From de5bc83cd3245d76c8769e14cd1d6fb5256de28b Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Mon, 17 Feb 2020 04:50:12 +0100 Subject: gnu: upx: Don't use NAME in source URI. * gnu/packages/compression.scm (upx)[source]: Hard-code NAME. --- gnu/packages/compression.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gnu/packages/compression.scm') diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 98af41760f..a65e320a9b 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -1907,7 +1907,7 @@ (define-public upx (source (origin (method url-fetch) (uri (string-append "https://github.com/upx/upx/releases/download/v" - version "/" name "-" version "-src.tar.xz")) + version "/upx-" version "-src.tar.xz")) (sha256 (base32 "08anybdliqsbsl6x835iwzljahnm9i7v26icdjkcv33xmk6p5vw1")) -- cgit v1.2.3 From f5255ed3d3689c793b87939d30df7e2e3443b004 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Mon, 17 Feb 2020 04:55:47 +0100 Subject: gnu: upx: Update to 3.96. * gnu/packages/compression.scm (upx): Update to 3.96. [source]: Remove patch. [arguments]: Remove CHECK_WHITESPACE work-around. [properties]: Remove obsolete hidden CVE. * gnu/packages/patches/upx-fix-CVE-2017-15056.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/compression.scm | 15 +--- gnu/packages/patches/upx-fix-CVE-2017-15056.patch | 96 ----------------------- 3 files changed, 3 insertions(+), 109 deletions(-) delete mode 100644 gnu/packages/patches/upx-fix-CVE-2017-15056.patch (limited to 'gnu/packages/compression.scm') diff --git a/gnu/local.mk b/gnu/local.mk index 1f7cad9d32..f2289518e5 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1465,7 +1465,6 @@ dist_patch_DATA = \ %D%/packages/patches/ustr-fix-build-with-gcc-5.patch \ %D%/packages/patches/util-linux-tests.patch \ %D%/packages/patches/upower-builddir.patch \ - %D%/packages/patches/upx-fix-CVE-2017-15056.patch \ %D%/packages/patches/valgrind-enable-arm.patch \ %D%/packages/patches/vboot-utils-fix-format-load-address.patch \ %D%/packages/patches/vboot-utils-fix-tests-show-contents.patch \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index a65e320a9b..3f4b99bfcf 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -1903,15 +1903,14 @@ (define-public ucl (define-public upx (package (name "upx") - (version "3.94") + (version "3.96") (source (origin (method url-fetch) (uri (string-append "https://github.com/upx/upx/releases/download/v" version "/upx-" version "-src.tar.xz")) (sha256 (base32 - "08anybdliqsbsl6x835iwzljahnm9i7v26icdjkcv33xmk6p5vw1")) - (patches (search-patches "upx-fix-CVE-2017-15056.patch")))) + "051pk5jk8fcfg5mpgzj43z5p4cn7jy5jbyshyn78dwjqr7slsxs7")))) (build-system gnu-build-system) (native-inputs `(("perl" ,perl))) @@ -1920,10 +1919,7 @@ (define-public upx ("zlib" ,zlib))) (arguments `(#:make-flags - (list "all" - ;; CHECK_WHITESPACE does not seem to work. - ;; See https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/upx. - "CHECK_WHITESPACE=true") + (list "all") #:phases (modify-phases %standard-phases (delete 'configure) @@ -1945,11 +1941,6 @@ (define-public upx #t)) ))) (home-page "https://upx.github.io/") - ;; CVE-2017-16869 is about Mach-O files which is not of a big concern for Guix. - ;; See https://github.com/upx/upx/issues/146 and - ;; https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-16869. - ;; The issue will be fixed after version 3.94. - (properties `((lint-hidden-cve . ("CVE-2017-16869")))) (synopsis "Compression tool for executables") (description "The Ultimate Packer for eXecutables (UPX) is an executable file 
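Review bot: The `(patches (search-patches "upx-fix-CVE-2017-15056.patch"))` line in the `upx` source origin is dropped in the same hunk as the bump to 3.96, and nothing visible here shows that the 3.96 tarball carries the equivalent `e_phoff`/`e_shoff` range checks in `src/p_lx_elf.cpp`. The commit log only says "Remove patch"; wording such as `[source]: Remove patch, which is included upstream.` would record why it is safe to drop, once that is confirmed against the new tarball. The later hunk that removes the `lint-hidden-cve` property for CVE-2017-16869 has the same gap: the deleted comment says only that the issue "will be fixed after version 3.94". Running `guix lint -c cve upx` against the updated package is a cheap way to confirm both before merging.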
diff --git a/gnu/packages/patches/upx-fix-CVE-2017-15056.patch b/gnu/packages/patches/upx-fix-CVE-2017-15056.patch
deleted file mode 100644
index 525980e73e..0000000000
--- a/gnu/packages/patches/upx-fix-CVE-2017-15056.patch
+++ /dev/null
@@ -1,96 +0,0 @@ -From 3e0c2966dffb5dadb512a476ef4be3d0cc51c2be Mon Sep 17 00:00:00 2001 -From: Pierre Neidhardt -Date: Sat, 16 Jun 2018 16:35:00 +0200 -Subject: [PATCH] Protect against bad crafted input - -Also check for wrap-around when checking oversize involving e_shoff and e_shnum. - -raised by https://github.com/upx/upx/pull/190 - modified: p_lx_elf.cpp ---- - src/p_lx_elf.cpp | 30 ++++++++++++++++++++++++++++++ - 1 file changed, 30 insertions(+) - -diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp -index 822a7652..41e805ee 100644 ---- a/src/p_lx_elf.cpp -+++ b/src/p_lx_elf.cpp -@@ -235,8 +235,17 @@ PackLinuxElf32::PackLinuxElf32help1(InputFile *f) - sz_phdrs = 0; - return; - } -+ if (0==e_phnum) throwCantUnpack("0==e_phnum"); - e_phoff = get_te32(&ehdri.e_phoff); -+ unsigned const last_Phdr = e_phoff + e_phnum * sizeof(Elf32_Phdr); -+ if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) { -+ throwCantUnpack("bad e_phoff"); -+ } - e_shoff = get_te32(&ehdri.e_shoff); -+ unsigned const last_Shdr = e_shoff + e_shnum * sizeof(Elf32_Shdr); -+ if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) { -+ throwCantUnpack("bad e_shoff"); -+ } - sz_phdrs = e_phnum * e_phentsize; - - if (f && Elf32_Ehdr::ET_DYN!=e_type) { -@@ -599,8 +608,17 @@ PackLinuxElf64::PackLinuxElf64help1(InputFile *f) - sz_phdrs = 0; - return; - } -+ if (0==e_phnum) throwCantUnpack("0==e_phnum"); - e_phoff = get_te64(&ehdri.e_phoff); -+ upx_uint64_t const last_Phdr = e_phoff + e_phnum * sizeof(Elf64_Phdr); -+ if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) { -+ throwCantUnpack("bad e_phoff"); -+ } - e_shoff = get_te64(&ehdri.e_shoff); -+ upx_uint64_t const last_Shdr = e_shoff + e_shnum * sizeof(Elf64_Shdr); -+ if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) { -+ throwCantUnpack("bad e_shoff"); -+ } - sz_phdrs = e_phnum * e_phentsize; - - if (f && Elf64_Ehdr::ET_DYN!=e_type) { -@@ -3763,6 +3781,9 @@ void PackLinuxElf64::pack4(OutputFile *fo, 
Filter &ft) - - void PackLinuxElf64::unpack(OutputFile *fo) - { -+ if (e_phoff != sizeof(Elf64_Ehdr)) {// Phdrs not contiguous with Ehdr -+ throwCantUnpack("bad e_phoff"); -+ } - unsigned const c_phnum = get_te16(&ehdri.e_phnum); - upx_uint64_t old_data_off = 0; - upx_uint64_t old_data_len = 0; -@@ -3828,6 +3849,9 @@ void PackLinuxElf64::unpack(OutputFile *fo) - unsigned total_out = 0; - unsigned c_adler = upx_adler32(NULL, 0); - unsigned u_adler = upx_adler32(NULL, 0); -+ if ((MAX_ELF_HDR - sizeof(Elf64_Ehdr))/sizeof(Elf64_Phdr) < u_phnum) { -+ throwCantUnpack("bad compressed e_phnum"); -+ } - - // Packed ET_EXE has no PT_DYNAMIC. - // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld. -@@ -4383,6 +4407,9 @@ Elf64_Sym const *PackLinuxElf64::elf_lookup(char const *name) const - - void PackLinuxElf32::unpack(OutputFile *fo) - { -+ if (e_phoff != sizeof(Elf32_Ehdr)) {// Phdrs not contiguous with Ehdr -+ throwCantUnpack("bad e_phoff"); -+ } - unsigned const c_phnum = get_te16(&ehdri.e_phnum); - unsigned old_data_off = 0; - unsigned old_data_len = 0; -@@ -4449,6 +4476,9 @@ void PackLinuxElf32::unpack(OutputFile *fo) - unsigned total_out = 0; - unsigned c_adler = upx_adler32(NULL, 0); - unsigned u_adler = upx_adler32(NULL, 0); -+ if ((MAX_ELF_HDR - sizeof(Elf32_Ehdr))/sizeof(Elf32_Phdr) < u_phnum) { -+ throwCantUnpack("bad compressed e_phnum"); -+ } - - // Packed ET_EXE has no PT_DYNAMIC. - // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld. --- -2.17.0 - -- cgit v1.2.3 From 7046106ef90e7855311dbb1f1ae9fed3df5cf875 Mon Sep 17 00:00:00 2001 
From: Tobias Geerinckx-Rice Date: Mon, 17 Feb 2020 04:53:30 +0100 Subject: gnu: upx: Clean up. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/compression.scm (upx)[arguments]: Combine duplicate substitutions. Replace ‘install’ phase. Fix indentation. --- gnu/packages/compression.scm | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) (limited to 'gnu/packages/compression.scm') diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 3f4b99bfcf..0982173b66 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -1922,24 +1922,21 @@ (define-public upx (list "all") #:phases (modify-phases %standard-phases - (delete 'configure) - (delete 'check) - (delete 'install) + (delete 'configure) ; no configure script + (delete 'check) ; no test suite (add-before 'build 'patch-exec-bin-sh (lambda _ - (substitute* (find-files "Makefile") - (("/bin/sh") (which "sh"))) - (substitute* "src/Makefile" + (substitute* (list "Makefile" + "src/Makefile") (("/bin/sh") (which "sh"))) #t)) - (add-after 'build 'install-upx + (replace 'install (lambda* (#:key outputs #:allow-other-keys) (let* ((out (assoc-ref outputs "out")) - (bin (string-append out "/bin"))) + (bin (string-append out "/bin"))) (mkdir-p bin) (copy-file "src/upx.out" (string-append bin "/upx"))) - #t)) - ))) + #t))))) (home-page "https://upx.github.io/") (synopsis "Compression tool for executables") (description -- cgit v1.2.3 From dcc3f2158678734555b0b8522e55673eb06b93ea Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Tue, 25 Feb 2020 17:40:43 +0100 Subject: gnu: libzip: Update to 1.6.1. * gnu/packages/compression.scm (libzip): Update to 1.6.1. [inputs]: Add XZ. --- gnu/packages/compression.scm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'gnu/packages/compression.scm') diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 0982173b66..ee10bd03ce 100644 
--- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -1624,18 +1624,19 @@ (define-public zziplib (define-public libzip (package (name "libzip") - (version "1.5.2") + (version "1.6.1") (source (origin (method url-fetch) (uri (string-append "https://libzip.org/download/libzip-" version ".tar.xz")) (sha256 (base32 - "1d53shcy7nvls5db573bbdlm25lfz1iw2zshng5f00cssi5lvpmk")))) + "0h9nsgkw0dk4srsvmz6xy6f9l4h815xn07j8h40l8gqvcxxaqpbh")))) (native-inputs `(("perl" ,perl))) (inputs `(("gnutls" ,gnutls) + ("liblzma" ,xz) ("openssl" ,openssl) ("zlib" ,zlib))) (build-system cmake-build-system) -- cgit v1.2.3 From 790b66e34fd81cdda246361303072065e6339c97 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Wed, 4 Mar 2020 10:15:06 +0200 Subject: gnu: zziplib: Fix CVE-2018-16548. * gnu/packages/compression.scm (zziplib)[replacement]: New field. (zziplib/fixed): New private variable. * gnu/packages/patches/zziplib-CVE-2018-16548.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 3 +- gnu/packages/compression.scm | 8 ++++ gnu/packages/patches/zziplib-CVE-2018-16548.patch | 49 +++++++++++++++++++++++ 3 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/zziplib-CVE-2018-16548.patch (limited to 'gnu/packages/compression.scm') diff --git a/gnu/local.mk b/gnu/local.mk index 359ed4bbbc..cbb7d2b2f0 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1513,7 +1513,8 @@ dist_patch_DATA = \ %D%/packages/patches/xsane-fix-pdf-floats.patch \ %D%/packages/patches/xsane-fix-snprintf-buffer-length.patch \ %D%/packages/patches/xsane-support-ipv6.patch \ - %D%/packages/patches/xsane-tighten-default-umask.patch + %D%/packages/patches/xsane-tighten-default-umask.patch \ + %D%/packages/patches/zziplib-CVE-2018-16548.patch MISC_DISTRO_FILES = \ %D%/packages/ld-wrapper.in \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index ee10bd03ce..6463b50735 100644 --- a/gnu/packages/compression.scm 
+++ b/gnu/packages/compression.scm @@ -1584,6 +1584,7 @@ (define-public zziplib (package (name "zziplib") (version "0.13.69") + (replacement zziplib/fixed) (home-page "https://github.com/gdraheim/zziplib") (source (origin (method git-fetch) @@ -1621,6 +1622,13 @@ (define-public zziplib ;; files carry the Zlib license; see "docs/copying.html" for details. (license (list license:lgpl2.0+ license:mpl1.1)))) +(define zziplib/fixed + (package + (inherit zziplib) + (source (origin + (inherit (package-source zziplib)) + (patches (search-patches "zziplib-CVE-2018-16548.patch")))))) + (define-public libzip (package (name "libzip") diff --git a/gnu/packages/patches/zziplib-CVE-2018-16548.patch b/gnu/packages/patches/zziplib-CVE-2018-16548.patch new file mode 100644 index 0000000000..a17c6a9768 --- /dev/null +++ b/gnu/packages/patches/zziplib-CVE-2018-16548.patch 
@@ -0,0 +1,49 @@ +The following 3 patches applied to 0.13.69 in this order, combined: +https://github.com/gdraheim/zziplib/commit/9411bde3e4a70a81ff3ffd256b71927b2d90dcbb.patch +https://github.com/gdraheim/zziplib/commit/d2e5d5c53212e54a97ad64b793a4389193fec687.patch +https://github.com/gdraheim/zziplib/commit/0e1dadb05c1473b9df2d7b8f298dab801778ef99.patch + +diff --git a/test/test.zip b/test/test.zip +index 2c992ea..952d475 100644 +Binary files a/test/test.zip and b/test/test.zip differ +diff --git a/zzip/zip.c b/zzip/zip.c +index 14e2e06..f97a40a 100644 +--- a/zzip/zip.c ++++ b/zzip/zip.c +@@ -472,9 +472,15 @@ __zzip_parse_root_directory(int fd, + } else + { + if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0) ++ { ++ free(hdr0); + return ZZIP_DIR_SEEK; ++ } + if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent)) ++ { ++ free(hdr0); + return ZZIP_DIR_READ; ++ } + d = &dirent; + } + +@@ -574,11 +580,18 @@ __zzip_parse_root_directory(int fd, + + if (hdr_return) + *hdr_return = hdr0; ++ else ++ { ++ /* If it is not assigned to *hdr_return, it will never be free()'d */ ++ free(hdr0); ++ } + } /* else zero (sane) entries */ ++ else ++ free(hdr0); + # ifndef ZZIP_ALLOW_MODULO_ENTRIES +- return (entries != zz_entries ? ZZIP_CORRUPTED : 0); ++ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0; + # else +- return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0); ++ return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0; + # endif + } + -- cgit v1.2.3
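Review bot: The header of the new patch file lists three upstream commits but never says what they fix. The visible changes to `__zzip_parse_root_directory` free `hdr0` on the seek and read error returns and when `hdr_return` is null, so a first line such as `Fix CVE-2018-16548: hdr0 leaked on error paths in __zzip_parse_root_directory.` would let a later reader audit the patch without following the links. The `Binary files a/test/test.zip and b/test/test.zip differ` stanza carries no data and can be dropped from the combined patch. On the final `ZZIP_CORRUPTED` return, `*hdr_return` has already been set to `hdr0`, so the buffer is released only if the caller frees it on a non-zero result. The function body and its callers lie outside this hunk, so that ownership rule is worth confirming in the zziplib source.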