From: Leo Nikkilä
To: 66428@debbugs.gnu.org
Date: Mon, 9 Oct 2023 23:15:44 +0300
Subject: [bug#66428] [PATCH] gnu: libcue: Fix CVE-2023-43641.
Message-ID: <20231009201647.9891-1-hello@lnikki.la>

Fixes a vulnerability in libcue that can result in a nasty RCE exploit under GNOME:

https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/

* gnu/packages/patches/libcue-CVE-2023-43641.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/cdrom.scm (libcue)[source]: Use it.
--- gnu/local.mk | 1 + gnu/packages/cdrom.scm | 3 ++- .../patches/libcue-CVE-2023-43641.patch | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libcue-CVE-2023-43641.patch base-commit: 7937c8827b8d23347a3159b4696335bd19fc17aa diff --git a/gnu/local.mk b/gnu/local.mk index c481aa153a..ff40cf7a9b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk
@@ -1517,6 +1517,7 @@ dist_patch_DATA = \ %D%/packages/patches/libcanberra-sound-theme-freedesktop.patch \ %D%/packages/patches/libcanberra-wayland-crash.patch \ %D%/packages/patches/libcroco-CVE-2020-12825.patch \ + %D%/packages/patches/libcue-CVE-2023-43641.patch \ %D%/packages/patches/libcyaml-libyaml-compat.patch \ %D%/packages/patches/libexpected-use-provided-catch2.patch \ %D%/packages/patches/libgda-cve-2021-39359.patch \ diff --git a/gnu/packages/cdrom.scm b/gnu/packages/cdrom.scm index de31002ac1..d06fe068db 100644 --- a/gnu/packages/cdrom.scm +++ b/gnu/packages/cdrom.scm @@ -560,7 +560,8 @@ (define-public libcue (file-name (git-file-name name version)) (sha256 (base32 - "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm")))) + "1iqw4n01rv2jyk9lksagyxj8ml0kcfwk67n79zy1r6zv1xfp5ywm")) + (patches (search-patches "libcue-CVE-2023-43641.patch")))) (build-system cmake-build-system) (arguments `(#:configure-flags '("-DBUILD_SHARED_LIBS=ON"))) diff --git a/gnu/packages/patches/libcue-CVE-2023-43641.patch b/gnu/packages/patches/libcue-CVE-2023-43641.patch new file mode 100644 index 0000000000..640c197981 --- /dev/null +++ b/gnu/packages/patches/libcue-CVE-2023-43641.patch @@ -0,0 +1,18 @@ +Fix CVE-2023-43641: +https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/ + +Patch from the disclosure post. + +diff --git a/cd.c b/cd.c +index cf77a18..4bbea19 100644 +--- a/cd.c ++++ b/cd.c +@@ -339,7 +339,7 @@ track_get_rem(const Track* track) + + void track_set_index(Track *track, int i, long ind) + { +- if (i > MAXINDEX) { ++ if (i < 0 || i > MAXINDEX) { + fprintf(stderr, "too many indexes\n"); + return; + }
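
Review bot: In the embedded cd.c change inside gnu/packages/patches/libcue-CVE-2023-43641.patch, track_set_index now rejects i < 0 but still reports it through fprintf(stderr, "too many indexes\n"), which is the wrong diagnostic for a negative index. Because the patch is carried as-is from the disclosure post, leaving the message alone is reasonable, but the patch header should then say it is unmodified and name the upstream libcue commit or release that contains the fix, so the patch can be dropped at the next version bump; the blog URL alone does not give that. Only track_set_index is visible in this hunk, so it is also worth checking the libcue source for any other function in cd.c that indexes with a caller-supplied int while testing only the upper bound against MAXINDEX.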