* [bug#48656] [PATCH] gnu: lz4: Add a patch for CVE-2021-3520. @ 2021-05-25 18:24 Solene Rapenne via Guix-patches via 2021-05-25 19:07 ` Leo Famulari 0 siblings, 1 reply; 5+ messages in thread From: Solene Rapenne via Guix-patches via @ 2021-05-25 18:24 UTC (permalink / raw) To: 48656 This imports a patch that is not committed upstream yet but pending for merge on github https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7 This is already widely used in many distributions distributing lz4 --- gnu/packages/compression.scm | 7 +++++-- gnu/packages/patches/lz4-CVE-2021-3520.patch | 15 +++++++++++++++ 2 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/lz4-CVE-2021-3520.patch diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 64816a30c0..53ab999151 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -33,6 +33,7 @@ ;;; Copyright © 2021 Antoine Côté <antoine.cote@posteo.net> ;;; Copyright © 2021 Vincent Legoll <vincent.legoll@gmail.com> ;;; Copyright © 2021 Simon Tournier <zimon.toutoune@gmail.com> +;;; Copyright © 2021 Solene Rapenne <solene@perso.pw> ;;; ;;; This file is part of GNU Guix. ;;; @@ -810,15 +811,17 @@ decompression of some loosely related file formats used by Microsoft.") (commit (string-append "v" version)))) (sha256 (base32 "1w02kazh1fps3sji2sn89fz862j1199c5ajrqcgl1bnlxj09kcbz")) + (patches + (search-patches "lz4-CVE-2021-3520.patch")) (file-name (git-file-name name version)))) (build-system gnu-build-system) (outputs (list "out" "static")) (native-inputs - `(;; For tests. + `( ;; For tests. ("python" ,python) ("valgrind" ,valgrind))) (arguments - `(;; Not designed for parallel testing. + `( ;; Not designed for parallel testing. ;; See https://github.com/lz4/lz4/issues/957#issuecomment-737419821 #:parallel-tests? #f #:test-target "test" 
diff --git a/gnu/packages/patches/lz4-CVE-2021-3520.patch b/gnu/packages/patches/lz4-CVE-2021-3520.patch new file mode 100644 index 0000000000..100baa4758 --- /dev/null +++ b/gnu/packages/patches/lz4-CVE-2021-3520.patch @@ -0,0 +1,15 @@ +Not merged patch fixing CVE-2021-3520 +https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7 + +Index: b/lib/lz4.c +--- a/lib/lz4.c.orig ++++ b/lib/lz4.c +@@ -1749,7 +1749,7 @@ LZ4_decompress_generic( + const size_t dictSize /* note : = 0 if noDict */ + ) + { +- if (src == NULL) { return -1; } ++ if ((src == NULL) || (outputSize < 0)) { return -1; } + + { const BYTE* ip = (const BYTE*) src; + const BYTE* const iend = ip + srcSize; -- 2.31.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
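Review bot: The whitespace changes at the end of the compression.scm hunk at -810, `(;; For tests.` to `( ;; For tests.` and `(;; Not designed for parallel testing.` to `( ;; Not designed for parallel testing.`, are unrelated to the security fix and should be dropped. The hunk would then contain only the new `(patches (search-patches "lz4-CVE-2021-3520.patch"))` field, and the compression.scm diffstat would shrink from 7 changed lines to the copyright line plus the two added lines.
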
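Review bot: The new file gnu/packages/patches/lz4-CVE-2021-3520.patch is not registered in gnu/local.mk: the diffstat lists only compression.scm and the patch file itself, so the series needs a third file change adding the patch there. In the patch header, "Not merged patch fixing CVE-2021-3520" would also be more useful with one sentence on what the change guards against, namely that the added `(outputSize < 0)` test rejects a negative output size at the entry of LZ4_decompress_generic, in the same guard as the existing `src == NULL` check, next to the upstream commit URL already given.
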
* [bug#48656] [PATCH] gnu: lz4: Add a patch for CVE-2021-3520.
From: Leo Famulari @ 2021-05-25 19:07 UTC
To: 48656

On Tue, May 25, 2021 at 08:24:07PM +0200, Solene Rapenne via Guix-patches via wrote:
> This imports a patch that is not committed upstream yet
> but pending for merge on github
>
> https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
>
> This is already widely used in many distributions distributing lz4
>
> ---
> gnu/packages/compression.scm | 7 +++++--
> gnu/packages/patches/lz4-CVE-2021-3520.patch | 15 +++++++++++++++

When adding a new patch file, you have to register it in 'gnu/local.mk'.

Is there any discussion about this upstream? Why isn't it included in
lz4 yet?

* [bug#48656] [PATCH] gnu: lz4: Add a patch for CVE-2021-3520.
From: Leo Famulari @ 2021-05-25 21:51 UTC
To: 48656

On Tue, May 25, 2021 at 03:07:05PM -0400, Leo Famulari wrote:
> Is there any discussion about this upstream? Why isn't it included in
> lz4 yet?

I found approval from the lz4 maintainers:

https://github.com/lz4/lz4/pull/972#issuecomment-830192743
https://github.com/lz4/lz4/pull/972#issuecomment-799719118

* [bug#48656] [PATCH] gnu: lz4: Add a patch for CVE-2021-3520.
From: Jelle Licht @ 2023-05-29 11:31 UTC
To: Leo Famulari; +Cc: 48656

Leo Famulari <leo@famulari.name> writes:

> On Tue, May 25, 2021 at 03:07:05PM -0400, Leo Famulari wrote:
>> Is there any discussion about this upstream? Why isn't it included in
>> lz4 yet?
>
> I found approval from the lz4 maintainers:
>
> https://github.com/lz4/lz4/pull/972#issuecomment-830192743
> https://github.com/lz4/lz4/pull/972#issuecomment-799719118

It seems there's some uncertainty w.r.t. the validity of the CVE [0],
but since then a release has been made that pulls the changes discussed
in issue 972 into lz4 release 1.9.4.

* [bug#48656] [PATCH] gnu: lz4: Add a patch for CVE-2021-3520.
From: Jelle Licht @ 2023-05-29 11:43 UTC
To: Leo Famulari; +Cc: 48656

Jelle Licht <jlicht@fsfe.org> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Tue, May 25, 2021 at 03:07:05PM -0400, Leo Famulari wrote:
>>> Is there any discussion about this upstream? Why isn't it included in
>>> lz4 yet?
>>
>> I found approval from the lz4 maintainers:
>>
>> https://github.com/lz4/lz4/pull/972#issuecomment-830192743
>> https://github.com/lz4/lz4/pull/972#issuecomment-799719118
>
> It seems there's some uncertainty w.r.t. the validity of the CVE [0],
> but since then a release has been made that pulls the changes discussed
> in issue 972 into lz4 release 1.9.4.

With [0] being:
https://github.com/lz4/lz4/issues/1037#issuecomment-1283560779