community/chicken: security fixes #7403 (CVE-2017-9334)

author: Leonardo Arena <rnalrd@alpinelinux.org> 2017-06-15 12:28:18 +0000
committer: Leonardo Arena <rnalrd@alpinelinux.org> 2017-06-15 13:51:39 +0000
commit: 73556d997143937fe09a607debe5c16f29c989d7 (patch)
tree: 647d16e356b9da17d03830cf89528094ed6f2844
parent: ed2876361e4be4201d60d14712478e77f83a87e6 (diff)
download: alpine_aports-73556d997143937fe09a607debe5c16f29c989d7.tar.bz2
alpine_aports-73556d997143937fe09a607debe5c16f29c989d7.tar.xz
alpine_aports-73556d997143937fe09a607debe5c16f29c989d7.zip
3 files changed, 180 insertions, 4 deletions
diff --git a/community/chicken/APKBUILD b/community/chicken/APKBUILD
index 1711cd9445..320c636d34 100644
--- a/community/chicken/APKBUILD
+++ b/community/chicken/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
 pkgname=chicken
 pkgver=4.12.0
-pkgrel=1
+pkgrel=2
 pkgdesc="R5RS and R7RS compatible scheme compiler and interpreter"
 url="http://call-cc.org/"
 arch="all !ppc64le"
@@ -13,10 +13,14 @@ depends_dev=""
 makedepends="$depends_dev"
 install=""
 subpackages="$pkgname-doc $pkgname-libs $pkgname-dev $pkgname-feathers::noarch"
-source="http://code.call-cc.org/releases/$pkgver/$pkgname-$pkgver.tar.gz"
+source="http://code.call-cc.org/releases/$pkgver/$pkgname-$pkgver.tar.gz
+        CVE-2017-9334.patch
+        "
 # secfixes:
-#   4.11.1:
+#   4.12.0-r2:
+#     - CVE-2017-9334
+#   4.11.1-r0:
 #     - CVE-2016-6830
 #     - CVE-2016-6831
@@ -60,4 +64,5 @@ feathers() {
                "$subpkgdir"/usr/share/chicken/ || return 1
 }
-sha512sums="190bdc9e53aa50e93419e2483fd5baf3e2ef3bebe4e605653f2aadd9b8bbc98b192cfbb64ab1c99eeefb13a7795757f013799963bfb775862d746ed5c93d602f  chicken-4.12.0.tar.gz"
+sha512sums="190bdc9e53aa50e93419e2483fd5baf3e2ef3bebe4e605653f2aadd9b8bbc98b192cfbb64ab1c99eeefb13a7795757f013799963bfb775862d746ed5c93d602f  chicken-4.12.0.tar.gz
+7d594a6abaffe59a050305878ba9cc75cf588743407b2cc44e369fb22a94d42662bf8101bec93b60cacdc0046da5bc74ff1e8ac8d9e6aacfb280406cbbabce7c  CVE-2017-9334.patch"
diff --git a/community/chicken/CVE-2017-6949.patch b/community/chicken/CVE-2017-6949.patch
new file mode 100644
index 0000000000..ac93f38046
--- /dev/null
+++ b/community/chicken/CVE-2017-6949.patch
@@ -0,0 +1,130 @@
+From: LemonBoy <thatlemon@gmail.com>
+Date: Fri, 10 Mar 2017 15:29:47 +0000 (+0100)
+Subject: Add bound checking to all srfi-4 vector allocations.
+X-Git-Url: https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff_plain;h=68c4e537a29d3f878016e0144c42d0e7ae5d41b4
+Add bound checking to all srfi-4 vector allocations.
+Do what C_allocate_vector already does and prevent the creation of a
+vector that's too big or too small.
+We should be very careful to avoid the latter case because the
+allocation size is directly fed into `malloc' as 'x + sizeof(C_header)'
+thus making possible to successfully allocate a vector smaller than the
+C_header structure and get C_block_header_init to write over
+uninitialized memory.
+To reduce code duplication, type checking is moved from each of the
+make-*vector procedures to the common "alloc" helper procedure.
+Signed-off-by: Peter Bex <peter@more-magic.net>
+Signed-off-by: Kooda <kooda@upyum.com>
+---
+diff --git a/srfi-4.scm b/srfi-4.scm
+index 7f5412b..69f58ba 100644
+--- a/srfi-4.scm
+++ b/srfi-4.scm
+@@ -255,24 +255,28 @@ EOF
+ 
+ ;;; Basic constructors:
+ 
+-(let* ([ext-alloc
+-       (foreign-lambda* scheme-object ([int bytes])
+-         "C_word *buf = (C_word *)C_malloc(bytes + sizeof(C_header));"
+(let* ((ext-alloc
+       (foreign-lambda* scheme-object ((size_t bytes))
+         "C_word *buf;"
+         "if (bytes > C_HEADER_SIZE_MASK) C_return(C_SCHEME_FALSE);"
+         "buf = (C_word *)C_malloc(bytes + sizeof(C_header));"
+          "if(buf == NULL) C_return(C_SCHEME_FALSE);"
+          "C_block_header_init(buf, C_make_header(C_BYTEVECTOR_TYPE, bytes));"
+-         "C_return(buf);") ]
+-       [ext-free
+-       (foreign-lambda* void ([scheme-object bv])
+-         "C_free((void *)C_block_item(bv, 1));") ]
+-       [alloc
+         "C_return(buf);") )
+       (ext-free
+       (foreign-lambda* void ((scheme-object bv))
+         "C_free((void *)C_block_item(bv, 1));") )
+       (alloc
+        (lambda (loc len ext?)
+         (##sys#check-exact len loc)
+         (when (fx< len 0) (##sys#error loc "size is negative" len))
+          (if ext?
+-             (let ([bv (ext-alloc len)])
+             (let ((bv (ext-alloc len)))
+                (or bv
+                    (##sys#error loc "not enough memory - cannot allocate external number vector" len)) )
+-             (let ([bv (##sys#allocate-vector len #t #f #t)]) ; this could be made better...
+             (let ((bv (##sys#allocate-vector len #t #f #t))) ; this could be made better...
+                (##core#inline "C_string_to_bytevector" bv)
+-               bv) ) ) ] )
+               bv) ) ) ) )
+ 
+   (set! release-number-vector
+     (lambda (v)
+@@ -282,7 +286,6 @@ EOF
+ 
+   (set! make-u8vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-u8vector)
+       (let ((v (##sys#make-structure 'u8vector (alloc 'make-u8vector len ext?))))
+        (when (and ext? fin?) (set-finalizer! v ext-free))
+        (if (not init)
+@@ -295,7 +298,6 @@ EOF
+ 
+   (set! make-s8vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-s8vector)
+       (let ((v (##sys#make-structure 's8vector (alloc 'make-s8vector len ext?))))
+        (when (and ext? fin?) (set-finalizer! v ext-free))
+        (if (not init)
+@@ -308,7 +310,6 @@ EOF
+ 
+   (set! make-u16vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-u16vector)
+       (let ((v (##sys#make-structure 'u16vector (alloc 'make-u16vector (##core#inline "C_fixnum_shift_left" len 1) ext?))))
+        (when (and ext? fin?) (set-finalizer! v ext-free))
+        (if (not init)
+@@ -321,7 +322,6 @@ EOF
+ 
+   (set! make-s16vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-s16vector)
+       (let ((v (##sys#make-structure 's16vector (alloc 'make-s16vector (##core#inline "C_fixnum_shift_left" len 1) ext?))))
+        (when (and ext? fin?) (set-finalizer! v ext-free))
+        (if (not init)
+@@ -334,7 +334,6 @@ EOF
+ 
+   (set! make-u32vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-u32vector)
+       (let ((v (##sys#make-structure 'u32vector (alloc 'make-u32vector (##core#inline "C_fixnum_shift_left" len 2) ext?))))
+        (when (and ext? fin?) (set-finalizer! v ext-free))
+        (if (not init)
+@@ -347,7 +346,6 @@ EOF
+ 
+   (set! make-s32vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-s32vector)
+       (let ((v (##sys#make-structure 's32vector (alloc 'make-s32vector (##core#inline "C_fixnum_shift_left" len 2) ext?))))
+        (when (and ext? fin?) (set-finalizer! v ext-free))
+        (if (not init)
+@@ -360,7 +358,6 @@ EOF
+ 
+   (set! make-f32vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-f32vector)
+       (let ((v (##sys#make-structure 'f32vector (alloc 'make-f32vector (##core#inline "C_fixnum_shift_left" len 2) ext?))))
+        (when (and ext? fin?) (set-finalizer! v ext-free))
+        (if (not init)
+@@ -375,7 +372,6 @@ EOF
+ 
+   (set! make-f64vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-f64vector)
+       (let ((v (##sys#make-structure
+                'f64vector
+                (alloc 'make-f64vector (##core#inline "C_fixnum_shift_left" len 3) ext?))))
diff --git a/community/chicken/CVE-2017-9334.patch b/community/chicken/CVE-2017-9334.patch
new file mode 100644
index 0000000000..8b593fa58b
--- /dev/null
+++ b/community/chicken/CVE-2017-9334.patch
@@ -0,0 +1,41 @@
+From 76bbb0c92c0a9e2cadac9796e55fdd2836424fdb Mon Sep 17 00:00:00 2001
+From: Peter Bex <address@hidden>
+Date: Sun, 28 May 2017 12:37:44 +0200
+Subject: [PATCH] Fix segmentation fault in "length" on improper lists.
+This fixes #1375
+---
+ runtime.c               | 2 +-
+ tests/library-tests.scm | 6 ++++++
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+diff --git a/runtime.c b/runtime.c
+index 86db413..7a513c2 100644
+--- a/runtime.c
+++ b/runtime.c
+@@ -5379,7 +5379,7 @@ C_regparm C_word C_fcall C_i_length(C_word lst)
+       }
+     }
+ 
+-    if(C_immediatep(slow) || C_block_header(lst) != C_PAIR_TAG)
+    if(C_immediatep(slow) || C_block_header(slow) != C_PAIR_TAG)
+       barf(C_NOT_A_PROPER_LIST_ERROR, "length", lst);
+ 
+     slow = C_u_i_cdr(slow);
+diff --git a/tests/library-tests.scm b/tests/library-tests.scm
+index cd2f6e9..9c7cab4 100644
+--- a/tests/library-tests.scm
+++ b/tests/library-tests.scm
+@@ -693,3 +693,9 @@ A
+ (assert (not (member "foo" '("bar"))))
+ (assert (not (member "foo" '())))
+ (assert-fail (member "foo" "foo"))
+
+
+;; length
+
+(assert-fail (length 1))
+(assert-fail (length '(x . y)))
+-- 
+2.1.4
author	Leonardo Arena <rnalrd@alpinelinux.org>	2017-06-15 12:28:18 +0000
committer	Leonardo Arena <rnalrd@alpinelinux.org>	2017-06-15 13:51:39 +0000
commit	73556d997143937fe09a607debe5c16f29c989d7 (patch)
tree	647d16e356b9da17d03830cf89528094ed6f2844
parent	ed2876361e4be4201d60d14712478e77f83a87e6 (diff)
download	alpine_aports-73556d997143937fe09a607debe5c16f29c989d7.tar.bz2 alpine_aports-73556d997143937fe09a607debe5c16f29c989d7.tar.xz alpine_aports-73556d997143937fe09a607debe5c16f29c989d7.zip

diff --git a/community/chicken/APKBUILD b/community/chicken/APKBUILD index 1711cd9445..320c636d34 100644 --- a/community/chicken/APKBUILD +++ b/community/chicken/APKBUILD
@@ -3,7 +3,7 @@
3	# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>	3	# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
4	pkgname=chicken	4	pkgname=chicken
5	pkgver=4.12.0	5	pkgver=4.12.0
6	pkgrel=1	6	pkgrel=2
7	pkgdesc="R5RS and R7RS compatible scheme compiler and interpreter"	7	pkgdesc="R5RS and R7RS compatible scheme compiler and interpreter"
8	url="http://call-cc.org/"	8	url="http://call-cc.org/"
9	arch="all !ppc64le"	9	arch="all !ppc64le"
@@ -13,10 +13,14 @@ depends_dev=""
13	makedepends="$depends_dev"	13	makedepends="$depends_dev"
14	install=""	14	install=""
15	subpackages="$pkgname-doc $pkgname-libs $pkgname-dev $pkgname-feathers::noarch"	15	subpackages="$pkgname-doc $pkgname-libs $pkgname-dev $pkgname-feathers::noarch"
16	source="http://code.call-cc.org/releases/$pkgver/$pkgname-$pkgver.tar.gz"	16	source="http://code.call-cc.org/releases/$pkgver/$pkgname-$pkgver.tar.gz
		17	CVE-2017-9334.patch
		18	"
17		19
18	# secfixes:	20	# secfixes:
19	# 4.11.1:	21	# 4.12.0-r2:
		22	# - CVE-2017-9334
		23	# 4.11.1-r0:
20	# - CVE-2016-6830	24	# - CVE-2016-6830
21	# - CVE-2016-6831	25	# - CVE-2016-6831
22		26
@@ -60,4 +64,5 @@ feathers() {
60	"$subpkgdir"/usr/share/chicken/ \|\| return 1	64	"$subpkgdir"/usr/share/chicken/ \|\| return 1
61	}	65	}
62		66
63	sha512sums="190bdc9e53aa50e93419e2483fd5baf3e2ef3bebe4e605653f2aadd9b8bbc98b192cfbb64ab1c99eeefb13a7795757f013799963bfb775862d746ed5c93d602f chicken-4.12.0.tar.gz"	67	sha512sums="190bdc9e53aa50e93419e2483fd5baf3e2ef3bebe4e605653f2aadd9b8bbc98b192cfbb64ab1c99eeefb13a7795757f013799963bfb775862d746ed5c93d602f chicken-4.12.0.tar.gz
		68	7d594a6abaffe59a050305878ba9cc75cf588743407b2cc44e369fb22a94d42662bf8101bec93b60cacdc0046da5bc74ff1e8ac8d9e6aacfb280406cbbabce7c CVE-2017-9334.patch"


diff --git a/community/chicken/CVE-2017-6949.patch b/community/chicken/CVE-2017-6949.patch new file mode 100644 index 0000000000..ac93f38046 --- /dev/null +++ b/community/chicken/CVE-2017-6949.patch
@@ -0,0 +1,130 @@
		1	From: LemonBoy <thatlemon@gmail.com>
		2	Date: Fri, 10 Mar 2017 15:29:47 +0000 (+0100)
		3	Subject: Add bound checking to all srfi-4 vector allocations.
		4	X-Git-Url: https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff_plain;h=68c4e537a29d3f878016e0144c42d0e7ae5d41b4
		5
		6	Add bound checking to all srfi-4 vector allocations.
		7
		8	Do what C_allocate_vector already does and prevent the creation of a
		9	vector that's too big or too small.
		10	We should be very careful to avoid the latter case because the
		11	allocation size is directly fed into `malloc' as 'x + sizeof(C_header)'
		12	thus making possible to successfully allocate a vector smaller than the
		13	C_header structure and get C_block_header_init to write over
		14	uninitialized memory.
		15
		16	To reduce code duplication, type checking is moved from each of the
		17	make-*vector procedures to the common "alloc" helper procedure.
		18
		19	Signed-off-by: Peter Bex <peter@more-magic.net>
		20	Signed-off-by: Kooda <kooda@upyum.com>
		21	---
		22
		23	diff --git a/srfi-4.scm b/srfi-4.scm
		24	index 7f5412b..69f58ba 100644
		25	--- a/srfi-4.scm
		26	+++ b/srfi-4.scm
		27	@@ -255,24 +255,28 @@ EOF
		28
		29	;;; Basic constructors:
		30
		31	-(let* ([ext-alloc
		32	- (foreign-lambda* scheme-object ([int bytes])
		33	- "C_word buf = (C_word )C_malloc(bytes + sizeof(C_header));"
		34	+(let* ((ext-alloc
		35	+ (foreign-lambda* scheme-object ((size_t bytes))
		36	+ "C_word *buf;"
		37	+ "if (bytes > C_HEADER_SIZE_MASK) C_return(C_SCHEME_FALSE);"
		38	+ "buf = (C_word *)C_malloc(bytes + sizeof(C_header));"
		39	"if(buf == NULL) C_return(C_SCHEME_FALSE);"
		40	"C_block_header_init(buf, C_make_header(C_BYTEVECTOR_TYPE, bytes));"
		41	- "C_return(buf);") ]
		42	- [ext-free
		43	- (foreign-lambda* void ([scheme-object bv])
		44	- "C_free((void *)C_block_item(bv, 1));") ]
		45	- [alloc
		46	+ "C_return(buf);") )
		47	+ (ext-free
		48	+ (foreign-lambda* void ((scheme-object bv))
		49	+ "C_free((void *)C_block_item(bv, 1));") )
		50	+ (alloc
		51	(lambda (loc len ext?)
		52	+ (##sys#check-exact len loc)
		53	+ (when (fx< len 0) (##sys#error loc "size is negative" len))
		54	(if ext?
		55	- (let ([bv (ext-alloc len)])
		56	+ (let ((bv (ext-alloc len)))
		57	(or bv
		58	(##sys#error loc "not enough memory - cannot allocate external number vector" len)) )
		59	- (let ([bv (##sys#allocate-vector len #t #f #t)]) ; this could be made better...
		60	+ (let ((bv (##sys#allocate-vector len #t #f #t))) ; this could be made better...
		61	(##core#inline "C_string_to_bytevector" bv)
		62	- bv) ) ) ] )
		63	+ bv) ) ) ) )
		64
		65	(set! release-number-vector
		66	(lambda (v)
		67	@@ -282,7 +286,6 @@ EOF
		68
		69	(set! make-u8vector
		70	(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
		71	- (##sys#check-exact len 'make-u8vector)
		72	(let ((v (##sys#make-structure 'u8vector (alloc 'make-u8vector len ext?))))
		73	(when (and ext? fin?) (set-finalizer! v ext-free))
		74	(if (not init)
		75	@@ -295,7 +298,6 @@ EOF
		76
		77	(set! make-s8vector
		78	(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
		79	- (##sys#check-exact len 'make-s8vector)
		80	(let ((v (##sys#make-structure 's8vector (alloc 'make-s8vector len ext?))))
		81	(when (and ext? fin?) (set-finalizer! v ext-free))
		82	(if (not init)
		83	@@ -308,7 +310,6 @@ EOF
		84
		85	(set! make-u16vector
		86	(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
		87	- (##sys#check-exact len 'make-u16vector)
		88	(let ((v (##sys#make-structure 'u16vector (alloc 'make-u16vector (##core#inline "C_fixnum_shift_left" len 1) ext?))))
		89	(when (and ext? fin?) (set-finalizer! v ext-free))
		90	(if (not init)
		91	@@ -321,7 +322,6 @@ EOF
		92
		93	(set! make-s16vector
		94	(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
		95	- (##sys#check-exact len 'make-s16vector)
		96	(let ((v (##sys#make-structure 's16vector (alloc 'make-s16vector (##core#inline "C_fixnum_shift_left" len 1) ext?))))
		97	(when (and ext? fin?) (set-finalizer! v ext-free))
		98	(if (not init)
		99	@@ -334,7 +334,6 @@ EOF
		100
		101	(set! make-u32vector
		102	(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
		103	- (##sys#check-exact len 'make-u32vector)
		104	(let ((v (##sys#make-structure 'u32vector (alloc 'make-u32vector (##core#inline "C_fixnum_shift_left" len 2) ext?))))
		105	(when (and ext? fin?) (set-finalizer! v ext-free))
		106	(if (not init)
		107	@@ -347,7 +346,6 @@ EOF
		108
		109	(set! make-s32vector
		110	(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
		111	- (##sys#check-exact len 'make-s32vector)
		112	(let ((v (##sys#make-structure 's32vector (alloc 'make-s32vector (##core#inline "C_fixnum_shift_left" len 2) ext?))))
		113	(when (and ext? fin?) (set-finalizer! v ext-free))
		114	(if (not init)
		115	@@ -360,7 +358,6 @@ EOF
		116
		117	(set! make-f32vector
		118	(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
		119	- (##sys#check-exact len 'make-f32vector)
		120	(let ((v (##sys#make-structure 'f32vector (alloc 'make-f32vector (##core#inline "C_fixnum_shift_left" len 2) ext?))))
		121	(when (and ext? fin?) (set-finalizer! v ext-free))
		122	(if (not init)
		123	@@ -375,7 +372,6 @@ EOF
		124
		125	(set! make-f64vector
		126	(lambda (len #!optional (init #f) (ext? #f) (fin? #t))
		127	- (##sys#check-exact len 'make-f64vector)
		128	(let ((v (##sys#make-structure
		129	'f64vector
		130	(alloc 'make-f64vector (##core#inline "C_fixnum_shift_left" len 3) ext?))))


diff --git a/community/chicken/CVE-2017-9334.patch b/community/chicken/CVE-2017-9334.patch new file mode 100644 index 0000000000..8b593fa58b --- /dev/null +++ b/community/chicken/CVE-2017-9334.patch
@@ -0,0 +1,41 @@
		1	From 76bbb0c92c0a9e2cadac9796e55fdd2836424fdb Mon Sep 17 00:00:00 2001
		2	From: Peter Bex <address@hidden>
		3	Date: Sun, 28 May 2017 12:37:44 +0200
		4	Subject: [PATCH] Fix segmentation fault in "length" on improper lists.
		5
		6	This fixes #1375
		7	---
		8	runtime.c \| 2 +-
		9	tests/library-tests.scm \| 6 ++++++
		10	3 files changed, 9 insertions(+), 1 deletion(-)
		11
		12	diff --git a/runtime.c b/runtime.c
		13	index 86db413..7a513c2 100644
		14	--- a/runtime.c
		15	+++ b/runtime.c
		16	@@ -5379,7 +5379,7 @@ C_regparm C_word C_fcall C_i_length(C_word lst)
		17	}
		18	}
		19
		20	- if(C_immediatep(slow) \|\| C_block_header(lst) != C_PAIR_TAG)
		21	+ if(C_immediatep(slow) \|\| C_block_header(slow) != C_PAIR_TAG)
		22	barf(C_NOT_A_PROPER_LIST_ERROR, "length", lst);
		23
		24	slow = C_u_i_cdr(slow);
		25	diff --git a/tests/library-tests.scm b/tests/library-tests.scm
		26	index cd2f6e9..9c7cab4 100644
		27	--- a/tests/library-tests.scm
		28	+++ b/tests/library-tests.scm
		29	@@ -693,3 +693,9 @@ A
		30	(assert (not (member "foo" '("bar"))))
		31	(assert (not (member "foo" '())))
		32	(assert-fail (member "foo" "foo"))
		33	+
		34	+
		35	+;; length
		36	+
		37	+(assert-fail (length 1))
		38	+(assert-fail (length '(x . y)))
		39	--
		40	2.1.4
		41