[PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.

Done. Submitted by Alex Vong.
Details
2 participants
  • Alex Vong
  • Leo Famulari
Owner
unassigned
Severity
normal
Alex Vong wrote on 31 Dec 2018 00:15
(address . guix-patches@gnu.org)(address . alexvong1995@gmail.com)
87pntihaht.fsf@gmail.com
Tags: security
Hello,
This patch series mainly fixes the latest CVEs found in libextractor, but it also upgrades other gnunet related packages to their latest version.
Please also note that the versioning scheme for guile-gnunet is changed to use that of 'git-version'. Unfortunately, this would break "guix package --upgrade". But I think this change needs to be made at some point anyway, so we may as well do it now.
Cheers,
Alex
Alex Vong wrote on 31 Dec 2018 00:18
[PATCH 1/4] gnu: libextractor: Update to 1.8.
(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)
87lg46had7.fsf@gmail.com
From 8cb16fb98e444bdbed44f73038aa74d2a4a306f1 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:48:50 +0800
Subject: [PATCH 1/4] gnu: libextractor: Update to 1.8.

* gnu/packages/gnunet.scm (libextractor): Update to 1.8.
---
 gnu/packages/gnunet.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
Toggle diff (31 lines)diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scmindex d1dc8fd58..4a6952076 100644--- a/gnu/packages/gnunet.scm+++ b/gnu/packages/gnunet.scm@@ -7,6 +7,7 @@ ;;; Copyright © 2016 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is> ;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>+;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;;@@ -67,14 +68,14 @@ (define-public libextractor (package (name "libextractor")- (version "1.7")+ (version "1.8") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/libextractor/libextractor-" version ".tar.gz")) (sha256 (base32- "13wf6vj7mkv6gw8h183cnk7m24ir0gyf198pyb2148ng4klgv9p0"))))+ "1z1cb35griqzvshqdv5ck98dy0sgpsswn7fgiy7lbzi34sma8dg2")))) (build-system gnu-build-system) ;; WARNING: Checks require /dev/shm to be in the build chroot, especially ;; not to be a symbolic link to /run/shm.-- 2.20.1
Alex Vong wrote on 31 Dec 2018 00:18
[PATCH 2/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.
(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)
87h8euhacj.fsf@gmail.com
From a155ee678aefe73eb8e209e7a6d4ace8afabcf92 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:50:48 +0800
Subject: [PATCH 2/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.

* gnu/packages/patches/libextractor-CVE-2018-20430.patch,
gnu/packages/patches/libextractor-CVE-2018-20431.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gnunet.scm (libextractor)[source]: Use them.
---
 gnu/local.mk | 2 +
 gnu/packages/gnunet.scm | 2 +
 .../patches/libextractor-CVE-2018-20430.patch | 60 +++++++++++++++++++
 .../patches/libextractor-CVE-2018-20431.patch | 53 ++++++++++++++++
 4 files changed, 117 insertions(+)
 create mode 100644 gnu/packages/patches/libextractor-CVE-2018-20430.patch
 create mode 100644 gnu/packages/patches/libextractor-CVE-2018-20431.patch
Toggle diff (153 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 0bb020335..75634b741 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -888,6 +888,8 @@ dist_patch_DATA = \ %D%/packages/patches/libevent-2.1-skip-failing-test.patch \ %D%/packages/patches/libexif-CVE-2016-6328.patch \ %D%/packages/patches/libexif-CVE-2017-7544.patch \+ %D%/packages/patches/libextractor-CVE-2018-20430.patch \+ %D%/packages/patches/libextractor-CVE-2018-20431.patch \ %D%/packages/patches/libgcrypt-make-yat2m-reproducible.patch \ %D%/packages/patches/libgit2-mtime-0.patch \ %D%/packages/patches/libgit2-oom-test.patch \diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scmindex 4a6952076..d9e903734 100644--- a/gnu/packages/gnunet.scm+++ b/gnu/packages/gnunet.scm@@ -73,6 +73,8 @@ (method url-fetch) (uri (string-append "mirror://gnu/libextractor/libextractor-" version ".tar.gz"))+ (patches (search-patches "libextractor-CVE-2018-20430.patch"+ "libextractor-CVE-2018-20431.patch")) (sha256 (base32 "1z1cb35griqzvshqdv5ck98dy0sgpsswn7fgiy7lbzi34sma8dg2"))))diff --git a/gnu/packages/patches/libextractor-CVE-2018-20430.patch b/gnu/packages/patches/libextractor-CVE-2018-20430.patchnew file mode 100644index 000000000..570cd7c00--- /dev/null+++ b/gnu/packages/patches/libextractor-CVE-2018-20430.patch@@ -0,0 +1,60 @@+Fix CVE-2018-20430:++https://gnunet.org/bugs/view.php?id=5493+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20430+https://security-tracker.debian.org/tracker/CVE-2018-20430++Patch copied from upstream source repository:++https://gnunet.org/git/libextractor.git/commit/?id=b405d707b36e0654900cba78e89f49779efea110++From b405d707b36e0654900cba78e89f49779efea110 Mon Sep 17 00:00:00 2001+From: Christian Grothoff <christian@grothoff.org>+Date: Thu, 20 Dec 2018 22:47:53 +0100+Subject: [PATCH] fix #5493 (out of bounds read)++---+ src/common/convert.c | 10 +++++-----+ 1 file changed, 5 insertions(+), 5 deletions(-)++diff --git a/src/common/convert.c b/src/common/convert.c+index 
c0edf21..2be2108 100644+--- a/src/common/convert.c++++ b/src/common/convert.c+@@ -36,8 +36,8 @@+ * string is returned.+ */+ char *+-EXTRACTOR_common_convert_to_utf8 (const char *input, +- size_t len, ++EXTRACTOR_common_convert_to_utf8 (const char *input,++ size_t len,+ const char *charset)+ {+ #if HAVE_ICONV+@@ -52,7 +52,7 @@ EXTRACTOR_common_convert_to_utf8 (const char *input,+ i = input;+ cd = iconv_open ("UTF-8", charset);+ if (cd == (iconv_t) - 1)+- return strdup (i);++ return strndup (i, len);+ if (len > 1024 * 1024)+ {+ iconv_close (cd);+@@ -67,11 +67,11 @@ EXTRACTOR_common_convert_to_utf8 (const char *input,+ }+ itmp = tmp;+ finSize = tmpSize;+- if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == SIZE_MAX)++ if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == ((size_t) -1))+ {+ iconv_close (cd);+ free (tmp);+- return strdup (i);++ return strndup (i, len);+ }+ ret = malloc (tmpSize - finSize + 1);+ if (ret == NULL)+-- +2.20.1+diff --git a/gnu/packages/patches/libextractor-CVE-2018-20431.patch b/gnu/packages/patches/libextractor-CVE-2018-20431.patchnew file mode 100644index 000000000..855c5ba64--- /dev/null+++ b/gnu/packages/patches/libextractor-CVE-2018-20431.patch@@ -0,0 +1,53 @@+Fix CVE-2018-20431:++https://gnunet.org/bugs/view.php?id=5494+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20431+https://security-tracker.debian.org/tracker/CVE-2018-20431++Patch copied from upstream source repository:++https://gnunet.org/git/libextractor.git/commit/?id=489c4a540bb2c4744471441425b8932b97a153e7++To apply the patch to libextractor 1.8 release tarball,+hunk #1 which patches ChangeLog is removed. 
++From 489c4a540bb2c4744471441425b8932b97a153e7 Mon Sep 17 00:00:00 2001+From: Christian Grothoff <christian@grothoff.org>+Date: Thu, 20 Dec 2018 23:02:28 +0100+Subject: [PATCH] fix #5494++---+ ChangeLog | 3 ++-+ src/plugins/ole2_extractor.c | 9 +++++++--+ 2 files changed, 9 insertions(+), 3 deletions(-)++diff --git a/src/plugins/ole2_extractor.c b/src/plugins/ole2_extractor.c+index 53fa1b9..a48b726 100644+--- a/src/plugins/ole2_extractor.c++++ b/src/plugins/ole2_extractor.c+@@ -173,7 +173,7 @@ struct ProcContext+ EXTRACTOR_MetaDataProcessor proc;+ + /**+- * Closure for 'proc'.++ * Closure for @e proc.+ */+ void *proc_cls;+ +@@ -213,7 +213,12 @@ process_metadata (gpointer key,+ + if (G_VALUE_TYPE(gval) == G_TYPE_STRING)+ {+- contents = strdup (g_value_get_string (gval));++ const char *gvals;++++ gvals = g_value_get_string (gval);++ if (NULL == gvals)++ return;++ contents = strdup (gvals);+ }+ else+ {+-- +2.20.1+-- 2.20.1
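Review bot: In the second changed fallback of libextractor-CVE-2018-20430.patch (the branch taken when `iconv (cd, (char **) &input, &len, &itmp, &finSize)` returns `(size_t) -1`), `len` has already been handed to iconv by address, and iconv decrements it as input is consumed. `return strndup (i, len);` therefore copies only as many bytes from the start of the buffer as were left unconverted, not the caller's original length. That stays within bounds, but the fallback string can be silently truncated. Saving the original length in a separate variable before the iconv call and using it in this strndup would keep both the bound and the full input. Since the file is copied from upstream commit b405d707b36e0654900cba78e89f49779efea110, this is a point to raise upstream rather than to change in the Guix copy.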
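Review bot: The header of libextractor-CVE-2018-20431.patch says hunk #1 (ChangeLog) was removed, but the embedded diffstat still lists `ChangeLog | 3 ++-` and `2 files changed, 9 insertions(+), 3 deletions(-)`. patch ignores the diffstat, so the file applies, but the summary no longer matches the single `src/plugins/ole2_extractor.c` diff that follows. Dropping the ChangeLog line from the diffstat would keep the two in agreement when the patch is refreshed later.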
Alex Vong wrote on 31 Dec 2018 00:19
[PATCH 3/4] gnu: libmicrohttpd: Update to 0.9.62.
(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)
87d0pihabm.fsf@gmail.com
From c5b57304b0ec12d44ffb749befd00fb0e4d92c0f Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:54:04 +0800
Subject: [PATCH 3/4] gnu: libmicrohttpd: Update to 0.9.62.

* gnu/packages/gnunet.scm (libmicrohttpd): Update to 0.9.62.
---
 gnu/packages/gnunet.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Toggle diff (23 lines)diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scmindex d9e903734..79584fcf0 100644--- a/gnu/packages/gnunet.scm+++ b/gnu/packages/gnunet.scm@@ -148,14 +148,14 @@ tool to extract metadata from a file and print the results.") (define-public libmicrohttpd (package (name "libmicrohttpd")- (version "0.9.59")+ (version "0.9.62") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/libmicrohttpd/libmicrohttpd-" version ".tar.gz")) (sha256 (base32- "0g4jgnv43yddr9yxrqg11632rip0lg5c53gmy5wy3c0i1dywv74v"))))+ "0jfvi1fb4im3a3m8qishbmzx3zch993c0mhvl2k92l1zf1yhjgmx")))) (build-system gnu-build-system) (inputs `(("curl" ,curl)-- 2.20.1
Alex Vong wrote on 31 Dec 2018 00:19
[PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)
878t06haau.fsf@gmail.com
From 8009339b00ce374fadea36e964d0fcbcb85ed044 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 07:00:39 +0800
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.

* gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
[version]: Use git-version.
[source]: Use git-file-name.
---
 gnu/packages/gnunet.scm | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
Toggle diff (31 lines)diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scmindex 79584fcf0..b00c8848a 100644--- a/gnu/packages/gnunet.scm+++ b/gnu/packages/gnunet.scm@@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.") (home-page "https://gnunet.org/"))) (define-public guile-gnunet ;GSoC 2015!- (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))+ (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")+ (revision "1")) (package (name "guile-gnunet")- (version (string-append "0.0." (string-take commit 7)))+ (version (git-version "0.0" revision commit)) (source (origin (method git-fetch) (uri (git-reference (url "https://git.savannah.gnu.org/git/guix/gnunet.git/") (commit commit)))- (file-name (string-append name "-" version "-checkout"))+ (git-file-name name version) (sha256 (base32- "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))+ "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv")))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config) ("autoconf" ,autoconf-wrapper)-- 2.20.1
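Review bot: In the `origin` form of guile-gnunet, the added line `(git-file-name name version)` replaces `(file-name (string-append name "-" version "-checkout"))` without the enclosing `file-name` field, so the record is given a bare expression where a field clause is expected. It should read `(file-name (git-file-name name version))`.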
Alex Vong wrote on 31 Dec 2018 00:27
(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)
871s5yh9yf.fsf@gmail.com
Sorry, the last patch is incorrect. The correct one is here:
From 9c2b78d121e4711f3c42ccc7bbc291beaf45571c Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 07:00:39 +0800
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.

* gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
[version]: Use git-version.
[source]: Use git-file-name.
---
 gnu/packages/gnunet.scm | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
Toggle diff (31 lines)diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scmindex 79584fcf0..62bb3026d 100644--- a/gnu/packages/gnunet.scm+++ b/gnu/packages/gnunet.scm@@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.") (home-page "https://gnunet.org/"))) (define-public guile-gnunet ;GSoC 2015!- (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))+ (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")+ (revision "1")) (package (name "guile-gnunet")- (version (string-append "0.0." (string-take commit 7)))+ (version (git-version "0.0" revision commit)) (source (origin (method git-fetch) (uri (git-reference (url "https://git.savannah.gnu.org/git/guix/gnunet.git/") (commit commit)))- (file-name (string-append name "-" version "-checkout"))+ (file-name (git-file-name name version)) (sha256 (base32- "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))+ "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv")))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config) ("autoconf" ,autoconf-wrapper)-- 2.20.1
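Review bot: The `version` change from `(string-append "0.0." (string-take commit 7))` to `(git-version "0.0" revision commit)` switches the format of the version string, and the cover letter says this breaks `guix package --upgrade` for guile-gnunet, yet the commit log only records `[version]: Use git-version.` A sentence in the commit message, or a comment next to `(revision "1")`, noting the one-time upgrade break would keep that information with the change.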
Alex Vong <alexvong1995@gmail.com> writes:
Toggle quote (41 lines)> From 8009339b00ce374fadea36e964d0fcbcb85ed044 Mon Sep 17 00:00:00 2001> From: Alex Vong <alexvong1995@gmail.com>> Date: Mon, 31 Dec 2018 07:00:39 +0800> Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.>> * gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.> [version]: Use git-version.> [source]: Use git-file-name.> ---> gnu/packages/gnunet.scm | 9 +++++----> 1 file changed, 5 insertions(+), 4 deletions(-)>> diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm> index 79584fcf0..b00c8848a 100644> --- a/gnu/packages/gnunet.scm> +++ b/gnu/packages/gnunet.scm> @@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")> (home-page "https://gnunet.org/")))> > (define-public guile-gnunet ;GSoC 2015!> - (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))> + (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")> + (revision "1"))> (package> (name "guile-gnunet")> - (version (string-append "0.0." (string-take commit 7)))> + (version (git-version "0.0" revision commit))> (source (origin> (method git-fetch)> (uri (git-reference> (url "https://git.savannah.gnu.org/git/guix/gnunet.git/")> (commit commit)))> - (file-name (string-append name "-" version "-checkout"))> + (git-file-name name version)> (sha256> (base32> - "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))> + "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))> (build-system gnu-build-system)> (native-inputs `(("pkg-config" ,pkg-config)> ("autoconf" ,autoconf-wrapper)
Alex Vong wrote on 3 Jan 2019 14:12
Re: [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.
(address . guix-devel@gnu.org)
87bm4xyjek.fsf@gmail.com
Hello Guix,
I sent the "gnu: libextractor: Fix CVE-2018-{20430,20431}." patch to https://debbugs.gnu.org/33933 three days ago. libextractor is needed to build gnunet, so these fixes are important for gnunet users [I am not (yet) a user though]. Only the first two patches are directly related, the rest updates various gnunet-related packages.
Btw, for security fixes, how long should I wait before I ping here?
Thanks,
Alex
Leo Famulari wrote on 3 Jan 2019 19:20
Re: [bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 33933@debbugs.gnu.org)
20190103182056.GA2707@jasmine.lan
On Mon, Dec 31, 2018 at 07:15:42AM +0800, Alex Vong wrote:
> Tags: security
>
> Hello,
>
> This patch series mainly fixes the latest CVEs found in libextractor,
> but it also upgrades other gnunet related packages to their latest
> version.
>
> Please also note that the versioning scheme for guile-gnunet is changed
> to use that of 'git-version'. Unfortunately, this would break
> "guix package --upgrade". But I think this change needs to be made at
> some point anyway, so we may as well do it now.
Thanks, please push :)
Leo Famulari wrote on 3 Jan 2019 20:29
(name . Alex Vong)(address . alexvong1995@gmail.com)
20190103192918.GA5598@jasmine.lan
On Thu, Jan 03, 2019 at 09:12:35PM +0800, Alex Vong wrote:
> Btw, for security fixes, how long should I wait before I ping here?
If you are confident in the fix, it's fine to go ahead and commit if there is no review. Otherwise, a day or two is probably fine. If the vulnerability is particularly severe, you could send a reminder to <guix-security@gnu.org>, or email the maintainers directly.
Alex Vong wrote on 4 Jan 2019 00:42
(address . 33933-done@debbugs.gnu.org)
871s5txq8p.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:
> On Mon, Dec 31, 2018 at 07:15:42AM +0800, Alex Vong wrote:
>> Tags: security
>>
>> Hello,
>>
>> This patch series mainly fixes the latest CVEs found in libextractor,
>> but it also upgrades other gnunet related packages to their latest
>> version.
>>
>> Please also note that the versioning scheme for guile-gnunet is changed
>> to use that of 'git-version'. Unfortunately, this would break
>> "guix package --upgrade". But I think this change needs to be made at
>> some point anyway, so we may as well do it now.
>
> Thanks, please push :)
Pushed as 1983a9b0a50ff759f2d192d7fa0f7ad0fb1e1384 -5651e74cc6c1d1b8a2ef1d40e6f14e1123a7de97!
This issue is archived.

To comment on this conversation send email to 33933@debbugs.gnu.org