unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* bsdiff package vulnerable to CVE-2020-14315
@ 2021-03-10  8:49 Léo Le Bouter
  2021-03-10 17:32 ` Leo Famulari
  0 siblings, 1 reply; 4+ messages in thread
From: Léo Le Bouter @ 2021-03-10  8:49 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 832 bytes --]

CVE-2020-14315

A memory corruption vulnerability is present in bspatch as shipped in
Colin Percival’s bsdiff tools version 4.3. Insufficient checks when
handling external inputs allows an attacker to bypass the sanity checks
in place and write out of a dynamically allocated buffer boundaries.

A patch exists from FreeBSD: 
https://www.freebsd.org/security/patches/SA-16:29/bspatch.patch - but
it needs non-trivial porting since FreeBSD seems to have diverged in
important ways from the source tree we use.

Debian, Fedora, Gentoo, Arch Linux, Void Linux, none have fixed this
CVE yet due to missing readily usable patch.

There may be a patch in Android or ChromiumOS source trees but if it is
present it is burried and not easy to find, also their tree probably
has diverged in non-trivial ways too.

Léo

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: bsdiff package vulnerable to CVE-2020-14315
  2021-03-10  8:49 bsdiff package vulnerable to CVE-2020-14315 Léo Le Bouter
@ 2021-03-10 17:32 ` Leo Famulari
  2021-03-10 20:33   ` Léo Le Bouter
  0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2021-03-10 17:32 UTC (permalink / raw)
  To: Léo Le Bouter; +Cc: guix-devel

On Wed, Mar 10, 2021 at 09:49:57AM +0100, Léo Le Bouter wrote:
> A patch exists from FreeBSD: 
> https://www.freebsd.org/security/patches/SA-16:29/bspatch.patch - but
> it needs non-trivial porting since FreeBSD seems to have diverged in
> important ways from the source tree we use.
> 
> Debian, Fedora, Gentoo, Arch Linux, Void Linux, none have fixed this
> CVE yet due to missing readily usable patch.

Well, we could also just remove this package. It sounds like it is not
supported on Linux. Does it offer some unique functionality?


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: bsdiff package vulnerable to CVE-2020-14315
  2021-03-10 17:32 ` Leo Famulari
@ 2021-03-10 20:33   ` Léo Le Bouter
  2021-03-14 21:31     ` Mark H Weaver
  0 siblings, 1 reply; 4+ messages in thread
From: Léo Le Bouter @ 2021-03-10 20:33 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 342 bytes --]

On Wed, 2021-03-10 at 12:32 -0500, Leo Famulari wrote:
> Well, we could also just remove this package. It sounds like it is
> not
> supported on Linux. Does it offer some unique functionality?

I would advocate for removal of the package, or at least warning about
absence of security patches for security issues at install/show time.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: bsdiff package vulnerable to CVE-2020-14315
  2021-03-10 20:33   ` Léo Le Bouter
@ 2021-03-14 21:31     ` Mark H Weaver
  0 siblings, 0 replies; 4+ messages in thread
From: Mark H Weaver @ 2021-03-14 21:31 UTC (permalink / raw)
  To: Léo Le Bouter, Leo Famulari; +Cc: guix-devel

Léo Le Bouter <lle-bout@zaclys.net> writes:

> On Wed, 2021-03-10 at 12:32 -0500, Leo Famulari wrote:
>> Well, we could also just remove this package. It sounds like it is
>> not
>> supported on Linux. Does it offer some unique functionality?
>
> I would advocate for removal of the package, or at least warning about
> absence of security patches for security issues at install/show time.

For the record, Léo removed this package in commit
373c7b5791acd8f377455be47260948b843dd5db on the 'master' branch.

      Mark


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-03-14 21:45 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-03-10  8:49 bsdiff package vulnerable to CVE-2020-14315 Léo Le Bouter
2021-03-10 17:32 ` Leo Famulari
2021-03-10 20:33   ` Léo Le Bouter
2021-03-14 21:31     ` Mark H Weaver

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).