Patchwork [1/1] gnu: readline-6.2: Fix CVE-2014-2524.

Submitter Leo Famulari
Date Nov. 13, 2016, 10:24 a.m.
Message ID <bbbc0f5def7a99c4387bb3870375d95cdff83852.1479032640.git.leo@famulari.name>
Permalink /patch/17444/
State New

Comments

Leo Famulari - Nov. 13, 2016, 10:24 a.m.
* gnu/packages/patches/readline-6.2-CVE-2014-2524.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/readline.scm (readline-6.2): Use it.
---
 gnu/local.mk                                       |  1 +
 .../patches/readline-6.2-CVE-2014-2524.patch       | 42 ++++++++++++++++++++++
 gnu/packages/readline.scm                          |  2 ++
 3 files changed, 45 insertions(+)
 create mode 100644 gnu/packages/patches/readline-6.2-CVE-2014-2524.patch
Ludovic Courtès - Nov. 13, 2016, 12:12 p.m.
Leo Famulari <leo@famulari.name> writes:

> * gnu/packages/patches/readline-6.2-CVE-2014-2524.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/readline.scm (readline-6.2): Use it.

LGTM, thank you!

Ludo’.
Leo Famulari - Nov. 13, 2016, 10:04 p.m.
On Sun, Nov 13, 2016 at 01:12:31PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > * gnu/packages/patches/readline-6.2-CVE-2014-2524.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/readline.scm (readline-6.2): Use it.
> 
> LGTM, thank you!

Okay, pushed!

Patch

diff --git a/gnu/local.mk b/gnu/local.mk
index ce0fdeb..070e35e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -828,6 +828,7 @@  dist_patch_DATA =						\
   %D%/packages/patches/rapicorn-isnan.patch			\
   %D%/packages/patches/ratpoison-shell.patch			\
   %D%/packages/patches/readline-link-ncurses.patch		\
+  %D%/packages/patches/readline-6.2-CVE-2014-2524.patch		\
   %D%/packages/patches/ripperx-missing-file.patch		\
   %D%/packages/patches/rpm-CVE-2014-8118.patch			\
   %D%/packages/patches/rsem-makefile.patch			\
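Review bot: the added entry sits after readline-link-ncurses.patch, which breaks the alphabetical order the surrounding entries of dist_patch_DATA follow; "readline-6.2-CVE-2014-2524.patch" sorts before "readline-link-ncurses.patch" because '6' precedes 'l'. Suggest moving the added line up one position, directly after ratpoison-shell.patch.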
diff --git a/gnu/packages/patches/readline-6.2-CVE-2014-2524.patch b/gnu/packages/patches/readline-6.2-CVE-2014-2524.patch
new file mode 100644
index 0000000..12db684
--- /dev/null
+++ b/gnu/packages/patches/readline-6.2-CVE-2014-2524.patch
@@ -0,0 +1,42 @@ 
+Fix CVE-2014-2524:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2524
+http://lists.gnu.org/archive/html/bug-readline/2014-03/msg00057.html
+
+Patch copied from:
+https://ftp.gnu.org/gnu/readline/readline-6.3-patches/readline63-003
+
+			   READLINE PATCH REPORT
+			   =====================
+
+Readline-Release: 6.3
+Patch-ID: readline63-003
+
+Bug-Reported-by:
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+There are debugging functions in the readline release that are theoretically
+exploitable as security problems.  They are not public functions, but have
+global linkage.
+
+Patch (apply with `patch -p0'):
+
+*** ../readline-6.3/util.c	2013-09-02 13:36:12.000000000 -0400
+--- util.c	2014-03-20 10:25:53.000000000 -0400
+***************
+*** 477,480 ****
+--- 479,483 ----
+  }
+  
++ #if defined (DEBUG)
+  #if defined (USE_VARARGS)
+  static FILE *_rl_tracefp;
+***************
+*** 539,542 ****
+--- 542,546 ----
+  }
+  #endif
++ #endif /* DEBUG */
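Review bot: the header of the new file identifies the patch as readline63-003 for Readline-Release 6.3, and its context hunks carry the line numbers of the 6.3 util.c (477 and 539), yet the file is named for and applied to readline-6.2. Suggest adding a line next to "Patch copied from:" stating that the 6.3 patch was checked against the 6.2 util.c and applies there, so a later reader does not have to re-derive that. Since the fix consists of wrapping the `_rl_tracefp` code in `#if defined (DEBUG)`, it also only holds for builds that leave DEBUG undefined, which is worth recording in the same header.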
diff --git a/gnu/packages/readline.scm b/gnu/packages/readline.scm
index 6435e98..4381779 100644
--- a/gnu/packages/readline.scm
+++ b/gnu/packages/readline.scm
@@ -84,6 +84,8 @@  comfortable for anyone.")
               (method url-fetch)
               (uri (string-append "mirror://gnu/readline/readline-"
                                   version ".tar.gz"))
+              (patches (search-patches "readline-6.2-CVE-2014-2524.patch"))
+              (patch-flags '("-p0"))
               (sha256
                (base32
                 "10ckm2bd2rkxhvdmj7nmbsylmihw0abwcsnxf8y27305183rd9kr"))))))