Kei Kebreau writes: > Kei Kebreau writes: > >> Leo Famulari writes: >> >>> On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote: >>>> Leo Famulari writes: >>>> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote: >>>> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}. >>>> >> >>>> >> * >>>> >> gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: >>>> >> New file. >>>> >> * gnu/local.mk (dist_patch_DATA): Use it. >>>> >> * gnu/packages/scheme.scm (chicken)[source]: Use it. >>>> > >>>> > Thank you for looking into this! >>>> > >>>> > Something like this patch is in CHICKEN 4.11.1: >>>> > >>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea >>>> > >>>> > And there is a patch for the IrRegex bug after the latest tag: >>>> > >>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a >>>> > >>>> > Can you try updating CHICKEN and applying that IrRegex patch? >>>> >>>> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN >>>> binary due to its build system requirements. Do we have any objection to >>>> bootstrapping CHICKEN 4.11.1 from version 4.11.0? >>> >>> Interesting! >>> >>> I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1. >>> >>> Changing the build system like that seems unusual for a minor point >>> release, and I don't see it documented in the 4.11.1 NEWS file: >>> >>> https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3 >>> >> >> I must have phrased that too vaguely. It's just a "building from release >> tarball vs from git checkout" thing, documented in the README file of >> both releases. I've been having trouble with the seemingly identical >> test suite using the attached WIP patch. Perhaps the dreary wheather is >> clouding my thoughts. >> > > Update! I found a file "types.db" that is unwritable. However, changing > access permissions in the (hackish) way I've done in the patch makes the > build's hash time-dependent. > >>> One way or another, we should fix these bugs in our package. Thanks for >>> taking care of it :) >> >> You're welcome! > > Merry Grav-Mass, BTW. :) Here's the CVE patch on top of the chicken 4.11.1 one. I can't get this git-based build to be reproducible, though.