From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]] Date: Sat, 24 Dec 2016 01:32:51 -0500 Message-ID: <20161224063251.GA30959@jasmine> References: <20161216193319.GA12690@jasmine> <20161216193659.GA26067@jasmine> <87lgv7zs6y.fsf@openmailbox.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="OgqxwSJOaUobr8KG" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:42617) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cKft6-0000yy-61 for guix-devel@gnu.org; Sat, 24 Dec 2016 01:33:01 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cKft2-0005Jk-Pv for guix-devel@gnu.org; Sat, 24 Dec 2016 01:33:00 -0500 Received: from out3-smtp.messagingengine.com ([66.111.4.27]:60451) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cKft2-0005JR-Kc for guix-devel@gnu.org; Sat, 24 Dec 2016 01:32:56 -0500 Content-Disposition: inline In-Reply-To: <87lgv7zs6y.fsf@openmailbox.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Kei Kebreau Cc: guix-devel@gnu.org --OgqxwSJOaUobr8KG Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote: > Leo Famulari writes: >=20 > > On Fri, Dec 16, 2016 at 02:33:19PM -0500, Leo Famulari wrote: > >> We fixed this bug in our guile-irregex package in commit fb73f07a0fe, > >> but our chez-irregex and chicken packages are still vulnerable. > > > > Also note that (I believe) our chicken package is vulnerable to > > CVE-2016-{6830,6831}: > > > > http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00002.= html >=20 > The attached patch is currently being tested on my computer, but I > suspect it will work. >=20 > See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D834845. >=20 > From 3423ef38ecab794f9601aa8ac63c6974d9db62d4 Mon Sep 17 00:00:00 2001 > From: Kei Kebreau > Date: Thu, 22 Dec 2016 14:16:55 -0500 > Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}. >=20 > * gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New fil= e. > * gnu/local.mk (dist_patch_DATA): Use it. > * gnu/packages/scheme.scm (chicken)[source]: Use it. Thank you for looking into this! Something like this patch is in CHICKEN 4.11.1: https://code.call-cc.org/cgi-bin/gitweb.cgi?p=3Dchicken-core.git;a=3Dcommit= diff;h=3D0d20426c6da0f116606574dadadaa878b96a68ea And there is a patch for the IrRegex bug after the latest tag: https://code.call-cc.org/cgi-bin/gitweb.cgi?p=3Dchicken-core.git;a=3Dcommit= diff;h=3D2c419f18138c17767754b36d3b706cd71a55350a Can you try updating CHICKEN and applying that IrRegex patch? --OgqxwSJOaUobr8KG Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlheFo8ACgkQJkb6MLrK fwgoxQ/7BDBy4Ylhzr0H3hL+OiY25Z7Mo5pbebHQDMOOby/Beh3yfy2MfwIE3lmX 4jorlpomEhUxpoYjFmF2KR/eIzs+Vr/UWR0iwPD/tdf2vFH2F6tnn01GdwX+K9cn g7z75V3AhIIoM0sKwMlkbS5IkfLmwUOO9yabEyDgOGlLkpgj/FsYzFCJMqYkg6lj DDfpsvNhdZQidHgVzE1V7t6mzg+ttcDKvkiy8JAODVTXtHZmZh3gvWaVaXDUfVEP CvlR3Lml8KNpb0EDwfVT42xHxVWlSKqYMw6673kzj7rWirrBOd9rPrzwGPzmYTEM hW+0wx1eO1FmJ2/hvhbjVzcVUuvJhQF8+PjqQxReAANagGNmzqW4xxyi4l3nH2lr oiHFVgbPsvqGBlbztdO1x9tORg6RhBfVDjRJJXrlDYbBvjmVUsTIDoPDFnywCC9Q bXUdqIb4cq8bElck17shf9Ar8znJfIH7/KVpDrP4qt8XAj1SudhOvy+9GErG/4Aj PrF27188kq4o68IQwmiSxm6QFg71vyNJgolcriLA0pY00ukkSZn672mgq2MpVhvb Gt4esgmycrCeaVgTvpMHvumSocllmhHNRzNIfS3hp8pBh4gQiMuM+GXckxgkkHRC 9xKkcVjgbFB3/JT3PF8DGcWo8iFcXgB5QAATwNsz9EpTgmmzN+o= =kFzj -----END PGP SIGNATURE----- --OgqxwSJOaUobr8KG--