Package: chicken Version: 4.11.0-1 Severity: normal Tags: patch pending Dear maintainer,
I've prepared an NMU for chicken (versioned as 4.12.0-0.1) and uploaded it to DELAYED/10. Please feel free to tell me if I should delay it longer. Regards.
diff -Naur chicken-4.11.0/debian/changelog chicken-4.12.0/debian/changelog --- chicken-4.11.0/debian/changelog 2016-12-14 23:41:18.000000000 +0100 +++ chicken-4.12.0/debian/changelog 2017-10-21 23:32:36.253488867 +0200 @@ -1,3 +1,16 @@ +chicken (4.12.0-0.1) unstable; urgency=medium + + * Non-maintainer upload. + * New upstream release. + - fixes CVE-2016-6830, CVE-2016-6831 (Closes: #834845) + - fixes CVE-2016-9954 (Closes: #851278) + * Cherry pick upstream patches for. Patches are named after the CVE + - CVE-2017-9334 (Closes: #863884) + - CVE-2017-6949 (Closes: #858057) + - CVE-2017-11343 (Closes: #870266) + + -- Tobias Frost <[email protected]> Sat, 21 Oct 2017 23:04:32 +0200 + chicken (4.11.0-1) unstable; urgency=medium * New upstream version; closes: #825720, #844371. diff -Naur chicken-4.11.0/debian/control chicken-4.12.0/debian/control --- chicken-4.11.0/debian/control 2016-12-14 23:41:18.000000000 +0100 +++ chicken-4.12.0/debian/control 2017-10-21 23:44:04.854839506 +0200 @@ -3,7 +3,7 @@ Section: interpreters Priority: optional Maintainer: Davide Puricelli (evo) <[email protected]> -Build-Depends: debhelper (>> 5.0.0), texinfo, chrpath +Build-Depends: debhelper (>> 5.0.0), texinfo, chrpath, chicken-bin Standards-Version: 3.8.4.0 Package: chicken-bin diff -Naur chicken-4.11.0/debian/patches/CVE-2017-11343.patch chicken-4.12.0/debian/patches/CVE-2017-11343.patch --- chicken-4.11.0/debian/patches/CVE-2017-11343.patch 1970-01-01 01:00:00.000000000 +0100 +++ chicken-4.12.0/debian/patches/CVE-2017-11343.patch 2017-10-21 22:43:42.591833518 +0200 @@ -0,0 +1,25 @@ +Origin: http://lists.gnu.org/archive/html/chicken-hackers/2017-06/txtod8Pa1wGU0.txt +From: Peter Bex <address@hidden> +Date: Fri, 30 Jun 2017 15:39:45 +0200 +Subject: [PATCH 2/2] Initialize symbol table after setting up randomization + +Otherwise, the symbol table wouldn't be correctly randomized. +--- +--- a/runtime.c ++++ b/runtime.c +@@ -783,7 +783,6 @@ + C_initial_timer_interrupt_period = INITIAL_TIMER_INTERRUPT_PERIOD; + C_timer_interrupt_counter = INITIAL_TIMER_INTERRUPT_PERIOD; + memset(signal_mapping_table, 0, sizeof(int) * NSIG); +- initialize_symbol_table(); + C_dlerror = "cannot load compiled code dynamically - this is a statically linked executable"; + error_location = C_SCHEME_FALSE; + C_pre_gc_hook = NULL; +@@ -795,6 +794,7 @@ + callback_continuation_level = 0; + gc_ms = 0; + (void)C_randomize(C_fix(time(NULL))); ++ initialize_symbol_table(); + + if (profiling) { + #ifndef C_NONUNIX diff -Naur chicken-4.11.0/debian/patches/CVE-2017-6949.patch chicken-4.12.0/debian/patches/CVE-2017-6949.patch --- chicken-4.11.0/debian/patches/CVE-2017-6949.patch 1970-01-01 01:00:00.000000000 +0100 +++ chicken-4.12.0/debian/patches/CVE-2017-6949.patch 2017-10-21 22:36:46.188872211 +0200 @@ -0,0 +1,126 @@ +Description: Fix for CVE-2017-6949 + Do what C_allocate_vector already does and prevent the creation of a + vector that's too big or too small. + We should be very careful to avoid the latter case because the + allocation size is directly fed into `malloc' as 'x + sizeof(C_header)' + thus making possible to successfully allocate a vector smaller than the + C_header structure and get C_block_header_init to write over + uninitialized memory. + . + To reduce code duplication, type checking is moved from each of the + make-*vector procedures to the common "alloc" helper procedure. + . +Signed-off-by: Peter Bex <[email protected]> +Signed-off-by: Kooda <[email protected]> +Origin: https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=patch;h=68c4e537a29d3f878016e0144c42d0e7ae5d41b4 +Author: LemonBoy <[email protected]> +--- +index 7f5412b..69f58ba 100644 +--- a/srfi-4.scm ++++ b/srfi-4.scm +@@ -255,24 +255,28 @@ EOF + + ;;; Basic constructors: + +-(let* ([ext-alloc +- (foreign-lambda* scheme-object ([int bytes]) +- "C_word *buf = (C_word *)C_malloc(bytes + sizeof(C_header));" ++(let* ((ext-alloc ++ (foreign-lambda* scheme-object ((size_t bytes)) ++ "C_word *buf;" ++ "if (bytes > C_HEADER_SIZE_MASK) C_return(C_SCHEME_FALSE);" ++ "buf = (C_word *)C_malloc(bytes + sizeof(C_header));" + "if(buf == NULL) C_return(C_SCHEME_FALSE);" + "C_block_header_init(buf, C_make_header(C_BYTEVECTOR_TYPE, bytes));" +- "C_return(buf);") ] +- [ext-free +- (foreign-lambda* void ([scheme-object bv]) +- "C_free((void *)C_block_item(bv, 1));") ] +- [alloc ++ "C_return(buf);") ) ++ (ext-free ++ (foreign-lambda* void ((scheme-object bv)) ++ "C_free((void *)C_block_item(bv, 1));") ) ++ (alloc + (lambda (loc len ext?) ++ (##sys#check-exact len loc) ++ (when (fx< len 0) (##sys#error loc "size is negative" len)) + (if ext? +- (let ([bv (ext-alloc len)]) ++ (let ((bv (ext-alloc len))) + (or bv + (##sys#error loc "not enough memory - cannot allocate external number vector" len)) ) +- (let ([bv (##sys#allocate-vector len #t #f #t)]) ; this could be made better... ++ (let ((bv (##sys#allocate-vector len #t #f #t))) ; this could be made better... + (##core#inline "C_string_to_bytevector" bv) +- bv) ) ) ] ) ++ bv) ) ) ) ) + + (set! release-number-vector + (lambda (v) +@@ -282,7 +286,6 @@ EOF + + (set! make-u8vector + (lambda (len #!optional (init #f) (ext? #f) (fin? #t)) +- (##sys#check-exact len 'make-u8vector) + (let ((v (##sys#make-structure 'u8vector (alloc 'make-u8vector len ext?)))) + (when (and ext? fin?) (set-finalizer! v ext-free)) + (if (not init) +@@ -295,7 +298,6 @@ EOF + + (set! make-s8vector + (lambda (len #!optional (init #f) (ext? #f) (fin? #t)) +- (##sys#check-exact len 'make-s8vector) + (let ((v (##sys#make-structure 's8vector (alloc 'make-s8vector len ext?)))) + (when (and ext? fin?) (set-finalizer! v ext-free)) + (if (not init) +@@ -308,7 +310,6 @@ EOF + + (set! make-u16vector + (lambda (len #!optional (init #f) (ext? #f) (fin? #t)) +- (##sys#check-exact len 'make-u16vector) + (let ((v (##sys#make-structure 'u16vector (alloc 'make-u16vector (##core#inline "C_fixnum_shift_left" len 1) ext?)))) + (when (and ext? fin?) (set-finalizer! v ext-free)) + (if (not init) +@@ -321,7 +322,6 @@ EOF + + (set! make-s16vector + (lambda (len #!optional (init #f) (ext? #f) (fin? #t)) +- (##sys#check-exact len 'make-s16vector) + (let ((v (##sys#make-structure 's16vector (alloc 'make-s16vector (##core#inline "C_fixnum_shift_left" len 1) ext?)))) + (when (and ext? fin?) (set-finalizer! v ext-free)) + (if (not init) +@@ -334,7 +334,6 @@ EOF + + (set! make-u32vector + (lambda (len #!optional (init #f) (ext? #f) (fin? #t)) +- (##sys#check-exact len 'make-u32vector) + (let ((v (##sys#make-structure 'u32vector (alloc 'make-u32vector (##core#inline "C_fixnum_shift_left" len 2) ext?)))) + (when (and ext? fin?) (set-finalizer! v ext-free)) + (if (not init) +@@ -347,7 +346,6 @@ EOF + + (set! make-s32vector + (lambda (len #!optional (init #f) (ext? #f) (fin? #t)) +- (##sys#check-exact len 'make-s32vector) + (let ((v (##sys#make-structure 's32vector (alloc 'make-s32vector (##core#inline "C_fixnum_shift_left" len 2) ext?)))) + (when (and ext? fin?) (set-finalizer! v ext-free)) + (if (not init) +@@ -360,7 +358,6 @@ EOF + + (set! make-f32vector + (lambda (len #!optional (init #f) (ext? #f) (fin? #t)) +- (##sys#check-exact len 'make-f32vector) + (let ((v (##sys#make-structure 'f32vector (alloc 'make-f32vector (##core#inline "C_fixnum_shift_left" len 2) ext?)))) + (when (and ext? fin?) (set-finalizer! v ext-free)) + (if (not init) +@@ -375,7 +372,6 @@ EOF + + (set! make-f64vector + (lambda (len #!optional (init #f) (ext? #f) (fin? #t)) +- (##sys#check-exact len 'make-f64vector) + (let ((v (##sys#make-structure + 'f64vector + (alloc 'make-f64vector (##core#inline "C_fixnum_shift_left" len 3) ext?)))) +-- + diff -Naur chicken-4.11.0/debian/patches/CVE-2017-9334.patch chicken-4.12.0/debian/patches/CVE-2017-9334.patch --- chicken-4.11.0/debian/patches/CVE-2017-9334.patch 1970-01-01 01:00:00.000000000 +0100 +++ chicken-4.12.0/debian/patches/CVE-2017-9334.patch 2017-10-21 22:14:01.594841343 +0200 @@ -0,0 +1,26 @@ +Description: Fix for CVE-2017-9334. +Origin: http://lists.nongnu.org/archive/html/chicken-hackers/2017-05/msg00099.html + +--- a/runtime.c ++++ b/runtime.c +@@ -5372,7 +5372,7 @@ + } + } + +- if(C_immediatep(slow) || C_block_header(lst) != C_PAIR_TAG) ++ if(C_immediatep(slow) || C_block_header(slow) != C_PAIR_TAG) + barf(C_NOT_A_PROPER_LIST_ERROR, "length", lst); + + slow = C_u_i_cdr(slow); +--- a/tests/library-tests.scm ++++ b/tests/library-tests.scm +@@ -693,3 +693,9 @@ + (assert (not (member "foo" '("bar")))) + (assert (not (member "foo" '()))) + (assert-fail (member "foo" "foo")) ++ ++ ++;; length ++ ++(assert-fail (length 1)) ++(assert-fail (length '(x . y))) diff -Naur chicken-4.11.0/debian/patches/series chicken-4.12.0/debian/patches/series --- chicken-4.11.0/debian/patches/series 2016-12-14 23:41:03.000000000 +0100 +++ chicken-4.12.0/debian/patches/series 2017-10-21 22:43:33.771770782 +0200 @@ -1 +1,4 @@ fix-manpages.patch +CVE-2017-9334.patch +CVE-2017-6949.patch +CVE-2017-11343.patch diff -Naur chicken-4.11.0/debian/rules chicken-4.12.0/debian/rules --- chicken-4.11.0/debian/rules 2017-10-21 13:34:51.699022666 +0200 +++ chicken-4.12.0/debian/rules 2017-10-22 00:06:14.272983080 +0200 @@ -23,6 +23,7 @@ $(MAKE) clean $(MAKE) distclean rm -f c_defaults.h chicken_defaults.h lib*.so chicken.info-* feathers + grep -l 'Generated from .*\.scm by the CHICKEN compiler' * | xargs rm || /bin/true dh_clean install: build
