Package: chicken Version: 4.9.0.1-1 Severity: normal Tags: patch pending Dear maintainer,
I've prepared an NMU for chicken (versioned as 4.9.0.1-1.1). The diff is attached to this message. Regards. diff -Nru chicken-4.9.0.1/debian/changelog chicken-4.9.0.1/debian/changelog --- chicken-4.9.0.1/debian/changelog 2014-11-23 19:28:44.000000000 +0100 +++ chicken-4.9.0.1/debian/changelog 2016-05-29 10:46:57.000000000 +0200 @@ -1,3 +1,12 @@ +chicken (4.9.0.1-1.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * CVE-2015-4556: cherry pick patch from upstream repository (Closes: #788833) + * CVE-2014-9651: cherry pick patch from upstream repository (Closes: #775346) + * Add chicken-bin to B-D to prevent FTBFS. + + -- Tobias Frost <t...@debian.org> Sat, 28 May 2016 23:17:57 +0200 + chicken (4.9.0.1-1) unstable; urgency=high * New upstream version; diff -Nru chicken-4.9.0.1/debian/control chicken-4.9.0.1/debian/control --- chicken-4.9.0.1/debian/control 2014-11-23 19:23:35.000000000 +0100 +++ chicken-4.9.0.1/debian/control 2016-05-29 10:37:54.000000000 +0200 @@ -3,7 +3,7 @@ Section: interpreters Priority: optional Maintainer: Davide Puricelli (evo) <e...@debian.org> -Build-Depends: debhelper (>> 5.0.0), texinfo, chrpath +Build-Depends: debhelper (>> 5.0.0), texinfo, chrpath, chicken-bin Standards-Version: 3.8.4.0 Package: chicken-bin diff -Nru chicken-4.9.0.1/debian/patches/CVE-2014-9651.patch chicken-4.9.0.1/debian/patches/CVE-2014-9651.patch --- chicken-4.9.0.1/debian/patches/CVE-2014-9651.patch 1970-01-01 01:00:00.000000000 +0100 +++ chicken-4.9.0.1/debian/patches/CVE-2014-9651.patch 2016-05-28 23:20:41.000000000 +0200 
@@ -0,0 +1,73 @@
+From 230eed2745ea2b57de3c9073e8596892b1da2d8c Mon Sep 17 00:00:00 2001
+From: Moritz Heidkamp <address@hidden>
+Date: Sun, 14 Dec 2014 23:33:52 +0100
+Subject: [PATCH] Fix buffer overrun in substring-index[-ci]
+
+When passing a start index greater than 0, substring-index[-ci] would
+scan past the end of the subject string, leading to bogus results in
+case the substring is accidentally run into beyond the end of the
+subject. This patch fixes the issue and also adds a range check for the
+start index.
+---
+ data-structures.scm | 22 ++++++++++++++--------
+ tests/data-structures-tests.scm | 11 ++++++++++-
+ 2 files changed, 24 insertions(+), 9 deletions(-)
+
+--- a/data-structures.scm
++++ b/data-structures.scm
+@@ -303,15 +303,21 @@
+ (define (traverse which where start test loc)
+ (##sys#check-string which loc)
+ (##sys#check-string where loc)
+- (let ([wherelen (##sys#size where)]
+- [whichlen (##sys#size which)] )
++ (let* ((wherelen (##sys#size where))
++ (whichlen (##sys#size which))
++ (end (fx- wherelen whichlen)))
+ (##sys#check-exact start loc)
+- (let loop ([istart start] [iend whichlen])
+- (cond [(fx> iend wherelen) #f]
+- [(test istart whichlen) istart]
+- [else
+- (loop (fx+ istart 1)
+- (fx+ iend 1) ) ] ) ) ) )
++ (if (and (fx>= start 0)
++ (fx> wherelen start))
++ (let loop ((istart start))
++ (cond ((fx> istart end) #f)
++ ((test istart whichlen) istart)
++ (else (loop (fx+ istart 1)))))
++ (##sys#error-hook (foreign-value "C_OUT_OF_RANGE_ERROR" int)
++ loc
++ start
++ wherelen))))
++
+ (set! ##sys#substring-index
+ (lambda (which where start)
+ (traverse
+--- a/tests/data-structures-tests.scm
++++ b/tests/data-structures-tests.scm
+@@ -1,6 +1,6 @@
+ ;;;; data-structures-tests.scm
+
+-(use data-structures)
++(use data-structures lolevel)
+
+ (define-syntax assert-error
+ (syntax-rules ()
+@@ -54,6 +54,15 @@
+ (assert (string=? "x" (string-translate* "ab" '(("ab" . "x")))))
+ (assert (string=? 
"xy" (string-translate* "xyz" '(("z" . ""))))) + ++ ++;; This used to fail because substring-index and co. used to search ++;; beyond the end of the subject string when a start index > 0 was ++;; provided. We use object-evict to ensure that the strings are placed ++;; in adjacent memory ranges so we can detect this error. ++(let* ((foo (object-evict (make-string 32 #\x))) ++ (bar (object-evict "y"))) ++ (assert (not (substring-index "y" foo 30)))) ++ + ;; topological-sort + + (assert (equal? '() (topological-sort '() eq?))) diff -Nru chicken-4.9.0.1/debian/patches/CVE-2015-4556.patch chicken-4.9.0.1/debian/patches/CVE-2015-4556.patch --- chicken-4.9.0.1/debian/patches/CVE-2015-4556.patch 1970-01-01 01:00:00.000000000 +0100 +++ chicken-4.9.0.1/debian/patches/CVE-2015-4556.patch 2016-05-29 11:00:13.000000000 +0200 @@ -0,0 +1,72 @@ +commit 8a460209d78ed532c0b92e32c21625c4952bde3c +Author: Peter Bex <pe...@more-magic.net> +Date: Sun Jun 14 19:52:26 2015 +0200 + + Fix potential buffer overrun error in string-translate* + + string-translate* would scan from every position in the target string + for each source string in the map, even if that would mean scanning + past the end. The out-of-bounds read would be limited to the size of + the overlapping prefix in the trailing garbage beyond the string, + because memcmp will stop scanning as soon as there is a different + byte in either of the memory areas. + + This also adds a few basic tests for string-translate* + + 
Signed-off-by: Evan Hanson <ev...@foldling.org>
+
+--- a/data-structures.scm
++++ b/data-structures.scm
+@@ -504,7 +504,7 @@
+ (define (string-translate* str smap)
+ (##sys#check-string str 'string-translate*)
+ (##sys#check-list smap 'string-translate*)
+- (let ([len (##sys#size str)])
++ (let ((len (##sys#size str)))
+ (define (collect i from total fs)
+ (if (fx>= i len)
+ (##sys#fragments->string
+@@ -513,15 +513,16 @@
+ (if (fx> i from)
+ (cons (##sys#substring str from i) fs)
+ fs) ) )
+- (let loop ([smap smap])
++ (let loop ((smap smap))
+ (if (null? smap)
+ (collect (fx+ i 1) from (fx+ total 1) fs)
+- (let* ([p (car smap)]
+- [sm (car p)]
+- [smlen (string-length sm)]
+- [st (cdr p)] )
+- (if (##core#inline "C_substring_compare" str sm i 0 smlen)
+- (let ([i2 (fx+ i smlen)])
++ (let* ((p (car smap))
++ (sm (car p))
++ (smlen (string-length sm))
++ (st (cdr p)) )
++ (if (and (fx<= (fx+ i smlen) len)
++ (##core#inline "C_substring_compare" str sm i 0 smlen))
++ (let ((i2 (fx+ i smlen)))
+ (when (fx> i from)
+ (set! fs (cons (##sys#substring str from i) fs)) )
+ (collect
+--- a/tests/data-structures-tests.scm
++++ b/tests/data-structures-tests.scm
+@@ -43,6 +43,17 @@
+ (assert (< 0 (string-compare3-ci "foo\x00b" "foo\x00a")))
+ (assert (< 0 (string-compare3-ci "foo\x00b" "foo\x00A")))
+
++(assert (string=? "bde" (string-translate* "abcd"
++ '(("a" . "b")
++ ("b" . "")
++ ("c" . "d")
++ ("d" . "e")))))
++(assert (string=? "bc" (string-translate* "abc"
++ '(("ab" . "b")
++ ("bc" . "WRONG")))))
++(assert (string=? "x" (string-translate* "ab" '(("ab" . "x")))))
++(assert (string=? "xy" (string-translate* "xyz" '(("z" . "")))))
++
+ ;; topological-sort
+
+ (assert (equal? 
'() (topological-sort '() eq?))) diff -Nru chicken-4.9.0.1/debian/patches/fix-manpages.patch chicken-4.9.0.1/debian/patches/fix-manpages.patch --- chicken-4.9.0.1/debian/patches/fix-manpages.patch 2014-11-23 19:23:35.000000000 +0100 +++ chicken-4.9.0.1/debian/patches/fix-manpages.patch 2016-05-28 23:16:49.000000000 +0200 @@ -1,8 +1,6 @@ -Index: chicken-4.9.0/chicken-install.1 -=================================================================== ---- chicken-4.9.0.orig/chicken-install.1 -+++ chicken-4.9.0/chicken-install.1 -@@ -42,7 +42,7 @@ installation paths if specified. +--- a/chicken-install.1 ++++ b/chicken-install.1 +@@ -42,7 +42,7 @@ .B CHICKEN_REPOSITORY The path where extension libraries are installed. Defaults to the package-library path selected during configuration (usually @@ -11,11 +9,9 @@ ) .SH DOCUMENTATION -Index: chicken-4.9.0/chicken-status.1 -=================================================================== ---- chicken-4.9.0.orig/chicken-status.1 -+++ chicken-4.9.0/chicken-status.1 -@@ -35,7 +35,7 @@ when configuring the system. +--- a/chicken-status.1 ++++ b/chicken-status.1 +@@ -35,7 +35,7 @@ .B CHICKEN_REPOSITORY The path where extension libraries are installed. Defaults to the package-library path selected during configuration (usually @@ -24,11 +20,9 @@ ) -Index: chicken-4.9.0/chicken-uninstall.1 -=================================================================== ---- chicken-4.9.0.orig/chicken-uninstall.1 -+++ chicken-4.9.0/chicken-uninstall.1 -@@ -41,7 +41,7 @@ installation paths if specified. +--- a/chicken-uninstall.1 ++++ b/chicken-uninstall.1 +@@ -41,7 +41,7 @@ .B CHICKEN_REPOSITORY The path where extension libraries are installed. Defaults to the package-library path selected during configuration (usually 
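Review bot: The added guard `(fx<= (fx+ i smlen) len)` in `string-translate*` is also satisfied by an empty source string in `smap`, since `smlen` is then 0 and a zero-length compare presumably matches. In that case `i2` equals `i`, and if `collect` is re-entered at `i2` (its arguments are outside the hunk) the scan never advances and the fragment list keeps growing. Consider requiring a non-empty key in the same `and`, `(fx> smlen 0)`, or rejecting such a map entry up front with an error. The added tests also cannot fail deterministically on the overrun itself; a case built like the object-evict test for substring-index would cover that.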
@@ -37,11 +31,9 @@ ) -Index: chicken-4.9.0/chicken.1 -=================================================================== ---- chicken-4.9.0.orig/chicken.1 -+++ chicken-4.9.0/chicken.1 -@@ -21,10 +21,6 @@ is a compiler and interpreter for the pr +--- a/chicken.1 ++++ b/chicken.1 +@@ -21,10 +21,6 @@ supporting most of the features as described in the .I Revised^5 Report on .I the Algorithmic Language Scheme @@ -52,10 +44,8 @@ For a more convenient interface, see the manual page for csc(1). .SH OPTIONS -Index: chicken-4.9.0/csi.1 -=================================================================== ---- chicken-4.9.0.orig/csi.1 -+++ chicken-4.9.0/csi.1 +--- a/csi.1 ++++ b/csi.1 @@ -3,9 +3,7 @@ .SH NAME diff -Nru chicken-4.9.0.1/debian/patches/series chicken-4.9.0.1/debian/patches/series --- chicken-4.9.0.1/debian/patches/series 2014-11-23 19:23:35.000000000 +0100 +++ chicken-4.9.0.1/debian/patches/series 2016-05-29 10:44:14.000000000 +0200 @@ -1 +1,3 @@ fix-manpages.patch +CVE-2015-4556.patch +CVE-2014-9651.patch