01/01: gnu: sharutils: Fix CVE-2018-1000097.
From: Marius Bakke
Subject: 01/01: gnu: sharutils: Fix CVE-2018-1000097.
Date: Mon, 16 Apr 2018 12:12:53 -0400 (EDT)
mbakke pushed a commit to branch master
in repository guix.
commit d0ee11b2f000c3c027fd8370bc2195266398444f
Author: Marius Bakke <address@hidden>
Date: Sun Apr 15 17:48:37 2018 +0200
gnu: sharutils: Fix CVE-2018-1000097.
* gnu/packages/patches/sharutils-CVE-2018-1000097.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/compression.scm (sharutils)[source](patches): Use it.
---
gnu/local.mk | 1 +
gnu/packages/compression.scm | 1 +
.../patches/sharutils-CVE-2018-1000097.patch | 21 +++++++++++++++++++++
3 files changed, 23 insertions(+)
diff --git a/gnu/local.mk b/gnu/local.mk
index 713d9ae..0bdfc52 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1093,6 +1093,7 @@ dist_patch_DATA =
\
%D%/packages/patches/sdl-libx11-1.6.patch \
%D%/packages/patches/seq24-rename-mutex.patch \
%D%/packages/patches/shadow-CVE-2018-7169.patch \
+ %D%/packages/patches/sharutils-CVE-2018-1000097.patch \
%D%/packages/patches/shishi-fix-libgcrypt-detection.patch \
%D%/packages/patches/slim-session.patch \
%D%/packages/patches/slim-config.patch \
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index f312e47..562a2bf 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -533,6 +533,7 @@ decompressors when faced with corrupted input.")
(method url-fetch)
(uri (string-append "mirror://gnu/sharutils/sharutils-"
version ".tar.xz"))
+ (patches (search-patches "sharutils-CVE-2018-1000097.patch"))
(sha256
(base32
"16isapn8f39lnffc3dp4dan05b7x6mnc76v6q5nn8ysxvvvwy19b"))))
diff --git a/gnu/packages/patches/sharutils-CVE-2018-1000097.patch
b/gnu/packages/patches/sharutils-CVE-2018-1000097.patch
new file mode 100644
index 0000000..8d58218
--- /dev/null
+++ b/gnu/packages/patches/sharutils-CVE-2018-1000097.patch
@@ -0,0 +1,21 @@
+Fix CVE-2018-1000097:
+
+https://security-tracker.debian.org/tracker/CVE-2018-1000097
+https://nvd.nist.gov/vuln/detail/CVE-2018-1000097
+
+Patch taken from upstream bug report:
+https://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00005.html
+
+diff --git a/src/unshar.c b/src/unshar.c
+index 80bc3a9..0fc3773 100644
+--- a/src/unshar.c
++++ b/src/unshar.c
+@@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start)
+ off_t position = ftello (file);
+
+ /* Read next line, fail if no more and no previous process. */
+- if (!fgets (rw_buffer, BUFSIZ, file))
++ if (!fgets (rw_buffer, rw_base_size, file))
+ {
+ if (!start)
+ error (0, 0, _("Found no shell commands in %s"), name);
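Review bot: The header of the new patch file (the lines above the embedded diff for src/unshar.c) names the CVE and links to the trackers and the upstream report, but never states the defect, so the one-line change in find_archive is not self-explanatory if those links go away. From the hunk, the fix is that the fgets call filling rw_buffer was bounded by BUFSIZ and is now bounded by rw_base_size; one sentence in the header saying that the read limit did not follow rw_base_size would make the patch stand on its own. Only this call site is visible here, so it is also worth confirming that no other read into rw_buffer in src/unshar.c still passes BUFSIZ as its limit.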