From: Kei Kebreau
Subject: Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]
Date: Wed, 28 Dec 2016 21:07:14 -0500
Message-ID: <87vau3trn1.fsf@openmailbox.org>
References: <20161216193319.GA12690@jasmine> <20161216193659.GA26067@jasmine> <87lgv7zs6y.fsf@openmailbox.org> <20161224063251.GA30959@jasmine> <87pokhxha8.fsf@openmailbox.org> <20161224210440.GA7145@jasmine> <87lgv4ydi8.fsf@openmailbox.org> <87fulcy3ed.fsf@openmailbox.org>
In-Reply-To: <87fulcy3ed.fsf@openmailbox.org> (Kei Kebreau's message of "Sun, 25 Dec 2016 00:38:18 -0500")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Leo Famulari
Cc: guix-devel@gnu.org

Kei Kebreau writes:

> Kei Kebreau writes:
>
>> Leo Famulari writes:
>>
>>> On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote:
>>>> Leo Famulari writes:
>>>> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
>>>> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
>>>> >>
>>>> >> *
>>>> >> gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch:
>>>> >> New file.
>>>> >> * gnu/local.mk (dist_patch_DATA): Use it.
>>>> >> * gnu/packages/scheme.scm (chicken)[source]: Use it.
>>>> >
>>>> > Thank you for looking into this!
>>>> >
>>>> > Something like this patch is in CHICKEN 4.11.1:
>>>> >
>>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
>>>> >
>>>> > And there is a patch for the IrRegex bug after the latest tag:
>>>> >
>>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
>>>> >
>>>> > Can you try updating CHICKEN and applying that IrRegex patch?
>>>>
>>>> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
>>>> binary due to its build system requirements. Do we have any objection to
>>>> bootstrapping CHICKEN 4.11.1 from version 4.11.0?
>>>
>>> Interesting!
>>>
>>> I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1.
>>>
>>> Changing the build system like that seems unusual for a minor point
>>> release, and I don't see it documented in the 4.11.1 NEWS file:
>>>
>>> https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3
>>>
>>
>> I must have phrased that too vaguely. It's just a "building from release
>> tarball vs from git checkout" thing, documented in the README file of
>> both releases. I've been having trouble with the seemingly identical
>> test suite using the attached WIP patch. Perhaps the dreary weather is
>> clouding my thoughts.
>>
>
> Update! I found a file "types.db" that is unwritable. However, changing
> access permissions in the (hackish) way I've done in the patch makes the
> build's hash time-dependent.
>
>>> One way or another, we should fix these bugs in our package. Thanks for
>>> taking care of it :)
>>
>> You're welcome!
>
> Merry Grav-Mass, BTW. :)

Here's the CVE patch on top of the chicken 4.11.1 one. I can't get this
git-based build to be reproducible, though.

Attachment: 0001-gnu-chicken-Fix-CVE-2016-6830-6831.patch

From cb31f773829fe655d966db469aced7c1ad5bd2ed Mon Sep 17 00:00:00 2001
From: Kei Kebreau
Date: Wed, 28 Dec 2016 20:03:20 -0500
Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.

* gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
* gnu/local.mk (dist_patch_DATA): Use it.
* gnu/packages/scheme.scm (chicken)[source]: Use it.
---
 gnu/local.mk                                          |   1 +
 .../chicken-CVE-2016-6830+CVE-2016-6831.patch         | 116 +++++++++++++++++++++
 gnu/packages/scheme.scm                               |   4 +-
 3 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 106adb235..f21f6c0b9 100644 =2D-- a/gnu/local.mk
+++ b/gnu/local.mk @@ -497,6 +497,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/calibre-drop-unrar.patch \ %D%/packages/patches/calibre-no-updates-dialog.patch \ %D%/packages/patches/cdparanoia-fpic.patch \ + %D%/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch \ %D%/packages/patches/chmlib-inttypes.patch \ %D%/packages/patches/clang-libc-search-path.patch \ %D%/packages/patches/clang-3.8-libc-search-path.patch \ diff --git a/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch= b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch new file mode 100644 index 000000000..4865740d5 =2D-- /dev/null +++ b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch 
@@ -0,0 +1,116 @@ +From 2c419f18138c17767754b36d3b706cd71a55350a Mon Sep 17 00:00:00 2001 +From: Peter Bex +Date: Wed, 14 Dec 2016 20:25:25 +0100 +Subject: [PATCH] Update irregex to upstream 0.9.6 + +This fixes a resource consumption vulnerability due to exponential +memory use based on the depth of nested "+" patterns. + +Signed-off-by: Mario Domenech Goulart +--- + NEWS | 4 ++++ + irregex-core.scm | 32 ++++++++++++++++++-------------- + irregex-utils.scm | 2 +- + manual/Unit irregex | 2 +- + 4 files changed, 24 insertions(+), 16 deletions(-) + +diff --git a/NEWS b/NEWS +index 052cf13..cbadd61 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,5 +1,9 @@ + 4.11.2 +=20 ++- Security fixes ++ - Irregex has been updated to 0.9.6, which fixes an exponential ++ explosion in compilation of nested "+" patterns. ++ + - Compiler: + - Fixed incorrect argvector restoration after GC in directly + recursive functions (#1317). +diff --git a/irregex-core.scm b/irregex-core.scm +index 2d6058c..01e027b 100644 +--- a/irregex-core.scm ++++ b/irregex-core.scm +@@ -30,6 +30,8 @@ +=20 + ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + ;;;; History ++;; 0.9.6: 2016/12/05 - fixed exponential memory use of + in compilation ++;; of backtracking matcher. + ;; 0.9.5: 2016/09/10 - fixed a bug in irregex-fold handling of bow + ;; 0.9.4: 2015/12/14 - performance improvement for {n,m} matches + ;; 0.9.3: 2014/07/01 - R7RS library +@@ -3170,16 +3172,7 @@ + ((sre-empty? 
(sre-sequence (cdr sre))) + (error "invalid sre: empty *" sre)) + (else +- (letrec +- ((body +- (lp (sre-sequence (cdr sre)) +- n +- flags +- (lambda (cnk init src str i end matches fail) +- (body cnk init src str i end matches +- (lambda () +- (next cnk init src str i end matches f= ail) +- )))))) ++ (let ((body (rec (list '+ (sre-sequence (cdr sre)))))) + (lambda (cnk init src str i end matches fail) + (body cnk init src str i end matches + (lambda () +@@ -3204,10 +3197,21 @@ + (lambda () + (body cnk init src str i end matches fail)))))= ))) + ((+) +- (lp (sre-sequence (cdr sre)) +- n +- flags +- (rec (list '* (sre-sequence (cdr sre)))))) ++ (cond ++ ((sre-empty? (sre-sequence (cdr sre))) ++ (error "invalid sre: empty +" sre)) ++ (else ++ (letrec ++ ((body ++ (lp (sre-sequence (cdr sre)) ++ n ++ flags ++ (lambda (cnk init src str i end matches fail) ++ (body cnk init src str i end matches ++ (lambda () ++ (next cnk init src str i end matches f= ail) ++ )))))) ++ body)))) + ((=3D) + (rec `(** ,(cadr sre) ,(cadr sre) ,@(cddr sre)))) + ((>=3D) +diff --git a/irregex-utils.scm b/irregex-utils.scm +index 8332791..a2195a9 100644 +--- a/irregex-utils.scm ++++ b/irregex-utils.scm +@@ -89,7 +89,7 @@ + (case (car x) + ((: seq) + (cond +- ((and (pair? (cddr x)) (pair? (cddr x)) (not (eq? x obj))) ++ ((and (pair? (cdr x)) (pair? (cddr x)) (not (eq? x obj))) + (display "(?:" out) (for-each lp (cdr x)) (display ")" out)) + (else (for-each lp (cdr x))))) + ((submatch) +diff --git a/manual/Unit irregex b/manual/Unit irregex +index 7805273..7d59f89 100644 +--- a/manual/Unit irregex=09 ++++ b/manual/Unit irregex=09 +@@ -825,7 +825,7 @@ doesn't help when irregex is able to build a DFA. +=20 + (sre->string ) +=20 +-Convert an SRE to a POSIX-style regular expression string, if ++Convert an SRE to a PCRE-style regular expression string, if + possible. +=20 +=20 +--=20 +2.1.4 + 
diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm index 0ad449ae2..87c9fc413 100644 =2D-- a/gnu/packages/scheme.scm +++ b/gnu/packages/scheme.scm @@ -386,7 +386,9 @@ language standard, and includes many enhancements and e= xtensions.") (commit version))) (sha256 (base32 =2D "1a0jxi5k2n2dx7zn9blynd9lg45v2w4jnh24d67lqazasricgs1k"))= )) + "1a0jxi5k2n2dx7zn9blynd9lg45v2w4jnh24d67lqazasricgs1k")) + (patches + (search-patches "chicken-CVE-2016-6830+CVE-2016-6831.patch"= )))) (arguments `(;; No `configure' script; run "make check" after "make install" as ;; prescribed by README. =2D-=20 2.11.0
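Review bot: The new file `chicken-CVE-2016-6830+CVE-2016-6831.patch` contains upstream commit 2c419f18, the irregex 0.9.6 update, which the thread above describes as the separate IrRegex fix after the 4.11.1 tag, while the change for the CVE pair (commit 0d20426c) was said to already be in CHICKEN 4.11.1; confirm which CVE numbers the irregex blow-up actually carries and name the file and the commit subject after what the patch fixes. Two parts of the embedded patch are unrelated to the fix and add apply-time risk: the NEWS hunk expects a `4.11.2` context line that a 4.11.1 checkout may not have, and the `manual/Unit irregex` hunk only changes "POSIX-style" to "PCRE-style" in documentation; dropping both leaves the irregex-core.scm and irregex-utils.scm changes that matter. The core change is sound: the old `(+)` case compiled its body via `lp` and passed `(rec (list '* ...))` as the continuation, which compiled the same body a second time inside the `*` letrec, so each nesting level of `+` doubled the size of the compiled matcher; the new code builds the `letrec` loop directly in `(+)` (with its own "empty +" check) and turns `(*)` into a `(+)` with a fall-through to `next`, so every body is compiled once.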
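Review bot: Leaving the `sha256` unchanged in this hunk is correct, because patches listed with `search-patches` are applied after the origin is fetched and do not enter the origin hash, but the origin still checks out `(commit version)` from git, so the non-reproducible build mentioned in the message above is not addressed here; given the README's tarball-versus-git-checkout distinction discussed earlier in the thread, fetching the 4.11.1 release tarball may sidestep both the reproducibility problem and the need for a prebuilt CHICKEN, and the `arguments` comment ("No `configure' script; run "make check" after "make install"") should then be re-checked against the tarball build.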