From 53dd99bc0b2e23c5463b4cb95546fd438a72d229 Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Fri, 26 Mar 2021 22:51:14 +0100 Subject: gnu: upx: Fix CVE-2021-20285. * gnu/packages/patches/upx-CVE-2021-20285.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/compression.scm (upx): Apply patch. --- gnu/packages/compression.scm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'gnu/packages/compression.scm') diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 2d065046ee..ef73e6038b 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -2100,7 +2100,8 @@ decompression is a little bit slower.") version "/upx-" version "-src.tar.xz")) (sha256 (base32 - "051pk5jk8fcfg5mpgzj43z5p4cn7jy5jbyshyn78dwjqr7slsxs7")))) + "051pk5jk8fcfg5mpgzj43z5p4cn7jy5jbyshyn78dwjqr7slsxs7")) + (patches (search-patches "upx-CVE-2021-20285.patch")))) (build-system gnu-build-system) (native-inputs `(("perl" ,perl))) -- cgit v1.2.3 From 9feef62b73e284e106717a386624d6da90750a3d Mon Sep 17 00:00:00 2001 From: Léo Le Bouter Date: Tue, 30 Mar 2021 02:10:19 +0200 Subject: gnu: zstd: Downgrade to 1.4.4 and make security graft saner. * gnu/packages/patches/zstd-CVE-2021-24031_CVE-2021-24032.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/compression.scm (zstd-1.4.9): Remove. (zstd/fixed): New variable. Apply patch. (zstd)[replacement]: Graft with zstd/fixed. --- gnu/local.mk | 1 + gnu/packages/compression.scm | 19 +++--- .../zstd-CVE-2021-24031_CVE-2021-24032.patch | 68 ++++++++++++++++++++++ 3 files changed, 76 insertions(+), 12 deletions(-) create mode 100644 gnu/packages/patches/zstd-CVE-2021-24031_CVE-2021-24032.patch (limited to 'gnu/packages/compression.scm') diff --git a/gnu/local.mk b/gnu/local.mk index 40732ca696..deb4ddcede 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1824,6 +1824,7 @@ dist_patch_DATA = \ %D%/packages/patches/yggdrasil-extra-config.patch \ %D%/packages/patches/ytnef-CVE-2021-3403.patch \ %D%/packages/patches/ytnef-CVE-2021-3404.patch \ + %D%/packages/patches/zstd-CVE-2021-24031_CVE-2021-24032.patch \ %D%/packages/patches/zziplib-CVE-2018-16548.patch MISC_DISTRO_FILES = \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index ef73e6038b..5ed4b4ce98 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -1409,7 +1409,7 @@ or junctions, and always follows hard links.") "v" version "/zstd-" version ".tar.gz")) (sha256 (base32 "05ckxap00qvc0j51d3ci38150cxsw82w7s9zgd5fgzspnzmp1vsr")))) - (replacement zstd-1.4.9) + (replacement zstd/fixed) (build-system gnu-build-system) (outputs '("out" ;1.2MiB executables and documentation "lib" ;1.2MiB shared library and headers @@ -1469,21 +1469,16 @@ speed.") license:public-domain ; zlibWrapper/examples/fitblk* license:zlib)))) ; zlibWrapper/{gz*.c,gzguts.h} -(define-public zstd-1.4.9 +(define zstd/fixed (package (inherit zstd) - (name "zstd") - (version "1.4.9") (source (origin - (method url-fetch) - (uri (string-append "https://github.com/facebook/zstd/releases/download/" - "v" version "/zstd-" version ".tar.gz")) - (sha256 - (base32 "14yj7309gsvg39rki4xqnd6w5idmqi0655v1fc0mk1m2kvhp9b19")))) - (arguments - (substitute-keyword-arguments (package-arguments zstd) - ((#:tests? _ #t) #f))))) + (inherit (package-source zstd)) + (patches + (search-patches + ;; From Ubuntu focal-security + "zstd-CVE-2021-24031_CVE-2021-24032.patch")))))) (define-public pzstd (package/inherit zstd diff --git a/gnu/packages/patches/zstd-CVE-2021-24031_CVE-2021-24032.patch b/gnu/packages/patches/zstd-CVE-2021-24031_CVE-2021-24032.patch new file mode 100644 index 0000000000..48b5eb18eb --- /dev/null +++ b/gnu/packages/patches/zstd-CVE-2021-24031_CVE-2021-24032.patch 
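Review bot: The `;; From Ubuntu focal-security` comment in the new `zstd/fixed` definition (hunk `@@ -1469,21 +1469,16 @@`) does not match the provenance the patch file records in its own DEP-3 header, which says `Origin: upstream` and `Applied-Upstream: commit:a774c5797399040af62db21d8a9b9769e005430e` with a Debian reviewer, so whoever refreshes this graft later will not know which source to compare against. Suggest replacing it with `;; Upstream commit a774c5797399040af62db21d8a9b9769e005430e, carried with its Debian DEP-3 header.` It would also help to record that the patch only touches programs/fileio.c, programs/util.c and programs/util.h, i.e. the zstd command-line tool's destination-file handling, so the grafted "lib" output is rebuilt but not functionally changed. A graft requires the replacement to stay ABI-identical, and this definition keeps both version and source from `zstd` via `inherit`, which satisfies that.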
@@ -0,0 +1,68 @@
+Description: fix race condition allowing attackers to access destination file
+ This commit addresses https://github.com/facebook/zstd/issues/2491.
+ .
+ Note that a downside of this solution is that it is global: `umask()` affects
+ all file creation calls in the process. I believe this is safe since
+ `fileio.c` functions should only ever be used in the zstd binary, and these
+ are (almost) the only files ever created by zstd, and AIUI they're only
+ created in a single thread. So we can get away with messing with global state.
+ .
+ Note that this doesn't change the permissions of files created by `dibio.c`.
+ I'm not sure what those should be...
+Author: W. Felix Handte
+Origin: upstream
+Bug: https://github.com/facebook/zstd/issues/2491
+Bug-Debian: https://github.com/facebook/zstd/issues/2491
+Applied-Upstream: commit:a774c5797399040af62db21d8a9b9769e005430e
+Reviewed-by: Étienne Mollier
+Last-Update: 2021-03-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/programs/fileio.c
++++ b/programs/fileio.c
+@@ -606,11 +606,11 @@ FIO_openDstFile(FIO_prefs_t* const prefs
+ FIO_remove(dstFileName);
+ } }
+ 
+- { FILE* const f = fopen( dstFileName, "wb" );
++ { const int old_umask = UTIL_umask(0177); /* u-x,go-rwx */
++ FILE* const f = fopen( dstFileName, "wb" );
++ UTIL_umask(old_umask);
+ if (f == NULL) {
+ DISPLAYLEVEL(1, "zstd: %s: %s\n", dstFileName, strerror(errno));
+- } else if(srcFileName != NULL && strcmp (srcFileName, stdinmark)) {
+- chmod(dstFileName, 00600);
+ }
+ return f;
+ }
+--- a/programs/util.c
++++ b/programs/util.c
+@@ -54,6 +54,15 @@ int UTIL_getFileStat(const char* infilen
+ return 1;
+ }
+ 
++int UTIL_umask(int mode) {
++#if PLATFORM_POSIX_VERSION > 0
++ return umask(mode);
++#else
++ /* do nothing, fake return value */
++ return mode;
++#endif
++}
++
+ int UTIL_setFileStat(const char *filename, stat_t *statbuf)
+ {
+ int res = 0;
+--- a/programs/util.h
++++ b/programs/util.h
+@@ -136,6 +136,10 @@ 
int UTIL_isSameFile(const char* file1, c
+ int UTIL_compareStr(const void *p1, const void *p2);
+ int UTIL_isCompressedFile(const char* infilename, const char *extensionList[]);
+ const char* UTIL_getFileExtension(const char* infilename);
++/**
++ * Wraps umask(). Does nothing when the platform doesn't have that concept.
++ */
++int UTIL_umask(int mode);
+ 
+ #ifndef _MSC_VER
+ U32 UTIL_isFIFO(const char* infilename);
-- cgit v1.2.3 From 9098745b181b3022587a35afd255f7ff1d41ac86 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Tue, 30 Mar 2021 11:03:08 +0300 Subject: gnu: zziplib/fixed: Add missing library symlinks. Fixes , , . * gnu/packages/compression.scm (zziplib/fixed)[arguments]: Add new phase to create missing library symlinks.
---
 gnu/packages/compression.scm | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) (limited to 'gnu/packages/compression.scm')
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 5ed4b4ce98..37a7d230fe 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -7,7 +7,7 @@
 ;;; Copyright © 2015, 2016, 2017, 2018, 2020 Ricardo Wurmus
 ;;; Copyright © 2015, 2017, 2018 Leo Famulari
 ;;; Copyright © 2015 Jeff Mickey
-;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Efraim Flashner
+;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Efraim Flashner
 ;;; Copyright © 2016 Ben Woodcroft
 ;;; Copyright © 2016 Danny Milosavljevic
 ;;; Copyright © 2016–2021 Tobias Geerinckx-Rice
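Review bot: `UTIL_umask` in the programs/util.c hunk is declared `int UTIL_umask(int mode)` while POSIX `umask()` takes and returns `mode_t`, and its `#else` branch returns `mode` as a fake old value, so on a build where `PLATFORM_POSIX_VERSION` is 0 the destination file is created with the platform's default mode and the removed `chmod(dstFileName, 00600)` is replaced by nothing. That is a silent downgrade relative to the old code on such builds, and the util.h comment should say so, e.g. `Wraps umask(). On platforms without umask() this is a no-op and the destination file keeps the platform default mode.` The fileio.c change itself is sound: the file is created with the restrictive mode from the outset instead of being chmod'd afterwards, which closes the window between `fopen` and `chmod` that the patch description calls a race, and the old umask is restored before the NULL check on every path. As this patch is imported verbatim from upstream/Debian, these are points to record in the Guix package comment rather than edits to the patch file.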
@@ -1786,7 +1786,20 @@ timestamps in the file header with a fixed time (1 January 2008). (sha256 (base32 "0i6bpa2b13z19alm6ig80364dnin1w28cvif18k6wkkb0w3dzp8y")))) - (arguments `()) + (arguments + `(#:phases + (modify-phases %standard-phases + (add-after 'install 'install-compatibility-symlinks + (lambda* (#:key outputs #:allow-other-keys) + (with-directory-excursion + (string-append (assoc-ref outputs "out") "/lib") + (map (lambda (lib new-symlink) + (symlink lib new-symlink)) + (list "libzzip.so.13" "libzzipfseeko.so.13" + "libzzipmmapped.so.13" "libzzipwrap.so.13") + (list "libzzip-0.so.13" "libzzipfseeko-0.so.13" + "libzzipmmapped-0.so.13" "libzzipwrap-0.so.13"))) + #t))))) (native-inputs `(("python" ,python) ,@(alist-delete "python" -- cgit v1.2.3
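Review bot: `map` in the new `install-compatibility-symlinks` phase is called only for the side effect of `symlink` and its result list is discarded; Guile's `for-each` expresses that directly, so `(for-each (lambda (lib new-symlink) (symlink lib new-symlink))` with the two `list` forms unchanged is the idiomatic spelling. The hunk also gives no hint why the `-0` names must exist; presumably dependents were linked against `libzzip-0.so.13` and friends and the fixed package has to provide them, so a one-line comment such as `;; Provide the library names dependents were linked against.` above `with-directory-excursion` would save the next reader a trip to the bug tracker. Note that `symlink` raises if a name already exists, so the phase fails loudly rather than silently should upstream ever ship those names itself, which is acceptable but worth knowing.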