From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id sP9GDkuJSGA1SgAA0tVLHw (envelope-from ) for ; Wed, 10 Mar 2021 08:54:35 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id 6C8QCkuJSGCTGwAAB5/wlQ (envelope-from ) for ; Wed, 10 Mar 2021 08:54:35 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id B4B9416734 for ; Wed, 10 Mar 2021 09:54:34 +0100 (CET) Received: from localhost ([::1]:33488 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lJubx-0005x3-Op for larch@yhetil.org; Wed, 10 Mar 2021 03:54:33 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:42662) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lJuXk-0001Fg-9O for guix-devel@gnu.org; Wed, 10 Mar 2021 03:50:13 -0500 Received: from mail.zaclys.net ([178.33.93.72]:38403) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lJuXc-0000Bc-PW for guix-devel@gnu.org; Wed, 10 Mar 2021 03:50:11 -0500 Received: from guix-xps.local (82-64-145-38.subs.proxad.net [82.64.145.38]) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12A8o1rR028517 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Wed, 10 Mar 2021 09:50:02 +0100 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12A8o1rR028517 Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@zaclys.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1615366202; bh=4pnx1rtGHa174hoUjWMqMJ52tSCd7+9d4m6pMQnw1qo=; h=Subject:From:To:Date:From; b=TFOezu6S8is7xxGYWYdIZQE8rA71Uo5XZGv9PyocFcS5wbS6NN+5KrD+D0Gzw06cW 72y32YVJPpXfeEOTbYLuJRc3S874Yy5SFfNrxlJFdWeVTWleVXxBwSCa7fvHTy6HZj smNkD0+OstTSbTXnbgycBP+zPT81ZZuD7RNOeJwA= Message-ID: <789b3d6f163e1fd4033e77eaa5a864c010e645dd.camel@zaclys.net> Subject: bsdiff package vulnerable to CVE-2020-14315 From: =?ISO-8859-1?Q?L=E9o?= Le Bouter To: guix-devel@gnu.org Date: Wed, 10 Mar 2021 09:49:57 +0100 Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-JqBM1eAqy8lfGRYpN7C2" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net; helo=mail.zaclys.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1615366475; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=4pnx1rtGHa174hoUjWMqMJ52tSCd7+9d4m6pMQnw1qo=; b=QRerdkNhos3Nmi+Lyg85Qr8DtORw7NLehi15GFXPrd0sCVYVz5IMbSCsReiO6zuDeACoWr 9ew/qsmVRYDWTMTps8+mHwKUR3OHYGPha89wJSwSNGoYuZk7AnBjw45fPCNbECajhiUSws 12nkb3T4g4vptKOJlrjAgNOatRc8jOjYIWKHFnhHROz8lQ6c8xHkMP76/zaXuyRp4ZAsb2 gqxl05oQemw0gja+zbhs+s9LML9wtEM6B0ZnAb0ULuWaKbHMDFu2Sj8RI7dgjE/O9YRgr/ kfeu5mkm2TnxvFgBKn3N5uaQt9cRk9bExioqypB51KIZ3KNOVHWrtaaUKyO2mw== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1615366475; a=rsa-sha256; cv=none; b=oKRC7UbR8ajZGfPCoJgmf7NSEdEXT4eq7R71DGcMUV/tNj8Q7vUfcQIfS40r3lWxaOas1P J3Bzqb7PhPiq9efZMakxR+JXb28bWmbDg23f70fVJnwVz9e53LRxXzhznWsI4QyXFnsfK7 8p4OQAGM44iIxf08qsgMOvxnbTEdJ1zL3pAqeLQO8rqvjWSgDLNCRrq1mdLaieME3EgY18 snGqvkZUetggxo2gfYaT6U494ezVlEimyj25JtOVGp6K7XaudA3Ne4wq6QvOYf1UiL+44q QdLI8XTkrh6xfsvqCqNXmtdzsnexVpZ1U6f6Ao+a4o7srV9/h08KZhGUvWYSJw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=zaclys.net header.s=default header.b=TFOezu6S; dmarc=pass (policy=reject) header.from=zaclys.net; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -5.19 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=zaclys.net header.s=default header.b=TFOezu6S; dmarc=pass (policy=reject) header.from=zaclys.net; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: B4B9416734 X-Spam-Score: -5.19 X-Migadu-Scanner: scn1.migadu.com X-TUID: p2Bwa1UCGrhD --=-JqBM1eAqy8lfGRYpN7C2 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable CVE-2020-14315 A memory corruption vulnerability is present in bspatch as shipped in Colin Percival=E2=80=99s bsdiff tools version 4.3. Insufficient checks when handling external inputs allows an attacker to bypass the sanity checks in place and write out of a dynamically allocated buffer boundaries. A patch exists from FreeBSD:=20 https://www.freebsd.org/security/patches/SA-16:29/bspatch.patch - but it needs non-trivial porting since FreeBSD seems to have diverged in important ways from the source tree we use. Debian, Fedora, Gentoo, Arch Linux, Void Linux, none have fixed this CVE yet due to missing readily usable patch. There may be a patch in Android or ChromiumOS source trees but if it is present it is burried and not easy to find, also their tree probably has diverged in non-trivial ways too. L=C3=A9o --=-JqBM1eAqy8lfGRYpN7C2 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBIiDUACgkQRaix6GvN EKaVGg//eub3QanS90kh8C6iYs7RMYflPPKf0HEFtkgXI0ANTJcz6y1Poy63bpU0 me3J7A/xJegbVUCzg/Al6kvRPEbcE8cXj0yaHs8FKiGhfcEoN/o8UvhGmETQzvow CmTXhmSeCiY04rtxhSZN62sYomGVG38wqQqKKSLgjf1ccKqJw/62r77D1r+fTqdL t4R9Mv0zlEuqxW39CiMR6zyF0lTwKXet5joqe8yHj8KaMtWzvvb7zCLOI1T6EmsY Mc0L86A+ZHHNeroRWex73QyvnHHj8mVeEdyZ4axvK6SkugZcafkGAAJR5/CIuFa5 TbAHMrIqgmUlKcFSczqGByhtG5sn1Rn/n4KGXVAu+qvpDMzZAwMgpJIVgV/VpowW WZta7c4/aMzEb/OiVSuegEglHrK9LxuUSNbwPLYVff7oXGo7ZpC6wpkx+P3TQDFw Gp6Y81ONsV3TYwFeCOwXW4hjhqHYJG6PVzjv8dcpmI5GkY4kcx4TPaOXjXNjjyfw O6IBsB+oOgbSkRIt50xT723IrzDowWt3SL7YL+Ihzs/Fc46wnJczdKDTZPWn1mmx Bd658JcV2hZgsY4//+9i4AGvgJ4qq7dGlzZedHu3xxjIeHts1vkIlizSFaQvy7iL mc3VVud+3yQao/2H1PxgQIY+Zyt6l7BXsuNTNDVbf/93YptzEn8= =CqCe -----END PGP SIGNATURE----- --=-JqBM1eAqy8lfGRYpN7C2--