From unknown Tue Jun 24 14:00:23 2025
Subject: [bug#31164] [PATCH] gnu: sharutils: Fix CVE-2018-1000097.
To: 31164@debbugs.gnu.org
Cc: Marius Bakke
From: Marius Bakke
Date: Sun, 15 Apr 2018 17:49:45 +0200
Message-Id: <20180415154945.1591-1-mbakke@fastmail.com>
X-Mailer: git-send-email 2.17.0

* gnu/packages/patches/sharutils-CVE-2018-1000097.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/compression.scm (sharutils)[source](patches): Add it.
--- gnu/local.mk | 1 + gnu/packages/compression.scm | 1 + .../patches/sharutils-CVE-2018-1000097.patch | 21 +++++++++++++++++++ 3 files changed, 23 insertions(+) create mode 100644 gnu/packages/patches/sharutils-CVE-2018-1000097.patch diff --git a/gnu/local.mk b/gnu/local.mk index 5c8824004..22080dd8a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1092,6 +1092,7 @@ dist_patch_DATA = \ %D%/packages/patches/sdl-libx11-1.6.patch \ %D%/packages/patches/seq24-rename-mutex.patch \ %D%/packages/patches/shadow-CVE-2018-7169.patch \ + %D%/packages/patches/sharutils-CVE-2018-1000097.patch \ %D%/packages/patches/shishi-fix-libgcrypt-detection.patch \ %D%/packages/patches/slim-session.patch \ %D%/packages/patches/slim-config.patch \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 185043360..183d70a10 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm 
@@ -533,6 +533,7 @@ decompressors when faced with corrupted input.") (method url-fetch) (uri (string-append "mirror://gnu/sharutils/sharutils-" version ".tar.xz")) + (patches (search-patches "sharutils-CVE-2018-1000097.patch")) (sha256 (base32 "16isapn8f39lnffc3dp4dan05b7x6mnc76v6q5nn8ysxvvvwy19b")))) diff --git a/gnu/packages/patches/sharutils-CVE-2018-1000097.patch b/gnu/packages/patches/sharutils-CVE-2018-1000097.patch new file mode 100644 index 000000000..8d5821818 --- /dev/null +++ b/gnu/packages/patches/sharutils-CVE-2018-1000097.patch 
@@ -0,0 +1,21 @@ +Fix CVE-2018-1000097: + +https://security-tracker.debian.org/tracker/CVE-2018-1000097 +https://nvd.nist.gov/vuln/detail/CVE-2018-1000097 + +Patch taken from upstream bug report: +https://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00005.html + +diff --git a/src/unshar.c b/src/unshar.c +index 80bc3a9..0fc3773 100644 +--- a/src/unshar.c ++++ b/src/unshar.c +@@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start) + off_t position = ftello (file); + + /* Read next line, fail if no more and no previous process. */ +- if (!fgets (rw_buffer, BUFSIZ, file)) ++ if (!fgets (rw_buffer, rw_base_size, file)) + { + if (!start) + error (0, 0, _("Found no shell commands in %s"), name); -- 2.17.0
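
Review bot: In the embedded src/unshar.c hunk, the new bound in `fgets (rw_buffer, rw_base_size, file)` is only correct if `rw_base_size` always equals the current allocation of `rw_buffer`, and neither the allocation nor the definition of `rw_base_size` appears in the visible context of `find_archive`. Please add one sentence to the patch header saying where `rw_buffer` is sized and that `rw_base_size` tracks it, so the fix can be checked without opening the sharutils source. The header currently gives only the two tracker links and "Patch taken from upstream bug report"; since the fix comes from a mailing-list post rather than a release, it would also help to say that the patch should be dropped once a sharutils release contains the change.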
Date: Sun, 15 Apr 2018 15:07:23 -0400
From: Leo Famulari
Message-ID: <20180415190723.GA22787@jasmine.lan>
In-Reply-To: <20180415154945.1591-1-mbakke@fastmail.com>

On Sun, Apr 15, 2018 at 05:49:45PM +0200, Marius Bakke wrote:
> * gnu/packages/patches/sharutils-CVE-2018-1000097.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/compression.scm (sharutils)[source](patches): Add it.

Thanks, LGTM!

From debbugs-submit-bounces@debbugs.gnu.org Mon Apr 16 12:22:23 2018
From: Marius Bakke
To: control@debbugs.gnu.org
Subject: close 31164
Date: Mon, 16 Apr 2018 18:22:17 +0200
Message-ID: <877ep7dsue.fsf@fastmail.com>

close 31164
thanks