author | Leonardo Arena <rnalrd@alpinelinux.org> | 2017-06-15 12:28:18 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2017-06-15 13:51:39 +0000 |
commit | 73556d997143937fe09a607debe5c16f29c989d7 (patch) | |
tree | 647d16e356b9da17d03830cf89528094ed6f2844 | |
parent | ed2876361e4be4201d60d14712478e77f83a87e6 (diff) | |
community/chicken: security fixes #7403 (CVE-2017-9334)
-rw-r--r-- | community/chicken/APKBUILD | 13 | ||||
-rw-r--r-- | community/chicken/CVE-2017-6949.patch | 130 | ||||
-rw-r--r-- | community/chicken/CVE-2017-9334.patch | 41 |
3 files changed, 180 insertions, 4 deletions
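--- a/community/chicken/APKBUILD
+++ b/community/chicken/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
 pkgname=chicken
 pkgver=4.12.0
-pkgrel=1
+pkgrel=2
 pkgdesc="R5RS and R7RS compatible scheme compiler and interpreter"
 url="http://call-cc.org/"
 arch="all !ppc64le"
@@ -13,10 +13,14 @@ depends_dev=""
 makedepends="$depends_dev"
 install=""
 subpackages="$pkgname-doc $pkgname-libs $pkgname-dev $pkgname-feathers::noarch"
-source="http://code.call-cc.org/releases/$pkgver/$pkgname-$pkgver.tar.gz"
+source="http://code.call-cc.org/releases/$pkgver/$pkgname-$pkgver.tar.gz
+CVE-2017-9334.patch
+"
 
 # secfixes:
-# 4.11.1:
+# 4.12.0-r2:
+# - CVE-2017-9334
+# 4.11.1-r0:
 # - CVE-2016-6830
 # - CVE-2016-6831
 
@@ -60,4 +64,5 @@ feathers() {
 "$subpkgdir"/usr/share/chicken/ || return 1
 }
 
-sha512sums="190bdc9e53aa50e93419e2483fd5baf3e2ef3bebe4e605653f2aadd9b8bbc98b192cfbb64ab1c99eeefb13a7795757f013799963bfb775862d746ed5c93d602f chicken-4.12.0.tar.gz"
+sha512sums="190bdc9e53aa50e93419e2483fd5baf3e2ef3bebe4e605653f2aadd9b8bbc98b192cfbb64ab1c99eeefb13a7795757f013799963bfb775862d746ed5c93d602f chicken-4.12.0.tar.gz
+7d594a6abaffe59a050305878ba9cc75cf588743407b2cc44e369fb22a94d42662bf8101bec93b60cacdc0046da5bc74ff1e8ac8d9e6aacfb280406cbbabce7c CVE-2017-9334.patch"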
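Review bot: `source=` gains only `CVE-2017-9334.patch`, yet this commit also adds `community/chicken/CVE-2017-6949.patch`; that file has no entry in `source`, `sha512sums` or the `# secfixes:` block, so as far as these hunks show it is never applied and the package would still ship without the srfi-4 bounds check. If the fix is meant to be included, add `CVE-2017-6949.patch` as a further line in `source`, its checksum line in `sha512sums`, and `# - CVE-2017-6949` under `4.12.0-r2`; if 4.12.0 already contains the fix, the file should not be added at all. The checksum for that file is not on this page, so it has to be regenerated from the file rather than copied from elsewhere.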
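--- /dev/null
+++ b/community/chicken/CVE-2017-6949.patch
@@ -0,0 +1,130 @@
+From: LemonBoy <thatlemon@gmail.com>
+Date: Fri, 10 Mar 2017 15:29:47 +0000 (+0100)
+Subject: Add bound checking to all srfi-4 vector allocations.
+X-Git-Url: https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff_plain;h=68c4e537a29d3f878016e0144c42d0e7ae5d41b4
+
+Add bound checking to all srfi-4 vector allocations.
+
+Do what C_allocate_vector already does and prevent the creation of a
+vector that's too big or too small.
+We should be very careful to avoid the latter case because the
+allocation size is directly fed into `malloc' as 'x + sizeof(C_header)'
+thus making possible to successfully allocate a vector smaller than the
+C_header structure and get C_block_header_init to write over
+uninitialized memory.
+
+To reduce code duplication, type checking is moved from each of the
+make-*vector procedures to the common "alloc" helper procedure.
+
+Signed-off-by: Peter Bex <peter@more-magic.net>
+Signed-off-by: Kooda <kooda@upyum.com>
+---
+
+diff --git a/srfi-4.scm b/srfi-4.scm
+index 7f5412b..69f58ba 100644
+--- a/srfi-4.scm
++++ b/srfi-4.scm
+@@ -255,24 +255,28 @@ EOF
+
+;;; Basic constructors:
+
+-(let* ([ext-alloc
+- (foreign-lambda* scheme-object ([int bytes])
+- "C_word *buf = (C_word *)C_malloc(bytes + sizeof(C_header));"
++(let* ((ext-alloc
++ (foreign-lambda* scheme-object ((size_t bytes))
++ "C_word *buf;"
++ "if (bytes > C_HEADER_SIZE_MASK) C_return(C_SCHEME_FALSE);"
++ "buf = (C_word *)C_malloc(bytes + sizeof(C_header));"
+"if(buf == NULL) C_return(C_SCHEME_FALSE);"
+"C_block_header_init(buf, C_make_header(C_BYTEVECTOR_TYPE, bytes));"
+- "C_return(buf);") ]
+- [ext-free
+- (foreign-lambda* void ([scheme-object bv])
+- "C_free((void *)C_block_item(bv, 1));") ]
+- [alloc
++ "C_return(buf);") )
++ (ext-free
++ (foreign-lambda* void ((scheme-object bv))
++ "C_free((void *)C_block_item(bv, 1));") )
++ (alloc
+(lambda (loc len ext?)
++ (##sys#check-exact len loc)
++ (when (fx< len 0) (##sys#error loc "size is negative" len))
+(if ext?
+- (let ([bv (ext-alloc len)])
++ (let ((bv (ext-alloc len)))
+(or bv
+(##sys#error loc "not enough memory - cannot allocate external number vector" len)) )
+- (let ([bv (##sys#allocate-vector len #t #f #t)]) ; this could be made better...
++ (let ((bv (##sys#allocate-vector len #t #f #t))) ; this could be made better...
+(##core#inline "C_string_to_bytevector" bv)
+- bv) ) ) ] )
++ bv) ) ) ) )
+
+(set! release-number-vector
+(lambda (v)
+@@ -282,7 +286,6 @@ EOF
+
+(set! make-u8vector
+(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
+- (##sys#check-exact len 'make-u8vector)
+(let ((v (##sys#make-structure 'u8vector (alloc 'make-u8vector len ext?))))
+(when (and ext? fin?) (set-finalizer! v ext-free))
+(if (not init)
+@@ -295,7 +298,6 @@ EOF
+
+(set! make-s8vector
+(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
+- (##sys#check-exact len 'make-s8vector)
+(let ((v (##sys#make-structure 's8vector (alloc 'make-s8vector len ext?))))
+(when (and ext? fin?) (set-finalizer! v ext-free))
+(if (not init)
+@@ -308,7 +310,6 @@ EOF
+
+(set! make-u16vector
+(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
+- (##sys#check-exact len 'make-u16vector)
+(let ((v (##sys#make-structure 'u16vector (alloc 'make-u16vector (##core#inline "C_fixnum_shift_left" len 1) ext?))))
+(when (and ext? fin?) (set-finalizer! v ext-free))
+(if (not init)
+@@ -321,7 +322,6 @@ EOF
+
+(set! make-s16vector
+(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
+- (##sys#check-exact len 'make-s16vector)
+(let ((v (##sys#make-structure 's16vector (alloc 'make-s16vector (##core#inline "C_fixnum_shift_left" len 1) ext?))))
+(when (and ext? fin?) (set-finalizer! v ext-free))
+(if (not init)
+@@ -334,7 +334,6 @@ EOF
+
+(set! make-u32vector
+(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
+- (##sys#check-exact len 'make-u32vector)
+(let ((v (##sys#make-structure 'u32vector (alloc 'make-u32vector (##core#inline "C_fixnum_shift_left" len 2) ext?))))
+(when (and ext? fin?) (set-finalizer! v ext-free))
+(if (not init)
+@@ -347,7 +346,6 @@ EOF
+
+(set! make-s32vector
+(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
+- (##sys#check-exact len 'make-s32vector)
+(let ((v (##sys#make-structure 's32vector (alloc 'make-s32vector (##core#inline "C_fixnum_shift_left" len 2) ext?))))
+(when (and ext? fin?) (set-finalizer! v ext-free))
+(if (not init)
+@@ -360,7 +358,6 @@ EOF
+
+(set! make-f32vector
+(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
+- (##sys#check-exact len 'make-f32vector)
+(let ((v (##sys#make-structure 'f32vector (alloc 'make-f32vector (##core#inline "C_fixnum_shift_left" len 2) ext?))))
+(when (and ext? fin?) (set-finalizer! v ext-free))
+(if (not init)
+@@ -375,7 +372,6 @@ EOF
+
+(set! make-f64vector
+(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
+- (##sys#check-exact len 'make-f64vector)
+(let ((v (##sys#make-structure
+'f64vector
+(alloc 'make-f64vector (##core#inline "C_fixnum_shift_left" len 3) ext?))))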
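Review bot: Moving `##sys#check-exact` into `alloc` means the six constructors that pass `(##core#inline "C_fixnum_shift_left" len N)` now shift `len` before anything has checked that it is a fixnum, so the type and sign checks in `alloc` see the shifted byte count rather than the caller's argument. A count large enough for the shift to wrap would presumably also reach `alloc` as a small non-negative value and pass both checks; whether it wraps depends on the definition of `C_fixnum_shift_left`, which is not in this patch. Keeping the per-constructor check ahead of the shift, e.g. `(##sys#check-exact len 'make-u16vector)`, or passing the element count and the shift amount to `alloc` and validating the count there before shifting, would close that gap. Each constructor's body continues past its hunk, so how `len` is used after allocation cannot be reviewed from here.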
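--- /dev/null
+++ b/community/chicken/CVE-2017-9334.patch
@@ -0,0 +1,41 @@
+From 76bbb0c92c0a9e2cadac9796e55fdd2836424fdb Mon Sep 17 00:00:00 2001
+From: Peter Bex <address@hidden>
+Date: Sun, 28 May 2017 12:37:44 +0200
+Subject: [PATCH] Fix segmentation fault in "length" on improper lists.
+
+This fixes #1375
+---
+runtime.c | 2 +-
+tests/library-tests.scm | 6 ++++++
+3 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/runtime.c b/runtime.c
+index 86db413..7a513c2 100644
+--- a/runtime.c
++++ b/runtime.c
+@@ -5379,7 +5379,7 @@ C_regparm C_word C_fcall C_i_length(C_word lst)
+}
+}
+
+- if(C_immediatep(slow) || C_block_header(lst) != C_PAIR_TAG)
++ if(C_immediatep(slow) || C_block_header(slow) != C_PAIR_TAG)
+barf(C_NOT_A_PROPER_LIST_ERROR, "length", lst);
+
+slow = C_u_i_cdr(slow);
+diff --git a/tests/library-tests.scm b/tests/library-tests.scm
+index cd2f6e9..9c7cab4 100644
+--- a/tests/library-tests.scm
++++ b/tests/library-tests.scm
+@@ -693,3 +693,9 @@ A
+(assert (not (member "foo" '("bar"))))
+(assert (not (member "foo" '())))
+(assert-fail (member "foo" "foo"))
++
++
++;; length
++
++(assert-fail (length 1))
++(assert-fail (length '(x . y)))
+--
+2.1.4
+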
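Review bot: The patch header carries no upstream reference: `From: Peter Bex <address@hidden>` and a diffstat of `3 files changed` followed by only two file diffs suggest it was copied from a list archive and trimmed by hand. Recording the upstream commit in the header, the way the CVE-2017-6949 patch in this commit does with its `X-Git-Url:` line, would let the one-line change from `C_block_header(lst)` to `C_block_header(slow)` be checked against upstream. `C_i_length` starts and ends outside the hunk, so the rest of the traversal loop cannot be reviewed from here.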