authorNguyễn Gia Phong <cnx@loang.net>2025-02-21 20:23:06 +0900
committerNguyễn Gia Phong <cnx@loang.net>2025-02-21 20:23:06 +0900
commit739555d3816d8760290e711725f77358b527d6b7 (patch)
treefe14a5a436c25759815f545043e16f97f885a3d0
parent62610838c088abca335fac300f4b46d6643ed5ab (diff)
Be explicit of buggy packages' module
-rw-r--r--bugs/README.md34
-rw-r--r--loftix/bugs.scm12
2 files changed, 29 insertions, 17 deletions
diff --git a/bugs/README.md b/bugs/README.md
index 59b420c..a431934 100644
--- a/bugs/README.md
+++ b/bugs/README.md
@@ -4,60 +4,60 @@
 
 - CVE-2017-6965: [heap buffer overflow][sourceware-21137]
 
-      guix shell binutils@2.27
+      guix shell -e '(@@ (loftix bugs) binutils-2.27-asan)'
       readelf -w cve/2017/6965/bug_3
 
 - CVE-2017-14745: [integer overflow][sourceware-22148]
 
-      guix shell binutils@2.29
+      guix shell -e '(@@ (loftix bugs) binutils-2.29)'
       objdump -d cve/2017/14745/crash_1
 
 - CVE-2017-15020: [heap buffer overflow][sourceware-22202]
 
-      guix shell binutils@2.29
+      guix shell -e '(@@ (loftix bugs) binutils-2.29-asan)'
       nm -l cve/2017/15020/reproducer
 
 - CVE-2017-15025: [divide-by-zero][sourceware-22186]
 
-      guix shell binutils@2.29
+      guix shell -e '(@@ (loftix bugs) binutils-2.29)'
       nm -l cve/2017/15025/3899.crashes.bin
       nm -l cve/2017/15025/floatexception.elf
       objdump -S cve/2017/15025/floatexception.elf
 
 - CVE-2019-9077: [heap buffer overflow][sourceware-24243]
 
-      guix shell binutils@2.32
+      guix shell -e '(@@ (loftix bugs) binutils-2.32-asan)'
       readelf -a cve/2019/9077/hbo2
 
 ## JasPer
 
 - CVE-2016-8691: [divide-by-zero][jasper-22]
 
-      guix shell jasper@1.900.3
+      guix shell -e '(@@ (loftix bugs) jasper-1.900.3)'
       imginfo -f cve/2016/8691/11.crash
 
 - CVE-2016-9557: [signed integer overflow][jasper-67]
 
-      guix shell jasper@1.900.19
+      guix shell -e '(@@ (loftix bugs) jasper-1.900.19)'
       imginfo -f cve/2016/9557/signed-int-overflow.jp2
 
 ## libarchive
 
 - CVE-2016-5844: [signed integer overflow][libarchive-717]
 
-      guix shell libarchive@3.2.0
+      guix shell -e '(@@ (loftix bugs) libarchive-3.2.0-ubsan)'
       bsdtar -tf cve/2016/5844/libarchive-signed-int-overflow.iso
 
 ## libjpeg-turbo
 
 - CVE-2012-2806: [heap buffer overflow][chromium-40058947]
 
-      guix shell libjpeg-turbo@1.2.0
+      guix shell -e '(@@ (loftix bugs) libjpeg-turbo-1.2.0-asan)'
       djpeg cve/2012/2806/cnode0006-heap-buffer-overflow-796.jpg
 
 - CVE-2017-15232: [null pointer dereference][mozjpeg-268]
 
-      guix shell libjpeg-turbo@1.5.2
+      guix shell -e '(@@ (loftix bugs) libjpeg-turbo-1.5.2)'
       djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8\
         -targa -grayscale -outfile /dev/null cve/2017/15232/1.jpg
       djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8\
@@ -65,7 +65,7 @@
 
 - CVE-2018-14498: [heap buffer overflow][libjpeg-turbo-258]
 
-      guix shell libjpeg-turbo@1.5.3
+      guix shell -e '(@@ (loftix bugs) libjpeg-turbo-1.5.3-asan)'
       cjpeg -outfile /dev/null cve/2018/14498/hbo_rdbmp.c:209_1.bmp
       cjpeg -outfile /dev/null cve/2018/14498/hbo_rdbmp.c:209_2.bmp
       cjpeg -outfile /dev/null cve/2018/14498/hbo_rdbmp.c:210_1.bmp
@@ -74,36 +74,36 @@
 
 - CVE-2018-19664: [heap buffer overflow][libjpeg-turbo-305]
 
-      guix shell libjpeg-turbo@2.0.1
+      guix shell -e '(@@ (loftix bugs) libjpeg-turbo-2.0.1-asan)'
       djpeg -colors 256 -bmp cve/2018/19664/heap-buffer-overflow-2.jpg
 
 ## libxml2
 
 - CVE-2012-5134: [heap buffer overflow][chromium-40076524]
 
-      guix shell libxml2@2.9.0
+      guix shell -e '(@@ (loftix bugs) libxml2-2.9.0-asan)'
       xmllint cve/2012/5134/bad.xml
 
 - CVE-2016-1838: [heap buffer overflow][chromium-42452154]
 
-      guix shell libxml2@2.9.3
+      guix shell -e '(@@ (loftix bugs) libxml2-2.9.3-asan)'
       xmllint cve/2016/1838/attachment_316158
 
 - CVE-2016-1839: [heap buffer overflow][chromium-42452152]
 
-      guix shell libxml2@2.9.3
+      guix shell -e '(@@ (loftix bugs) libxml2-2.9.3-asan)'
       xmllint --html cve/2016/1839/asan_heap-oob
 
 - CVE-2017-5969: [null pointer derefence][oss-sec-20161105-3]
 
-      guix shell libxml2@2.9.4
+      guix shell -e '(@@ (loftix bugs) libxml2-2.9.4
       xmllint --recover cve/2017/5969/crash-libxml2-recover.xml
 
 ## potrace
 
 - CVE-2013-7437: [possible heap overflow][redhat-955808]
 
-      guix shell potrace@1.11
+      guix shell -e '(@@ (loftix bugs) potrace-1.11)'
       potrace cve/2013/7437/1.bmp
       potrace cve/2013/7437/2.bmp
 
diff --git a/loftix/bugs.scm b/loftix/bugs.scm
index 32774dc..d6adce9 100644
--- a/loftix/bugs.scm
+++ b/loftix/bugs.scm
@@ -50,6 +50,18 @@
                (base32 "1gqfyksdnj3iir5gzyvlp785mnk60g1pll6zbzbslfchhr4rb8i9"))
               (patches '())))))
 
+(define-public binutils-2.29
+  (package
+    (inherit binutils-2.33)
+    (version "2.29")
+    (source (origin
+              (inherit (package-source binutils))
+              (uri (string-append "mirror://gnu/binutils/binutils-"
+                                  version ".tar.bz2"))
+              (sha256
+               (base32 "1gqfyksdnj3iir5gzyvlp785mnk60g1pll6zbzbslfchhr4rb8i9"))
+              (patches '())))))
+
 (define-public binutils-2.27-asan
   (package
     (inherit binutils-2.29-asan)
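Review bot: The new `binutils-2.29` repeats the whole `origin` (URI, `sha256` and `(patches '())`) that also closes the definition just above it in this hunk, so the pinned tarball hash now lives in two places and can drift if only one is edited. That earlier definition starts outside the hunk; if it is `binutils-2.29-asan` (inferred from `binutils-2.27-asan` inheriting it), consider having it `(inherit binutils-2.29)` and keep only its sanitizer settings, so the source and hash are declared once. The package inherits `binutils-2.33` while its source inherits `(package-source binutils)`, and it is worth confirming that mix is intended. `(patches '())` also deserves a comment such as `;; No patches on purpose: this build stays vulnerable to reproduce CVE-2017-14745 and CVE-2017-15025.`, since the package is public and could otherwise be mistaken for a usable toolchain.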