Subject: bug#47614: [security] Chunked store references in .zo files in Racket 8
From: Mark H Weaver
To: Ludovic Courtès, Philip McGrath
Cc: 47614-done@debbugs.gnu.org
Date: Sat, 17 Apr 2021 05:25:47 -0400
Message-ID: <87h7k58dop.fsf@netris.org>

Ludovic Courtès writes:

> IIUC, now that has been closed,
> this bug is fixed.  Am I right?

Yes, I believe so.  All store items referenced by Racket now seem to be
properly grafted, so I'm closing this bug now.

The more general issue with the grafting code--namely that since commit
57bdd79e48, it no longer has the desirable property of checking every
byte against an expected value before rewriting it, which can lead to
silent corruption of files such as Racket .zo files if any store item
references sneak in--can be addressed in another bug report.

     Thanks,
       Mark
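
Added illustration (not part of the message above and not Guix's grafting code): a simplified Python model of the property the message describes, comparing a rewriter that matches only a leading key with one that checks every byte of the expected reference before rewriting. The store names, the chunked layout, the function names and the choice to raise on a mismatch are all assumptions made for this example.

```python
# Simplified model of reference rewriting; NOT Guix's grafting implementation.
# All names and byte layouts below are constructed for illustration.

class GraftMismatch(Exception):
    """A candidate's bytes differ from the expected old reference."""

def find_candidates(data: bytes, old: bytes, key_len: int):
    """Yield every offset where the first key_len bytes of `old` occur."""
    key = old[:key_len]
    pos = data.find(key)
    while pos != -1:
        yield pos
        pos = data.find(key, pos + 1)

def rewrite_unchecked(data: bytes, old: bytes, new: bytes, key_len: int) -> bytes:
    """Overwrite the whole reference span wherever only the key matches."""
    out = bytearray(data)
    for pos in find_candidates(data, old, key_len):
        end = min(pos + len(new), len(out))   # never grow the file
        out[pos:end] = new[:end - pos]        # bytes past the key are never compared
    return bytes(out)

def rewrite_checked(data: bytes, old: bytes, new: bytes, key_len: int) -> bytes:
    """Rewrite only after every byte of the span equals the expected value."""
    if len(old) != len(new):
        raise ValueError("replacement must preserve length")
    out = bytearray(data)
    for pos in find_candidates(data, old, key_len):
        found = data[pos:pos + len(old)]
        bad = [i for i, (a, b) in enumerate(zip(found, old)) if a != b]
        if bad or len(found) != len(old):
            where = bad[0] if bad else len(found)
            raise GraftMismatch(f"offset {pos}: byte {where} is not the expected value")
        out[pos:pos + len(new)] = new
    return bytes(out)

# Constructed sample data: 32-character placeholder hashes, same-length names.
OLD = b"a" * 32 + b"-racket-8.0"
NEW = b"b" * 32 + b"-racket-8.0"
PLAIN = b"header " + OLD + b" trailer"
# Constructed "chunked" layout: a length byte sits between hash and name.
CHUNKED = b"\x20" + b"a" * 32 + b"\x0b" + b"-racket-8.0" + b"\x00END"

if __name__ == "__main__":
    print(rewrite_checked(PLAIN, OLD, NEW, 32))
    print(rewrite_unchecked(CHUNKED, OLD, NEW, 32))   # length byte silently lost
    try:
        rewrite_checked(CHUNKED, OLD, NEW, 32)
    except GraftMismatch as err:
        print("refused:", err)
```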