From: Kei Kebreau <kei@openmailbox.org>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
Date: Sun, 01 Jan 2017 23:04:33 -0500
Message-ID: <87h95if6pa.fsf@openmailbox.org>
In-Reply-To: <20170101221859.GA29114@jasmine> (Leo Famulari's message of "Sun, 1 Jan 2017 17:18:59 -0500")
[-- Attachment #1.1: Type: text/plain, Size: 2368 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Sat, Dec 24, 2016 at 08:59:59PM -0500, Kei Kebreau wrote:
>> Leo Famulari <leo@famulari.name> writes:
>>
>> > On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote:
>> >> Leo Famulari <leo@famulari.name> writes:
>> >> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
>> >> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
>> >> >>
>> >> >> *
>> >> >> gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch:
>> >> >> New file.
>> >> >> * gnu/local.mk (dist_patch_DATA): Use it.
>> >> >> * gnu/packages/scheme.scm (chicken)[source]: Use it.
>> >> >
>> >> > Thank you for looking into this!
>> >> >
>> >> > Something like this patch is in CHICKEN 4.11.1:
>> >> >
>> >> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
>> >> >
>> >> > And there is a patch for the IrRegex bug after the latest tag:
>> >> >
>> >> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
>> >> >
>> >> > Can you try updating CHICKEN and applying that IrRegex patch?
>> >>
>> >> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
>> >> binary due to its build system requirements. Do we have any objection to
>> >> bootstrapping CHICKEN 4.11.1 from version 4.11.0?
>> >
>> > Interesting!
>> >
>> > I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1.
>> >
>> > Changing the build system like that seems unusual for a minor point
>> > release, and I don't see it documented in the 4.11.1 NEWS file:
>> >
>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3
>> >
>>
>> I must have phrased that too vaguely. It's just a "building from release
>> tarball vs from git checkout" thing, documented in the README file of
>> both releases. I've been having trouble with the seemingly identical
>> test suite using the attached WIP patch. Perhaps the dreary weather is
>> clouding my thoughts.
>
> How about using a development snapshot?
>
> http://code.call-cc.org/dev-snapshots/
Ah, this works excellently. Thanks for the pointer! The two attached
patches should do the trick.
[-- Attachment #1.2: 0001-gnu-chicken-Update-to-4.11.1.patch --]
[-- Type: text/plain, Size: 2107 bytes --]
From 41ce29321b21edc698a9ed2ce6dab09f2d190d50 Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Sun, 1 Jan 2017 21:49:04 -0500
Subject: [PATCH] gnu: chicken: Update to 4.11.1.
* gnu/packages/scheme.scm (chicken): Update to 4.11.1.
---
gnu/packages/scheme.scm | 17 +++++------------
1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index 78f387faf..fd96869e2 100644
--- a/gnu/packages/scheme.scm
+++ b/gnu/packages/scheme.scm
@@ -323,14 +323,14 @@ mashups, office (web agendas, mail clients, ...), etc.")
(define-public chicken
(package
(name "chicken")
- (version "4.11.0")
+ (version "4.11.1")
(source (origin
(method url-fetch)
- (uri (string-append "http://code.call-cc.org/releases/"
- version "/chicken-" version ".tar.gz"))
+ (uri (string-append "http://code.call-cc.org/dev-snapshots/"
+ "/2016/09/12/chicken-" version ".tar.gz"))
(sha256
(base32
- "12ddyiikqknpr8h6llsxbg2fz75xnayvcnsvr1cwv8xnjn7jpp73"))))
+ "1rwymbbmnwdyhdzilv9w75an989xw9kjf3x52iqdng3nphpflcga"))))
(build-system gnu-build-system)
(arguments
`(#:modules ((guix build gnu-build-system)
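Review bot: The new URI joins "http://code.call-cc.org/dev-snapshots/" and "/2016/09/12/chicken-", which produces a double slash ("dev-snapshots//2016/09/12/..."); drop the leading slash from the second string. The snapshot date is also hard-coded independently of `version', so any later version bump has to change the date as well; a short comment above the URI explaining why the source comes from dev-snapshots rather than releases would make that visible to the next person updating the package.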
@@ -344,14 +344,7 @@ mashups, office (web agendas, mail clients, ...), etc.")
(delete 'configure)
(delete 'check)
(add-after 'install 'check
- (assoc-ref %standard-phases 'check))
- (add-after 'unpack 'disable-broken-tests
- (lambda _
- ;; The port tests fail with this error:
- ;; Error: (line 294) invalid escape-sequence '\x o'
- (substitute* "tests/runtests.sh"
- (("\\$interpret -s port-tests\\.scm") ""))
- #t)))
+ (assoc-ref %standard-phases 'check)))
#:make-flags (let ((out (assoc-ref %outputs "out")))
(list "PLATFORM=linux"
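Review bot: The removal of the 'disable-broken-tests phase is not recorded in the commit log, which only says "Update to 4.11.1". Add an entry such as "[arguments]: Remove 'disable-broken-tests phase." and confirm the port tests pass with this tarball, since dropping the phase re-enables "$interpret -s port-tests.scm" in tests/runtests.sh.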
--
2.11.0
[-- Attachment #1.3: 0001-gnu-chicken-Fix-CVE-2016-6830-6831.patch --]
[-- Type: text/plain, Size: 6883 bytes --]
From bd9b1255d37c2f9b2d6af61d1ad01e0a5c58838e Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Sun, 1 Jan 2017 23:02:53 -0500
Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
* gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
* gnu/local.mk (dist_patch_DATA): Use it.
* gnu/packages/scheme.scm (chicken)[source]: Use it.
---
gnu/local.mk | 1 +
.../chicken-CVE-2016-6830+CVE-2016-6831.patch | 84 ++++++++++++++++++++++
gnu/packages/scheme.scm | 4 +-
3 files changed, 88 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 6ab1c1c48..0c42f9f44 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -497,6 +497,7 @@ dist_patch_DATA = \
%D%/packages/patches/calibre-drop-unrar.patch \
%D%/packages/patches/calibre-no-updates-dialog.patch \
%D%/packages/patches/cdparanoia-fpic.patch \
+ %D%/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch \
%D%/packages/patches/chmlib-inttypes.patch \
%D%/packages/patches/clang-libc-search-path.patch \
%D%/packages/patches/clang-3.8-libc-search-path.patch \
diff --git a/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
new file mode 100644
index 000000000..43d6b579b
--- /dev/null
+++ b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
@@ -0,0 +1,84 @@
+Patch by Kei Kebreau, adapted from
+https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
+
+diff -ur a/irregex-core.scm b/irregex-core.scm
+--- a/irregex-core.scm 2016-09-11 19:03:00.000000000 -0400
++++ b/irregex-core.scm 2017-01-01 22:24:08.416587807 -0500
+@@ -30,6 +30,8 @@
+
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;;;; History
++;; 0.9.6: 2016/12/05 - fixed exponential memory use of + in compilation
++;; of backtracking matcher.
+ ;; 0.9.5: 2016/09/10 - fixed a bug in irregex-fold handling of bow
+ ;; 0.9.4: 2015/12/14 - performance improvement for {n,m} matches
+ ;; 0.9.3: 2014/07/01 - R7RS library
+@@ -3170,16 +3172,7 @@
+ ((sre-empty? (sre-sequence (cdr sre)))
+ (error "invalid sre: empty *" sre))
+ (else
+- (letrec
+- ((body
+- (lp (sre-sequence (cdr sre))
+- n
+- flags
+- (lambda (cnk init src str i end matches fail)
+- (body cnk init src str i end matches
+- (lambda ()
+- (next cnk init src str i end matches fail)
+- ))))))
++ (let ((body (rec (list '+ (sre-sequence (cdr sre))))))
+ (lambda (cnk init src str i end matches fail)
+ (body cnk init src str i end matches
+ (lambda ()
+@@ -3204,10 +3197,21 @@
+ (lambda ()
+ (body cnk init src str i end matches fail))))))))
+ ((+)
+- (lp (sre-sequence (cdr sre))
+- n
+- flags
+- (rec (list '* (sre-sequence (cdr sre))))))
++ (cond
++ ((sre-empty? (sre-sequence (cdr sre)))
++ (error "invalid sre: empty +" sre))
++ (else
++ (letrec
++ ((body
++ (lp (sre-sequence (cdr sre))
++ n
++ flags
++ (lambda (cnk init src str i end matches fail)
++ (body cnk init src str i end matches
++ (lambda ()
++ (next cnk init src str i end matches fail)
++ ))))))
++ body))))
+ ((=)
+ (rec `(** ,(cadr sre) ,(cadr sre) ,@(cddr sre))))
+ ((>=)
+diff -ur a/irregex-utils.scm b/irregex-utils.scm
+--- a/irregex-utils.scm 2016-09-11 19:03:00.000000000 -0400
++++ b/irregex-utils.scm 2017-01-01 22:25:25.447219474 -0500
+@@ -89,7 +89,7 @@
+ (case (car x)
+ ((: seq)
+ (cond
+- ((and (pair? (cddr x)) (pair? (cddr x)) (not (eq? x obj)))
++ ((and (pair? (cdr x)) (pair? (cddr x)) (not (eq? x obj)))
+ (display "(?:" out) (for-each lp (cdr x)) (display ")" out))
+ (else (for-each lp (cdr x)))))
+ ((submatch)
+diff -ur "a/manual-html/Unit irregex.html" "b/manual-html/Unit irregex.html"
+--- "a/manual-html/Unit irregex.html" 2016-09-11 19:10:47.000000000 -0400
++++ "b/manual-html/Unit irregex.html" 2017-01-01 22:26:05.100574188 -0500
+@@ -353,6 +353,6 @@
+ <dd class="defsig"><p>Returns an optimized SRE matching any of the literal strings in the list, like Emacs' <tt>regexp-opt</tt>. Note this optimization doesn't help when irregex is able to build a DFA.</p></dd>
+ </dl>
+ <h5 id="sec:sre-.3estring"><a href="#sec:sre-.3estring">sre->string</a></h5><dl class="defsig"><dt class="defsig" id="def:sre-.3estring"><span class="sig"><tt>(sre->string <sre>)</tt></span> <span class="type">procedure</span></dt>
+-<dd class="defsig"><p>Convert an SRE to a POSIX-style regular expression string, if possible.</p></dd>
++<dd class="defsig"><p>Convert an SRE to a PCRE-style regular expression string, if possible.</p></dd>
+ </dl>
+-<hr /><p>Previous: <a href="Unit%20extras.html">Unit extras</a></p><p>Next: <a href="Unit%20srfi-1.html">Unit srfi-1</a></p></div></div></body>
+\ No newline at end of file
++<hr /><p>Previous: <a href="Unit%20extras.html">Unit extras</a></p><p>Next: <a href="Unit%20srfi-1.html">Unit srfi-1</a></p></div></div></body>
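Review bot: The file name and commit subject claim CVE-2016-6830 and CVE-2016-6831, but the embedded diff carries only the irregex change adapted from upstream commit 2c419f18 (the 0.9.6 history entry, "fixed exponential memory use of + in compilation of backtracking matcher"), and the header never says which CVE that change corresponds to. Name the file and subject after what the patch actually fixes and state the identifier in the header next to the upstream link. The irregex-utils.scm change and the "Unit irregex.html" wording and end-of-file newline changes appear unrelated to the memory-use fix and could be dropped to keep the patch minimal.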
diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index fd96869e2..1fa2e7013 100644
--- a/gnu/packages/scheme.scm
+++ b/gnu/packages/scheme.scm
@@ -330,7 +330,9 @@ mashups, office (web agendas, mail clients, ...), etc.")
"/2016/09/12/chicken-" version ".tar.gz"))
(sha256
(base32
- "1rwymbbmnwdyhdzilv9w75an989xw9kjf3x52iqdng3nphpflcga"))))
+ "1rwymbbmnwdyhdzilv9w75an989xw9kjf3x52iqdng3nphpflcga"))
+ (patches
+ (search-patches "chicken-CVE-2016-6830+CVE-2016-6831.patch"))))
(build-system gnu-build-system)
(arguments
`(#:modules ((guix build gnu-build-system)
--
2.11.0
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]