lang/chicken: backport security fix for CVE-2022-45145

Details: https://lists.nongnu.org/archive/html/chicken-announce/2022-11/msg00000.html > Vasilij found a security issue with the way egg-information > files are created during installation of an extension package. > Currently, escape characters in the .egg file may be used to > perform arbitrary OS command injection due to the method the > egg metadata is created and installed in the local egg repository > during the install-stage of an egg. diff from MAINTAINER Timo Myyrä, thanks!
2022-11-12 10:08:15 +00:00 · 2022-11-12 10:08:15 +00:00 · da78065c76
parent 5621316cc2
commit da78065c76
2 changed files with 53 additions and 0 deletions
--- a/lang/chicken/core/Makefile
+++ b/lang/chicken/core/Makefile
@ -1,3 +1,5 @@
+REVISION=	0
+
 SHARED_LIBS=	chicken	8.0 # 11

 TEST_TARGET=	check
--- a/lang/chicken/core/patches/patch-egg-compile_scm
+++ b/lang/chicken/core/patches/patch-egg-compile_scm
@ -0,0 +1,51 @@
+Fix CVE-2022-45145 by backporting commit a08f8f548d772ef410c672ba33a27108d8d434f3.
+
+See: https://lists.nongnu.org/archive/html/chicken-announce/2022-11/msg00000.html
+
+Index: egg-compile.scm
+--- egg-compile.scm.orig
+++ egg-compile.scm
+@@ -1191,7 +1191,7 @@ EOF
+ 
+ ~a ~a~a
+ ~a ~a~a
+-cat >~a~a <<ENDINFO
+cat >~a~a <<'ENDINFO'
+ ~aENDINFO~%
+ EOF
+                mkdir ddir qdir
+@@ -1201,11 +1201,18 @@ EOF
+        (printf #<<EOF
+ 
+ ~a ~a~a
+-echo ~a >~a~a~%
+copy /y nul ~a~a~%
+~a
+ EOF
+                mkdir ddir qdir
+-               (string-intersperse (string-split infostr "\n") "^\n\n")
+-               ddir dest)))))
+	       ddir dest
+	       (string-intersperse (map (lambda (line)
+					  (ensure-line-limit
+                                             (caretize (format "echo ~a >>~a~a"
+                                                               line ddir dest))
+                                             8191 ))
+					(string-split infostr "\n"))
+				   "\n"))))))
+ 
+ ;;; some utilities for mangling + quoting
+ 
+@@ -1277,3 +1284,12 @@ EOF
+ (define (joins strs) (string-intersperse strs " "))
+ 
+ (define (maybe f x) (if f (list x) '()))
+
+(define (caretize str)
+  (string-translate* str '(("&" . "^&") ("^" . "^^") ("|" . "^|")
+			   ("<" . "^<") (">" . "^>"))))
+
+(define (ensure-line-limit str lim)
+  (when (>= (string-length str) lim)
+    (error "line length exceeds platform limit: " str))
+  str)