GNU bug report logs - #48656
[PATCH] gnu: lz4: Add a patch for CVE-2021-3520.

Package: guix-patches;

Reported by: Solene Rapenne <solene <at> perso.pw>

Date: Tue, 25 May 2021 18:25:01 UTC

Severity: normal

Tags: patch

To reply to this bug, email your comments to 48656 AT debbugs.gnu.org.


Report forwarded to guix-patches <at> gnu.org:
bug#48656; Package guix-patches. (Tue, 25 May 2021 18:25:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Solene Rapenne <solene <at> perso.pw>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 25 May 2021 18:25:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Solene Rapenne <solene <at> perso.pw>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: lz4: Add a patch for CVE-2021-3520.
Date: Tue, 25 May 2021 20:24:07 +0200

This imports a patch that is not committed upstream yet
but pending for merge on github

https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7

This is already widely used in many distributions distributing lz4

---
 gnu/packages/compression.scm                 |  7 +++++--
 gnu/packages/patches/lz4-CVE-2021-3520.patch | 15 +++++++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/lz4-CVE-2021-3520.patch

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 64816a30c0..53ab999151 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -33,6 +33,7 @@
 ;;; Copyright © 2021 Antoine Côté <antoine.cote <at> posteo.net>
 ;;; Copyright © 2021 Vincent Legoll <vincent.legoll <at> gmail.com>
 ;;; Copyright © 2021 Simon Tournier <zimon.toutoune <at> gmail.com>
+;;; Copyright © 2021 Solene Rapenne <solene <at> perso.pw>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -810,15 +811,17 @@ decompression of some loosely related file formats used by Microsoft.")
                            (commit (string-append "v" version))))
        (sha256
         (base32 "1w02kazh1fps3sji2sn89fz862j1199c5ajrqcgl1bnlxj09kcbz"))
+       (patches
+        (search-patches "lz4-CVE-2021-3520.patch"))
        (file-name (git-file-name name version))))
     (build-system gnu-build-system)
     (outputs (list "out" "static"))
     (native-inputs
-     `(;; For tests.
+     `( ;; For tests.
        ("python" ,python)
        ("valgrind" ,valgrind)))
     (arguments
-     `(;; Not designed for parallel testing.
+     `( ;; Not designed for parallel testing.
        ;; See https://github.com/lz4/lz4/issues/957#issuecomment-737419821
        #:parallel-tests? #f
        #:test-target "test"
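Review bot: The added `(patches (search-patches "lz4-CVE-2021-3520.patch"))` field references a new patch file, but the diffstat lists only compression.scm and the patch file itself, so the entry in gnu/local.mk is missing and should be part of this change. Separately, the two `( ;;` edits in native-inputs and arguments only insert a space after the opening parenthesis and are unrelated to the CVE fix; drop them so the hunk carries only the security-relevant change.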
diff --git a/gnu/packages/patches/lz4-CVE-2021-3520.patch b/gnu/packages/patches/lz4-CVE-2021-3520.patch
new file mode 100644
index 0000000000..100baa4758
--- /dev/null
+++ b/gnu/packages/patches/lz4-CVE-2021-3520.patch
@@ -0,0 +1,15 @@
+Not merged patch fixing CVE-2021-3520
+https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
+
+Index: b/lib/lz4.c
+--- a/lib/lz4.c.orig
++++ b/lib/lz4.c
+@@ -1749,7 +1749,7 @@ LZ4_decompress_generic(
+                  const size_t dictSize         /* note : = 0 if noDict */
+                  )
+ {
+-    if (src == NULL) { return -1; }
++    if ((src == NULL) || (outputSize < 0)) { return -1; }
+ 
+     {   const BYTE* ip = (const BYTE*) src;
+         const BYTE* const iend = ip + srcSize;
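Review bot: The header of the new patch file (its first two added lines) says "Not merged" while linking a commit URL, and it does not say what the change guards against. State in the header that the added `(outputSize < 0)` test makes LZ4_decompress_generic return -1 for a negative output size before any decoding starts, and link the upstream pull request, so that a later reader can tell when an lz4 release carries the check and this file can be removed.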
-- 
2.31.1





Information forwarded to guix-patches <at> gnu.org:
bug#48656; Package guix-patches. (Tue, 25 May 2021 19:08:02 GMT) Full text and rfc822 format available.

Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Solene Rapenne via Guix-patches via <guix-patches <at> gnu.org>
Cc: 48656 <at> debbugs.gnu.org
Subject: Re: [bug#48656] [PATCH] gnu: lz4: Add a patch for CVE-2021-3520.
Date: Tue, 25 May 2021 15:07:05 -0400

On Tue, May 25, 2021 at 08:24:07PM +0200, Solene Rapenne via Guix-patches via wrote:
> This imports a patch that is not committed upstream yet
> but pending for merge on github
> 
> https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
> 
> This is already widely used in many distributions distributing lz4
> 
> ---
>  gnu/packages/compression.scm                 |  7 +++++--
>  gnu/packages/patches/lz4-CVE-2021-3520.patch | 15 +++++++++++++++

When adding a new patch file, you have to register it in 'gnu/local.mk'.

Is there any discussion about this upstream? Why isn't it included in
lz4 yet?




Information forwarded to guix-patches <at> gnu.org:
bug#48656; Package guix-patches. (Tue, 25 May 2021 21:52:02 GMT) Full text and rfc822 format available.

Message #14 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Solene Rapenne via Guix-patches via <guix-patches <at> gnu.org>
Cc: 48656 <at> debbugs.gnu.org
Subject: Re: [bug#48656] [PATCH] gnu: lz4: Add a patch for CVE-2021-3520.
Date: Tue, 25 May 2021 17:51:24 -0400

On Tue, May 25, 2021 at 03:07:05PM -0400, Leo Famulari wrote:
> Is there any discussion about this upstream? Why isn't it included in
> lz4 yet?

I found approval from the lz4 maintainers:

https://github.com/lz4/lz4/pull/972#issuecomment-830192743
https://github.com/lz4/lz4/pull/972#issuecomment-799719118




Information forwarded to guix-patches <at> gnu.org:
bug#48656; Package guix-patches. (Mon, 29 May 2023 11:32:02 GMT) Full text and rfc822 format available.

Message #20 received at 48656 <at> debbugs.gnu.org (full text, mbox):

From: Jelle Licht <jlicht <at> fsfe.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 48656 <at> debbugs.gnu.org
Subject: Re: bug#48656: [PATCH] gnu: lz4: Add a patch for CVE-2021-3520.
Date: Mon, 29 May 2023 13:31:12 +0200

Leo Famulari <leo <at> famulari.name> writes:

> On Tue, May 25, 2021 at 03:07:05PM -0400, Leo Famulari wrote:
>> Is there any discussion about this upstream? Why isn't it included in
>> lz4 yet?
>
> I found approval from the lz4 maintainers:
>
> https://github.com/lz4/lz4/pull/972#issuecomment-830192743
> https://github.com/lz4/lz4/pull/972#issuecomment-799719118

It seems there's some uncertainty w.r.t. the validity of the CVE [0],
but since then a release has been made that pulls the changes discussed
in issue 972 into lz4 release 1.9.4.




Information forwarded to guix-patches <at> gnu.org:
bug#48656; Package guix-patches. (Mon, 29 May 2023 11:44:01 GMT) Full text and rfc822 format available.

Message #23 received at 48656 <at> debbugs.gnu.org (full text, mbox):

From: Jelle Licht <jlicht <at> fsfe.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 48656 <at> debbugs.gnu.org
Subject: Re: [bug#48656] [PATCH] gnu: lz4: Add a patch for CVE-2021-3520.
Date: Mon, 29 May 2023 13:43:24 +0200

Jelle Licht <jlicht <at> fsfe.org> writes:

> Leo Famulari <leo <at> famulari.name> writes:
>
>> On Tue, May 25, 2021 at 03:07:05PM -0400, Leo Famulari wrote:
>>> Is there any discussion about this upstream? Why isn't it included in
>>> lz4 yet?
>>
>> I found approval from the lz4 maintainers:
>>
>> https://github.com/lz4/lz4/pull/972#issuecomment-830192743
>> https://github.com/lz4/lz4/pull/972#issuecomment-799719118
>
> It seems there's some uncertainty w.r.t. the validity of the CVE [0],
> but since then a release has been made that pulls the changes discussed
> in issue 972 into lz4 release 1.9.4.

With [0] being: https://github.com/lz4/lz4/issues/1037#issuecomment-1283560779




This bug report was last modified 2 years and 18 days ago.
