From mboxrd@z Thu Jan 1 00:00:00 1970 From: Efraim Flashner Subject: Re: Flex security update: RCE in generated code (CVE-2016-6354) Date: Sun, 28 Aug 2016 12:41:49 +0300 Message-ID: <20160828094149.GJ26988@macbook42.flashner.co.il> References: <20160826221426.GA29432@jasmine> <20160826224959.GA8478@jasmine> <87poot7ujp.fsf@gnu.org> <20160828005434.GA31891@jasmine> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="eWbcAUUbgrfSEG1c" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:35577) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bdwbO-00080I-92 for guix-devel@gnu.org; Sun, 28 Aug 2016 05:42:07 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bdwbJ-0001xY-Hk for guix-devel@gnu.org; Sun, 28 Aug 2016 05:42:05 -0400 Content-Disposition: inline In-Reply-To: <20160828005434.GA31891@jasmine> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Leo Famulari Cc: guix-devel@gnu.org --eWbcAUUbgrfSEG1c Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Aug 27, 2016 at 08:54:34PM -0400, Leo Famulari wrote: > On Sat, Aug 27, 2016 at 11:48:10PM +0200, Ludovic Court=C3=A8s wrote: > > Hello! > >=20 > > Leo Famulari skribis: > >=20 > > > On Fri, Aug 26, 2016 at 06:14:26PM -0400, Leo Famulari wrote: > > >> Subject: [PATCH] gnu: flex: Fix CVE-2016-6354. > > >>=20 > > >> * gnu/packages/flex.scm (flex)[replacement]: New field. > > >> (flex/fixed): New variable. > > >> * gnu/packages/patches/flex-CVE-2016-6354.patch: New file. > > >> * gnu/local.mk (dist_patch_DATA): Add it. > > > > > > As Mark pointed out on #guix, bugs in flex's generated code can not be > > > addressed with a graft. > >=20 > > Indeed. We should add this patch to =E2=80=98core-updates=E2=80=99 and= start building > > it (I haven=E2=80=99t checked the status of the various branches, thoug= h.) >=20 > Done as eba7fab890. >=20 > I'm not sure of the overall health of the branch, but I have built some > packages from it locally on x86_64. So, the base system seems to be > working. >=20 I somehow managed to push a lot to the branch, and currently cmake is broken, both the "old" version and the "new" version I pushed. They are broken in the same way, so (based on nothing at all) I assume its related to the file update. Also, gcc-4.9.4 causes the same breakage on arm as 5.3.0 did. --=20 Efraim Flashner =D7=90=D7=A4=D7=A8=D7=99=D7=9D = =D7=A4=D7=9C=D7=A9=D7=A0=D7=A8 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --eWbcAUUbgrfSEG1c Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJXwrHdAAoJEPTB05F+rO6Tn4IP/RNkQVzuZHbVChtQCA7KIHSP XRTF4Jc7+x4mQEoM9TrUR4FwZEoU1U26dVITIcP7taIUV1Zhx7GmZ+ISsOFIpz7p Rm/H5YK4zGPB4dvA0SYdJzc6aioOuDLgdaOXBa6IbX5JrHJtj3UisCDPhNVKR2j5 15p7saMRn9hg3qJ5bkDH+GtaHhPja8xdm4RYGwnoUt4hSiPFyiICYjJsKQJb1ChW OLKVuVA71jWeRkRoCdT0NRASvlXgZutOzA+tDqiRFAJq5jBrD04W9q3y3oS6PMYi ots1uLGOe6h24zmruScV+K04jfDk9oFjEIWC+D5un4VZ/F3IYbCK8UTrntTlhqxF BtjO+uTV8wMc3v6oZDl4LSaBqKLdg/TkNymhbZ4lXar05gHYKlIvt8EFxqwX7uiF 7UdixU7gmBpIWkkf1jq0dDFADOr9O7bvW0mENz6R5Baej4yOjfQBz+v9bGOhopjt Hy+AwYySi6LIAdVgu4Gkyl4Kfp6Kxl7wzRXIBgG6km+CG7tTG9TH4Prwfzjx4MIn tTuEBluGFCVq7RK7Ygu2Xgtg9fNGZUSPs3DaJmJ9QQLGhotm1jzOtJvfnbYCYGIB NKCma75vdr0/J0BFrf1xgk9zs9r+jidg75JeMz9BWQ/1TlJvAbdZz5TJfZkEOeE4 XjcIFxmJnzAlXnCE3UYb =aqv6 -----END PGP SIGNATURE----- --eWbcAUUbgrfSEG1c--