unofficial mirror of guix-devel@gnu.org 
From: Kei Kebreau <kei@openmailbox.org>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
Date: Wed, 28 Dec 2016 21:07:14 -0500
Message-ID: <87vau3trn1.fsf@openmailbox.org>
In-Reply-To: <87fulcy3ed.fsf@openmailbox.org> (Kei Kebreau's message of "Sun, 25 Dec 2016 00:38:18 -0500")



Kei Kebreau <kei@openmailbox.org> writes:

> Kei Kebreau <kei@openmailbox.org> writes:
>
>> Leo Famulari <leo@famulari.name> writes:
>>
>>> On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote:
>>>> Leo Famulari <leo@famulari.name> writes:
>>>> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
>>>> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
>>>> >> 
>>>> >> * gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
>>>> >> * gnu/local.mk (dist_patch_DATA): Use it.
>>>> >> * gnu/packages/scheme.scm (chicken)[source]: Use it.
>>>> >
>>>> > Thank you for looking into this!
>>>> >
>>>> > Something like this patch is in CHICKEN 4.11.1:
>>>> >
>>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
>>>> >
>>>> > And there is a patch for the IrRegex bug after the latest tag:
>>>> >
>>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
>>>> >
>>>> > Can you try updating CHICKEN and applying that IrRegex patch?
>>>> 
>>>> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
>>>> binary due to its build system requirements. Do we have any objection to
>>>> bootstrapping CHICKEN 4.11.1 from version 4.11.0?
>>>
>>> Interesting!
>>>
>>> I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1.
>>>
>>> Changing the build system like that seems unusual for a minor point
>>> release, and I don't see it documented in the 4.11.1 NEWS file:
>>>
>>> https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3
>>>
>>
>> I must have phrased that too vaguely. It's just a "building from release
>> tarball vs from git checkout" thing, documented in the README file of
>> both releases. I've been having trouble with the seemingly identical
>> test suite using the attached WIP patch. Perhaps the dreary weather is
>> clouding my thoughts.
>>
>
> Update! I found a file "types.db" that is unwritable. However, changing
> access permissions in the (hackish) way I've done in the patch makes the
> build's hash time-dependent.
>
>>> One way or another, we should fix these bugs in our package. Thanks for
>>> taking care of it :)
>>
>> You're welcome!
>
> Merry Grav-Mass, BTW. :)

Here's the CVE patch on top of the chicken 4.11.1 one. I can't get this
git-based build to be reproducible, though.

[-- Attachment #1.2: 0001-gnu-chicken-Fix-CVE-2016-6830-6831.patch --]
[-- Type: text/plain, Size: 6827 bytes --]

From cb31f773829fe655d966db469aced7c1ad5bd2ed Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Wed, 28 Dec 2016 20:03:20 -0500
Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.

* gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
* gnu/local.mk (dist_patch_DATA): Use it.
* gnu/packages/scheme.scm (chicken)[source]: Use it.
---
 gnu/local.mk                                       |   1 +
 .../chicken-CVE-2016-6830+CVE-2016-6831.patch      | 116 +++++++++++++++++++++
 gnu/packages/scheme.scm                            |   4 +-
 3 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 106adb235..f21f6c0b9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -497,6 +497,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/calibre-drop-unrar.patch			\
   %D%/packages/patches/calibre-no-updates-dialog.patch		\
   %D%/packages/patches/cdparanoia-fpic.patch			\
+  %D%/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch	\
   %D%/packages/patches/chmlib-inttypes.patch			\
   %D%/packages/patches/clang-libc-search-path.patch		\
   %D%/packages/patches/clang-3.8-libc-search-path.patch		\
diff --git a/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
new file mode 100644
index 000000000..4865740d5
--- /dev/null
+++ b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
@@ -0,0 +1,116 @@
+From 2c419f18138c17767754b36d3b706cd71a55350a Mon Sep 17 00:00:00 2001
+From: Peter Bex <peter@more-magic.net>
+Date: Wed, 14 Dec 2016 20:25:25 +0100
+Subject: [PATCH] Update irregex to upstream 0.9.6
+
+This fixes a resource consumption vulnerability due to exponential
+memory use based on the depth of nested "+" patterns.
+
+Signed-off-by: Mario Domenech Goulart <mario@parenteses.org>
+---
+ NEWS                |  4 ++++
+ irregex-core.scm    | 32 ++++++++++++++++++--------------
+ irregex-utils.scm   |  2 +-
+ manual/Unit irregex |  2 +-
+ 4 files changed, 24 insertions(+), 16 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 052cf13..cbadd61 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,9 @@
+ 4.11.2
+ 
++- Security fixes
++  - Irregex has been updated to 0.9.6, which fixes an exponential
++    explosion in compilation of nested "+" patterns.
++
+ - Compiler:
+   - Fixed incorrect argvector restoration after GC in directly
+     recursive functions (#1317).
+diff --git a/irregex-core.scm b/irregex-core.scm
+index 2d6058c..01e027b 100644
+--- a/irregex-core.scm
++++ b/irregex-core.scm
+@@ -30,6 +30,8 @@
+ 
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;;;; History
++;; 0.9.6: 2016/12/05 - fixed exponential memory use of + in compilation
++;;                     of backtracking matcher.
+ ;; 0.9.5: 2016/09/10 - fixed a bug in irregex-fold handling of bow
+ ;; 0.9.4: 2015/12/14 - performance improvement for {n,m} matches
+ ;; 0.9.3: 2014/07/01 - R7RS library
+@@ -3170,16 +3172,7 @@
+               ((sre-empty? (sre-sequence (cdr sre)))
+                (error "invalid sre: empty *" sre))
+               (else
+-               (letrec
+-                   ((body
+-                     (lp (sre-sequence (cdr sre))
+-                         n
+-                         flags
+-                         (lambda (cnk init src str i end matches fail)
+-                           (body cnk init src str i end matches
+-                                 (lambda ()
+-                                   (next cnk init src str i end matches fail)
+-                                   ))))))
++               (let ((body (rec (list '+ (sre-sequence (cdr sre))))))
+                  (lambda (cnk init src str i end matches fail)
+                    (body cnk init src str i end matches
+                          (lambda ()
+@@ -3204,10 +3197,21 @@
+                          (lambda ()
+                            (body cnk init src str i end matches fail))))))))
+             ((+)
+-             (lp (sre-sequence (cdr sre))
+-                 n
+-                 flags
+-                 (rec (list '* (sre-sequence (cdr sre))))))
++             (cond
++              ((sre-empty? (sre-sequence (cdr sre)))
++               (error "invalid sre: empty +" sre))
++              (else
++               (letrec
++                   ((body
++                     (lp (sre-sequence (cdr sre))
++                         n
++                         flags
++                         (lambda (cnk init src str i end matches fail)
++                           (body cnk init src str i end matches
++                                 (lambda ()
++                                   (next cnk init src str i end matches fail)
++                                   ))))))
++                 body))))
+             ((=)
+              (rec `(** ,(cadr sre) ,(cadr sre) ,@(cddr sre))))
+             ((>=)
+diff --git a/irregex-utils.scm b/irregex-utils.scm
+index 8332791..a2195a9 100644
+--- a/irregex-utils.scm
++++ b/irregex-utils.scm
+@@ -89,7 +89,7 @@
+         (case (car x)
+           ((: seq)
+            (cond
+-            ((and (pair? (cddr x)) (pair? (cddr x)) (not (eq? x obj)))
++            ((and (pair? (cdr x)) (pair? (cddr x)) (not (eq? x obj)))
+              (display "(?:" out) (for-each lp (cdr x)) (display ")" out))
+             (else (for-each lp (cdr x)))))
+           ((submatch)
+diff --git a/manual/Unit irregex b/manual/Unit irregex
+index 7805273..7d59f89 100644
+--- a/manual/Unit irregex	
++++ b/manual/Unit irregex	
+@@ -825,7 +825,7 @@ doesn't help when irregex is able to build a DFA.
+ 
+ <procedure>(sre->string <sre>)</procedure>
+ 
+-Convert an SRE to a POSIX-style regular expression string, if
++Convert an SRE to a PCRE-style regular expression string, if
+ possible.
+ 
+ 
+-- 
+2.1.4
+
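Review bot: the patch file name and the commit subject say this fixes CVE-2016-{6830,6831}, but the embedded upstream commit (2c419f18, "Update irregex to upstream 0.9.6") describes only the exponential memory use when compiling nested "+" patterns and names no CVE, and Leo's earlier message in this thread says the CVE-2016-6830/6831 fix is already part of CHICKEN 4.11.1. Either rename the file to say what it actually carries (something like chicken-irregex-0.9.6.patch, name hypothetical) and retitle the commit accordingly, or add a short comment at the top of the patch file giving the upstream commit URL and stating which issue it addresses. Also check that it applies cleanly to the tagged tree: the NEWS hunk expects a "4.11.2" heading as its first context line, which a checkout at the 4.11.1 tag may not have, and the NEWS and manual/Unit irregex hunks are not needed for the fix and could be dropped.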
diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index 0ad449ae2..87c9fc413 100644
--- a/gnu/packages/scheme.scm
+++ b/gnu/packages/scheme.scm
@@ -386,7 +386,9 @@ language standard, and includes many enhancements and extensions.")
                     (commit version)))
               (sha256
                (base32
-                "1a0jxi5k2n2dx7zn9blynd9lg45v2w4jnh24d67lqazasricgs1k"))))
+                "1a0jxi5k2n2dx7zn9blynd9lg45v2w4jnh24d67lqazasricgs1k"))
+              (patches
+               (search-patches "chicken-CVE-2016-6830+CVE-2016-6831.patch"))))
     (arguments
      `(;; No `configure' script; run "make check" after "make install" as
        ;; prescribed by README.
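Review bot: a comment next to the new `patches` field would help the next updater, recording that the patch is the upstream irregex 0.9.6 update and can be dropped once the package moves past 4.11.1 (the NEWS entry inside the patch lists the fix under 4.11.2). Leaving the sha256 unchanged is correct here, since the patch is applied after the git checkout is fetched and does not affect the origin hash.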
-- 
2.11.0



Thread overview: 14+ messages
2016-12-16 19:33 [peter@more-magic.net: Irregex packages should be updated to 0.9.6] Leo Famulari
2016-12-16 19:36 ` Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]] Leo Famulari
2016-12-22 19:20   ` Kei Kebreau
2016-12-24  6:32     ` Leo Famulari
2016-12-24 19:23       ` Kei Kebreau
2016-12-24 21:04         ` Leo Famulari
2016-12-25  1:59           ` Kei Kebreau
2016-12-25  5:38             ` Kei Kebreau
2016-12-29  2:07               ` Kei Kebreau [this message]
2017-01-01 22:18             ` Leo Famulari
2017-01-02  4:04               ` Kei Kebreau
2017-01-03  5:21                 ` Leo Famulari
2017-01-03 13:36                   ` Kei Kebreau
2017-01-02  4:07               ` Kei Kebreau
