From: Mark H Weaver
To: 47144@debbugs.gnu.org
Subject: bug#47144: security patching of 'patch' package
Date: Sun, 14 Mar 2021 17:37:25 -0400
Message-ID: <877dm9s9fz.fsf@netris.org>
References: <6d01d537754ce50b10035903d8e7d205699c4b39.camel@zaclys.net>

I'm forwarding this to bug-guix@gnu.org so
that it won't be forgotten.

     Mark

-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100

Hello!

I could find that the 'patch' package was vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':

patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638, CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-2018-6952

Can I use latest commit from master to build 'patch' then graft
original package? i.e. https://git.savannah.gnu.org/git/patch.git

There's not that many commits since last release, but lots of time:
https://git.savannah.gnu.org/cgit/patch.git/log/

Thank you,
Léo
-------------------- End of forwarded message --------------------