GNU bug report logs - #31487
[PATCH] gnu: Add upx.

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: tracker <at> debbugs.gnu.org
Subject: bug#31487: closed ([PATCH] gnu: Add upx.)
Date: Sat, 16 Jun 2018 21:58:02 +0000

[Message part 1 (text/plain, inline)]

Your message dated Sat, 16 Jun 2018 23:57:16 +0200
with message-id <87zhzumm2r.fsf <at> gnu.org>
and subject line Re: [bug#31487] [PATCH] gnu: upx: Fix CVE-2017-15056.
has caused the debbugs.gnu.org bug report #31487,
regarding [PATCH] gnu: Add upx.
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
31487: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=31487
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Pierre Neidhardt <ambrevar <at> gmail.com>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: Add upx.
Date: Fri, 18 May 2018 00:51:09 +0200

* gnu/packages/compression.scm (ucl): New variable.
* gnu/packages/compression.scm (upx): New variable.
---
 gnu/packages/compression.scm | 73 ++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 562a2bf8b..b0d7cd971 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2151,3 +2151,76 @@ with @code{deflate} but offers more dense compression.
 
 The specification of the Brotli Compressed Data Format is defined in RFC 7932.")
     (license license:expat)))
+
+(define-public ucl
+  (package
+    (name "ucl")
+    (version "1.03")
+    (source (origin
+             (method url-fetch)
+             (uri (string-append "http://www.oberhumer.com/opensource/"
+                                 name "/download/" name "-" version ".tar.gz"))
+             (sha256
+              (base32
+               "0j036lkwsxvm15gr29n8wn07cqq79dswjs9k54939ms5zngjjrdq"))))
+    (build-system gnu-build-system)
+    (home-page "http://www.oberhumer.com/opensource/ucl/")
+    (synopsis "Portable lossless data compression library")
+    (description "UCL implements a number of compression algorithms that
+achieve an excellent compression ratio while allowing *very* fast
+decompression.  Decompression requires no additional memory.
+
+UCL is an OpenSource re-implementation of some NRV compression algorithms.
+
+As compared to LZO, the UCL algorithms achieve a better compression ratio but
+decompression is a little bit slower.  See below for some rough timings.")
+    (license license:gpl2)))
+
+(define-public upx
+  (package
+    (name "upx")
+    (version "3.94")
+    (source (origin
+             (method url-fetch)
+             (uri (string-append "https://github.com/upx/upx/releases/download/v"
+                                 version "/" name "-" version "-src.tar.xz"))
+             (sha256
+              (base32
+               "08anybdliqsbsl6x835iwzljahnm9i7v26icdjkcv33xmk6p5vw1"))))
+    (build-system gnu-build-system)
+    (native-inputs `(("zlib" ,zlib)
+                     ("perl" ,perl)
+                     ("ucl" ,ucl)))
+    (arguments
+     `(#:make-flags
+       (list "all"
+             ;; CHECK_WHITESPACE does not seem to work.
+             ;; See https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/upx.
+             "CHECK_WHITESPACE=true")
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure)
+         (delete 'check)
+         (delete 'install)
+         (add-before 'build 'patch-exec-bin-sh
+           (lambda _
+             (substitute* (find-files "Makefile")
+               (("/bin/sh") (which "sh")))
+             (substitute* "src/Makefile"
+               (("/bin/sh") (which "sh")))
+             #t))
+         (add-after 'build 'install-upx
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out"))
+                   (bin (string-append out "/bin")))
+               (mkdir-p bin)
+               (copy-file "src/upx.out" (string-append bin "/upx")))
+             #t))
+         )))
+    (home-page "https://upx.github.io/")
+    (synopsis "The Ultimate Packer for eXecutables")
+    (description "UPX is an advanced executable file compressor.  UPX will
+typically reduce the file size of programs and DLLs by around 50%-70%, thus
+reducing disk space, network load times, download times and other distribution
+and storage costs.")
+    (license license:gpl2)))
-- 
2.17.0

[Message part 3 (message/rfc822, inline)]

From: ludo <at> gnu.org (Ludovic Courtès)
To: Pierre Neidhardt <ambrevar <at> gmail.com>
Cc: 31487-done <at> debbugs.gnu.org
Subject: Re: [bug#31487] [PATCH] gnu: upx: Fix CVE-2017-15056.
Date: Sat, 16 Jun 2018 23:57:16 +0200

Hello,

Pierre Neidhardt <ambrevar <at> gmail.com> skribis:

> * gnu/packages/patches/upx-protect-against-bad-crafted-input.patch: New file.
> * gnu/packages/compression.scm (upx)[source]: Use it.

I renamed the patch so that it includes the CVE id, added it to
gnu/local.mk, and committed.

Thanks!

Ludo’.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.