[PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.

2 participants
  • Alex Vong
  • Leo Famulari
Owner
unassigned
Submitted by
Alex Vong
Severity
normal
Alex Vong wrote on 31 Dec 2018 00:15
(address . guix-patches@gnu.org)(address . alexvong1995@gmail.com)
87pntihaht.fsf@gmail.com
Tags: security

Hello,

This patch series mainly fixes the latest CVEs found in libextractor,
but it also upgrades other gnunet related packages to their latest
version.

Please also note that the versioning scheme for guile-gnunet is changed
to use that of 'git-version'. Unfortunately, this would break
"guix package --upgrade". But I think this change needs to be made at
some point anyway, so we may as well do it now.

Cheers,
Alex
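The cover letter's caveat that the new guile-gnunet version string would not be picked up by "guix package --upgrade", worked through as an added example that is not part of this thread or of Guix itself: a dpkg-style version comparison (the ordering Guix's version-compare is assumed here to follow), applied to the old "0.0.<commit>" string and the git-version string from patch 4/4. The git_version and upgrade_offered helpers are illustrative, not Guix's own API.

```python
import re
from itertools import zip_longest

def _order(c: str) -> int:
    """dpkg-style rank of one non-digit character: '~' sorts before
    everything (even end of string); letters sort before other symbols."""
    if c == "~":
        return -1
    if c == "":          # end of string
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _compare_non_digits(a: str, b: str) -> int:
    for ca, cb in zip_longest(a, b, fillvalue=""):
        d = _order(ca) - _order(cb)
        if d:
            return d
    return 0

_TOKEN = re.compile(r"(\D*)(\d*)")   # one non-digit run, then one digit run

def version_compare(a: str, b: str) -> int:
    """Return <0, 0 or >0 as A sorts before, equal to or after B (dpkg rules)."""
    pos_a = pos_b = 0
    while pos_a < len(a) or pos_b < len(b):
        ma, mb = _TOKEN.match(a, pos_a), _TOKEN.match(b, pos_b)
        d = _compare_non_digits(ma.group(1), mb.group(1))
        if d:
            return d
        d = int(ma.group(2) or 0) - int(mb.group(2) or 0)   # numeric compare
        if d:
            return d
        pos_a, pos_b = ma.end(), mb.end()
    return 0

def git_version(base: str, revision: str, commit: str) -> str:
    """Same shape as Guix's git-version: BASE-REVISION.<7-char commit prefix>."""
    return f"{base}-{revision}.{commit[:7]}"

def upgrade_offered(installed: str, candidate: str) -> bool:
    """An upgrade is offered only when CANDIDATE sorts strictly after INSTALLED."""
    return version_compare(candidate, installed) > 0

# Commits copied from patch 4/4; the old scheme was "0.0." + 7-char prefix.
OLD_VERSION = "0.0." + "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"[:7]
NEW_VERSION = git_version("0.0", "1", "d12167ab3c8d7d6caffd9c606e389ef043760602")
```

Because "." ranks after "-" in this ordering, the old "0.0.383eac2" sorts after "0.0-1.d12167a", so a user on the old version is never offered the new one; the ordinary bumps in the series (1.7 to 1.8, 0.9.59 to 0.9.62) compare as expected.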

Alex Vong wrote on 31 Dec 2018 00:18
[PATCH 1/4] gnu: libextractor: Update to 1.8.
(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)
87lg46had7.fsf@gmail.com
From 8cb16fb98e444bdbed44f73038aa74d2a4a306f1 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:48:50 +0800
Subject: [PATCH 1/4] gnu: libextractor: Update to 1.8.

* gnu/packages/gnunet.scm (libextractor): Update to 1.8.
---
gnu/packages/gnunet.scm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index d1dc8fd58..4a6952076 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -7,6 +7,7 @@
;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is>
;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -67,14 +68,14 @@
(define-public libextractor
(package
(name "libextractor")
- (version "1.7")
+ (version "1.8")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/libextractor/libextractor-"
version ".tar.gz"))
(sha256
(base32
- "13wf6vj7mkv6gw8h183cnk7m24ir0gyf198pyb2148ng4klgv9p0"))))
+ "1z1cb35griqzvshqdv5ck98dy0sgpsswn7fgiy7lbzi34sma8dg2"))))
(build-system gnu-build-system)
;; WARNING: Checks require /dev/shm to be in the build chroot, especially
;; not to be a symbolic link to /run/shm.
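Review bot: the hunk changes only the version and the sha256, so the whole security value of this bump rests on that one base32 string; before pushing, the hash should be confirmed by fetching the 1.8 tarball and checking it against the upstream signature rather than trusting a single mirror download. The commit message should also say that 1.8 is the base the CVE fix in 2/4 applies to, since "Update to 1.8" alone gives no hint that this is part of a security series.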
--
2.20.1

Alex Vong wrote on 31 Dec 2018 00:18
[PATCH 2/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.
(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)
87h8euhacj.fsf@gmail.com

Alex Vong wrote on 31 Dec 2018 00:19
[PATCH 3/4] gnu: libmicrohttpd: Update to 0.9.62.
(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)
87d0pihabm.fsf@gmail.com
From c5b57304b0ec12d44ffb749befd00fb0e4d92c0f Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:54:04 +0800
Subject: [PATCH 3/4] gnu: libmicrohttpd: Update to 0.9.62.

* gnu/packages/gnunet.scm (libmicrohttpd): Update to 0.9.62.
---
gnu/packages/gnunet.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index d9e903734..79584fcf0 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -148,14 +148,14 @@ tool to extract metadata from a file and print the results.")
(define-public libmicrohttpd
(package
(name "libmicrohttpd")
- (version "0.9.59")
+ (version "0.9.62")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/libmicrohttpd/libmicrohttpd-"
version ".tar.gz"))
(sha256
(base32
- "0g4jgnv43yddr9yxrqg11632rip0lg5c53gmy5wy3c0i1dywv74v"))))
+ "0jfvi1fb4im3a3m8qishbmzx3zch993c0mhvl2k92l1zf1yhjgmx"))))
(build-system gnu-build-system)
(inputs
`(("curl" ,curl)
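Review bot: this jumps three releases (0.9.59 to 0.9.62) with a one-line commit message; in a series tagged security it is worth one sentence saying whether any of the skipped libmicrohttpd releases carry fixes that matter to GNUnet, or that this is a routine refresh, and the new sha256 should be checked against the upstream signature as for 1/4. Keeping it as its own commit, as done here, is right: it can be reverted without touching the libextractor fix.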
--
2.20.1

Alex Vong wrote on 31 Dec 2018 00:19
[PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)
878t06haau.fsf@gmail.com
From 8009339b00ce374fadea36e964d0fcbcb85ed044 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 07:00:39 +0800
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.

* gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
[version]: Use git-version.
[source]: Use git-file-name.
---
gnu/packages/gnunet.scm | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 79584fcf0..b00c8848a 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
(home-page "https://gnunet.org/")))
(define-public guile-gnunet ;GSoC 2015!
- (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
+ (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
+ (revision "1"))
(package
(name "guile-gnunet")
- (version (string-append "0.0." (string-take commit 7)))
+ (version (git-version "0.0" revision commit))
(source (origin
(method git-fetch)
(uri (git-reference
(url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
(commit commit)))
- (file-name (string-append name "-" version "-checkout"))
+ (git-file-name name version)
(sha256
(base32
- "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
+ "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
(build-system gnu-build-system)
(native-inputs `(("pkg-config" ,pkg-config)
("autoconf" ,autoconf-wrapper)
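Review bot: the line `+ (git-file-name name version)` replaces the whole `(file-name ...)` field with a bare call, so the origin record loses its file-name field and has a stray value between `commit` and `sha256`; it should read `(file-name (git-file-name name version))`, which is what the corrected resend later in this thread uses.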
--
2.20.1

Alex Vong wrote on 31 Dec 2018 00:27
(address . 33933@debbugs.gnu.org)(address . alexvong1995@gmail.com)
871s5yh9yf.fsf@gmail.com
Sorry, the last patch is incorrect. The correct one is here:
From 9c2b78d121e4711f3c42ccc7bbc291beaf45571c Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 07:00:39 +0800
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.

* gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
[version]: Use git-version.
[source]: Use git-file-name.
---
gnu/packages/gnunet.scm | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 79584fcf0..62bb3026d 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
(home-page "https://gnunet.org/")))
(define-public guile-gnunet ;GSoC 2015!
- (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
+ (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
+ (revision "1"))
(package
(name "guile-gnunet")
- (version (string-append "0.0." (string-take commit 7)))
+ (version (git-version "0.0" revision commit))
(source (origin
(method git-fetch)
(uri (git-reference
(url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
(commit commit)))
- (file-name (string-append name "-" version "-checkout"))
+ (file-name (git-file-name name version))
(sha256
(base32
- "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
+ "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
(build-system gnu-build-system)
(native-inputs `(("pkg-config" ,pkg-config)
("autoconf" ,autoconf-wrapper)
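Review bot: the version string moves from "0.0.383eac2" to "0.0-1.d12167a", and the cover letter states this breaks `guix package --upgrade` for users already on the old string; that caveat belongs in the commit message as well, since anyone reading the log later will not see the cover letter. The message could also note why this particular commit was chosen, as a commit-based version gives no release to anchor it to.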
--
2.20.1
Alex Vong <alexvong1995@gmail.com> writes:

> From 8009339b00ce374fadea36e964d0fcbcb85ed044 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Mon, 31 Dec 2018 07:00:39 +0800
> Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
>
> * gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
> [version]: Use git-version.
> [source]: Use git-file-name.
> ---
> gnu/packages/gnunet.scm | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
> index 79584fcf0..b00c8848a 100644
> --- a/gnu/packages/gnunet.scm
> +++ b/gnu/packages/gnunet.scm
> @@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
> (home-page "https://gnunet.org/")))
>
> (define-public guile-gnunet ;GSoC 2015!
> - (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
> + (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
> + (revision "1"))
> (package
> (name "guile-gnunet")
> - (version (string-append "0.0." (string-take commit 7)))
> + (version (git-version "0.0" revision commit))
> (source (origin
> (method git-fetch)
> (uri (git-reference
> (url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
> (commit commit)))
> - (file-name (string-append name "-" version "-checkout"))
> + (git-file-name name version)
> (sha256
> (base32
> - "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
> + "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
> (build-system gnu-build-system)
> (native-inputs `(("pkg-config" ,pkg-config)
> ("autoconf" ,autoconf-wrapper)

Alex Vong wrote on 3 Jan 2019 14:12
Re: [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.
(address . guix-devel@gnu.org)
87bm4xyjek.fsf@gmail.com
Hello Guix,

I sent the "gnu: libextractor: Fix CVE-2018-{20430,20431}." patch to
https://debbugs.gnu.org/33933 three days ago. libextractor is needed to
build gnunet, so these fixes are important for gnunet users [I am not
(yet) a user though]. Only the first two patches are directly related,
the rest updates various gnunet-related packages.

Btw, for security fixes, how long should I wait before I ping here?

Thanks,
Alex

Leo Famulari wrote on 3 Jan 2019 19:20
Re: [bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 33933@debbugs.gnu.org)
20190103182056.GA2707@jasmine.lan
On Mon, Dec 31, 2018 at 07:15:42AM +0800, Alex Vong wrote:
> Tags: security
>
> Hello,
>
> This patch series mainly fixes the latest CVEs found in libextractor,
> but it also upgrades other gnunet related packages to their latest
> version.
>
> Please also note that the versioning scheme for guile-gnunet is changed
> to use that of 'git-version'. Unfortunately, this would break
> "guix package --upgrade". But I think this change needs to be made at
> some point anyway, so we may as well do it now.

Thanks, please push :)


Leo Famulari wrote on 3 Jan 2019 20:29
(name . Alex Vong)(address . alexvong1995@gmail.com)
20190103192918.GA5598@jasmine.lan
On Thu, Jan 03, 2019 at 09:12:35PM +0800, Alex Vong wrote:
> Btw, for security fixes, how long should I wait before I ping here?

If you are confident in the fix, it's fine to go ahead and commit if
there is no review. Otherwise, a day or two is probably fine. If the
vulnerability is particularly severe, you could send a reminder to
<guix-security@gnu.org>, or email the maintainers directly.


Alex Vong wrote on 4 Jan 2019 00:42
(address . 33933-done@debbugs.gnu.org)
871s5txq8p.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:

> On Mon, Dec 31, 2018 at 07:15:42AM +0800, Alex Vong wrote:
>> Tags: security
>>
>> Hello,
>>
>> This patch series mainly fixes the latest CVEs found in libextractor,
>> but it also upgrades other gnunet related packages to their latest
>> version.
>>
>> Please also note that the versioning scheme for guile-gnunet is changed
>> to use that of 'git-version'. Unfortunately, this would break
>> "guix package --upgrade". But I think this change needs to be made at
>> some point anyway, so we may as well do it now.
>
> Thanks, please push :)

Pushed as 1983a9b0a50ff759f2d192d7fa0f7ad0fb1e1384 -
5651e74cc6c1d1b8a2ef1d40e6f14e1123a7de97!

Closed