X-Loop: help-debbugs@HIDDEN
Subject: [bug#48656] [PATCH] gnu: lz4: Add a patch for CVE-2021-3520.
Resent-From: Solene Rapenne <solene@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Tue, 25 May 2021 18:25:01 +0000
Resent-Message-ID: <handler.48656.B.162196706931998 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: report 48656
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 48656 <at> debbugs.gnu.org
X-Debbugs-Original-To: guix-patches@HIDDEN
Received: via spool by submit <at> debbugs.gnu.org id=B.162196706931998
(code B ref -1); Tue, 25 May 2021 18:25:01 +0000
Received: (at submit) by debbugs.gnu.org; 25 May 2021 18:24:29 +0000
Received: from localhost ([127.0.0.1]:46734 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1llbjB-0008K2-DQ
for submit <at> debbugs.gnu.org; Tue, 25 May 2021 14:24:29 -0400
Received: from lists.gnu.org ([209.51.188.17]:60800)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <solene@HIDDEN>) id 1llbj7-0008Jr-Qe
for submit <at> debbugs.gnu.org; Tue, 25 May 2021 14:24:27 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:50550)
by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <solene@HIDDEN>) id 1llbj7-00070L-B3
for guix-patches@HIDDEN; Tue, 25 May 2021 14:24:25 -0400
Received: from perso.pw ([163.172.223.238]:17711)
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <solene@HIDDEN>) id 1llbj5-0007gp-41
for guix-patches@HIDDEN; Tue, 25 May 2021 14:24:25 -0400
Received: from perso.pw (localhost [127.0.0.1])
by perso.pw (OpenSMTPD) with ESMTP id 694815d8
for <guix-patches@HIDDEN>; Tue, 25 May 2021 20:24:12 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=perso.pw; h=date:from:to
:subject:message-id:mime-version:content-type
:content-transfer-encoding; s=1337; bh=dNy+jjGmGe+VR1TsY24mVSgjH
lQ=; b=pAwOpf+PKL+9SbFi1JBxrPPboPb3TPnCcq6l8gZjbuGDAeE1B1R/reCtV
Y2J2S4mLLwJlWIMus0lapxG4NT/fT7oazzuuvp8K7f8OD+w7krp8cJu8gfkgbVmB
NjeBTEbWBb/LRGxd0Ds9FwuJAqQNAOUpu613hiXo7GlPpumBMI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=perso.pw; h=date:from:to
:subject:message-id:mime-version:content-type
:content-transfer-encoding; q=dns; s=1337; b=MjemXaWE8ffyWqt5Z+l
stIomTsjmg7p3OdCwltXrYC/1V67Iq323KKnlm7QcVs5NJzp9k1lOooBvT59GMh6
lJY4JQZlz9txlq6h12/zSQ4YPBa/hQH/nSJgodY3zx/jkaw75/AdMAxnV0/tjjjO
APxt4xJd84uaIhwIkKsqMTuw=
X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on perso.pw
X-Spam-Level:
X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00
autolearn=ham autolearn_force=no version=3.4.5
Received: from localhost (176-154-164-34.abo.bbox.fr [176.154.164.34])
by perso.pw (OpenSMTPD) with ESMTPSA id 9266ae62
(TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO) for <guix-patches@HIDDEN>;
Tue, 25 May 2021 20:24:09 +0200 (CEST)
Date: Tue, 25 May 2021 20:24:07 +0200
From: Solene Rapenne <solene@HIDDEN>
Message-ID: <20210525202407.383e1713@HIDDEN>
X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=163.172.223.238; envelope-from=solene@HIDDEN;
helo=perso.pw
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001,
SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)
This imports a patch that is not committed upstream yet
but pending for merge on github
https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
This is already widely used in many distributions distributing lz4
---
gnu/packages/compression.scm | 7 +++++--
gnu/packages/patches/lz4-CVE-2021-3520.patch | 15 +++++++++++++++
2 files changed, 20 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/lz4-CVE-2021-3520.patch
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 64816a30c0..53ab999151 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -33,6 +33,7 @@
;;; Copyright =C2=A9 2021 Antoine C=C3=B4t=C3=A9 <antoine.cote@HIDDEN>
;;; Copyright =C2=A9 2021 Vincent Legoll <vincent.legoll@HIDDEN>
;;; Copyright =C2=A9 2021 Simon Tournier <zimon.toutoune@HIDDEN>
+;;; Copyright =C2=A9 2021 Solene Rapenne <solene@HIDDEN>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -810,15 +811,17 @@ decompression of some loosely related file formats us=
ed by Microsoft.")
(commit (string-append "v" version))))
(sha256
(base32 "1w02kazh1fps3sji2sn89fz862j1199c5ajrqcgl1bnlxj09kcbz"))
+ (patches
+ (search-patches "lz4-CVE-2021-3520.patch"))
(file-name (git-file-name name version))))
(build-system gnu-build-system)
(outputs (list "out" "static"))
(native-inputs
- `(;; For tests.
+ `( ;; For tests.
("python" ,python)
("valgrind" ,valgrind)))
(arguments
- `(;; Not designed for parallel testing.
+ `( ;; Not designed for parallel testing.
;; See https://github.com/lz4/lz4/issues/957#issuecomment-737419821
#:parallel-tests? #f
#:test-target "test"
diff --git a/gnu/packages/patches/lz4-CVE-2021-3520.patch b/gnu/packages/pa=
tches/lz4-CVE-2021-3520.patch
new file mode 100644
index 0000000000..100baa4758
--- /dev/null
+++ b/gnu/packages/patches/lz4-CVE-2021-3520.patch
@@ -0,0 +1,15 @@
+Not merged patch fixing CVE-2021-3520
+https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
+
+Index: b/lib/lz4.c
+--- a/lib/lz4.c.orig
++++ b/lib/lz4.c
+@@ -1749,7 +1749,7 @@ LZ4_decompress_generic(
+ const size_t dictSize /* note : =3D 0 if noDict =
*/
+ )
+ {
+- if (src =3D=3D NULL) { return -1; }
++ if ((src =3D=3D NULL) || (outputSize < 0)) { return -1; }
+=20
+ { const BYTE* ip =3D (const BYTE*) src;
+ const BYTE* const iend =3D ip + srcSize;
--=20
2.31.1
Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) Content-Type: text/plain; charset=utf-8 X-Loop: help-debbugs@HIDDEN From: help-debbugs@HIDDEN (GNU bug Tracking System) To: Solene Rapenne <solene@HIDDEN> Subject: bug#48656: Acknowledgement ([PATCH] gnu: lz4: Add a patch for CVE-2021-3520.) Message-ID: <handler.48656.B.162196706931998.ack <at> debbugs.gnu.org> References: <20210525202407.383e1713@HIDDEN> X-Gnu-PR-Message: ack 48656 X-Gnu-PR-Package: guix-patches X-Gnu-PR-Keywords: patch Reply-To: 48656 <at> debbugs.gnu.org Date: Tue, 25 May 2021 18:25:02 +0000 Thank you for filing a new bug report with debbugs.gnu.org. This is an automatically generated reply to let you know your message has been received. Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course. Your message has been sent to the package maintainer(s): guix-patches@HIDDEN If you wish to submit further information on this problem, please send it to 48656 <at> debbugs.gnu.org. Please do not send mail to help-debbugs@HIDDEN unless you wish to report a problem with the Bug-tracking system. --=20 48656: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D48656 GNU Bug Tracking System Contact help-debbugs@HIDDEN with problems
X-Loop: help-debbugs@HIDDEN
Subject: [bug#48656] [PATCH] gnu: lz4: Add a patch for CVE-2021-3520.
Resent-From: Leo Famulari <leo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Tue, 25 May 2021 19:08:02 +0000
Resent-Message-ID: <handler.48656.B.16219696373572 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 48656
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 48656 <at> debbugs.gnu.org
X-Debbugs-Original-To: Solene Rapenne via Guix-patches via <guix-patches@HIDDEN>
X-Debbugs-Original-Cc: 48656 <at> debbugs.gnu.org
Received: via spool by submit <at> debbugs.gnu.org id=B.16219696373572
(code B ref -1); Tue, 25 May 2021 19:08:02 +0000
Received: (at submit) by debbugs.gnu.org; 25 May 2021 19:07:17 +0000
Received: from localhost ([127.0.0.1]:46774 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1llcOb-0000vY-9r
for submit <at> debbugs.gnu.org; Tue, 25 May 2021 15:07:17 -0400
Received: from lists.gnu.org ([209.51.188.17]:37830)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <leo@HIDDEN>) id 1llcOW-0000vB-3B
for submit <at> debbugs.gnu.org; Tue, 25 May 2021 15:07:13 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:57844)
by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <leo@HIDDEN>) id 1llcOV-00075j-UA
for guix-patches@HIDDEN; Tue, 25 May 2021 15:07:11 -0400
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:44425)
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <leo@HIDDEN>) id 1llcOT-0000Di-Ui
for guix-patches@HIDDEN; Tue, 25 May 2021 15:07:11 -0400
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42])
by mailout.nyi.internal (Postfix) with ESMTP id 07DB95C0198;
Tue, 25 May 2021 15:07:08 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
by compute2.internal (MEProxy); Tue, 25 May 2021 15:07:08 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
h=date:from:to:cc:subject:message-id:references:mime-version
:content-type:in-reply-to; s=mesmtp; bh=58NHWTP0XqkA83zNdH1tnGYR
pGndbHcLVuueiI5RTmk=; b=Q+laSKWNLp3mewnSNaqW+AYwgxel6/xJ8l3nmDXt
Fvei6seY7i429UwppRjxL+OJXYdHwYhWsbfBfpU5Fy1O+1aIREreiIwWrfLz9FsK
coHH3dELRbEHhLcGuydF063Lty7yhgqRWZkjsHKaBV9W535V1tjKzeu2VPtdzXZk
Xes=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
messagingengine.com; h=cc:content-type:date:from:in-reply-to
:message-id:mime-version:references:subject:to:x-me-proxy
:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=58NHWT
P0XqkA83zNdH1tnGYRpGndbHcLVuueiI5RTmk=; b=uau04qIqRN5keboL2K2RtN
Uk+v/3Hwb2i7iGVe7+D2WrEhdYTz1z8dcyUpWR++S6hjOEUuHoRkE8nd4vBu9F4j
oISu5x8nb6ZyJM/LdLtFHDdm7kG+hBClZA8xWtMmJY5K3UEQHcg3xSI8qBNUrDyq
ZBLZIWJCjn+2w7xOkJrgqnm6vHAb2fTAxMTRzlyl/2eNOFspVs5EXNoS3z3QucYm
tXnvNElNS+aY3ZTr0qwQnoqd7SVflAWqjE7JOzAzhQEUJLRA+UJAXHidYl2JJcAg
/fXU6FhGWzw9B7FbUD2TlmiyuNZTyKH5yzWonztWTMdYENZspohdUpTSvRtOd0LQ
==
X-ME-Sender: <xms:20qtYKh7XhGdYnPim7GA3vLU_OS6MzPcTLWtWZe9opEO99RjKqGofQ>
<xme:20qtYLCyKT_VCfbo3xaywCxmgZj1mb85PfznPuExd17lHJhT4XXCLLoBrrgcuVm8p
yr6Prav5ZSquEQzRQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvdekuddgudefhecutefuodetggdotefrod
ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd
enucfjughrpeffhffvuffkfhggtggujgesthdtredttddtvdenucfhrhhomhepnfgvohcu
hfgrmhhulhgrrhhiuceolhgvohesfhgrmhhulhgrrhhirdhnrghmvgeqnecuggftrfgrth
htvghrnhephefgleevhfdttdefheeitdfgheffffffledvlefhgfektdethefguefgheeg
tefhnecuffhomhgrihhnpehgihhthhhusgdrtghomhenucfkphepuddttddruddurdduie
elrdduudeknecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhho
mheplhgvohesfhgrmhhulhgrrhhirdhnrghmvg
X-ME-Proxy: <xmx:20qtYCGN66w6Si2Hv_r8nUZga979N1n7zpS6rH_dnI7mmAIiTp61dQ>
<xmx:20qtYDQpZj7JUHruM0aTfxSxktCQz9qVK93-w4CuTv0gzfXeN8bXVQ>
<xmx:20qtYHwHuKogRA1eLNyohGUpb7Kc_lv4HUa-ZkCBqifTtTvfWmifrA>
<xmx:3EqtYIuLj51902We8cR8XZC0nYAdX9Aa0BsIobbNA75PKErfx-hXLA>
Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net
[100.11.169.118]) by mail.messagingengine.com (Postfix) with ESMTPA;
Tue, 25 May 2021 15:07:07 -0400 (EDT)
Date: Tue, 25 May 2021 15:07:05 -0400
From: Leo Famulari <leo@HIDDEN>
Message-ID: <YK1K2RvBsq92Feg2@HIDDEN>
References: <20210525202407.383e1713@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20210525202407.383e1713@HIDDEN>
Received-SPF: pass client-ip=66.111.4.28; envelope-from=leo@HIDDEN;
helo=out4-smtp.messagingengine.com
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)
On Tue, May 25, 2021 at 08:24:07PM +0200, Solene Rapenne via Guix-patches via wrote:
> This imports a patch that is not committed upstream yet
> but pending for merge on github
>
> https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
>
> This is already widely used in many distributions distributing lz4
>
> ---
> gnu/packages/compression.scm | 7 +++++--
> gnu/packages/patches/lz4-CVE-2021-3520.patch | 15 +++++++++++++++
When adding a new patch file, you have to register it in 'gnu/local.mk'.
Is there any discussion about this upstream? Why isn't it included in
lz4 yet?
X-Loop: help-debbugs@HIDDEN
Subject: [bug#48656] [PATCH] gnu: lz4: Add a patch for CVE-2021-3520.
Resent-From: Leo Famulari <leo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Tue, 25 May 2021 19:08:02 +0000
Resent-Message-ID: <handler.48656.B48656.16219696343562 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 48656
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 48656 <at> debbugs.gnu.org
X-Debbugs-Original-To: Solene Rapenne via Guix-patches via <guix-patches@HIDDEN>
X-Debbugs-Original-Cc: 48656 <at> debbugs.gnu.org
Received: via spool by 48656-submit <at> debbugs.gnu.org id=B48656.16219696343562
(code B ref 48656); Tue, 25 May 2021 19:08:02 +0000
Received: (at 48656) by debbugs.gnu.org; 25 May 2021 19:07:14 +0000
Received: from localhost ([127.0.0.1]:46772 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1llcOY-0000vN-2k
for submit <at> debbugs.gnu.org; Tue, 25 May 2021 15:07:14 -0400
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:44039)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <leo@HIDDEN>) id 1llcOX-0000v5-1V
for 48656 <at> debbugs.gnu.org; Tue, 25 May 2021 15:07:13 -0400
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42])
by mailout.nyi.internal (Postfix) with ESMTP id 07DB95C0198;
Tue, 25 May 2021 15:07:08 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
by compute2.internal (MEProxy); Tue, 25 May 2021 15:07:08 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
h=date:from:to:cc:subject:message-id:references:mime-version
:content-type:in-reply-to; s=mesmtp; bh=58NHWTP0XqkA83zNdH1tnGYR
pGndbHcLVuueiI5RTmk=; b=Q+laSKWNLp3mewnSNaqW+AYwgxel6/xJ8l3nmDXt
Fvei6seY7i429UwppRjxL+OJXYdHwYhWsbfBfpU5Fy1O+1aIREreiIwWrfLz9FsK
coHH3dELRbEHhLcGuydF063Lty7yhgqRWZkjsHKaBV9W535V1tjKzeu2VPtdzXZk
Xes=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
messagingengine.com; h=cc:content-type:date:from:in-reply-to
:message-id:mime-version:references:subject:to:x-me-proxy
:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=58NHWT
P0XqkA83zNdH1tnGYRpGndbHcLVuueiI5RTmk=; b=uau04qIqRN5keboL2K2RtN
Uk+v/3Hwb2i7iGVe7+D2WrEhdYTz1z8dcyUpWR++S6hjOEUuHoRkE8nd4vBu9F4j
oISu5x8nb6ZyJM/LdLtFHDdm7kG+hBClZA8xWtMmJY5K3UEQHcg3xSI8qBNUrDyq
ZBLZIWJCjn+2w7xOkJrgqnm6vHAb2fTAxMTRzlyl/2eNOFspVs5EXNoS3z3QucYm
tXnvNElNS+aY3ZTr0qwQnoqd7SVflAWqjE7JOzAzhQEUJLRA+UJAXHidYl2JJcAg
/fXU6FhGWzw9B7FbUD2TlmiyuNZTyKH5yzWonztWTMdYENZspohdUpTSvRtOd0LQ
==
X-ME-Sender: <xms:20qtYKh7XhGdYnPim7GA3vLU_OS6MzPcTLWtWZe9opEO99RjKqGofQ>
<xme:20qtYLCyKT_VCfbo3xaywCxmgZj1mb85PfznPuExd17lHJhT4XXCLLoBrrgcuVm8p
yr6Prav5ZSquEQzRQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvdekuddgudefhecutefuodetggdotefrod
ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd
enucfjughrpeffhffvuffkfhggtggujgesthdtredttddtvdenucfhrhhomhepnfgvohcu
hfgrmhhulhgrrhhiuceolhgvohesfhgrmhhulhgrrhhirdhnrghmvgeqnecuggftrfgrth
htvghrnhephefgleevhfdttdefheeitdfgheffffffledvlefhgfektdethefguefgheeg
tefhnecuffhomhgrihhnpehgihhthhhusgdrtghomhenucfkphepuddttddruddurdduie
elrdduudeknecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhho
mheplhgvohesfhgrmhhulhgrrhhirdhnrghmvg
X-ME-Proxy: <xmx:20qtYCGN66w6Si2Hv_r8nUZga979N1n7zpS6rH_dnI7mmAIiTp61dQ>
<xmx:20qtYDQpZj7JUHruM0aTfxSxktCQz9qVK93-w4CuTv0gzfXeN8bXVQ>
<xmx:20qtYHwHuKogRA1eLNyohGUpb7Kc_lv4HUa-ZkCBqifTtTvfWmifrA>
<xmx:3EqtYIuLj51902We8cR8XZC0nYAdX9Aa0BsIobbNA75PKErfx-hXLA>
Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net
[100.11.169.118]) by mail.messagingengine.com (Postfix) with ESMTPA;
Tue, 25 May 2021 15:07:07 -0400 (EDT)
Date: Tue, 25 May 2021 15:07:05 -0400
From: Leo Famulari <leo@HIDDEN>
Message-ID: <YK1K2RvBsq92Feg2@HIDDEN>
References: <20210525202407.383e1713@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20210525202407.383e1713@HIDDEN>
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)
On Tue, May 25, 2021 at 08:24:07PM +0200, Solene Rapenne via Guix-patches via wrote:
> This imports a patch that is not committed upstream yet
> but pending for merge on github
>
> https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
>
> This is already widely used in many distributions distributing lz4
>
> ---
> gnu/packages/compression.scm | 7 +++++--
> gnu/packages/patches/lz4-CVE-2021-3520.patch | 15 +++++++++++++++
When adding a new patch file, you have to register it in 'gnu/local.mk'.
Is there any discussion about this upstream? Why isn't it included in
lz4 yet?
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.