Date: Wed, 10 Mar 2021 12:32:12 -0500
From: Leo Famulari
To: Léo Le Bouter
Cc: guix-devel@gnu.org
Subject: Re: bsdiff package vulnerable to CVE-2020-14315

On Wed, Mar 10, 2021 at 09:49:57AM +0100, Léo Le Bouter wrote:
> A patch exists from FreeBSD:
> https://www.freebsd.org/security/patches/SA-16:29/bspatch.patch - but
> it needs non-trivial porting since FreeBSD seems to have diverged in
> important ways from the source tree we use.
>
> Debian, Fedora, Gentoo, Arch Linux, Void Linux, none have fixed this
> CVE yet due to missing readily usable patch.

Well, we could also just remove this package. It sounds like it is not
supported on Linux. Does it offer some unique functionality?