
[1/1] gnu: tcsh: Fix out of bounds read.

Message ID cfb28c1c96a849bfc5e8bdb4cf00b001154f2373.1481091735.git.leo@famulari.name
State New

Commit Message

Leo Famulari Dec. 7, 2016, 6:22 a.m. UTC
* gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/shells.scm (tcsh)[source]: Use it.
---
 gnu/local.mk                                       |  1 +
 .../patches/tcsh-fix-out-of-bounds-read.patch      | 31 ++++++++++++++++++++++
 gnu/packages/shells.scm                            |  3 ++-
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch

Comments

Efraim Flashner Dec. 7, 2016, 8:09 a.m. UTC | #1
On Wed, Dec 07, 2016 at 01:22:18AM -0500, Leo Famulari wrote:
> * gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/shells.scm (tcsh)[source]: Use it.
> ---
>  gnu/local.mk                                       |  1 +
>  .../patches/tcsh-fix-out-of-bounds-read.patch      | 31 ++++++++++++++++++++++
>  gnu/packages/shells.scm                            |  3 ++-
>  3 files changed, 34 insertions(+), 1 deletion(-)
>  create mode 100644 gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch
> 
> diff --git a/gnu/local.mk b/gnu/local.mk
> index bc9b06da6..552272bbd 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -879,6 +879,7 @@ dist_patch_DATA =						\
>    %D%/packages/patches/tclxml-3.2-install.patch			\
>    %D%/packages/patches/tcsh-do-not-define-BSDWAIT.patch		\
>    %D%/packages/patches/tcsh-fix-autotest.patch			\
> +  %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch	\
>    %D%/packages/patches/teensy-loader-cli-help.patch		\
>    %D%/packages/patches/texi2html-document-encoding.patch	\
>    %D%/packages/patches/texi2html-i18n.patch			\
> diff --git a/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch
> new file mode 100644
> index 000000000..48c294f78
> --- /dev/null
> +++ b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch
> @@ -0,0 +1,31 @@
> +Fix out-of-bounds read in c_substitute():
> +
> +http://seclists.org/oss-sec/2016/q4/612
> +
> +Patch copied from upstream source repository:
> +
> +https://github.com/tcsh-org/tcsh/commit/6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596
> +
> +From 6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 Mon Sep 17 00:00:00 2001
> +From: christos <christos>
> +Date: Fri, 2 Dec 2016 16:59:28 +0000
> +Subject: [PATCH] Fix out of bounds read (Brooks Davis) (reproduce by starting
> + tcsh and hitting tab at the prompt)
> +
> +---
> + ed.chared.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/ed.chared.c b/ed.chared.c
> +index 1277e53..310393e 100644
> +--- ed.chared.c
> ++++ ed.chared.c
> +@@ -750,7 +750,7 @@ c_substitute(void)
> +     /*
> +      * If we found a history character, go expand it.
> +      */
> +-    if (HIST != '\0' && *p == HIST)
> ++    if (p >= InputBuf && HIST != '\0' && *p == HIST)
> + 	nr_exp = c_excl(p);
> +     else
> +         nr_exp = 0;
> diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm
> index f3350ef50..8596efc87 100644
> --- a/gnu/packages/shells.scm
> +++ b/gnu/packages/shells.scm
> @@ -186,7 +186,8 @@ has a small feature set similar to a traditional Bourne shell.")
>                 (base32
>                  "1a4z9kwgx1iqqzvv64si34m60gj34p7lp6rrcrb59s7ka5wa476q"))
>                (patches (search-patches "tcsh-fix-autotest.patch"
> -                                       "tcsh-do-not-define-BSDWAIT.patch"))
> +                                       "tcsh-do-not-define-BSDWAIT.patch"
> +                                       "tcsh-fix-out-of-bounds-read.patch"))
>                (patch-flags '("-p0"))))
>      (build-system gnu-build-system)
>      (inputs
> -- 
> 2.11.0
> 
> 

Still no CVE assigned to it?

Building the following 429 packages would ensure 829 dependent packages are rebuilt
Looks like it'll need to be grafted in addition.
Ludovic Courtès Dec. 7, 2016, 10:54 a.m. UTC | #2
Efraim Flashner <efraim@flashner.co.il> skribis:

> On Wed, Dec 07, 2016 at 01:22:18AM -0500, Leo Famulari wrote:
>> * gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add it.
>> * gnu/packages/shells.scm (tcsh)[source]: Use it.
>> ---
>>  gnu/local.mk                                       |  1 +
>>  .../patches/tcsh-fix-out-of-bounds-read.patch      | 31 ++++++++++++++++++++++
>>  gnu/packages/shells.scm                            |  3 ++-
>>  3 files changed, 34 insertions(+), 1 deletion(-)
>>  create mode 100644 gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch
>> 
>> diff --git a/gnu/local.mk b/gnu/local.mk
>> index bc9b06da6..552272bbd 100644
>> --- a/gnu/local.mk
>> +++ b/gnu/local.mk
>> @@ -879,6 +879,7 @@ dist_patch_DATA =						\
>>    %D%/packages/patches/tclxml-3.2-install.patch			\
>>    %D%/packages/patches/tcsh-do-not-define-BSDWAIT.patch		\
>>    %D%/packages/patches/tcsh-fix-autotest.patch			\
>> +  %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch	\
>>    %D%/packages/patches/teensy-loader-cli-help.patch		\
>>    %D%/packages/patches/texi2html-document-encoding.patch	\
>>    %D%/packages/patches/texi2html-i18n.patch			\
>> diff --git a/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch
>> new file mode 100644
>> index 000000000..48c294f78
>> --- /dev/null
>> +++ b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch
>> @@ -0,0 +1,31 @@
>> +Fix out-of-bounds read in c_substitute():
>> +
>> +http://seclists.org/oss-sec/2016/q4/612
>> +
>> +Patch copied from upstream source repository:
>> +
>> +https://github.com/tcsh-org/tcsh/commit/6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596
>> +
>> +From 6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 Mon Sep 17 00:00:00 2001
>> +From: christos <christos>
>> +Date: Fri, 2 Dec 2016 16:59:28 +0000
>> +Subject: [PATCH] Fix out of bounds read (Brooks Davis) (reproduce by starting
>> + tcsh and hitting tab at the prompt)
>> +
>> +---
>> + ed.chared.c | 2 +-
>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>> +
>> +diff --git a/ed.chared.c b/ed.chared.c
>> +index 1277e53..310393e 100644
>> +--- ed.chared.c
>> ++++ ed.chared.c
>> +@@ -750,7 +750,7 @@ c_substitute(void)
>> +     /*
>> +      * If we found a history character, go expand it.
>> +      */
>> +-    if (HIST != '\0' && *p == HIST)
>> ++    if (p >= InputBuf && HIST != '\0' && *p == HIST)
>> + 	nr_exp = c_excl(p);
>> +     else
>> +         nr_exp = 0;
>> diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm
>> index f3350ef50..8596efc87 100644
>> --- a/gnu/packages/shells.scm
>> +++ b/gnu/packages/shells.scm
>> @@ -186,7 +186,8 @@ has a small feature set similar to a traditional Bourne shell.")
>>                 (base32
>>                  "1a4z9kwgx1iqqzvv64si34m60gj34p7lp6rrcrb59s7ka5wa476q"))
>>                (patches (search-patches "tcsh-fix-autotest.patch"
>> -                                       "tcsh-do-not-define-BSDWAIT.patch"))
>> +                                       "tcsh-do-not-define-BSDWAIT.patch"
>> +                                       "tcsh-fix-out-of-bounds-read.patch"))
>>                (patch-flags '("-p0"))))
>>      (build-system gnu-build-system)
>>      (inputs
>> -- 
>> 2.11.0
>> 
>> 
>
> Still no CVE assigned to it?
>
> Building the following 429 packages would ensure 829 dependent packages are rebuilt
> Looks like it'll need to be grafted in addition.

That could go to the next ‘staging’ branch or ‘core-updates’, which
might be merged first.  (How come this many packages depend on tcsh?)

Ludo’.
Marius Bakke Dec. 7, 2016, 12:55 p.m. UTC | #3
Ludovic Courtès <ludo@gnu.org> writes:

> That could go to the next ‘staging’ branch or ‘core-updates’, which
> might be merged first.  (How come this many packages depend on tcsh?)

tcsh is used by the 'boost' and 'texlive' packages.

Patch

diff --git a/gnu/local.mk b/gnu/local.mk
index bc9b06da6..552272bbd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -879,6 +879,7 @@  dist_patch_DATA =						\
   %D%/packages/patches/tclxml-3.2-install.patch			\
   %D%/packages/patches/tcsh-do-not-define-BSDWAIT.patch		\
   %D%/packages/patches/tcsh-fix-autotest.patch			\
+  %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch	\
   %D%/packages/patches/teensy-loader-cli-help.patch		\
   %D%/packages/patches/texi2html-document-encoding.patch	\
   %D%/packages/patches/texi2html-i18n.patch			\
diff --git a/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch
new file mode 100644
index 000000000..48c294f78
--- /dev/null
+++ b/gnu/packages/patches/tcsh-fix-out-of-bounds-read.patch
@@ -0,0 +1,31 @@ 
+Fix out-of-bounds read in c_substitute():
+
+http://seclists.org/oss-sec/2016/q4/612
+
+Patch copied from upstream source repository:
+
+https://github.com/tcsh-org/tcsh/commit/6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596
+
+From 6a542dc4fb2ba26518a47e9b3a9bcd6a91b94596 Mon Sep 17 00:00:00 2001
+From: christos <christos>
+Date: Fri, 2 Dec 2016 16:59:28 +0000
+Subject: [PATCH] Fix out of bounds read (Brooks Davis) (reproduce by starting
+ tcsh and hitting tab at the prompt)
+
+---
+ ed.chared.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ed.chared.c b/ed.chared.c
+index 1277e53..310393e 100644
+--- ed.chared.c
++++ ed.chared.c
+@@ -750,7 +750,7 @@ c_substitute(void)
+     /*
+      * If we found a history character, go expand it.
+      */
+-    if (HIST != '\0' && *p == HIST)
++    if (p >= InputBuf && HIST != '\0' && *p == HIST)
+ 	nr_exp = c_excl(p);
+     else
+         nr_exp = 0;
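Review bot: The added `p >= InputBuf` test in the embedded c_substitute() hunk guards the dereference only at the use site, after `p` has already been moved below the start of `InputBuf`, presumably by a backward scan outside the hunk. In C, forming and comparing a pointer before the start of an array is itself undefined, so the guard relies on the compiler not exploiting that. A sturdier shape would bound the scan so `p` never leaves the buffer, stopping once `p == InputBuf`; this needs confirming against the full function, which starts and ends outside this hunk. The existing comment above the test could also record why the bound is there, e.g. `/* p can precede InputBuf on an empty line (tab at a fresh prompt); do not dereference it then. */`.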
diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm
index f3350ef50..8596efc87 100644
--- a/gnu/packages/shells.scm
+++ b/gnu/packages/shells.scm
@@ -186,7 +186,8 @@  has a small feature set similar to a traditional Bourne shell.")
                (base32
                 "1a4z9kwgx1iqqzvv64si34m60gj34p7lp6rrcrb59s7ka5wa476q"))
               (patches (search-patches "tcsh-fix-autotest.patch"
-                                       "tcsh-do-not-define-BSDWAIT.patch"))
+                                       "tcsh-do-not-define-BSDWAIT.patch"
+                                       "tcsh-fix-out-of-bounds-read.patch"))
               (patch-flags '("-p0"))))
     (build-system gnu-build-system)
     (inputs