From: bug#31487 <31487@debbugs.gnu.org>
To: bug#31487 <31487@debbugs.gnu.org>
Subject: Status: [PATCH] gnu: Add upx.
Date: Tue, 17 Jun 2025 08:25:41 +0000

retitle 31487 [PATCH] gnu: Add upx.
reassign 31487 guix-patches
submitter 31487 Pierre Neidhardt
severity 31487 normal
tag 31487 patch
thanks

From: Pierre Neidhardt
To: guix-patches@gnu.org
Subject: [PATCH] gnu: Add upx.
Date: Fri, 18 May 2018 00:51:09 +0200
Message-Id: <20180517225109.12033-1-ambrevar@gmail.com>

* gnu/packages/compression.scm (ucl): New variable.
* gnu/packages/compression.scm (upx): New variable.
---
 gnu/packages/compression.scm | 73 ++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 562a2bf8b..b0d7cd971 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm 
@@ -2151,3 +2151,76 @@ with @code{deflate} but offers more dense compression. The specification of the Brotli Compressed Data Format is defined in RFC 7932.") (license license:expat))) + +(define-public ucl + (package + (name "ucl") + (version "1.03") + (source (origin + (method url-fetch) + (uri (string-append "http://www.oberhumer.com/opensource/" + name "/download/" name "-" version ".tar.gz")) + (sha256 + (base32 + "0j036lkwsxvm15gr29n8wn07cqq79dswjs9k54939ms5zngjjrdq")))) + (build-system gnu-build-system) + (home-page "http://www.oberhumer.com/opensource/ucl/") + (synopsis "Portable lossless data compression library") + (description "UCL implements a number of compression algorithms that +achieve an excellent compression ratio while allowing *very* fast +decompression. Decompression requires no additional memory. + +UCL is an OpenSource re-implementation of some NRV compression algorithms. + +As compared to LZO, the UCL algorithms achieve a better compression ratio but +decompression is a little bit slower. See below for some rough timings.") + (license license:gpl2))) + +(define-public upx + (package + (name "upx") + (version "3.94") + (source (origin + (method url-fetch) + (uri (string-append "https://github.com/upx/upx/releases/download/v" + version "/" name "-" version "-src.tar.xz")) + (sha256 + (base32 + "08anybdliqsbsl6x835iwzljahnm9i7v26icdjkcv33xmk6p5vw1")))) + (build-system gnu-build-system) + (native-inputs `(("zlib" ,zlib) + ("perl" ,perl) + ("ucl" ,ucl))) + (arguments + `(#:make-flags + (list "all" + ;; CHECK_WHITESPACE does not seem to work. + ;; See https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/upx. 
+ "CHECK_WHITESPACE=true") + #:phases + (modify-phases %standard-phases + (delete 'configure) + (delete 'check) + (delete 'install) + (add-before 'build 'patch-exec-bin-sh + (lambda _ + (substitute* (find-files "Makefile") + (("/bin/sh") (which "sh"))) + (substitute* "src/Makefile" + (("/bin/sh") (which "sh"))) + #t)) + (add-after 'build 'install-upx + (lambda* (#:key outputs #:allow-other-keys) + (let* ((out (assoc-ref outputs "out")) + (bin (string-append out "/bin"))) + (mkdir-p bin) + (copy-file "src/upx.out" (string-append bin "/upx"))) + #t)) + ))) + (home-page "https://upx.github.io/") + (synopsis "The Ultimate Packer for eXecutables") + (description "UPX is an advanced executable file compressor. UPX will +typically reduce the file size of programs and DLLs by around 50%-70%, thus +reducing disk space, network load times, download times and other distribution +and storage costs.") + (license license:gpl2))) -- 2.17.0
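
Review bot: In the upx definition, native-inputs lists "zlib" and "ucl" next to "perl", but zlib and ucl are libraries that upx links against rather than tools run during the build; move them to inputs and keep only perl in native-inputs, so that cross-builds pick up the target's libraries. In the same package's phases, (delete 'check) is better expressed as #:tests? #f, and (delete 'install) followed by (add-after 'build 'install-upx ...) can be a single (replace 'install ...); the two substitute* calls in patch-exec-bin-sh can also become one call on the list ("Makefile" "src/Makefile"), which avoids passing a file name to find-files as its directory argument. In ucl, the description ends with "See below for some rough timings.", which points at text that is not part of the description and should be dropped, and the source URI uses plain http, which leaves the sha256 as the only integrity check on the download; use https if upstream serves it.
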
From: Pierre Neidhardt
To: 31487@debbugs.gnu.org
Subject: Re: [PATCH] gnu: Add upx.
Date: Fri, 18 May 2018 08:46:20 +0200
Message-ID: <874lj5a2bn.fsf@gmail.com>

Forgot to add my name to the copyright list.

-- 
Pierre Neidhardt

From: ludo@gnu.org (Ludovic Courtès)
To: Pierre Neidhardt
Cc: 31487@debbugs.gnu.org
Subject: Re: [bug#31487] [PATCH] gnu: Add upx.
Date: Sat, 26 May 2018 22:14:22 +0200
Message-ID: <87lgc6yy1t.fsf@gnu.org>

Hello,

Pierre Neidhardt skribis:

> * gnu/packages/compression.scm (ucl): New variable.
> * gnu/packages/compression.scm (upx): New variable.

I committed both as separate patches (the convention is to have one
patch per package), slightly changed descriptions to remove “marketing
speak”, and changed licenses to ‘gpl2+’ after checking the source file
headers.

There’s one issue left though:

  $ ./pre-inst-env guix lint upx
  gnu/packages/compression.scm:2179:2: upx@3.94: probably vulnerable to CVE-2017-15056, CVE-2017-16869

Could you check whether patches are available for these?  Better be safe
than sorry!

Thank you,
Ludo’.

From: Pierre Neidhardt
To: Ludovic Courtès
Cc: 31487@debbugs.gnu.org
Subject: Re: [bug#31487] [PATCH] gnu: Add upx.
Date: Sun, 27 May 2018 15:46:48 +0200
Message-ID: <87muwli52v.fsf@gmail.com>

Ludovic Courtès writes:

> There’s one issue left though:
>
>   $ ./pre-inst-env guix lint upx
>   gnu/packages/compression.scm:2179:2: upx@3.94: probably vulnerable to CVE-2017-15056, CVE-2017-16869
>
> Could you check whether patches are available for these?  Better be safe
> than sorry!

Indeed they are.
They are not on the master branch though, only devel I think.
So what's the protocol here?  Shall we cherry-pick the fixing commits or
get latest devel?

-- 
Pierre Neidhardt

The day advanced as if to light some work of mine; it was morning,
and lo! now it is evening, and nothing memorable is accomplished.
		-- H.D. Thoreau

From: ludo@gnu.org (Ludovic Courtès)
To: Pierre Neidhardt
Cc: 31487@debbugs.gnu.org
Subject: Re: [bug#31487] [PATCH] gnu: Add upx.
Date: Mon, 28 May 2018 09:55:01 +0200
Message-ID: <878t8443l6.fsf@gnu.org>

Hi Pierre,

Pierre Neidhardt skribis:

> Ludovic Courtès writes:
>
>> There’s one issue left though:
>>
>>   $ ./pre-inst-env guix lint upx
>>   gnu/packages/compression.scm:2179:2: upx@3.94: probably vulnerable to CVE-2017-15056, CVE-2017-16869
>>
>> Could you check whether patches are available for these?  Better be safe
>> than sorry!
>
> Indeed they are.
> They are not on the master branch though, only devel I think.
> So what's the protocol here?  Shall we cherry-pick the fixing commits or
> get latest devel?

Yes.  You can add them as individual patches (see commit
aa8ac0294421d465f60e18c8271f971ec8407a95 for an example); as usual, make
sure each patch starts with a few lines explaining what the patch does
and where it comes from (you can take the commit log for that plus a
repo URL, for instance.)

Then you can check that ‘guix lint upx’ is happy.

TIA!
Ludo’.

From: Pierre Neidhardt
To: Ludovic Courtès
Cc: 31487@debbugs.gnu.org
Subject: Re: [bug#31487] [PATCH] gnu: Add upx.
Date: Tue, 29 May 2018 08:42:36 +0200
Message-ID: <87d0xfvu77.fsf@gmail.com>

The relevant issues:

- https://github.com/upx/upx/issues/146
- https://github.com/upx/upx/pull/190

Both CVEs were rejected, so I guess there is no need to include a patch.

-- 
Pierre Neidhardt

From: ludo@gnu.org (Ludovic Courtès)
To: Pierre Neidhardt
Cc: 31487@debbugs.gnu.org
Subject: Re: [bug#31487] [PATCH] gnu: Add upx.
Date: Tue, 29 May 2018 15:27:19 +0200
Message-ID: <87po1ezj60.fsf@gnu.org>

Pierre Neidhardt skribis:

> The relevant issues:
>
> - https://github.com/upx/upx/issues/146
> - https://github.com/upx/upx/pull/190

Hmm I see that:

  https://github.com/upx/upx/issues/128
  corresponds to:
  https://nvd.nist.gov/vuln/detail?vulnId=CVE%2D%32%30%31%37%2D%31%35%30%35%36

and:

  https://nvd.nist.gov/vuln/detail?vulnId=CVE%2D%32%30%31%37%2D%31%36%38%36%39
  corresponds to:
  https://github.com/upx/upx/issues/146

The latter (CVE-2017-16869) is marked as “disputed” above, and I would
agree with the arguments of the UPX maintainers.

The authors did not react to the former (CVE-2017-15056, crash when
reading ELF files), other than by fixing it, but it does look similar in
spirit.

What about adding a patch for CVE-2017-15056 since it would at least fix
a concrete bug?

CVE-2017-16869 is also a bug but it concerns Mach-O files, which are
much less of a concern for our users I suppose.  Patching it wouldn’t
hurt either, but you could also add a ‘lint-hidden-cve’ property for
CVE-2017-16869 with a comment.

TIA,
Ludo’.

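The combination suggested in the message above (a patch for CVE-2017-15056 plus a ‘lint-hidden-cve’ property for CVE-2017-16869) could be written as follows. This is an added example, not code from the thread or from the Guix repository; the module name, the variable name upx-patched and the patch file name are hypothetical, and the patch file itself would have to be created from the upstream fix and placed in gnu/packages/patches.

```scheme
;; Added example: a variant of the upx package from this thread.
;; Module name, variable name and patch file name are hypothetical.
(define-module (example upx-patched)
  #:use-module (guix packages)
  #:use-module (gnu packages)              ; search-patches
  #:use-module (gnu packages compression)) ; upx

(define-public upx-patched
  (package
    (inherit upx)
    (source
     (origin
       (inherit (package-source upx))
       ;; 'guix lint' infers which CVEs are fixed from the names of the
       ;; applied patches, so the CVE identifier belongs in the file name.
       ;; As requested in the thread, the patch file should start with a
       ;; few lines saying what it does and where it comes from.
       (patches (search-patches "upx-CVE-2017-15056.patch"))))
    (properties
     ;; CVE-2017-16869 is marked as disputed and concerns Mach-O files;
     ;; it is not patched here, so hide it from the CVE checker and keep
     ;; this comment as the record of why.
     '((lint-hidden-cve . ("CVE-2017-16869"))))))
```
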
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) To: Pierre Neidhardt Subject: Re: [bug#31487] [PATCH] gnu: Add upx. References: <20180517225109.12033-1-ambrevar@gmail.com> <87lgc6yy1t.fsf@gnu.org> <87muwli52v.fsf@gmail.com> <878t8443l6.fsf@gnu.org> <87d0xfvu77.fsf@gmail.com> <87po1ezj60.fsf@gnu.org> Date: Fri, 15 Jun 2018 09:12:55 +0200 In-Reply-To: <87po1ezj60.fsf@gnu.org> ("Ludovic \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\= \=\?utf-8\?Q\?s\?\= message of "Tue, 29 May 2018 15:27:19 +0200") Message-ID: <87muvwwmiw.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -3.5 (---) X-Debbugs-Envelope-To: 31487 Cc: 31487@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.5 (----) Ping! :-) ludo@gnu.org (Ludovic Court=C3=A8s) skribis: > Pierre Neidhardt skribis: > >> The relevant issues: >> >> - https://github.com/upx/upx/issues/146 >> - https://github.com/upx/upx/pull/190 > > Hmm I see that: > > https://github.com/upx/upx/issues/128 > corresponds to: > https://nvd.nist.gov/vuln/detail?vulnId=3DCVE%2D%32%30%31%37%2D%31%35%3= 0%35%36 > > and: > > https://nvd.nist.gov/vuln/detail?vulnId=3DCVE%2D%32%30%31%37%2D%31%36%3= 8%36%39 > corresponds to: > https://github.com/upx/upx/issues/146 > > The latter (CVE-2017-16869) is marked as =E2=80=9Cdisputed=E2=80=9D above= , and I would > agree with the arguments of the UPX maintainers. > > The authors did not react to the former (CVE-2017-15056, crash when > reading ELF files), other than by fixing it, but it does look similar in > spirit. 
>
> What about adding a patch for CVE-2017-15056 since it would at least fix
> a concrete bug?
>
> CVE-2017-16869 is also a bug but it concerns Mach-O files, which are
> much less of a concern for our users I suppose.  Patching it wouldn’t
> hurt either, but you could also add a ‘lint-hidden-cve’ property for
> CVE-2017-16869 with a comment.
>
> TIA,
> Ludo’.

From: Pierre Neidhardt
To: 31487@debbugs.gnu.org
Subject: [PATCH] gnu: upx: Fix CVE-2017-15056.
Date: Sat, 16 Jun 2018 16:54:53 +0200
Message-Id: <20180616145453.15816-1-ambrevar@gmail.com>

* gnu/packages/patches/upx-protect-against-bad-crafted-input.patch: New file.
* gnu/packages/compression.scm (upx)[source]: Use it. --- gnu/packages/compression.scm | 8 +- ...px-protect-against-bad-crafted-input.patch | 96 +++++++++++++++++++ 2 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/upx-protect-against-bad-crafted-input.patch diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 8f062049a..0be7962b3 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -2209,7 +2209,8 @@ decompression is a little bit slower.") version "/" name "-" version "-src.tar.xz")) (sha256 (base32 - "08anybdliqsbsl6x835iwzljahnm9i7v26icdjkcv33xmk6p5vw1")))) + "08anybdliqsbsl6x835iwzljahnm9i7v26icdjkcv33xmk6p5vw1")) + (patches (search-patches "upx-protect-against-bad-crafted-input.patch")))) (build-system gnu-build-system) (native-inputs `(("perl" ,perl) ("ucl" ,ucl))) @@ -2241,6 +2242,11 @@ decompression is a little bit slower.") #t)) ))) (home-page "https://upx.github.io/") + ;; CVE-16869 is about Mach-O files which is not of a big concern for Guix. + ;; See https://github.com/upx/upx/issues/146 and + ;; https://nvd.nist.gov/vuln/detail?vulnId=CVE%2D%32%30%31%37%2D%31%36%38%36%39. + ;; The issue will be fixed after version 3.94. + (properties `((lint-hidden-cve . ("CVE-2017-16869")))) (synopsis "Compression tool for executables") (description "The Ultimate Packer for eXecutables (UPX) is an executable file diff --git a/gnu/packages/patches/upx-protect-against-bad-crafted-input.patch b/gnu/packages/patches/upx-protect-against-bad-crafted-input.patch new file mode 100644 index 000000000..525980e73 --- /dev/null +++ b/gnu/packages/patches/upx-protect-against-bad-crafted-input.patch 
@@ -0,0 +1,96 @@ +From 3e0c2966dffb5dadb512a476ef4be3d0cc51c2be Mon Sep 17 00:00:00 2001 +From: Pierre Neidhardt +Date: Sat, 16 Jun 2018 16:35:00 +0200 +Subject: [PATCH] Protect against bad crafted input + +Also check for wrap-around when checking oversize involving e_shoff and e_shnum. + +raised by https://github.com/upx/upx/pull/190 + modified: p_lx_elf.cpp +--- + src/p_lx_elf.cpp | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp +index 822a7652..41e805ee 100644 +--- a/src/p_lx_elf.cpp ++++ b/src/p_lx_elf.cpp +@@ -235,8 +235,17 @@ PackLinuxElf32::PackLinuxElf32help1(InputFile *f) + sz_phdrs = 0; + return; + } ++ if (0==e_phnum) throwCantUnpack("0==e_phnum"); + e_phoff = get_te32(&ehdri.e_phoff); ++ unsigned const last_Phdr = e_phoff + e_phnum * sizeof(Elf32_Phdr); ++ if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) { ++ throwCantUnpack("bad e_phoff"); ++ } + e_shoff = get_te32(&ehdri.e_shoff); ++ unsigned const last_Shdr = e_shoff + e_shnum * sizeof(Elf32_Shdr); ++ if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) { ++ throwCantUnpack("bad e_shoff"); ++ } + sz_phdrs = e_phnum * e_phentsize; + + if (f && Elf32_Ehdr::ET_DYN!=e_type) { +@@ -599,8 +608,17 @@ PackLinuxElf64::PackLinuxElf64help1(InputFile *f) + sz_phdrs = 0; + return; + } ++ if (0==e_phnum) throwCantUnpack("0==e_phnum"); + e_phoff = get_te64(&ehdri.e_phoff); ++ upx_uint64_t const last_Phdr = e_phoff + e_phnum * sizeof(Elf64_Phdr); ++ if (last_Phdr < e_phoff || (unsigned long)file_size < last_Phdr) { ++ throwCantUnpack("bad e_phoff"); ++ } + e_shoff = get_te64(&ehdri.e_shoff); ++ upx_uint64_t const last_Shdr = e_shoff + e_shnum * sizeof(Elf64_Shdr); ++ if (last_Shdr < e_shoff || (unsigned long)file_size < last_Shdr) { ++ throwCantUnpack("bad e_shoff"); ++ } + sz_phdrs = e_phnum * e_phentsize; + + if (f && Elf64_Ehdr::ET_DYN!=e_type) { +@@ -3763,6 +3781,9 @@ void PackLinuxElf64::pack4(OutputFile *fo, 
Filter &ft) + + void PackLinuxElf64::unpack(OutputFile *fo) + { ++ if (e_phoff != sizeof(Elf64_Ehdr)) {// Phdrs not contiguous with Ehdr ++ throwCantUnpack("bad e_phoff"); ++ } + unsigned const c_phnum = get_te16(&ehdri.e_phnum); + upx_uint64_t old_data_off = 0; + upx_uint64_t old_data_len = 0; +@@ -3828,6 +3849,9 @@ void PackLinuxElf64::unpack(OutputFile *fo) + unsigned total_out = 0; + unsigned c_adler = upx_adler32(NULL, 0); + unsigned u_adler = upx_adler32(NULL, 0); ++ if ((MAX_ELF_HDR - sizeof(Elf64_Ehdr))/sizeof(Elf64_Phdr) < u_phnum) { ++ throwCantUnpack("bad compressed e_phnum"); ++ } + + // Packed ET_EXE has no PT_DYNAMIC. + // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld. +@@ -4383,6 +4407,9 @@ Elf64_Sym const *PackLinuxElf64::elf_lookup(char const *name) const + + void PackLinuxElf32::unpack(OutputFile *fo) + { ++ if (e_phoff != sizeof(Elf32_Ehdr)) {// Phdrs not contiguous with Ehdr ++ throwCantUnpack("bad e_phoff"); ++ } + unsigned const c_phnum = get_te16(&ehdri.e_phnum); + unsigned old_data_off = 0; + unsigned old_data_len = 0; +@@ -4449,6 +4476,9 @@ void PackLinuxElf32::unpack(OutputFile *fo) + unsigned total_out = 0; + unsigned c_adler = upx_adler32(NULL, 0); + unsigned u_adler = upx_adler32(NULL, 0); ++ if ((MAX_ELF_HDR - sizeof(Elf32_Ehdr))/sizeof(Elf32_Phdr) < u_phnum) { ++ throwCantUnpack("bad compressed e_phnum"); ++ } + + // Packed ET_EXE has no PT_DYNAMIC. + // Packed ET_DYN has original PT_DYNAMIC for info needed by rtld. 
+-- +2.17.0 + -- 2.17.0
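
Review bot: the first gnu/packages/compression.scm hunk references the new file through search-patches, but the diffstat lists only two changed files and gnu/local.mk is not one of them, so the patch is not registered in dist_patch_DATA. Add it there. The file name and the embedded patch header also never mention CVE-2017-15056 (the header cites only https://github.com/upx/upx/pull/190); putting the CVE id in the file name lets guix lint recognise the vulnerability as patched, and a line in the header saying which CVE is fixed documents the origin.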
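
Review bot: the comment added above the properties field in the second gnu/packages/compression.scm hunk abbreviates the identifier as "CVE-16869", while the lint-hidden-cve value below it uses "CVE-2017-16869"; write the full id in the comment so that a search for it finds both places. The NVD link in the same comment is percent-escaped character by character (CVE%2D%32%30...), which makes it unreadable in the source; the unescaped form of the URL would be clearer. "The issue will be fixed after version 3.94" would be easier to act on if it said the property should be dropped when the package is updated past that version.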
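
Review bot: in the PackLinuxElf64::PackLinuxElf64help1 hunk of src/p_lx_elf.cpp, last_Phdr and last_Shdr are upx_uint64_t but file_size is cast to unsigned long before being compared with them. Where unsigned long is 32 bits and file_size is wider, the cast truncates the file size and the bound being checked is no longer the real one. Casting to upx_uint64_t instead, as in "(upx_uint64_t)file_size < last_Phdr", keeps both operands the same width on every platform.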
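
Review bot: the test added at the top of PackLinuxElf64::unpack and PackLinuxElf32::unpack throws "bad e_phoff", the same string the new range checks in the help1 functions throw, so a bug report quoting the message cannot tell which check rejected the file. A distinct message for the contiguity test would help triage; the inline comment already has the wording ("Phdrs not contiguous with Ehdr"). The u_phnum bound added later in the same functions would also benefit from a one-line comment saying that it keeps the program headers within MAX_ELF_HDR.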

From: Pierre Neidhardt
To: Ludovic Courtès
Subject: Re: [bug#31487] [PATCH] gnu: Add upx.
In-reply-to: <87muvwwmiw.fsf@gnu.org>
Date: Sat, 16 Jun 2018 16:58:33 +0200
Message-ID: <87602ihj6u.fsf@gmail.com>

Ludovic Courtès writes:

> Ping!  :-)

Sorry for the long delay.  I've just sent a patch.
I'm having issues with my development setup so I haven't been able to test it.

--
Pierre Neidhardt

From: Pierre Neidhardt
To: Ludovic Courtès
Subject: Re: [bug#31487] [PATCH] gnu: Add upx.
In-reply-to: <87602ihj6u.fsf@gmail.com>
Date: Sat, 16 Jun 2018 21:15:27 +0200
Message-ID: <871sd6ee5s.fsf@gmail.com>

I've finally resolved issues with my Guix setup and I've successfully
tested the patched version of upx.  Feel free to merge.

--
Pierre Neidhardt

From: ludo@gnu.org (Ludovic Courtès)
To: Pierre Neidhardt
Subject: Re: [bug#31487] [PATCH] gnu: upx: Fix CVE-2017-15056.
Date: Sat, 16 Jun 2018 23:57:16 +0200
In-Reply-To: <20180616145453.15816-1-ambrevar@gmail.com>
Message-ID: <87zhzumm2r.fsf@gnu.org>

Hello,

Pierre Neidhardt wrote:

> * gnu/packages/patches/upx-protect-against-bad-crafted-input.patch: New file.
> * gnu/packages/compression.scm (upx)[source]: Use it.

I renamed the patch so that it includes the CVE id, added it to
gnu/local.mk, and committed.

Thanks!

Ludo’.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Mon, 16 Jul 2018 11:24:11 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator