guix-devel/gnu/packages/patches/chicken-CVE-2017-11343.patch

Fix CVE-2017-11343:

https://lists.nongnu.org/archive/html/chicken-announce/2017-07/msg00000.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11343

Patch copied from upstream mailing list:

http://lists.gnu.org/archive/html/chicken-hackers/2017-06/txtod8Pa1wGU0.txt

From ae2633195cc5f4f61c9da4ac90f0c14c010dcc3d Mon Sep 17 00:00:00 2001
From: Peter Bex <address@hidden>
Date: Fri, 30 Jun 2017 15:39:45 +0200
Subject: [PATCH 2/2] Initialize symbol table after setting up randomization

Otherwise, the symbol table wouldn't be correctly randomized.
---
 NEWS      | 3 +++
 runtime.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

#diff --git a/NEWS b/NEWS
#index f4b0e041..6588b30e 100644
#--- a/NEWS
#+++ b/NEWS
#@@ -96,6 +96,9 @@
#     buffer overrun and/or segfault (thanks to Lemonboy).
#   - CVE-2017-9334: `length' no longer crashes on improper lists (fixes
#     #1375, thanks to "megane").
#+  - The randomization factor of the symbol table was set before
#+    the random seed was set, causing it to have a fixed value on many
#+    platforms.
# 
# - Core Libraries
#   - Unit "posix": If file-lock, file-lock/blocking or file-unlock are
diff --git a/runtime.c b/runtime.c
index 81c54dd2..a4580abc 100644
--- a/runtime.c
+++ b/runtime.c
@@ -799,7 +799,6 @@ int CHICKEN_initialize(int heap, int stack, int symbols, void *toplevel)
   C_initial_timer_interrupt_period = INITIAL_TIMER_INTERRUPT_PERIOD;
   C_timer_interrupt_counter = INITIAL_TIMER_INTERRUPT_PERIOD;
   memset(signal_mapping_table, 0, sizeof(int) * NSIG);
-  initialize_symbol_table();
   C_dlerror = "cannot load compiled code dynamically - this is a statically linked executable";
   error_location = C_SCHEME_FALSE;
   C_pre_gc_hook = NULL;
@@ -816,6 +815,7 @@ int CHICKEN_initialize(int heap, int stack, int symbols, void *toplevel)
   callback_continuation_level = 0;
   gc_ms = 0;
   (void)C_randomize(C_fix(time(NULL)));
+  initialize_symbol_table();
 
   if (profiling) {
 #ifndef C_NONUNIX
-- 
2.11.0
gnu: chicken: Fix CVE-2017-11343. * gnu/packages/patches/chicken-CVE-2017-11343.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/scheme.scm (chicken)[source]: Use it. 2017-07-18 02:14:15 +02:00			`Fix CVE-2017-11343:`

			`https://lists.nongnu.org/archive/html/chicken-announce/2017-07/msg00000.html`
			`https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11343`

			`Patch copied from upstream mailing list:`

			`http://lists.gnu.org/archive/html/chicken-hackers/2017-06/txtod8Pa1wGU0.txt`

			`From ae2633195cc5f4f61c9da4ac90f0c14c010dcc3d Mon Sep 17 00:00:00 2001`
			`From: Peter Bex <address@hidden>`
			`Date: Fri, 30 Jun 2017 15:39:45 +0200`
			`Subject: [PATCH 2/2] Initialize symbol table after setting up randomization`

			`Otherwise, the symbol table wouldn't be correctly randomized.`
			`---`
			`NEWS \| 3 +++`
			`runtime.c \| 2 +-`
			`2 files changed, 4 insertions(+), 1 deletion(-)`

			`#diff --git a/NEWS b/NEWS`
			`#index f4b0e041..6588b30e 100644`
			`#--- a/NEWS`
			`#+++ b/NEWS`
			`#@@ -96,6 +96,9 @@`
			`# buffer overrun and/or segfault (thanks to Lemonboy).`
			# - CVE-2017-9334: `length' no longer crashes on improper lists (fixes
			`# #1375, thanks to "megane").`
			`#+ - The randomization factor of the symbol table was set before`
			`#+ the random seed was set, causing it to have a fixed value on many`
			`#+ platforms.`
			`#`
			`# - Core Libraries`
			`# - Unit "posix": If file-lock, file-lock/blocking or file-unlock are`
			`diff --git a/runtime.c b/runtime.c`
			`index 81c54dd2..a4580abc 100644`
			`--- a/runtime.c`
			`+++ b/runtime.c`
			`@@ -799,7 +799,6 @@ int CHICKEN_initialize(int heap, int stack, int symbols, void *toplevel)`
			`C_initial_timer_interrupt_period = INITIAL_TIMER_INTERRUPT_PERIOD;`
			`C_timer_interrupt_counter = INITIAL_TIMER_INTERRUPT_PERIOD;`
			`memset(signal_mapping_table, 0, sizeof(int) * NSIG);`
			`- initialize_symbol_table();`
			`C_dlerror = "cannot load compiled code dynamically - this is a statically linked executable";`
			`error_location = C_SCHEME_FALSE;`
			`C_pre_gc_hook = NULL;`
			`@@ -816,6 +815,7 @@ int CHICKEN_initialize(int heap, int stack, int symbols, void *toplevel)`
			`callback_continuation_level = 0;`
			`gc_ms = 0;`
			`(void)C_randomize(C_fix(time(NULL)));`
			`+ initialize_symbol_table();`

			`if (profiling) {`
			`#ifndef C_NONUNIX`
			`--`
			`2.11.0`