* [bug#33933] [PATCH 1/4] gnu: libextractor: Update to 1.8.
2018-12-30 23:15 [bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431} Alex Vong
@ 2018-12-30 23:18 ` Alex Vong
2018-12-30 23:18 ` [bug#33933] [PATCH 2/4] gnu: libextractor: Fix CVE-2018-{20430, 20431} Alex Vong
` (4 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: Alex Vong @ 2018-12-30 23:18 UTC (permalink / raw)
To: 33933; +Cc: alexvong1995
[-- Attachment #1.1: 0001-gnu-libextractor-Update-to-1.8.patch --]
[-- Type: text/x-diff, Size: 1528 bytes --]
From 8cb16fb98e444bdbed44f73038aa74d2a4a306f1 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:48:50 +0800
Subject: [PATCH 1/4] gnu: libextractor: Update to 1.8.
* gnu/packages/gnunet.scm (libextractor): Update to 1.8.
---
gnu/packages/gnunet.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index d1dc8fd58..4a6952076 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -7,6 +7,7 @@
;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is>
;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -67,14 +68,14 @@
(define-public libextractor
(package
(name "libextractor")
- (version "1.7")
+ (version "1.8")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/libextractor/libextractor-"
version ".tar.gz"))
(sha256
(base32
- "13wf6vj7mkv6gw8h183cnk7m24ir0gyf198pyb2148ng4klgv9p0"))))
+ "1z1cb35griqzvshqdv5ck98dy0sgpsswn7fgiy7lbzi34sma8dg2"))))
(build-system gnu-build-system)
;; WARNING: Checks require /dev/shm to be in the build chroot, especially
;; not to be a symbolic link to /run/shm.
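Review bot: The replacement base32 hash on the `+` line under `(sha256` is the only integrity check on the 1.8 tarball fetched through `mirror://gnu`, and neither the commit message nor the hunk says how it was obtained. Please confirm it was computed from a tarball whose upstream signature was verified, and say so in the cover letter, so the hash is not just whatever a mirror served at download time.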
--
2.20.1
* [bug#33933] [PATCH 2/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.
From: Alex Vong @ 2018-12-30 23:18 UTC (permalink / raw)
To: 33933; +Cc: alexvong1995
[-- Attachment #1.1: 0002-gnu-libextractor-Fix-CVE-2018-20430-20431.patch --]
[-- Type: text/x-diff, Size: 6100 bytes --]
From a155ee678aefe73eb8e209e7a6d4ace8afabcf92 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:50:48 +0800
Subject: [PATCH 2/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.
* gnu/packages/patches/libextractor-CVE-2018-20430.patch,
gnu/packages/patches/libextractor-CVE-2018-20431.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gnunet.scm (libextractor)[source]: Use them.
---
gnu/local.mk | 2 +
gnu/packages/gnunet.scm | 2 +
| 60 +++++++++++++++++++
| 53 ++++++++++++++++
4 files changed, 117 insertions(+)
create mode 100644 gnu/packages/patches/libextractor-CVE-2018-20430.patch
create mode 100644 gnu/packages/patches/libextractor-CVE-2018-20431.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 0bb020335..75634b741 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -888,6 +888,8 @@ dist_patch_DATA = \
%D%/packages/patches/libevent-2.1-skip-failing-test.patch \
%D%/packages/patches/libexif-CVE-2016-6328.patch \
%D%/packages/patches/libexif-CVE-2017-7544.patch \
+ %D%/packages/patches/libextractor-CVE-2018-20430.patch \
+ %D%/packages/patches/libextractor-CVE-2018-20431.patch \
%D%/packages/patches/libgcrypt-make-yat2m-reproducible.patch \
%D%/packages/patches/libgit2-mtime-0.patch \
%D%/packages/patches/libgit2-oom-test.patch \
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 4a6952076..d9e903734 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -73,6 +73,8 @@
(method url-fetch)
(uri (string-append "mirror://gnu/libextractor/libextractor-"
version ".tar.gz"))
+ (patches (search-patches "libextractor-CVE-2018-20430.patch"
+ "libextractor-CVE-2018-20431.patch"))
(sha256
(base32
"1z1cb35griqzvshqdv5ck98dy0sgpsswn7fgiy7lbzi34sma8dg2"))))
--git a/gnu/packages/patches/libextractor-CVE-2018-20430.patch b/gnu/packages/patches/libextractor-CVE-2018-20430.patch
new file mode 100644
index 000000000..570cd7c00
--- /dev/null
+++ b/gnu/packages/patches/libextractor-CVE-2018-20430.patch
@@ -0,0 +1,60 @@
+Fix CVE-2018-20430:
+
+https://gnunet.org/bugs/view.php?id=5493
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20430
+https://security-tracker.debian.org/tracker/CVE-2018-20430
+
+Patch copied from upstream source repository:
+
+https://gnunet.org/git/libextractor.git/commit/?id=b405d707b36e0654900cba78e89f49779efea110
+
+From b405d707b36e0654900cba78e89f49779efea110 Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christian@grothoff.org>
+Date: Thu, 20 Dec 2018 22:47:53 +0100
+Subject: [PATCH] fix #5493 (out of bounds read)
+
+---
+ src/common/convert.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/common/convert.c b/src/common/convert.c
+index c0edf21..2be2108 100644
+--- a/src/common/convert.c
++++ b/src/common/convert.c
+@@ -36,8 +36,8 @@
+ * string is returned.
+ */
+ char *
+-EXTRACTOR_common_convert_to_utf8 (const char *input,
+- size_t len,
++EXTRACTOR_common_convert_to_utf8 (const char *input,
++ size_t len,
+ const char *charset)
+ {
+ #if HAVE_ICONV
+@@ -52,7 +52,7 @@ EXTRACTOR_common_convert_to_utf8 (const char *input,
+ i = input;
+ cd = iconv_open ("UTF-8", charset);
+ if (cd == (iconv_t) - 1)
+- return strdup (i);
++ return strndup (i, len);
+ if (len > 1024 * 1024)
+ {
+ iconv_close (cd);
+@@ -67,11 +67,11 @@ EXTRACTOR_common_convert_to_utf8 (const char *input,
+ }
+ itmp = tmp;
+ finSize = tmpSize;
+- if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == SIZE_MAX)
++ if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == ((size_t) -1))
+ {
+ iconv_close (cd);
+ free (tmp);
+- return strdup (i);
++ return strndup (i, len);
+ }
+ ret = malloc (tmpSize - finSize + 1);
+ if (ret == NULL)
+--
+2.20.1
+
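Review bot: In the second fallback of the embedded upstream patch (`return strndup (i, len);` inside the `iconv (...) == ((size_t) -1)` branch), `len` is no longer the input length, because the call just above passes `&len` to `iconv`, which updates it to the number of bytes left unconverted. The copy stays within bounds, since the remaining count can only be less than or equal to the original, so the out-of-bounds read is closed, but the fallback now returns only the first `len`-remaining bytes of `i` rather than the whole input. Saving the original length in a separate variable before the `iconv` call and using that in this `strndup` would keep the old fallback behaviour; since this is a verbatim upstream commit, that is probably best raised upstream rather than changed here. The first fallback (`iconv_open` failure) uses `len` before it is modified and looks correct.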
--git a/gnu/packages/patches/libextractor-CVE-2018-20431.patch b/gnu/packages/patches/libextractor-CVE-2018-20431.patch
new file mode 100644
index 000000000..855c5ba64
--- /dev/null
+++ b/gnu/packages/patches/libextractor-CVE-2018-20431.patch
@@ -0,0 +1,53 @@
+Fix CVE-2018-20431:
+
+https://gnunet.org/bugs/view.php?id=5494
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20431
+https://security-tracker.debian.org/tracker/CVE-2018-20431
+
+Patch copied from upstream source repository:
+
+https://gnunet.org/git/libextractor.git/commit/?id=489c4a540bb2c4744471441425b8932b97a153e7
+
+To apply the patch to libextractor 1.8 release tarball,
+hunk #1 which patches ChangeLog is removed.
+
+From 489c4a540bb2c4744471441425b8932b97a153e7 Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christian@grothoff.org>
+Date: Thu, 20 Dec 2018 23:02:28 +0100
+Subject: [PATCH] fix #5494
+
+---
+ ChangeLog | 3 ++-
+ src/plugins/ole2_extractor.c | 9 +++++++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/ole2_extractor.c b/src/plugins/ole2_extractor.c
+index 53fa1b9..a48b726 100644
+--- a/src/plugins/ole2_extractor.c
++++ b/src/plugins/ole2_extractor.c
+@@ -173,7 +173,7 @@ struct ProcContext
+ EXTRACTOR_MetaDataProcessor proc;
+
+ /**
+- * Closure for 'proc'.
++ * Closure for @e proc.
+ */
+ void *proc_cls;
+
+@@ -213,7 +213,12 @@ process_metadata (gpointer key,
+
+ if (G_VALUE_TYPE(gval) == G_TYPE_STRING)
+ {
+- contents = strdup (g_value_get_string (gval));
++ const char *gvals;
++
++ gvals = g_value_get_string (gval);
++ if (NULL == gvals)
++ return;
++ contents = strdup (gvals);
+ }
+ else
+ {
+--
+2.20.1
+
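Review bot: The first hunk of the embedded upstream patch (`Closure for 'proc'.` to `Closure for @e proc.`) changes only a comment and is not part of the CVE-2018-20431 fix. The header already explains that the ChangeLog hunk was dropped, so either drop this one for the same reason or state that everything except ChangeLog is kept verbatim from upstream. The embedded diffstat still reads `ChangeLog | 3 ++-` and `2 files changed`, which no longer matches the body. The functional hunk, which returns early when `g_value_get_string (gval)` is NULL instead of passing it to `strdup`, looks right.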
--
2.20.1
* [bug#33933] [PATCH 3/4] gnu: libmicrohttpd: Update to 0.9.62.
From: Alex Vong @ 2018-12-30 23:19 UTC (permalink / raw)
To: 33933; +Cc: alexvong1995
[-- Attachment #1.1: 0003-gnu-libmicrohttpd-Update-to-0.9.62.patch --]
[-- Type: text/x-diff, Size: 1204 bytes --]
From c5b57304b0ec12d44ffb749befd00fb0e4d92c0f Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:54:04 +0800
Subject: [PATCH 3/4] gnu: libmicrohttpd: Update to 0.9.62.
* gnu/packages/gnunet.scm (libmicrohttpd): Update to 0.9.62.
---
gnu/packages/gnunet.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index d9e903734..79584fcf0 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -148,14 +148,14 @@ tool to extract metadata from a file and print the results.")
(define-public libmicrohttpd
(package
(name "libmicrohttpd")
- (version "0.9.59")
+ (version "0.9.62")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/libmicrohttpd/libmicrohttpd-"
version ".tar.gz"))
(sha256
(base32
- "0g4jgnv43yddr9yxrqg11632rip0lg5c53gmy5wy3c0i1dywv74v"))))
+ "0jfvi1fb4im3a3m8qishbmzx3zch993c0mhvl2k92l1zf1yhjgmx"))))
(build-system gnu-build-system)
(inputs
`(("curl" ,curl)
--
2.20.1
* [bug#33933] [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
From: Alex Vong @ 2018-12-30 23:19 UTC (permalink / raw)
To: 33933; +Cc: alexvong1995
[-- Attachment #1.1: 0004-gnu-guile-gnunet-Update-to-0.0-1.d12167a.patch --]
[-- Type: text/x-diff, Size: 1838 bytes --]
From 8009339b00ce374fadea36e964d0fcbcb85ed044 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 07:00:39 +0800
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
* gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
[version]: Use git-version.
[source]: Use git-file-name.
---
gnu/packages/gnunet.scm | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 79584fcf0..b00c8848a 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
(home-page "https://gnunet.org/")))
(define-public guile-gnunet ;GSoC 2015!
- (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
+ (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
+ (revision "1"))
(package
(name "guile-gnunet")
- (version (string-append "0.0." (string-take commit 7)))
+ (version (git-version "0.0" revision commit))
(source (origin
(method git-fetch)
(uri (git-reference
(url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
(commit commit)))
- (file-name (string-append name "-" version "-checkout"))
+ (git-file-name name version)
(sha256
(base32
- "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
+ "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
(build-system gnu-build-system)
(native-inputs `(("pkg-config" ,pkg-config)
("autoconf" ,autoconf-wrapper)
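Review bot: The `+ (git-file-name name version)` line replaces the whole `(file-name ...)` form, so the `origin` record is left with a bare expression where a field is expected and no `file-name` field at all. It should read `(file-name (git-file-name name version))`, matching the commit log entry "[source]: Use git-file-name."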
--
2.20.1
* [bug#33933] [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
From: Alex Vong @ 2018-12-30 23:27 UTC (permalink / raw)
To: 33933; +Cc: alexvong1995
[-- Attachment #1.1: Type: text/plain, Size: 62 bytes --]
Sorry, the last patch is incorrect. The correct one is here:
[-- Attachment #1.2: 0004-gnu-guile-gnunet-Update-to-0.0-1.d12167a.patch --]
[-- Type: text/x-diff, Size: 1850 bytes --]
From 9c2b78d121e4711f3c42ccc7bbc291beaf45571c Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 07:00:39 +0800
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
* gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
[version]: Use git-version.
[source]: Use git-file-name.
---
gnu/packages/gnunet.scm | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 79584fcf0..62bb3026d 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
(home-page "https://gnunet.org/")))
(define-public guile-gnunet ;GSoC 2015!
- (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
+ (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
+ (revision "1"))
(package
(name "guile-gnunet")
- (version (string-append "0.0." (string-take commit 7)))
+ (version (git-version "0.0" revision commit))
(source (origin
(method git-fetch)
(uri (git-reference
(url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
(commit commit)))
- (file-name (string-append name "-" version "-checkout"))
+ (file-name (git-file-name name version))
(sha256
(base32
- "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
+ "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
(build-system gnu-build-system)
(native-inputs `(("pkg-config" ,pkg-config)
("autoconf" ,autoconf-wrapper)
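Review bot: The commit log does not record the consequence of the scheme change on the `(version` line, where `(string-append "0.0." (string-take commit 7))` becomes `(git-version "0.0" revision commit)`. The old form yields `0.0.383eac2` and the new one `0.0-1.d12167a` (per the subject line), and the old scheme's hash-derived component does not order by commit age, so a profile holding the old package may not see this as an upgrade. Please add a sentence to the commit message noting that, so the reason is findable from the history and not only from the cover letter. The `file-name` field is now correctly wrapped as `(file-name (git-file-name name version))`.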
--
2.20.1
[-- Attachment #1.3: Type: text/plain, Size: 1951 bytes --]
Alex Vong <alexvong1995@gmail.com> writes:
> From 8009339b00ce374fadea36e964d0fcbcb85ed044 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Mon, 31 Dec 2018 07:00:39 +0800
> Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
>
> * gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
> [version]: Use git-version.
> [source]: Use git-file-name.
> ---
> gnu/packages/gnunet.scm | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
> index 79584fcf0..b00c8848a 100644
> --- a/gnu/packages/gnunet.scm
> +++ b/gnu/packages/gnunet.scm
> @@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
> (home-page "https://gnunet.org/")))
>
> (define-public guile-gnunet ;GSoC 2015!
> - (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
> + (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
> + (revision "1"))
> (package
> (name "guile-gnunet")
> - (version (string-append "0.0." (string-take commit 7)))
> + (version (git-version "0.0" revision commit))
> (source (origin
> (method git-fetch)
> (uri (git-reference
> (url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
> (commit commit)))
> - (file-name (string-append name "-" version "-checkout"))
> + (git-file-name name version)
> (sha256
> (base32
> - "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
> + "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
> (build-system gnu-build-system)
> (native-inputs `(("pkg-config" ,pkg-config)
> ("autoconf" ,autoconf-wrapper)
* Re: [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.
From: Alex Vong @ 2019-01-03 13:12 UTC (permalink / raw)
To: guix-devel; +Cc: 33933
[-- Attachment #1: Type: text/plain, Size: 428 bytes --]
Hello Guix,
I sent the "gnu: libextractor: Fix CVE-2018-{20430,20431}." patch to
https://debbugs.gnu.org/33933 three days ago. libextractor is needed to
build gnunet, so these fixes are important for gnunet users [I am not
(yet) a user though]. Only the first two patches are directly related,
the rest updates various gnunet-related packages.
Btw, for security fixes, how long should I wait before I ping here?
Thanks,
Alex
* Re: [bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.
From: Leo Famulari @ 2019-01-03 19:29 UTC (permalink / raw)
To: Alex Vong; +Cc: guix-devel, 33933
[-- Attachment #1: Type: text/plain, Size: 395 bytes --]
On Thu, Jan 03, 2019 at 09:12:35PM +0800, Alex Vong wrote:
> Btw, for security fixes, how long should I wait before I ping here?
If you are confident in the fix, it's fine to go ahead and commit if
there is no review. Otherwise, a day or two is probably fine. If the
vulnerability is particularly severe, you could send a reminder to
<guix-security@gnu.org>, or email the maintainers directly.
* [bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.
From: Leo Famulari @ 2019-01-03 18:20 UTC (permalink / raw)
To: Alex Vong; +Cc: 33933
[-- Attachment #1: Type: text/plain, Size: 545 bytes --]
On Mon, Dec 31, 2018 at 07:15:42AM +0800, Alex Vong wrote:
> Tags: security
>
> Hello,
>
> This patch series mainly fixes the latest CVEs found in libextractor,
> but it also upgrades other gnunet related packages to their latest
> version.
>
> Please also note that the versioning scheme for guile-gnunet is changed
> to use that of 'git-version'. Unfortunately, this would break
> "guix package --upgrade". But I think this change needs to be made at
> some point anyway, so we may as well do it now.
Thanks, please push :)
* bug#33933: [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.
From: Alex Vong @ 2019-01-03 23:42 UTC (permalink / raw)
To: 33933-done; +Cc: alexvong1995
[-- Attachment #1: Type: text/plain, Size: 705 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Mon, Dec 31, 2018 at 07:15:42AM +0800, Alex Vong wrote:
>> Tags: security
>>
>> Hello,
>>
>> This patch series mainly fixes the latest CVEs found in libextractor,
>> but it also upgrades other gnunet related packages to their latest
>> version.
>>
>> Please also note that the versioning scheme for guile-gnunet is changed
>> to use that of 'git-version'. Unfortunately, this would break
>> "guix package --upgrade". But I think this change needs to be made at
>> some point anyway, so we may as well do it now.
>
> Thanks, please push :)
Pushed as 1983a9b0a50ff759f2d192d7fa0f7ad0fb1e1384 -
5651e74cc6c1d1b8a2ef1d40e6f14e1123a7de97!