From cb31f773829fe655d966db469aced7c1ad5bd2ed Mon Sep 17 00:00:00 2001
From: Kei Kebreau
Date: Wed, 28 Dec 2016 20:03:20 -0500
Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.

* gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
* gnu/local.mk (dist_patch_DATA): Use it.
* gnu/packages/scheme.scm (chicken)[source]: Use it.
---
 gnu/local.mk | 1 +
 .../chicken-CVE-2016-6830+CVE-2016-6831.patch | 116 +++++++++++++++++++++
 gnu/packages/scheme.scm | 4 +-
 3 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 106adb235..f21f6c0b9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -497,6 +497,7 @@ dist_patch_DATA = \
 %D%/packages/patches/calibre-drop-unrar.patch \
 %D%/packages/patches/calibre-no-updates-dialog.patch \
 %D%/packages/patches/cdparanoia-fpic.patch \
+ %D%/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch \
 %D%/packages/patches/chmlib-inttypes.patch \
 %D%/packages/patches/clang-libc-search-path.patch \
 %D%/packages/patches/clang-3.8-libc-search-path.patch \
diff --git a/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
new file mode 100644
index 000000000..4865740d5
--- /dev/null
+++ b/gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch
@@ -0,0 +1,116 @@
+From 2c419f18138c17767754b36d3b706cd71a55350a Mon Sep 17 00:00:00 2001
+From: Peter Bex
+Date: Wed, 14 Dec 2016 20:25:25 +0100
+Subject: [PATCH] Update irregex to upstream 0.9.6
+
+This fixes a resource consumption vulnerability due to exponential
+memory use based on the depth of nested "+" patterns.
+
+Signed-off-by: Mario Domenech Goulart
+---
+ NEWS | 4 ++++
+ irregex-core.scm | 32 ++++++++++++++++++--------------
+ irregex-utils.scm | 2 +-
+ manual/Unit irregex | 2 +-
+ 4 files changed, 24 insertions(+), 16 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 052cf13..cbadd61 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,9 @@
+ 4.11.2
+ 
++- Security fixes
++ - Irregex has been updated to 0.9.6, which fixes an exponential
++ explosion in compilation of nested "+" patterns.
++
+ - Compiler:
+ - Fixed incorrect argvector restoration after GC in directly
+ recursive functions (#1317).
+diff --git a/irregex-core.scm b/irregex-core.scm
+index 2d6058c..01e027b 100644
+--- a/irregex-core.scm
++++ b/irregex-core.scm
+@@ -30,6 +30,8 @@
+ 
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;;;; History
++;; 0.9.6: 2016/12/05 - fixed exponential memory use of + in compilation
++;; of backtracking matcher.
+ ;; 0.9.5: 2016/09/10 - fixed a bug in irregex-fold handling of bow
+ ;; 0.9.4: 2015/12/14 - performance improvement for {n,m} matches
+ ;; 0.9.3: 2014/07/01 - R7RS library
+@@ -3170,16 +3172,7 @@
+ ((sre-empty? (sre-sequence (cdr sre)))
+ (error "invalid sre: empty *" sre))
+ (else
+- (letrec
+- ((body
+- (lp (sre-sequence (cdr sre))
+- n
+- flags
+- (lambda (cnk init src str i end matches fail)
+- (body cnk init src str i end matches
+- (lambda ()
+- (next cnk init src str i end matches fail)
+- ))))))
++ (let ((body (rec (list '+ (sre-sequence (cdr sre))))))
+ (lambda (cnk init src str i end matches fail)
+ (body cnk init src str i end matches
+ (lambda ()
+@@ -3204,10 +3197,21 @@
+ (lambda ()
+ (body cnk init src str i end matches fail))))))))
+ ((+)
+- (lp (sre-sequence (cdr sre))
+- n
+- flags
+- (rec (list '* (sre-sequence (cdr sre))))))
++ (cond
++ ((sre-empty? (sre-sequence (cdr sre)))
++ (error "invalid sre: empty +" sre))
++ (else
++ (letrec
++ ((body
++ (lp (sre-sequence (cdr sre))
++ n
++ flags
++ (lambda (cnk init src str i end matches fail)
++ (body cnk init src str i end matches
++ (lambda ()
++ (next cnk init src str i end matches fail)
++ ))))))
++ body))))
+ ((=)
+ (rec `(** ,(cadr sre) ,(cadr sre) ,@(cddr sre))))
+ ((>=)
+diff --git a/irregex-utils.scm b/irregex-utils.scm
+index 8332791..a2195a9 100644
+--- a/irregex-utils.scm
++++ b/irregex-utils.scm
+@@ -89,7 +89,7 @@
+ (case (car x)
+ ((: seq)
+ (cond
+- ((and (pair? (cddr x)) (pair? (cddr x)) (not (eq? x obj)))
++ ((and (pair? (cdr x)) (pair? (cddr x)) (not (eq? x obj)))
+ (display "(?:" out) (for-each lp (cdr x)) (display ")" out))
+ (else (for-each lp (cdr x)))))
+ ((submatch)
+diff --git a/manual/Unit irregex b/manual/Unit irregex
+index 7805273..7d59f89 100644
+--- a/manual/Unit irregex
++++ b/manual/Unit irregex
+@@ -825,7 +825,7 @@ doesn't help when irregex is able to build a DFA.
+ 
+ (sre->string )
+ 
+-Convert an SRE to a POSIX-style regular expression string, if
++Convert an SRE to a PCRE-style regular expression string, if
+ possible.
+ 
+ 
+-- 
+2.1.4
+
diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index 0ad449ae2..87c9fc413 100644
--- a/gnu/packages/scheme.scm
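Review bot: The file name and the commit title attribute this patch to CVE-2016-6830 and CVE-2016-6831, but the embedded upstream commit (the irregex 0.9.6 update) describes one fix, exponential memory use when compiling nested "+" patterns, and neither its message nor the NEWS entry it adds cites any CVE identifier, so the hunk itself does not establish that mapping; if I recall correctly, those two identifiers were assigned to the process-execute/process-spawn bugs fixed in CHICKEN 4.11.1, which this patch does not touch. This matters beyond labelling, because I believe Guix's cve linter treats CVE identifiers in a patch file name as evidence that those CVEs are fixed, so a mislabelled patch would silence warnings for vulnerabilities that may still be present in the packaged version. Before merging, confirm against the upstream advisories which issue(s) this irregex change actually closes; if the two CVEs belong to another component, rename the patch and the title accordingly and apply the real fix for them separately. In either case, a short header at the top of the patch file recording the upstream commit and the advisory it addresses, e.g. `Backport of upstream commit 2c419f18138c17767754b36d3b706cd71a55350a (irregex 0.9.6): fixes exponential memory use when compiling nested "+" patterns.`, would make the security claim auditable.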
+++ b/gnu/packages/scheme.scm
@@ -386,7 +386,9 @@ language standard, and includes many enhancements and extensions.")
 (commit version)))
 (sha256
 (base32
- "1a0jxi5k2n2dx7zn9blynd9lg45v2w4jnh24d67lqazasricgs1k"))))
+ "1a0jxi5k2n2dx7zn9blynd9lg45v2w4jnh24d67lqazasricgs1k"))
+ (patches
+ (search-patches "chicken-CVE-2016-6830+CVE-2016-6831.patch"))))
 (arguments
 `(;; No `configure' script; run "make check" after "make install" as
 ;; prescribed by README.
-- 
2.11.0