[PATCH] gnu: lz4: Add a patch for CVE-2021-3520.

Details
3 participants
  • Jelle Licht
  • Leo Famulari
  • Solene Rapenne
Owner
unassigned
Submitted by
Solene Rapenne
Severity
normal
Solene Rapenne wrote on 25 May 2021 20:24
(address . guix-patches@gnu.org)
20210525202407.383e1713@perso.pw
This imports a patch that is not committed upstream yet
but pending for merge on github


This is already widely used in many distributions distributing lz4

---
gnu/packages/compression.scm | 7 +++++--
gnu/packages/patches/lz4-CVE-2021-3520.patch | 15 +++++++++++++++
2 files changed, 20 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/lz4-CVE-2021-3520.patch

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 64816a30c0..53ab999151 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -33,6 +33,7 @@
;;; Copyright © 2021 Antoine Côté <antoine.cote@posteo.net>
;;; Copyright © 2021 Vincent Legoll <vincent.legoll@gmail.com>
;;; Copyright © 2021 Simon Tournier <zimon.toutoune@gmail.com>
+;;; Copyright © 2021 Solene Rapenne <solene@perso.pw>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -810,15 +811,17 @@ decompression of some loosely related file formats used by Microsoft.")
(commit (string-append "v" version))))
(sha256
(base32 "1w02kazh1fps3sji2sn89fz862j1199c5ajrqcgl1bnlxj09kcbz"))
+ (patches
+ (search-patches "lz4-CVE-2021-3520.patch"))
(file-name (git-file-name name version))))
(build-system gnu-build-system)
(outputs (list "out" "static"))
(native-inputs
- `(;; For tests.
+ `( ;; For tests.
("python" ,python)
("valgrind" ,valgrind)))
(arguments
- `(;; Not designed for parallel testing.
+ `( ;; Not designed for parallel testing.
;; See https://github.com/lz4/lz4/issues/957#issuecomment-737419821
#:parallel-tests? #f
#:test-target "test"
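Review bot: The two whitespace-only changes in this hunk, `(;; For tests.` to `( ;; For tests.` and the same edit on the `;; Not designed for parallel testing.` line, are unrelated to the CVE fix and should be dropped, so that the hunk is limited to the new `(patches (search-patches "lz4-CVE-2021-3520.patch"))` field. The diffstat lists only compression.scm and the new patch file, so the patch file is also not registered in gnu/local.mk.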
diff --git a/gnu/packages/patches/lz4-CVE-2021-3520.patch b/gnu/packages/patches/lz4-CVE-2021-3520.patch
new file mode 100644
index 0000000000..100baa4758
--- /dev/null
+++ b/gnu/packages/patches/lz4-CVE-2021-3520.patch
@@ -0,0 +1,15 @@
+Not merged patch fixing CVE-2021-3520
+https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
+
+Index: b/lib/lz4.c
+--- a/lib/lz4.c.orig
++++ b/lib/lz4.c
+@@ -1749,7 +1749,7 @@ LZ4_decompress_generic(
+ const size_t dictSize /* note : = 0 if noDict */
+ )
+ {
+- if (src == NULL) { return -1; }
++ if ((src == NULL) || (outputSize < 0)) { return -1; }
+
+ { const BYTE* ip = (const BYTE*) src;
+ const BYTE* const iend = ip + srcSize;
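Review bot: The header of the new patch file says only "Not merged patch fixing CVE-2021-3520" plus a commit URL; it should state in one line what the change guards against (a negative outputSize passed to LZ4_decompress_generic) and link the upstream discussion, so the patch can be dropped once a release carries the fix. The added test covers outputSize only, while the context line `const BYTE* const iend = ip + srcSize;` uses srcSize with no check visible in this hunk; it is worth confirming that a negative srcSize is rejected elsewhere.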
--
2.31.1
Leo Famulari wrote on 25 May 2021 21:07
(name . Solene Rapenne via Guix-patches via)(address . guix-patches@gnu.org)(address . 48656@debbugs.gnu.org)
YK1K2RvBsq92Feg2@jasmine.lan
On Tue, May 25, 2021 at 08:24:07PM +0200, Solene Rapenne via Guix-patches via wrote:
> This imports a patch that is not committed upstream yet
> but pending for merge on github
>
> https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
>
> This is already widely used in many distributions distributing lz4
>
> ---
> gnu/packages/compression.scm | 7 +++++--
> gnu/packages/patches/lz4-CVE-2021-3520.patch | 15 +++++++++++++++

When adding a new patch file, you have to register it in 'gnu/local.mk'.

Is there any discussion about this upstream? Why isn't it included in
lz4 yet?
Leo Famulari wrote on 25 May 2021 23:51
(name . Solene Rapenne via Guix-patches via)(address . guix-patches@gnu.org)(address . 48656@debbugs.gnu.org)
YK1xXDzfPZKZf5xf@jasmine.lan
On Tue, May 25, 2021 at 03:07:05PM -0400, Leo Famulari wrote:
> Is there any discussion about this upstream? Why isn't it included in
> lz4 yet?

Jelle Licht wrote on 29 May 2023 13:31
Re: bug#48656: [PATCH] gnu: lz4: Add a patch for CVE-2021-3520.
(name . Leo Famulari)(address . leo@famulari.name)(address . 48656@debbugs.gnu.org)
87bki3nzlr.fsf@fsfe.org
Leo Famulari <leo@famulari.name> writes:

> On Tue, May 25, 2021 at 03:07:05PM -0400, Leo Famulari wrote:
>> Is there any discussion about this upstream? Why isn't it included in
>> lz4 yet?
>
> I found approval from the lz4 maintainers:
>
> https://github.com/lz4/lz4/pull/972#issuecomment-830192743
> https://github.com/lz4/lz4/pull/972#issuecomment-799719118

It seems there's some uncertainty w.r.t. the validity of the CVE [0],
but since then a release has been made that pulls the changes discussed
in issue 972 into lz4 release 1.9.4.
Jelle Licht wrote on 29 May 2023 13:43
Re: [bug#48656] [PATCH] gnu: lz4: Add a patch for CVE-2021-3520.
(name . Leo Famulari)(address . leo@famulari.name)(address . 48656@debbugs.gnu.org)
87zg5n2wir.fsf@fsfe.org
Jelle Licht <jlicht@fsfe.org> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Tue, May 25, 2021 at 03:07:05PM -0400, Leo Famulari wrote:
>>> Is there any discussion about this upstream? Why isn't it included in
>>> lz4 yet?
>>
>> I found approval from the lz4 maintainers:
>>
>> https://github.com/lz4/lz4/pull/972#issuecomment-830192743
>> https://github.com/lz4/lz4/pull/972#issuecomment-799719118
>
> It seems there's some uncertainty w.r.t. the validity of the CVE [0],
> but since then a release has been made that pulls the changes discussed
> in issue 972 into lz4 release 1.9.4.
