unofficial mirror of guix-patches@gnu.org 
* [bug#27937] Update php to 7.1.8
From: Julien Lepiller @ 2017-08-03 18:22 UTC
  To: 27937

[-- Attachment #1: Type: text/plain, Size: 74 bytes --]

Hi,

A new version of php has been released. Here is a patch to update it.

[-- Attachment #2: 0001-gnu-php-Update-to-7.1.8.patch --]
[-- Type: text/x-patch, Size: 3853 bytes --]

From 49de4d05b1b292af598755bfa7754661519218b8 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Thu, 3 Aug 2017 20:14:56 +0200
Subject: [PATCH] gnu: php: Update to 7.1.8.

* gnu/packages/patches/gd-CVE-2017-7890.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it
* gnu/packages/php.scm (php): Update to 7.1.8.
---
 gnu/local.mk                                |  1 +
 gnu/packages/patches/gd-CVE-2017-7890.patch | 30 +++++++++++++++++++++++++++++
 gnu/packages/php.scm                        | 18 ++++++++++++++---
 3 files changed, 46 insertions(+), 3 deletions(-)
 create mode 100644 gnu/packages/patches/gd-CVE-2017-7890.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index f4fef78f3..fcb57e24c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -626,6 +626,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gcr-disable-failing-tests.patch		\
   %D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch	\
   %D%/packages/patches/gdk-pixbuf-list-dir.patch		\
+  %D%/packages/patches/gd-CVE-2017-7890.patch		\
   %D%/packages/patches/gd-fix-gd2-read-test.patch		\
   %D%/packages/patches/gd-fix-tests-on-i686.patch		\
   %D%/packages/patches/gd-freetype-test-failure.patch		\
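Review bot: the ChangeLog line that describes this hunk, "* gnu/local.mk (dist_patch_DATA): Add it", is missing its trailing period, unlike the two entries around it. The entry itself is placed correctly among the gd-*.patch files (gd-CVE sorts before gd-fix).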
diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch b/gnu/packages/patches/gd-CVE-2017-7890.patch
new file mode 100644
index 000000000..743fc6d3d
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2017-7890.patch
@@ -0,0 +1,30 @@
+From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001
+From: LEPILLER Julien <julien.lepiller@irisa.fr>
+Date: Thu, 3 Aug 2017 17:04:17 +0200
+Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory.
+
+The stack allocated color map buffers were not zeroed before usage, and
+so undefined palette indexes could cause information leakage.
+
+This is CVE-2017-7890.
+---
+ src/gd_gif_in.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
+index 008d1ec..c195448 100644
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -216,6 +216,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ 
+ 	gdImagePtr im = 0;
+ 
++	memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
++	memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
++
+ 	if(!ReadOK(fd, buf, 6)) {
+ 		return 0;
+ 	}
+-- 
+2.13.3
+
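Review bot: the new patch file says nothing about where it comes from. The embedded commit is authored by the submitter but carries a subject in upstream libgd style ("Fix #399: ..."), so a one-line comment at the top of the file stating whether this is a backport of an upstream fix, and of which commit, would tell the next person updating gd when the patch can be dropped. In the code change itself, both memset lengths are hard-coded as 3 * MAXCOLORMAPSIZE while the declarations of ColorMap and localColorMap lie outside the hunk's context; sizeof(ColorMap) and sizeof(localColorMap) would tie the zeroed length to the declared buffer size so the two cannot drift apart. Also worth checking that gd_gif_in.c already includes <string.h>, since the hunk adds the memset calls without an include.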
diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm
index 7d569eef3..81e2d1a9a 100644
--- a/gnu/packages/php.scm
+++ b/gnu/packages/php.scm
@@ -49,10 +49,22 @@
   #:use-module (guix build-system gnu)
   #:use-module ((guix licenses) #:prefix license:))
 
+(define gd-for-php
+  (package
+    (inherit gd)
+    (source (origin
+             (inherit (package-source gd))
+             (patches (search-patches "gd-fix-gd2-read-test.patch"
+                                      "gd-fix-tests-on-i686.patch"
+                                      "gd-freetype-test-failure.patch"
+                                      "gd-php-73968-Fix-109-XBM-reading.patch"
+				      "gd-CVE-2017-7890.patch"))))))
+
+
 (define-public php
   (package
     (name "php")
-    (version "7.1.6")
+    (version "7.1.8")
     (home-page "https://secure.php.net/")
     (source (origin
               (method url-fetch)
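Review bot: gd-for-php hard-codes the four patches already applied to gd's origin and adds the new one on top, so any later change to gd's patch list in gd.scm silently stops applying to this variant. Deriving the list from the inherited origin keeps the two in step, for example:
    (patches (append (origin-patches (package-source gd))
                     (search-patches "gd-CVE-2017-7890.patch")))
Two smaller points: the last patch name is indented with a tab instead of spaces, so it does not line up with the others, and the blank line after the definition is doubled.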
@@ -60,7 +72,7 @@
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0nr49gqhk4pv8kcdc60cl1mgwlinawpraq9ba15whzmb472lsn01"))
+                "1aramb6dm57pr2iz61id9vzfy7h5qkb6bf7dxhrwnjk0723qahw9"))
               (modules '((guix build utils)))
               (snippet
                '(with-directory-excursion "ext"
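Review bot: the replaced sha256 is what anchors this security update to the upstream 7.1.8 tarball, and neither the hunk nor the cover letter says how it was obtained; a sentence noting that it came from guix download of the release and matched the checksum published upstream would let a reviewer confirm it without refetching.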
@@ -282,7 +294,7 @@
        ("curl" ,curl)
        ("cyrus-sasl" ,cyrus-sasl)
        ("freetype" ,freetype)
-       ("gd" ,gd)
+       ("gd" ,gd-for-php)
        ("gdbm" ,gdbm)
        ("glibc" ,glibc)
        ("gmp" ,gmp)
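Review bot: switching PHP's "gd" input to gd-for-php fixes CVE-2017-7890 for PHP alone; every other package that takes gd as an input still builds against the unpatched library. A graft on gd itself (a replacement field, as in the follow-up patch later in this thread) covers all dependents at once without a mass rebuild and would make this hunk and the gd-for-php variant unnecessary.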
-- 
2.13.3



* [bug#27937] Update php to 7.1.8
From: Leo Famulari @ 2017-08-03 22:20 UTC
  To: Julien Lepiller; +Cc: 27937

[-- Attachment #1: Type: text/plain, Size: 1971 bytes --]

On Thu, Aug 03, 2017 at 08:22:00PM +0200, Julien Lepiller wrote:
> Hi,
> 
> a new version of php has been released. Here is a patch to update it.

> From 49de4d05b1b292af598755bfa7754661519218b8 Mon Sep 17 00:00:00 2001
> From: Julien Lepiller <julien@lepiller.eu>
> Date: Thu, 3 Aug 2017 20:14:56 +0200
> Subject: [PATCH] gnu: php: Update to 7.1.8.
> 
> * gnu/packages/patches/gd-CVE-2017-7890.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it
> * gnu/packages/php.scm (php): Update to 7.1.8.

Thanks! Overall LGTM.

Could this close <https://bugs.gnu.org/27808>?

> diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch b/gnu/packages/patches/gd-CVE-2017-7890.patch
> new file mode 100644
> index 000000000..743fc6d3d
> --- /dev/null
> +++ b/gnu/packages/patches/gd-CVE-2017-7890.patch
> @@ -0,0 +1,30 @@
> +From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00 2001
> +From: LEPILLER Julien <julien.lepiller@irisa.fr>
> +Date: Thu, 3 Aug 2017 17:04:17 +0200
> +Subject: [PATCH] Fix #399: Buffer over-read into uninitialized memory.
> +
> +The stack allocated color map buffers were not zeroed before usage, and
> +so undefined palette indexes could cause information leakage.
> +
> +This is CVE-2017-7890.

Would this patch be valuable for the "regular" gd package as well, or is
it specific to gd-for-php?

> +(define gd-for-php
> +  (package
> +    (inherit gd)
> +    (source (origin
> +             (inherit (package-source gd))
> +             (patches (search-patches "gd-fix-gd2-read-test.patch"
> +                                      "gd-fix-tests-on-i686.patch"
> +                                      "gd-freetype-test-failure.patch"
> +                                      "gd-php-73968-Fix-109-XBM-reading.patch"
> +				      "gd-CVE-2017-7890.patch"))))))
                                      ^  
                                      This indentation is too far to the left.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]


* [bug#27937] Update php to 7.1.8
From: Julien Lepiller @ 2017-08-04  6:30 UTC
  Cc: 27937

On 4 Aug 2017 00:20:10 GMT+02:00, Leo Famulari <leo@famulari.name> wrote:
>On Thu, Aug 03, 2017 at 08:22:00PM +0200, Julien Lepiller wrote:
>> Hi,
>> 
>> a new version of php has been released. Here is a patch to update it.
>
>> From 49de4d05b1b292af598755bfa7754661519218b8 Mon Sep 17 00:00:00
>2001
>> From: Julien Lepiller <julien@lepiller.eu>
>> Date: Thu, 3 Aug 2017 20:14:56 +0200
>> Subject: [PATCH] gnu: php: Update to 7.1.8.
>> 
>> * gnu/packages/patches/gd-CVE-2017-7890.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add it
>> * gnu/packages/php.scm (php): Update to 7.1.8.
>
>Thanks! Overall LGTM.
>
>Could this close <https://bugs.gnu.org/27808>?
>

I think it does.

>> diff --git a/gnu/packages/patches/gd-CVE-2017-7890.patch
>b/gnu/packages/patches/gd-CVE-2017-7890.patch
>> new file mode 100644
>> index 000000000..743fc6d3d
>> --- /dev/null
>> +++ b/gnu/packages/patches/gd-CVE-2017-7890.patch
>> @@ -0,0 +1,30 @@
>> +From 99ba5c353373ed198f54af66fe4e355ebb96e363 Mon Sep 17 00:00:00
>2001
>> +From: LEPILLER Julien <julien.lepiller@irisa.fr>
>> +Date: Thu, 3 Aug 2017 17:04:17 +0200
>> +Subject: [PATCH] Fix #399: Buffer over-read into uninitialized
>memory.
>> +
>> +The stack allocated color map buffers were not zeroed before usage,
>and
>> +so undefined palette indexes could cause information leakage.
>> +
>> +This is CVE-2017-7890.
>
>Would this patch be valuable for the "regular" gd package as well, or
>is it specific to gd-for-php?

It could be used for gd, but I think it would trigger a lot of rebuilds. I'm not confident with how the graft mechanism works, so I would need some help.

>
>> +(define gd-for-php
>> +  (package
>> +    (inherit gd)
>> +    (source (origin
>> +             (inherit (package-source gd))
>> +             (patches (search-patches "gd-fix-gd2-read-test.patch"
>> +                                      "gd-fix-tests-on-i686.patch"
>> +                                     
>"gd-freetype-test-failure.patch"
>> +                                     
>"gd-php-73968-Fix-109-XBM-reading.patch"
>> +				      "gd-CVE-2017-7890.patch"))))))
>                                      ^  
>                               This indentation is too far to the left.

Arg... those are tabs I guess. Thanks for the review! I will push it this evening if everything is ok.


* [bug#27937] Update php to 7.1.8
From: Leo Famulari @ 2017-08-04 15:01 UTC
  To: Julien Lepiller; +Cc: 27937

[-- Attachment #1: Type: text/plain, Size: 1338 bytes --]

On Fri, Aug 04, 2017 at 08:30:08AM +0200, Julien Lepiller wrote:
> >> +From: LEPILLER Julien <julien.lepiller@irisa.fr>
> >> +Date: Thu, 3 Aug 2017 17:04:17 +0200
> >> +Subject: [PATCH] Fix #399: Buffer over-read into uninitialized
> >memory.
> >> +
> >> +The stack allocated color map buffers were not zeroed before usage,
> >and
> >> +so undefined palette indexes could cause information leakage.
> >> +
> >> +This is CVE-2017-7890.
> >
> >Would this patch be valuable for the "regular" gd package as well, or
> >is
> >it specific to gd-for-php?
> 
> It could be used for gd, but I think it would trigger a lot of
> rebuilds. I'm not confident with how the graft mechanism works, so I
> would need some help.

Okay, I'll look into it this weekend, unless somebody beats me to it.

Next time there are lots of Guix people gathered together, I want to
hold some kind of "security updates workshop", with the goal of helping
more people feel comfortable working in this area.

For gd in particular, if you have some specific questions, I can answer
them over email. Surely more people have questions, too. The discussion
could result in improvements to the manual's section on this topic.

> Arg... those are tabs I guess. Thanks for the review! I will push it
> this evening if everything is ok.

Great!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]


* [bug#27937] Update php to 7.1.8
From: Julien Lepiller @ 2017-08-05  8:02 UTC
  To: 27937

[-- Attachment #1: Type: text/plain, Size: 787 bytes --]

On Fri, 4 Aug 2017 11:01:38 -0400, Leo Famulari <leo@famulari.name> wrote:
 
> 
> Okay, I'll look into it this weekend, unless somebody beats me to it.
> 
> Next time there are lots of Guix people gathered together, I want to
> hold some kind of "security updates workshop", with the goal of
> helping more people feel comfortable working in this area.
> 
> For gd in particular, if you have some specific questions, I can
> answer them over email. Surely more people have questions, too. The
> discussion could result in improvements to the manual's section on
> this topic.
> 

Hi,

I think this patch fixes gd correctly. I think I'm supposed to
also make a patch for core-updates with the new gd for rebuilds to
occur in that branch, right? How do I proceed?

[-- Attachment #2: 0001-gnu-gd-Fix-CVE-2017-7890.patch --]
[-- Type: text/x-patch, Size: 1330 bytes --]

From 828b7458582cd6fae0e7dd2375315b6b52149554 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Sat, 5 Aug 2017 09:46:13 +0200
Subject: [PATCH] gnu: gd: Fix CVE-2017-7890.

* gnu/packages/gd.scm (gd)[replacement]: New field.
(gd/fixed): New variable.
---
 gnu/packages/gd.scm | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index aac0f9664..48db1b247 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -37,6 +37,7 @@
 (define-public gd
   (package
     (name "gd")
+    (replacement gd/fixed)
 
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
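Review bot: (replacement gd/fixed) forward-references a variable that is only defined further down in the file; this works because the replacement field of Guix's package record is thunked, so the reference is resolved when a graft is computed rather than when gd is defined. What the graft relies on is that gd/fixed keeps the same name and version (guaranteed by inherit) and is ABI-compatible with gd, which a fix consisting of two memset calls is; the commit message would be stronger if it said so, since that is the justification for grafting instead of rebuilding.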
@@ -93,6 +94,16 @@ most common applications of GD involve website development.")
                            "See COPYING file in the distribution."))
     (properties '((cpe-name . "libgd")))))
 
+(define-public gd/fixed
+  (package
+    (inherit gd)
+    (source (origin
+             (inherit (package-source gd))
+             (patches 
+               (append
+                 (origin-patches (package-source gd))
+                 (search-patches "gd-CVE-2017-7890.patch")))))))
+
 (define-public perl-gd
   (package
     (name "perl-gd")
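Review bot: this patch only applies cleanly if gd-CVE-2017-7890.patch is already registered in gnu/local.mk, which the earlier PHP patch in this thread does; if the two are pushed separately, this one needs its own local.mk entry and ChangeLog line. Building the patch list with (append (origin-patches (package-source gd)) ...) is the right way to keep gd/fixed in step with gd's own patches. Minor: the line "(patches " carries trailing whitespace.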
-- 
2.13.4



* bug#27937: Update php to 7.1.8
From: Ludovic Courtès @ 2017-09-04 13:16 UTC
  To: Julien Lepiller; +Cc: 27937-done

Julien Lepiller <julien@lepiller.eu> wrote:

> From 828b7458582cd6fae0e7dd2375315b6b52149554 Mon Sep 17 00:00:00 2001
> From: Julien Lepiller <julien@lepiller.eu>
> Date: Sat, 5 Aug 2017 09:46:13 +0200
> Subject: [PATCH] gnu: gd: Fix CVE-2017-7890.
>
> * gnu/packages/gd.scm (gd)[replacement]: New field.
> (gd/fixed): New variable.

AFAICS this patch has been obsoleted by commit
4f6815614097630dfe507df7bae768d37f3f0627, and PHP has been upgraded as
well.

Too bad this submission stalled for too long!

Thanks Julien.

Ludo’.

