GNU bug report logs - #31164
[PATCH] gnu: sharutils: Fix CVE-2018-1000097.


Package: guix-patches;

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Sun, 15 Apr 2018 15:51:01 UTC

Severity: normal

Tags: patch

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#31164; Package guix-patches. (Sun, 15 Apr 2018 15:51:02 GMT)

Acknowledgement sent to Marius Bakke <mbakke <at> fastmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 15 Apr 2018 15:51:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Marius Bakke <mbakke <at> fastmail.com>
To: guix-patches <at> gnu.org
Cc: Marius Bakke <mbakke <at> fastmail.com>
Subject: [PATCH] gnu: sharutils: Fix CVE-2018-1000097.
Date: Sun, 15 Apr 2018 17:49:45 +0200

* gnu/packages/patches/sharutils-CVE-2018-1000097.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/compression.scm (sharutils)[source](patches): Add it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/compression.scm                  |  1 +
 .../patches/sharutils-CVE-2018-1000097.patch  | 21 +++++++++++++++++++
 3 files changed, 23 insertions(+)
 create mode 100644 gnu/packages/patches/sharutils-CVE-2018-1000097.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 5c8824004..22080dd8a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1092,6 +1092,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/sdl-libx11-1.6.patch			\
   %D%/packages/patches/seq24-rename-mutex.patch			\
   %D%/packages/patches/shadow-CVE-2018-7169.patch		\
+  %D%/packages/patches/sharutils-CVE-2018-1000097.patch		\
   %D%/packages/patches/shishi-fix-libgcrypt-detection.patch	\
   %D%/packages/patches/slim-session.patch			\
   %D%/packages/patches/slim-config.patch			\
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 185043360..183d70a10 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -533,6 +533,7 @@ decompressors when faced with corrupted input.")
       (method url-fetch)
       (uri (string-append "mirror://gnu/sharutils/sharutils-"
                           version ".tar.xz"))
+      (patches (search-patches "sharutils-CVE-2018-1000097.patch"))
       (sha256
        (base32
         "16isapn8f39lnffc3dp4dan05b7x6mnc76v6q5nn8ysxvvvwy19b"))))
diff --git a/gnu/packages/patches/sharutils-CVE-2018-1000097.patch b/gnu/packages/patches/sharutils-CVE-2018-1000097.patch
new file mode 100644
index 000000000..8d5821818
--- /dev/null
+++ b/gnu/packages/patches/sharutils-CVE-2018-1000097.patch
@@ -0,0 +1,21 @@
+Fix CVE-2018-1000097:
+
+https://security-tracker.debian.org/tracker/CVE-2018-1000097
+https://nvd.nist.gov/vuln/detail/CVE-2018-1000097
+
+Patch taken from upstream bug report:
+https://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00005.html
+
+diff --git a/src/unshar.c b/src/unshar.c
+index 80bc3a9..0fc3773 100644
+--- a/src/unshar.c
++++ b/src/unshar.c
+@@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start)
+       off_t position = ftello (file);
+ 
+       /* Read next line, fail if no more and no previous process.  */
+-      if (!fgets (rw_buffer, BUFSIZ, file))
++      if (!fgets (rw_buffer, rw_base_size, file))
+ 	{
+ 	  if (!start)
+ 	    error (0, 0, _("Found no shell commands in %s"), name);
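Review bot: The header of the new patch file (the `Fix CVE-2018-1000097:` block) gives only tracker links and never says what the defect is, so anyone reading gnu/packages/patches has to infer it from the one-line change in find_archive. Suggest adding a sentence along the lines of "find_archive read up to BUFSIZ bytes into rw_buffer with fgets; bound the read by rw_base_size instead", which is exactly what the `-`/`+` pair shows. The hunk also covers a single call site, so it is worth checking src/unshar.c for any other read into rw_buffer that still passes BUFSIZ, since nothing visible here shows whether this fgets was the only one.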
-- 
2.17.0





Information forwarded to guix-patches <at> gnu.org:
bug#31164; Package guix-patches. (Sun, 15 Apr 2018 19:08:02 GMT)

Message #8 received at 31164 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 31164 <at> debbugs.gnu.org
Subject: Re: [bug#31164] [PATCH] gnu: sharutils: Fix CVE-2018-1000097.
Date: Sun, 15 Apr 2018 15:07:23 -0400

On Sun, Apr 15, 2018 at 05:49:45PM +0200, Marius Bakke wrote:
> * gnu/packages/patches/sharutils-CVE-2018-1000097.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/compression.scm (sharutils)[source](patches): Add it.

Thanks, LGTM!

bug closed, send any further explanations to 31164 <at> debbugs.gnu.org and Marius Bakke <mbakke <at> fastmail.com> Request was from Marius Bakke <mbakke <at> fastmail.com> to control <at> debbugs.gnu.org. (Mon, 16 Apr 2018 16:23:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 15 May 2018 11:24:06 GMT)

This bug report was last modified 7 years and 42 days ago.
