Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/java-jeromq-fix-tests.patch | 253 | ||||
-rw-r--r-- | gnu/packages/patches/java-simple-xml-fix-tests.patch | 37 | ||||
-rw-r--r-- | gnu/packages/patches/lrzip-CVE-2017-8842.patch | 23 | ||||
-rw-r--r-- | gnu/packages/patches/shadow-CVE-2018-7169.patch | 191 | ||||
-rw-r--r-- | gnu/packages/patches/util-linux-CVE-2018-7738.patch | 49 | ||||
-rw-r--r-- | gnu/packages/patches/zsh-CVE-2018-7548.patch | 48 | ||||
-rw-r--r-- | gnu/packages/patches/zsh-CVE-2018-7549.patch | 56 |
7 files changed, 657 insertions, 0 deletions
diff --git a/gnu/packages/patches/java-jeromq-fix-tests.patch b/gnu/packages/patches/java-jeromq-fix-tests.patch
new file mode 100644
index 0000000000..5466b92707
--- /dev/null
+++ b/gnu/packages/patches/java-jeromq-fix-tests.patch
@@ -0,0 +1,253 @@ +From 5803aadd3f209eba1ffbb2cf7bf16778019dbee1 Mon Sep 17 00:00:00 2001 +From: fredoboulo <fredoboulo@users.noreply.github.com> +Date: Fri, 23 Feb 2018 23:55:57 +0100 +Subject: [PATCH] Fix #524 : V1 and V2 protocol downgrades handle received data + in handshake buffer + +This patch is upstream pull request, see: +https://gihub.com/zeromq/jeromq/pull/527. + +It is merged on commit c2afa9c, and we can drop it on the +0.4.4 release. + +--- + src/main/java/zmq/io/StreamEngine.java | 21 ++++++++++-- + src/test/java/zmq/io/AbstractProtocolVersion.java | 41 +++++++++++++---------- + src/test/java/zmq/io/V0ProtocolTest.java | 12 +++++++ + src/test/java/zmq/io/V1ProtocolTest.java | 16 +++++++-- + src/test/java/zmq/io/V2ProtocolTest.java | 16 +++++++-- + 5 files changed, 81 insertions(+), 25 deletions(-) + +diff --git a/src/main/java/zmq/io/StreamEngine.java b/src/main/java/zmq/io/StreamEngine.java +index b8933c92..fe2f2d8d 100644 +--- a/src/main/java/zmq/io/StreamEngine.java ++++ b/src/main/java/zmq/io/StreamEngine.java +@@ -816,9 +816,7 @@ private boolean handshake() + assert (bufferSize == headerSize); + + // Make sure the decoder sees the data we have already received. +- greetingRecv.flip(); +- inpos = greetingRecv; +- insize = greetingRecv.limit(); ++ decodeDataAfterHandshake(0); + + // To allow for interoperability with peers that do not forward + // their subscriptions, we inject a phantom subscription message +@@ -846,6 +844,8 @@ else if (greetingRecv.get(revisionPos) == Protocol.V1.revision) { + } + encoder = new V1Encoder(errno, Config.OUT_BATCH_SIZE.getValue()); + decoder = new V1Decoder(errno, Config.IN_BATCH_SIZE.getValue(), options.maxMsgSize, options.allocator); ++ ++ decodeDataAfterHandshake(V2_GREETING_SIZE); + } + else if (greetingRecv.get(revisionPos) == Protocol.V2.revision) { + // ZMTP/2.0 framing. 
+@@ -859,6 +859,8 @@ else if (greetingRecv.get(revisionPos) == Protocol.V2.revision) { + } + encoder = new V2Encoder(errno, Config.OUT_BATCH_SIZE.getValue()); + decoder = new V2Decoder(errno, Config.IN_BATCH_SIZE.getValue(), options.maxMsgSize, options.allocator); ++ ++ decodeDataAfterHandshake(V2_GREETING_SIZE); + } + else { + zmtpVersion = Protocol.V3; +@@ -904,6 +906,19 @@ else if (greetingRecv.get(revisionPos) == Protocol.V2.revision) { + return true; + } + ++ private void decodeDataAfterHandshake(int greetingSize) ++ { ++ final int pos = greetingRecv.position(); ++ if (pos > greetingSize) { ++ // data is present after handshake ++ greetingRecv.position(greetingSize).limit(pos); ++ ++ // Make sure the decoder sees this extra data. ++ inpos = greetingRecv; ++ insize = greetingRecv.remaining(); ++ } ++ } ++ + private Msg identityMsg() + { + Msg msg = new Msg(options.identitySize); +diff --git a/src/test/java/zmq/io/AbstractProtocolVersion.java b/src/test/java/zmq/io/AbstractProtocolVersion.java +index e60db403..aa06b4a7 100644 +--- a/src/test/java/zmq/io/AbstractProtocolVersion.java ++++ b/src/test/java/zmq/io/AbstractProtocolVersion.java +@@ -18,15 +18,18 @@ + import zmq.SocketBase; + import zmq.ZError; + import zmq.ZMQ; ++import zmq.ZMQ.Event; + import zmq.util.Utils; + + public abstract class AbstractProtocolVersion + { ++ protected static final int REPETITIONS = 1000; ++ + static class SocketMonitor extends Thread + { +- private final Ctx ctx; +- private final String monitorAddr; +- private final List<ZMQ.Event> events = new ArrayList<>(); ++ private final Ctx ctx; ++ private final String monitorAddr; ++ private final ZMQ.Event[] events = new ZMQ.Event[1]; + + public SocketMonitor(Ctx ctx, String monitorAddr) + { +@@ -41,15 +44,15 @@ public void run() + boolean rc = s.connect(monitorAddr); + assertThat(rc, is(true)); + // Only some of the exceptional events could fire +- while (true) { +- ZMQ.Event event = ZMQ.Event.read(s); +- if (event == null && s.errno() 
== ZError.ETERM) { +- break; +- } +- assertThat(event, notNullValue()); +- +- events.add(event); ++ ++ ZMQ.Event event = ZMQ.Event.read(s); ++ if (event == null && s.errno() == ZError.ETERM) { ++ s.close(); ++ return; + } ++ assertThat(event, notNullValue()); ++ ++ events[0] = event; + s.close(); + } + } +@@ -69,11 +72,12 @@ public void run() + boolean rc = ZMQ.setSocketOption(receiver, ZMQ.ZMQ_LINGER, 0); + assertThat(rc, is(true)); + +- SocketMonitor monitor = new SocketMonitor(ctx, "inproc://monitor"); +- monitor.start(); + rc = ZMQ.monitorSocket(receiver, "inproc://monitor", ZMQ.ZMQ_EVENT_HANDSHAKE_PROTOCOL); + assertThat(rc, is(true)); + ++ SocketMonitor monitor = new SocketMonitor(ctx, "inproc://monitor"); ++ monitor.start(); ++ + rc = ZMQ.bind(receiver, host); + assertThat(rc, is(true)); + +@@ -81,17 +85,18 @@ public void run() + OutputStream out = sender.getOutputStream(); + for (ByteBuffer raw : raws) { + out.write(raw.array()); +- ZMQ.msleep(100); + } + + Msg msg = ZMQ.recv(receiver, 0); + assertThat(msg, notNullValue()); + assertThat(new String(msg.data(), ZMQ.CHARSET), is(payload)); + +- ZMQ.msleep(500); +- assertThat(monitor.events.size(), is(1)); +- assertThat(monitor.events.get(0).event, is(ZMQ.ZMQ_EVENT_HANDSHAKE_PROTOCOL)); +- assertThat((Integer) monitor.events.get(0).arg, is(version)); ++ monitor.join(); ++ ++ final Event event = monitor.events[0]; ++ assertThat(event, notNullValue()); ++ assertThat(event.event, is(ZMQ.ZMQ_EVENT_HANDSHAKE_PROTOCOL)); ++ assertThat((Integer) event.arg, is(version)); + + InputStream in = sender.getInputStream(); + byte[] data = new byte[255]; +diff --git a/src/test/java/zmq/io/V0ProtocolTest.java b/src/test/java/zmq/io/V0ProtocolTest.java +index bd547d23..1a5b7aef 100644 +--- a/src/test/java/zmq/io/V0ProtocolTest.java ++++ b/src/test/java/zmq/io/V0ProtocolTest.java +@@ -10,6 +10,18 @@ + + public class V0ProtocolTest extends AbstractProtocolVersion + { ++ @Test ++ public void testFixIssue524() throws IOException, 
InterruptedException ++ { ++ for (int idx = 0; idx < REPETITIONS; ++idx) { ++ if (idx % 100 == 0) { ++ System.out.print(idx + " "); ++ } ++ testProtocolVersion0short(); ++ } ++ System.out.println(); ++ } ++ + @Test(timeout = 2000) + public void testProtocolVersion0short() throws IOException, InterruptedException + { +diff --git a/src/test/java/zmq/io/V1ProtocolTest.java b/src/test/java/zmq/io/V1ProtocolTest.java +index e1045f34..764159d0 100644 +--- a/src/test/java/zmq/io/V1ProtocolTest.java ++++ b/src/test/java/zmq/io/V1ProtocolTest.java +@@ -10,7 +10,19 @@ + + public class V1ProtocolTest extends AbstractProtocolVersion + { +- @Test(timeout = 2000) ++ @Test ++ public void testFixIssue524() throws IOException, InterruptedException ++ { ++ for (int idx = 0; idx < REPETITIONS; ++idx) { ++ if (idx % 100 == 0) { ++ System.out.print(idx + " "); ++ } ++ testProtocolVersion1short(); ++ } ++ System.out.println(); ++ } ++ ++ @Test + public void testProtocolVersion1short() throws IOException, InterruptedException + { + List<ByteBuffer> raws = raws(0); +@@ -25,7 +37,7 @@ public void testProtocolVersion1short() throws IOException, InterruptedException + assertProtocolVersion(1, raws, "abcdefg"); + } + +- @Test(timeout = 2000) ++ @Test + public void testProtocolVersion1long() throws IOException, InterruptedException + { + List<ByteBuffer> raws = raws(0); +diff --git a/src/test/java/zmq/io/V2ProtocolTest.java b/src/test/java/zmq/io/V2ProtocolTest.java +index d5e64bce..7fda31bc 100644 +--- a/src/test/java/zmq/io/V2ProtocolTest.java ++++ b/src/test/java/zmq/io/V2ProtocolTest.java +@@ -21,7 +21,19 @@ protected ByteBuffer identity() + .put((byte) 0); + } + +- @Test(timeout = 2000) ++ @Test ++ public void testFixIssue524() throws IOException, InterruptedException ++ { ++ for (int idx = 0; idx < REPETITIONS; ++idx) { ++ if (idx % 100 == 0) { ++ System.out.print(idx + " "); ++ } ++ testProtocolVersion2short(); ++ } ++ System.out.println(); ++ } ++ ++ @Test + public void 
testProtocolVersion2short() throws IOException, InterruptedException + { + List<ByteBuffer> raws = raws(1); +@@ -38,7 +50,7 @@ public void testProtocolVersion2short() throws IOException, InterruptedException + assertProtocolVersion(2, raws, "abcdefg"); + } + +- @Test(timeout = 2000) ++ @Test + public void testProtocolVersion2long() throws IOException, InterruptedException + { + List<ByteBuffer> raws = raws(1); diff --git a/gnu/packages/patches/java-simple-xml-fix-tests.patch b/gnu/packages/patches/java-simple-xml-fix-tests.patch new file mode 100644 index 0000000000..6270b87009 --- /dev/null +++ b/gnu/packages/patches/java-simple-xml-fix-tests.patch 
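Review bot: The three new `testFixIssue524` loops run 1000 handshakes under a bare `@Test`, and the patch also strips `timeout = 2000` from the V1 and V2 short/long tests, so a handshake that stalls would block the package's test phase instead of failing it. I would keep an upper bound on the looping tests, e.g. `@Test(timeout = 120000)` (value to be tuned), and leave the per-test timeouts in place. Separately, the provenance URL in the patch header reads `https://gihub.com/zeromq/jeromq/pull/527`; it should be `https://github.com/zeromq/jeromq/pull/527` so the upstream change can be checked. The new `decodeDataAfterHandshake` helper would also benefit from a short comment stating that it expects `greetingRecv.position()` to be the number of bytes received so far, and why the V1 branch passes `V2_GREETING_SIZE`.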
@@ -0,0 +1,37 @@
+From b3b7a305f1278ec414500bf96c4c7a7f634c941b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jens=20Thee=C3=9F?= <theess@subshell.com>
+Date: Thu, 15 Sep 2016 13:08:26 +0200
+Subject: [PATCH] Dictionary uses stable order. This fixes unit tests.
+
+This is upstream pull request #15:
+https://github.com/ngallagher/simplexml/pull/15
+This software is unmaintained, this pull request will no get merged.
+The patch is modified, to match the directory layout of the tarball.
+
+---
+ src/main/java/org/simpleframework/xml/util/Dictionary.java | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/main/java/org/simpleframework/xml/util/Dictionary.java b/src/main/java/org/simpleframework/xml/util/Dictionary.java
+index 077d2514..c7327426 100644
+--- a/src/org/simpleframework/xml/util/Dictionary.java
++++ b/src/org/simpleframework/xml/util/Dictionary.java
+@@ -19,8 +19,8 @@
+ package org.simpleframework.xml.util;
+
+ import java.util.AbstractSet;
+-import java.util.HashMap;
+ import java.util.Iterator;
++import java.util.LinkedHashMap;
+
+ /**
+ * The <code>Dictionary</code> object represents a mapped set of entry
+@@ -134,7 +134,7 @@ public T remove(String name) {
+ *
+ * @see org.simpleframework.xml.util.Entry
+ */
+- private static class Table<T> extends HashMap<String, T> {
++ private static class Table<T> extends LinkedHashMap<String, T> {
+
+ /**
+ * Constructor for the <code>Table</code> object. This will
diff --git a/gnu/packages/patches/lrzip-CVE-2017-8842.patch b/gnu/packages/patches/lrzip-CVE-2017-8842.patch
new file mode 100644
index 0000000000..89b4f2f5d9
--- /dev/null
+++ b/gnu/packages/patches/lrzip-CVE-2017-8842.patch
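Review bot: The embedded patch's `diff --git` line still names `src/main/java/org/simpleframework/xml/util/Dictionary.java` while its `---`/`+++` lines were rewritten to `src/org/simpleframework/xml/util/Dictionary.java`, so the header is internally inconsistent (the diffstat path has the same mismatch). patch(1) follows the `---`/`+++` lines, but a tool that reads the git header may reject or misapply the file; that has not been verified here. Rewriting the header to `diff --git a/src/org/simpleframework/xml/util/Dictionary.java b/src/org/simpleframework/xml/util/Dictionary.java` would keep the modified patch self-consistent. The description also says the pull request "will no get merged", where "will not get merged" is presumably meant.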
@@ -0,0 +1,23 @@
+From 38386bd482c0a8102a79958cb3eddcb97a167ca3 Mon Sep 17 00:00:00 2001
+From: Con Kolivas <kernel@kolivas.org>
+Date: Fri, 9 Mar 2018 17:39:40 +1100
+Subject: [PATCH] CVE-2017-8842 Fix divide-by-zero in bufRead::get
+
+---
+ libzpaq/libzpaq.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libzpaq/libzpaq.h b/libzpaq/libzpaq.h
+index 93387da..cbe211d 100644
+--- a/libzpaq/libzpaq.h
++++ b/libzpaq/libzpaq.h
+@@ -465,7 +465,8 @@ struct bufRead: public libzpaq::Reader {
+
+ int get() {
+ if (progress && !(*s_len % 128)) {
+- int pct = (total_len - *s_len) * 100 / total_len;
++ int pct = (total_len > 0) ?
++ (total_len - *s_len) * 100 / total_len : 100;
+
+ if (pct / 10 != *last_pct / 10) {
+ int i;
diff --git a/gnu/packages/patches/shadow-CVE-2018-7169.patch b/gnu/packages/patches/shadow-CVE-2018-7169.patch
new file mode 100644
index 0000000000..eeae5b9b71
--- /dev/null
+++ b/gnu/packages/patches/shadow-CVE-2018-7169.patch
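Review bot: This patch file carries no provenance header, unlike the shadow, util-linux and zsh CVE patches added in the same commit, which open with a `Fix CVE-…:` line, the CVE URL and the upstream commit URL. Adding `Fix CVE-2017-8842:` followed by `Patch copied from upstream source repository:` and UPSTREAM-COMMIT-URL (placeholder; the commit id 38386bd482c0a8102a79958cb3eddcb97a167ca3 is in the `From` line) would let a reader verify the fix against upstream. On the code itself, the new `total_len > 0` guard removes the zero divisor in `bufRead::get`, but the types of `total_len` and `*s_len` are not visible in the hunk, so whether `(total_len - *s_len) * 100` can overflow for large inputs should be confirmed. `get()` continues past the end of the hunk.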
@@ -0,0 +1,191 @@ +Fix CVE-2018-7169: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7169 + +Patch copied from upstream source repository: + +https://github.com/shadow-maint/shadow/commit/fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 + +From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai <asarai@suse.de> +Date: Thu, 15 Feb 2018 23:49:40 +1100 +Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group + +This is necessary to match the kernel-side policy of "self-mapping in a +user namespace is fine, but you cannot drop groups" -- a policy that was +created in order to stop user namespaces from allowing trivial privilege +escalation by dropping supplementary groups that were "blacklisted" from +certain paths. + +This is the simplest fix for the underlying issue, and effectively makes +it so that unless a user has a valid mapping set in /etc/subgid (which +only administrators can modify) -- and they are currently trying to use +that mapping -- then /proc/$pid/setgroups will be set to deny. This +workaround is only partial, because ideally it should be possible to set +an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow +administrators to further restrict newgidmap(1). + +We also don't write anything in the "allow" case because "allow" is the +default, and users may have already written "deny" even if they +technically are allowed to use setgroups. And we don't write anything if +the setgroups policy is already "deny". 
+ +Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 +Fixes: CVE-2018-7169 +Reported-by: Craig Furman <craig.furman89@gmail.com> +Signed-off-by: Aleksa Sarai <asarai@suse.de> +--- + src/newgidmap.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 80 insertions(+), 9 deletions(-) + +diff --git a/src/newgidmap.c b/src/newgidmap.c +index b1e33513..59a2e75c 100644 +--- a/src/newgidmap.c ++++ b/src/newgidmap.c +@@ -46,32 +46,37 @@ + */ + const char *Prog; + +-static bool verify_range(struct passwd *pw, struct map_range *range) ++ ++static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups) + { + /* An empty range is invalid */ + if (range->count == 0) + return false; + +- /* Test /etc/subgid */ +- if (have_sub_gids(pw->pw_name, range->lower, range->count)) ++ /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */ ++ if (have_sub_gids(pw->pw_name, range->lower, range->count)) { ++ *allow_setgroups = true; + return true; ++ } + +- /* Allow a process to map its own gid */ +- if ((range->count == 1) && (pw->pw_gid == range->lower)) ++ /* Allow a process to map its own gid. */ ++ if ((range->count == 1) && (pw->pw_gid == range->lower)) { ++ /* noop -- if setgroups is enabled already we won't disable it. 
*/ + return true; ++ } + + return false; + } + + static void verify_ranges(struct passwd *pw, int ranges, +- struct map_range *mappings) ++ struct map_range *mappings, bool *allow_setgroups) + { + struct map_range *mapping; + int idx; + + mapping = mappings; + for (idx = 0; idx < ranges; idx++, mapping++) { +- if (!verify_range(pw, mapping)) { ++ if (!verify_range(pw, mapping, allow_setgroups)) { + fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"), + Prog, + mapping->upper, +@@ -89,6 +94,70 @@ static void usage(void) + exit(EXIT_FAILURE); + } + ++void write_setgroups(int proc_dir_fd, bool allow_setgroups) ++{ ++ int setgroups_fd; ++ char *policy, policy_buffer[4096]; ++ ++ /* ++ * Default is "deny", and any "allow" will out-rank a "deny". We don't ++ * forcefully write an "allow" here because the process we are writing ++ * mappings for may have already set themselves to "deny" (and "allow" ++ * is the default anyway). So allow_setgroups == true is a noop. ++ */ ++ policy = "deny\n"; ++ if (allow_setgroups) ++ return; ++ ++ setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC); ++ if (setgroups_fd < 0) { ++ /* ++ * If it's an ENOENT then we are on too old a kernel for the setgroups ++ * code to exist. Emit a warning and bail on this. ++ */ ++ if (ENOENT == errno) { ++ fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog); ++ goto out; ++ } ++ fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"), ++ Prog, ++ strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* ++ * Check whether the policy is already what we want. /proc/self/setgroups ++ * is write-once, so attempting to write after it's already written to will ++ * fail. 
++ */ ++ if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) { ++ fprintf(stderr, _("%s: failed to read setgroups: %s\n"), ++ Prog, ++ strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ if (!strncmp(policy_buffer, policy, strlen(policy))) ++ goto out; ++ ++ /* Write the policy. */ ++ if (lseek(setgroups_fd, 0, SEEK_SET) < 0) { ++ fprintf(stderr, _("%s: failed to seek setgroups: %s\n"), ++ Prog, ++ strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ if (dprintf(setgroups_fd, "%s", policy) < 0) { ++ fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"), ++ Prog, ++ policy, ++ strerror(errno)); ++ exit(EXIT_FAILURE); ++ } ++ ++out: ++ close(setgroups_fd); ++} ++ + /* + * newgidmap - Set the gid_map for the specified process + */ +@@ -103,6 +172,7 @@ int main(int argc, char **argv) + struct stat st; + struct passwd *pw; + int written; ++ bool allow_setgroups = false; + + Prog = Basename (argv[0]); + +@@ -145,7 +215,7 @@ int main(int argc, char **argv) + (unsigned long) getuid ())); + return EXIT_FAILURE; + } +- ++ + /* Get the effective uid and effective gid of the target process */ + if (fstat(proc_dir_fd, &st) < 0) { + fprintf(stderr, _("%s: Could not stat directory for target %u\n"), +@@ -177,8 +247,9 @@ int main(int argc, char **argv) + if (!mappings) + usage(); + +- verify_ranges(pw, ranges, mappings); ++ verify_ranges(pw, ranges, mappings, &allow_setgroups); + ++ write_setgroups(proc_dir_fd, allow_setgroups); + write_mapping(proc_dir_fd, ranges, mappings, "gid_map"); + sub_gid_close(); + +-- +2.16.2 + diff --git a/gnu/packages/patches/util-linux-CVE-2018-7738.patch b/gnu/packages/patches/util-linux-CVE-2018-7738.patch new file mode 100644 index 0000000000..080e2f56ba --- /dev/null +++ b/gnu/packages/patches/util-linux-CVE-2018-7738.patch 
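Review bot: In `write_setgroups` the byte count returned by `read(setgroups_fd, policy_buffer, sizeof(policy_buffer))` is only tested for `< 0` and then discarded, so after a short or empty read the following `strncmp(policy_buffer, policy, strlen(policy))` compares against uninitialised stack bytes. Keeping the length and requiring it to cover the policy string makes the "already deny" check well defined: `ssize_t n = read(setgroups_fd, policy_buffer, sizeof(policy_buffer));` and then `if (n >= (ssize_t) strlen(policy) && !strncmp(policy_buffer, policy, strlen(policy)))`. In addition, the ENOENT branch jumps to `out:` and calls `close()` on a negative descriptor, and the function is not `static` although `verify_range`, `verify_ranges` and `usage` are; a plain `return` in that branch and `static void write_setgroups` would be tidier.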
@@ -0,0 +1,49 @@
+Fix CVE-2018-7738:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738
+
+Patch copied from upstream source repository:
+
+https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55
+
+From 75f03badd7ed9f1dd951863d75e756883d3acc55 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 16 Nov 2017 16:27:32 +0100
+Subject: [PATCH] bash-completion: (umount) use findmnt, escape a space in
+ paths
+
+ # mount /dev/sdc1 /mnt/test/foo\ bar
+ # umount <tab>
+
+has to return "/mnt/test/foo\ bar".
+
+Changes:
+
+ * don't use mount | awk output, we have findmnt
+ * force compgen use \n as entries separator
+
+Addresses: https://github.com/karelzak/util-linux/issues/539
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ bash-completion/umount | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/bash-completion/umount b/bash-completion/umount
+index d76cb9fff..98c90d61a 100644
+--- a/bash-completion/umount
++++ b/bash-completion/umount
+@@ -40,9 +40,10 @@ _umount_module()
+ return 0
+ ;;
+ esac
+- local DEVS_MPOINTS
+- DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
+- COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )
+- return 0
++
++ local oldifs=$IFS
++ IFS=$'\n'
++ COMPREPLY=( $( compgen -W '$(findmnt -lno TARGET | sed "s/\([[:blank:]]\)/\\\\\1/g")' -- "$cur" ) )
++ IFS=$oldifs
+ }
+ complete -F _umount_module umount
diff --git a/gnu/packages/patches/zsh-CVE-2018-7548.patch b/gnu/packages/patches/zsh-CVE-2018-7548.patch
new file mode 100644
index 0000000000..1ee15fad73
--- /dev/null
+++ b/gnu/packages/patches/zsh-CVE-2018-7548.patch
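Review bot: Nothing in the new completion code says why `$(findmnt …)` is wrapped in single quotes, and that quoting appears to be what addresses CVE-2018-7738: the word list now reaches `compgen -W` unexpanded, instead of as already-expanded mount output that is evaluated a second time. A comment above the `COMPREPLY=` line such as `# keep the single quotes: mount-point names must not be re-evaluated by the shell` would stop a later cleanup from reverting it, since the upstream message only talks about spaces in paths. The IFS handling could also be `local IFS=$'\n'`, because saving to `oldifs` and assigning it back turns an unset IFS into an empty one in the user's shell. `_umount_module` starts outside the hunk.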
@@ -0,0 +1,48 @@
+Fix CVE-2018-7548:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7548
+
+Patch copied from upstream source repository:
+
+https://sourceforge.net/p/zsh/code/ci/110b13e1090bc31ac1352b28adc2d02b6d25a102
+
+From 110b13e1090bc31ac1352b28adc2d02b6d25a102 Mon Sep 17 00:00:00 2001
+From: Joey Pabalinas <joeypabalinas@gmail.com>
+Date: Tue, 23 Jan 2018 22:28:08 -0800
+Subject: [PATCH] 42313: avoid null-pointer deref when using ${(PA)...} on an
+ empty array result
+
+---
+ ChangeLog | 5 +++++
+ Src/subst.c | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index d2ba94afc..3037edda4 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,8 @@
+#+2018-01-23 Barton E. Schaefer <schaefer@zsh.org>
+#+
+#+ * Joey Pabalinas: 42313: Src/subst.c: avoid null-pointer deref
+#+ when using ${(PA)...} on an empty array result
+#+
+# 2018-01-23 Oliver Kiddle <okiddle@yahoo.co.uk>
+#
+# * 42317: Completion/Linux/Command/_cryptsetup,
+diff --git a/Src/subst.c b/Src/subst.c
+index d027e3d83..a265a187e 100644
+--- a/Src/subst.c
++++ b/Src/subst.c
+@@ -2430,7 +2430,7 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags,
+ val = aval[0];
+ isarr = 0;
+ }
+- s = dyncat(val, s);
++ s = val ? dyncat(val, s) : dupstring(s);
+ /* Now behave po-faced as if it was always like that... */
+ subexp = 0;
+ /*
+--
+2.16.2
+
diff --git a/gnu/packages/patches/zsh-CVE-2018-7549.patch b/gnu/packages/patches/zsh-CVE-2018-7549.patch
new file mode 100644
index 0000000000..abefcdf2f9
--- /dev/null
+++ b/gnu/packages/patches/zsh-CVE-2018-7549.patch
@@ -0,0 +1,56 @@
+Fix CVE-2018-7549:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7549
+
+Patch copied from upstream source repository:
+
+https://sourceforge.net/p/zsh/code/ci/c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd
+
+From c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd Mon Sep 17 00:00:00 2001
+From: Stephane Chazelas <stephane.chazelas@gmail.com>
+Date: Fri, 22 Dec 2017 22:17:09 +0000
+Subject: [PATCH] Avoid crash copying empty hash table.
+
+Visible with typeset -p.
+---
+ ChangeLog | 2 ++
+ Src/params.c | 11 +++++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index f74c26b88..e3628cfa7 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,7 @@
+# 2018-01-04 Peter Stephenson <p.stephenson@samsung.com>
+#
+#+ * Stephane: 42159: Src/params.c: avoid crash copying empty hash table.
+#+
+# * Sebastian: 42188: Src/Modules/system.c: It is necessary to
+# close the lock descriptor in some failure cases.
+#
+diff --git a/Src/params.c b/Src/params.c
+index 31ff0445b..de7730ae7 100644
+--- a/Src/params.c
++++ b/Src/params.c
+@@ -549,10 +549,13 @@ scancopyparams(HashNode hn, UNUSED(int flags))
+ HashTable
+ copyparamtable(HashTable ht, char *name)
+ {
+- HashTable nht = newparamtable(ht->hsize, name);
+- outtable = nht;
+- scanhashtable(ht, 0, 0, 0, scancopyparams, 0);
+- outtable = NULL;
++ HashTable nht = 0;
++ if (ht) {
++ nht = newparamtable(ht->hsize, name);
++ outtable = nht;
++ scanhashtable(ht, 0, 0, 0, scancopyparams, 0);
++ outtable = NULL;
++ }
+ return nht;
+ }
+
+--
+2.16.2
+
|
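Review bot: `copyparamtable` can now return a null table: `nht` starts as `0` and is returned unchanged when `ht` is null, where the old code dereferenced `ht->hsize` unconditionally. The callers are not in the hunk, so it should be confirmed that each of them tolerates a null result rather than dereferencing it later. A one-line comment on the function, e.g. `/* Returns NULL when ht is NULL. */`, would document the new contract, and `HashTable nht = NULL;` would match the `outtable = NULL;` a few lines below.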