| Message ID | 20210525202407.383e1713@perso.pw |
|---|---|
| State | New |
| Headers | show |
| Series | [bug#48656] gnu: lz4: Add a patch for CVE-2021-3520. | expand |
| Context | Check | Description |
|---|---|---|
| cbaines/applying patch | fail | View Laminar job |
| cbaines/issue | success | View issue |
On Tue, May 25, 2021 at 08:24:07PM +0200, Solene Rapenne via Guix-patches via wrote: > This imports a patch that is not committed upstream yet > but pending for merge on github > > https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7 > > This is already widely used in many distributions distributing lz4 > > --- > gnu/packages/compression.scm | 7 +++++-- > gnu/packages/patches/lz4-CVE-2021-3520.patch | 15 +++++++++++++++ When adding a new patch file, you have to register it in 'gnu/local.mk'. Is there any discussion about this upstream? Why isn't it included in lz4 yet?
On Tue, May 25, 2021 at 03:07:05PM -0400, Leo Famulari wrote: > Is there any discussion about this upstream? Why isn't it included in > lz4 yet? I found approval from the lz4 maintainers: https://github.com/lz4/lz4/pull/972#issuecomment-830192743 https://github.com/lz4/lz4/pull/972#issuecomment-799719118
Leo Famulari <leo@famulari.name> writes: > On Tue, May 25, 2021 at 03:07:05PM -0400, Leo Famulari wrote: >> Is there any discussion about this upstream? Why isn't it included in >> lz4 yet? > > I found approval from the lz4 maintainers: > > https://github.com/lz4/lz4/pull/972#issuecomment-830192743 > https://github.com/lz4/lz4/pull/972#issuecomment-799719118 It seems there's some uncertainty w.r.t. the validity of the CVE [0], but since then a release has been made that pulls the changes discussed in issue 972 into lz4 release 1.9.4.
Jelle Licht <jlicht@fsfe.org> writes: > Leo Famulari <leo@famulari.name> writes: > >> On Tue, May 25, 2021 at 03:07:05PM -0400, Leo Famulari wrote: >>> Is there any discussion about this upstream? Why isn't it included in >>> lz4 yet? >> >> I found approval from the lz4 maintainers: >> >> https://github.com/lz4/lz4/pull/972#issuecomment-830192743 >> https://github.com/lz4/lz4/pull/972#issuecomment-799719118 > > It seems there's some uncertainty w.r.t. the validity of the CVE [0], > but since then a release has been made that pulls the changes discussed > in issue 972 into lz4 release 1.9.4. With [0] being: https://github.com/lz4/lz4/issues/1037#issuecomment-1283560779
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 64816a30c0..53ab999151 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -33,6 +33,7 @@ ;;; Copyright © 2021 Antoine Côté <antoine.cote@posteo.net> ;;; Copyright © 2021 Vincent Legoll <vincent.legoll@gmail.com> ;;; Copyright © 2021 Simon Tournier <zimon.toutoune@gmail.com> +;;; Copyright © 2021 Solene Rapenne <solene@perso.pw> ;;; ;;; This file is part of GNU Guix. ;;; @@ -810,15 +811,17 @@ decompression of some loosely related file formats used by Microsoft.") (commit (string-append "v" version)))) (sha256 (base32 "1w02kazh1fps3sji2sn89fz862j1199c5ajrqcgl1bnlxj09kcbz")) + (patches + (search-patches "lz4-CVE-2021-3520.patch")) (file-name (git-file-name name version)))) (build-system gnu-build-system) (outputs (list "out" "static")) (native-inputs - `(;; For tests. + `( ;; For tests. ("python" ,python) ("valgrind" ,valgrind))) (arguments - `(;; Not designed for parallel testing. + `( ;; Not designed for parallel testing. ;; See https://github.com/lz4/lz4/issues/957#issuecomment-737419821 #:parallel-tests? #f #:test-target "test" diff --git a/gnu/packages/patches/lz4-CVE-2021-3520.patch b/gnu/packages/patches/lz4-CVE-2021-3520.patch new file mode 100644 index 0000000000..100baa4758 --- /dev/null +++ b/gnu/packages/patches/lz4-CVE-2021-3520.patch @@ -0,0 +1,15 @@ +Not merged patch fixing CVE-2021-3520 +https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7 + +Index: b/lib/lz4.c +--- a/lib/lz4.c.orig ++++ b/lib/lz4.c +@@ -1749,7 +1749,7 @@ LZ4_decompress_generic( + const size_t dictSize /* note : = 0 if noDict */ + ) + { +- if (src == NULL) { return -1; } ++ if ((src == NULL) || (outputSize < 0)) { return -1; } + + { const BYTE* ip = (const BYTE*) src; + const BYTE* const iend = ip + srcSize;