From: sms
Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
Bug-Debian: http://bugs.debian.org/773722

--- a/extract.c
+++ b/extract.c
@@ -2234,10 +2234,17 @@
     if (compr_offset < 4)                /* field is not compressed: */
         return PK_OK;                    /* do nothing and signal OK */
 
+    /* Return no/bad-data error status if any problem is found:
+     *    1. eb_size is too small to hold the uncompressed size
+     *       (eb_ucsize).  (Else extract eb_ucsize.)
+     *    2. eb_ucsize is zero (invalid).  2014-12-04 SMS.
+     *    3. eb_ucsize is positive, but eb_size is too small to hold
+     *       the compressed data header.
+     */
     if ((eb_size < (EB_UCSIZE_P + 4)) ||
-        ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
-         eb_size <= (compr_offset + EB_CMPRHEADLEN)))
-        return IZ_EF_TRUNC;               /* no compressed data! */
+     ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
+     ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+        return IZ_EF_TRUNC;             /* no/bad compressed data! */
 
     if (
 #ifdef INT_16BIT
 href='/guix/log/gnu/build/install.scm'>log</a><a href='/guix/tree/gnu/build/install.scm?id=0b3743c059f4e02a33cdaba332fad71728c088f8'>tree</a><a href='/guix/commit/gnu/build/install.scm?id=0b3743c059f4e02a33cdaba332fad71728c088f8'>commit</a><a href='/guix/diff/gnu/build/install.scm?id=0b3743c059f4e02a33cdaba332fad71728c088f8'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/gnu/build/install.scm'>
<input type='hidden' name='id' value='0b3743c059f4e02a33cdaba332fad71728c088f8'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=0b3743c059f4e02a33cdaba332fad71728c088f8'>root</a>/<a href='/guix/log/gnu?id=0b3743c059f4e02a33cdaba332fad71728c088f8'>gnu</a>/<a href='/guix/log/gnu/build?id=0b3743c059f4e02a33cdaba332fad71728c088f8'>build</a>/<a href='/guix/log/gnu/build/install.scm?id=0b3743c059f4e02a33cdaba332fad71728c088f8'>install.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/gnu/build/install.scm?id=0b3743c059f4e02a33cdaba332fad71728c088f8&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2022-12-10 14:34:35 +0100'>2022-12-10</span></td><td><a href='/guix/commit/gnu/build/install.scm?id=61b7e9687757aff013b99e4ab15669a950c8b222'>install: 'umount-cow-store' retries upon EBUSY.</a><span class='msg-avail'>...<span class='msg-tooltip'>Possibly fixes &lt;https://issues.guix.gnu.org/59884&gt;.

* gnu/build/install.scm (umount*): New procedure.
(unmount-cow-store): Use it instead of 'umount'.
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2022-11-15 14:15:11 -0500'>2022-11-15</span></td><td><a href='/guix/commit/gnu/build/install.scm?id=0bb872b379a98e4523c8f8d946e581bad1c4c323'>install: Validate symlink target in evaluate-populate-directive.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/build/install.scm (evaluate-populate-directive): By default, error when
the target of a symlink doesn't exist.  Always ensure TARGET ends with "/".
(populate-root-file-system): Call evaluate-populate-directive with
 #:error-on-dangling-symlink #t and add comment.
</span></span></td><td>Maxim Cournoyer</td></tr>
<tr><td><span title='2020-12-15 17:32:10 +0100'>2020-12-15</span></td><td><a href='/guix/commit/gnu/build/install.scm?id=6a060ff27ff68384d7c90076baa36c349fff689d'>store-copy: 'populate-store' can optionally deduplicate files.</a><span class='msg-avail'>...<span class='msg-tooltip'>Until now deduplication was performed as an additional pass after
copying files, which involve re-traversing all the files that had just
been copied.

* guix/store/deduplication.scm (copy-file/deduplicate): New procedure.
* tests/store-deduplication.scm ("copy-file/deduplicate"): New test.
* guix/build/store-copy.scm (populate-store): Add #:deduplicate?
parameter and honor it.
* tests/gexp.scm ("gexp-&gt;derivation, store copy"): Pass #:deduplicate? #f
to 'populate-store'.
* gnu/build/image.scm (initialize-root-partition): Pass #:deduplicate?
to 'populate-store'.  Pass #:deduplicate? #f to 'register-closure'.
* gnu/build/vm.scm (root-partition-initializer): Likewise.
* gnu/build/install.scm (populate-single-profile-directory): Pass
 #:deduplicate? #f to 'populate-store'.
* gnu/build/linux-initrd.scm (build-initrd): Likewise.
* guix/scripts/pack.scm (self-contained-tarball)[import-module?]: New
procedure.
[build]: Pass it as an argument to 'source-module-closure'.
* guix/scripts/pack.scm (squashfs-image)[build]: Wrap in
'with-extensions'.
* gnu/system/linux-initrd.scm (expression-&gt;initrd)[import-module?]: New
procedure.
[builder]: Pass it to 'source-module-closure'.
* gnu/system/install.scm (cow-store-service-type)[import-module?]: New
procedure.  Pass it to 'source-module-closure'.
</span></span></td><td>Ludovic Courtès</td></tr>

Age	Commit message (Expand)	Author
2022-12-10	install: 'umount-cow-store' retries upon EBUSY....Possibly fixes <https://issues.guix.gnu.org/59884>. * gnu/build/install.scm (umount*): New procedure. (unmount-cow-store): Use it instead of 'umount'.	Ludovic Courtès
2022-11-15	install: Validate symlink target in evaluate-populate-directive....* gnu/build/install.scm (evaluate-populate-directive): By default, error when the target of a symlink doesn't exist. Always ensure TARGET ends with "/". (populate-root-file-system): Call evaluate-populate-directive with #:error-on-dangling-symlink #t and add comment.	Maxim Cournoyer
2020-12-15	store-copy: 'populate-store' can optionally deduplicate files....Until now deduplication was performed as an additional pass after copying files, which involve re-traversing all the files that had just been copied. * guix/store/deduplication.scm (copy-file/deduplicate): New procedure. * tests/store-deduplication.scm ("copy-file/deduplicate"): New test. * guix/build/store-copy.scm (populate-store): Add #:deduplicate? parameter and honor it. * tests/gexp.scm ("gexp->derivation, store copy"): Pass #:deduplicate? #f to 'populate-store'. * gnu/build/image.scm (initialize-root-partition): Pass #:deduplicate? to 'populate-store'. Pass #:deduplicate? #f to 'register-closure'. * gnu/build/vm.scm (root-partition-initializer): Likewise. * gnu/build/install.scm (populate-single-profile-directory): Pass #:deduplicate? #f to 'populate-store'. * gnu/build/linux-initrd.scm (build-initrd): Likewise. * guix/scripts/pack.scm (self-contained-tarball)[import-module?]: New procedure. [build]: Pass it as an argument to 'source-module-closure'. * guix/scripts/pack.scm (squashfs-image)[build]: Wrap in 'with-extensions'. * gnu/system/linux-initrd.scm (expression->initrd)[import-module?]: New procedure. [builder]: Pass it to 'source-module-closure'. * gnu/system/install.scm (cow-store-service-type)[import-module?]: New procedure. Pass it to 'source-module-closure'.	Ludovic Courtès