Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-04-26 Thread Rob Browning
"Adam D. Barratt"  writes:

> For the record, I retried the build this evening with an explicit
> dependency on the new glibc version (as otherwise it won't get
> automagically upgraded in the chroot) and it built successfully.

Excellent.
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-04-26 Thread Adam D. Barratt
On Wed, 2017-04-26 at 08:20 -0500, Rob Browning wrote:
> "Adam D. Barratt"  writes:
> 
> > That glibc version got accepted last night, so hopefully we'll be in a
> > position to retry the guile-2.0 build later on.
> 
> Great.  Please let me know if I can help further.

For the record, I retried the build this evening with an explicit
dependency on the new glibc version (as otherwise it won't get
automagically upgraded in the chroot) and it built successfully.

Regards,

Adam



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-04-26 Thread Rob Browning
"Adam D. Barratt"  writes:

> That glibc version got accepted last night, so hopefully we'll be in a
> position to retry the guile-2.0 build later on.

Great.  Please let me know if I can help further.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-04-25 Thread Adam D. Barratt
On Tue, 2017-04-25 at 23:23 -0500, Rob Browning wrote:
> Rob Browning  writes:
> 
> > I'll try to get some time this week to run the tests on a porterbox --
> > see if I can reproduce the problem there.
> 
> I was able to reproduce the problem on partch, and then poked around a
> bit.  It looks like this might be a glibc bug that's addressed in
> 2.19-18+deb8u8: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855606
> 
> I tested a trivial C program in jessie and sid chroots that just prints
> sqrt(2.0) and pow(2.0, 0.5) to 70 decimal places.
[...]
> Given that, I suspect that the buildd didn't have that version of libc,
> and if/when they do, the test will be fine.

Aha, interesting - thanks!

That glibc version got accepted last night, so hopefully we'll be in a
position to retry the guile-2.0 build later on.

Regards,

Adam



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-04-25 Thread Rob Browning
Rob Browning  writes:

> I'll try to get some time this week to run the tests on a porterbox --
> see if I can reproduce the problem there.

I was able to reproduce the problem on partch, and then poked around a
bit.  It looks like this might be a glibc bug that's addressed in
2.19-18+deb8u8: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855606

I tested a trivial C program in jessie and sid chroots that just prints
sqrt(2.0) and pow(2.0, 0.5) to 70 decimal places.

jessie (glibc 2.19-18+deb8u7):
  1.41421356237309492343001693370752036571502685546875
  1.414213562373095145474621858738828450441360473632812500

sid (glibc 2.24-10):
  1.414213562373095145474621858738828450441360473632812500
  1.414213562373095145474621858738828450441360473632812500

Then I grabbed the 2.19-18+deb8u8 deb, unpacked it, and

  (jessie_powerpc-dchroot)rlb@partch:~/guile-2.0-2.0.11+1$ LD_LIBRARY_PATH=/home/rlb/libc6_2.19-18+deb8u8/lib/powerpc-linux-gnu ./check-guile fractions.test
  Testing /home/rlb/guile-2.0-2.0.11+1/meta/guile ... fractions.test
  with GUILE_LOAD_PATH=/home/rlb/guile-2.0-2.0.11+1/test-suite
  Running fractions.test

  Totals for this test run:
  passes: 349
  failures:   0
  unexpected passes:  0
  expected failures:  0
  unresolved test cases:  0
  untested test cases:0
  unsupported test cases: 0
  errors: 0

Given that, I suspect that the buildd didn't have that version of libc,
and if/when they do, the test will be fine.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-04-23 Thread Rob Browning
Rob Browning  writes:

> Rob Browning  writes:
>
>> "Adam D. Barratt"  writes:
>>
>>> On Sun, 2017-01-29 at 22:06 +, Adam D. Barratt wrote:
>>>> On Sat, 2017-01-28 at 11:48 +, Adam D. Barratt wrote:
>>>> > Uploaded and flagged for acceptance.
>>>> 
>>>> Unfortunately the powerpc build FTBFS in the "check-guile" test.
>>>> 
>>>> The build log for the most recent attempt can be found at
>>>> https://buildd.debian.org/status/fetch.php?pkg=guile-2.0&arch=powerpc&ver=2.0.11%2B1-9%2Bdeb8u1&stamp=1485708200&raw=0
>>>> 
>>>
>>> Ping?
>>
>> Just uploaded to jessie (please shout if I did that wrong).
>
> Ugh - ignore this upload completely (already rejected).  I got confused
> about where we were.

This looks like the problem:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=20017 and so I've reported
our failure there.  I'll also see about reproducing the problem manually
on a porterbox.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-04-23 Thread Rob Browning
Rob Browning  writes:

> "Adam D. Barratt"  writes:
>
>> On Sun, 2017-01-29 at 22:06 +, Adam D. Barratt wrote:
>>> On Sat, 2017-01-28 at 11:48 +, Adam D. Barratt wrote:
>>> > Uploaded and flagged for acceptance.
>>> 
>>> Unfortunately the powerpc build FTBFS in the "check-guile" test.
>>> 
>>> The build log for the most recent attempt can be found at
>>> https://buildd.debian.org/status/fetch.php?pkg=guile-2.0&arch=powerpc&ver=2.0.11%2B1-9%2Bdeb8u1&stamp=1485708200&raw=0
>>>  
>>
>> Ping?
>
> Just uploaded to jessie (please shout if I did that wrong).

Ugh - ignore this upload completely (already rejected).  I got confused
about where we were.

-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-04-23 Thread Rob Browning
"Adam D. Barratt"  writes:

> On Sun, 2017-01-29 at 22:06 +, Adam D. Barratt wrote:
>> On Sat, 2017-01-28 at 11:48 +, Adam D. Barratt wrote:
>> > Uploaded and flagged for acceptance.
>> 
>> Unfortunately the powerpc build FTBFS in the "check-guile" test.
>> 
>> The build log for the most recent attempt can be found at
>> https://buildd.debian.org/status/fetch.php?pkg=guile-2.0&arch=powerpc&ver=2.0.11%2B1-9%2Bdeb8u1&stamp=1485708200&raw=0
>>  
>
> Ping?

Just uploaded to jessie (please shout if I did that wrong).

I built new packages, and here's the debdiff against current jessie:

diff -Nru guile-2.0-2.0.11+1/debian/.git-dpm guile-2.0-2.0.11+1/debian/.git-dpm
--- guile-2.0-2.0.11+1/debian/.git-dpm	2014-10-06 10:07:49.0 -0500
+++ guile-2.0-2.0.11+1/debian/.git-dpm	2017-04-22 19:15:24.0 -0500
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-fdc2c9e00af5f2721c4e70180d30f45c15adc65a
-fdc2c9e00af5f2721c4e70180d30f45c15adc65a
+6f697cf7a887fcb4163bef810536bb55cf3b11d3
+6f697cf7a887fcb4163bef810536bb55cf3b11d3
 972fb41f0ce124d97f5cf64bde1075510cd21e18
 972fb41f0ce124d97f5cf64bde1075510cd21e18
 guile-2.0_2.0.11+1.orig.tar.bz2
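Review bot: the two `+` lines record the git-dpm patched-tree commit (6f697cf7…), and that id is the same one the October debdiff further down this thread carried, while the upstream-tarball lines (972fb41f…) are untouched; so this hunk is bookkeeping only and needs no change, just a check that 6f697cf7… is really the commit containing both the 0017 and 0018 patches, since the changelog in the next hunk claims both.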
diff -Nru guile-2.0-2.0.11+1/debian/changelog guile-2.0-2.0.11+1/debian/changelog
--- guile-2.0-2.0.11+1/debian/changelog	2014-10-07 14:49:51.0 -0500
+++ guile-2.0-2.0.11+1/debian/changelog	2017-04-22 19:24:21.0 -0500
@@ -1,3 +1,19 @@
+guile-2.0 (2.0.11+1-9+deb8u1) jessie; urgency=medium
+
+  * Fix REPL server vulnerability (CVE-2016-8606).  Add
+0017-REPL-Server-Guard-against-HTTP-inter-protocol-exploi.patch to
+incorporate the fix.  See that file for further information.
+(Closes: 840555)
+
+  * Fix mkdir umask-related vulnerability (CVE-2016-8605).  Previously,
+whenever the second argument to mkdir was omitted, it would
+temporarily change the umask to 0, a change which would also affect
+any concurrent threads.  Add
+0018-Remove-umask-calls-from-mkdir.patch to incorporate the fix.
+See that file for further information. (Closes: 840556)
+
+ -- Rob Browning   Sat, 22 Apr 2017 19:24:21 -0500
+
 guile-2.0 (2.0.11+1-9) unstable; urgency=medium
 
   * Always use "gcc" in guile-snarf.  Avoid the gcc-4.8 CC override that
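Review bot: `(Closes: 840555)` and `(Closes: 840556)` would conventionally be written `Closes: #840555` / `Closes: #840556`; dpkg's changelog parser accepts the form without `#`, so this is only a style point. The entry also uses urgency=medium where the October proposal used urgency=high; for a stable update the release team schedules the upload regardless, so either is acceptable, but the change should be deliberate rather than a leftover from re-dating the entry.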
diff -Nru guile-2.0-2.0.11+1/debian/patches/0017-REPL-Server-Guard-against-HTTP-inter-protocol-exploi.patch guile-2.0-2.0.11+1/debian/patches/0017-REPL-Server-Guard-against-HTTP-inter-protocol-exploi.patch
--- guile-2.0-2.0.11+1/debian/patches/0017-REPL-Server-Guard-against-HTTP-inter-protocol-exploi.patch	1969-12-31 18:00:00.0 -0600
+++ guile-2.0-2.0.11+1/debian/patches/0017-REPL-Server-Guard-against-HTTP-inter-protocol-exploi.patch	2017-04-22 19:15:24.0 -0500
@@ -0,0 +1,337 @@
+From 9de478809f909986c725294d1dc03a317eafa3ff Mon Sep 17 00:00:00 2001
+From: Mark H Weaver 
+Date: Fri, 9 Sep 2016 07:36:52 -0400
+Subject: REPL Server: Guard against HTTP inter-protocol exploitation attacks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported by Christopher Allan Webber 
+Co-authored-by: Ludovic Courtès 
+
+This commit adds protection to Guile's REPL servers against HTTP
+inter-protocol exploitation attacks, a scenario whereby an attacker can,
+via an HTML page, cause a web browser to send data to TCP servers
+listening on a loopback interface or private network.  See
+ and
+, The HTML Form Protocol
+Attack (2001) by Tochen Topf .
+
+Here we add a procedure to 'before-read-hook' that looks for a possible
+HTTP request-line in the first line of input from the client socket.  If
+present, the socket is drained and closed, and a loud warning is written
+to stderr (POSIX file descriptor 2).
+
+* module/system/repl/server.scm: Add 'maybe-check-for-http-request'
+to 'before-read-hook' when this module is loaded.
+(with-temporary-port-encoding, with-saved-port-line+column)
+(drain-input-and-close, permissive-http-request-line?)
+(check-for-http-request, guard-against-http-request)
+(maybe-check-for-http-request): New procedures.
+(serve-client): Use 'guard-against-http-request'.
+* module/system/repl/coop-server.scm (start-repl-client): Use
+'guard-against-http-request'.
+* doc/ref/guile-invoke.texi (Command-line Options): In the description
+of the --listen option, make the security warning more prominent.
+Mention the new protection added here.  Recommend using UNIX domain
+sockets for REPL servers.  "a path to" => "the file name of".
+
+Origin: upstream, http://git.savannah.gnu.org/cgit/guile.git/commit/?id=08c021916dbd3a235a9f9cc33df4c418c0724e03
+Bug-Debian: http://bugs.debian.org/840555
+---
+ doc/ref/guile-invoke.texi  |  20 +++-
+ module/system/repl/coop-server.scm |   7 +-
+ module/system/repl/server.scm  | 182 -
+ 3 files changed, 201 insertions(+), 8 deletions(-)
+
+diff --git a/doc/ref/g
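Review bot: the patch header gives two different upstream commit ids, `From 9de478809f…` at the top and `Origin: upstream, …?id=08c021916d…` at the bottom; one is presumably the stable-2.0 backport and the other the master commit, and the header should say which, so the provenance of a cherry-picked security fix is auditable without a trip to cgit. Two smaller points: "Tochen Topf" in the cited reference is an upstream typo for Jochen Topf (harmless, but worth noting since it is the canonical reference for this attack class), and the hunk is cut off at `+diff --git a/doc/ref/g` in this archive copy, so the texinfo and Scheme changes themselves cannot be reviewed from this message.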

Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-04-22 Thread Adam D. Barratt
On Sun, 2017-01-29 at 22:06 +, Adam D. Barratt wrote:
> On Sat, 2017-01-28 at 11:48 +, Adam D. Barratt wrote:
> > Uploaded and flagged for acceptance.
> 
> Unfortunately the powerpc build FTBFS in the "check-guile" test.
> 
> The build log for the most recent attempt can be found at
> https://buildd.debian.org/status/fetch.php?pkg=guile-2.0&arch=powerpc&ver=2.0.11%2B1-9%2Bdeb8u1&stamp=1485708200&raw=0
>  

Ping?

Regards,

Adam



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-01-29 Thread Adam D. Barratt
On Sat, 2017-01-28 at 11:48 +, Adam D. Barratt wrote:
> Uploaded and flagged for acceptance.

Unfortunately the powerpc build FTBFS in the "check-guile" test.

The build log for the most recent attempt can be found at
https://buildd.debian.org/status/fetch.php?pkg=guile-2.0&arch=powerpc&ver=2.0.11%2B1-9%2Bdeb8u1&stamp=1485708200&raw=0
 

Regards,

Adam



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-01-28 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2017-01-14 at 20:14 +0100, Salvatore Bonaccorso wrote:
> Hi Rob,
> 
> On Sat, Jan 14, 2017 at 12:58:10PM -0600, Rob Browning wrote:
> > Salvatore Bonaccorso  writes:
> > 
> > > Any news on that upload?
> > 
> > I should be able to handle it before Tuesday, but let me make sure I
> > understand what's desired.  We're talking about the 2.0.11+1-9+deb8u1
> > changes I initially proposed?
> 
> Disclaimer: I'm not a stable release manager, just tracking open CVEs
> for jessie which were no-dsa but proposed to be scheduled via a point
> release.
> 
> Yes we are talking about the changes, which Adam Barratt, acked in
> https://bugs.debian.org/841724#24

Uploaded and flagged for acceptance.

Regards,

Adam



Processed: Re: Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-01-28 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #841724 [release.debian.org] jessie-pu: package guile-2.0/2.0.11+1-9
Added tag(s) pending.

-- 
841724: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841724
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-01-14 Thread Salvatore Bonaccorso
Hi Rob,

On Sat, Jan 14, 2017 at 12:58:10PM -0600, Rob Browning wrote:
> Salvatore Bonaccorso  writes:
> 
> > Any news on that upload?
> 
> I should be able to handle it before Tuesday, but let me make sure I
> understand what's desired.  We're talking about the 2.0.11+1-9+deb8u1
> changes I initially proposed?

Disclaimer: I'm not a stable release manager, just tracking open CVEs
for jessie which were no-dsa but proposed to be scheduled via a point
release.

Yes we are talking about the changes, which Adam Barratt, acked in
https://bugs.debian.org/841724#24

Regards,
Salvatore



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-01-14 Thread Rob Browning
Salvatore Bonaccorso  writes:

> Any news on that upload?

I should be able to handle it before Tuesday, but let me make sure I
understand what's desired.  We're talking about the 2.0.11+1-9+deb8u1
changes I initially proposed?

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-01-14 Thread Salvatore Bonaccorso
Hi Rob,

On Thu, Jan 05, 2017 at 08:11:21PM +, Adam D. Barratt wrote:
> Control: tags -1 -moreinfo +confirmed
> 
> On Sat, 2016-10-22 at 14:11 -0500, Rob Browning wrote:
> > "Adam D. Barratt"  writes:
> > 
> > > Control: tags -1 + moreinfo
> > > Control: severity -1 normal
> > >
> > > On Sat, 2016-10-22 at 13:10 -0500, Rob Browning wrote:
> > >> I'd like to propose an update for jessie as described by the attached
> > >> debdiff.  Though the final upload/diff might be slightly different
> > >> (i.e. the dpm hashes).
> > >> 
> > >> Both of the changes (patches) have been cherry-picked from upstream as
> > >> described in the patch headers.
> > >
> > > The security tracker indicates that both issues - CVE-2016-8605 and
> > > CVE-2016-8606 - still affect the guile-2.0 packages in unstable. Is that
> > > correct? If so then that would be a prerequisite to applying the fixes
> > > in stable.
> > 
> > Hmm, well I'm also preparing 2.0.13+1-1 packages for unstable that include
> > (upstream) both fixes.  Should I upload those first?
> 
> That happened in the meantime, so please feel free to go ahead with the
> upload to stable.

Any news on that upload?

Regards,
Salvatore



Processed: Re: Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-01-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -moreinfo +confirmed
Bug #841724 [release.debian.org] jessie-pu: package guile-2.0/2.0.11+1-9
Removed tag(s) moreinfo.
Bug #841724 [release.debian.org] jessie-pu: package guile-2.0/2.0.11+1-9
Added tag(s) confirmed.

-- 
841724: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841724
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2017-01-05 Thread Adam D. Barratt
Control: tags -1 -moreinfo +confirmed

On Sat, 2016-10-22 at 14:11 -0500, Rob Browning wrote:
> "Adam D. Barratt"  writes:
> 
> > Control: tags -1 + moreinfo
> > Control: severity -1 normal
> >
> > On Sat, 2016-10-22 at 13:10 -0500, Rob Browning wrote:
> >> I'd like to propose an update for jessie as described by the attached
> >> debdiff.  Though the final upload/diff might be slightly different
> >> (i.e. the dpm hashes).
> >> 
> >> Both of the changes (patches) have been cherry-picked from upstream as
> >> described in the patch headers.
> >
> > The security tracker indicates that both issues - CVE-2016-8605 and
> > CVE-2016-8606 - still affect the guile-2.0 packages in unstable. Is that
> > correct? If so then that would be a prerequisite to applying the fixes
> > in stable.
> 
> Hmm, well I'm also preparing 2.0.13+1-1 packages for unstable that include
> (upstream) both fixes.  Should I upload those first?

That happened in the meantime, so please feel free to go ahead with the
upload to stable.

Regards,

Adam



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2016-10-22 Thread Rob Browning
"Adam D. Barratt"  writes:

> Control: tags -1 + moreinfo
> Control: severity -1 normal
>
> On Sat, 2016-10-22 at 13:10 -0500, Rob Browning wrote:
>> I'd like to propose an update for jessie as described by the attached
>> debdiff.  Though the final upload/diff might be slightly different
>> (i.e. the dpm hashes).
>> 
>> Both of the changes (patches) have been cherry-picked from upstream as
>> described in the patch headers.
>
> The security tracker indicates that both issues - CVE-2016-8605 and
> CVE-2016-8606 - still affect the guile-2.0 packages in unstable. Is that
> correct? If so then that would be a prerequisite to applying the fixes
> in stable.

Hmm, well I'm also preparing 2.0.13+1-1 packages for unstable that include
(upstream) both fixes.  Should I upload those first?

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2016-10-22 Thread Adam D. Barratt
Control: tags -1 + moreinfo
Control: severity -1 normal

On Sat, 2016-10-22 at 13:10 -0500, Rob Browning wrote:
> I'd like to propose an update for jessie as described by the attached
> debdiff.  Though the final upload/diff might be slightly different
> (i.e. the dpm hashes).
> 
> Both of the changes (patches) have been cherry-picked from upstream as
> described in the patch headers.

The security tracker indicates that both issues - CVE-2016-8605 and
CVE-2016-8606 - still affect the guile-2.0 packages in unstable. Is that
correct? If so then that would be a prerequisite to applying the fixes
in stable.

Regards,

Adam



Processed: Re: Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2016-10-22 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #841724 [release.debian.org] jessie-pu: package guile-2.0/2.0.11+1-9
Added tag(s) moreinfo.
> severity -1 normal
Bug #841724 [release.debian.org] jessie-pu: package guile-2.0/2.0.11+1-9
Severity set to 'normal' from 'important'

-- 
841724: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841724
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#841724: jessie-pu: package guile-2.0/2.0.11+1-9

2016-10-22 Thread Rob Browning

Package: release.debian.org
Severity: important
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I'd like to propose an update for jessie as described by the attached
debdiff.  Though the final upload/diff might be slightly different
(i.e. the dpm hashes).

Both of the changes (patches) have been cherry-picked from upstream as
described in the patch headers.

diff -Nru guile-2.0-2.0.11+1/debian/.git-dpm guile-2.0-2.0.11+1/debian/.git-dpm
--- guile-2.0-2.0.11+1/debian/.git-dpm	2014-10-06 10:07:49.0 -0500
+++ guile-2.0-2.0.11+1/debian/.git-dpm	2016-10-14 00:08:24.0 -0500
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-fdc2c9e00af5f2721c4e70180d30f45c15adc65a
-fdc2c9e00af5f2721c4e70180d30f45c15adc65a
+6f697cf7a887fcb4163bef810536bb55cf3b11d3
+6f697cf7a887fcb4163bef810536bb55cf3b11d3
 972fb41f0ce124d97f5cf64bde1075510cd21e18
 972fb41f0ce124d97f5cf64bde1075510cd21e18
 guile-2.0_2.0.11+1.orig.tar.bz2
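Review bot: these are git-dpm commit ids, and the proposal itself says the dpm hashes may differ in the final upload, so this hunk should be re-checked against the debdiff of the actual upload rather than signed off here; the upstream-tarball lines (972fb41f…) being unchanged is the part worth confirming now, since a stable update must build against the same orig tarball.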
diff -Nru guile-2.0-2.0.11+1/debian/changelog guile-2.0-2.0.11+1/debian/changelog
--- guile-2.0-2.0.11+1/debian/changelog	2014-10-07 14:49:51.0 -0500
+++ guile-2.0-2.0.11+1/debian/changelog	2016-10-22 11:36:24.0 -0500
@@ -1,3 +1,19 @@
+guile-2.0 (2.0.11+1-9+deb8u1) jessie; urgency=high
+
+  * Fix REPL server vulnerability (CVE-2016-8606).  Add
+0017-REPL-Server-Guard-against-HTTP-inter-protocol-exploi.patch to
+incorporate the fix.  See that file for further information.
+(Closes: 840555)
+
+  * Fix mkdir umask-related vulnerability (CVE-2016-8605).  Previously,
+whenever the second argument to mkdir was omitted, it would
+temporarily change the umask to 0, a change which would also affect
+any concurrent threads.  Add
+0018-Remove-umask-calls-from-mkdir.patch to incorporate the fix.
+See that file for further information. (Closes: 840556)
+
+ -- Rob Browning   Sat, 22 Oct 2016 11:36:24 -0500
+
 guile-2.0 (2.0.11+1-9) unstable; urgency=medium
 
   * Always use "gcc" in guile-snarf.  Avoid the gcc-4.8 CC override that
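Review bot: the CVE-2016-8606 entry only says "see that file for further information", whereas the CVE-2016-8605 entry explains the bug (umask temporarily set to 0 process-wide, racing other threads); a one-line description of what the REPL server fix does, along the lines of the patch header below (close the socket when the first line of input looks like an HTTP request-line), would help anyone reading the changelog via apt-listchanges decide whether their REPL server setup is affected. Style: `(Closes: 840555)` is accepted by dpkg but the conventional spelling is `Closes: #840555`.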
diff -Nru guile-2.0-2.0.11+1/debian/patches/0017-REPL-Server-Guard-against-HTTP-inter-protocol-exploi.patch guile-2.0-2.0.11+1/debian/patches/0017-REPL-Server-Guard-against-HTTP-inter-protocol-exploi.patch
--- guile-2.0-2.0.11+1/debian/patches/0017-REPL-Server-Guard-against-HTTP-inter-protocol-exploi.patch	1969-12-31 18:00:00.0 -0600
+++ guile-2.0-2.0.11+1/debian/patches/0017-REPL-Server-Guard-against-HTTP-inter-protocol-exploi.patch	2016-10-14 00:08:23.0 -0500
@@ -0,0 +1,337 @@
+From 9de478809f909986c725294d1dc03a317eafa3ff Mon Sep 17 00:00:00 2001
+From: Mark H Weaver 
+Date: Fri, 9 Sep 2016 07:36:52 -0400
+Subject: REPL Server: Guard against HTTP inter-protocol exploitation attacks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported by Christopher Allan Webber 
+Co-authored-by: Ludovic Courtès 
+
+This commit adds protection to Guile's REPL servers against HTTP
+inter-protocol exploitation attacks, a scenario whereby an attacker can,
+via an HTML page, cause a web browser to send data to TCP servers
+listening on a loopback interface or private network.  See
+ and
+, The HTML Form Protocol
+Attack (2001) by Tochen Topf .
+
+Here we add a procedure to 'before-read-hook' that looks for a possible
+HTTP request-line in the first line of input from the client socket.  If
+present, the socket is drained and closed, and a loud warning is written
+to stderr (POSIX file descriptor 2).
+
+* module/system/repl/server.scm: Add 'maybe-check-for-http-request'
+to 'before-read-hook' when this module is loaded.
+(with-temporary-port-encoding, with-saved-port-line+column)
+(drain-input-and-close, permissive-http-request-line?)
+(check-for-http-request, guard-against-http-request)
+(maybe-check-for-http-request): New procedures.
+(serve-client): Use 'guard-against-http-request'.
+* module/system/repl/coop-server.scm (start-repl-client): Use
+'guard-against-http-request'.
+* doc/ref/guile-invoke.texi (Command-line Options): In the description
+of the --listen option, make the security warning more prominent.
+Mention the new protection added here.  Recommend using UNIX domain
+sockets for REPL servers.  "a path to" => "the file name of".
+
+Origin: upstream, http://git.savannah.gnu.org/cgit/guile.git/commit/?id=08c021916dbd3a235a9f9cc33df4c418c0724e03
+Bug-Debian: http://bugs.debian.org/840555
+---
+ doc/ref/guile-invoke.texi  |  20 +++-
+ module/system/repl/coop-server.scm |   7 +-
+ module/system/repl/server.scm  | 182 -
+ 3 files changed, 201 insertions(+), 8 deletions(-)
+
+diff --git a/doc/ref/guile-invoke.texi b/doc/ref/guile-invoke.texi
+index 95493dd..9353e8a 100644
+--- a/doc/ref/guile-invoke.texi
 b/doc/ref/guile-invoke.texi
+@@ -1,7 +1,7 @@
+ @c -*-texinfo-*-
+ @c This is part of the GNU Guile
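Review bot: the line ` b/doc/ref/guile-invoke.texi` directly after `+--- a/doc/ref/guile-invoke.texi` has lost its `++++` prefix; if that is what is in the shipped 0017 patch file rather than a mail or archive artifact, quilt will refuse the embedded diff, so confirm the patch applies cleanly before upload. As with the later copy of this debdiff, the `From 9de478809f…` and `Origin: …?id=08c021916d…` commit ids differ and the header should state which branch each refers to. The hunk is truncated here, so the substantive code changes are not reviewable from this message.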