guix-commits
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

04/04: gnu: lrzip: Fix CVE-2017-8842.

From: Tobias Geerinckx-Rice
Subject: 04/04: gnu: lrzip: Fix CVE-2017-8842.
Date: Mon, 12 Mar 2018 13:46:26 -0400 (EDT) 
nckx pushed a commit to branch master
in repository guix.

commit 5400fdfd5d3c2201ee3ea8ec0d55690c221a91d8
Author: Tobias Geerinckx-Rice <address@hidden>
Date:   Mon Mar 12 18:08:04 2018 +0100

    gnu: lrzip: Fix CVE-2017-8842.
    
    * gnu/packages/compression.scm (lrzip)[source]: Add patch.
    * gnu/packages/patches/lrzip-CVE-2017-8842.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                   |  1 +
 gnu/packages/compression.scm                   |  3 ++-
 gnu/packages/patches/lrzip-CVE-2017-8842.patch | 23 +++++++++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 5c95cda..97d5e00 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -885,6 +885,7 @@ dist_patch_DATA =                                           
\
   %D%/packages/patches/llvm-3.5-fix-clang-build-with-gcc5.patch        \
   %D%/packages/patches/llvm-for-extempore.patch                        \
   %D%/packages/patches/lm-sensors-hwmon-attrs.patch            \
+  %D%/packages/patches/lrzip-CVE-2017-8842.patch               \
   %D%/packages/patches/lua-CVE-2014-5461.patch                      \
   %D%/packages/patches/lua-pkgconfig.patch                      \
   %D%/packages/patches/lua51-liblua-so.patch                    \
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index d44ae2d..86efe2a 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -1017,7 +1017,8 @@ human-readable output.")
              "http://ck.kolivas.org/apps/lrzip/lrzip-"; version ".tar.bz2"))
        (sha256
         (base32
-         "0mb449vmmwpkalq732jdyginvql57nxyd31sszb108yps1lf448d"))))
+         "0mb449vmmwpkalq732jdyginvql57nxyd31sszb108yps1lf448d"))
+       (patches (search-patches "lrzip-CVE-2017-8842.patch"))))
     (build-system gnu-build-system)
     (native-inputs
      `(;; nasm is only required when building for 32-bit x86 platforms
diff --git a/gnu/packages/patches/lrzip-CVE-2017-8842.patch 
b/gnu/packages/patches/lrzip-CVE-2017-8842.patch
new file mode 100644
index 0000000..89b4f2f
--- /dev/null
+++ b/gnu/packages/patches/lrzip-CVE-2017-8842.patch
@@ -0,0 +1,23 @@
+From 38386bd482c0a8102a79958cb3eddcb97a167ca3 Mon Sep 17 00:00:00 2001
+From: Con Kolivas <address@hidden>
+Date: Fri, 9 Mar 2018 17:39:40 +1100
+Subject: [PATCH] CVE-2017-8842 Fix divide-by-zero in bufRead::get
+
+---
+ libzpaq/libzpaq.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libzpaq/libzpaq.h b/libzpaq/libzpaq.h
+index 93387da..cbe211d 100644
+--- a/libzpaq/libzpaq.h
++++ b/libzpaq/libzpaq.h
+@@ -465,7 +465,8 @@ struct bufRead: public libzpaq::Reader {
+ 
+       int get() {
+               if (progress && !(*s_len % 128)) {
+-                      int pct = (total_len - *s_len) * 100 / total_len;
++                      int pct = (total_len > 0) ?
++                              (total_len - *s_len) * 100 / total_len : 100;
+ 
+                       if (pct / 10 != *last_pct / 10) {
+                               int i;
reply via email to
[Prev in Thread] Current Thread [Next in Thread]