[bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.

[bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.

[Alex Vong]

[-- Attachment #1: Type: text/plain, Size: 437 bytes --]

Tags: security

Hello,

This patch series mainly fixes the latest CVEs found in libextractor,
but it also upgrades other gnunet related packages to their latest
version.

Please also note that the versioning scheme for guile-gnunet is changed
to use that of 'git-version'. Unfortunately, this would break
"guix package --upgrade". But I think this change needs to be made at
some point anyway, so we may as well do it now.

Cheers,
Alex

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

[bug#33933] [PATCH 1/4] gnu: libextractor: Update to 1.8.

[Alex Vong]

[-- Attachment #1.1: 0001-gnu-libextractor-Update-to-1.8.patch --]
[-- Type: text/x-diff, Size: 1528 bytes --]

From 8cb16fb98e444bdbed44f73038aa74d2a4a306f1 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:48:50 +0800
Subject: [PATCH 1/4] gnu: libextractor: Update to 1.8.

* gnu/packages/gnunet.scm (libextractor): Update to 1.8.
---
 gnu/packages/gnunet.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index d1dc8fd58..4a6952076 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is>
 ;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -67,14 +68,14 @@
 (define-public libextractor
   (package
    (name "libextractor")
-   (version "1.7")
+   (version "1.8")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/libextractor/libextractor-"
                                 version ".tar.gz"))
             (sha256
              (base32
-              "13wf6vj7mkv6gw8h183cnk7m24ir0gyf198pyb2148ng4klgv9p0"))))
+              "1z1cb35griqzvshqdv5ck98dy0sgpsswn7fgiy7lbzi34sma8dg2"))))
    (build-system gnu-build-system)
    ;; WARNING: Checks require /dev/shm to be in the build chroot, especially
    ;; not to be a symbolic link to /run/shm.
-- 
2.20.1


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

[bug#33933] [PATCH 2/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.

[Alex Vong]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.1: 0002-gnu-libextractor-Fix-CVE-2018-20430-20431.patch --]
[-- Type: text/x-diff, Size: 6100 bytes --]

From a155ee678aefe73eb8e209e7a6d4ace8afabcf92 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:50:48 +0800
Subject: [PATCH 2/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.

* gnu/packages/patches/libextractor-CVE-2018-20430.patch,
gnu/packages/patches/libextractor-CVE-2018-20431.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gnunet.scm (libextractor)[source]: Use them.
---
 gnu/local.mk                                  |  2 +
 gnu/packages/gnunet.scm                       |  2 +
 .../patches/libextractor-CVE-2018-20430.patch | 60 +++++++++++++++++++
 .../patches/libextractor-CVE-2018-20431.patch | 53 ++++++++++++++++
 4 files changed, 117 insertions(+)
 create mode 100644 gnu/packages/patches/libextractor-CVE-2018-20430.patch
 create mode 100644 gnu/packages/patches/libextractor-CVE-2018-20431.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 0bb020335..75634b741 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -888,6 +888,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libevent-2.1-skip-failing-test.patch	\
   %D%/packages/patches/libexif-CVE-2016-6328.patch		\
   %D%/packages/patches/libexif-CVE-2017-7544.patch		\
+  %D%/packages/patches/libextractor-CVE-2018-20430.patch	\
+  %D%/packages/patches/libextractor-CVE-2018-20431.patch	\
   %D%/packages/patches/libgcrypt-make-yat2m-reproducible.patch	\
   %D%/packages/patches/libgit2-mtime-0.patch			\
   %D%/packages/patches/libgit2-oom-test.patch			\
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 4a6952076..d9e903734 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -73,6 +73,8 @@
             (method url-fetch)
             (uri (string-append "mirror://gnu/libextractor/libextractor-"
                                 version ".tar.gz"))
+            (patches (search-patches "libextractor-CVE-2018-20430.patch"
+                                     "libextractor-CVE-2018-20431.patch"))
             (sha256
              (base32
               "1z1cb35griqzvshqdv5ck98dy0sgpsswn7fgiy7lbzi34sma8dg2"))))
diff --git a/gnu/packages/patches/libextractor-CVE-2018-20430.patch b/gnu/packages/patches/libextractor-CVE-2018-20430.patch
new file mode 100644
index 000000000..570cd7c00
--- /dev/null
+++ b/gnu/packages/patches/libextractor-CVE-2018-20430.patch
@@ -0,0 +1,60 @@
+Fix CVE-2018-20430:
+
+https://gnunet.org/bugs/view.php?id=5493
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20430
+https://security-tracker.debian.org/tracker/CVE-2018-20430
+
+Patch copied from upstream source repository:
+
+https://gnunet.org/git/libextractor.git/commit/?id=b405d707b36e0654900cba78e89f49779efea110
+
+From b405d707b36e0654900cba78e89f49779efea110 Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christian@grothoff.org>
+Date: Thu, 20 Dec 2018 22:47:53 +0100
+Subject: [PATCH] fix #5493 (out of bounds read)
+
+---
+ src/common/convert.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/common/convert.c b/src/common/convert.c
+index c0edf21..2be2108 100644
+--- a/src/common/convert.c
++++ b/src/common/convert.c
+@@ -36,8 +36,8 @@
+  *  string is returned.
+  */
+ char *
+-EXTRACTOR_common_convert_to_utf8 (const char *input, 
+-				  size_t len, 
++EXTRACTOR_common_convert_to_utf8 (const char *input,
++				  size_t len,
+ 				  const char *charset)
+ {
+ #if HAVE_ICONV
+@@ -52,7 +52,7 @@ EXTRACTOR_common_convert_to_utf8 (const char *input,
+   i = input;
+   cd = iconv_open ("UTF-8", charset);
+   if (cd == (iconv_t) - 1)
+-    return strdup (i);
++    return strndup (i, len);
+   if (len > 1024 * 1024)
+     {
+       iconv_close (cd);
+@@ -67,11 +67,11 @@ EXTRACTOR_common_convert_to_utf8 (const char *input,
+     }
+   itmp = tmp;
+   finSize = tmpSize;
+-  if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == SIZE_MAX)
++  if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == ((size_t) -1))
+     {
+       iconv_close (cd);
+       free (tmp);
+-      return strdup (i);
++      return strndup (i, len);
+     }
+   ret = malloc (tmpSize - finSize + 1);
+   if (ret == NULL)
+-- 
+2.20.1
+
diff --git a/gnu/packages/patches/libextractor-CVE-2018-20431.patch b/gnu/packages/patches/libextractor-CVE-2018-20431.patch
new file mode 100644
index 000000000..855c5ba64
--- /dev/null
+++ b/gnu/packages/patches/libextractor-CVE-2018-20431.patch
@@ -0,0 +1,53 @@
+Fix CVE-2018-20431:
+
+https://gnunet.org/bugs/view.php?id=5494
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20431
+https://security-tracker.debian.org/tracker/CVE-2018-20431
+
+Patch copied from upstream source repository:
+
+https://gnunet.org/git/libextractor.git/commit/?id=489c4a540bb2c4744471441425b8932b97a153e7
+
+To apply the patch to libextractor 1.8 release tarball,
+hunk #1 which patches ChangeLog is removed. 
+
+From 489c4a540bb2c4744471441425b8932b97a153e7 Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christian@grothoff.org>
+Date: Thu, 20 Dec 2018 23:02:28 +0100
+Subject: [PATCH] fix #5494
+
+---
+ ChangeLog                    | 3 ++-
+ src/plugins/ole2_extractor.c | 9 +++++++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/ole2_extractor.c b/src/plugins/ole2_extractor.c
+index 53fa1b9..a48b726 100644
+--- a/src/plugins/ole2_extractor.c
++++ b/src/plugins/ole2_extractor.c
+@@ -173,7 +173,7 @@ struct ProcContext
+   EXTRACTOR_MetaDataProcessor proc;
+ 
+   /**
+-   * Closure for 'proc'.
++   * Closure for @e proc.
+    */
+   void *proc_cls;
+ 
+@@ -213,7 +213,12 @@ process_metadata (gpointer key,
+ 
+   if (G_VALUE_TYPE(gval) == G_TYPE_STRING)
+     {
+-      contents = strdup (g_value_get_string (gval));
++      const char *gvals;
++
++      gvals = g_value_get_string (gval);
++      if (NULL == gvals)
++        return;
++      contents = strdup (gvals);
+     }
+   else
+     {
+-- 
+2.20.1
+
-- 
2.20.1


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

[bug#33933] [PATCH 3/4] gnu: libmicrohttpd: Update to 0.9.62.

[Alex Vong]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.1: 0003-gnu-libmicrohttpd-Update-to-0.9.62.patch --]
[-- Type: text/x-diff, Size: 1204 bytes --]

From c5b57304b0ec12d44ffb749befd00fb0e4d92c0f Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:54:04 +0800
Subject: [PATCH 3/4] gnu: libmicrohttpd: Update to 0.9.62.

* gnu/packages/gnunet.scm (libmicrohttpd): Update to 0.9.62.
---
 gnu/packages/gnunet.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index d9e903734..79584fcf0 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -148,14 +148,14 @@ tool to extract metadata from a file and print the results.")
 (define-public libmicrohttpd
   (package
    (name "libmicrohttpd")
-   (version "0.9.59")
+   (version "0.9.62")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/libmicrohttpd/libmicrohttpd-"
                                 version ".tar.gz"))
             (sha256
              (base32
-              "0g4jgnv43yddr9yxrqg11632rip0lg5c53gmy5wy3c0i1dywv74v"))))
+              "0jfvi1fb4im3a3m8qishbmzx3zch993c0mhvl2k92l1zf1yhjgmx"))))
    (build-system gnu-build-system)
    (inputs
     `(("curl" ,curl)
-- 
2.20.1


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

[bug#33933] [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.

[Alex Vong]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.1: 0004-gnu-guile-gnunet-Update-to-0.0-1.d12167a.patch --]
[-- Type: text/x-diff, Size: 1838 bytes --]

From 8009339b00ce374fadea36e964d0fcbcb85ed044 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 07:00:39 +0800
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.

* gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
[version]: Use git-version.
[source]: Use git-file-name.
---
 gnu/packages/gnunet.scm | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 79584fcf0..b00c8848a 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
    (home-page "https://gnunet.org/")))
 
 (define-public guile-gnunet                       ;GSoC 2015!
-  (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
+  (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
+        (revision "1"))
     (package
       (name "guile-gnunet")
-      (version (string-append "0.0." (string-take commit 7)))
+      (version (git-version "0.0" revision commit))
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
                       (url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
                       (commit commit)))
-                (file-name (string-append name "-" version "-checkout"))
+                (git-file-name name version)
                 (sha256
                  (base32
-                  "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
+                  "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
       (build-system gnu-build-system)
       (native-inputs `(("pkg-config" ,pkg-config)
                        ("autoconf" ,autoconf-wrapper)
-- 
2.20.1


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

[bug#33933] [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.

[Alex Vong]

[-- Attachment #1.1: Type: text/plain, Size: 62 bytes --]

Sorry, the last patch is incorrect. The correct one is here:


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0004-gnu-guile-gnunet-Update-to-0.0-1.d12167a.patch --]
[-- Type: text/x-diff, Size: 1850 bytes --]

From 9c2b78d121e4711f3c42ccc7bbc291beaf45571c Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 07:00:39 +0800
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.

* gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
[version]: Use git-version.
[source]: Use git-file-name.
---
 gnu/packages/gnunet.scm | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 79584fcf0..62bb3026d 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
    (home-page "https://gnunet.org/")))
 
 (define-public guile-gnunet                       ;GSoC 2015!
-  (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
+  (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
+        (revision "1"))
     (package
       (name "guile-gnunet")
-      (version (string-append "0.0." (string-take commit 7)))
+      (version (git-version "0.0" revision commit))
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
                       (url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
                       (commit commit)))
-                (file-name (string-append name "-" version "-checkout"))
+                (file-name (git-file-name name version))
                 (sha256
                  (base32
-                  "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
+                  "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
       (build-system gnu-build-system)
       (native-inputs `(("pkg-config" ,pkg-config)
                        ("autoconf" ,autoconf-wrapper)
-- 
2.20.1


[-- Attachment #1.3: Type: text/plain, Size: 1951 bytes --]


Alex Vong <alexvong1995@gmail.com> writes:

> From 8009339b00ce374fadea36e964d0fcbcb85ed044 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Mon, 31 Dec 2018 07:00:39 +0800
> Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
>
> * gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
> [version]: Use git-version.
> [source]: Use git-file-name.
> ---
>  gnu/packages/gnunet.scm | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
> index 79584fcf0..b00c8848a 100644
> --- a/gnu/packages/gnunet.scm
> +++ b/gnu/packages/gnunet.scm
> @@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
>     (home-page "https://gnunet.org/")))
>  
>  (define-public guile-gnunet                       ;GSoC 2015!
> -  (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
> +  (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
> +        (revision "1"))
>      (package
>        (name "guile-gnunet")
> -      (version (string-append "0.0." (string-take commit 7)))
> +      (version (git-version "0.0" revision commit))
>        (source (origin
>                  (method git-fetch)
>                  (uri (git-reference
>                        (url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
>                        (commit commit)))
> -                (file-name (string-append name "-" version "-checkout"))
> +                (git-file-name name version)
>                  (sha256
>                   (base32
> -                  "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
> +                  "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
>        (build-system gnu-build-system)
>        (native-inputs `(("pkg-config" ,pkg-config)
>                         ("autoconf" ,autoconf-wrapper)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

[bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 545 bytes --]

On Mon, Dec 31, 2018 at 07:15:42AM +0800, Alex Vong wrote:
> Tags: security
> 
> Hello,
> 
> This patch series mainly fixes the latest CVEs found in libextractor,
> but it also upgrades other gnunet related packages to their latest
> version.
> 
> Please also note that the versioning scheme for guile-gnunet is changed
> to use that of 'git-version'. Unfortunately, this would break
> "guix package --upgrade". But I think this change needs to be made at
> some point anyway, so we may as well do it now.

Thanks, please push :)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#33933: [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.

[Alex Vong]

[-- Attachment #1: Type: text/plain, Size: 705 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Mon, Dec 31, 2018 at 07:15:42AM +0800, Alex Vong wrote:
>> Tags: security
>> 
>> Hello,
>> 
>> This patch series mainly fixes the latest CVEs found in libextractor,
>> but it also upgrades other gnunet related packages to their latest
>> version.
>> 
>> Please also note that the versioning scheme for guile-gnunet is changed
>> to use that of 'git-version'. Unfortunately, this would break
>> "guix package --upgrade". But I think this change needs to be made at
>> some point anyway, so we may as well do it now.
>
> Thanks, please push :)

Pushed as 1983a9b0a50ff759f2d192d7fa0f7ad0fb1e1384 -
5651e74cc6c1d1b8a2ef1d40e6f14e1123a7de97!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]