branch master updated: gnu: zstd: Downgrade to 1.4.4 and make security g
From: |
guix-commits |
Subject: |
branch master updated: gnu: zstd: Downgrade to 1.4.4 and make security graft saner. |
Date: |
Mon, 29 Mar 2021 20:22:20 -0400 |
This is an automated email from the git hooks/post-receive script.
lle_bout pushed a commit to branch master
in repository guix.
The following commit(s) were added to refs/heads/master by this push:
new 9feef62 gnu: zstd: Downgrade to 1.4.4 and make security graft saner.
9feef62 is described below
commit 9feef62b73e284e106717a386624d6da90750a3d
Author: Léo Le Bouter <lle-bout@zaclys.net>
AuthorDate: Tue Mar 30 02:10:19 2021 +0200
gnu: zstd: Downgrade to 1.4.4 and make security graft saner.
* gnu/packages/patches/zstd-CVE-2021-24031_CVE-2021-24032.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/compression.scm (zstd-1.4.9): Remove.
(zstd/fixed): New variable. Apply patch.
(zstd)[replacement]: Graft with zstd/fixed.
---
gnu/local.mk | 1 +
gnu/packages/compression.scm | 19 +++---
.../zstd-CVE-2021-24031_CVE-2021-24032.patch | 68 ++++++++++++++++++++++
3 files changed, 76 insertions(+), 12 deletions(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 40732ca..deb4ddc 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1824,6 +1824,7 @@ dist_patch_DATA =
\
%D%/packages/patches/yggdrasil-extra-config.patch \
%D%/packages/patches/ytnef-CVE-2021-3403.patch \
%D%/packages/patches/ytnef-CVE-2021-3404.patch \
+ %D%/packages/patches/zstd-CVE-2021-24031_CVE-2021-24032.patch \
%D%/packages/patches/zziplib-CVE-2018-16548.patch
MISC_DISTRO_FILES = \
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index ef73e60..5ed4b4c 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -1409,7 +1409,7 @@ or junctions, and always follows hard links.")
"v" version "/zstd-" version ".tar.gz"))
(sha256
(base32 "05ckxap00qvc0j51d3ci38150cxsw82w7s9zgd5fgzspnzmp1vsr"))))
- (replacement zstd-1.4.9)
+ (replacement zstd/fixed)
(build-system gnu-build-system)
(outputs '("out" ;1.2MiB executables and documentation
"lib" ;1.2MiB shared library and headers
@@ -1469,21 +1469,16 @@ speed.")
license:public-domain ; zlibWrapper/examples/fitblk*
license:zlib)))) ; zlibWrapper/{gz*.c,gzguts.h}
-(define-public zstd-1.4.9
+(define zstd/fixed
(package
(inherit zstd)
- (name "zstd")
- (version "1.4.9")
(source
(origin
- (method url-fetch)
- (uri (string-append
"https://github.com/facebook/zstd/releases/download/"
- "v" version "/zstd-" version ".tar.gz"))
- (sha256
- (base32 "14yj7309gsvg39rki4xqnd6w5idmqi0655v1fc0mk1m2kvhp9b19"))))
- (arguments
- (substitute-keyword-arguments (package-arguments zstd)
- ((#:tests? _ #t) #f)))))
+ (inherit (package-source zstd))
+ (patches
+ (search-patches
+ ;; From Ubuntu focal-security
+ "zstd-CVE-2021-24031_CVE-2021-24032.patch"))))))
(define-public pzstd
(package/inherit zstd
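Review bot: The `;; From Ubuntu focal-security` comment on the `search-patches` call gives no way to verify the patch's provenance from the package definition itself, even though the patch's own DEP-3 header names the upstream fix. I would extend the comment to `;; From Ubuntu focal-security; upstream commit a774c5797399040af62db21d8a9b9769e005430e (facebook/zstd#2491).` so a later maintainer can diff the vendored patch against upstream and drop the graft once a patched release is packaged. Since `zstd/fixed` inherits `zstd` unchanged apart from the patched source, the replacement presumably keeps the same name and version, which is what a graft needs; a one-line comment on the `(define zstd/fixed` stating that this is a graft target and must stay version-identical to `zstd` would make that invariant explicit. Note that the patch touches only `programs/fileio.c` and `programs/util.[ch]`, i.e. the command-line tool, so the grafted `lib` output is rebuilt but its contents are not expected to change.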
diff --git a/gnu/packages/patches/zstd-CVE-2021-24031_CVE-2021-24032.patch
b/gnu/packages/patches/zstd-CVE-2021-24031_CVE-2021-24032.patch
new file mode 100644
index 0000000..48b5eb1
--- /dev/null
+++ b/gnu/packages/patches/zstd-CVE-2021-24031_CVE-2021-24032.patch
@@ -0,0 +1,68 @@
+Description: fix race condition allowing attackers to access destination file
+ This commit addresses https://github.com/facebook/zstd/issues/2491.
+ .
+ Note that a downside of this solution is that it is global: `umask()` affects
+ all file creation calls in the process. I believe this is safe since
+ `fileio.c` functions should only ever be used in the zstd binary, and these
+ are (almost) the only files ever created by zstd, and AIUI they're only
+ created in a single thread. So we can get away with messing with global state.
+ .
+ Note that this doesn't change the permissions of files created by `dibio.c`.
+ I'm not sure what those should be...
+Author: W. Felix Handte <w@felixhandte.com>
+Origin: upstream
+Bug: https://github.com/facebook/zstd/issues/2491
+Bug-Debian: https://github.com/facebook/zstd/issues/2491
+Applied-Upstream: commit:a774c5797399040af62db21d8a9b9769e005430e
+Reviewed-by: Étienne Mollier <etienne.mollier@mailoo.org>
+Last-Update: 2021-03-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/programs/fileio.c
++++ b/programs/fileio.c
+@@ -606,11 +606,11 @@ FIO_openDstFile(FIO_prefs_t* const prefs
+ FIO_remove(dstFileName);
+ } }
+
+- { FILE* const f = fopen( dstFileName, "wb" );
++ { const int old_umask = UTIL_umask(0177); /* u-x,go-rwx */
++ FILE* const f = fopen( dstFileName, "wb" );
++ UTIL_umask(old_umask);
+ if (f == NULL) {
+ DISPLAYLEVEL(1, "zstd: %s: %s\n", dstFileName, strerror(errno));
+- } else if(srcFileName != NULL && strcmp (srcFileName, stdinmark)) {
+- chmod(dstFileName, 00600);
+ }
+ return f;
+ }
+--- a/programs/util.c
++++ b/programs/util.c
+@@ -54,6 +54,15 @@ int UTIL_getFileStat(const char* infilen
+ return 1;
+ }
+
++int UTIL_umask(int mode) {
++#if PLATFORM_POSIX_VERSION > 0
++ return umask(mode);
++#else
++ /* do nothing, fake return value */
++ return mode;
++#endif
++}
++
+ int UTIL_setFileStat(const char *filename, stat_t *statbuf)
+ {
+ int res = 0;
+--- a/programs/util.h
++++ b/programs/util.h
+@@ -136,6 +136,10 @@ int UTIL_isSameFile(const char* file1, c
+ int UTIL_compareStr(const void *p1, const void *p2);
+ int UTIL_isCompressedFile(const char* infilename, const char
*extensionList[]);
+ const char* UTIL_getFileExtension(const char* infilename);
++/**
++ * Wraps umask(). Does nothing when the platform doesn't have that concept.
++ */
++int UTIL_umask(int mode);
+
+ #ifndef _MSC_VER
+ U32 UTIL_isFIFO(const char* infilename);
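Review bot: The `UTIL_umask(0177)` around `fopen(dstFileName, "wb")` only constrains the mode of a file that `fopen` newly creates; when `dstFileName` already exists, `"wb"` truncates it and leaves its existing permission bits untouched, so the 0600 guarantee depends on the overwrite path that calls `FIO_remove(dstFileName)` (the start of that branch and of `FIO_openDstFile` lie outside this hunk) having actually removed the old file. I would document that dependency next to the umask, e.g. `/* umask only governs newly created files; an existing dstFileName must have been removed above */`, and, if the callers cannot guarantee removal, consider `open(dstFileName, O_WRONLY|O_CREAT|O_EXCL, 0600)` followed by `fdopen` on POSIX so that a pre-existing or attacker-planted destination is rejected rather than reused. Also worth noting in the patch description: the removed `chmod(dstFileName, 00600)` applied only when the source was not stdin, whereas the new code creates every destination 0600, so output written from a stdin pipe now also starts restricted. `UTIL_umask` takes and returns `int` while `umask()` uses `mode_t`; that is fine for the 0177 value used here, but the non-POSIX stub returns its argument, so the restore call is a no-op there, which the header comment should say.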