GNU bug report logs - #46959
[PATCH 0/1] WIP: gnu: newlib: Fix CVE-2021-3420.

Message received at 46959 <at> debbugs.gnu.org:

Received: (at 46959) by debbugs.gnu.org; 9 Mar 2021 07:58:21 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Mar 09 02:58:21 2021
Received: from localhost ([127.0.0.1]:45532 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lJXG1-0000Ma-0q
	for submit <at> debbugs.gnu.org; Tue, 09 Mar 2021 02:58:21 -0500
Received: from mira.cbaines.net ([212.71.252.8]:39198)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mail@HIDDEN>) id 1lJXFz-0000MQ-GK
 for 46959 <at> debbugs.gnu.org; Tue, 09 Mar 2021 02:58:20 -0500
Received: from localhost (unknown [IPv6:2a02:8010:68c1:0:8ac0:b4c7:f5c8:7caa])
 by mira.cbaines.net (Postfix) with ESMTPSA id C5D3427BC50;
 Tue,  9 Mar 2021 07:58:18 +0000 (GMT)
Received: from capella (localhost [127.0.0.1])
 by localhost (OpenSMTPD) with ESMTP id 2c464445;
 Tue, 9 Mar 2021 07:58:18 +0000 (UTC)
References: <20210306050410.11022-1-lle-bout@HIDDEN>
 <871rcrnk26.fsf@HIDDEN>
 <3c481b2024c6d2b56afe403814c25472f15e1afe.camel@HIDDEN>
User-agent: mu4e 1.4.15; emacs 27.1
From: Christopher Baines <mail@HIDDEN>
To: =?utf-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN>
Subject: Re: [bug#46959] [PATCH 0/1] WIP: gnu: newlib: Fix CVE-2021-3420.
In-reply-to: <3c481b2024c6d2b56afe403814c25472f15e1afe.camel@HIDDEN>
Date: Tue, 09 Mar 2021 07:58:18 +0000
Message-ID: <875z20bvxh.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 46959
Cc: 46959 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


L=C3=A9o Le Bouter <lle-bout@HIDDEN> writes:

> Hello!
>
> On Sun, 2021-03-07 at 13:57 +0000, Christopher Baines wrote:
>> Any ideas? What packages should build with this change?
>
> If you are saying that this patch I sent here breaks the builds
> (because the newlib-CVE-2021-3420.patch does not apply), yes this is
> intended, I do not have motivation to finish work here, newlib-CVE-
> 2021-3420.patch needs to be backported to the versions we package.

Ok, good to know.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQKlBAEBCgCPFiEEPonu50WOcg2XVOCyXiijOwuE9XcFAmBHKppfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDNF
ODlFRUU3NDU4RTcyMEQ5NzU0RTBCMjVFMjhBMzNCMEI4NEY1NzcRHG1haWxAY2Jh
aW5lcy5uZXQACgkQXiijOwuE9XftdA/+KSrptSuJjbAE8lDGkN+jbrecEeMO1ch5
SYfJUtq8atFpSho6+LCQfhh14n9BJQrfVL4sgBIh0w9x8EyXeClk1n1gaCpqPGke
BLEjSdada/Mo8gs11/VaFDxNvAcB1P7oYPeOfIg/5XUB94etGwM7AIEttcjEG7yH
Ee7RXDOo+DIkGKtGLniED8zdmYtZnMEXa96O6UIRIXkB8+I+OXFjkdYru8BVV0SK
Gd1GzsQL860k51713Lv4gN+K6RlMhi1cdeT0Rd+jsGgCjLleUcpjO8UJ4h9tDYpS
9i6aeuXpsbtkFa/BxfEIvsSUg/E9xBF1JDt+cCf1U4pfh/jJdw+FRWArUwk2bbuQ
L97vobk1x0WpJzV4paQ5tPddE9T4c6sBZOGior6LFSGJLo7+Ih2e7BICU7BH3/1c
B9h8zXGhuPs2VV2gvdSV07JTZqUTDGM0TmuGsAQ42K643tiBZzBaVXscy+4aqdAi
MMRNq4F3LHZ7y3T9Ux92lI+2qO2+XyvOUg6Mj7+ZBt9SWdKEOxD5bGq5Nu7pFzHO
+bjNgjWqWFGW2lgUIpyHTDBcYOwfPyqy81dXpML6IG5tw+LeLHnhUsP+GyGxHJRD
whXv7S6C6P2GUP3iwpwUZFI/lrXJILJUIxvdjvdRewmu/Rq+ROnhA3BucehMPF0z
EioJ15a9wMk=
=IOS2
-----END PGP SIGNATURE-----
--=-=-=--

Message received at 46959 <at> debbugs.gnu.org:

Received: (at 46959) by debbugs.gnu.org; 9 Mar 2021 05:18:07 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Mar 09 00:18:07 2021
Received: from localhost ([127.0.0.1]:45391 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lJUkx-0002EW-A6
	for submit <at> debbugs.gnu.org; Tue, 09 Mar 2021 00:18:07 -0500
Received: from mail.zaclys.net ([178.33.93.72]:40261)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@HIDDEN>) id 1lJUku-0002Dz-Pd
 for 46959 <at> debbugs.gnu.org; Tue, 09 Mar 2021 00:18:05 -0500
Received: from guix-xps.local (82-64-145-38.subs.proxad.net [82.64.145.38])
 (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 1295HvJT041522
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Tue, 9 Mar 2021 06:17:57 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 1295HvJT041522
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@HIDDEN
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1615267078;
 bh=Vhcv9mSrMw50lhZbfPYCK+4WMvLAZnqpV79ykKabMEI=;
 h=Subject:From:To:Cc:Date:In-Reply-To:References:From;
 b=mWqnbmoT+gBtSd7/Jhm1Kxc2wEIrFSbG7x41/qczKVhCUrHNBXVU9sLDb5neydD9G
 YKtvpqeJVdA1Y+S6jsdkqnbVdiYAy+XcxEggQJdIoZzdMVOY9o7azbjGz56PvNkEZ6
 DP5ronYyqVVi0F1NKhFjbkJx3v79UkY4csGL2xSU=
Message-ID: <3c481b2024c6d2b56afe403814c25472f15e1afe.camel@HIDDEN>
Subject: Re: [bug#46959] [PATCH 0/1] WIP: gnu: newlib: Fix CVE-2021-3420.
From: =?ISO-8859-1?Q?L=E9o?= Le Bouter <lle-bout@HIDDEN>
To: Christopher Baines <mail@HIDDEN>
Date: Tue, 09 Mar 2021 06:17:52 +0100
In-Reply-To: <871rcrnk26.fsf@HIDDEN>
References: <20210306050410.11022-1-lle-bout@HIDDEN>
 <871rcrnk26.fsf@HIDDEN>
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-FfUFy0zUOgm+Ul6H1Jqy"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 46959
Cc: 46959 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


--=-FfUFy0zUOgm+Ul6H1Jqy
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello!

On Sun, 2021-03-07 at 13:57 +0000, Christopher Baines wrote:
> Any ideas? What packages should build with this change?

If you are saying that this patch I sent here breaks the builds
(because the newlib-CVE-2021-3420.patch does not apply), yes this is
intended, I do not have motivation to finish work here, newlib-CVE-
2021-3420.patch needs to be backported to the versions we package.

I do not know if these packages are actually used by anyone either.

L=C3=A9o

--=-FfUFy0zUOgm+Ul6H1Jqy
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBHBQAACgkQRaix6GvN
EKZ0ehAAtY0gUsSgVuJBu42EZImz42Lq93sGw4BVctZH0XxAxljn1eV5iXMHZJ6M
zTUlWvUwTgszHYJuZyA4mM9KXk3zBf6Z6HbhBak/w+9hoYPQM94OBq2ItdnxkTOF
HLKSy9wpUTZBXShuzsXaYhm2z+zSv4eGJeoNbDtAiR1/02ttvG3rDvUiz9o1rAs7
7T/x4CQxw6sPhXje7cJZ+txWHCgs7G4yglEKIeppAXzCQWsqDSv1WplzdxEpwldV
AeT3AK0aRGykVC04pWp3z7PzoU4svInGdWdz/3dB0ZBULWN/LnkM1AuXKFSbmRd3
ZGG5wbwfhOyfbchE+PucxujuCBqb6ELtVMRwx9lV7N/C753gjGRyBdUEiXnDaDU6
tCV7nWakRO+jinTc+a9RMBA1/rWx9p7WjHwR+pdjwEwbACj67jddLKEYZsd1ibSd
Q5noLjBl6mw0nQRjjOIyT6qgPS9MHk7ZGvMa29t1LIXbWeh1gN1TsJAyM8FOkzBE
G7u0EH82pEDaK5jnAUCf0N1ap05L5O54rXniXnVd1wo9WQ6+xYt+Ct6eXUZxjj3K
rnahY33JAYWc83ZMC4cKspZ4ClLFb5cVF3b9Th9DEXUgiMcdR35oSpFI1nsxRyY3
lpYsGa9pn5YXKpQX8lP2k+XNTheGnfSVr7dDLHwucjrfkO5AAIk=
=8rrB
-----END PGP SIGNATURE-----

--=-FfUFy0zUOgm+Ul6H1Jqy--

Message received at 46959 <at> debbugs.gnu.org:

Received: (at 46959) by debbugs.gnu.org; 7 Mar 2021 13:57:13 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Mar 07 08:57:13 2021
Received: from localhost ([127.0.0.1]:39008 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lItuC-0006JB-Lu
	for submit <at> debbugs.gnu.org; Sun, 07 Mar 2021 08:57:12 -0500
Received: from mira.cbaines.net ([212.71.252.8]:53628)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mail@HIDDEN>) id 1lItu9-0006J0-VO
 for 46959 <at> debbugs.gnu.org; Sun, 07 Mar 2021 08:57:10 -0500
Received: from localhost (unknown [IPv6:2a02:8010:68c1:0:8ac0:b4c7:f5c8:7caa])
 by mira.cbaines.net (Postfix) with ESMTPSA id 0C3D927BC50;
 Sun,  7 Mar 2021 13:57:09 +0000 (GMT)
Received: from capella (localhost [127.0.0.1])
 by localhost (OpenSMTPD) with ESMTP id 77d9d817;
 Sun, 7 Mar 2021 13:57:08 +0000 (UTC)
References: <20210306050410.11022-1-lle-bout@HIDDEN>
User-agent: mu4e 1.4.15; emacs 27.1
From: Christopher Baines <mail@HIDDEN>
To: =?utf-8?Q?L=C3=A9o?= Le Bouter <lle-bout@HIDDEN>
Subject: Re: [bug#46959] [PATCH 0/1] WIP: gnu: newlib: Fix CVE-2021-3420.
In-reply-to: <20210306050410.11022-1-lle-bout@HIDDEN>
Date: Sun, 07 Mar 2021 13:57:05 +0000
Message-ID: <871rcrnk26.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 46959
Cc: 46959 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


L=C3=A9o Le Bouter via Guix-patches via <guix-patches@HIDDEN> writes:

> newlib-CVE-2021-3420.patch needs backporting to the versions of newlib it=
 is
> being applied to, so if you are interested or a user of those packages pl=
ease
> finish the work, otherwise well CVE-2021-3420 will probably remain unfixe=
d.
>
> The versions of newlib are too old and too specific for it to be
> maintainable security-wise, especially considering upstream does not seem=
 to
> maintain older versions at all. I don't think GNU Guix should take that r=
ole,
> but of course the people who depend on these packages can ensure they are=
 good
> enough for themselves, otherwise contribute changes.
>
> L=C3=A9o Le Bouter (1):
>   gnu: newlib: Fix CVE-2021-3420.
>
>  gnu/local.mk                                  |   1 +
>  gnu/packages/embedded.scm                     |   6 +-
>  .../patches/newlib-CVE-2021-3420.patch        | 105 ++++++++++++++++++
>  3 files changed, 110 insertions(+), 2 deletions(-)
>  create mode 100644 gnu/packages/patches/newlib-CVE-2021-3420.patch

Hey,

Looking at [1] and following through the "View comparison" links, it
seems that there's some problems applying the patch added here, I can't
see a case where it's applied successfully.

1: https://patches.guix-patches.cbaines.net/project/guix-patches/patch/2021=
0306050521.11571-1-lle-bout@HIDDEN/

Unfortunately this data is still a bit hidden, but if you click on
"Compare package derivations", get all the results, then find
newlib@HIDDEN and look at the build for x86_64-linux, you
should get to this page [2] and from the "Required failed builds", I'm
guessing the source part of the package build has failed.

2: https://data.guix-patches.cbaines.net/build-server/5/build?build_server_=
build_id=3Ddd289414-7653-4b63-8b3c-7a55cdf55820

Any ideas? What packages should build with this change?

Thanks,

Chris

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQKlBAEBCgCPFiEEPonu50WOcg2XVOCyXiijOwuE9XcFAmBE27FfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDNF
ODlFRUU3NDU4RTcyMEQ5NzU0RTBCMjVFMjhBMzNCMEI4NEY1NzcRHG1haWxAY2Jh
aW5lcy5uZXQACgkQXiijOwuE9XcYbg/9FtshF5jHipG1Hj77sHNp1IwinQU4rJxD
RTpdebExGr6ojVsBx0SlpBriVEmS7icA+7O4rhmGxxJapmn+tYSaJqMx2io/tzIn
tv9wjq2t0qrMCNRMA3CQWoW54yaKBIJOn/UezNCxEnfb63KPhQP6Ulg2iC6z8g3U
3S2bQM2LeC/XD0pojz3TyLre8hyabv7jzDpUGj1JEbpxK7+n2ypKiPO2TxeRu4tm
0ln9hiq3sr5+lKHfVhLz0rtDIFr3LxiuyI7t4OwKR8T49TMiDI9R9wyUqVpOzMRC
EdcIxQKiviVCw+dbQke0fxRNvlqEexV3fLA9QV94K9z2OFowYwgAtXF1jYy7mqWU
/taDlaBf0uWUBx//x8jMOOsQm0l7M/r1MVVtfaLDrNN5LiSNzly0n6fhDNlr7wQM
1e5HTdSGacAWBlmpuWKgpMsJLbiRN4QbPz98ukVqCMDoCxoHzfKLpQT9kVLjS7Pz
u3qcWlt1ICWtPd1sm7tuxuGqIGjzgj6oBF6FvUjx8S9E+s1TVymNVWkwSR9EQaFF
lcQ8D06Ux9NOSGT37865xNgBRlpQzH0ogyqlSNNupk+hw7GLjjtsAN4QE7Sqma/C
Cvxo8b/hx6F4132uZOEt1jA5ILR+Bh7wpV4o9baBIkHD+NL5kciSubs+6KL0fzy7
s7ur4mP1GIA=
=RYxy
-----END PGP SIGNATURE-----
--=-=-=--

Message received at 46959 <at> debbugs.gnu.org:

Received: (at 46959) by debbugs.gnu.org; 6 Mar 2021 05:05:48 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Mar 06 00:05:48 2021
Received: from localhost ([127.0.0.1]:35871 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lIP8N-00015z-Ix
	for submit <at> debbugs.gnu.org; Sat, 06 Mar 2021 00:05:47 -0500
Received: from mail.zaclys.net ([178.33.93.72]:36097)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@HIDDEN>) id 1lIP8L-00015m-I6
 for 46959 <at> debbugs.gnu.org; Sat, 06 Mar 2021 00:05:46 -0500
Received: from localhost.localdomain (82-64-145-38.subs.proxad.net
 [82.64.145.38]) (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12655dik006864
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO);
 Sat, 6 Mar 2021 06:05:39 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12655dik006864
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@HIDDEN
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1615007139;
 bh=z6YxpJtB2Kroh1loQXP5K2TzrnW802w1UoNFqiTZbPA=;
 h=From:To:Cc:Subject:Date:From;
 b=PrpcLUVPER11gTZoco2mwWHFsbdM6TTGMqrltCZ83vQ8oSrnh4Lsg02ed94ecanW0
 1PZlrxUx8pC1tgaB1I7bHe2shQKLA+h9KNoVV+vUIiJlqYSMAP1dmboElj6cvB0BRa
 Idohe/3EEWyN6l53eFtucqmX3s6UFgLMt9L7B81w=
From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@HIDDEN>
To: 46959 <at> debbugs.gnu.org
Subject: [PATCH] gnu: newlib: Fix CVE-2021-3420.
Date: Sat,  6 Mar 2021 06:05:21 +0100
Message-Id: <20210306050521.11571-1-lle-bout@HIDDEN>
X-Mailer: git-send-email 2.30.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 46959
Cc: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

* gnu/packages/patches/newlib-CVE-2021-3420.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/embedded.scm (newlib-arm-none-eabi,
newlib-arm-none-eabi-7-2018-q2-update): Apply it.
---
 gnu/local.mk                                  |   1 +
 gnu/packages/embedded.scm                     |   6 +-
 .../patches/newlib-CVE-2021-3420.patch        | 105 ++++++++++++++++++
 3 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/newlib-CVE-2021-3420.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index fb3b395852..d0260b5921 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1397,6 +1397,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/netsurf-system-utf8proc.patch		\
   %D%/packages/patches/netsurf-y2038-tests.patch		\
   %D%/packages/patches/netsurf-longer-test-timeout.patch	\
+  %D%/packages/patches/newlib-CVE-2021-3420.patch		\
   %D%/packages/patches/nfs4-acl-tools-0.3.7-fixpaths.patch	\
   %D%/packages/patches/ngircd-handle-zombies.patch		\
   %D%/packages/patches/network-manager-plugin-path.patch	\
diff --git a/gnu/packages/embedded.scm b/gnu/packages/embedded.scm
index 51ee244f3c..72dbdf7385 100644
--- a/gnu/packages/embedded.scm
+++ b/gnu/packages/embedded.scm
@@ -173,7 +173,8 @@
                                   version ".tar.gz"))
               (sha256
                (base32
-                "01i7qllwicf05vsvh39qj7qp5fdifpvvky0x95hjq39mbqiksnsl"))))
+                "01i7qllwicf05vsvh39qj7qp5fdifpvvky0x95hjq39mbqiksnsl"))
+              (patches (search-patches "newlib-CVE-2021-3420.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:out-of-source? #t
@@ -339,7 +340,8 @@ usable on embedded products.")
          (file-name (git-file-name "newlib" commit))
          (sha256
           (base32
-           "1dq23fqrk75g1a4v7569fvnnw5q440zawbxi3w0g05n8jlqsmvcy"))))
+           "1dq23fqrk75g1a4v7569fvnnw5q440zawbxi3w0g05n8jlqsmvcy"))
+         (patches (search-patches "newlib-CVE-2021-3420.patch"))))
       (arguments
        (substitute-keyword-arguments (package-arguments newlib-arm-none-eabi)
          ;; The configure flags are identical to the flags used by the "GCC ARM
diff --git a/gnu/packages/patches/newlib-CVE-2021-3420.patch b/gnu/packages/patches/newlib-CVE-2021-3420.patch
new file mode 100644
index 0000000000..f7834664b5
--- /dev/null
+++ b/gnu/packages/patches/newlib-CVE-2021-3420.patch
@@ -0,0 +1,105 @@
+From aa106b29a6a8a1b0df9e334704292cbc32f2d44e Mon Sep 17 00:00:00 2001
+From: Corinna Vinschen <vinschen@HIDDEN>
+Date: Tue, 17 Nov 2020 10:50:57 +0100
+Subject: [PATCH] malloc/nano-malloc: correctly check for out-of-bounds
+ allocation reqs
+
+The overflow check in mEMALIGn erroneously checks for INT_MAX,
+albeit the input parameter is size_t.  Fix this to check for
+__SIZE_MAX__ instead.  Also, it misses to check the req against
+adding the alignment before calling mALLOc.
+
+While at it, add out-of-bounds checks to pvALLOc, nano_memalign,
+nano_valloc, and Cygwin's (unused) dlpvalloc.
+
+Signed-off-by: Corinna Vinschen <corinna@HIDDEN>
+---
+ newlib/libc/stdlib/mallocr.c      |  7 ++++++-
+ newlib/libc/stdlib/nano-mallocr.c | 22 +++++++++++++++++++++-
+ winsup/cygwin/malloc.cc           |  4 ++++
+ 3 files changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/newlib/libc/stdlib/mallocr.c b/newlib/libc/stdlib/mallocr.c
+index 9ad720ada..13d014cc8 100644
+--- a/newlib/libc/stdlib/mallocr.c
++++ b/newlib/libc/stdlib/mallocr.c
+@@ -3055,7 +3055,7 @@ Void_t* mEMALIGn(RARG alignment, bytes) RDECL size_t alignment; size_t bytes;
+   nb = request2size(bytes);
+ 
+   /* Check for overflow. */
+-  if (nb > INT_MAX || nb < bytes)
++  if (nb > __SIZE_MAX__ - (alignment + MINSIZE) || nb < bytes)
+   {
+     RERRNO = ENOMEM;
+     return 0;
+@@ -3172,6 +3172,11 @@ Void_t* pvALLOc(RARG bytes) RDECL size_t bytes;
+ #endif
+ {
+   size_t pagesize = malloc_getpagesize;
++  if (bytes > __SIZE_MAX__ - pagesize)
++  {
++    RERRNO = ENOMEM;
++    return 0;
++  }
+   return mEMALIGn (RCALL pagesize, (bytes + pagesize - 1) & ~(pagesize - 1));
+ }
+ 
+diff --git a/newlib/libc/stdlib/nano-mallocr.c b/newlib/libc/stdlib/nano-mallocr.c
+index 6dbfba84b..1e0703948 100644
+--- a/newlib/libc/stdlib/nano-mallocr.c
++++ b/newlib/libc/stdlib/nano-mallocr.c
+@@ -580,8 +580,22 @@ void * nano_memalign(RARG size_t align, size_t s)
+     if ((align & (align-1)) != 0) return NULL;
+ 
+     align = MAX(align, MALLOC_ALIGN);
++
++    /* Make sure ma_size does not overflow */
++    if (s > __SIZE_MAX__ - CHUNK_ALIGN)
++    {
++	RERRNO = ENOMEM;
++	return NULL;
++    }
+     ma_size = ALIGN_SIZE(MAX(s, MALLOC_MINSIZE), CHUNK_ALIGN);
+-    size_with_padding = ma_size + align - MALLOC_ALIGN;
++
++    /* Make sure size_with_padding does not overflow */
++    if (ma_size > __SIZE_MAX__ - (align - MALLOC_ALIGN))
++    {
++	RERRNO = ENOMEM;
++	return NULL;
++    }
++    size_with_padding = ma_size + (align - MALLOC_ALIGN);
+ 
+     allocated = nano_malloc(RCALL size_with_padding);
+     if (allocated == NULL) return NULL;
+@@ -644,6 +658,12 @@ void * nano_valloc(RARG size_t s)
+ #ifdef DEFINE_PVALLOC
+ void * nano_pvalloc(RARG size_t s)
+ {
++    /* Make sure size given to nano_valloc does not overflow */
++    if (s > __SIZE_MAX__ - MALLOC_PAGE_ALIGN)
++    {
++	RERRNO = ENOMEM;
++	return NULL;
++    }
+     return nano_valloc(RCALL ALIGN_SIZE(s, MALLOC_PAGE_ALIGN));
+ }
+ #endif /* DEFINE_PVALLOC */
+diff --git a/winsup/cygwin/malloc.cc b/winsup/cygwin/malloc.cc
+index 23c354074..8a1fc257e 100644
+--- a/winsup/cygwin/malloc.cc
++++ b/winsup/cygwin/malloc.cc
+@@ -5298,6 +5298,10 @@ void* dlpvalloc(size_t bytes) {
+   size_t pagesz;
+   ensure_initialization();
+   pagesz = mparams.page_size;
++  if (bytes > MAX_REQUEST) {
++    MALLOC_FAILURE_ACTION;
++    return NULL;
++  }
+   return dlmemalign(pagesz, (bytes + pagesz - SIZE_T_ONE) & ~(pagesz - SIZE_T_ONE));
+ }
+ 
+-- 
+2.27.0
+
-- 
2.30.1

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 6 Mar 2021 05:04:26 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Mar 06 00:04:26 2021
Received: from localhost ([127.0.0.1]:35866 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lIP74-00013c-5Z
	for submit <at> debbugs.gnu.org; Sat, 06 Mar 2021 00:04:26 -0500
Received: from lists.gnu.org ([209.51.188.17]:60948)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@HIDDEN>) id 1lIP70-00013T-OS
 for submit <at> debbugs.gnu.org; Sat, 06 Mar 2021 00:04:25 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:58076)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@HIDDEN>)
 id 1lIP70-0003d3-HP
 for guix-patches@HIDDEN; Sat, 06 Mar 2021 00:04:22 -0500
Received: from mail.zaclys.net ([178.33.93.72]:42793)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@HIDDEN>)
 id 1lIP6y-0002sK-AL
 for guix-patches@HIDDEN; Sat, 06 Mar 2021 00:04:21 -0500
Received: from localhost.localdomain (82-64-145-38.subs.proxad.net
 [82.64.145.38]) (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12654HlK006703
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO);
 Sat, 6 Mar 2021 06:04:17 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12654HlK006703
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@HIDDEN
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1615007058;
 bh=j+C/3iLSVI9lvRSE1dLQs/nQIaGQZ28cKt5FgKUl/iU=;
 h=From:To:Cc:Subject:Date:From;
 b=cQ4GNMfWINw7N+B8+Mt0J1BT50h+g8XH8CuASHPdP1ZcXtl4BHnkSENP+WVoIGJ5v
 8tZz7IQ7aV2WerKf6+vo5+YBREFPIcU5fATZ9QeSNGIACR75moIkiipUJn8w2eViGo
 STB2pYh/qPBKvahNlvmwiklVcRYjoHddqJHjBXPM=
From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH 0/1] WIP: gnu: newlib: Fix CVE-2021-3420.
Date: Sat,  6 Mar 2021 06:04:09 +0100
Message-Id: <20210306050410.11022-1-lle-bout@HIDDEN>
X-Mailer: git-send-email 2.30.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@HIDDEN;
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
Cc: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

newlib-CVE-2021-3420.patch needs backporting to the versions of newlib it is
being applied to, so if you are interested or a user of those packages please
finish the work, otherwise well CVE-2021-3420 will probably remain unfixed.

The versions of newlib are too old and too specific for it to be
maintainable security-wise, especially considering upstream does not seem to
maintain older versions at all. I don't think GNU Guix should take that role,
but of course the people who depend on these packages can ensure they are good
enough for themselves, otherwise contribute changes.

Léo Le Bouter (1):
  gnu: newlib: Fix CVE-2021-3420.

 gnu/local.mk                                  |   1 +
 gnu/packages/embedded.scm                     |   6 +-
 .../patches/newlib-CVE-2021-3420.patch        | 105 ++++++++++++++++++
 3 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/newlib-CVE-2021-3420.patch

-- 
2.30.1