From 09748a352729762dacb8e6171752aaa6d03df85d Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Mon, 16 Oct 2017 14:15:08 -0400
Subject: gnu: wpa-supplicant: Fix "KRACK" key reinstallation attacks [security fixes].
Fixes CVE-2017-{13078,13079,13080,13081,13082,13087,13088}.
See these announcements for more information:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
https://www.krackattacks.com/
* gnu/packages/patches/wpa-supplicant-CVE-2017-13082.patch, gnu/packages/patches/wpa-supplicant-fix-key-reuse.patch, gnu/packages/patches/wpa-supplicant-fix-nonce-reuse.patch gnu/packages/patches/wpa-supplicant-fix-zeroed-keys.patch, gnu/packages/patches/wpa-supplicant-krack-followups.patch: New files.
* gnu/packages/admin.scm (wpa-supplicant-minimal)[source]: Use them.
* gnu/local.mk (dist_patch_DATA): Add them.
---
 gnu/local.mk | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 9defe9d583..f648dda141 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1104,6 +1104,11 @@ dist_patch_DATA = \
 %D%/packages/patches/wordnet-CVE-2008-2149.patch \
 %D%/packages/patches/wordnet-CVE-2008-3908-pt1.patch \
 %D%/packages/patches/wordnet-CVE-2008-3908-pt2.patch \
+ %D%/packages/patches/wpa-supplicant-CVE-2017-13082.patch \
+ %D%/packages/patches/wpa-supplicant-fix-key-reuse.patch \
+ %D%/packages/patches/wpa-supplicant-fix-zeroed-keys.patch \
+ %D%/packages/patches/wpa-supplicant-fix-nonce-reuse.patch \
+ %D%/packages/patches/wpa-supplicant-krack-followups.patch \
 %D%/packages/patches/xcb-proto-python3-print.patch \
 %D%/packages/patches/xcb-proto-python3-whitespace.patch \
 %D%/packages/patches/xdotool-fix-makefile.patch \
-- cgit v1.2.3
From d991b0566433b0ff78dd92165430da2f40fe721d Mon Sep 17 00:00:00 2001
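Review bot: The five added dist_patch_DATA entries break the alphabetical order the surrounding list keeps: `wpa-supplicant-fix-zeroed-keys.patch` is listed before `wpa-supplicant-fix-nonce-reuse.patch`, whereas the wordnet and xcb-proto lines around them, and the commit message itself, are sorted. Swapping those two lines, `+ %D%/packages/patches/wpa-supplicant-fix-nonce-reuse.patch \` first and `+ %D%/packages/patches/wpa-supplicant-fix-zeroed-keys.patch \` second, keeps the list sorted. Order has no effect on the build, so this is a style point only.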
From: Ricardo Wurmus
Date: Thu, 3 Mar 2016 18:08:32 +0100
Subject: gnu: Add Axoloti.
* gnu/packages/axoloti.scm: New file.
* gnu/packages/patches/libusb-for-axoloti.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patch. (GNU_SYSTEM_MODULES): Add module.
---
 gnu/local.mk | 2 +
 gnu/packages/axoloti.scm | 352 ++++++++++++++++++++++++++
 gnu/packages/patches/libusb-for-axoloti.patch | 14 +
 3 files changed, 368 insertions(+)
 create mode 100644 gnu/packages/axoloti.scm
 create mode 100644 gnu/packages/patches/libusb-for-axoloti.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index f648dda141..e2f31c27bf 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -66,6 +66,7 @@ GNU_SYSTEM_MODULES = \
 %D%/packages/autotools.scm \
 %D%/packages/avahi.scm \
 %D%/packages/avr.scm \
+ %D%/packages/axoloti.scm \
 %D%/packages/backup.scm \
 %D%/packages/base.scm \
 %D%/packages/bash.scm \
@@ -813,6 +814,7 @@ dist_patch_DATA = \
 %D%/packages/patches/libtool-skip-tests2.patch \
 %D%/packages/patches/libunistring-gnulib-multi-core.patch \
 %D%/packages/patches/libusb-0.1-disable-tests.patch \
+ %D%/packages/patches/libusb-for-axoloti.patch \
 %D%/packages/patches/libvisio-fix-tests.patch \
 %D%/packages/patches/libvpx-CVE-2016-2818.patch \
 %D%/packages/patches/libxcb-python-3.5-compat.patch \
diff --git a/gnu/packages/axoloti.scm b/gnu/packages/axoloti.scm
new file mode 100644
index 0000000000..7a53980c4d
--- /dev/null
+++ b/gnu/packages/axoloti.scm
@@ -0,0 +1,352 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2016, 2017 Ricardo Wurmus +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu packages axoloti) + #:use-module (guix utils) + #:use-module (guix packages) + #:use-module (guix download) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix build-system gnu) + #:use-module (guix build-system ant) + #:use-module (gnu packages) + #:use-module (gnu packages base) + #:use-module (gnu packages compression) + #:use-module (gnu packages cross-base) + #:use-module (gnu packages embedded) + #:use-module (gnu packages flashing-tools) + #:use-module (gnu packages java) + #:use-module (gnu packages libusb) + #:use-module (gnu packages pkg-config) + #:use-module (gnu packages textutils) + #:use-module (gnu packages version-control) + #:use-module (gnu packages xml)) + +(define libusb-for-axoloti + (package (inherit libusb) + (name "axoloti-libusb") + (version (package-version libusb)) + (source + (origin + (inherit (package-source libusb)) + (patches (list (search-patch "libusb-for-axoloti.patch"))))))) + +(define dfu-util-for-axoloti + (package (inherit dfu-util) + (name "axoloti-dfu-util") + (version "0.8") + (source + (origin + (method url-fetch) + (uri (string-append "http://dfu-util.sourceforge.net/releases/" + "dfu-util-" version 
".tar.gz")) + (sha256 + (base32 + "0n7h08avlzin04j93m6hkq9id6hxjiiix7ff9gc2n89aw6dxxjsm")))) + (inputs + `(("libusb" ,libusb-for-axoloti))))) + +(define-public axoloti-runtime + (package + (name "axoloti-runtime") + (version "1.0.12") + (source (origin + (method url-fetch) + (uri (string-append "https://github.com/axoloti/axoloti/" + "archive/" version ".tar.gz")) + (file-name (string-append name "-" version ".tar.gz")) + (sha256 + (base32 + "1dynk6h0nixp4zihpirpqa4vi8fq1lhm443jsmvhk135ykhf364p")) + (modules '((guix build utils))) + (snippet + '(begin + ;; Remove pre-built Java binaries. + (delete-file-recursively "lib/") + #t)))) + (build-system gnu-build-system) + (arguments + `(#:tests? #f ; no check target + #:modules ((guix build gnu-build-system) + (guix build utils) + (srfi srfi-1) + (srfi srfi-26) + (ice-9 match) + (ice-9 regex)) + #:imported-modules ((guix build syscalls) + ,@%gnu-build-system-modules) + #:phases + (modify-phases %standard-phases + (add-after 'unpack 'patch-paths + (lambda* (#:key inputs #:allow-other-keys) + ;; prepare ChibiOS + (and (zero? (system* "unzip" "-o" (assoc-ref inputs "chibios"))) + (zero? (system* "mv" "ChibiOS_2.6.9" "chibios")) + (with-directory-excursion "chibios/ext" + (zero? 
(system* "unzip" "-o" "fatfs-0.9-patched.zip")))) + + ;; Remove source of non-determinism in ChibiOS + (substitute* "chibios/os/various/shell.c" + (("#ifdef __DATE__") "#if 0")) + + ;; Patch shell paths + (substitute* '("src/main/java/qcmds/QCmdCompileFirmware.java" + "src/main/java/qcmds/QCmdCompilePatch.java" + "src/main/java/qcmds/QCmdFlashDFU.java") + (("/bin/sh") (which "sh"))) + + ;; Override cross compiler base name + (substitute* "firmware/Makefile.patch" + (("arm-none-eabi-(gcc|g\\+\\+|objcopy|objdump)" tool) + (which tool))) + + ;; Hardcode full path to compiler tools + (substitute* '("firmware/Makefile" + "firmware/flasher/Makefile" + "firmware/mounter/Makefile") + (("TRGT =.*") + (string-append "TRGT = " + (assoc-ref inputs "cross-toolchain") + "/bin/arm-none-eabi-\n"))) + + ;; Hardcode path to "make" + (substitute* '("firmware/compile_firmware_linux.sh" + "firmware/compile_patch_linux.sh") + (("make") (which "make"))) + + ;; Hardcode path to "dfu-util" + (substitute* "platform_linux/upload_fw_dfu.sh" + (("-f \"\\$\\{platformdir\\}/bin/dfu-util\"") "-z \"\"") + (("\\./dfu-util") (which "dfu-util"))) + #t)) + (delete 'configure) + (replace 'build + ;; Build Axoloti firmware with cross-compiler + (lambda* (#:key inputs #:allow-other-keys) + (let* ((toolchain (assoc-ref inputs "cross-toolchain")) + (headers (string-append + toolchain + "/arm-none-eabi/include:" + toolchain + "/arm-none-eabi/include/arm-none-eabi/armv7e-m"))) + (setenv "CROSS_CPATH" headers) + (setenv "CROSS_CPLUS_INCLUDE_PATH" headers) + (setenv "CROSS_LIBRARY_PATH" + (string-append toolchain + "/arm-none-eabi/lib"))) + (with-directory-excursion "platform_linux" + (zero? 
(system* "sh" "compile_firmware.sh"))))) + (replace 'install + (lambda* (#:key inputs outputs #:allow-other-keys) + (let* ((out (assoc-ref outputs "out")) + (share (string-append out "/share/axoloti/")) + (doc (string-append share "doc")) + (dir (getcwd)) + (pats '("/doc/[^/]+$" + "/patches/[^/]+/[^/]+$" + "/objects/[^/]+/[^/]+$" + "/firmware/.+" + "/chibios/[^/]+$" + "/chibios/boards/ST_STM32F4_DISCOVERY/[^/]+$" + "/chibios/(ext|os|docs)/.+" + "/CMSIS/[^/]+/[^/]+$" + "/patch/[^/]+/[^/]+$" + "/[^/]+\\.txt$")) + (pattern (string-append + "(" (string-join + (map (cut string-append dir <>) + pats) + "|") ")")) + (files (find-files dir + (lambda (file stat) + (and (eq? 'regular (stat:type stat)) + (string-match pattern file)))))) + (for-each (lambda (file) + (install-file file + (string-append + share + (regexp-substitute + #f + (string-match dir (dirname file)) + 'pre 'post)))) + files) + #t)))))) + (inputs + `(("chibios" + ,(origin + (method url-fetch) + (uri "mirror://sourceforge/chibios/ChibiOS_RT%20stable/Version%202.6.9/ChibiOS_2.6.9.zip") + (sha256 + (base32 + "0lb5s8pkj80mqhsy47mmq0lqk34s2a2m3xagzihalvabwd0frhlj")))) + ;; for compiling patches + ("make" ,gnu-make) + ;; for compiling firmware + ("cross-toolchain" ,arm-none-eabi-nano-toolchain-4.9) + ;; for uploading compiled patches and firmware + ("dfu-util" ,dfu-util-for-axoloti))) + (native-inputs + `(("unzip" ,unzip))) + (home-page "http://axoloti.com") + (synopsis "Audio development environment for the Axoloti core board") + (description + "The Axoloti patcher offers a “patcher” environment similar to Pure Data +for sketching digital audio algorithms. The patches run on a standalone +powerful microcontroller board: Axoloti Core. This package provides the +runtime.") + (license license:gpl3+))) + +(define-public axoloti-patcher + (package (inherit axoloti-runtime) + (name "axoloti-patcher") + (version (package-version axoloti-runtime)) + (arguments + `(#:tests? 
#f ; no check target + #:modules ((guix build gnu-build-system) + ((guix build ant-build-system) #:prefix ant:) + (guix build utils) + (srfi srfi-1) + (srfi srfi-26) + (ice-9 match) + (ice-9 regex) + (sxml simple) + (sxml xpath) + (sxml transform)) + #:imported-modules ((guix build ant-build-system) + (guix build syscalls) + ,@%gnu-build-system-modules) + #:phases + (modify-phases %standard-phases + (delete 'configure) + (replace 'build + (lambda* (#:key inputs #:allow-other-keys) + (setenv "JAVA_HOME" (assoc-ref inputs "icedtea")) + ;; We want to use our own jar files instead of the pre-built + ;; stuff in lib. So we replace the zipfileset tags in the + ;; build.xml with new ones that reference our jars. + (let* ((build.xml (with-input-from-file "build.xml" + (lambda _ + (xml->sxml #:trim-whitespace? #t)))) + (jars (append-map (match-lambda + (((? (cut string-prefix? "java-" <>) + label) . directory) + (find-files directory "\\.jar$")) + (_ '())) + inputs)) + (classpath (string-join jars ":")) + (fileset (map (lambda (jar) + `(zipfileset (@ (excludes "META-INF/*.SF") + (src ,jar)))) + jars))) + (call-with-output-file "build.xml" + (lambda (port) + (sxml->xml + (pre-post-order + build.xml + `(;; Remove all zipfileset tags from the "jar" tree and + ;; inject our own tags. + (jar . ,(lambda (tag . kids) + `(jar ,@(append-map + (filter (lambda (e) + (not (eq? 'zipfileset (car e))))) + kids) + ,@fileset))) + ;; Skip the "bundle" target (and the "-post-jar" target + ;; that depends on it), because we don't need it and it + ;; confuses sxml->xml. + (target . ,(lambda (tag . kids) + (let ((name ((sxpath '(name *text*)) + (car kids)))) + (if (or (member "bundle" name) + (member "-post-jar" name)) + '() ; skip + `(,tag ,@kids))))) + (*default* . ,(lambda (tag . kids) `(,tag ,@kids))) + (*text* . ,(lambda (_ txt) + (match txt + ;; Remove timestamp. + ("${TODAY}" "(unknown)") + (_ txt)))))) + port))) + + ;; Build it! + (zero? 
(system* "ant" + (string-append "-Djavac.classpath=" classpath) + "-Dbuild.runtime=true" + "-Dbuild.time=01/01/1970 00:00:00" + "-Djavac.source=1.7" + "-Djavac.target=1.7" + (string-append "-Dtag.short.version=" + ,version)))))) + (replace 'install + (lambda* (#:key inputs outputs #:allow-other-keys) + (let* ((out (assoc-ref outputs "out")) + (share (string-append out "/share/axoloti/"))) + (install-file "dist/Axoloti.jar" share) + + ;; We do this to ensure that this package retains references to + ;; other Java packages' jar files. + (install-file "build.xml" share) + + ;; Create a launcher script + (mkdir (string-append out "/bin")) + (let ((target (string-append out "/bin/Axoloti"))) + (with-output-to-file target + (lambda () + (let* ((dir (string-append (assoc-ref outputs "out") + "/share/axoloti")) + (runtime (string-append (assoc-ref inputs "axoloti-runtime") + "/share/axoloti")) + (toolchain (assoc-ref inputs "cross-toolchain")) + (includes (string-append + toolchain + "/arm-none-eabi/include:" + toolchain + "/arm-none-eabi/include/arm-none-eabi/armv7e-m"))) + (display + (string-append "#!" 
(which "sh") "\n"
+ "export CROSS_CPATH=" includes "\n"
+ "export CROSS_CPLUS_INCLUDE_PATH=" includes "\n"
+ "export CROSS_LIBRARY_PATH="
+ toolchain "/arm-none-eabi/lib" "\n"
+ (which "java")
+ " -Daxoloti_release=" runtime
+ " -Daxoloti_runtime=" runtime
+ " -jar " dir "/Axoloti.jar")))))
+ (chmod target #o555))
+ #t)))
+ (add-after 'install 'strip-jar-timestamps
+ (assoc-ref ant:%standard-phases 'strip-jar-timestamps)))))
+ (inputs
+ `(("icedtea" ,icedtea "jdk")
+ ("cross-toolchain" ,arm-none-eabi-nano-toolchain-4.9)
+ ("java-simple-xml" ,java-simple-xml)
+ ("java-rsyntaxtextarea" ,java-rsyntaxtextarea)
+ ("java-usb4java" ,java-usb4java)
+ ("java-jsch" ,java-jsch)
+ ("java-slf4j-api" ,java-slf4j-api)
+ ("java-jgit" ,java-jgit-4.2)
+ ("axoloti-runtime" ,axoloti-runtime)))
+ (native-inputs
+ `(("ant" ,ant)
+ ("zip" ,zip) ; for repacking the jar
+ ("unzip" ,unzip)))
+ (description
+ "The Axoloti patcher offers a “patcher” environment similar to Pure Data
+for sketching digital audio algorithms. The patches run on a standalone
+powerful microcontroller board: Axoloti Core. This package provides the
+patcher application.")))
diff --git a/gnu/packages/patches/libusb-for-axoloti.patch b/gnu/packages/patches/libusb-for-axoloti.patch
new file mode 100644
index 0000000000..2c07d767d9
--- /dev/null
+++ b/gnu/packages/patches/libusb-for-axoloti.patch
@@ -0,0 +1,14 @@
+diff -rp -u4 libusb-1.0.19-orig/libusb/descriptor.c libusb-1.0.19/libusb/descriptor.c
+--- libusb-1.0.19-orig/libusb/descriptor.c 2015-05-12 00:15:19 +0200
++++ libusb-1.0.19/libusb/descriptor.c 2015-05-12 00:17:09 +0200
+@@ -1181,9 +1181,9 @@ int API_EXPORTED libusb_get_string_descr
+ if (tbuf[1] != LIBUSB_DT_STRING)
+ return LIBUSB_ERROR_IO;
+
+ if (tbuf[0] > r)
+- return LIBUSB_ERROR_IO;
++ tbuf[0] = r;
+
+ for (di = 0, si = 2; si < tbuf[0]; si += 2) {
+ if (di >= (length - 1))
+ break;
-- cgit v1.2.3
From 07dfc89859a3539100a23c8acc0d643f4f7cb99d Mon Sep 17 00:00:00 2001
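Review bot: In the `patch-paths` phase of axoloti-runtime, the `(and (zero? (system* "unzip" …)) (zero? (system* "mv" …)) (with-directory-excursion "chibios/ext" …))` form that prepares ChibiOS is evaluated for effect only: its boolean result is discarded, the phase continues with the `substitute*` calls and always ends in `#t`, so a failed unzip or mv is not reported where it happens. Wrapping it as `(unless (and …) (error "failed to prepare ChibiOS"))` makes the phase fail at that point instead. The `build` phases of both packages do return their `zero?` result in tail position, so they are not affected. Whether the following `substitute*` on `chibios/os/various/shell.c` would catch the missing file indirectly is not visible from this hunk.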
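Review bot: libusb-for-axoloti.patch has no header explaining what it changes or why, while the other new patch files on this page (mupdf-CVE-2017-15587.patch, libvirt-CVE-2017-1000256.patch) open with a description and an upstream reference. The hunk replaces the `tbuf[0] > r` error path, which returned `LIBUSB_ERROR_IO`, with a silent clamp `tbuf[0] = r`; the `for` loop that follows is then bounded by the bytes actually received rather than the advertised bLength, but callers no longer learn that the device returned an inconsistent string descriptor. A header along the lines of `Clamp the bLength of a string descriptor to the bytes actually received instead of failing with LIBUSB_ERROR_IO.` followed by the actual reason (presumably a device this package drives reports such descriptors; that is not stated anywhere on the page and should be) would let a future libusb update decide whether the patch is still needed. The enclosing function, shown truncated as `libusb_get_string_descr` in the hunk header, starts and ends outside the hunk.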
From: Marius Bakke
Date: Wed, 18 Oct 2017 22:15:09 +0200
Subject: gnu: mupdf: Fix CVE-2017-15587.
* gnu/packages/patches/mupdf-CVE-2017-15587.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/pdf.scm (mupdf)[source](patches): Use it.
---
 gnu/local.mk | 1 +
 gnu/packages/patches/mupdf-CVE-2017-15587.patch | 21 +++++++++++++++++++++
 gnu/packages/pdf.scm | 3 ++-
 3 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/mupdf-CVE-2017-15587.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index e2f31c27bf..45adc73f20 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -877,6 +877,7 @@ dist_patch_DATA = \
 %D%/packages/patches/mozjs38-version-detection.patch \
 %D%/packages/patches/mumps-build-parallelism.patch \
 %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \
+ %D%/packages/patches/mupdf-CVE-2017-15587.patch \
 %D%/packages/patches/mupen64plus-ui-console-notice.patch \
 %D%/packages/patches/musl-CVE-2016-8859.patch \
 %D%/packages/patches/mutt-store-references.patch \
diff --git a/gnu/packages/patches/mupdf-CVE-2017-15587.patch b/gnu/packages/patches/mupdf-CVE-2017-15587.patch
new file mode 100644
index 0000000000..5da7737ea1
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-15587.patch
@@ -0,0 +1,21 @@
+Fix CVE-2017-15587.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15587
+https://nandynarwhals.org/CVE-2017-15587/
+
+Copied from upstream:
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 66bd0ed..6292793 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -924,7 +924,7 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, fz
+ pdf_xref_entry *table;
+ int i, n;
+
+- if (i0 < 0 || i1 < 0)
++ if (i0 < 0 || i1 < 0 || (i0+i1) < 0)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+ //if (i0 + i1 > pdf_xref_len(ctx, doc))
+ // fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 98df90e2d4..56f5486791 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -540,7 +540,8 @@ extracting content or merging files.")
 (sha256
 (base32
 "02phamcchgsmvjnb3ir7r5sssvx9fcrscn297z73b82n1jl79510"))
- (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"))
+ (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
+ "mupdf-CVE-2017-15587.patch"))
 (modules '((guix build utils)))
 (snippet
 ;; Delete all the bundled libraries except for mujs, which is
-- cgit v1.2.3
From 9ccce799102433b0ae2b480ac0c4f96794808199 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Thu, 19 Oct 2017 17:33:55 -0400
Subject: gnu: musl: Update to 1.1.17.
* gnu/packages/musl.scm (musl): Update to 1.1.17. [source]: Remove patch.
* gnu/packages/patches/musl-CVE-2016-8859.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
 gnu/local.mk | 1 -
 gnu/packages/musl.scm | 5 +-
 gnu/packages/patches/musl-CVE-2016-8859.patch | 81 ---------------------------
 3 files changed, 2 insertions(+), 85 deletions(-)
 delete mode 100644 gnu/packages/patches/musl-CVE-2016-8859.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 45adc73f20..fd4f1bed97 100644
--- a/gnu/local.mk
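Review bot: The added `(i0+i1) < 0` term in pdf_read_new_xref_section depends on a signed addition overflowing and wrapping to a negative value; if `i0` and `i1` are plain `int`s, as their comparison with 0 suggests, that overflow is undefined behaviour and an optimizing compiler is entitled to treat the term as unreachable after the two preceding sign checks, which would leave the CVE fix without effect. The overflow-free form is `if (i0 < 0 || i1 < 0 || i1 > INT_MAX - i0)`, which needs limits.h. Since Guix carries this patch verbatim from upstream, the rewrite belongs upstream; until then a line in the patch header noting that the check relies on wraparound semantics would warn the next maintainer, for example `Note: the (i0+i1) < 0 test assumes two's-complement wraparound on signed overflow.`. The enclosing function starts and ends outside the hunk.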
+++ b/gnu/local.mk
@@ -879,7 +879,6 @@ dist_patch_DATA = \
 %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \
 %D%/packages/patches/mupdf-CVE-2017-15587.patch \
 %D%/packages/patches/mupen64plus-ui-console-notice.patch \
- %D%/packages/patches/musl-CVE-2016-8859.patch \
 %D%/packages/patches/mutt-store-references.patch \
 %D%/packages/patches/ncurses-CVE-2017-10684-10685.patch \
 %D%/packages/patches/net-tools-bitrot.patch \
diff --git a/gnu/packages/musl.scm b/gnu/packages/musl.scm
index 321290872e..dbb8c4856f 100644
--- a/gnu/packages/musl.scm
+++ b/gnu/packages/musl.scm
@@ -27,15 +27,14 @@
 (define-public musl
 (package
 (name "musl")
- (version "1.1.15")
+ (version "1.1.17")
 (source (origin
 (method url-fetch)
 (uri (string-append "http://www.musl-libc.org/releases/"
 name "-" version ".tar.gz"))
- (patches (search-patches "musl-CVE-2016-8859.patch"))
 (sha256
 (base32
- "1ymhxkskivzph0q34zadwfglc5gyahqajm7chqqn2zraxv3lgr4p"))))
+ "0r0lyp2w6v2bvm8h1si7w3p2qx037szl14qnxm5p00568z3m3an8"))))
 (build-system gnu-build-system)
 (arguments
 `(#:tests? #f ; Musl has no tests
diff --git a/gnu/packages/patches/musl-CVE-2016-8859.patch b/gnu/packages/patches/musl-CVE-2016-8859.patch
deleted file mode 100644
index 7bb5b892dd..0000000000
--- a/gnu/packages/patches/musl-CVE-2016-8859.patch
+++ /dev/null
@@ -1,81 +0,0 @@ -Fix CVE-2016-8859: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8859 - -Patch copied from upstream source repository: - -http://git.musl-libc.org/cgit/musl/commit/?id=c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 - -From c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 Mon Sep 17 00:00:00 2001 -From: Rich Felker -Date: Thu, 6 Oct 2016 18:34:58 -0400 -Subject: [PATCH] fix missing integer overflow checks in regexec buffer size - computations - -most of the possible overflows were already ruled out in practice by -regcomp having already succeeded performing larger allocations. -however at least the num_states*num_tags multiplication can clearly -overflow in practice. for safety, check them all, and use the proper -type, size_t, rather than int. - -also improve comments, use calloc in place of malloc+memset, and -remove bogus casts. ---- - src/regex/regexec.c | 23 ++++++++++++++++++----- - 1 file changed, 18 insertions(+), 5 deletions(-) - -diff --git a/src/regex/regexec.c b/src/regex/regexec.c -index 16c5d0a..dd52319 100644 ---- a/src/regex/regexec.c -+++ b/src/regex/regexec.c -@@ -34,6 +34,7 @@ - #include - #include - #include -+#include - - #include - -@@ -206,11 +207,24 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string, - - /* Allocate memory for temporary data required for matching. This needs to - be done for every matching operation to be thread safe. This allocates -- everything in a single large block from the stack frame using alloca() -- or with malloc() if alloca is unavailable. */ -+ everything in a single large block with calloc(). */ - { -- int tbytes, rbytes, pbytes, xbytes, total_bytes; -+ size_t tbytes, rbytes, pbytes, xbytes, total_bytes; - char *tmp_buf; -+ -+ /* Ensure that tbytes and xbytes*num_states cannot overflow, and that -+ * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. 
*/ -+ if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states)) -+ goto error_exit; -+ -+ /* Likewise check rbytes. */ -+ if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next))) -+ goto error_exit; -+ -+ /* Likewise check pbytes. */ -+ if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos))) -+ goto error_exit; -+ - /* Compute the length of the block we need. */ - tbytes = sizeof(*tmp_tags) * num_tags; - rbytes = sizeof(*reach_next) * (tnfa->num_states + 1); -@@ -221,10 +235,9 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string, - + (rbytes + xbytes * tnfa->num_states) * 2 + tbytes + pbytes; - - /* Allocate the memory. */ -- buf = xmalloc((unsigned)total_bytes); -+ buf = calloc(total_bytes, 1); - if (buf == NULL) - return REG_ESPACE; -- memset(buf, 0, (size_t)total_bytes); - - /* Get the various pointers within tmp_buf (properly aligned). */ - tmp_tags = (void *)buf; --- -2.10.1 - -- cgit v1.2.3 From 7827032a7cf7f68922de99b044969f1f823869fd Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 20 Oct 2017 13:02:54 -0400 Subject: gnu: libvirt: Fix CVE-2017-1000256. * gnu/packages/patches/libvirt-CVE-2017-1000256.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/virtualization.scm (libvirt)[source]: Use it. --- gnu/local.mk | 1 + .../patches/libvirt-CVE-2017-1000256.patch | 84 ++++++++++++++++++++++ gnu/packages/virtualization.scm | 1 + 3 files changed, 86 insertions(+) create mode 100644 gnu/packages/patches/libvirt-CVE-2017-1000256.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index fd4f1bed97..a4e3426f55 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -815,6 +815,7 @@ dist_patch_DATA = \
 %D%/packages/patches/libunistring-gnulib-multi-core.patch \
 %D%/packages/patches/libusb-0.1-disable-tests.patch \
 %D%/packages/patches/libusb-for-axoloti.patch \
+ %D%/packages/patches/libvirt-CVE-2017-1000256.patch \
 %D%/packages/patches/libvisio-fix-tests.patch \
 %D%/packages/patches/libvpx-CVE-2016-2818.patch \
 %D%/packages/patches/libxcb-python-3.5-compat.patch \
diff --git a/gnu/packages/patches/libvirt-CVE-2017-1000256.patch b/gnu/packages/patches/libvirt-CVE-2017-1000256.patch
new file mode 100644
index 0000000000..d577e1eb50
--- /dev/null
+++ b/gnu/packages/patches/libvirt-CVE-2017-1000256.patch
@@ -0,0 +1,84 @@ +Fix CVE-2017-1000256: + +https://security.libvirt.org/2017/0002.html +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000256 + +Patch copied from upstream source repository: + +https://libvirt.org/git/?p=libvirt.git;a=commit;h=dc6c41798d1eb5c52c75365ffa22f7672709dfa7 + +From dc6c41798d1eb5c52c75365ffa22f7672709dfa7 Mon Sep 17 00:00:00 2001 +From: Daniel P. Berrange +Date: Thu, 5 Oct 2017 17:54:28 +0100 +Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate + +The default_tls_x509_verify (and related) parameters in qemu.conf +control whether the QEMU TLS servers request & verify certificates +from clients. This works as a simple access control system for +servers by requiring the CA to issue certs to permitted clients. +This use of client certificates is disabled by default, since it +requires extra work to issue client certificates. + +Unfortunately the code was using this configuration parameter when +setting up both TLS clients and servers in QEMU. The result was that +TLS clients for character devices and disk devices had verification +turned off, meaning they would ignore errors while validating the +server certificate. + +This allows for trivial MITM attacks between client and server, +as any certificate returned by the attacker will be accepted by +the client. + +This is assigned CVE-2017-1000256 / LSN-2017-0002 + +Reviewed-by: Eric Blake +Signed-off-by: Daniel P. 
Berrange +(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157) +--- + src/qemu/qemu_command.c | 2 +- + .../qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +- + ...xml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c +index 9a27987..ae78cd1 100644 +--- a/src/qemu/qemu_command.c ++++ b/src/qemu/qemu_command.c +@@ -718,7 +718,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, + if (virJSONValueObjectCreate(propsret, + "s:dir", path, + "s:endpoint", (isListen ? "server": "client"), +- "b:verify-peer", verifypeer, ++ "b:verify-peer", (isListen ? verifypeer : true), + NULL) < 0) + goto cleanup; + +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args +index 5aff773..ab5f7e2 100644 +--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args ++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args +@@ -26,7 +26,7 @@ server,nowait \ + localport=1111 \ + -device isa-serial,chardev=charserial0,id=serial0 \ + -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ +-endpoint=client,verify-peer=no \ ++endpoint=client,verify-peer=yes \ + -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ + tls-creds=objcharserial1_tls0 \ + -device isa-serial,chardev=charserial1,id=serial1 \ +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args +index 91f1fe0..2567abb 100644 +--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args ++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args +@@ -31,7 +31,7 @@ localport=1111 \ + data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ + 
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
+--
+1.7.1
+
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index c4461c3da2..8fce545dbe 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -322,6 +322,7 @@ manage system or application containers.")
 (method url-fetch)
 (uri (string-append "https://libvirt.org/sources/libvirt-"
 version ".tar.xz"))
+ (patches (search-patches "libvirt-CVE-2017-1000256.patch"))
 (sha256
 (base32
 "1fk75cdzg59y9hnfdpdwv83fsc1yffy3lac4ch19zygfkqhcnysf"))))
-- cgit v1.2.3