Re: Wheezy update of chicken?
I just had a look at CVE-2016-6830.
https://security-tracker.debian.org/tracker/CVE-2016-6830
refers to:
http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00001.html
Which has the following text:
"A fix has been implemented in master d866ac1 and chicken-5 c598381.
The patch for master can be found at
http://lists.nongnu.org/archive/html/chicken-hackers/2016-07/msg00049.html"
The references commits are:
⌁ [brian:~/tree … n/debian-lts/wheezy/chicken/chicken-core] master ± git show c598381
commit c5983812188d01daeaa9bc64e7306f2a34a9f207
Author: Evan Hanson <evhan@foldling.org>
Date: Fri Aug 12 17:47:58 2016 +1200
Preserve spawnvp[e] return value in process-spawn
diff --git a/posixwin.scm b/posixwin.scm
index 89edd82..302a91b 100644
--- a/posixwin.scm
+++ b/posixwin.scm
@@ -1173,7 +1173,8 @@ EOF
(##core#inline "C_u_i_spawnvpe" mode prg argbuf envbuf)
(##core#inline "C_u_i_spawnvp" mode prg argbuf))))
(when (fx= r -1)
- (posix-error #:process-error 'process-spawn "cannot spawn process" filename)))))))
+ (posix-error #:process-error 'process-spawn "cannot spawn process" filename))
+ r)))))
(define-foreign-variable _shlcmd c-string "C_shlcmd")
⌁ [brian:~/tree … n/debian-lts/wheezy/chicken/chicken-core] master ± git show d866ac1
commit d866ac1962d9d73e652c8efaa54685238c3ec780
Author: Evan Hanson <evhan@foldling.org>
Date: Fri Aug 12 17:47:58 2016 +1200
Preserve spawnvp[e] return value in process-spawn
diff --git a/posixwin.scm b/posixwin.scm
index 194889e..cfca11c 100644
--- a/posixwin.scm
+++ b/posixwin.scm
@@ -1166,7 +1166,8 @@ EOF
(##core#inline "C_u_i_spawnvpe" mode prg argbuf envbuf)
(##core#inline "C_u_i_spawnvp" mode prg argbuf))))
(when (fx= r -1)
- (posix-error #:process-error 'process-spawn "cannot spawn process" filename)))))))
+ (posix-error #:process-error 'process-spawn "cannot spawn process" filename))
+ r)))))
(define-foreign-variable _shlcmd c-string "C_shlcmd")
I am not convinced these commits fix this security issue. Please tell me
I am wrong, they look like they would be very simple to apply to
wheezy...
The reference mailing list post:
http://lists.nongnu.org/archive/html/chicken-hackers/2016-07/msg00049.html
contains a more complicated patch:
NEWS | 6 ++
manual/Acknowledgements | 44 +++++++-------
posix-common.scm | 65 +++++++++++++++++++-
posixunix.scm | 83 ++++---------------------
posixwin.scm | 158 +++++++++++++++---------------------------------
5 files changed, 154 insertions(+), 202 deletions(-)
It looks like this patch involves refactoring of the code. Which is
going to make it more complicated applying it to the wheezy version.
--
Brian May <bam@debian.org>
Reply to: