[bug#31164] [PATCH] gnu: sharutils: Fix CVE-2018-1000097.

guix-patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#31164] [PATCH] gnu: sharutils: Fix CVE-2018-1000097.

From:	Marius Bakke
Subject:	[bug#31164] [PATCH] gnu: sharutils: Fix CVE-2018-1000097.
Date:	Sun, 15 Apr 2018 17:49:45 +0200

* gnu/packages/patches/sharutils-CVE-2018-1000097.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/compression.scm (sharutils)[source](patches): Add it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/compression.scm                  |  1 +
 .../patches/sharutils-CVE-2018-1000097.patch  | 21 +++++++++++++++++++
 3 files changed, 23 insertions(+)
 create mode 100644 gnu/packages/patches/sharutils-CVE-2018-1000097.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 5c8824004..22080dd8a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1092,6 +1092,7 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/sdl-libx11-1.6.patch                    \
   %D%/packages/patches/seq24-rename-mutex.patch                        \
   %D%/packages/patches/shadow-CVE-2018-7169.patch              \
+  %D%/packages/patches/sharutils-CVE-2018-1000097.patch                \
   %D%/packages/patches/shishi-fix-libgcrypt-detection.patch    \
   %D%/packages/patches/slim-session.patch                      \
   %D%/packages/patches/slim-config.patch                       \
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 185043360..183d70a10 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -533,6 +533,7 @@ decompressors when faced with corrupted input.")
       (method url-fetch)
       (uri (string-append "mirror://gnu/sharutils/sharutils-"
                           version ".tar.xz"))
+      (patches (search-patches "sharutils-CVE-2018-1000097.patch"))
       (sha256
        (base32
         "16isapn8f39lnffc3dp4dan05b7x6mnc76v6q5nn8ysxvvvwy19b"))))
diff --git a/gnu/packages/patches/sharutils-CVE-2018-1000097.patch 
b/gnu/packages/patches/sharutils-CVE-2018-1000097.patch
new file mode 100644
index 000000000..8d5821818
--- /dev/null
+++ b/gnu/packages/patches/sharutils-CVE-2018-1000097.patch
@@ -0,0 +1,21 @@
+Fix CVE-2018-1000097:
+
+https://security-tracker.debian.org/tracker/CVE-2018-1000097
+https://nvd.nist.gov/vuln/detail/CVE-2018-1000097
+
+Patch taken from upstream bug report:
+https://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00005.html
+
+diff --git a/src/unshar.c b/src/unshar.c
+index 80bc3a9..0fc3773 100644
+--- a/src/unshar.c
++++ b/src/unshar.c
+@@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start)
+       off_t position = ftello (file);
+ 
+       /* Read next line, fail if no more and no previous process.  */
+-      if (!fgets (rw_buffer, BUFSIZ, file))
++      if (!fgets (rw_buffer, rw_base_size, file))
+       {
+         if (!start)
+           error (0, 0, _("Found no shell commands in %s"), name);
-- 
2.17.0

[Prev in Thread]

Current Thread

[Next in Thread]

[bug#31164] [PATCH] gnu: sharutils: Fix CVE-2018-1000097., Marius Bakke <=
- [bug#31164] [PATCH] gnu: sharutils: Fix CVE-2018-1000097., Leo Famulari, 2018/04/15

Prev by Date: [bug#31163] [PATCH] gnu: perl: Replace with 5.26.2 [fixes CVE-2018-{6797, 6798, 6913}].
Next by Date: [bug#31165] [PATCH] gnu: xpad: Update to 5.0.0.
Previous by thread: [bug#31163] [PATCH] gnu: perl: Replace with 5.26.2 [fixes CVE-2018-{6797, 6798, 6913}].
Next by thread: [bug#31164] [PATCH] gnu: sharutils: Fix CVE-2018-1000097.
Index(es):
- Date
- Thread