* [bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.
From: Alex Vong @ 2018-12-30 23:15 UTC (permalink / raw)
To: 33933; +Cc: alexvong1995
Tags: security
Hello,
This patch series mainly fixes the latest CVEs found in libextractor,
but it also upgrades other gnunet related packages to their latest
version.
Please also note that the versioning scheme for guile-gnunet is changed
to use that of 'git-version'. Unfortunately, this would break
"guix package --upgrade". But I think this change needs to be made at
some point anyway, so we may as well do it now.
Cheers,
Alex
* [bug#33933] [PATCH 1/4] gnu: libextractor: Update to 1.8.
From: Alex Vong @ 2018-12-30 23:18 UTC (permalink / raw)
To: 33933; +Cc: alexvong1995
[-- Attachment #1.1: 0001-gnu-libextractor-Update-to-1.8.patch --]
From 8cb16fb98e444bdbed44f73038aa74d2a4a306f1 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:48:50 +0800
Subject: [PATCH 1/4] gnu: libextractor: Update to 1.8.
* gnu/packages/gnunet.scm (libextractor): Update to 1.8.
---
gnu/packages/gnunet.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index d1dc8fd58..4a6952076 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -7,6 +7,7 @@
;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is>
;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -67,14 +68,14 @@
(define-public libextractor
(package
(name "libextractor")
- (version "1.7")
+ (version "1.8")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/libextractor/libextractor-"
version ".tar.gz"))
(sha256
(base32
- "13wf6vj7mkv6gw8h183cnk7m24ir0gyf198pyb2148ng4klgv9p0"))))
+ "1z1cb35griqzvshqdv5ck98dy0sgpsswn7fgiy7lbzi34sma8dg2"))))
(build-system gnu-build-system)
;; WARNING: Checks require /dev/shm to be in the build chroot, especially
;; not to be a symbolic link to /run/shm.
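Review bot: the replacement base32 value under `sha256` in the libextractor origin cannot be checked from the diff alone, and the commit message does not say how the 1.8 tarball was authenticated. Stating that the tarball fetched from `mirror://gnu/libextractor/` was verified against its upstream signature before the hash was computed would close that gap. The bump by itself also does not address CVE-2018-20430 or CVE-2018-20431; per the series those are handled by the patches added in 2/4, so the two commits should land together.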
--
2.20.1
* [bug#33933] [PATCH 2/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.
From: Alex Vong @ 2018-12-30 23:18 UTC (permalink / raw)
To: 33933; +Cc: alexvong1995
[-- Attachment #1.1: 0002-gnu-libextractor-Fix-CVE-2018-20430-20431.patch --]
From a155ee678aefe73eb8e209e7a6d4ace8afabcf92 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:50:48 +0800
Subject: [PATCH 2/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.
* gnu/packages/patches/libextractor-CVE-2018-20430.patch,
gnu/packages/patches/libextractor-CVE-2018-20431.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gnunet.scm (libextractor)[source]: Use them.
---
gnu/local.mk | 2 +
gnu/packages/gnunet.scm | 2 +
| 60 +++++++++++++++++++
| 53 ++++++++++++++++
4 files changed, 117 insertions(+)
create mode 100644 gnu/packages/patches/libextractor-CVE-2018-20430.patch
create mode 100644 gnu/packages/patches/libextractor-CVE-2018-20431.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 0bb020335..75634b741 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -888,6 +888,8 @@ dist_patch_DATA = \
%D%/packages/patches/libevent-2.1-skip-failing-test.patch \
%D%/packages/patches/libexif-CVE-2016-6328.patch \
%D%/packages/patches/libexif-CVE-2017-7544.patch \
+ %D%/packages/patches/libextractor-CVE-2018-20430.patch \
+ %D%/packages/patches/libextractor-CVE-2018-20431.patch \
%D%/packages/patches/libgcrypt-make-yat2m-reproducible.patch \
%D%/packages/patches/libgit2-mtime-0.patch \
%D%/packages/patches/libgit2-oom-test.patch \
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 4a6952076..d9e903734 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -73,6 +73,8 @@
(method url-fetch)
(uri (string-append "mirror://gnu/libextractor/libextractor-"
version ".tar.gz"))
+ (patches (search-patches "libextractor-CVE-2018-20430.patch"
+ "libextractor-CVE-2018-20431.patch"))
(sha256
(base32
"1z1cb35griqzvshqdv5ck98dy0sgpsswn7fgiy7lbzi34sma8dg2"))))
--git a/gnu/packages/patches/libextractor-CVE-2018-20430.patch b/gnu/packages/patches/libextractor-CVE-2018-20430.patch
new file mode 100644
index 000000000..570cd7c00
--- /dev/null
+++ b/gnu/packages/patches/libextractor-CVE-2018-20430.patch
@@ -0,0 +1,60 @@
+Fix CVE-2018-20430:
+
+https://gnunet.org/bugs/view.php?id=5493
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20430
+https://security-tracker.debian.org/tracker/CVE-2018-20430
+
+Patch copied from upstream source repository:
+
+https://gnunet.org/git/libextractor.git/commit/?id=b405d707b36e0654900cba78e89f49779efea110
+
+From b405d707b36e0654900cba78e89f49779efea110 Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christian@grothoff.org>
+Date: Thu, 20 Dec 2018 22:47:53 +0100
+Subject: [PATCH] fix #5493 (out of bounds read)
+
+---
+ src/common/convert.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/common/convert.c b/src/common/convert.c
+index c0edf21..2be2108 100644
+--- a/src/common/convert.c
++++ b/src/common/convert.c
+@@ -36,8 +36,8 @@
+ * string is returned.
+ */
+ char *
+-EXTRACTOR_common_convert_to_utf8 (const char *input,
+- size_t len,
++EXTRACTOR_common_convert_to_utf8 (const char *input,
++ size_t len,
+ const char *charset)
+ {
+ #if HAVE_ICONV
+@@ -52,7 +52,7 @@ EXTRACTOR_common_convert_to_utf8 (const char *input,
+ i = input;
+ cd = iconv_open ("UTF-8", charset);
+ if (cd == (iconv_t) - 1)
+- return strdup (i);
++ return strndup (i, len);
+ if (len > 1024 * 1024)
+ {
+ iconv_close (cd);
+@@ -67,11 +67,11 @@ EXTRACTOR_common_convert_to_utf8 (const char *input,
+ }
+ itmp = tmp;
+ finSize = tmpSize;
+- if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == SIZE_MAX)
++ if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == ((size_t) -1))
+ {
+ iconv_close (cd);
+ free (tmp);
+- return strdup (i);
++ return strndup (i, len);
+ }
+ ret = malloc (tmpSize - finSize + 1);
+ if (ret == NULL)
+--
+2.20.1
+
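Review bot: in the embedded upstream hunk at `@@ -67,11 +67,11 @@`, the failure path `return strndup (i, len);` runs after `iconv (cd, (char **) &input, &len, &itmp, &finSize)`, which receives `&len` and may already have reduced it to the number of unconverted bytes, so the fallback can return a shortened copy of the input rather than the whole buffer. That is still memory-safe, because the reduced `len` never exceeds the caller's length and `i` still points at the start of the buffer, but saving the original length in a separate local and using it in the fallback would keep the returned string complete. The earlier `strndup (i, len)` after the `iconv_open` failure check is the bounded copy the out-of-bounds read called for, and comparing against `((size_t) -1)` matches iconv's documented error return. The hunk at `@@ -36,8 +36,8 @@` appears to be whitespace only, which is expected for a patch copied verbatim from upstream.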
--git a/gnu/packages/patches/libextractor-CVE-2018-20431.patch b/gnu/packages/patches/libextractor-CVE-2018-20431.patch
new file mode 100644
index 000000000..855c5ba64
--- /dev/null
+++ b/gnu/packages/patches/libextractor-CVE-2018-20431.patch
@@ -0,0 +1,53 @@
+Fix CVE-2018-20431:
+
+https://gnunet.org/bugs/view.php?id=5494
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20431
+https://security-tracker.debian.org/tracker/CVE-2018-20431
+
+Patch copied from upstream source repository:
+
+https://gnunet.org/git/libextractor.git/commit/?id=489c4a540bb2c4744471441425b8932b97a153e7
+
+To apply the patch to libextractor 1.8 release tarball,
+hunk #1 which patches ChangeLog is removed.
+
+From 489c4a540bb2c4744471441425b8932b97a153e7 Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christian@grothoff.org>
+Date: Thu, 20 Dec 2018 23:02:28 +0100
+Subject: [PATCH] fix #5494
+
+---
+ ChangeLog | 3 ++-
+ src/plugins/ole2_extractor.c | 9 +++++++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/ole2_extractor.c b/src/plugins/ole2_extractor.c
+index 53fa1b9..a48b726 100644
+--- a/src/plugins/ole2_extractor.c
++++ b/src/plugins/ole2_extractor.c
+@@ -173,7 +173,7 @@ struct ProcContext
+ EXTRACTOR_MetaDataProcessor proc;
+
+ /**
+- * Closure for 'proc'.
++ * Closure for @e proc.
+ */
+ void *proc_cls;
+
+@@ -213,7 +213,12 @@ process_metadata (gpointer key,
+
+ if (G_VALUE_TYPE(gval) == G_TYPE_STRING)
+ {
+- contents = strdup (g_value_get_string (gval));
++ const char *gvals;
++
++ gvals = g_value_get_string (gval);
++ if (NULL == gvals)
++ return;
++ contents = strdup (gvals);
+ }
+ else
+ {
+--
+2.20.1
+
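Review bot: the embedded upstream header still lists `ChangeLog | 3 ++-` and `2 files changed, 9 insertions(+), 3 deletions(-)` although the note above it says the ChangeLog hunk was removed for the 1.8 release tarball. patch(1) ignores the diffstat, so this does not affect applying the patch, but trimming or annotating those two lines would keep the header consistent with the body. In the `process_metadata` hunk, the added `if (NULL == gvals) return;` is the fix itself, since `strdup` must not be handed a NULL pointer; the `@e proc` comment change is unrelated documentation churn carried over from upstream.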
--
2.20.1
* [bug#33933] [PATCH 3/4] gnu: libmicrohttpd: Update to 0.9.62.
From: Alex Vong @ 2018-12-30 23:19 UTC (permalink / raw)
To: 33933; +Cc: alexvong1995
[-- Attachment #1.1: 0003-gnu-libmicrohttpd-Update-to-0.9.62.patch --]
From c5b57304b0ec12d44ffb749befd00fb0e4d92c0f Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:54:04 +0800
Subject: [PATCH 3/4] gnu: libmicrohttpd: Update to 0.9.62.
* gnu/packages/gnunet.scm (libmicrohttpd): Update to 0.9.62.
---
gnu/packages/gnunet.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index d9e903734..79584fcf0 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -148,14 +148,14 @@ tool to extract metadata from a file and print the results.")
(define-public libmicrohttpd
(package
(name "libmicrohttpd")
- (version "0.9.59")
+ (version "0.9.62")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/libmicrohttpd/libmicrohttpd-"
version ".tar.gz"))
(sha256
(base32
- "0g4jgnv43yddr9yxrqg11632rip0lg5c53gmy5wy3c0i1dywv74v"))))
+ "0jfvi1fb4im3a3m8qishbmzx3zch993c0mhvl2k92l1zf1yhjgmx"))))
(build-system gnu-build-system)
(inputs
`(("curl" ,curl)
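Review bot: nothing in this hunk or its commit message ties the `0.9.59` to `0.9.62` bump to the libextractor CVEs, and the new `sha256` value cannot be verified from the diff. Since the series is tagged security, the commit message could say whether 0.9.62 carries security fixes and that the tarball signature was checked, so this update can be reviewed and applied independently of 1/4 and 2/4.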
--
2.20.1
* [bug#33933] [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
From: Alex Vong @ 2018-12-30 23:19 UTC (permalink / raw)
To: 33933; +Cc: alexvong1995
[-- Attachment #1.1: 0004-gnu-guile-gnunet-Update-to-0.0-1.d12167a.patch --]
From 8009339b00ce374fadea36e964d0fcbcb85ed044 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 07:00:39 +0800
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
* gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
[version]: Use git-version.
[source]: Use git-file-name.
---
gnu/packages/gnunet.scm | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 79584fcf0..b00c8848a 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
(home-page "https://gnunet.org/")))
(define-public guile-gnunet ;GSoC 2015!
- (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
+ (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
+ (revision "1"))
(package
(name "guile-gnunet")
- (version (string-append "0.0." (string-take commit 7)))
+ (version (git-version "0.0" revision commit))
(source (origin
(method git-fetch)
(uri (git-reference
(url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
(commit commit)))
- (file-name (string-append name "-" version "-checkout"))
+ (git-file-name name version)
(sha256
(base32
- "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
+ "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
(build-system gnu-build-system)
(native-inputs `(("pkg-config" ,pkg-config)
("autoconf" ,autoconf-wrapper)
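Review bot: the added line `(git-file-name name version)` in the `origin` form has lost its field name; the line it replaces was a `file-name` field, so it should read `(file-name (git-file-name name version))`. As written, `origin` receives a bare expression where a field clause is expected.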
--
2.20.1
* [bug#33933] [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
From: Alex Vong @ 2018-12-30 23:27 UTC (permalink / raw)
To: 33933; +Cc: alexvong1995
Sorry, the last patch is incorrect. The correct one is here:
[-- Attachment #1.2: 0004-gnu-guile-gnunet-Update-to-0.0-1.d12167a.patch --]
From 9c2b78d121e4711f3c42ccc7bbc291beaf45571c Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 07:00:39 +0800
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
* gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
[version]: Use git-version.
[source]: Use git-file-name.
---
gnu/packages/gnunet.scm | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 79584fcf0..62bb3026d 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
(home-page "https://gnunet.org/")))
(define-public guile-gnunet ;GSoC 2015!
- (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
+ (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
+ (revision "1"))
(package
(name "guile-gnunet")
- (version (string-append "0.0." (string-take commit 7)))
+ (version (git-version "0.0" revision commit))
(source (origin
(method git-fetch)
(uri (git-reference
(url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
(commit commit)))
- (file-name (string-append name "-" version "-checkout"))
+ (file-name (git-file-name name version))
(sha256
(base32
- "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
+ "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
(build-system gnu-build-system)
(native-inputs `(("pkg-config" ,pkg-config)
("autoconf" ,autoconf-wrapper)
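Review bot: the commit message does not mention the upgrade consequence of moving the `version` field from `(string-append "0.0." (string-take commit 7))` to `(git-version "0.0" revision commit)`, which the cover letter says breaks `guix package --upgrade`; a sentence in the log would let someone reading the history find the reason. The `file-name` field is well-formed here, unlike in the earlier posting of this patch. The new commit and `sha256` pair cannot be cross-checked from the diff, so noting that the hash was computed from a fresh checkout of `d12167ab3c8d7d6caffd9c606e389ef043760602` would help.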
--
2.20.1
Alex Vong <alexvong1995@gmail.com> writes:
> From 8009339b00ce374fadea36e964d0fcbcb85ed044 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Mon, 31 Dec 2018 07:00:39 +0800
> Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
>
> * gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
> [version]: Use git-version.
> [source]: Use git-file-name.
> ---
> gnu/packages/gnunet.scm | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
> index 79584fcf0..b00c8848a 100644
> --- a/gnu/packages/gnunet.scm
> +++ b/gnu/packages/gnunet.scm
> @@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
> (home-page "https://gnunet.org/")))
>
> (define-public guile-gnunet ;GSoC 2015!
> - (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
> + (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
> + (revision "1"))
> (package
> (name "guile-gnunet")
> - (version (string-append "0.0." (string-take commit 7)))
> + (version (git-version "0.0" revision commit))
> (source (origin
> (method git-fetch)
> (uri (git-reference
> (url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
> (commit commit)))
> - (file-name (string-append name "-" version "-checkout"))
> + (git-file-name name version)
> (sha256
> (base32
> - "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
> + "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
> (build-system gnu-build-system)
> (native-inputs `(("pkg-config" ,pkg-config)
> ("autoconf" ,autoconf-wrapper)
* Re: [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.
From: Alex Vong @ 2019-01-03 13:12 UTC (permalink / raw)
To: guix-devel; +Cc: 33933
Hello Guix,
I sent the "gnu: libextractor: Fix CVE-2018-{20430,20431}." patch to
https://debbugs.gnu.org/33933 three days ago. libextractor is needed to
build gnunet, so these fixes are important for gnunet users [I am not
(yet) a user though]. Only the first two patches are directly related,
the rest updates various gnunet-related packages.
Btw, for security fixes, how long should I wait before I ping here?
Thanks,
Alex
* [bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.
From: Leo Famulari @ 2019-01-03 18:20 UTC (permalink / raw)
To: Alex Vong; +Cc: 33933
On Mon, Dec 31, 2018 at 07:15:42AM +0800, Alex Vong wrote:
> Tags: security
>
> Hello,
>
> This patch series mainly fixes the latest CVEs found in libextractor,
> but it also upgrades other gnunet related packages to their latest
> version.
>
> Please also note that the versioning scheme for guile-gnunet is changed
> to use that of 'git-version'. Unfortunately, this would break
> "guix package --upgrade". But I think this change needs to be made at
> some point anyway, so we may as well do it now.
Thanks, please push :)
* Re: [bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.
From: Leo Famulari @ 2019-01-03 19:29 UTC (permalink / raw)
To: Alex Vong; +Cc: guix-devel, 33933
On Thu, Jan 03, 2019 at 09:12:35PM +0800, Alex Vong wrote:
> Btw, for security fixes, how long should I wait before I ping here?
If you are confident in the fix, it's fine to go ahead and commit if
there is no review. Otherwise, a day or two is probably fine. If the
vulnerability is particularly severe, you could send a reminder to
<guix-security@gnu.org>, or email the maintainers directly.
* bug#33933: [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.
From: Alex Vong @ 2019-01-03 23:42 UTC (permalink / raw)
To: 33933-done; +Cc: alexvong1995
Leo Famulari <leo@famulari.name> writes:
> On Mon, Dec 31, 2018 at 07:15:42AM +0800, Alex Vong wrote:
>> Tags: security
>>
>> Hello,
>>
>> This patch series mainly fixes the latest CVEs found in libextractor,
>> but it also upgrades other gnunet related packages to their latest
>> version.
>>
>> Please also note that the versioning scheme for guile-gnunet is changed
>> to use that of 'git-version'. Unfortunately, this would break
>> "guix package --upgrade". But I think this change needs to be made at
>> some point anyway, so we may as well do it now.
>
> Thanks, please push :)
Pushed as 1983a9b0a50ff759f2d192d7fa0f7ad0fb1e1384 -
5651e74cc6c1d1b8a2ef1d40e6f14e1123a7de97!