Hi, Here's security fix for chicken to address CVE-2022-45145.
Details: https://lists.nongnu.org/archive/html/chicken-announce/2022-11/msg00000.html Lightly tested on amd64. timo diff /usr/ports commit - 528717c7be7c511f687700e972f9c49ea0c67f97 path + /usr/ports blob - ed8d6eddfd6647ba5d6a303cb7f17ee779d7ca9b file + lang/chicken/Makefile.inc --- lang/chicken/Makefile.inc +++ lang/chicken/Makefile.inc @@ -2,6 +2,7 @@ DISTNAME= chicken-${V} V= 5.3.0 DISTNAME= chicken-${V} +REVISION= 0 MAINTAINER= Timo Myyra <timo.my...@bittivirhe.fi> blob - /dev/null file + lang/chicken/core/patches/patch-egg-compile_scm (mode 644) --- /dev/null +++ lang/chicken/core/patches/patch-egg-compile_scm @@ -0,0 +1,51 @@ +Fix CVE-2022-45145 by backporting commit a08f8f548d772ef410c672ba33a27108d8d434f3. + +See: https://lists.nongnu.org/archive/html/chicken-announce/2022-11/msg00000.html + +Index: egg-compile.scm +--- egg-compile.scm.orig ++++ egg-compile.scm +@@ -1191,7 +1191,7 @@ EOF + + ~a ~a~a + ~a ~a~a +-cat >~a~a <<ENDINFO ++cat >~a~a <<'ENDINFO' + ~aENDINFO~% + EOF + mkdir ddir qdir +@@ -1201,11 +1201,18 @@ EOF + (printf #<<EOF + + ~a ~a~a +-echo ~a >~a~a~% ++copy /y nul ~a~a~% ++~a + EOF + mkdir ddir qdir +- (string-intersperse (string-split infostr "\n") "^\n\n") +- ddir dest))))) ++ ddir dest ++ (string-intersperse (map (lambda (line) ++ (ensure-line-limit ++ (caretize (format "echo ~a >>~a~a" ++ line ddir dest)) ++ 8191 )) ++ (string-split infostr "\n")) ++ "\n")))))) + + ;;; some utilities for mangling + quoting + +@@ -1277,3 +1284,12 @@ EOF + (define (joins strs) (string-intersperse strs " ")) + + (define (maybe f x) (if f (list x) '())) ++ ++(define (caretize str) ++ (string-translate* str '(("&" . "^&") ("^" . "^^") ("|" . "^|") ++ ("<" . "^<") (">" . "^>")))) ++ ++(define (ensure-line-limit str lim) ++ (when (>= (string-length str) lim) ++ (error "line length exceeds platform limit: " str)) ++ str)
