
Re: Wheezy update of chicken?



I just had a look at CVE-2016-6830.

https://security-tracker.debian.org/tracker/CVE-2016-6830

refers to:

http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00001.html

Which has the following text:

"A fix has been implemented in master d866ac1 and chicken-5 c598381.
The patch for master can be found at
http://lists.nongnu.org/archive/html/chicken-hackers/2016-07/msg00049.html"

The referenced commits are:

⌁ [brian:~/tree … n/debian-lts/wheezy/chicken/chicken-core] master ± git show c598381
commit c5983812188d01daeaa9bc64e7306f2a34a9f207
Author: Evan Hanson <evhan@foldling.org>
Date:   Fri Aug 12 17:47:58 2016 +1200

    Preserve spawnvp[e] return value in process-spawn

diff --git a/posixwin.scm b/posixwin.scm
index 89edd82..302a91b 100644
--- a/posixwin.scm
+++ b/posixwin.scm
@@ -1173,7 +1173,8 @@ EOF
                    (##core#inline "C_u_i_spawnvpe" mode prg argbuf envbuf)
                    (##core#inline "C_u_i_spawnvp" mode prg argbuf))))
         (when (fx= r -1)
-          (posix-error #:process-error 'process-spawn "cannot spawn process" filename)))))))
+          (posix-error #:process-error 'process-spawn "cannot spawn process" filename))
+        r)))))
 
 (define-foreign-variable _shlcmd c-string "C_shlcmd")
 
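Review bot: the commit message for this posixwin.scm hunk says the return value is preserved but not what was dropping it. Before the change the `when` form was the last expression in the body, so process-spawn returned whatever `when` yields instead of r. Suggest stating that in the message and naming the change that introduced the regression. The hunk touches only the tail of the function; the way prg, argbuf and envbuf are built is outside it.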
⌁ [brian:~/tree … n/debian-lts/wheezy/chicken/chicken-core] master ± git show d866ac1
commit d866ac1962d9d73e652c8efaa54685238c3ec780
Author: Evan Hanson <evhan@foldling.org>
Date:   Fri Aug 12 17:47:58 2016 +1200

    Preserve spawnvp[e] return value in process-spawn

diff --git a/posixwin.scm b/posixwin.scm
index 194889e..cfca11c 100644
--- a/posixwin.scm
+++ b/posixwin.scm
@@ -1166,7 +1166,8 @@ EOF
                    (##core#inline "C_u_i_spawnvpe" mode prg argbuf envbuf)
                    (##core#inline "C_u_i_spawnvp" mode prg argbuf))))
         (when (fx= r -1)
-          (posix-error #:process-error 'process-spawn "cannot spawn process" filename)))))))
+          (posix-error #:process-error 'process-spawn "cannot spawn process" filename))
+        r)))))
 
 (define-foreign-variable _shlcmd c-string "C_shlcmd")
 
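Review bot: no test accompanies the `r` that is now returned at the end of process-spawn in this hunk, so the return value could be lost again without anyone noticing. Suggest adding a test that calls process-spawn and checks the result, plus a short comment at the new line noting that r comes from C_u_i_spawnvpe or C_u_i_spawnvp and that the -1 case has already been turned into a posix-error above it.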
I am not convinced these commits fix this security issue. Please tell me
I am wrong; they look like they would be very simple to apply to
wheezy...

The reference mailing list post:
http://lists.nongnu.org/archive/html/chicken-hackers/2016-07/msg00049.html

contains a more complicated patch:

 NEWS                    |   6 ++
 manual/Acknowledgements |  44 +++++++-------
 posix-common.scm        |  65 +++++++++++++++++++-
 posixunix.scm           |  83 ++++---------------------
 posixwin.scm            | 158 +++++++++++++++---------------------------------
 5 files changed, 154 insertions(+), 202 deletions(-)

It looks like this patch involves refactoring of the code, which is
going to make it more complicated to apply to the wheezy version.
-- 
Brian May <bam@debian.org>

