Re: Chicken security bugs [was Re: [peter@more-magic.net: Irregex packages should be updated to 0.9.6]]

[Kei Kebreau]

Kei Kebreau <k...@openmailbox.org> writes:

> Leo Famulari <l...@famulari.name> writes:
>
>> On Sat, Dec 24, 2016 at 02:23:43PM -0500, Kei Kebreau wrote:
>>> Leo Famulari <l...@famulari.name> writes:
>>> > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
>>> >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
>>> >> 
>>> >> *
>>> >> gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch:
>>> >> New file.
>>> >> * gnu/local.mk (dist_patch_DATA): Use it.
>>> >> * gnu/packages/scheme.scm (chicken)[source]: Use it.
>>> >
>>> > Thank you for looking into this!
>>> >
>>> > Something like this patch is in CHICKEN 4.11.1:
>>> >
>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea
>>> >
>>> > And there is a patch for the IrRegex bug after the latest tag:
>>> >
>>> > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a
>>> >
>>> > Can you try updating CHICKEN and applying that IrRegex patch?
>>> 
>>> I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN
>>> binary due to its build system requirements. Do we have any objection to
>>> bootstrapping CHICKEN 4.11.1 from version 4.11.0?
>>
>> Interesting!
>>
>> I don't see why we shouldn't use 4.11.0 to bootstrap 4.11.1.
>>
>> Changing the build system like that seems unusual for a minor point
>> release, and I don't see it documented in the 4.11.1 NEWS file:
>>
>> https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=blob;f=NEWS;h=545d68583c8375bd5243ec07a53faff9ec1685a3;hb=116f42e7a3eab2a02b853fd038af3cb3aadad5c3
>>
>
> I must have phrased that too vaguely. It's just a "building from release
> tarball vs from git checkout" thing, documented in the README file of
> both releases. I've been having trouble with the seemingly identical
> test suite using the attached WIP patch. Perhaps the dreary wheather is
> clouding my thoughts.
>

Update! I found a file "types.db" that is unwritable. However, changing
access permissions in the (hackish) way I've done in the patch makes the
build's hash time-dependent.

>> One way or another, we should fix these bugs in our package. Thanks for
>> taking care of it :)
>
> You're welcome!

Merry Grav-Mass, BTW. :)

From 0f55ac1274b30f714b9454d623d860ef6f710da6 Mon Sep 17 00:00:00 2001
From: Kei Kebreau <k...@openmailbox.org>
Date: Sun, 25 Dec 2016 00:31:53 -0500
Subject: [PATCH] gnu: chicken: Update to 4.11.1.

* gnu/packages/scheme.scm (chicken): Update to 4.11.1.
---
 gnu/packages/scheme.scm | 52 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 50 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index 78f387faf..0ad449ae2 100644
--- a/gnu/packages/scheme.scm
+++ b/gnu/packages/scheme.scm
@@ -320,9 +320,9 @@ applications in many fields such as multimedia (web 
galleries, music players,
 mashups, office (web agendas, mail clients, ...), etc.")
     (license gpl2+)))
 
-(define-public chicken
+(define chicken-4.11.0
   (package
-    (name "chicken")
+    (name "chicken-4.11.0")
     (version "4.11.0")
     (source (origin
              (method url-fetch)
@@ -374,6 +374,54 @@ produces portable and efficient C, supports almost all of 
the R5RS Scheme
 language standard, and includes many enhancements and extensions.")
     (license bsd-3)))
 
+(define-public chicken
+  (package
+    (inherit chicken-4.11.0)
+    (name "chicken")
+    (version "4.11.1")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://code.call-cc.org/git/chicken-core.git";)
+                    (commit version)))
+              (sha256
+               (base32
+                "1a0jxi5k2n2dx7zn9blynd9lg45v2w4jnh24d67lqazasricgs1k"))))
+    (arguments
+     `(;; No `configure' script; run "make check" after "make install" as
+       ;; prescribed by README.
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure)
+         (delete 'check)
+         (add-after 'install 'check
+           (assoc-ref %standard-phases 'check))
+         (add-after 'unpack 'disable-broken-tests
+           (lambda _
+             ;; The port tests fail with this error:
+             ;; Error: (line 294) invalid escape-sequence '\x o'
+             (substitute* "tests/runtests.sh"
+               (("\\$interpret -s port-tests\\.scm") "")
+               (("mkdir -p test-repository")
+                (string-append "mkdir -p test-repository\n"
+                               "chmod 644 ../types.db")))
+             #t)))
+
+       #:make-flags (let ((out (assoc-ref %outputs "out"))
+                          (chicken-binary
+                           (string-append
+                            (assoc-ref %build-inputs "chicken-4.11.0")
+                            "/bin/chicken")))
+                      (list "PLATFORM=linux"
+                            (string-append "PREFIX=" out)
+                            (string-append "VARDIR=" out "/var/lib")
+                            (string-append "CHICKEN=" chicken-binary)))
+
+       ;; Parallel builds are not supported, as noted in README.
+       #:parallel-build? #f))
+    (inputs
+     `(("chicken-4.11.0" ,chicken-4.11.0))))) ; necessary for building from git
+
 (define-public scheme48
   (package
     (name "scheme48")
-- 
2.11.0

signature.asc
Description: PGP signature