Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]

[Kei Kebreau <kei@openmailbox.org>]

[-- Attachment #1.1: Type: text/plain, Size: 2593 bytes --]

Kei Kebreau <kei@openmailbox.org> writes:

> Kei Kebreau <kei@openmailbox.org> writes:
>
>> Leo Famulari <leo@famulari.name> writes:
>>
>>> On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote:
>>>> Leo Famulari <leo@famulari.name> writes:
>>>> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
>>>> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
>>>> >> 
>>>> >> *
>>>> >> gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch:
>>>> >> New file.
>>>> >> * gnu/local.mk (dist_patch_DATA): Use it.
>>>> >> * gnu/packages/scheme.scm (chicken)[source]: Use it.
>>>> >
>>>> > Thank you for looking into this!
>>>> >
>>>> > Something like this patch is in CHICKEN 4.11.1:
>>>> >
>>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
>>>> >
>>>> > And there is a patch for the IrRegex bug after the latest tag:
>>>> >
>>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
>>>> >
>>>> > Can you try updating CHICKEN and applying that IrRegex patch?
>>>> 
>>>> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
>>>> binary due to its build system requirements. Do we have any objection to
>>>> bootstrapping CHICKEN 4.11.1 from version 4.11.0?
>>>
>>> Interesting!
>>>
>>> I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1.
>>>
>>> Changing the build system like that seems unusual for a minor point
>>> release, and I don't see it documented in the 4.11.1 NEWS file:
>>>
>>> https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3
>>>
>>
>> I must have phrased that too vaguely. It's just a "building from release
>> tarball vs from git checkout" thing, documented in the README file of
>> both releases. I've been having trouble with the seemingly identical
>> test suite using the attached WIP patch. Perhaps the dreary wheather is
>> clouding my thoughts.
>>
>
> Update! I found a file "types.db" that is unwritable. However, changing
> access permissions in the (hackish) way I've done in the patch makes the
> build's hash time-dependent.
>
>>> One way or another, we should fix these bugs in our package. Thanks for
>>> taking care of it :)
>>
>> You're welcome!
>
> Merry Grav-Mass, BTW. :)

Here's the CVE patch on top of the chicken 4.11.1 one. I can't get this
git-based build to be reproducible, though.

[-- Attachment #1.2: 0001-gnu-chicken-Fix-CVE-2016-6830-6831.patch --]
[-- Type: text/plain, Size: 6827 bytes --]

From cb31f773829fe655d966db469aced7c1ad5bd2ed Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Wed, 28 Dec 2016 20:03:20 -0500
Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.

* gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
* gnu/local.mk (dist_patch_DATA): Use it.
* gnu/packages/scheme.scm (chicken)[source]: Use it.
---
 gnu/local.mk                                       |   1 +
 .../chicken-CVE-2016-6830+CVE-2016-6831.patch      | 116 +++++++++++++++++++++
 gnu/packages/scheme.scm                            |   4 +-
 3 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 106adb235..f21f6c0b9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -497,6 +497,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/calibre-drop-unrar.patch			\
   %D%/packages/patches/calibre-no-updates-dialog.patch		\
   %D%/packages/patches/cdparanoia-fpic.patch			\
+  %D%/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch	\
   %D%/packages/patches/chmlib-inttypes.patch			\
   %D%/packages/patches/clang-libc-search-path.patch		\
   %D%/packages/patches/clang-3.8-libc-search-path.patch		\
diff --git a/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
new file mode 100644
index 000000000..4865740d5
--- /dev/null
+++ b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
@@ -0,0 +1,116 @@
+From 2c419f18138c17767754b36d3b706cd71a55350a Mon Sep 17 00:00:00 2001
+From: Peter Bex <peter@more-magic.net>
+Date: Wed, 14 Dec 2016 20:25:25 +0100
+Subject: [PATCH] Update irregex to upstream 0.9.6
+
+This fixes a resource consumption vulnerability due to exponential
+memory use based on the depth of nested "+" patterns.
+
+Signed-off-by: Mario Domenech Goulart <mario@parenteses.org>
+---
+ NEWS                |  4 ++++
+ irregex-core.scm    | 32 ++++++++++++++++++--------------
+ irregex-utils.scm   |  2 +-
+ manual/Unit irregex |  2 +-
+ 4 files changed, 24 insertions(+), 16 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 052cf13..cbadd61 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,9 @@
+ 4.11.2
+ 
++- Security fixes
++  - Irregex has been updated to 0.9.6, which fixes an exponential
++    explosion in compilation of nested "+" patterns.
++
+ - Compiler:
+   - Fixed incorrect argvector restoration after GC in directly
+     recursive functions (#1317).
+diff --git a/irregex-core.scm b/irregex-core.scm
+index 2d6058c..01e027b 100644
+--- a/irregex-core.scm
++++ b/irregex-core.scm
+@@ -30,6 +30,8 @@
+ 
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;;;; History
++;; 0.9.6: 2016/12/05 - fixed exponential memory use of + in compilation
++;;                     of backtracking matcher.
+ ;; 0.9.5: 2016/09/10 - fixed a bug in irregex-fold handling of bow
+ ;; 0.9.4: 2015/12/14 - performance improvement for {n,m} matches
+ ;; 0.9.3: 2014/07/01 - R7RS library
+@@ -3170,16 +3172,7 @@
+               ((sre-empty? (sre-sequence (cdr sre)))
+                (error "invalid sre: empty *" sre))
+               (else
+-               (letrec
+-                   ((body
+-                     (lp (sre-sequence (cdr sre))
+-                         n
+-                         flags
+-                         (lambda (cnk init src str i end matches fail)
+-                           (body cnk init src str i end matches
+-                                 (lambda ()
+-                                   (next cnk init src str i end matches fail)
+-                                   ))))))
++               (let ((body (rec (list '+ (sre-sequence (cdr sre))))))
+                  (lambda (cnk init src str i end matches fail)
+                    (body cnk init src str i end matches
+                          (lambda ()
+@@ -3204,10 +3197,21 @@
+                          (lambda ()
+                            (body cnk init src str i end matches fail))))))))
+             ((+)
+-             (lp (sre-sequence (cdr sre))
+-                 n
+-                 flags
+-                 (rec (list '* (sre-sequence (cdr sre))))))
++             (cond
++              ((sre-empty? (sre-sequence (cdr sre)))
++               (error "invalid sre: empty +" sre))
++              (else
++               (letrec
++                   ((body
++                     (lp (sre-sequence (cdr sre))
++                         n
++                         flags
++                         (lambda (cnk init src str i end matches fail)
++                           (body cnk init src str i end matches
++                                 (lambda ()
++                                   (next cnk init src str i end matches fail)
++                                   ))))))
++                 body))))
+             ((=)
+              (rec `(** ,(cadr sre) ,(cadr sre) ,@(cddr sre))))
+             ((>=)
+diff --git a/irregex-utils.scm b/irregex-utils.scm
+index 8332791..a2195a9 100644
+--- a/irregex-utils.scm
++++ b/irregex-utils.scm
+@@ -89,7 +89,7 @@
+         (case (car x)
+           ((: seq)
+            (cond
+-            ((and (pair? (cddr x)) (pair? (cddr x)) (not (eq? x obj)))
++            ((and (pair? (cdr x)) (pair? (cddr x)) (not (eq? x obj)))
+              (display "(?:" out) (for-each lp (cdr x)) (display ")" out))
+             (else (for-each lp (cdr x)))))
+           ((submatch)
+diff --git a/manual/Unit irregex b/manual/Unit irregex
+index 7805273..7d59f89 100644
+--- a/manual/Unit irregex	
++++ b/manual/Unit irregex	
+@@ -825,7 +825,7 @@ doesn't help when irregex is able to build a DFA.
+ 
+ <procedure>(sre->string <sre>)</procedure>
+ 
+-Convert an SRE to a POSIX-style regular expression string, if
++Convert an SRE to a PCRE-style regular expression string, if
+ possible.
+ 
+ 
+-- 
+2.1.4
+
diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index 0ad449ae2..87c9fc413 100644
--- a/gnu/packages/scheme.scm
+++ b/gnu/packages/scheme.scm
@@ -386,7 +386,9 @@ language standard, and includes many enhancements and extensions.")
                     (commit version)))
               (sha256
                (base32
-                "1a0jxi5k2n2dx7zn9blynd9lg45v2w4jnh24d67lqazasricgs1k"))))
+                "1a0jxi5k2n2dx7zn9blynd9lg45v2w4jnh24d67lqazasricgs1k"))
+              (patches
+               (search-patches "chicken-CVE-2016-6830+CVE-2016-6831.patch"))))
     (arguments
      `(;; No `configure' script; run "make check" after "make install" as
        ;; prescribed by README.
-- 
2.11.0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]