bug#47614: [security] Chunked store references in .zo files in Racket 8

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#47614: [security] Chunked store references in .zo files in Racket 8

From:	Philip McGrath
Subject:	bug#47614: [security] Chunked store references in .zo files in Racket 8 #47614
Date:	Tue, 6 Apr 2021 21:48:34 -0400
User-agent:	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Thunderbird/78.9.0

Ah, I see the thread for https://issues.guix.gnu.org/47614 wasn't cc'edhere:



-------- Forwarded Message --------

Subject: Re: Racket 8 and store references (was [security] Chunked storereferences in .zo files in Racket 8 #47614)

Date: Tue, 6 Apr 2021 21:38:57 -0400
From: Philip McGrath <philip@philipmcgrath.com>
To: Jack Hill <jackhill@jackhill.us>, Mark H Weaver <mhw@netris.org>
CC: guix-devel@gnu.org

Indeed, I expect this is a more precise diagnosis of the same problem.My patch in https://issues.guix.gnu.org/47180 solves it by putting thestore references (search paths for foreign libraries) in a configurationdata file that isn't compiled, so they don't end up in .zo files in thefirst place.

The .zo format is intentionally undocumented and subject to breakingchange, including from different compilation options. At a minimum, achange to the Racket version number signals a breaking change tocompiled code (e.g. Git is now at 8.0.0.13, so 13 breaking changes sincethe release). Internally, I don't know all the details, but the normal8.0 .zo format has a Racket layer around the Chez Scheme object format,which seems to be very complex: it looks like it supportsuser-configurable compression at the granularity of the individualobject within an object file. So it seems much better to avoid rewriting.zo files altogether.


-Philip

On 4/6/21 9:20 PM, Jack Hill wrote:

On Tue, 6 Apr 2021, Mark H Weaver wrote:

Anyway, I doubt that imposing such a limitation would adequately solve
the problem here of chunked references in Racket 8, because I suspect
that Racket 8 could split store references at arbitrary points in the
string.  I doubt that we can safely assume that the hash component of
store references will be stored contiguously in *.zo files.


Mark and everyone,

I wanted to spin off a subthread on guix-devel, to make you aware ofanother problem that we've run into with reference in .zo gettingmangled: https://issues.guix.gnu.org/47180


Best,
Jack

[Prev in Thread]

Current Thread

[Next in Thread]

bug#47614: [security] Chunked store references in .zo files in Racket 8 #47614, Philip McGrath <=
- bug#47614: [security] Chunked store references in .zo files in Racket 8, Ludovic Courtès, 2021/04/16
  - bug#47614: [security] Chunked store references in .zo files in Racket 8, Philip McGrath, 2021/04/16
  - bug#47614: [security] Chunked store references in .zo files in Racket 8, Mark H Weaver, 2021/04/17

Prev by Date: bug#47225: QEMU warning about performance
Next by Date: bug#45571: Support stable uids and gids for system accounts in a container
Previous by thread: bug#47628: Epiphany fails to launch after webkitgtk-2.32.0 update
Next by thread: bug#47614: [security] Chunked store references in .zo files in Racket 8
Index(es):
- Date
- Thread