From: Kei Kebreau
Subject: Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
Date: Sat, 24 Dec 2016 14:23:43 -0500
Message-ID: <87pokhxha8.fsf@openmailbox.org>
References: <20161216193319.GA12690@jasmine> <20161216193659.GA26067@jasmine> <87lgv7zs6y.fsf@openmailbox.org> <20161224063251.GA30959@jasmine>
In-Reply-To: <20161224063251.GA30959@jasmine> (Leo Famulari's message of "Sat, 24 Dec 2016 01:32:51 -0500")
To: Leo Famulari
Cc: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

Leo Famulari writes:

> On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
>> Leo Famulari writes:
>>
>> > On Fri, Dec 16, 2016 at 02:33:19PM -0500, Leo Famulari wrote:
>> >> We fixed this bug in our guile-irregex package in commit fb73f07a0fe,
>> >> but our chez-irregex and chicken packages are still vulnerable.
>> >
>> > Also note that (I believe) our chicken package is vulnerable to
>> > CVE-2016-{6830,6831}:
>> >
>> > http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00002.html
>>
>> The attached patch is currently being tested on my computer, but I
>> suspect it will work.
>>
>> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834845.
>>
>
>> From 3423ef38ecab794f9601aa8ac63c6974d9db62d4 Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau
>> Date: Thu, 22 Dec 2016 14:16:55 -0500
>> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
>>
>> * gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Use it.
>> * gnu/packages/scheme.scm (chicken)[source]: Use it.
>
> Thank you for looking into this!
>
> Something like this patch is in CHICKEN 4.11.1:
>
> https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
>
> And there is a patch for the IrRegex bug after the latest tag:
>
> https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
>
> Can you try updating CHICKEN and applying that IrRegex patch?

I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN binary
due to its build system requirements. Do we have any objection to
bootstrapping CHICKEN 4.11.1 from version 4.11.0?