Date: Saturday, November 12, 2022 @ 21:39:01 Author: blakkheim Revision: 1347098
upgpkg: chicken 5.3.0-4: add patch for CVE-2022-45145 Added: chicken/trunk/CVE-2022-45145.patch Modified: chicken/trunk/PKGBUILD ----------------------+ CVE-2022-45145.patch | 77 +++++++++++++++++++++++++++++++++++++++++++++++++ PKGBUILD | 12 +++++-- 2 files changed, 86 insertions(+), 3 deletions(-) Added: CVE-2022-45145.patch =================================================================== --- CVE-2022-45145.patch (rev 0) +++ CVE-2022-45145.patch 2022-11-12 21:39:01 UTC (rev 1347098) @@ -0,0 +1,77 @@ +From a08f8f548d772ef410c672ba33a27108d8d434f3 Mon Sep 17 00:00:00 2001 +From: Vasilij Schneidermann <[email protected]> +Date: Sat, 5 Nov 2022 13:49:25 +0100 +Subject: [PATCH 1/1] Split up potentially long echo invocation on win32 + +Eggs with a very long infostr may trigger the maximum command line +invocation length of 8191 chars. To avoid running into this +limitation, the generated install script now creates an empty file, +then echoes each line into it. + +Closes #1800 + +This patch further addresses some security issues reported by Vasilij +and applied by Felix Winkelmann: + +- disable variable/command expansion in script-fragments + that produce egg-info files. +- limit the maximum line length of shell commands in for + Windows in the latter. + +Signed-off-by: felix <[email protected]> +Signed-off-by: Peter Bex <[email protected]> +--- + egg-compile.scm | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/egg-compile.scm b/egg-compile.scm +index c1f2ceb0..9ba45681 100644 +--- a/egg-compile.scm ++++ b/egg-compile.scm +@@ -1129,7 +1129,7 @@ EOF + + ~a ~a~a + ~a ~a~a +-cat >~a~a <<ENDINFO ++cat >~a~a <<'ENDINFO' + ~aENDINFO~% + EOF + mkdir ddir qdir +@@ -1139,11 +1139,18 @@ EOF + (printf #<<EOF + + ~a ~a~a +-echo ~a >~a~a~% ++copy /y nul ~a~a~% ++~a + EOF + mkdir ddir qdir +- (string-intersperse (string-split infostr "\n") "^\n\n") +- ddir dest))))) ++ ddir dest ++ (string-intersperse (map (lambda (line) ++ (ensure-line-limit ++ (caretize (format "echo ~a >>~a~a" ++ line ddir dest)) ++ 8191 )) ++ (string-split infostr "\n")) ++ "\n")))))) + + ;;; some utilities for mangling + quoting + +@@ -1227,3 +1234,12 @@ EOF + (substring fname (add1 plen)))) + + (define (maybe f x) (if f (list x) '())) ++ ++(define (caretize str) ++ (string-translate* str '(("&" . "^&") ("^" . "^^") ("|" . "^|") ++ ("<" . "^<") (">" . "^>")))) ++ ++(define (ensure-line-limit str lim) ++ (when (>= (string-length str) lim) ++ (error "line length exceeds platform limit: " str)) ++ str) +-- +2.20.1 + Modified: PKGBUILD =================================================================== --- PKGBUILD 2022-11-12 21:35:27 UTC (rev 1347097) +++ PKGBUILD 2022-11-12 21:39:01 UTC (rev 1347098) @@ -4,7 +4,7 @@ pkgname=chicken pkgver=5.3.0 -pkgrel=3 +pkgrel=4 pkgdesc='Feature rich R5RS Scheme compiler and interpreter' arch=(x86_64) url='https://call-cc.org/' @@ -12,9 +12,15 @@ makedepends=(chicken) optdepends=('tk: for the tcl/tk egg') options=(staticlibs) -source=("https://code.call-cc.org/releases/$pkgver/$pkgname-$pkgver.tar.gz";) -b2sums=('7e1fb8c844542927eec53df751014f718b8c96fb6cf390d6464d7d55467c7320346be9ed05202b9c5c96548f274243ae52fead488981d7c207bec2c001db7cd7') +source=("https://code.call-cc.org/releases/$pkgver/$pkgname-$pkgver.tar.gz"; + "CVE-2022-45145.patch") +b2sums=('7e1fb8c844542927eec53df751014f718b8c96fb6cf390d6464d7d55467c7320346be9ed05202b9c5c96548f274243ae52fead488981d7c207bec2c001db7cd7' + '0b07d7935da0619eb2dfba4d0944c45bb5aa6d46e904125f9ee5b55ef6592d5619b7b6aa8a3136b76d8de4f3d768c6831b386a872bd6518f8b3fa04bb9f767d4') +prepare() { + patch -Np1 -i ../CVE-2022-45145.patch -d $pkgname-$pkgver +} + build() { export CFLAGS+=' -ffat-lto-objects' export CXXFLAGS+=' -ffat-lto-objects'
