GNU bug report logs

#33933 [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.

PackageSource(s)Maintainer(s)
guix-patches PTS Buildd Popcon
Reply or subscribe to this bug. View this bug as an mbox, status mbox, or maintainer mbox

Report forwarded to guix-patches@gnu.org:
bug#33933; Package guix-patches. (Sun, 30 Dec 2018 23:17:02 GMT) (full text, mbox, link).


Acknowledgement sent to Alex Vong <alexvong1995@gmail.com>:
New bug report received and forwarded. Copy sent to guix-patches@gnu.org. (Sun, 30 Dec 2018 23:17:02 GMT) (full text, mbox, link).


Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Alex Vong <alexvong1995@gmail.com>
To: guix-patches@gnu.org
Cc: alexvong1995@gmail.com
Subject: [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.
Date: Mon, 31 Dec 2018 07:15:42 +0800
[Message part 1 (text/plain, inline)]
Tags: security

Hello,

This patch series mainly fixes the latest CVEs found in libextractor,
but it also upgrades other gnunet related packages to their latest
version.

Please also note that the versioning scheme for guile-gnunet is changed
to use that of 'git-version'. Unfortunately, this would break
"guix package --upgrade". But I think this change needs to be made at
some point anyway, so we may as well do it now.

Cheers,
Alex
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#33933; Package guix-patches. (Sun, 30 Dec 2018 23:19:02 GMT) (full text, mbox, link).


Message #8 received at 33933@debbugs.gnu.org (full text, mbox, reply):

From: Alex Vong <alexvong1995@gmail.com>
To: 33933@debbugs.gnu.org
Cc: alexvong1995@gmail.com
Subject: [PATCH 1/4] gnu: libextractor: Update to 1.8.
Date: Mon, 31 Dec 2018 07:18:28 +0800
[0001-gnu-libextractor-Update-to-1.8.patch (text/x-diff, inline)]
From 8cb16fb98e444bdbed44f73038aa74d2a4a306f1 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:48:50 +0800
Subject: [PATCH 1/4] gnu: libextractor: Update to 1.8.

* gnu/packages/gnunet.scm (libextractor): Update to 1.8.
---
 gnu/packages/gnunet.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index d1dc8fd58..4a6952076 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016, 2017, 2018 Nils Gillmann <ng0@n0.is>
 ;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -67,14 +68,14 @@
 (define-public libextractor
   (package
    (name "libextractor")
-   (version "1.7")
+   (version "1.8")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/libextractor/libextractor-"
                                 version ".tar.gz"))
             (sha256
              (base32
-              "13wf6vj7mkv6gw8h183cnk7m24ir0gyf198pyb2148ng4klgv9p0"))))
+              "1z1cb35griqzvshqdv5ck98dy0sgpsswn7fgiy7lbzi34sma8dg2"))))
    (build-system gnu-build-system)
    ;; WARNING: Checks require /dev/shm to be in the build chroot, especially
    ;; not to be a symbolic link to /run/shm.
-- 
2.20.1

[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#33933; Package guix-patches. (Sun, 30 Dec 2018 23:20:02 GMT) (full text, mbox, link).


Message #11 received at 33933@debbugs.gnu.org (full text, mbox, reply):

From: Alex Vong <alexvong1995@gmail.com>
To: 33933@debbugs.gnu.org
Cc: alexvong1995@gmail.com
Subject: [PATCH 2/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.
Date: Mon, 31 Dec 2018 07:18:52 +0800
[0002-gnu-libextractor-Fix-CVE-2018-20430-20431.patch (text/x-diff, inline)]
From a155ee678aefe73eb8e209e7a6d4ace8afabcf92 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:50:48 +0800
Subject: [PATCH 2/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.

* gnu/packages/patches/libextractor-CVE-2018-20430.patch,
gnu/packages/patches/libextractor-CVE-2018-20431.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gnunet.scm (libextractor)[source]: Use them.
---
 gnu/local.mk                                  |  2 +
 gnu/packages/gnunet.scm                       |  2 +
 .../patches/libextractor-CVE-2018-20430.patch | 60 +++++++++++++++++++
 .../patches/libextractor-CVE-2018-20431.patch | 53 ++++++++++++++++
 4 files changed, 117 insertions(+)
 create mode 100644 gnu/packages/patches/libextractor-CVE-2018-20430.patch
 create mode 100644 gnu/packages/patches/libextractor-CVE-2018-20431.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 0bb020335..75634b741 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -888,6 +888,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libevent-2.1-skip-failing-test.patch	\
   %D%/packages/patches/libexif-CVE-2016-6328.patch		\
   %D%/packages/patches/libexif-CVE-2017-7544.patch		\
+  %D%/packages/patches/libextractor-CVE-2018-20430.patch	\
+  %D%/packages/patches/libextractor-CVE-2018-20431.patch	\
   %D%/packages/patches/libgcrypt-make-yat2m-reproducible.patch	\
   %D%/packages/patches/libgit2-mtime-0.patch			\
   %D%/packages/patches/libgit2-oom-test.patch			\
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 4a6952076..d9e903734 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -73,6 +73,8 @@
             (method url-fetch)
             (uri (string-append "mirror://gnu/libextractor/libextractor-"
                                 version ".tar.gz"))
+            (patches (search-patches "libextractor-CVE-2018-20430.patch"
+                                     "libextractor-CVE-2018-20431.patch"))
             (sha256
              (base32
               "1z1cb35griqzvshqdv5ck98dy0sgpsswn7fgiy7lbzi34sma8dg2"))))
diff --git a/gnu/packages/patches/libextractor-CVE-2018-20430.patch b/gnu/packages/patches/libextractor-CVE-2018-20430.patch
new file mode 100644
index 000000000..570cd7c00
--- /dev/null
+++ b/gnu/packages/patches/libextractor-CVE-2018-20430.patch
@@ -0,0 +1,60 @@
+Fix CVE-2018-20430:
+
+https://gnunet.org/bugs/view.php?id=5493
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20430
+https://security-tracker.debian.org/tracker/CVE-2018-20430
+
+Patch copied from upstream source repository:
+
+https://gnunet.org/git/libextractor.git/commit/?id=b405d707b36e0654900cba78e89f49779efea110
+
+From b405d707b36e0654900cba78e89f49779efea110 Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christian@grothoff.org>
+Date: Thu, 20 Dec 2018 22:47:53 +0100
+Subject: [PATCH] fix #5493 (out of bounds read)
+
+---
+ src/common/convert.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/common/convert.c b/src/common/convert.c
+index c0edf21..2be2108 100644
+--- a/src/common/convert.c
++++ b/src/common/convert.c
+@@ -36,8 +36,8 @@
+  *  string is returned.
+  */
+ char *
+-EXTRACTOR_common_convert_to_utf8 (const char *input, 
+-				  size_t len, 
++EXTRACTOR_common_convert_to_utf8 (const char *input,
++				  size_t len,
+ 				  const char *charset)
+ {
+ #if HAVE_ICONV
+@@ -52,7 +52,7 @@ EXTRACTOR_common_convert_to_utf8 (const char *input,
+   i = input;
+   cd = iconv_open ("UTF-8", charset);
+   if (cd == (iconv_t) - 1)
+-    return strdup (i);
++    return strndup (i, len);
+   if (len > 1024 * 1024)
+     {
+       iconv_close (cd);
+@@ -67,11 +67,11 @@ EXTRACTOR_common_convert_to_utf8 (const char *input,
+     }
+   itmp = tmp;
+   finSize = tmpSize;
+-  if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == SIZE_MAX)
++  if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == ((size_t) -1))
+     {
+       iconv_close (cd);
+       free (tmp);
+-      return strdup (i);
++      return strndup (i, len);
+     }
+   ret = malloc (tmpSize - finSize + 1);
+   if (ret == NULL)
+-- 
+2.20.1
+
diff --git a/gnu/packages/patches/libextractor-CVE-2018-20431.patch b/gnu/packages/patches/libextractor-CVE-2018-20431.patch
new file mode 100644
index 000000000..855c5ba64
--- /dev/null
+++ b/gnu/packages/patches/libextractor-CVE-2018-20431.patch
@@ -0,0 +1,53 @@
+Fix CVE-2018-20431:
+
+https://gnunet.org/bugs/view.php?id=5494
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20431
+https://security-tracker.debian.org/tracker/CVE-2018-20431
+
+Patch copied from upstream source repository:
+
+https://gnunet.org/git/libextractor.git/commit/?id=489c4a540bb2c4744471441425b8932b97a153e7
+
+To apply the patch to libextractor 1.8 release tarball,
+hunk #1 which patches ChangeLog is removed. 
+
+From 489c4a540bb2c4744471441425b8932b97a153e7 Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christian@grothoff.org>
+Date: Thu, 20 Dec 2018 23:02:28 +0100
+Subject: [PATCH] fix #5494
+
+---
+ ChangeLog                    | 3 ++-
+ src/plugins/ole2_extractor.c | 9 +++++++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/ole2_extractor.c b/src/plugins/ole2_extractor.c
+index 53fa1b9..a48b726 100644
+--- a/src/plugins/ole2_extractor.c
++++ b/src/plugins/ole2_extractor.c
+@@ -173,7 +173,7 @@ struct ProcContext
+   EXTRACTOR_MetaDataProcessor proc;
+ 
+   /**
+-   * Closure for 'proc'.
++   * Closure for @e proc.
+    */
+   void *proc_cls;
+ 
+@@ -213,7 +213,12 @@ process_metadata (gpointer key,
+ 
+   if (G_VALUE_TYPE(gval) == G_TYPE_STRING)
+     {
+-      contents = strdup (g_value_get_string (gval));
++      const char *gvals;
++
++      gvals = g_value_get_string (gval);
++      if (NULL == gvals)
++        return;
++      contents = strdup (gvals);
+     }
+   else
+     {
+-- 
+2.20.1
+
-- 
2.20.1

[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#33933; Package guix-patches. (Sun, 30 Dec 2018 23:20:03 GMT) (full text, mbox, link).


Message #14 received at 33933@debbugs.gnu.org (full text, mbox, reply):

From: Alex Vong <alexvong1995@gmail.com>
To: 33933@debbugs.gnu.org
Cc: alexvong1995@gmail.com
Subject: [PATCH 3/4] gnu: libmicrohttpd: Update to 0.9.62.
Date: Mon, 31 Dec 2018 07:19:25 +0800
[0003-gnu-libmicrohttpd-Update-to-0.9.62.patch (text/x-diff, inline)]
From c5b57304b0ec12d44ffb749befd00fb0e4d92c0f Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 06:54:04 +0800
Subject: [PATCH 3/4] gnu: libmicrohttpd: Update to 0.9.62.

* gnu/packages/gnunet.scm (libmicrohttpd): Update to 0.9.62.
---
 gnu/packages/gnunet.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index d9e903734..79584fcf0 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -148,14 +148,14 @@ tool to extract metadata from a file and print the results.")
 (define-public libmicrohttpd
   (package
    (name "libmicrohttpd")
-   (version "0.9.59")
+   (version "0.9.62")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/libmicrohttpd/libmicrohttpd-"
                                 version ".tar.gz"))
             (sha256
              (base32
-              "0g4jgnv43yddr9yxrqg11632rip0lg5c53gmy5wy3c0i1dywv74v"))))
+              "0jfvi1fb4im3a3m8qishbmzx3zch993c0mhvl2k92l1zf1yhjgmx"))))
    (build-system gnu-build-system)
    (inputs
     `(("curl" ,curl)
-- 
2.20.1

[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#33933; Package guix-patches. (Sun, 30 Dec 2018 23:21:02 GMT) (full text, mbox, link).


Message #17 received at 33933@debbugs.gnu.org (full text, mbox, reply):

From: Alex Vong <alexvong1995@gmail.com>
To: 33933@debbugs.gnu.org
Cc: alexvong1995@gmail.com
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
Date: Mon, 31 Dec 2018 07:19:53 +0800
[0004-gnu-guile-gnunet-Update-to-0.0-1.d12167a.patch (text/x-diff, inline)]
From 8009339b00ce374fadea36e964d0fcbcb85ed044 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 07:00:39 +0800
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.

* gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
[version]: Use git-version.
[source]: Use git-file-name.
---
 gnu/packages/gnunet.scm | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 79584fcf0..b00c8848a 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
    (home-page "https://gnunet.org/")))
 
 (define-public guile-gnunet                       ;GSoC 2015!
-  (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
+  (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
+        (revision "1"))
     (package
       (name "guile-gnunet")
-      (version (string-append "0.0." (string-take commit 7)))
+      (version (git-version "0.0" revision commit))
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
                       (url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
                       (commit commit)))
-                (file-name (string-append name "-" version "-checkout"))
+                (git-file-name name version)
                 (sha256
                  (base32
-                  "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
+                  "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
       (build-system gnu-build-system)
       (native-inputs `(("pkg-config" ,pkg-config)
                        ("autoconf" ,autoconf-wrapper)
-- 
2.20.1

[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#33933; Package guix-patches. (Sun, 30 Dec 2018 23:28:01 GMT) (full text, mbox, link).


Message #20 received at 33933@debbugs.gnu.org (full text, mbox, reply):

From: Alex Vong <alexvong1995@gmail.com>
To: 33933@debbugs.gnu.org
Cc: alexvong1995@gmail.com
Subject: Re: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
Date: Mon, 31 Dec 2018 07:27:20 +0800
[Message part 1 (text/plain, inline)]
Sorry, the last patch is incorrect. The correct one is here:

[0004-gnu-guile-gnunet-Update-to-0.0-1.d12167a.patch (text/x-diff, inline)]
From 9c2b78d121e4711f3c42ccc7bbc291beaf45571c Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 31 Dec 2018 07:00:39 +0800
Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.

* gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
[version]: Use git-version.
[source]: Use git-file-name.
---
 gnu/packages/gnunet.scm | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 79584fcf0..62bb3026d 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
    (home-page "https://gnunet.org/")))
 
 (define-public guile-gnunet                       ;GSoC 2015!
-  (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
+  (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
+        (revision "1"))
     (package
       (name "guile-gnunet")
-      (version (string-append "0.0." (string-take commit 7)))
+      (version (git-version "0.0" revision commit))
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
                       (url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
                       (commit commit)))
-                (file-name (string-append name "-" version "-checkout"))
+                (file-name (git-file-name name version))
                 (sha256
                  (base32
-                  "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
+                  "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
       (build-system gnu-build-system)
       (native-inputs `(("pkg-config" ,pkg-config)
                        ("autoconf" ,autoconf-wrapper)
-- 
2.20.1

[Message part 3 (text/plain, inline)]
Alex Vong <alexvong1995@gmail.com> writes:

> From 8009339b00ce374fadea36e964d0fcbcb85ed044 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Mon, 31 Dec 2018 07:00:39 +0800
> Subject: [PATCH 4/4] gnu: guile-gnunet: Update to 0.0-1.d12167a.
>
> * gnu/packages/gnunet.scm (guile-gnunet): Update to 0.0-1.d12167a.
> [version]: Use git-version.
> [source]: Use git-file-name.
> ---
>  gnu/packages/gnunet.scm | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
> index 79584fcf0..b00c8848a 100644
> --- a/gnu/packages/gnunet.scm
> +++ b/gnu/packages/gnunet.scm
> @@ -310,19 +310,20 @@ kinds of basic applications for the foundation of a GNU internet.")
>     (home-page "https://gnunet.org/")))
>  
>  (define-public guile-gnunet                       ;GSoC 2015!
> -  (let ((commit "383eac2aab175d8d9ea5315c2f1c8a5055c76a52"))
> +  (let ((commit "d12167ab3c8d7d6caffd9c606e389ef043760602")
> +        (revision "1"))
>      (package
>        (name "guile-gnunet")
> -      (version (string-append "0.0." (string-take commit 7)))
> +      (version (git-version "0.0" revision commit))
>        (source (origin
>                  (method git-fetch)
>                  (uri (git-reference
>                        (url "https://git.savannah.gnu.org/git/guix/gnunet.git/")
>                        (commit commit)))
> -                (file-name (string-append name "-" version "-checkout"))
> +                (git-file-name name version)
>                  (sha256
>                   (base32
> -                  "0k6mn28isjlxrnvbnblab3nh2xqx1b7san8k98kc35ap9lq0iz8w"))))
> +                  "0nqc18jh9j30y4l6yh6j35byfg6qalq7yr3frv9rk10qa041c2sv"))))
>        (build-system gnu-build-system)
>        (native-inputs `(("pkg-config" ,pkg-config)
>                         ("autoconf" ,autoconf-wrapper)
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#33933; Package guix-patches. (Thu, 03 Jan 2019 13:13:01 GMT) (full text, mbox, link).


Message #23 received at 33933@debbugs.gnu.org (full text, mbox, reply):

From: Alex Vong <alexvong1995@gmail.com>
To: guix-devel@gnu.org
Cc: alexvong1995@gmail.com, 33933@debbugs.gnu.org
Subject: Re: [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430,20431}.
Date: Thu, 03 Jan 2019 21:12:35 +0800
[Message part 1 (text/plain, inline)]
Hello Guix,

I sent the "gnu: libextractor: Fix CVE-2018-{20430,20431}." patch to
https://debbugs.gnu.org/33933 three days ago. libextractor is needed to
build gnunet, so these fixes are important for gnunet users [I am not
(yet) a user though]. Only the first two patches are directly related,
the rest updates various gnunet-related packages.

Btw, for security fixes, how long should I wait before I ping here?

Thanks,
Alex
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#33933; Package guix-patches. (Thu, 03 Jan 2019 18:22:02 GMT) (full text, mbox, link).


Message #26 received at 33933@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: Alex Vong <alexvong1995@gmail.com>
Cc: 33933@debbugs.gnu.org
Subject: Re: [bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.
Date: Thu, 3 Jan 2019 13:20:56 -0500
[Message part 1 (text/plain, inline)]
On Mon, Dec 31, 2018 at 07:15:42AM +0800, Alex Vong wrote:
> Tags: security
> 
> Hello,
> 
> This patch series mainly fixes the latest CVEs found in libextractor,
> but it also upgrades other gnunet related packages to their latest
> version.
> 
> Please also note that the versioning scheme for guile-gnunet is changed
> to use that of 'git-version'. Unfortunately, this would break
> "guix package --upgrade". But I think this change needs to be made at
> some point anyway, so we may as well do it now.

Thanks, please push :)
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches@gnu.org:
bug#33933; Package guix-patches. (Thu, 03 Jan 2019 19:30:01 GMT) (full text, mbox, link).


Message #29 received at 33933@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: Alex Vong <alexvong1995@gmail.com>
Cc: guix-devel@gnu.org, 33933@debbugs.gnu.org
Subject: Re: [bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.
Date: Thu, 3 Jan 2019 14:29:18 -0500
[Message part 1 (text/plain, inline)]
On Thu, Jan 03, 2019 at 09:12:35PM +0800, Alex Vong wrote:
> Btw, for security fixes, how long should I wait before I ping here?

If you are confident in the fix, it's fine to go ahead and commit if
there is no review. Otherwise, a day or two is probably fine. If the
vulnerability is particularly severe, you could send a reminder to
<guix-security@gnu.org>, or email the maintainers directly.
[signature.asc (application/pgp-signature, inline)]

Reply sent to Alex Vong <alexvong1995@gmail.com>:
You have taken responsibility. (Thu, 03 Jan 2019 23:43:02 GMT) (full text, mbox, link).


Notification sent to Alex Vong <alexvong1995@gmail.com>:
bug acknowledged by developer. (Thu, 03 Jan 2019 23:43:02 GMT) (full text, mbox, link).


Message #34 received at 33933-done@debbugs.gnu.org (full text, mbox, reply):

From: Alex Vong <alexvong1995@gmail.com>
To: 33933-done@debbugs.gnu.org
Cc: alexvong1995@gmail.com, Leo Famulari <leo@famulari.name>
Subject: Re: [bug#33933] [PATCH 0/4] gnu: libextractor: Fix CVE-2018-{20430, 20431}.
Date: Fri, 04 Jan 2019 07:42:30 +0800
[Message part 1 (text/plain, inline)]
Leo Famulari <leo@famulari.name> writes:

> On Mon, Dec 31, 2018 at 07:15:42AM +0800, Alex Vong wrote:
>> Tags: security
>> 
>> Hello,
>> 
>> This patch series mainly fixes the latest CVEs found in libextractor,
>> but it also upgrades other gnunet related packages to their latest
>> version.
>> 
>> Please also note that the versioning scheme for guile-gnunet is changed
>> to use that of 'git-version'. Unfortunately, this would break
>> "guix package --upgrade". But I think this change needs to be made at
>> some point anyway, so we may as well do it now.
>
> Thanks, please push :)

Pushed as 1983a9b0a50ff759f2d192d7fa0f7ad0fb1e1384 -
5651e74cc6c1d1b8a2ef1d40e6f14e1123a7de97!
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Fri, 01 Feb 2019 12:24:05 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 05:53:52 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.