diff options
| author | Tobias Geerinckx-Rice <me@tobias.gr> | 2018-03-12 18:08:04 +0100 |
|---|---|---|
| committer | Tobias Geerinckx-Rice <me@tobias.gr> | 2018-03-12 18:15:21 +0100 |
| commit | 5400fdfd5d3c2201ee3ea8ec0d55690c221a91d8 (patch) | |
| tree | d4ed59aafff35494345289da5b627d56da157064 | |
| parent | a440a6af09d530a841b814051f4efb423c65ae21 (diff) | |
| download | guix-5400fdfd5d3c2201ee3ea8ec0d55690c221a91d8.tar guix-5400fdfd5d3c2201ee3ea8ec0d55690c221a91d8.tar.gz | |
gnu: lrzip: Fix CVE-2017-8842.
* gnu/packages/compression.scm (lrzip)[source]: Add patch.
* gnu/packages/patches/lrzip-CVE-2017-8842.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
| -rw-r--r-- | gnu/local.mk | 1 | ||||
| -rw-r--r-- | gnu/packages/compression.scm | 3 | ||||
| -rw-r--r-- | gnu/packages/patches/lrzip-CVE-2017-8842.patch | 23 |
3 files changed, 26 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 5c95cdae21..97d5e00c2b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -885,6 +885,7 @@ dist_patch_DATA = \ %D%/packages/patches/llvm-3.5-fix-clang-build-with-gcc5.patch \ %D%/packages/patches/llvm-for-extempore.patch \ %D%/packages/patches/lm-sensors-hwmon-attrs.patch \ + %D%/packages/patches/lrzip-CVE-2017-8842.patch \ %D%/packages/patches/lua-CVE-2014-5461.patch \ %D%/packages/patches/lua-pkgconfig.patch \ %D%/packages/patches/lua51-liblua-so.patch \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index d44ae2d259..86efe2a40e 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -1017,7 +1017,8 @@ human-readable output.") "http://ck.kolivas.org/apps/lrzip/lrzip-" version ".tar.bz2")) (sha256 (base32 - "0mb449vmmwpkalq732jdyginvql57nxyd31sszb108yps1lf448d")))) + "0mb449vmmwpkalq732jdyginvql57nxyd31sszb108yps1lf448d")) + (patches (search-patches "lrzip-CVE-2017-8842.patch")))) (build-system gnu-build-system) (native-inputs `(;; nasm is only required when building for 32-bit x86 platforms diff --git a/gnu/packages/patches/lrzip-CVE-2017-8842.patch b/gnu/packages/patches/lrzip-CVE-2017-8842.patch new file mode 100644 index 0000000000..89b4f2f5d9 --- /dev/null +++ b/gnu/packages/patches/lrzip-CVE-2017-8842.patch @@ -0,0 +1,23 @@ +From 38386bd482c0a8102a79958cb3eddcb97a167ca3 Mon Sep 17 00:00:00 2001 +From: Con Kolivas <kernel@kolivas.org> +Date: Fri, 9 Mar 2018 17:39:40 +1100 +Subject: [PATCH] CVE-2017-8842 Fix divide-by-zero in bufRead::get + +--- + libzpaq/libzpaq.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libzpaq/libzpaq.h b/libzpaq/libzpaq.h +index 93387da..cbe211d 100644 +--- a/libzpaq/libzpaq.h ++++ b/libzpaq/libzpaq.h +@@ -465,7 +465,8 @@ struct bufRead: public libzpaq::Reader { + + int get() { + if (progress && !(*s_len % 128)) { +- int pct = (total_len - *s_len) * 100 / total_len; ++ int pct = (total_len > 0) ? ++ (total_len - *s_len) * 100 / total_len : 100; + + if (pct / 10 != *last_pct / 10) { + int i; |