From 2a74f6f7e72c0bc420316d0d7cfb72bdcaedf414 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Sun, 31 Dec 2017 13:42:58 -0500
Subject: gnu: gimp: Fix CVE-2017-{17784,17785,17786,17787,17789}.
* gnu/packages/patches/gimp-CVE-2017-17784.patch, gnu/packages/patches/gimp-CVE-2017-17785.patch, gnu/packages/patches/gimp-CVE-2017-17786.patch, gnu/packages/patches/gimp-CVE-2017-17787.patch, gnu/packages/patches/gimp-CVE-2017-17789.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gimp.scm (gimp)[source]: Use them.
---
 gnu/local.mk | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 346c8285e0..53a1aa5a45 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -674,6 +674,11 @@ dist_patch_DATA = \
 %D%/packages/patches/ghostscript-no-header-uuid.patch \
 %D%/packages/patches/ghostscript-no-header-creationdate.patch \
 %D%/packages/patches/ghostscript-runpath.patch \
+ %D%/packages/patches/gimp-CVE-2017-17784.patch \
+ %D%/packages/patches/gimp-CVE-2017-17785.patch \
+ %D%/packages/patches/gimp-CVE-2017-17786.patch \
+ %D%/packages/patches/gimp-CVE-2017-17787.patch \
+ %D%/packages/patches/gimp-CVE-2017-17789.patch \
 %D%/packages/patches/glib-networking-ssl-cert-file.patch \
 %D%/packages/patches/glib-tests-timer.patch \
 %D%/packages/patches/glibc-CVE-2015-5180.patch \
-- cgit v1.2.3
From cc17345d549d9c99f625793bffa56bfa42abade7 Mon Sep 17 00:00:00 2001
From: Tobias Geerinckx-Rice
Date: Sat, 30 Dec 2017 18:49:49 +0000
Subject: gnu: Add xxhash.
* gnu/packages/digest.scm: New file (xxhash): New public variable.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add new file.
---
 gnu/local.mk | 1 +
 gnu/packages/digest.scm | 55 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 gnu/packages/digest.scm
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 53a1aa5a45..e9b3002b68 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -119,6 +119,7 @@ GNU_SYSTEM_MODULES = \
 %D%/packages/dejagnu.scm \
 %D%/packages/dico.scm \
 %D%/packages/dictionaries.scm \
+ %D%/packages/digest.scm \
 %D%/packages/direct-connect.scm \
 %D%/packages/disk.scm \
 %D%/packages/display-managers.scm \
diff --git a/gnu/packages/digest.scm b/gnu/packages/digest.scm
new file mode 100644
index 0000000000..5f14ab913b
--- /dev/null
+++ b/gnu/packages/digest.scm
@@ -0,0 +1,55 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2017 Tobias Geerinckx-Rice
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see .
+
+(define-module (gnu packages digest)
+ #:use-module ((guix licenses) #:prefix license:)
+ #:use-module (guix packages)
+ #:use-module (guix download)
+ #:use-module (guix build-system gnu))
+
+(define-public xxhash
+ (package
+ (name "xxhash")
+ (version "0.6.4")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/Cyan4973/xxHash/archive/v"
+ version ".tar.gz"))
+ (file-name (string-append name "-" version ".tar.gz"))
+ (sha256
+ (base32 "08nv9h3jzg6y85ysy2dj3qvvfsdz0rwkk497a2366syz278wqw25"))))
+ (build-system gnu-build-system)
+ (arguments
+ `(#:make-flags
+ (list "CC=gcc"
+ "XXH_FORCE_MEMORY_ACCESS=1" ; improved performance with GCC
+ (string-append "prefix=" (assoc-ref %outputs "out")))
+ #:test-target "test"
+ #:phases
+ (modify-phases %standard-phases
+ (delete 'configure)))) ; no configure script
+ (home-page "https://cyan4973.github.io/xxHash/")
+ (synopsis "Extremely fast hash algorithm")
+ (description
+ "xxHash is an extremely fast non-cryptographic hash algorithm. It works
+at speeds close to RAM limits, and comes in both 32- and 64-bit flavours.
+The code is highly portable, and hashes of the same length are identical on all
+platforms (both big and little endian).")
+ (license (list license:bsd-2 ; xxhash library (xxhash.[ch])
+ license:gpl2+)))) ; xxhsum.c
-- cgit v1.2.3
From 7526338837baf4d6ceef922b09df6967ff3aa6ec Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Tue, 2 Jan 2018 21:40:16 -0500
Subject: gnu: httpd: Update to 2.4.29.
* gnu/packages/web.scm (httpd): Update to 2.4.29. [source]: Remove patch.
* gnu/packages/patches/httpd-CVE-2017-9798.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
 gnu/local.mk | 1 -
 gnu/packages/patches/httpd-CVE-2017-9798.patch | 22 ----------------------
 gnu/packages/web.scm | 5 ++---
 3 files changed, 2 insertions(+), 26 deletions(-)
 delete mode 100644 gnu/packages/patches/httpd-CVE-2017-9798.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index e9b3002b68..afa25e8c06 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -746,7 +746,6 @@ dist_patch_DATA = \
 %D%/packages/patches/heimdal-CVE-2017-11103.patch \
 %D%/packages/patches/hmmer-remove-cpu-specificity.patch \
 %D%/packages/patches/higan-remove-march-native-flag.patch \
- %D%/packages/patches/httpd-CVE-2017-9798.patch \
 %D%/packages/patches/hubbub-sort-entities.patch \
 %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \
 %D%/packages/patches/hydra-disable-darcs-test.patch \
diff --git a/gnu/packages/patches/httpd-CVE-2017-9798.patch b/gnu/packages/patches/httpd-CVE-2017-9798.patch
deleted file mode 100644
index 8391a3db4a..0000000000
--- a/gnu/packages/patches/httpd-CVE-2017-9798.patch
+++ /dev/null
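Review bot: The `uri` in the `origin` fetches GitHub's on-demand `/archive/v<version>.tar.gz` tarball rather than a published release file, so the bytes behind the pinned `sha256` are not guaranteed to stay stable; a mismatch fails the build rather than admitting different content, but a comment above `(uri …)` such as `;; Auto-generated GitHub archive: re-verify the hash if it stops matching` would tell the next maintainer why. In `#:make-flags`, `"CC=gcc"` hard-codes the native compiler, which presumably breaks cross-builds. It is also worth confirming that the upstream Makefile actually consumes `XXH_FORCE_MEMORY_ACCESS=1` as a make variable, since the name looks like a preprocessor define and the hunk gives no way to tell.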
@@ -1,22 +0,0 @@
-Fixes "options bleed", aka. CVE-2017-9798:
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-9798
- https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
-
-From .
-
---- a/server/core.c 2017/08/16 16:50:29 1805223
-+++ b/server/core.c 2017/09/08 13:13:11 1807754
-@@ -2266,6 +2266,12 @@
- /* method has not been registered yet, but resource restriction
- * is always checked before method handling, so register it.
- */
-+ if (cmd->pool == cmd->temp_pool) {
-+ /* In .htaccess, we can't globally register new methods. */
-+ return apr_psprintf(cmd->pool, "Could not register method '%s' "
-+ "for %s from .htaccess configuration",
-+ method, cmd->cmd->name);
-+ }
- methnum = ap_method_register(cmd->pool,
- apr_pstrdup(cmd->pool, method));
- }
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index c8ad735423..a0d9e7a329 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -109,15 +109,14 @@ (define-module (gnu packages web) (define-public httpd (package (name "httpd") - (version "2.4.27") + (version "2.4.29") (source (origin (method url-fetch) (uri (string-append "mirror://apache/httpd/httpd-" version ".tar.bz2")) (sha256 (base32 - "0fn1778mxhf78np2d8qlycg1c2ak18rxax41plahasca4clc3z3i")) - (patches (search-patches "httpd-CVE-2017-9798.patch")))) + "003z3yckkdihfv69rgqsik1w2jsnh14j3ci8fjia4s2mlajm6xvp")))) (build-system gnu-build-system) (native-inputs `(("pcre" ,pcre "bin"))) ;for 'pcre-config' (inputs `(("apr" ,apr)
-- cgit v1.2.3
From 0c84e8679c6d41e46416cfe97d63221a64beee55 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Wed, 3 Jan 2018 14:15:20 -0500
Subject: gnu: fossil: Fix CVE-2017-17459.
* gnu/packages/patches/fossil-CVE-2017-17459.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/version-control.scm (fossil)[source]: Use it.
---
 gnu/local.mk | 1 +
 gnu/packages/patches/fossil-CVE-2017-17459.patch | 57 ++++++++++++++++++++++++
 gnu/packages/version-control.scm | 2 +
 3 files changed, 60 insertions(+)
 create mode 100644 gnu/packages/patches/fossil-CVE-2017-17459.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index afa25e8c06..6f540731e2 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -639,6 +639,7 @@ dist_patch_DATA = \
 %D%/packages/patches/fltk-xfont-on-demand.patch \
 %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch \
 %D%/packages/patches/foomatic-filters-CVE-2015-8560.patch \
+ %D%/packages/patches/fossil-CVE-2017-17459.patch \
 %D%/packages/patches/freeimage-CVE-2015-0852.patch \
 %D%/packages/patches/freeimage-CVE-2016-5684.patch \
 %D%/packages/patches/freeimage-fix-build-with-gcc-5.patch \
diff --git a/gnu/packages/patches/fossil-CVE-2017-17459.patch b/gnu/packages/patches/fossil-CVE-2017-17459.patch
new file mode 100644
index 0000000000..e566235b4e
--- /dev/null
+++ b/gnu/packages/patches/fossil-CVE-2017-17459.patch
@@ -0,0 +1,57 @@
+Fix CVE-2017-17459:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17459
+
+Patch copied from upstream source repository:
+
+https://www.fossil-scm.org/xfer/info/1f63db591c77108c
+
+Index: src/http_transport.c
+==================================================================
+--- src/http_transport.c
++++ src/http_transport.c
+@@ -73,10 +73,23 @@
+ if( resetFlag ){
+ transport.nSent = 0;
+ transport.nRcvd = 0;
+ }
+ }
++
++/*
++** Remove leading "-" characters from the input string.
++**
++** This prevents attacks that try to trick a victim into using
++** a ssh:// URI with a carefully crafted hostname of other
++** parameter that ends up being interpreted as a command-line
++** option by "ssh".
++*/
++static const char *stripLeadingMinus(const char *z){
++ while( z[0]=='-' ) z++;
++ return z;
++}
+
+ /*
+ ** Default SSH command
+ */
+ #ifdef _WIN32
+@@ -116,17 +129,17 @@
+ }else{
+ zHost = mprintf("%s", pUrlData->name);
+ }
+ n = blob_size(&zCmd);
+ blob_append(&zCmd, " ", 1);
+- shell_escape(&zCmd, zHost);
++ shell_escape(&zCmd, stripLeadingMinus(zHost));
+ blob_append(&zCmd, " ", 1);
+ shell_escape(&zCmd, mprintf("%s", pUrlData->fossil));
+ blob_append(&zCmd, " test-http", 10);
+ if( pUrlData->path && pUrlData->path[0] ){
+ blob_append(&zCmd, " ", 1);
+- shell_escape(&zCmd, mprintf("%s", pUrlData->path));
++ shell_escape(&zCmd, mprintf("%s", stripLeadingMinus(pUrlData->path)));
+ }
+ if( g.fSshTrace ){
+ fossil_print("%s\n", blob_str(&zCmd)+n); /* Show tail of SSH command */
+ }
+ free(zHost);
+
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index cbf5ce7d87..d400afd6ef 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
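Review bot: Silently rewriting the argument is a weaker guard than rejecting it: at `shell_escape(&zCmd, stripLeadingMinus(zHost))` a host starting with `-` is no longer parsed by ssh as an option, but fossil then connects to a different name than the one in the URL instead of refusing it. Since the file is a verbatim upstream copy it should not be edited here, but it may be worth raising upstream that failing with an error on such a host or path would be the more conservative behaviour. For the Guix side, the patch header only links to the CVE; one line such as `A ssh:// URL whose host or path starts with "-" could be interpreted by ssh as a command-line option.` would make the file self-explanatory. The function that builds the ssh command starts and ends outside the second inner hunk, so how `zHost` is assembled before the strip is not visible on this page.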
@@ -1503,6 +1503,8 @@ (define-public fossil (string-append "https://www.fossil-scm.org/index.html/uv/" "fossil-src-" version ".tar.gz"))) + (patches (search-patches "fossil-CVE-2017-17459.patch")) + (patch-flags '("-p0")) (sha256 (base32 "0wfgacfg29dkl0c3l1rp5ji0kraa64gcbg5lh8p4m7mqdqcq53wv")))) -- cgit v1.2.3