From: Kei Kebreau
Subject: Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
Date: Sun, 01 Jan 2017 23:04:33 -0500
Message-ID: <87h95if6pa.fsf@openmailbox.org>
In-Reply-To: <20170101221859.GA29114@jasmine> (Leo Famulari's message of "Sun, 1 Jan 2017 17:18:59 -0500")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> On Sat, Dec 24, 2016 at 08:59:59PM -0500, Kei Kebreau wrote:
>> Leo Famulari writes:
>>
>> > On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote:
>> >> Leo Famulari writes:
>> >> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
>> >> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
>> >> >>
>> >> >> *
>> >> >> gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch:
>> >> >> New file.
>> >> >> * gnu/local.mk (dist_patch_DATA): Use it.
>> >> >> * gnu/packages/scheme.scm (chicken)[source]: Use it.
>> >> >
>> >> > Thank you for looking into this!
>> >> >
>> >> > Something like this patch is in CHICKEN 4.11.1:
>> >> >
>> >> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
>> >> >
>> >> > And there is a patch for the IrRegex bug after the latest tag:
>> >> >
>> >> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
>> >> >
>> >> > Can you try updating CHICKEN and applying that IrRegex patch?
>> >>
>> >> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
>> >> binary due to its build system requirements. Do we have any objection to
>> >> bootstrapping CHICKEN 4.11.1 from version 4.11.0?
>> >
>> > Interesting!
>> >
>> > I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1.
>> >
>> > Changing the build system like that seems unusual for a minor point
>> > release, and I don't see it documented in the 4.11.1 NEWS file:
>> >
>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3
>> >
>>
>> I must have phrased that too vaguely. It's just a "building from release
>> tarball vs from git checkout" thing, documented in the README file of
>> both releases. I've been having trouble with the seemingly identical
>> test suite using the attached WIP patch. Perhaps the dreary weather is
>> clouding my thoughts.
>
> How about using a development snapshot?
>
> http://code.call-cc.org/dev-snapshots/

Ah, this works excellently. Thanks for the pointer!

The two attached patches should do the trick.

--=-=-= Content-Type: text/plain Content-Disposition: attachment; filename=0001-gnu-chicken-Update-to-4.11.1.patch Content-Transfer-Encoding: quoted-printable From=2041ce29321b21edc698a9ed2ce6dab09f2d190d50 Mon Sep 17 00:00:00 2001 From: Kei Kebreau Date: Sun, 1 Jan 2017 21:49:04 -0500 Subject: [PATCH] gnu: chicken: Update to 4.11.1. * gnu/packages/scheme.scm (chicken): Update to 4.11.1. =2D-- gnu/packages/scheme.scm | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm index 78f387faf..fd96869e2 100644 =2D-- a/gnu/packages/scheme.scm +++ b/gnu/packages/scheme.scm 
@@ -323,14 +323,14 @@ mashups, office (web agendas, mail clients, ...), etc= .") (define-public chicken (package (name "chicken") =2D (version "4.11.0") + (version "4.11.1") (source (origin (method url-fetch) =2D (uri (string-append "http://code.call-cc.org/releases/" =2D version "/chicken-" version ".tar.gz")) + (uri (string-append "http://code.call-cc.org/dev-snapshots/" + "/2016/09/12/chicken-" version ".tar.gz")) (sha256 (base32 =2D "12ddyiikqknpr8h6llsxbg2fz75xnayvcnsvr1cwv8xnjn7jpp73")))) + "1rwymbbmnwdyhdzilv9w75an989xw9kjf3x52iqdng3nphpflcga")))) (build-system gnu-build-system) (arguments `(#:modules ((guix build gnu-build-system) @@ -344,14 +344,7 @@ mashups, office (web agendas, mail clients, ...), etc.= ") (delete 'configure) (delete 'check) (add-after 'install 'check =2D (assoc-ref %standard-phases 'check)) =2D (add-after 'unpack 'disable-broken-tests =2D (lambda _ =2D ;; The port tests fail with this error: =2D ;; Error: (line 294) invalid escape-sequence '\x o' =2D (substitute* "tests/runtests.sh" =2D (("\\$interpret -s port-tests\\.scm") "")) =2D #t))) + (assoc-ref %standard-phases 'check))) =20 #:make-flags (let ((out (assoc-ref %outputs "out"))) (list "PLATFORM=3Dlinux" =2D-=20 2.11.0 --=-=-= Content-Type: text/plain Content-Disposition: attachment; filename=0001-gnu-chicken-Fix-CVE-2016-6830-6831.patch Content-Transfer-Encoding: quoted-printable From=20bd9b1255d37c2f9b2d6af61d1ad01e0a5c58838e Mon Sep 17 00:00:00 2001 
From: Kei Kebreau Date: Sun, 1 Jan 2017 23:02:53 -0500 Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}. * gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file. * gnu/local.mk (dist_patch_DATA): Use it. * gnu/packages/scheme.scm (chicken)[source]: Use it. =2D-- gnu/local.mk | 1 + .../chicken-CVE-2016-6830+CVE-2016-6831.patch | 84 ++++++++++++++++++= ++++ gnu/packages/scheme.scm | 4 +- 3 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-683= 1.patch diff --git a/gnu/local.mk b/gnu/local.mk index 6ab1c1c48..0c42f9f44 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk @@ -497,6 +497,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/calibre-drop-unrar.patch \ %D%/packages/patches/calibre-no-updates-dialog.patch \ %D%/packages/patches/cdparanoia-fpic.patch \ + %D%/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch \ %D%/packages/patches/chmlib-inttypes.patch \ %D%/packages/patches/clang-libc-search-path.patch \ %D%/packages/patches/clang-3.8-libc-search-path.patch \ diff --git a/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch= b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch new file mode 100644 index 000000000..43d6b579b =2D-- /dev/null +++ b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch 
@@ -0,0 +1,84 @@ +Patch by Kei Kebreau, adapted from +https://code.call-cc.org/cgi-bin/gitweb.cgi?p=3Dchicken-core.git;a=3Dcommi= tdiff;h=3D2c419f18138c17767754b36d3b706cd71a55350a + +diff -ur a/irregex-core.scm b/irregex-core.scm +--- a/irregex-core.scm 2016-09-11 19:03:00.000000000 -0400 ++++ b/irregex-core.scm 2017-01-01 22:24:08.416587807 -0500 +@@ -30,6 +30,8 @@ +=20 + ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + ;;;; History ++;; 0.9.6: 2016/12/05 - fixed exponential memory use of + in compilation ++;; of backtracking matcher. + ;; 0.9.5: 2016/09/10 - fixed a bug in irregex-fold handling of bow + ;; 0.9.4: 2015/12/14 - performance improvement for {n,m} matches + ;; 0.9.3: 2014/07/01 - R7RS library +@@ -3170,16 +3172,7 @@ + ((sre-empty? (sre-sequence (cdr sre))) + (error "invalid sre: empty *" sre)) + (else +- (letrec +- ((body +- (lp (sre-sequence (cdr sre)) +- n +- flags +- (lambda (cnk init src str i end matches fail) +- (body cnk init src str i end matches +- (lambda () +- (next cnk init src str i end matches f= ail) +- )))))) ++ (let ((body (rec (list '+ (sre-sequence (cdr sre)))))) + (lambda (cnk init src str i end matches fail) + (body cnk init src str i end matches + (lambda () +@@ -3204,10 +3197,21 @@ + (lambda () + (body cnk init src str i end matches fail)))))= ))) + ((+) +- (lp (sre-sequence (cdr sre)) +- n +- flags +- (rec (list '* (sre-sequence (cdr sre)))))) ++ (cond ++ ((sre-empty? 
(sre-sequence (cdr sre))) ++ (error "invalid sre: empty +" sre)) ++ (else ++ (letrec ++ ((body ++ (lp (sre-sequence (cdr sre)) ++ n ++ flags ++ (lambda (cnk init src str i end matches fail) ++ (body cnk init src str i end matches ++ (lambda () ++ (next cnk init src str i end matches f= ail) ++ )))))) ++ body)))) + ((=3D) + (rec `(** ,(cadr sre) ,(cadr sre) ,@(cddr sre)))) + ((>=3D) +diff -ur a/irregex-utils.scm b/irregex-utils.scm +--- a/irregex-utils.scm 2016-09-11 19:03:00.000000000 -0400 ++++ b/irregex-utils.scm 2017-01-01 22:25:25.447219474 -0500 +@@ -89,7 +89,7 @@ + (case (car x) + ((: seq) + (cond +- ((and (pair? (cddr x)) (pair? (cddr x)) (not (eq? x obj))) ++ ((and (pair? (cdr x)) (pair? (cddr x)) (not (eq? x obj))) + (display "(?:" out) (for-each lp (cdr x)) (display ")" out)) + (else (for-each lp (cdr x))))) + ((submatch) +diff -ur "a/manual-html/Unit irregex.html" "b/manual-html/Unit irregex.htm= l" +--- "a/manual-html/Unit irregex.html" 2016-09-11 19:10:47.000000000 -0400 ++++ "b/manual-html/Unit irregex.html" 2017-01-01 22:26:05.100574188 -0500 +@@ -353,6 +353,6 @@ +

Returns an optimized SRE matching any of the lite= ral strings in the list, like Emacs' regexp-opt. Note this optimi= zation doesn't help when irregex is able to build a DFA.

+ +
sre->strin= g
(sre->string <sre>) procedure
+-

Convert an SRE to a POSIX-style regular expressio= n string, if possible.

++

Convert an SRE to a PCRE-style regular expression= string, if possible.

+
+-

Previous: Unit extras

N= ext: Unit srfi-1

+\ No newline at end of file ++

Previous: Unit extras

N= ext: Unit srfi-1

diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm index fd96869e2..1fa2e7013 100644 =2D-- a/gnu/packages/scheme.scm +++ b/gnu/packages/scheme.scm @@ -330,7 +330,9 @@ mashups, office (web agendas, mail clients, ...), etc.") "/2016/09/12/chicken-" version ".tar.gz")) (sha256 (base32 =2D "1rwymbbmnwdyhdzilv9w75an989xw9kjf3x52iqdng3nphpflcga")))) + "1rwymbbmnwdyhdzilv9w75an989xw9kjf3x52iqdng3nphpflcga")) + (patches + (search-patches "chicken-CVE-2016-6830+CVE-2016-6831.patch")= ))) (build-system gnu-build-system) (arguments `(#:modules ((guix build gnu-build-system) =2D-=20 2.11.0
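
Review bot: In the first hunk of 0001-gnu-chicken-Update-to-4.11.1.patch (@@ -323,14 +323,14 @@), the new uri joins "http://code.call-cc.org/dev-snapshots/" with "/2016/09/12/chicken-", so the resulting URL has a double slash after dev-snapshots; drop one of the two. The snapshot date is also hard-coded while version is interpolated, so the date has to be changed by hand together with version on the next update. A short comment beside the uri saying that this is a development snapshot and that the date must track the version would make that visible.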
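
Review bot: The second hunk of the 4.11.1 update (@@ -344,14 +344,7 @@) deletes the 'disable-broken-tests phase, which puts the port tests back into the check run, but the commit message only says "Update to 4.11.1." Record the phase removal in the commit log, for example as an [arguments] entry, so the history shows that the port-tests workaround was dropped on purpose with this release.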
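
Review bot: The new file gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch and the commit title are named for two CVEs, but the patch header says it is adapted from commit 2c419f18138c17767754b36d3b706cd71a55350a, which the quoted message earlier in this thread gives as the IrRegex fix, and its hunks touch only irregex-core.scm, irregex-utils.scm and the irregex manual page (history entry "0.9.6: 2016/12/05 - fixed exponential memory use of + in compilation"). Either rename the file and the commit title after the IrRegex issue, or state in the patch header which issue each part addresses, so that someone auditing the package can tell what this patch covers and what the 4.11.1 update already covers.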
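
Review bot: The "manual-html/Unit irregex.html" hunk of the embedded patch (@@ -353,6 +353,6 @@) only rewords the sre->string description from POSIX-style to PCRE-style and changes the end-of-file newline; it does not affect the compiled code. Consider dropping that hunk from the Guix patch so the file carries only the source changes in irregex-core.scm and irregex-utils.scm, which keeps the security patch small and easier to check against the upstream commit.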