From 605ade4429177416c5a3a47bcb3cd35578228262 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Sun, 15 Apr 2018 13:36:42 +0200 Subject: gnu: google-brotli: Update to 1.0.4. * gnu/packages/compression.scm (google-brotli): Update to 1.0.4. --- gnu/packages/compression.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/compression.scm') diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 1850433609..f312e47177 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -2111,14 +2111,14 @@ non-Windows systems without running the actual installer using wine.") (define-public google-brotli (package (name "google-brotli") - (version "1.0.2") + (version "1.0.4") (source (origin (method url-fetch) (uri (string-append "https://github.com/google/brotli/archive/v" version ".tar.gz")) (sha256 (base32 - "08kl9gww2058p1p7j9xqmcmrabcfihhj3fq984d7fi3bchb2mky2")))) + "1hrpmz162k4x3xm6vmbpm443jlfr1kp536p8962y2dncy7gs6s12")))) (build-system cmake-build-system) (arguments `(#:phases -- cgit v1.2.3 From d0ee11b2f000c3c027fd8370bc2195266398444f Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Sun, 15 Apr 2018 17:48:37 +0200 Subject: gnu: sharutils: Fix CVE-2018-1000097. * gnu/packages/patches/sharutils-CVE-2018-1000097.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/compression.scm (sharutils)[source](patches): Use it. --- gnu/local.mk | 1 + gnu/packages/compression.scm | 1 + .../patches/sharutils-CVE-2018-1000097.patch | 21 +++++++++++++++++++++ 3 files changed, 23 insertions(+) create mode 100644 gnu/packages/patches/sharutils-CVE-2018-1000097.patch (limited to 'gnu/packages/compression.scm') diff --git a/gnu/local.mk b/gnu/local.mk index 713d9ae118..0bdfc521c2 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1093,6 +1093,7 @@ dist_patch_DATA = \ %D%/packages/patches/sdl-libx11-1.6.patch \ %D%/packages/patches/seq24-rename-mutex.patch \ %D%/packages/patches/shadow-CVE-2018-7169.patch \ + %D%/packages/patches/sharutils-CVE-2018-1000097.patch \ %D%/packages/patches/shishi-fix-libgcrypt-detection.patch \ %D%/packages/patches/slim-session.patch \ %D%/packages/patches/slim-config.patch \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index f312e47177..562a2bf8b7 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -533,6 +533,7 @@ decompressors when faced with corrupted input.") (method url-fetch) (uri (string-append "mirror://gnu/sharutils/sharutils-" version ".tar.xz")) + (patches (search-patches "sharutils-CVE-2018-1000097.patch")) (sha256 (base32 "16isapn8f39lnffc3dp4dan05b7x6mnc76v6q5nn8ysxvvvwy19b")))) diff --git a/gnu/packages/patches/sharutils-CVE-2018-1000097.patch b/gnu/packages/patches/sharutils-CVE-2018-1000097.patch new file mode 100644 index 0000000000..8d58218184 --- /dev/null +++ b/gnu/packages/patches/sharutils-CVE-2018-1000097.patch @@ -0,0 +1,21 @@ +Fix CVE-2018-1000097: + +https://security-tracker.debian.org/tracker/CVE-2018-1000097 +https://nvd.nist.gov/vuln/detail/CVE-2018-1000097 + +Patch taken from upstream bug report: +https://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00005.html + +diff --git a/src/unshar.c b/src/unshar.c +index 80bc3a9..0fc3773 100644 +--- a/src/unshar.c ++++ b/src/unshar.c +@@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start) + off_t position = ftello (file); + + /* Read next line, fail if no more and no previous process. */ +- if (!fgets (rw_buffer, BUFSIZ, file)) ++ if (!fgets (rw_buffer, rw_base_size, file)) + { + if (!start) + error (0, 0, _("Found no shell commands in %s"), name); -- cgit v1.2.3