[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Chicken security bugs [was Re: address@hidden: Irregex packages shou
|
From: |
Kei Kebreau |
|
Subject: |
Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]] |
|
Date: |
Wed, 28 Dec 2016 21:07:14 -0500 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) |
Kei Kebreau <address@hidden> writes:
> Kei Kebreau <address@hidden> writes:
>
>> Leo Famulari <address@hidden> writes:
>>
>>> On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote:
>>>> Leo Famulari <address@hidden> writes:
>>>> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
>>>> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
>>>> >>
>>>> >> *
>>>> >> gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch:
>>>> >> New file.
>>>> >> * gnu/local.mk (dist_patch_DATA): Use it.
>>>> >> * gnu/packages/scheme.scm (chicken)[source]: Use it.
>>>> >
>>>> > Thank you for looking into this!
>>>> >
>>>> > Something like this patch is in CHICKEN 4.11.1:
>>>> >
>>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
>>>> >
>>>> > And there is a patch for the IrRegex bug after the latest tag:
>>>> >
>>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
>>>> >
>>>> > Can you try updating CHICKEN and applying that IrRegex patch?
>>>>
>>>> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
>>>> binary due to its build system requirements. Do we have any objection to
>>>> bootstrapping CHICKEN 4.11.1 from version 4.11.0?
>>>
>>> Interesting!
>>>
>>> I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1.
>>>
>>> Changing the build system like that seems unusual for a minor point
>>> release, and I don't see it documented in the 4.11.1 NEWS file:
>>>
>>> https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3
>>>
>>
>> I must have phrased that too vaguely. It's just a "building from release
>> tarball vs from git checkout" thing, documented in the README file of
>> both releases. I've been having trouble with the seemingly identical
>> test suite using the attached WIP patch. Perhaps the dreary wheather is
>> clouding my thoughts.
>>
>
> Update! I found a file "types.db" that is unwritable. However, changing
> access permissions in the (hackish) way I've done in the patch makes the
> build's hash time-dependent.
>
>>> One way or another, we should fix these bugs in our package. Thanks for
>>> taking care of it :)
>>
>> You're welcome!
>
> Merry Grav-Mass, BTW. :)
Here's the CVE patch on top of the chicken 4.11.1 one. I can't get this
git-based build to be reproducible, though.
0001-gnu-chicken-Fix-CVE-2016-6830-6831.patch
Description: Text document
signature.asc
Description: PGP signature
- address@hidden: Irregex packages should be updated to 0.9.6], Leo Famulari, 2016/12/16
- Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Leo Famulari, 2016/12/16
- Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Kei Kebreau, 2016/12/22
- Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Leo Famulari, 2016/12/24
- Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Kei Kebreau, 2016/12/24
- Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Leo Famulari, 2016/12/24
- Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Kei Kebreau, 2016/12/24
- Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]], Kei Kebreau, 2016/12/25
- Re: Chicken security bugs [was Re: address@hidden: Irregex packages should be updated to 0.9.6]],
Kei Kebreau <=