (define-public chicken
   (package
     (name "chicken")
-    (version "4.11.0")
+    (version "4.11.1")
     (source (origin
              (method url-fetch)
-             (uri (string-append "http://code.call-cc.org/releases/"
-                                 version "/chicken-" version ".tar.gz"))
+             (uri (string-append "http://code.call-cc.org/dev-snapshots/"
+                                 "/2016/09/12/chicken-" version ".tar.gz"))
              (sha256
               (base32
-               "12ddyiikqknpr8h6llsxbg2fz75xnayvcnsvr1cwv8xnjn7jpp73"))))
+               "1rwymbbmnwdyhdzilv9w75an989xw9kjf3x52iqdng3nphpflcga"))))
     (build-system gnu-build-system)
     (arguments
      `(#:modules ((guix build gnu-build-system)
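
Review bot: The new `uri` concatenates "http://code.call-cc.org/dev-snapshots/" with "/2016/09/12/chicken-", which puts a double slash in the URL; drop one of the two. The snapshot date 2016/09/12 is hard-coded while `version` is interpolated, so a later version bump will build a URL that does not exist unless the date is changed as well; a comment tying the snapshot directory to this version would help. The download also stays on plain http, which leaves the sha256 as the only integrity check on the tarball; other links in this thread already use https for the same host.
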
@@ -344,14 +344,7 @@ mashups, office (web agendas, mail clients, ...), etc.")
          (delete 'configure)
          (delete 'check)
          (add-after 'install 'check
-           (assoc-ref %standard-phases 'check))
-         (add-after 'unpack 'disable-broken-tests
-           (lambda _
-             ;; The port tests fail with this error:
-             ;; Error: (line 294) invalid escape-sequence '\x o'
-             (substitute* "tests/runtests.sh"
-               (("\\$interpret -s port-tests\\.scm") ""))
-             #t)))
+           (assoc-ref %standard-phases 'check)))
 
        #:make-flags (let ((out (assoc-ref %outputs "out")))
                       (list "PLATFORM=linux"
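
Review bot: The commit message says only "Update to 4.11.1", but the removal of the 'disable-broken-tests phase here re-enables the port tests, and the source moves from a release tarball to a development snapshot. List both in the changelog entry (for example as `[source]` and `[arguments]` items) so the reason the workaround could be dropped is recorded.
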
-- 
2.11.0


[-- Attachment #1.3: 0001-gnu-chicken-Fix-CVE-2016-6830-6831.patch --]
[-- Type: text/plain, Size: 6883 bytes --]

From bd9b1255d37c2f9b2d6af61d1ad01e0a5c58838e Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Sun, 1 Jan 2017 23:02:53 -0500
Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.

* gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
* gnu/local.mk (dist_patch_DATA): Use it.
* gnu/packages/scheme.scm (chicken)[source]: Use it.
---
 gnu/local.mk                                       |  1 +
 .../chicken-CVE-2016-6830+CVE-2016-6831.patch      | 84 ++++++++++++++++++++++
 gnu/packages/scheme.scm                            |  4 +-
 3 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 6ab1c1c48..0c42f9f44 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -497,6 +497,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/calibre-drop-unrar.patch			\
   %D%/packages/patches/calibre-no-updates-dialog.patch		\
   %D%/packages/patches/cdparanoia-fpic.patch			\
+  %D%/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch	\
   %D%/packages/patches/chmlib-inttypes.patch			\
   %D%/packages/patches/clang-libc-search-path.patch		\
   %D%/packages/patches/clang-3.8-libc-search-path.patch		\
diff --git a/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
new file mode 100644
index 000000000..43d6b579b
--- /dev/null
+++ b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
@@ -0,0 +1,84 @@
+Patch by Kei Kebreau, adapted from
+https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
+
+diff -ur a/irregex-core.scm b/irregex-core.scm
+--- a/irregex-core.scm	2016-09-11 19:03:00.000000000 -0400
++++ b/irregex-core.scm	2017-01-01 22:24:08.416587807 -0500
+@@ -30,6 +30,8 @@
+ 
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;;;; History
++;; 0.9.6: 2016/12/05 - fixed exponential memory use of + in compilation
++;;                     of backtracking matcher.
+ ;; 0.9.5: 2016/09/10 - fixed a bug in irregex-fold handling of bow
+ ;; 0.9.4: 2015/12/14 - performance improvement for {n,m} matches
+ ;; 0.9.3: 2014/07/01 - R7RS library
+@@ -3170,16 +3172,7 @@
+               ((sre-empty? (sre-sequence (cdr sre)))
+                (error "invalid sre: empty *" sre))
+               (else
+-               (letrec
+-                   ((body
+-                     (lp (sre-sequence (cdr sre))
+-                         n
+-                         flags
+-                         (lambda (cnk init src str i end matches fail)
+-                           (body cnk init src str i end matches
+-                                 (lambda ()
+-                                   (next cnk init src str i end matches fail)
+-                                   ))))))
++               (let ((body (rec (list '+ (sre-sequence (cdr sre))))))
+                  (lambda (cnk init src str i end matches fail)
+                    (body cnk init src str i end matches
+                          (lambda ()
+@@ -3204,10 +3197,21 @@
+                          (lambda ()
+                            (body cnk init src str i end matches fail))))))))
+             ((+)
+-             (lp (sre-sequence (cdr sre))
+-                 n
+-                 flags
+-                 (rec (list '* (sre-sequence (cdr sre))))))
++             (cond
++              ((sre-empty? (sre-sequence (cdr sre)))
++               (error "invalid sre: empty +" sre))
++              (else
++               (letrec
++                   ((body
++                     (lp (sre-sequence (cdr sre))
++                         n
++                         flags
++                         (lambda (cnk init src str i end matches fail)
++                           (body cnk init src str i end matches
++                                 (lambda ()
++                                   (next cnk init src str i end matches fail)
++                                   ))))))
++                 body))))
+             ((=)
+              (rec `(** ,(cadr sre) ,(cadr sre) ,@(cddr sre))))
+             ((>=)
+diff -ur a/irregex-utils.scm b/irregex-utils.scm
+--- a/irregex-utils.scm	2016-09-11 19:03:00.000000000 -0400
++++ b/irregex-utils.scm	2017-01-01 22:25:25.447219474 -0500
+@@ -89,7 +89,7 @@
+         (case (car x)
+           ((: seq)
+            (cond
+-            ((and (pair? (cddr x)) (pair? (cddr x)) (not (eq? x obj)))
++            ((and (pair? (cdr x)) (pair? (cddr x)) (not (eq? x obj)))
+              (display "(?:" out) (for-each lp (cdr x)) (display ")" out))
+             (else (for-each lp (cdr x)))))
+           ((submatch)
+diff -ur "a/manual-html/Unit irregex.html" "b/manual-html/Unit irregex.html"
+--- "a/manual-html/Unit irregex.html"	2016-09-11 19:10:47.000000000 -0400
++++ "b/manual-html/Unit irregex.html"	2017-01-01 22:26:05.100574188 -0500
+@@ -353,6 +353,6 @@
+ <dd class="defsig"><p>Returns an optimized SRE matching any of the literal strings in the list, like Emacs' <tt>regexp-opt</tt>.  Note this optimization doesn't help when irregex is able to build a DFA.</p></dd>
+ </dl>
+ <h5 id="sec:sre-.3estring"><a href="#sec:sre-.3estring">sre-&gt;string</a></h5><dl class="defsig"><dt class="defsig" id="def:sre-.3estring"><span class="sig"><tt>(sre-&gt;string &lt;sre&gt;)</tt></span> <span class="type">procedure</span></dt>
+-<dd class="defsig"><p>Convert an SRE to a POSIX-style regular expression string, if possible.</p></dd>
++<dd class="defsig"><p>Convert an SRE to a PCRE-style regular expression string, if possible.</p></dd>
+ </dl>
+-<hr /><p>Previous: <a href="Unit%20extras.html">Unit extras</a></p><p>Next: <a href="Unit%20srfi-1.html">Unit srfi-1</a></p></div></div></body>
+\ No newline at end of file
++<hr /><p>Previous: <a href="Unit%20extras.html">Unit extras</a></p><p>Next: <a href="Unit%20srfi-1.html">Unit srfi-1</a></p></div></div></body>
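Review bot: the embedded patch carries two changes beyond the memory-use fix that its 0.9.6 history entry describes: the irregex-utils.scm hunk at line 89 (the duplicated "(pair? (cddr x))" test) and the "Unit irregex.html" hunk, which only rewords POSIX-style to PCRE-style and adds a trailing newline. For a security patch kept in the package tree I would drop those two, or say in the header that they come along from the upstream commit, so the file can be checked against the fix alone. The header also gives only the author and the upstream URL; it should name the CVE and say in a sentence what the irregex-core.scm hunks change, including that an empty "+" now raises "invalid sre: empty +".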
diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index fd96869e2..1fa2e7013 100644
--- a/gnu/packages/scheme.scm
+++ b/gnu/packages/scheme.scm
@@ -330,7 +330,9 @@ mashups, office (web agendas, mail clients, ...), etc.")
                                  "/2016/09/12/chicken-" version ".tar.gz"))
              (sha256
               (base32
-               "1rwymbbmnwdyhdzilv9w75an989xw9kjf3x52iqdng3nphpflcga"))))
+               "1rwymbbmnwdyhdzilv9w75an989xw9kjf3x52iqdng3nphpflcga"))
+             (patches
+              (search-patches "chicken-CVE-2016-6830+CVE-2016-6831.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:modules ((guix build gnu-build-system)
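Review bot: search-patches here lists only "chicken-CVE-2016-6830+CVE-2016-6831.patch", while the new 84-line file earlier in this patch contains the irregex 0.9.6 change (exponential memory use of +), which the thread identifies as CVE-2016-9954. If that file is a separate patch, it has to be added to this list or it is never applied; if it is this same file, the name should include the irregex CVE so the package definition shows which issues are covered.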
-- 
2.11.0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]


* Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
  2017-01-01 22:18             ` Leo Famulari
  2017-01-02  4:04               ` Kei Kebreau
@ 2017-01-02  4:07               ` Kei Kebreau
  1 sibling, 0 replies; 14+ messages in thread
From: Kei Kebreau @ 2017-01-02  4:07 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 124 bytes --]

Leo Famulari <leo@famulari.name> writes:

Also, chicken's compiler doesn't work because it can't find gcc. Just a
heads up.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]


* Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
  2017-01-02  4:04               ` Kei Kebreau
@ 2017-01-03  5:21                 ` Leo Famulari
  2017-01-03 13:36                   ` Kei Kebreau
  0 siblings, 1 reply; 14+ messages in thread
From: Leo Famulari @ 2017-01-03  5:21 UTC (permalink / raw)
  To: Kei Kebreau; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 896 bytes --]

On Sun, Jan 01, 2017 at 11:04:33PM -0500, Kei Kebreau wrote:
> Ah, this works excellently. Thanks for the pointer! The two attached
> patches should do the trick.

> From 41ce29321b21edc698a9ed2ce6dab09f2d190d50 Mon Sep 17 00:00:00 2001
> From: Kei Kebreau <kei@openmailbox.org>
> Date: Sun, 1 Jan 2017 21:49:04 -0500
> Subject: [PATCH] gnu: chicken: Update to 4.11.1.
> 
> * gnu/packages/scheme.scm (chicken): Update to 4.11.1.

>      (source (origin
>               (method url-fetch)
> -             (uri (string-append "http://code.call-cc.org/releases/"
> -                                 version "/chicken-" version ".tar.gz"))
> +             (uri (string-append "http://code.call-cc.org/dev-snapshots/"
> +                                 "/2016/09/12/chicken-" version ".tar.gz"))
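
Review bot: the new URI ends its first string with a slash ("dev-snapshots/") and starts the second with one ("/2016/09/12/chicken-"), so string-append yields "dev-snapshots//2016/09/12/chicken-..."; drop one of the two slashes. The snapshot date 2016/09/12 is also hard-coded next to version, so a later version bump needs the date changed with it, and a short comment saying so would help.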

I'd leave both URIs there, to make it easier on future readers.

Otherwise, LGTM!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]


* Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
  2017-01-03  5:21                 ` Leo Famulari
@ 2017-01-03 13:36                   ` Kei Kebreau
  0 siblings, 0 replies; 14+ messages in thread
From: Kei Kebreau @ 2017-01-03 13:36 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 997 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Sun, Jan 01, 2017 at 11:04:33PM -0500, Kei Kebreau wrote:
>> Ah, this works excellently. Thanks for the pointer! The two attached
>> patches should do the trick.
>
>> From 41ce29321b21edc698a9ed2ce6dab09f2d190d50 Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau <kei@openmailbox.org>
>> Date: Sun, 1 Jan 2017 21:49:04 -0500
>> Subject: [PATCH] gnu: chicken: Update to 4.11.1.
>> 
>> * gnu/packages/scheme.scm (chicken): Update to 4.11.1.
>
>>      (source (origin
>>               (method url-fetch)
>> -             (uri (string-append "http://code.call-cc.org/releases/"
>> -                                 version "/chicken-" version ".tar.gz"))
>> +             (uri (string-append "http://code.call-cc.org/dev-snapshots/"
>> +                                 "/2016/09/12/chicken-" version ".tar.gz"))
>
> I'd leave both URIs there, to make it easier on future readers.
>
> Otherwise, LGTM!

Amended and pushed to master!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]


Thread overview: 14+ messages
2016-12-16 19:33 [peter@more-magic.net: Irregex packages should be updated to 0.9.6] Leo Famulari
2016-12-16 19:36 ` Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]] Leo Famulari
2016-12-22 19:20   ` Kei Kebreau
2016-12-24  6:32     ` Leo Famulari
2016-12-24 19:23       ` Kei Kebreau
2016-12-24 21:04         ` Leo Famulari
2016-12-25  1:59           ` Kei Kebreau
2016-12-25  5:38             ` Kei Kebreau
2016-12-29  2:07               ` Kei Kebreau
2017-01-01 22:18             ` Leo Famulari
2017-01-02  4:04               ` Kei Kebreau
2017-01-03  5:21                 ` Leo Famulari
2017-01-03 13:36                   ` Kei Kebreau
2017-01-02  4:07               ` Kei Kebreau
