From: Leo Famulari
Subject: bug#30415: Unzip CVE-2018-1000031 and others
Date: Mon, 12 Feb 2018 13:58:02 -0500
Message-ID: <20180212185802.GA30991@jasmine.lan>
References: <20180210185728.GA18894@jasmine.lan> <20180211153548.GA1853@jasmine.lan>
In-Reply-To: <20180211153548.GA1853@jasmine.lan>
To: 30415@debbugs.gnu.org

On Sun, Feb 11, 2018 at 10:35:48AM -0500, Leo Famulari wrote:
> And CVE-2018-1000035 may be mitigated by the compiler. I'll investigate
> more.

The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
to reduce the impact of the bug. The attached patch does that.

AFAICT, the proof-of-concept zip file is not published, and there is no upstream patch. --0OAP2g/MAC+5xKAE Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="0001-gnu-unzip-Mitigate-CVE-2018-1000035.patch" Content-Transfer-Encoding: quoted-printable =46rom 4e9eaa43e19ff8fe02c02589d0ea42b88ce67c87 Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Mon, 12 Feb 2018 13:49:49 -0500 Subject: [PATCH] gnu: unzip: Mitigate CVE-2018-1000035. * gnu/packages/compression.scm (unzip)[replacement]: New field. (unzip/fixed): New variable. --- gnu/packages/compression.scm | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 3a0e27945..9983ee129 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -5,7 +5,7 @@ ;;; Copyright =C2=A9 2015 Taylan Ulrich Bay=C4=B1rl=C4=B1/Kammer ;;; Copyright =C2=A9 2015, 2016 Eric Bavier ;;; Copyright =C2=A9 2015, 2016, 2017 Ricardo Wurmus -;;; Copyright =C2=A9 2015, 2017 Leo Famulari +;;; Copyright =C2=A9 2015, 2017, 2018 Leo Famulari ;;; Copyright =C2=A9 2015 Jeff Mickey ;;; Copyright =C2=A9 2015, 2016, 2017 Efraim Flashner ;;; Copyright =C2=A9 2016 Ben Woodcroft @@ -1719,6 +1719,7 @@ Compression ratios of 2:1 to 3:1 are common for text = files.") (define-public unzip (package (inherit zip) (name "unzip") + (replacement unzip/fixed) (version "6.0") (source (origin 
@@ -1769,6 +1770,20 @@ recreates the stored directory structure by default.= ") (license (license:non-copyleft "file://LICENSE" "See LICENSE in the distribution.")))) =20 +(define unzip/fixed + (package/inherit unzip + (arguments + (substitute-keyword-arguments (package-arguments unzip) + ((#:phases phases) + `(modify-phases ,phases + (add-after 'unpack 'fortify + (lambda _ + ;; Mitigate CVE-2018-1000035, an exploitable buffer overf= low. + ;; This environment variable is recommended in 'unix/Make= file' + ;; for passing flags to the C compiler. + (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=3D1") + #t)))))))) + (define-public zziplib (package (name "zziplib") --=20 2.16.1
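
Review bot: In the unzip/fixed hunk, the 'fortify phase sets LOCAL_UNZIP to -D_FORTIFY_SOURCE=1, but glibc's fortified wrappers only take effect when the compiler also runs with optimization, and the visible lines do not show which optimization flags the 'unix/Makefile' build passes. Please confirm the build uses -O1 or higher and say so in the comment, otherwise the define is a no-op. The comment could also record why level 1 was chosen rather than level 2, which enables additional checks. Separately, the `((#:phases phases)` clause of substitute-keyword-arguments only rewrites a #:phases keyword that already exists in `(package-arguments unzip)`, which this hunk does not show; if unzip defines no phases, the new phase would be dropped without any error, so it is worth checking the built binary for the fortified `__*_chk` symbols.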