[PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.

Done

Details

2 participants

Alex Vong
Leo Famulari

Owner: unassigned

Submitted by: Alex Vong

Severity: normal

Alex Vong wrote on 31 Dec 2018 00:15

Recipients:(address . guix-patches@gnu.org)(address . alexvong1995@gmail.com)

Message-ID:87pntihaht.fsf@gmail.com

Tags: security

Hello,

This patch series mainly fixes the latest CVEs found in libextractor,

but it also upgrades other gnunet related packages to their latest

version.

Please also note that the versioning scheme for guile-gnunet is changed

to use that of 'git-version'. Unfortunately, this would break

"guix package --upgrade". But I think this change needs to be made at

some point anyway, so we may as well do it now.

Cheers,

Alex

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXClRngAKCRBh71Au9gJS

8ud4AP93mEoxgSxC6a4cMHxYQKvhrvUqnG4BCLeTyL0mXqA0owD/di9bPnBXZ3Cu

RdDa8xdmPU8ovEmhYSl19sgEQ3tTlgk=

=YODP

-----END PGP SIGNATURE-----

Alex Vong wrote on 31 Dec 2018 00:18

[PATCH 1/4] gnu: libextractor: Update to 1.8.

Recipients:(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)

Message-ID:87lg46had7.fsf@gmail.com

From 8cb16fb98e444bdbed44f73038aa74d2a4a306f1 Mon Sep 17 00:00:00 2001

* gnu/packages/gnunet.scm (libextractor): Update to 1.8.

---

gnu/packages/gnunet.scm | 5 +++--

1 file changed, 3 insertions(+), 2 deletions(-)

Toggle diff (31 lines)diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index d1dc8fd58..4a6952076 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is>
 ;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -67,14 +68,14 @@
 (define-public libextractor
   (package
    (name "libextractor")
-   (version "1.7")
+   (version "1.8")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/libextractor/libextractor-"
                                 version ".tar.gz"))
             (sha256
              (base32
-              "13wf6vj7mkv6gw8h183cnk7m24ir0gyf198pyb2148ng4klgv9p0"))))
+              "1z1cb35griqzvshqdv5ck98dy0sgpsswn7fgiy7lbzi34sma8dg2"))))
    (build-system gnu-build-system)
    ;; WARNING: Checks require /dev/shm to be in the build chroot, especially
    ;; not to be a symbolic link to /run/shm.
-- 
2.20.1

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXClSRAAKCRBh71Au9gJS

8tgpAQDMvVPBxfm00RKKliuzBsEN5WBtp8ZnlXB7M/FHHsUUMgD/YUkOD3TFxHRd

PdwxgR/GFfKfmTAWywiped2bPAJCZwE=

=KIYH

-----END PGP SIGNATURE-----

Alex Vong wrote on 31 Dec 2018 00:18

[PATCH 2/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.

Recipients:(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)

Message-ID:87h8euhacj.fsf@gmail.com

Attachment: 0002-gnu-libextractor-Fix-CVE-2018-20430-20431.patch

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXClSXAAKCRBh71Au9gJS

8uuiAQCl+HSN/kASF3J35E9EiGsVh86H/w80FECOB2f9LdzU6QEAlKCfKbwCOq0K

feekZz3UXa94En1zFKqFzuph9ysbcwU=

=wS43

-----END PGP SIGNATURE-----

Alex Vong wrote on 31 Dec 2018 00:19

[PATCH 3/4] gnu: libmicrohttpd: Update to 0.9.62.

Recipients:(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)

Message-ID:87d0pihabm.fsf@gmail.com

From c5b57304b0ec12d44ffb749befd00fb0e4d92c0f Mon Sep 17 00:00:00 2001

* gnu/packages/gnunet.scm (libmicrohttpd): Update to 0.9.62.

---

gnu/packages/gnunet.scm | 4 ++--

1 file changed, 2 insertions(+), 2 deletions(-)

Toggle diff (23 lines)diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index d9e903734..79584fcf0 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -148,14 +148,14 @@ tool to extract metadata from a file and print the results.")
 (define-public libmicrohttpd
   (package
    (name "libmicrohttpd")
-   (version "0.9.59")
+   (version "0.9.62")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/libmicrohttpd/libmicrohttpd-"
                                 version ".tar.gz"))
             (sha256
              (base32
-              "0g4jgnv43yddr9yxrqg11632rip0lg5c53gmy5wy3c0i1dywv74v"))))
+              "0jfvi1fb4im3a3m8qishbmzx3zch993c0mhvl2k92l1zf1yhjgmx"))))
    (build-system gnu-build-system)
    (inputs
     `(("curl" ,curl)
-- 
2.20.1

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXClSfgAKCRBh71Au9gJS

8jL6AQCjmm5a4hKzFe4lwJR19Hgz3xpSdhEpNo6MUHOFC8q73wD+JXLy6jTgIdZ6

dfStJhCF9eO7AWleUNz54We6CWcSvQs=

=WIvV

-----END PGP SIGNATURE-----

Alex Vong wrote on 31 Dec 2018 00:19

[PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.

Recipients:(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)

Message-ID:878t06haau.fsf@gmail.com

From 8009339b00ce374fadea36e964d0fcbcb85ed044 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 07:00:39 +0800
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.

* gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
[version]: Use git-version.
[source]: Use git-file-name.
---
 gnu/packages/gnunet.scm | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

Toggle diff (31 lines)diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 79584fcf0..b00c8848a 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
    (home-page "https://gnunet.org/")))
 
 (define-public guile-gnunet                       ;GSoC 2015!
-  (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
+  (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
+        (revision "1"))
     (package
       (name "guile-gnunet")
-      (version (string-append "0.0." (string-take commit 7)))
+      (version (git-version "0.0" revision commit))
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
                       (url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
                       (commit commit)))
-                (file-name (string-append name "-" version "-checkout"))
+                (git-file-name name version)
                 (sha256
                  (base32
-                  "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
+                  "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
       (build-system gnu-build-system)
       (native-inputs `(("pkg-config" ,pkg-config)
                        ("autoconf" ,autoconf-wrapper)
-- 
2.20.1

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXClSmQAKCRBh71Au9gJS

8k0iAP48aLSDEozUB04RmkP7PDxDl3mk+pHToFC5hAmnKKNvzQD+KzwpOaRZUQ54

3sk94lbKRDNProk2BL0b7JTiShAueAY=

=Qe6Y

-----END PGP SIGNATURE-----

Alex Vong wrote on 31 Dec 2018 00:27

Recipients:(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)

Message-ID:871s5yh9yf.fsf@gmail.com

Sorry, the last patch is incorrect. The correct one is here:

From 9c2b78d121e4711f3c42ccc7bbc291beaf45571c Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 07:00:39 +0800
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.

* gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
[version]: Use git-version.
[source]: Use git-file-name.
---
 gnu/packages/gnunet.scm | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

Toggle diff (31 lines)diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 79584fcf0..62bb3026d 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
    (home-page "https://gnunet.org/")))
 
 (define-public guile-gnunet                       ;GSoC 2015!
-  (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
+  (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
+        (revision "1"))
     (package
       (name "guile-gnunet")
-      (version (string-append "0.0." (string-take commit 7)))
+      (version (git-version "0.0" revision commit))
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
                       (url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
                       (commit commit)))
-                (file-name (string-append name "-" version "-checkout"))
+                (file-name (git-file-name name version))
                 (sha256
                  (base32
-                  "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
+                  "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
       (build-system gnu-build-system)
       (native-inputs `(("pkg-config" ,pkg-config)
                        ("autoconf" ,autoconf-wrapper)
-- 
2.20.1

Alex Vong <alexvong1995@gmail.com> writes:

Toggle quote (41 lines)> From 8009339b00ce374fadea36e964d0fcbcb85ed044 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Mon, 31 Dec 2018 07:00:39 +0800
> Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
>
> * gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
> [version]: Use git-version.
> [source]: Use git-file-name.
> ---
>  gnu/packages/gnunet.scm | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
> index 79584fcf0..b00c8848a 100644
> --- a/gnu/packages/gnunet.scm
> +++ b/gnu/packages/gnunet.scm
> @@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
>     (home-page "https://gnunet.org/")))
>  
>  (define-public guile-gnunet                       ;GSoC 2015!
> -  (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
> +  (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
> +        (revision "1"))
>      (package
>        (name "guile-gnunet")
> -      (version (string-append "0.0." (string-take commit 7)))
> +      (version (git-version "0.0" revision commit))
>        (source (origin
>                  (method git-fetch)
>                  (uri (git-reference
>                        (url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
>                        (commit commit)))
> -                (file-name (string-append name "-" version "-checkout"))
> +                (git-file-name name version)
>                  (sha256
>                   (base32
> -                  "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
> +                  "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
>        (build-system gnu-build-system)
>        (native-inputs `(("pkg-config" ,pkg-config)
>                         ("autoconf" ,autoconf-wrapper)

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXClUWAAKCRBh71Au9gJS

8qFxAQDsBpT4WxyFDjOg3puJQ91mRMb/4hleG0GDTD3c/oyvqQEAh/J/1BVPm5Md

YMZ25idRcSJcFIrIPTdvPRxr3pTs0Q0=

=dMEd

-----END PGP SIGNATURE-----

Alex Vong wrote on 3 Jan 2019 14:12

Re: [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.

Recipients:(address . guix-devel@gnu.org)

Message-ID:87bm4xyjek.fsf@gmail.com

Hello Guix,

I sent the "gnu: libextractor: Fix CVE-2018-{20430,20431}." patch to

https://debbugs.gnu.org/33933three days ago. libextractor is needed to

build gnunet, so these fixes are important for gnunet users [I am not

(yet) a user though]. Only the first two patches are directly related,

the rest updates various gnunet-related packages.

Btw, for security fixes, how long should I wait before I ping here?

Thanks,

Alex

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXC4KQwAKCRBh71Au9gJS

8jV4AP4veOsUNZWKAjZTDNwEdCN9CPihksYPEy/JOof+sr9l/QD7BwxkAQBDVlZv

b5nVwfiBdbfJ2DS+EDdHhj3kbiG+6g4=

=HvAv

-----END PGP SIGNATURE-----

Leo Famulari wrote on 3 Jan 2019 19:20

Re: [bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.

Recipients:(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 33933@debbugs.gnu.org)

Message-ID:20190103182056.GA2707@jasmine.lan

On Mon, Dec 31, 2018 at 07:15:42AM +0800, Alex Vong wrote:

Toggle quote (13 lines)> Tags: security
> 
> Hello,
> 
> This patch series mainly fixes the latest CVEs found in libextractor,
> but it also upgrades other gnunet related packages to their latest
> version.
> 
> Please also note that the versioning scheme for guile-gnunet is changed
> to use that of 'git-version'. Unfortunately, this would break
> "guix package --upgrade". But I think this change needs to be made at
> some point anyway, so we may as well do it now.

Thanks, please push :)

Leo Famulari wrote on 3 Jan 2019 20:29

Recipients:(name . Alex Vong)(address . alexvong1995@gmail.com)

Message-ID:20190103192918.GA5598@jasmine.lan

On Thu, Jan 03, 2019 at 09:12:35PM +0800, Alex Vong wrote:

Toggle quote (2 lines)

> Btw, for security fixes, how long should I wait before I ping here?

If you are confident in the fix, it's fine to go ahead and commit if
there is no review. Otherwise, a day or two is probably fine. If the
vulnerability is particularly severe, you could send a reminder to
<guix-security@gnu.org>, or email the maintainers directly.

Alex Vong wrote on 4 Jan 2019 00:42

Recipients:(address . 33933-done@debbugs.gnu.org)

Message-ID:871s5txq8p.fsf@gmail.com

Leo Famulari <leo@famulari.name> writes:

Toggle quote (16 lines)> On Mon, Dec 31, 2018 at 07:15:42AM +0800, Alex Vong wrote:
>> Tags: security
>> 
>> Hello,
>> 
>> This patch series mainly fixes the latest CVEs found in libextractor,
>> but it also upgrades other gnunet related packages to their latest
>> version.
>> 
>> Please also note that the versioning scheme for guile-gnunet is changed
>> to use that of 'git-version'. Unfortunately, this would break
>> "guix package --upgrade". But I think this change needs to be made at
>> some point anyway, so we may as well do it now.
>
> Thanks, please push :)

Pushed as 1983a9b0a50ff759f2d192d7fa0f7ad0fb1e1384 -

5651e74cc6c1d1b8a2ef1d40e6f14e1123a7de97!

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCXC6d5wAKCRBh71Au9gJS

8tX2AP4kA/biaCtAJ51e1bGCUcICYnnjeGXDEyABe7i3z/nOVAD/Q9Esmh2WvcTv

8+XfHmArcOxZVJctpMz7EpoNk/q4Bwo=

=uXRd

-----END PGP SIGNATURE-----

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 33933@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date