bug#46194: Doas vulnerability CVE-2019-25016

bug#46194: Doas vulnerability CVE-2019-25016

[Leo Famulari]

Our package of doas is apparently vulnerable to CVE-2019-25016:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25016

bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1.

[Brice Waegeneire]

* gnu/packages/admin.scm (opendoas): Update to 6.8.1.

Fixes #46194.
---
As there isn't any service for this package (I'm working on it), it's quite
useless and there isn't any package depending on it.  I guess very few
people, if any, are using it so I see no need for grafting here.

 gnu/packages/admin.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 538e8d3eb4..1ddbea7a02 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -1512,7 +1512,7 @@ commands and their arguments.")
 (define-public opendoas
   (package
     (name "opendoas")
-    (version "6.8")
+    (version "6.8.1")
     (source (origin
               (method git-fetch)
               (uri (git-reference
@@ -1521,7 +1521,7 @@ commands and their arguments.")
               (file-name (git-file-name name version))
               (sha256
                (base32
-                "1dlwnvy8r6slxcy260gfkximp1ms510wdslpfq9y6xvd2qi5izcb"))))
+                "0gfcssm21vdfg6kcrcc7hz1h4jmhy2zv29rfqyrrj3a6r9b5ah8p"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
-- 
2.29.2

bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1.

[Leo Famulari]

On Sun, Jan 31, 2021 at 08:41:07PM +0100, Brice Waegeneire wrote:
> * gnu/packages/admin.scm (opendoas): Update to 6.8.1.
> 
> Fixes #46194.
> ---
> As there isn't any service for this package (I'm working on it), it's quite
> useless and there isn't any package depending on it.  I guess very few
> people, if any, are using it so I see no need for grafting here.

Thanks! I pushed as 9c8156507abeb15f6d3816800c077fd99f861e3d

The question of "should it be grafted" depends on how many packages
depend on it:

$ guix refresh -l opendoas
No dependents other than itself: opendoas@6.8

If `guix refresh` reports that more than 300 packages will be rebuilt,
security updates should use grafts, as specified in the manual section
Submitting Patches:

https://guix.gnu.org/manual/en/html_node/Submitting-Patches.html

We don't want to wait for a 'staging' or 'core-updates' cycle for
security updates, so grafts let us cheat and push things directly to
master, without requiring expensive recompilation of dependent packages.

I know you could have pushed this yourself, although I did it on your
behalf. Now that we've clarified the use case of grafts, please feel
free to push things like this without review :)

The manual section Commit Access offers some guidelines:

"For patches that just add a new package, and a simple one, it’s OK to
commit, if you’re confident (which means you successfully built it in a
chroot setup, and have done a reasonable copyright and license
auditing). Likewise for package upgrades, except upgrades that trigger a
lot of rebuilds (for example, upgrading GnuTLS or GLib)."

bug#46194: [PATCH] gnu: opendoas: Update to 6.8.1.

[me--- via Bug reports for GNU Guix]

Brice,

On 2021-01-31 20:41, Brice Waegeneire wrote:
> * gnu/packages/admin.scm (opendoas): Update to 6.8.1.

Thanks for the prompt security bump!  The number of CVE fixes I've 
pushed for sudo the past year has made me reconsider its use in favour 
of this package.

> As there isn't any service for this package (I'm working on it), it's 
> quite
> useless

Services are nice to have but always optional: I doubt there's a package 
in Guix that is 'useless' or unused because it lacks a service.

Kind regards,

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.