From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-patches-bounces+larch=yhetil.org@gnu.org>
Received: from mp10.migadu.com ([2001:41d0:403:478a::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms9.migadu.com with LMTPS
	id 0Np/IDdgJGXO2wAAG6o9tA:P1
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 09 Oct 2023 22:19:03 +0200
Received: from aspmx1.migadu.com ([2001:41d0:403:478a::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp10.migadu.com with LMTPS
	id 0Np/IDdgJGXO2wAAG6o9tA
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 09 Oct 2023 22:19:03 +0200
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id EBA0640FFB
	for <larch@yhetil.org>; Mon,  9 Oct 2023 22:19:01 +0200 (CEST)
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=lnikki.la header.s=fm3 header.b=f0Cz6sq0;
	dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=cHw0gTXb;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1696882743;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:resent-cc:
	 resent-from:resent-sender:resent-message-id:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=ll9EZlxF+vbOYBkYgbqWMSMBWvoPaGP43ZN7aycdni4=;
	b=IUVGk5EsLrmTbW0oPyPqhYJ6O7w54p1A43CEm6Dag8JqCZq9wLc5dKQYVD9jcr1PS4IFqg
	C7zjgcFT8H4Y32zG8DODiwc97TmNibtx5G0Tg5qiiEjKaELN1cfQ3jvqxbdbCUT7rc0aH9
	/00vOB2PwiFu/mPyemLcA3hvRt8tr9bojBaPgwZkDLhhHY8d5d0eXg3AYIqxP2jbHaHCVa
	6waK8WhxZ4Wd/oV+LG0JCv6fbNVcXLJpFROB7AQnMFVPpkYTx6pwImBwgOEnuT4v5EdgHz
	5YIVY/r5RMUDa1ifNqZsdqR8X1T2i5Z8UF+RU39vRRt1ecZJ3oHyLoYV01GwsQ==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1696882743; a=rsa-sha256; cv=none;
	b=hP54UmxiOXFyg1fnrmElDhH9vDHwYs2ruJ8RV6b985A2X5nwfV5+mjqGRL+DK/L6CT7PNZ
	v0990gjT8YJOtBFOV22tpaqlGkHNZnZ7eNtJVsURqdpybY4AYxXleHQA9ssmTaY10tSpHx
	+W7bfzv99gRfVcmXZGfpGBTpxtHvMFfkKb5dEXJl84cCKn2JReXxR0ZvSHq5+Q2rfHBeUg
	q8jgbT+Fbpdnw9ndfpjxxuRDExnV0fMPANkJfFSiGwNUr9G1SBuWoMGPu2G7FOo3Sverh4
	5JdoKm1kcSbfGXCnHKJ5WqnUjiK/0ak7J61LcIMDnf+KfyoDSv6LV+8h0yeGEg==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=lnikki.la header.s=fm3 header.b=f0Cz6sq0;
	dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=cHw0gTXb;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org"
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces@gnu.org>)
	id 1qpwiH-0001fY-0f; Mon, 09 Oct 2023 16:18:49 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1qpwiA-0001eo-EM
 for guix-patches@gnu.org; Mon, 09 Oct 2023 16:18:44 -0400
Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1qpwi9-0002Ja-GG
 for guix-patches@gnu.org; Mon, 09 Oct 2023 16:18:41 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1qpwiU-00034C-7G
 for guix-patches@gnu.org; Mon, 09 Oct 2023 16:19:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#66428] [PATCH] gnu: libcue: Fix CVE-2023-43641.
Resent-From: Leo =?UTF-8?Q?Nikkil=C3=A4?= <hello@lnikki.la>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Mon, 09 Oct 2023 20:19:02 +0000
Resent-Message-ID: <handler.66428.B.169688270111725@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 66428
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 66428@debbugs.gnu.org
Cc: Leo =?UTF-8?Q?Nikkil=C3=A4?= <hello@lnikki.la>
X-Debbugs-Original-To: guix-patches@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.169688270111725
 (code B ref -1); Mon, 09 Oct 2023 20:19:02 +0000
Received: (at submit) by debbugs.gnu.org; 9 Oct 2023 20:18:21 +0000
Received: from localhost ([127.0.0.1]:33449 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1qpwhm-00032y-16
 for submit@debbugs.gnu.org; Mon, 09 Oct 2023 16:18:21 -0400
Received: from lists.gnu.org ([2001:470:142::17]:50194)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <hello@lnikki.la>) id 1qpwhj-00032j-OP
 for submit@debbugs.gnu.org; Mon, 09 Oct 2023 16:18:16 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <hello@lnikki.la>) id 1qpwhJ-0001XT-4U
 for guix-patches@gnu.org; Mon, 09 Oct 2023 16:17:49 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <hello@lnikki.la>) id 1qpwhH-00028c-8L
 for guix-patches@gnu.org; Mon, 09 Oct 2023 16:17:48 -0400
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41])
 by mailout.nyi.internal (Postfix) with ESMTP id B99635C035D;
 Mon,  9 Oct 2023 16:17:43 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
 by compute1.internal (MEProxy); Mon, 09 Oct 2023 16:17:43 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lnikki.la; h=cc
 :cc:content-transfer-encoding:content-type:date:date:from:from
 :in-reply-to:message-id:mime-version:reply-to:sender:subject
 :subject:to:to; s=fm3; t=1696882663; x=1696969063; bh=ll9EZlxF+v
 bOYBkYgbqWMSMBWvoPaGP43ZN7aycdni4=; b=f0Cz6sq0wSLD79haELIFqtVdzO
 s6wgL7rWg26xS3/NzyDAeY8p/FDCNbGSRrYbsZs9BwAzs32d2EEpJaTsDT6ibKdV
 dt2qua5T1Sts7MW+Iu5wAEUTIwkCzC6h/T2o48TO/dvGwCO3S6elRKAtdENKtEcE
 EPWHbQ5NMhBwpMJCmQ7kT5ZNsoz90EEgkxfQ9WuurMOFaT4rwuv5gZZPrms8vnwu
 P3x/rZF5h1ityCKjxW1FKBiZOFiOUo5a0rXr7B5OEID/hMqcWz6dLvbrYXXLPp2X
 KkiXPKUJWGvyfY2HnDS/L+Qq26vtgfituBXy1TPqFeUm4koWLOzB7ebZyiIA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-transfer-encoding
 :content-type:date:date:feedback-id:feedback-id:from:from
 :in-reply-to:message-id:mime-version:reply-to:sender:subject
 :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
 :x-sasl-enc; s=fm2; t=1696882663; x=1696969063; bh=ll9EZlxF+vbOY
 BkYgbqWMSMBWvoPaGP43ZN7aycdni4=; b=cHw0gTXb6Ui5KxN1XEQRSxJ3xxMPT
 /7Nw/QnpvxSV7OLEalgt26alDyINJw/TK7VW5Cs5C+X4LyfdQApJoxu4T9PUPf8n
 1ChxrqeTJGZ5pKIoDuD+85wnrN2o06fHwjOh7y5fmjwtxVnI1xL06/0ZeN55DyyV
 uvxh6ONjuL7Wrp6r7sEipPfyEMek1dw9UjGndDIRsgi07veXrZFqVSmzu6XuOkhk
 g+ET6KvxtqGCz+O1TXD0ZEdh1ngDupRM98zhVoAqywU0I8yEajSvc4j12D4SuEPK
 ENrXbHyT7mgUFz2+rt3M71S8t9cMkXy6AWEHUqGyjaTFK55KtG/T9WkMg==
X-ME-Sender: <xms:518kZW8MbbNf2e-5OHiJWkv9OMie0AgFj10Qyn58PqLXr3y2EwrcCQ>
 <xme:518kZWsh5F4pE_HVbyWqeiNCC4BDv03BmaY747aY-ufC5InES8rQX83sVcrzMB1wv
 c8DfnQFUIJ9K0k6Taw>
X-ME-Received: <xmr:518kZcC0LO2aFz0Ph-dhzotC2ka-kh4N1OIJOWav3hR5dgYaS36upbGkBdXwoveniKF05KOmOoUFzZm371CyqL3_RtLHLxZkiZCKXBXy>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrheefgddugeejucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucenucfjughrpefhvfevufffkffoggfgsedtkeertd
 ertdejnecuhfhrohhmpefnvghoucfpihhkkhhilhomuceohhgvlhhloheslhhnihhkkhhi
 rdhlrgeqnecuggftrfgrthhtvghrnhepgeegieefleevfeeggfehtdejieehgfeivddvff
 ektdevtdeftdehgeeufffftefgnecuffhomhgrihhnpehgihhthhhusgdrsghlohhgnecu
 vehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhephhgvlhhloh
 eslhhnihhkkhhirdhlrg
X-ME-Proxy: <xmx:518kZefhUIwq-c-ISC8DsM6APj_e2LfemLwbXeHglnIWwmMLjntHGA>
 <xmx:518kZbN9nThw19-P7hwf0SaWPjYVpmiXvk4t4qwdUK6x01MDkn6f5g>
 <xmx:518kZYnz5zWwVszpoAia6JJX6RYqfG_fkW_WJIuJR9WzF1ZiJIKJTw>
 <xmx:518kZQoIbRrgLKsMcM87moizKgM69oQnvZBrwYfUszy_Thmp0cBQZg>
Feedback-ID: i41f146a7:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon,
 9 Oct 2023 16:17:42 -0400 (EDT)
Date: Mon,  9 Oct 2023 23:15:44 +0300
Message-ID: <20231009201647.9891-1-hello@lnikki.la>
X-Mailer: git-send-email 2.41.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=66.111.4.25; envelope-from=hello@lnikki.la;
 helo=out1-smtp.messagingengine.com
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Reply-to:  Leo =?UTF-8?Q?Nikkil=C3=A4?= <hello@lnikki.la>
X-ACL-Warn: ,  =?utf-8?q?Leo_Nikkil=C3=A4_via_Guix-patches?= <guix-patches@gnu.org>
From:  =?utf-8?q?Leo_Nikkil=C3=A4_via_Guix-patches?= via <guix-patches@gnu.org>
Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org
Sender: guix-patches-bounces+larch=yhetil.org@gnu.org
X-Migadu-Flow: FLOW_IN
X-Migadu-Country: US
X-Migadu-Scanner: mx0.migadu.com
X-Migadu-Spam-Score: -6.31
X-Spam-Score: -6.31
X-Migadu-Queue-Id: EBA0640FFB
X-TUID: 2UEK1EzgnlRt

Fixes a vulnerability in libcue that can result in a nasty RCE exploit
under GNOME:

https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/

* gnu/packages/patches/libcue-CVE-2023-43641.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/cdrom.scm (libcue)[source]: Use it.
---
 gnu/local.mk                                   |  1 +
 gnu/packages/cdrom.scm                         |  3 ++-
 .../patches/libcue-CVE-2023-43641.patch        | 18 ++++++++++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libcue-CVE-2023-43641.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c481aa153a..ff40cf7a9b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1517,6 +1517,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libcanberra-sound-theme-freedesktop.patch \
   %D%/packages/patches/libcanberra-wayland-crash.patch \
   %D%/packages/patches/libcroco-CVE-2020-12825.patch		\
+  %D%/packages/patches/libcue-CVE-2023-43641.patch		\
   %D%/packages/patches/libcyaml-libyaml-compat.patch		\
   %D%/packages/patches/libexpected-use-provided-catch2.patch	\
   %D%/packages/patches/libgda-cve-2021-39359.patch		\
diff --git a/gnu/packages/cdrom.scm b/gnu/packages/cdrom.scm
index de31002ac1..d06fe068db 100644
--- a/gnu/packages/cdrom.scm
+++ b/gnu/packages/cdrom.scm
@@ -560,7 +560,8 @@ (define-public libcue
              (file-name (git-file-name name version))
              (sha256
               (base32
-               "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm"))))
+               "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm"))
+             (patches (search-patches "libcue-CVE-2023-43641.patch"))))
     (build-system cmake-build-system)
     (arguments
      `(#:configure-flags '("-DBUILD_SHARED_LIBS=ON")))
diff --git a/gnu/packages/patches/libcue-CVE-2023-43641.patch b/gnu/packages/patches/libcue-CVE-2023-43641.patch
new file mode 100644
index 0000000000..640c197981
--- /dev/null
+++ b/gnu/packages/patches/libcue-CVE-2023-43641.patch
@@ -0,0 +1,18 @@
+Fix CVE-2023-43641:
+https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
+
+Patch from the disclosure post.
+
+diff --git a/cd.c b/cd.c
+index cf77a18..4bbea19 100644
+--- a/cd.c
++++ b/cd.c
+@@ -339,7 +339,7 @@ track_get_rem(const Track* track)
+ 
+ void track_set_index(Track *track, int i, long ind)
+ {
+-	if (i > MAXINDEX) {
++	if (i < 0 || i > MAXINDEX) {
+ 		fprintf(stderr, "too many indexes\n");
+                 return;
+         }

base-commit: 7937c8827b8d23347a3159b4696335bd19fc17aa
-- 
2.41.0