Bug 200980

Summary: lang/chicken: CVE-2015-4556: out-of-bounds read in CHICKEN Scheme's string-translate* procedure
Product: Ports & Packages    Reporter: Jason Unovitch <junovitch>
Component: Individual Port(s)    Assignee: Jason Unovitch <junovitch>
Status: Closed FIXED
Severity: Affects Some People    CC: delphij, koobs, ports-secteam, vmagerya
Priority: ---    Keywords: patch, patch-ready, security
Version: Latest    Flags: vmagerya: maintainer-feedback+
Hardware: Any
OS: Any
URL: http://openwall.com/lists/oss-security/2015/06/15/4
Attachments (description, flags):
chicken-4.10.0rc1.diff  (flags: none)
chicken-4.10.0r1.diff  (flags: vmagerya: maintainer-approval+)
Poudriere testport build logs from 10.1-RELEASE amd64  (flags: none)
security/vuxml entry to document both CVE-2015-4556 and CVE-2015-9651  (flags: none)
chicken-4.10.0.r1,1.diff  (flags: vmagerya: maintainer-approval+)
chicken-4.10.0.r2,1.diff  (flags: none)
chicken-4.10.0.r2,1.log -- Poudriere testport from 10.1-RELEASE jail  (flags: none)
lang/chicken: chicken-4.10.0.r4,1.patch  (flags: junovitch: maintainer-approval+)
security/vuxml fixup  (flags: none)
chicken-4.10.0.r4,1.log -- Poudriere testport from 10.1-RELEASE jail  (flags: none)

Description Jason Unovitch freebsd_committer freebsd_triage 2015-06-20 02:05:11 UTC
Chicken has recently been assigned a CVE for an out-of-bounds read issue.
http://openwall.com/lists/oss-security/2015/06/15/4

This is planned to be fixed in a future 4.10 release.
http://lists.nongnu.org/archive/html/chicken-announce/2015-06/msg00010.html

There is a patch available from upstream here, in light of 4.10 not being available.
http://lists.nongnu.org/archive/html/chicken-hackers/2015-06/msg00037.html
Comment 1 Vitaly Magerya 2015-06-20 19:14:54 UTC
Created attachment 157898 [details]
chicken-4.10.0rc1.diff

Unfortunately it is not as trivial as applying that patch to a
previous release: one of the files that patch touches must be
translated into C during the build, which requires an installed
version of chicken. Normally release tarballs include the generated
C file, but if the patch is applied that generated file becomes
obsolete, and the build process can not continue.

The solution is to use one of the release tarballs.

Since chicken 4.10 is not yet released, we could use 4.10.0rc1
for the time being. It's better than nothing.

Here's a patch for that, complete with a vuln.xml update.
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-06-21 13:18:29 UTC
(In reply to Vitaly Magerya from comment #1)

QA:
# portlint -ac
FATAL: Makefile: PORTVERSION looks illegal. You should modify "4.10.0rc1".
WARN: Makefile: Consider defining LICENSE.

I have build tests pending now.
Comment 3 Vitaly Magerya 2015-06-21 17:23:53 UTC
Created attachment 157947 [details]
chicken-4.10.0r1.diff

> FATAL: Makefile: PORTVERSION looks illegal. You should modify "4.10.0rc1".

Portlint is being overly pedantic here in my opinion; 'pkg version' supports that version format flawlessly. In any case, here's an updated diff with fixed version string (no other changes).
Comment 4 Jason Unovitch freebsd_committer freebsd_triage 2015-06-22 03:39:19 UTC
Created attachment 157966 [details]
Poudriere testport build logs from 10.1-RELEASE amd64

Testport attached, also testport build successful on the following:
8.4-RELEASE-p28      amd64
8.4-RELEASE-p28      i386
9.3-RELEASE-p14      amd64
9.3-RELEASE-p14      i386
10.1-RELEASE-p10     amd64
10.1-RELEASE-p10     i386
11.0-CURRENT r284104 amd64
11.0-CURRENT r284104 i386

Portlint fix resolves earlier error.
Comment 5 Jason Unovitch freebsd_committer freebsd_triage 2015-06-22 04:19:15 UTC
Regarding security/vuxml documentation and a close action for the PR.

RC1 doesn't list CVE-2015-4556 as being fixed in the RC1 release notes here:
http://code.call-cc.org/dev-snapshots/2015/06/07/NEWS

- Security fixes
  - CVE-2014-6310: Use POSIX poll() on Android platform to avoid
    potential select() buffer overrun.
  - CVE-2014-9651: substring-index[-ci] no longer scans beyond string
    boundaries.

That was announced 8 days after RC1 was released and the git commit for the fix was 7 days after RC1.  It does announce an earlier issue being fixed that hasn't been documented yet.
Comment 6 Jason Unovitch freebsd_committer freebsd_triage 2015-06-22 04:27:44 UTC
Created attachment 157968 [details]
security/vuxml entry to document both CVE-2015-4556 and CVE-2015-9651

Tentative vuxml to document both issues while we hash out exactly what issue is fixed in what version.  Version string has tentatively been left at 4.10.0 since pkg was picking up the rc version as being newer than the release.
Comment 7 commit-hook freebsd_committer freebsd_triage 2015-06-22 07:02:46 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 07:02:21 UTC 2015
New revision: 390276
URL: https://svnweb.freebsd.org/changeset/ports/390276

Log:
  Document lang/chicken vulnerabilities CVE-2014-9651 and CVE-2015-4556.

  PR:		200980
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
Comment 8 commit-hook freebsd_committer freebsd_triage 2015-06-22 07:08:49 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 07:08:27 UTC 2015
New revision: 390277
URL: https://svnweb.freebsd.org/changeset/ports/390277

Log:
  Update to 4.10.0 RC1.

  PR:		200980
  Submitted by:	maintainer (Vitaly Magerya)
  MFH:		2015Q2
  Security:	0da404ad-1891-11e5-a1cf-002590263bf5,
  		e7b7f2b5-177a-11e5-ad33-f8d111029e6a

Changes:
  head/lang/chicken/Makefile
  head/lang/chicken/distinfo
Comment 9 commit-hook freebsd_committer freebsd_triage 2015-06-22 07:09:51 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 07:09:46 UTC 2015
New revision: 390278
URL: https://svnweb.freebsd.org/changeset/ports/390278

Log:
  MFH: r390277

  Update to 4.10.0 RC1.

  PR:		200980
  Submitted by:	maintainer (Vitaly Magerya)
  Security:	0da404ad-1891-11e5-a1cf-002590263bf5,
  		e7b7f2b5-177a-11e5-ad33-f8d111029e6a
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/lang/chicken/Makefile
  branches/2015Q2/lang/chicken/distinfo
Comment 10 Xin LI freebsd_committer freebsd_triage 2015-06-22 07:10:03 UTC
Committed, thanks!
Comment 11 Vitaly Magerya 2015-06-22 10:58:11 UTC
Created attachment 157976 [details]
chicken-4.10.0.r1,1.diff

You're right, Jason; RC1 only fixes CVE-2014-9651 (substring-index*
issue), not CVE-2015-4556 (string-translate* issue). I did not
notice that.

That's not the only place I've messed up though. The current
version of lang/chicken is '4.10.0r1', and both CVE issues are
marked with '<range><lt>4.10.0</lt></range>'. Now observe:

    $ pkg version -t 4.10.0r1 4.10.0
    >

Whoops!

Note that the originally proposed version is actually better:

    $ pkg version -t 4.10.0rc1 4.10.0
    <

In any case, the correct version string I should have used is
'4.10.0.r1', but now that '4.10.0r1' has been committed, I'm
afraid we'll need to bump PORTEPOCH (which I'd prefer to avoid,
but I don't see how).

In short here's an additional patch, which changes the version
of lang/chicken to '4.10.0.r1,1', marks CVE-2015-4556 with
'<range><lt>4.10.0,1</lt></range>', and CVE-2014-9651 with
'<range><lt>4.10.0.r1,1</lt></range>'.

To double-check the version strings:

    $ pkg version -t 4.10.0r1 4.10.0.r1,1
    <

    $ pkg version -t 4.10.0.r1,1 4.10.0,1
    <

I hope I did not mess anything up this time...
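To make the version ordering in this comment concrete, here is an added example (not pkg's code and not part of this PR): a Python model of the ordering that 'pkg version -t' applies, deliberately limited to the string shapes seen in this thread (dotted numbers, a ',N' PORTEPOCH, an '_N' PORTREVISION, a letter glued to a number as in 4.10.0r1, a stage word glued to a number as in 4.10.0rc1, and the ports '.r1' pre-release component). The stage ranks are assumptions chosen to reproduce the four comparisons quoted above, not pkg's actual implementation, and the helper 'affected()' applies a VuXML '<lt>' range to an installed version the way the thread reasons about it.

```python
"""Added example (not pkg's code): a simplified model of pkg-version(8) ordering.

It claims only to reproduce the comparisons quoted in this PR; the stage
ranks below are a model, not pkg's implementation.
"""
import itertools
import re

# number, letters, number:  '0r1' -> ('0', 'r', '1');  'r1' -> ('', 'r', '1')
_COMPONENT = re.compile(r"(\d*)([A-Za-z]*)(\d*)$")

# Assumed ranks for pre-release stages: alpha < beta < pre < rc < release.
_PRERELEASE = {"alpha": -4, "a": -4, "beta": -3, "b": -3,
               "pre": -2, "p": -2, "rc": -1, "r": -1}


def split_version(pkgver):
    """Split '4.10.0.r1_2,1' into (epoch=1, body='4.10.0.r1', revision=2)."""
    body, _, epoch = pkgver.partition(",")        # ',N' is PORTEPOCH
    body, _, revision = body.partition("_")       # '_N' is PORTREVISION
    return int(epoch or 0), body, int(revision or 0)


def parse_component(text):
    """Map one dot-separated component to a sortable (number, stage, patch).

    Assumed model:  '0'    -> (0,  0, 0)
                    '0r1'  -> (0, 18, 1)  letter glued to a number sorts ABOVE it
                    '0rc1' -> (0, -1, 1)  stage word glued to a number: pre-release
                    'r1'   -> (0, -1, 1)  bare stage letter (ports '.r1'): pre-release
    """
    m = _COMPONENT.match(text)
    if m is None:
        raise ValueError(f"unparseable version component {text!r}")
    number, letters, patch = m.groups()
    letters = letters.lower()
    if not letters:
        stage = 0
    elif letters in _PRERELEASE and (len(letters) > 1 or not number):
        stage = _PRERELEASE[letters]
    elif len(letters) == 1:
        stage = ord(letters) - ord("a") + 1
    else:
        raise ValueError(f"unsupported letter run {letters!r} in {text!r}")
    return int(number or 0), stage, int(patch or 0)


def compare_versions(left, right):
    """Return -1, 0 or 1, the way 'pkg version -t' prints '<', '=' or '>'."""
    l_epoch, l_body, l_rev = split_version(left)
    r_epoch, r_body, r_rev = split_version(right)
    if l_epoch != r_epoch:                         # PORTEPOCH outranks everything
        return -1 if l_epoch < r_epoch else 1
    l_parts = [parse_component(c) for c in l_body.split(".")]
    r_parts = [parse_component(c) for c in r_body.split(".")]
    for a, b in itertools.zip_longest(l_parts, r_parts, fillvalue=(0, 0, 0)):
        if a != b:                                 # a missing component equals a bare 0
            return -1 if a < b else 1
    if l_rev != r_rev:                             # PORTREVISION decides last
        return -1 if l_rev < r_rev else 1
    return 0


def affected(installed, lt):
    """True when 'installed' falls inside a VuXML '<range><lt>lt</lt></range>'."""
    return compare_versions(installed, lt) < 0


if __name__ == "__main__":
    symbols = {-1: "<", 0: "=", 1: ">"}
    for a, b in [("4.10.0r1", "4.10.0"), ("4.10.0rc1", "4.10.0"),
                 ("4.10.0r1", "4.10.0.r1,1"), ("4.10.0.r1,1", "4.10.0,1")]:
        print(f"{a:>13} {symbols[compare_versions(a, b)]} {b}")
    # The mistake in this PR: '<lt>4.10.0</lt>' does not match 4.10.0r1 at all.
    print("4.10.0r1 in <lt>4.10.0</lt>:", affected("4.10.0r1", "4.10.0"))
    # After the PORTEPOCH bump the unfixed CVE-2015-4556 range matches again.
    print("4.10.0.r1,1 in <lt>4.10.0,1</lt>:", affected("4.10.0.r1,1", "4.10.0,1"))
```

Run stand-alone it prints the four comparisons from the comment above and the two range checks that motivated the PORTEPOCH bump.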
Comment 12 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-22 11:05:39 UTC
Re-open for new attachment 157976 [details]

Assign to committer that closed.

Vitaly/Jason, please clarify exactly what Xin Li needs to do now given that the following changeset has already been committed:

https://svnweb.freebsd.org/changeset/ports/390278
Comment 13 Vitaly Magerya 2015-06-22 11:17:08 UTC
We share the vulnerability database across ports tree branches,
right? In this case, applying my last patch to the 2015Q2 branch
is preferable, but optional (if the patch is not applied, people
will see 4.10.0r1 version as having 2 vulnerabilities, while there
should only be 1, which is undesirable, but not fatal).
Comment 14 Jason Unovitch freebsd_committer freebsd_triage 2015-06-22 19:16:43 UTC
My apologies for attaching a "tentative" patch.  We should have finished all of our discussion and agreed on the way ahead beforehand.

Vitaly,
The most logical way ahead I can see would be:

1. Apply the chicken-4.10.0.r1,1.diff to the ports/head branch with one minor suggested change. Due to the unfixed CVE, modify the CVE-2015-4556 / 0da404ad-1891-11e5-a1cf-002590263bf5 vuxml entry before commit to include "<freebsdpr>ports/200980</freebsdpr>" as a reference for anyone looking for supplemental information.

2. MFH the lang/chicken/Makefile update to 2015Q2.  The security/vuxml under 2015Q2 hasn't been updated since the branch was made.

3. Hold this PR open until we can update to 4.10.0,1 for the release or RC2 comes out with the fix and we update to 4.10.0.r2,1

Does this make sense as our course of action?

Other comment, I see what you mean regarding the generated C files; it would certainly be a non-trivial amount of effort to backport the fix to the release tarball.
Comment 15 Vitaly Magerya 2015-06-22 21:29:43 UTC
(In reply to Jason Unovitch from comment #14)
> 1. Apply the chicken-4.10.0.r1,1.diff to the ports/head branch
> with one minor suggested change. Due to the unfixed CVE, modify
> the CVE-2015-4556 / 0da404ad-1891-11e5-a1cf-002590263bf5 vuxml
> entry before commit to include "<freebsdpr>ports/200980</freebsdpr>"
> as a reference for anyone looking for supplemental information.

I'm OK with that addition.

Also, '<modified>2015-06-23</modified>' should be added to the
'<dates>' sections of both vuln entries (something I forgot to
include in chicken-4.10.0.r1,1.diff).

> 2. MFH the lang/chicken/Makefile update to 2015Q2.  The
> security/vuxml under 2015Q2 hasn't been updated since the branch
> was made.

Yes.

Note that security/vuxml in the quarterly branches is mostly
irrelevant, since 'pkg audit' uses data from vuxml.freebsd.org,
which is prepared from the head.

> 3. Hold this PR open until we can update to 4.10.0,1 for the
> release or RC2 comes out with the fix and we update to 4.10.0.r2,1
>
> Does this make sense as our course of action?

Yes.

> Other comment, I see what you mean regarding the generated C
> files; it would certainly be a non-trivial amount of effort to
> backport the fix to the release tarball.

My thinking is that while I could apply the patch to 4.9.0.1,
re-generate the needed C files, and provide a combined diff, it
would contain changes not directly approved by the chicken team,
so you'd need to trust that I (a random person on the internet)
did not hide a backdoor in that diff, which I think is too much
to ask.
Comment 16 Jason Unovitch freebsd_committer freebsd_triage 2015-06-22 21:48:58 UTC
(In reply to Vitaly Magerya from comment #15)

>> 1. Apply the chicken-4.10.0.r1,1.diff to the ports/head branch
>> with one minor suggested change. Due to the unfixed CVE, modify
>> the CVE-2015-4556 / 0da404ad-1891-11e5-a1cf-002590263bf5 vuxml
>> entry before commit to include "<freebsdpr>ports/200980</freebsdpr>"
>> as a reference for anyone looking for supplemental information.
>
> I'm OK with that addition.
>
> Also, '<modified>2015-06-23</modified>' should be added to the
> '<dates>' sections of both vuln entries (something I forgot to
> include in chicken-4.10.0.r1,1.diff).

Good catch.

>> Other comment, I see what you mean regarding the generated C
>> files; it would certainly be a non-trivial amount of effort to
>> backport the fix to the release tarball.
>
> My thinking is that while I could apply the patch to 4.9.0.1,
> re-generate the needed C files, and provide a combined diff, it
> would contain changes not directly approved by the chicken team,
> so you'd need to trust that I (a random person on the internet)
> did not hide a backdoor in that diff, which I think is too much
> to ask.

The regenerated C file ended up being a 10,000+ line diff and had issues building anyway.  Backporting fixes in a way that is easy to audit is one thing but the nature of how this app works makes that new C file impossible to effectively audit.
Comment 17 Jason Unovitch freebsd_committer freebsd_triage 2015-06-22 21:51:39 UTC
Xin,
The recommended course of action is in comment 14 above.

For item 1, as mentioned in comment 15 we'll need '<modified>2015-06-23</modified>' on both entries.  That wasn't in the 'chicken-4.10.0.r1,1.diff'.
Comment 18 commit-hook freebsd_committer freebsd_triage 2015-06-22 23:19:14 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 23:18:22 UTC 2015
New revision: 390340
URL: https://svnweb.freebsd.org/changeset/ports/390340

Log:
  Change version format (from 4.10.0r1 to 4.10.0.r1) and bump PORTEPOCH.
  This is because our current versioning system sees 4.10.0r1 > 4.10.0.

  vuxml change would follow.

  PR:		200980
  Submitted by:	maintainer (Vitaly Magerya)
  MFH:		2015Q2

Changes:
  head/lang/chicken/Makefile
Comment 19 commit-hook freebsd_committer freebsd_triage 2015-06-22 23:23:16 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 23:22:24 UTC 2015
New revision: 390341
URL: https://svnweb.freebsd.org/changeset/ports/390341

Log:
  Reflect version range change after r390340.  While I'm there, also fix
  the CVE-2015-4556 entry because it's not yet fixed in the ports tree and
  add a reference to the PR while there.

  PR:		200980
  Submitted by:	Vitaly Magerya (with changes suggested by Jason Unovitch)

Changes:
  head/security/vuxml/vuln.xml
Comment 20 commit-hook freebsd_committer freebsd_triage 2015-06-22 23:23:18 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 23:22:53 UTC 2015
New revision: 390342
URL: https://svnweb.freebsd.org/changeset/ports/390342

Log:
  MFH: r390340

  Change version format (from 4.10.0r1 to 4.10.0.r1) and bump PORTEPOCH.
  This is because our current versioning system sees 4.10.0r1 > 4.10.0.

  vuxml change would follow.

  PR:		200980
  Submitted by:	maintainer (Vitaly Magerya)
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/lang/chicken/Makefile
Comment 21 Xin LI freebsd_committer freebsd_triage 2015-06-26 17:33:58 UTC
Comment on attachment 157947 [details]
chicken-4.10.0r1.diff

Committed, thanks!
Comment 22 Xin LI freebsd_committer freebsd_triage 2015-06-26 17:34:16 UTC
Comment on attachment 157966 [details]
Poudriere testport build logs from 10.1-RELEASE amd64

This was committed, thanks for testing.
Comment 23 Xin LI freebsd_committer freebsd_triage 2015-06-26 17:35:00 UTC
Comment on attachment 157968 [details]
security/vuxml entry to document both CVE-2015-4556 and CVE-2015-9651

Committed, thanks!
Comment 24 Xin LI freebsd_committer freebsd_triage 2015-06-26 17:35:13 UTC
Comment on attachment 157976 [details]
chicken-4.10.0.r1,1.diff

Committed, thanks!
Comment 25 Jason Unovitch freebsd_committer freebsd_triage 2015-07-05 13:49:11 UTC
Created attachment 158375 [details]
chicken-4.10.0.r2,1.diff

Bump to chicken-4.10.0.r2,1 with SHA256 of 85c8....2fba for the CVE-2015-4556 fix.  Vitaly, does this look good to you?

http://code.call-cc.org/dev-snapshots/2015/07/04/NEWS
http://code.call-cc.org/dev-snapshots/

Tested on my desktop in a 10.1-RELEASE Poudriere but other builds are pending on 11 down to 8.4 on my build test machine.  I'll provide a testport log later.
Comment 26 Vitaly Magerya 2015-07-05 20:04:33 UTC
(In reply to Jason Unovitch from comment #25)
The patch looks perfect, and I did notice this release appearing in the snapshot list (I have actually tested an identical patch this morning), but... this build has not yet been announced. Check out chicken-announce archive [1] -- it's got no mention of it at the moment. I think we should wait a day for that announcement to be posted.

[1] http://lists.nongnu.org/archive/html/chicken-announce/
Comment 27 Jason Unovitch freebsd_committer freebsd_triage 2015-07-05 22:34:46 UTC
Created attachment 158401 [details]
chicken-4.10.0.r2,1.log -- Poudriere testport from 10.1-RELEASE jail

(In reply to Vitaly Magerya from comment #26)

Excellent.  Poudriere log attached and I've built on the jails listed below in Poudriere.  Go ahead and give the maintainer-feedback+ when you are ready for the commit.  Once that is committed and MFH'd to 2015Q3 everything this PR was opened for is done so it's ready to be closed.

Just a thought for the future, it makes sense to me when the final release is out to request that to MFH to 2015Q3 as well even if there are no security fixes just so we don't have a release candidate there.  That's outside of the scope of this PR but figured I would mention it.

8.4-RELEASE-p31      amd64
8.4-RELEASE-p31      i386
9.3-RELEASE-p17      amd64
9.3-RELEASE-p17      i386
10.1-RELEASE-p14     amd64
10.1-RELEASE-p14     i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
Comment 28 Kubilay Kocak freebsd_committer freebsd_triage 2015-07-06 05:05:20 UTC
Thank you both. Vitaly, could you please obsolete (or ask Jason to obsolete) the patch that you don't want referenced by committers.

I'm assuming it's the r2 version, in which case please obsolete attachment 157976 [details] if I'm correct.
Comment 29 Jason Unovitch freebsd_committer freebsd_triage 2015-07-27 01:01:45 UTC
Created attachment 159285 [details]
lang/chicken: chicken-4.10.0.r4,1.patch

Vitaly,
4.10.0 RC4 has been released.  See http://lists.nongnu.org/archive/html/chicken-announce/2015-07/msg00001.html.  Are you ok with this patch?

Log:

Security update to Chicken 4.10.0 RC4

PR:		200980
Security:	CVE-2015-4556
Security:	0da404ad-1891-11e5-a1cf-002590263bf5
Approved by:	Vitaly Magerya (maintainer)
Submitted by:	Jason Unovitch
MFH:		2015Q3
Comment 30 Jason Unovitch freebsd_committer freebsd_triage 2015-07-27 01:04:04 UTC
Created attachment 159286 [details]
security/vuxml fixup

Log:

Reflect Chicken 4.10.0 RC2 as the minimum version with the CVE-2015-4556 fix

PR:		200980
Security:	CVE-2015-4556
Security:	0da404ad-1891-11e5-a1cf-002590263bf5
Comment 31 Jason Unovitch freebsd_committer freebsd_triage 2015-07-27 01:06:28 UTC
Created attachment 159287 [details]
chicken-4.10.0.r4,1.log -- Poudriere testport from 10.1-RELEASE jail

No issues noted in the logs.  Also Poudriere build tested on the following:

8.4-RELEASE-p31      amd64
8.4-RELEASE-p31      i386
9.3-RELEASE-p17      amd64
9.3-RELEASE-p17      i386
10.1-RELEASE-p14     amd64
10.1-RELEASE-p14     i386
10.2-BETA2           amd64
10.2-BETA2           i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
Comment 32 Jason Unovitch freebsd_committer freebsd_triage 2015-07-27 01:08:38 UTC
(In reply to Vitaly Magerya from comment #26)

Vitaly,
With this update, the CVE-2015-4556 fix that the PR was opened for and CVE-2014-9651 fix that we came across during QA are all addressed.  This will be ready to close with your go ahead.
Comment 33 Vitaly Magerya 2015-07-27 09:08:26 UTC
Yes, please commit both patches.
Comment 34 Vitaly Magerya 2015-07-27 09:16:26 UTC
Comment on attachment 159285 [details]
lang/chicken: chicken-4.10.0.r4,1.patch

I've tried to put the "maintainer-approval+" flag on the diff, but it doesn't seem to work... Maybe if I add a comment while setting that flag, it'll work.
Comment 35 Vitaly Magerya 2015-07-27 09:21:38 UTC
Comment on attachment 159285 [details]
lang/chicken: chicken-4.10.0.r4,1.patch

Nope. Unless I'm not seeing something obvious, it didn't work.

Please consider patches from comment #29 and comment #30 "approved".
Comment 36 Jason Unovitch freebsd_committer freebsd_triage 2015-07-27 10:48:22 UTC
Comment on attachment 159285 [details]
lang/chicken: chicken-4.10.0.r4,1.patch

Set maintainer-approval+ based off comment #35.
Comment 37 Xin LI freebsd_committer freebsd_triage 2015-07-27 18:48:19 UTC
Submitter is now committer, congratulations!
Comment 38 Jason Unovitch freebsd_committer freebsd_triage 2015-07-28 01:11:17 UTC
(In reply to Jason Unovitch from comment #29)

Revised entry pending account access:

Security update to Chicken 4.10.0 RC4

PR:		200980
Security:	CVE-2015-4556
Security:	0da404ad-1891-11e5-a1cf-002590263bf5
Approved by:	delphij (mentor), Vitaly Magerya (maintainer)
MFH:		2015Q3
Comment 39 commit-hook freebsd_committer freebsd_triage 2015-07-31 00:19:44 UTC
A commit references this bug:

Author: junovitch
Date: Fri Jul 31 00:18:49 UTC 2015
New revision: 393282
URL: https://svnweb.freebsd.org/changeset/ports/393282

Log:
  Security update to Chicken 4.10.0 RC4

  PR:		200980
  Security:	CVE-2015-4556
  Security:	0da404ad-1891-11e5-a1cf-002590263bf5
  Approved by:	delphij (mentor), Vitaly Magerya (maintainer)
  MFH:		2015Q3

Changes:
  head/lang/chicken/Makefile
  head/lang/chicken/distinfo
Comment 40 commit-hook freebsd_committer freebsd_triage 2015-07-31 00:26:47 UTC
A commit references this bug:

Author: junovitch
Date: Fri Jul 31 00:26:35 UTC 2015
New revision: 393283
URL: https://svnweb.freebsd.org/changeset/ports/393283

Log:
  Reflect Chicken 4.10.0 RC2 as the minimum version with the CVE-2015-4556 fix

  PR:		200980
  Security:	CVE-2015-4556
  Security:	0da404ad-1891-11e5-a1cf-002590263bf5
  Approved by:	delphij (mentor)

Changes:
  head/security/vuxml/vuln.xml
Comment 41 commit-hook freebsd_committer freebsd_triage 2015-07-31 00:59:52 UTC
A commit references this bug:

Author: junovitch
Date: Fri Jul 31 00:59:10 UTC 2015
New revision: 393285
URL: https://svnweb.freebsd.org/changeset/ports/393285

Log:
  MFH: r393282

  Security update to Chicken 4.10.0 RC4

  PR:		200980
  Security:	CVE-2015-4556
  Security:	0da404ad-1891-11e5-a1cf-002590263bf5
  Approved by:	delphij (mentor), Vitaly Magerya (maintainer)
  Approved by:	ports-secteam (delphij)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/lang/chicken/Makefile
  branches/2015Q3/lang/chicken/distinfo
Comment 42 Jason Unovitch freebsd_committer freebsd_triage 2015-07-31 01:04:51 UTC
Vitaly,
Thank you! Update has been committed and MFH'd to 2015Q3.
Comment 43 Jason Unovitch freebsd_committer freebsd_triage 2015-08-02 14:13:43 UTC
Vitaly,
A suggestion that came up... It may be a bit late now, but it's never too late to learn something new.  Something to keep in mind for next time is that this syntax would have been cleaner and we wouldn't have had that "PORTVERSION looks illegal" issue.

DISTVERSION=    4.10.0rc4